Android: Heap-overflow in "tlc_server" via LOAD_TUI_RESOURCE command As a part of the TrustZone framework available on Samsung devices, Samsung provides an Android daemon which enables communication with a selected set of trustlets running in the Secure World. The daemon is spawned multiple time, once for each supported trustlet. It then registers an Android binder service with a name corresponding to the trustlet with which it may communicate. Apart from the regular commands which enable communication with the trustlet itself, the daemon also provides a special command called LOAD_TUI_RESOURCE (command code 5) which enables loading a KNOX TUI (Trusted User Interface) resource. The function handling this command has the following logic: Parcel data = ...; ... if (data.readInt32(&numDwords)) goto error; uint32_t* buffer = (uint32_t*)malloc(numDwords * 4); if (!buffer) goto error; for (uint32_t i=0; i<numDwords; i++) { if (data.readInt32(&dword)) goto error; buffer[i] = dword; } Since the length field (numDwords) is not validated, it may be arbitrarily large. This means that the calculation a4*numDwordsa may overflow on 32-bit builds of "tlc_server" (i.e., on 32-bit Android devices), resulting in a small value. The loop would then attempt to copy whatever amount of values written to the parcel (controlled by the attacker) into the allocated buffer, resulting in a heap-overflow. The tlc_server runs with the asystema UID and GID and has an SELinux context of au:r:tlc_server:s0a. This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public. Found by: laginimaineb