Open
Description
Too large size
There is no check of attr_len, which can be very large and exceed the max size that can be provided for a string at line 43
```
[user_check] const char* attr_buf, size_t attr_len,
```
trusted-function-framework/sdk/trusted/trusted_pbcall.cpp
Lines 26 to 43 in 1c5ab9f
```cpp
TeeErrorCode ecall_TeeRun(const char* attr_buf, size_t attr_len,
                          const char* req_buf, size_t req_len, char** res_buf,
                          size_t* res_len) {
  // check and register functions firstly if they are not registered
  using tee::trusted::TeeInstance;
  TeeInstance& ti = TeeInstance::GetInstance();
  TeeErrorCode ret = ti.RegisterTrustedPbFunctions();
  if (ret != TEE_SUCCESS) {
    ELOG_ERROR_TRACE();
    return ret;
  }
  // Default response length is zero if there is any thing wrong.
  *res_len = 0;
  *res_buf = 0;
  // Get the ecall attributes
  std::string attr_str(attr_buf, attr_len);
```
NPD
Although target_info is marked as in, TBridge will not process it when it's null, and there is no check in the real ecall. The same applies to target_report.
trusted-function-framework/sdk/trusted/ra/trusted_ra.cpp
Lines 25 to 28 in 1c5ab9f
```cpp
TeeErrorCode ecall_RaVerifyReport(sgx_target_info_t* target_info,
                                  sgx_report_t* target_report) {
  if (memcmp(target_info->mr_enclave.m, target_report->body.mr_enclave.m,
             sizeof(sgx_measurement_t)) != 0) {
```
Arbitrary write
res_buf is user_check but has no check, and it can point into the Enclave to overwrite the Enclave's sensitive data
trusted-function-framework/sdk/trusted/trusted_pbcall.cpp
Lines 26 to 40 in 1c5ab9f
```cpp
TeeErrorCode ecall_TeeRun(const char* attr_buf, size_t attr_len,
                          const char* req_buf, size_t req_len, char** res_buf,
                          size_t* res_len) {
  // check and register functions firstly if they are not registered
  using tee::trusted::TeeInstance;
  TeeInstance& ti = TeeInstance::GetInstance();
  TeeErrorCode ret = ti.RegisterTrustedPbFunctions();
  if (ret != TEE_SUCCESS) {
    ELOG_ERROR_TRACE();
    return ret;
  }
  // Default response length is zero if there is any thing wrong.
  *res_len = 0;
  *res_buf = 0;
```
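The checks the three findings above call for (null pointer, length cap, and pointer range for `user_check` arguments), sketched as an added example that is not part of the issue or the project's code. The helper names, `kMaxAttrLen` and the enclave address range are assumptions made for illustration; inside a real enclave the range test would be the SGX SDK's `sgx_is_outside_enclave()`.

```cpp
#include <cstddef>
#include <cstdint>

// Constructed enclave range so the example runs outside SGX. In a real
// enclave, call sgx_is_outside_enclave() instead of IsOutsideEnclave().
static const uintptr_t kEnclaveBase = 0x10000000;  // constructed value
static const size_t kEnclaveSize = 0x01000000;     // constructed value
static const size_t kMaxAttrLen = 4096;            // assumed policy limit

enum CheckResult { CHECK_OK, CHECK_NULL, CHECK_TOO_LARGE, CHECK_INSIDE };

// True only if [addr, addr + size) lies entirely outside the enclave range
// and the end address does not wrap around.
static bool IsOutsideEnclave(uintptr_t addr, size_t size) {
  if (size > UINTPTR_MAX - addr) return false;  // addr + size would wrap
  const uintptr_t end = addr + size;
  const uintptr_t enclave_end = kEnclaveBase + kEnclaveSize;
  return end <= kEnclaveBase || addr >= enclave_end;
}

// Untrusted input buffer such as attr_buf/attr_len: reject null, cap the
// length before any copy into enclave memory, require untrusted memory.
static CheckResult CheckInputBuffer(uintptr_t buf, size_t len, size_t max_len) {
  if (buf == 0) return CHECK_NULL;
  if (len > max_len) return CHECK_TOO_LARGE;
  if (!IsOutsideEnclave(buf, len)) return CHECK_INSIDE;
  return CHECK_OK;
}

// Untrusted output slot such as res_buf/res_len: the enclave writes through
// it, so it must not be null and must not point into the enclave.
static CheckResult CheckOutputSlot(uintptr_t slot, size_t slot_size) {
  if (slot == 0) return CHECK_NULL;
  if (!IsOutsideEnclave(slot, slot_size)) return CHECK_INSIDE;
  return CHECK_OK;
}

int main() {
  // Constructed addresses: one outside the enclave, one inside it.
  bool ok = CheckInputBuffer(0x1000, 64, kMaxAttrLen) == CHECK_OK &&
            CheckOutputSlot(kEnclaveBase + 0x100, sizeof(char*)) == CHECK_INSIDE;
  return ok ? 0 : 1;
}
```

In the ecall these checks would run before `*res_len = 0;`, `*res_buf = 0;` and the `std::string` construction, returning an error code on any result other than `CHECK_OK`.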