Several Bugs

[LeoneChen]

UAF 1

If ssl_conn_handle called after ssl_conn_teardown by untrusted host

mbedtls-SGX/example/enclave/ecalls.cpp

Lines 44 to 50 in eab8e36

	void ssl_conn_handle(long int thread_id, thread_info_t* thread_info) {
	connectionHandler->handle(thread_id, thread_info);
	}
	void ssl_conn_teardown(void) {
	delete connectionHandler;
	}

this is dangling, and this->conf at line 159 will cause UAF

mbedtls-SGX/example/enclave/ssl_conn_hdlr.cpp

Lines 151 to 159 in eab8e36

	void TLSConnectionHandler::handle(long int thread_id, thread_info_t *thread_info) {
	int ret, len;
	mbedtls_net_context *client_fd = &thread_info->client_fd;
	unsigned char buf[1024];
	mbedtls_ssl_context ssl;
	// thread local data
	mbedtls_ssl_config conf;
	memcpy(&conf, &this->conf, sizeof(mbedtls_ssl_config));

UAF 2

If ssl_conn_teardown called after ssl_conn_teardown by untrusted host, second will call delete connectionHandler;, srvcert is freed member varibale
In TLSConnectionHandler::~TLSConnectionHandler,

mbedtls-SGX/example/enclave/ssl_conn_hdlr.cpp

Lines 129 to 131 in eab8e36

	TLSConnectionHandler::~TLSConnectionHandler() {
	mbedtls_x509_crt_free(&srvcert);
	mbedtls_pk_free(&pkey);

In mbedtls_x509_crt_free.

mbedtls-SGX/trusted/mbedtls-2.6.0/library/x509_crt.c

Lines 2346 to 2360 in eab8e36

	void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
	{
	mbedtls_x509_crt *cert_cur = crt;
	mbedtls_x509_crt *cert_prv;
	mbedtls_x509_name *name_cur;
	mbedtls_x509_name *name_prv;
	mbedtls_x509_sequence *seq_cur;
	mbedtls_x509_sequence *seq_prv;
	if( crt == NULL )
	return;
	do
	{
	mbedtls_pk_free( &cert_cur->pk );

In mbedtls_pk_free, and finally ctx->pk_info will access already free-ed ctx, cause UAF.

mbedtls-SGX/trusted/mbedtls-2.6.0/library/pk.c

Lines 66 to 74 in eab8e36

	void mbedtls_pk_free( mbedtls_pk_context *ctx )
	{
	if( ctx == NULL || ctx->pk_info == NULL )
	return;
	ctx->pk_info->ctx_free_func( ctx->pk_ctx );
	mbedtls_zeroize( ctx, sizeof( mbedtls_pk_context ) );
	}

[LeoneChen]

Null Pointer Dereference

Since zero address is under the control of untrusted host, NPD is dangerous for Enclave

If ssl_conn_handle called before ssl_conn_init, connectionHandler can be NULL, since address of TLSConnectionHandler::handle is from vTable, it is called.

mbedtls-SGX/example/enclave/ecalls.cpp

Lines 44 to 46 in eab8e36

	void ssl_conn_handle(long int thread_id, thread_info_t* thread_info) {
	connectionHandler->handle(thread_id, thread_info);
	}

In TLSConnectionHandler::handle, this is NULL, &this->conf used in memcpy will cause copy from untrusted 0 address

mbedtls-SGX/example/enclave/ssl_conn_hdlr.cpp

Lines 151 to 159 in eab8e36

	void TLSConnectionHandler::handle(long int thread_id, thread_info_t *thread_info) {
	int ret, len;
	mbedtls_net_context *client_fd = &thread_info->client_fd;
	unsigned char buf[1024];
	mbedtls_ssl_context ssl;
	// thread local data
	mbedtls_ssl_config conf;
	memcpy(&conf, &this->conf, sizeof(mbedtls_ssl_config));

[LeoneChen]

Null Pointer Dereference

Although thread_info is in,out, SGX TBridge just pass null to real ECALL

mbedtls-SGX/example/enclave/Enclave.edl

Line 12 in eab8e36

public void ssl_conn_handle(long int thread_id, [in,out] thread_info_t* thread_info);

thread_info is null

mbedtls-SGX/example/enclave/ecalls.cpp

Lines 44 to 46 in eab8e36

	void ssl_conn_handle(long int thread_id, thread_info_t* thread_info) {
	connectionHandler->handle(thread_id, thread_info);
	}

Even if this is not NULL, thread_info can be NULL due to lack of check, at line 160 cause NPD

mbedtls-SGX/example/enclave/ssl_conn_hdlr.cpp

Lines 151 to 160 in eab8e36

	void TLSConnectionHandler::handle(long int thread_id, thread_info_t *thread_info) {
	int ret, len;
	mbedtls_net_context *client_fd = &thread_info->client_fd;
	unsigned char buf[1024];
	mbedtls_ssl_context ssl;
	// thread local data
	mbedtls_ssl_config conf;
	memcpy(&conf, &this->conf, sizeof(mbedtls_ssl_config));
	thread_info->config = &conf;