

Check the buffer address before copy the data from the buffer
This commit fixed an Occlum security issue. The researchers from KU
Leuven (Belgium) and the University of Birmingham (UK) found it and
reported it to Occlum team. Thank you, Jo Van Bulck, Frank Piessens,
Fritz Alder, David Oswald, Jesse Spielman and Sam Thomas.
zongmin.gu authored and tatetian committed Nov 29, 2021
1 parent 580a981 commit 36918e4
Showing 1 changed file with 8 additions and 2 deletions.
10 changes: 8 additions & 2 deletions src/libos/src/util/mem_util.rs
Expand Up @@ -48,9 +48,12 @@ pub mod from_user {
return_errno!(EINVAL, "NULL address is invalid");
}

// confirm that at least the fisrt byte of the string is from user
check_ptr(out_ptr)?;

let cstr = unsafe { CStr::from_ptr(out_ptr) };
let cstring = CString::from(cstr);
if !is_inside_user_space(out_ptr as *const u8, cstring.as_bytes().len()) {
if !is_inside_user_space(out_ptr as *const u8, cstring.as_bytes_with_nul().len()) {
return_errno!(EFAULT, "the whole buffer is not in the user space");
}
Ok(cstring)
Expand Down Expand Up @@ -127,11 +130,14 @@ pub mod from_untrusted {
return_errno!(EINVAL, "NULL address is invalid");
}

// confirm that at least the fisrt byte of the string is out side of enclave
check_ptr(out_ptr)?;

let cstr = unsafe { CStr::from_ptr(out_ptr) };
let cstring = CString::from(cstr);
if !sgx_trts::trts::rsgx_raw_is_outside_enclave(
out_ptr as *const u8,
cstring.as_bytes().len(),
cstring.as_bytes_with_nul().len(),
) {
return_errno!(EFAULT, "the string is not outside enclave");
}
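Review bot: The whole-range check still runs after the data has been read: `check_ptr(out_ptr)?` validates only the first byte, then `CStr::from_ptr(out_ptr)` scans for the terminator and `CString::from(cstr)` copies the bytes, and only then is `is_inside_user_space` consulted with the resulting length. Because the string length is chosen by the untrusted side, an unterminated buffer at the end of the user range makes the scan and copy touch memory past the validated byte before the EFAULT path can reject it; the safer order is to validate each address (or at least each page) before it is read and to build the `CString` from the bytes gathered during that bounded scan, as sketched below. The second hunk in `from_untrusted` has the same shape with `rsgx_raw_is_outside_enclave` and would take the same treatment. The enclosing functions start and end outside both hunks. Minor: the two added comments spell "first" as "fisrt".
```rust
// … unchanged: NULL check and check_ptr(out_ptr)? …
// Validate each address before it is read, so an attacker-chosen,
// unterminated string cannot make the scan leave user space before
// the range check rejects it. (Checking per page instead of per byte
// is an obvious refinement if is_inside_user_space is costly.)
let mut bytes = Vec::new();
loop {
    let p = unsafe { out_ptr.add(bytes.len()) } as *const u8;
    if !is_inside_user_space(p, 1) {
        return_errno!(EFAULT, "the whole buffer is not in the user space");
    }
    // read_volatile: the memory is untrusted and may change underneath us
    let b = unsafe { core::ptr::read_volatile(p) };
    if b == 0 {
        break;
    }
    bytes.push(b);
}
// bytes contains no interior NUL by construction, so this cannot fail
let cstring = CString::new(bytes).unwrap();
Ok(cstring)
```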

