Check for output_len range in ecall_restore
This may cause vulnerability if pointing to trusted memory.

This issue was reported by Qinkun Bao, Zhaofeng Chen, Mingshen Sun, and
Kang Li from Baidu Security.

PiperOrigin-RevId: 322476223
Change-Id: I8a6406e9f07a20582d4387bd9a3469dfa9cbcb12
kongoshuu committed Jul 22, 2020
1 parent bc3fdb4 commit e582f36
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions asylo/platform/primitives/sgx/ecalls.cc
Expand Up @@ -62,9 +62,11 @@ int ecall_take_snapshot(char **output, uint64_t *output_len) {
int ecall_restore(const char *input, uint64_t input_len, char **output,
uint64_t *output_len) {
if (!asylo::primitives::TrustedPrimitives::IsOutsideEnclave(input,
input_len)) {
input_len) ||
!asylo::primitives::TrustedPrimitives::IsOutsideEnclave(
output_len, sizeof(uint64_t))) {
asylo::primitives::TrustedPrimitives::BestEffortAbort(
"ecall_restore: input found to not be in untrusted memory.");
"ecall_restore: input/output found to not be in untrusted memory.");
}
int result = 0;
size_t tmp_output_len;
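Review bot: the extended condition in ecall_restore validates output_len but not its sibling out-pointer output (char **), which comes from the same untrusted caller. Unless output is checked further down, outside the lines shown here, add IsOutsideEnclave(output, sizeof(char *)) to this condition as well. The combined message "input/output found to not be in untrusted memory" also no longer says which pointer failed; separate checks with separate abort messages would make an abort easier to triage. ecall_take_snapshot, visible in the hunk header, takes the same output/output_len pair and should get the same check if it lacks one.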