
[Security issue]

Open yudhui opened this issue 2 years ago • 0 comments

Hello, we found some vulnerabilities in server/Enclave/app.cpp. For example, the first parameter "id" in "enclave_get_id_buf" is a uint32_t pointer. However, it is declared in the EDL as [user-check]. An attacker can make it point to an arbitrary address in the enclave.

Then in "enclave_get_id_buf", data is copied to the "id" buffer from "enc_id_buf". Note that the untrusted OS does not need to execute "enclave_init_id_buf" first, so it points to a null address.

A null address is outside the enclave, which can be controlled by the untrusted OS. So an attacker can write an arbitrary value at an arbitrary address and compromise the control flow in the enclave.

yudhui avatar Nov 23 '21 05:11 yudhui
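The report above hinges on two things the enclave trusted without checking: a `[user-check]` pointer that the EDL does not marshal or validate, and a trusted-side buffer whose initialising ECALL may never have been run. The following is an added example written for this page, not code from the sgx-genome-variants-search project; it models the hardened shape of such an ECALL in plain C so that it compiles without the SGX SDK. The enclave address range, the `model_is_outside_enclave` helper, the `id_len` parameter, the buffer contents and the status codes are all constructed for illustration. In a real enclave the range check is `sgx_is_outside_enclave()` from `sgx_trts.h`, and the simpler fix is to drop `[user-check]` altogether and declare the parameter as `[out, count=...] uint32_t *id` so the edger8r-generated bridge copies it through a checked, enclave-owned buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Status codes for the modelled ECALL (constructed for this example). */
enum { ECALL_OK = 0, ECALL_ERR_UNINIT = 1, ECALL_ERR_BAD_PTR = 2, ECALL_ERR_BAD_LEN = 3 };

/* Constructed stand-in for the enclave's address range. A real enclave does not
 * track this itself; it calls sgx_is_outside_enclave(ptr, len) from sgx_trts.h. */
static uintptr_t g_enclave_base = 0;
static size_t g_enclave_size = 0;

void model_set_enclave_range(const void *base, size_t size) {
    g_enclave_base = (uintptr_t)base;
    g_enclave_size = size;
}

/* Returns 1 only if [p, p+n) is non-null, does not wrap, and lies entirely
 * outside the modelled enclave range; this is the property sgx_is_outside_enclave() checks. */
int model_is_outside_enclave(const void *p, size_t n) {
    uintptr_t a = (uintptr_t)p;
    if (p == NULL || n == 0) return 0;
    if (a + n < a) return 0;                 /* pointer arithmetic would wrap */
    uintptr_t end = a + n;
    uintptr_t eb = g_enclave_base, ee = g_enclave_base + g_enclave_size;
    return (end <= eb) || (a >= ee);
}

/* Hypothetical trusted-side state mirroring the report: enc_id_buf stays NULL
 * until enclave_init_id_buf() has run. */
#define ID_BUF_LEN 4
static uint32_t enc_id_storage[ID_BUF_LEN];
static uint32_t *enc_id_buf = NULL;

void enclave_init_id_buf(void) {
    /* Constructed sample values standing in for whatever the real enclave stores. */
    for (size_t i = 0; i < ID_BUF_LEN; i++) enc_id_storage[i] = 0x11111111u * (uint32_t)(i + 1);
    enc_id_buf = enc_id_storage;
}

/* Weak shape described in the report: a [user-check] pointer used as the copy
 * destination with no validation, and no check that init has run. Shown for
 * contrast only; it is never called here because with enc_id_buf == NULL it
 * dereferences a null pointer. */
void enclave_get_id_buf_weak(uint32_t *id) {
    memcpy(id, enc_id_buf, ID_BUF_LEN * sizeof(uint32_t));
}

/* Hardened shape: refuse to run before initialisation, bound the copy length,
 * and require the whole destination to lie outside the enclave. */
int enclave_get_id_buf_hardened(uint32_t *id, size_t id_len) {
    if (enc_id_buf == NULL) return ECALL_ERR_UNINIT;     /* init ECALL not yet executed */
    if (id_len != ID_BUF_LEN) return ECALL_ERR_BAD_LEN;  /* caller-supplied length must match */
    size_t nbytes = id_len * sizeof(uint32_t);
    if (!model_is_outside_enclave(id, nbytes)) return ECALL_ERR_BAD_PTR;
    memcpy(id, enc_id_buf, nbytes);
    return ECALL_OK;
}

/* Two constructed regions: one treated as enclave memory, one as untrusted memory. */
static uint32_t inside_region[16];
static uint32_t outside_region[16];

int main(void) {
    model_set_enclave_range(inside_region, sizeof(inside_region));
    printf("before init: %d\n", enclave_get_id_buf_hardened(outside_region, ID_BUF_LEN));
    enclave_init_id_buf();
    printf("null dest:   %d\n", enclave_get_id_buf_hardened(NULL, ID_BUF_LEN));
    printf("inside dest: %d\n", enclave_get_id_buf_hardened(inside_region, ID_BUF_LEN));
    printf("valid dest:  %d (id[0]=0x%08x)\n",
           enclave_get_id_buf_hardened(outside_region, ID_BUF_LEN), outside_region[0]);
    return 0;
}
```

The ordering of the checks matters: the initialisation test comes first so that a caller cannot learn anything about the enclave layout from which error it receives, and the range check covers the full `nbytes`, not just the first byte, so a destination that starts outside the enclave but ends inside it is also rejected.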