
Merge pull request from GHSA-mg2p-657r-46cj

* Fix size-and-allocate OCALLs

- Enclave functions that make two OCALLs — one to size and one to fill an enclave buffer that is then returned to the host — could leak enclave heap contents: if the host reported a larger size than the data actually written, the enclave copied the full (larger) buffer out to the host.
- Such functions now require that the size obtained from the sizing call matches the size actually written before any data based on that buffer size is copied back to the host.

* Update SECURITY.md
CodeMonkeyLeet committed Oct 8, 2019
1 parent f46418d commit a39476e5de854317a1a74ec3c08257a00c1625d5
Showing with 26 additions and 15 deletions.
  1. +3 −3 SECURITY.md
  2. +4 −1 enclave/core/sgx/backtrace.c
  3. +19 −11 enclave/core/sgx/report.c
@@ -12,9 +12,9 @@ supported versions of Open Enclave:

| Version | Supported |
| ------- | ------------------ |
| 0.6.x | :white_check_mark: |
| 0.6.0 | :white_check_mark: |
| < 0.6 | :x: |
| 0.7.x | :white_check_mark: |
| 0.7.0 | :white_check_mark: |
| < 0.7 | :x: |

## Reporting a Vulnerability

@@ -141,8 +141,11 @@ char** oe_backtrace_symbols(void* const* buffer, int size)
goto done;
}

if ((oe_result_t)retval != OE_OK)
if ((oe_result_t)retval != OE_OK ||
symbols_buffer_size_out != symbols_buffer_size)
{
goto done;
}
}
else if ((oe_result_t)retval != OE_OK)
{
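Review bot: The new condition `symbols_buffer_size_out != symbols_buffer_size` carries no comment explaining why a size mismatch must be fatal, and a later maintainer could easily relax it to a `<=` check and reopen the heap-leak the commit message describes. I would add above the `if`: `/* The host must report exactly the size it was asked to fill; otherwise the buffer may carry uninitialized enclave heap bytes that would be copied out (GHSA-mg2p-657r-46cj). */`. Because the mismatch path shares `goto done` with a plain OCALL failure, a distinct error or log line would make a misbehaving host distinguishable from an ordinary failure, if the function's error contract permits it. oe_backtrace_symbols begins and ends outside this hunk, so I cannot see what `done:` returns on that path.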
@@ -302,9 +302,10 @@ oe_result_t oe_get_report_v2(
uint8_t** report_buffer,
size_t* report_buffer_size)
{
oe_result_t result;
oe_result_t result = OE_UNEXPECTED;
uint8_t* tmp_buffer = NULL;
size_t tmp_buffer_size = 0;
size_t out_buffer_size = 0;

if ((report_buffer == NULL) || (report_buffer_size == NULL))
{
@@ -324,7 +325,8 @@ oe_result_t oe_get_report_v2(
&tmp_buffer_size);
if (result != OE_BUFFER_TOO_SMALL)
{
return result;
result = (result == OE_OK) ? OE_UNEXPECTED : result;
OE_RAISE(result);
}

tmp_buffer = oe_calloc(1, tmp_buffer_size);
@@ -333,24 +335,30 @@ oe_result_t oe_get_report_v2(
return OE_OUT_OF_MEMORY;
}

result = _oe_get_report_internal(
out_buffer_size = tmp_buffer_size;
OE_CHECK(_oe_get_report_internal(
flags,
report_data,
report_data_size,
opt_params,
opt_params_size,
tmp_buffer,
&tmp_buffer_size);
if (result != OE_OK)
{
oe_free(tmp_buffer);
return result;
}
&out_buffer_size));

if (out_buffer_size != tmp_buffer_size)
OE_RAISE(OE_UNEXPECTED);

*report_buffer = tmp_buffer;
*report_buffer_size = tmp_buffer_size;
*report_buffer = tmp_buffer;
tmp_buffer = NULL;

result = OE_OK;

return OE_OK;
done:
if (tmp_buffer)
oe_free(tmp_buffer);

return result;
}

void oe_free_report(uint8_t* report_buffer)
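Review bot: `tmp_buffer_size`, obtained from the sizing call, is passed straight to `oe_calloc(1, tmp_buffer_size)` with no upper bound, so if that size originates from a host OCALL as the commit description says, a malicious host can still force an arbitrarily large enclave allocation (heap exhaustion) even though the new `out_buffer_size != tmp_buffer_size` check now blocks the over-copy; I would reject an implausible size before allocating, e.g. `if (tmp_buffer_size == 0 || tmp_buffer_size > MAX) OE_RAISE(OE_UNEXPECTED);` with MAX being whatever maximum report size the project already defines. Separately, the retained `return OE_OUT_OF_MEMORY;` after `oe_calloc` bypasses the new `done:` path; it is safe today because nothing is owned yet, but `OE_RAISE(OE_OUT_OF_MEMORY);` would keep the function on a single exit and match the other raises in this hunk. The output assignments would also benefit from a one-line comment that ownership of `*report_buffer` passes to the caller, who must release it with `oe_free_report`. oe_get_report_v2's parameter list starts before the first hunk and `OE_RAISE`/`OE_CHECK` are defined elsewhere, so I am assuming they set `result` and jump to `done`.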
