ehsm
Bugs found in ehsm
Hello~
Heap OOB
enclave_decrypt, as defined in the EDL, sets cmk_size as cmk's size, but an attacker can feed a cmk_size smaller than sizeof(ehsm_keyblob_t), and the TBridge only mallocs cmk_size bytes for it.

```
public sgx_status_t enclave_decrypt([in, size=cmk_size] ehsm_keyblob_t* cmk, size_t cmk_size,
                                    [in, size=aad_size] ehsm_data_t *aad, size_t aad_size,
                                    [in, size=ciphertext_size] ehsm_data_t *ciphertext, size_t ciphertext_size,
                                    [in, out, size=plaintext_size] ehsm_data_t *plaintext, size_t plaintext_size);
```
Then, in the function enclave_decrypt, reading cmk->keybloblen will access invalid memory out of bounds, e.g. cmk->keybloblen is at offset 0x30 but cmk_size is fed with 0x20.

```c
sgx_status_t enclave_decrypt(ehsm_keyblob_t *cmk, size_t cmk_size,
                             ehsm_data_t *aad, size_t aad_size,
                             ehsm_data_t *ciphertext, size_t ciphertext_size,
                             ehsm_data_t *plaintext, size_t plaintext_size)
{
    sgx_status_t ret = SGX_ERROR_UNEXPECTED;
    // cmk->keybloblen is dereferenced here before cmk_size has been checked
    // against sizeof(ehsm_keyblob_t), so a short cmk buffer is read out of bounds.
    if (cmk == NULL ||
        cmk_size != APPEND_SIZE_TO_KEYBLOB_T(cmk->keybloblen) ||
        cmk->keybloblen == 0 ||
        cmk->metadata.origin != EH_INTERNAL_KEY)
        return SGX_ERROR_INVALID_PARAMETER;
    ...
}
```
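A hardened ordering of the same check, as an added example that is not part of this report or of the ehsm project: the buffer length is validated against the fixed header size before any field is read, so a short cmk is rejected without touching keybloblen. The struct layout, the APPEND_SIZE_TO_KEYBLOB_T definition, the error codes and the helper names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed, simplified layout of ehsm_keyblob_t (constructed for this example):
 * a fixed header, keybloblen at offset 0x30 as in the report, then keybloblen
 * bytes of key material. */
typedef struct {
    uint8_t  metadata[0x30];   /* stands in for the real metadata fields */
    uint32_t keybloblen;       /* offset 0x30 */
    uint8_t  keyblob[];        /* flexible array of keybloblen bytes */
} ehsm_keyblob_t;

/* Assumed equivalent of the real APPEND_SIZE_TO_KEYBLOB_T macro. */
#define APPEND_SIZE_TO_KEYBLOB_T(len) (sizeof(ehsm_keyblob_t) + (size_t)(len))

enum { KB_OK = 0, KB_ERR_NULL, KB_ERR_TOO_SHORT, KB_ERR_ZERO_LEN, KB_ERR_LEN_MISMATCH };

/* Hardened validation: every field read is gated on the untrusted cmk_size. */
int validate_keyblob(const void *buf, size_t cmk_size)
{
    if (buf == NULL)
        return KB_ERR_NULL;
    /* 1. The fixed header must fit entirely inside the buffer the bridge copied. */
    if (cmk_size < sizeof(ehsm_keyblob_t))
        return KB_ERR_TOO_SHORT;
    /* 2. Only now is reading keybloblen in bounds (memcpy avoids alignment assumptions). */
    uint32_t keybloblen;
    memcpy(&keybloblen, (const uint8_t *)buf + offsetof(ehsm_keyblob_t, keybloblen), sizeof keybloblen);
    if (keybloblen == 0)
        return KB_ERR_ZERO_LEN;
    /* 3. Guard the size addition against overflow before comparing it to cmk_size. */
    if ((size_t)keybloblen > SIZE_MAX - sizeof(ehsm_keyblob_t))
        return KB_ERR_LEN_MISMATCH;
    if (cmk_size != APPEND_SIZE_TO_KEYBLOB_T(keybloblen))
        return KB_ERR_LEN_MISMATCH;
    return KB_OK;
}

/* Build a constructed keyblob carrying n key bytes into out; returns its length, 0 if it does not fit. */
size_t make_keyblob(uint8_t *out, size_t cap, uint32_t n)
{
    size_t total = APPEND_SIZE_TO_KEYBLOB_T(n);
    if (total > cap)
        return 0;
    memset(out, 0, total);
    memcpy(out + offsetof(ehsm_keyblob_t, keybloblen), &n, sizeof n);
    return total;
}

/* Validate a constructed blob of n key bytes when the caller claims cmk_size = claimed. */
int check_claimed_size(uint32_t n, size_t claimed)
{
    uint8_t buf[256];
    if (make_keyblob(buf, sizeof buf, n) == 0)
        return -1;
    return validate_keyblob(buf, claimed);
}
```

With this ordering the 0x20-byte case from the report fails at step 1, before offset 0x30 is ever dereferenced.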