Merge pull request from GHSA-mg2p-657r-46cj

* Fix size-and-allocate OCALLs - Enclave functions that make two OCALLs to size and allocate enclave buffers which are then returned to host can leak enclave heap information if the enclave is provided a larger size than necessary, then copies the larger size out to host. - Functions that do this now require that the initial size matches the written data size before information based on that buffer size are copied back to host. * Update SECURITY.md
openenclave · Oct 8, 2019 · a39476e · a39476e
1 parent f46418d
commit a39476e
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 15 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -12,9 +12,9 @@ supported versions of Open Enclave:
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 0.6.x   | :white_check_mark: |
+| 0.7.x   | :white_check_mark: |
-| 0.6.0   | :white_check_mark: |
+| 0.7.0   | :white_check_mark: |
-| < 0.6   | :x:                |
+| < 0.7   | :x:                |
 
 ## Reporting a Vulnerability
 

diff --git a/enclave/core/sgx/backtrace.c b/enclave/core/sgx/backtrace.c
@@ -141,8 +141,11 @@ char** oe_backtrace_symbols(void* const* buffer, int size)
             goto done;
         }
 
-        if ((oe_result_t)retval != OE_OK)
+        if ((oe_result_t)retval != OE_OK ||
+            symbols_buffer_size_out != symbols_buffer_size)
+        {
             goto done;
+        }
     }
     else if ((oe_result_t)retval != OE_OK)
     {

diff --git a/enclave/core/sgx/report.c b/enclave/core/sgx/report.c
@@ -302,9 +302,10 @@ oe_result_t oe_get_report_v2(
     uint8_t** report_buffer,
     size_t* report_buffer_size)
 {
-    oe_result_t result;
+    oe_result_t result = OE_UNEXPECTED;
     uint8_t* tmp_buffer = NULL;
     size_t tmp_buffer_size = 0;
+    size_t out_buffer_size = 0;
 
     if ((report_buffer == NULL) || (report_buffer_size == NULL))
     {
@@ -324,7 +325,8 @@ oe_result_t oe_get_report_v2(
         &tmp_buffer_size);
     if (result != OE_BUFFER_TOO_SMALL)
     {
-        return result;
+        result = (result == OE_OK) ? OE_UNEXPECTED : result;
+        OE_RAISE(result);
     }
 
     tmp_buffer = oe_calloc(1, tmp_buffer_size);
@@ -333,24 +335,30 @@ oe_result_t oe_get_report_v2(
         return OE_OUT_OF_MEMORY;
     }
 
-    result = _oe_get_report_internal(
+    out_buffer_size = tmp_buffer_size;
+    OE_CHECK(_oe_get_report_internal(
         flags,
         report_data,
         report_data_size,
         opt_params,
         opt_params_size,
         tmp_buffer,
-        &tmp_buffer_size);
+        &out_buffer_size));
-    if (result != OE_OK)
+
-    {
+    if (out_buffer_size != tmp_buffer_size)
-        oe_free(tmp_buffer);
+        OE_RAISE(OE_UNEXPECTED);
-        return result;
-    }
 
-    *report_buffer = tmp_buffer;
     *report_buffer_size = tmp_buffer_size;
+    *report_buffer = tmp_buffer;
+    tmp_buffer = NULL;
+
+    result = OE_OK;
 
-    return OE_OK;
+done:
+    if (tmp_buffer)
+        oe_free(tmp_buffer);
+
+    return result;
 }
 
 void oe_free_report(uint8_t* report_buffer)