Fix vulnerability in UntrustedCacheMalloc
The pointer array is stored in untrusted memory, so we cannot trust the
value even after validation. We should validate the pointer is pointing
to untrusted memory after it's stored inside the enclave.

PiperOrigin-RevId: 358474391
Change-Id: I63cf6c251bdaf1b491dbf06cc0dcf77f7b141756
kongoshuu committed Feb 19, 2021
1 parent 8081258 commit a47ef55
Showing 1 changed file with 5 additions and 4 deletions.
9 changes: 5 additions & 4 deletions asylo/platform/primitives/sgx/untrusted_cache_malloc.cc
Expand Up @@ -104,11 +104,12 @@ void *UntrustedCacheMalloc::GetBuffer() {
buffers =
primitives::AllocateUntrustedBuffers(kPoolIncrement, kPoolEntrySize);
for (int i = 0; i < kPoolIncrement; i++) {
if (!buffers[i] ||
!TrustedPrimitives::IsOutsideEnclave(buffers[i], kPoolEntrySize)) {
abort();
void *buf = buffers[i];
if (!buf || !TrustedPrimitives::IsOutsideEnclave(buf, kPoolEntrySize)) {
TrustedPrimitives::BestEffortAbort(
"Cached buffer is not outside the enclave");
}
buffer_pool_.push(buffers[i]);
buffer_pool_.push(buf);
}
}
buffer = buffer_pool_.top();
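Review bot: The single read at `void *buf = buffers[i];` is the whole fix, but nothing in the loop documents that or forces it to stay a single read. Unless `buffers` is volatile-qualified outside this hunk, a compiler that inlines `IsOutsideEnclave` may reload `buffers[i]` for the `push`, which would bring back the check-then-use gap on untrusted memory. Consider reading the slot through a volatile-qualified pointer (or a read-once helper) and adding a comment that the array lives in untrusted memory and each entry must be fetched exactly once. Please also confirm that `BestEffortAbort` cannot return, since `buffer_pool_.push(buf)` follows it unconditionally.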