From 12cb488f36fd8b344e313430870fa5e807b54fc6 Mon Sep 17 00:00:00 2001
From: Kun Lai
Date: Fri, 13 Jan 2023 11:00:50 +0000
Subject: [PATCH] [libos] Fix vulnerable nonce in DCAP verifier

This commit fixed a security issue in the dcap verifier. The issue was caused by the '[in, out]' attributes of pointer parameter qve_report_info in the ocall function occlum_ocall_verify_dcap_quote(). This led to the vulnerability where the protected qve_report_info.nonce field in libos could be arbitrarily rewritten by attacker outside libos.

Signed-off-by: Kun Lai
---
 src/libos/src/util/sgx/dcap/quote_verifier.rs | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/libos/src/util/sgx/dcap/quote_verifier.rs b/src/libos/src/util/sgx/dcap/quote_verifier.rs
index c37fb4ae..ae1e47c6 100644
--- a/src/libos/src/util/sgx/dcap/quote_verifier.rs
+++ b/src/libos/src/util/sgx/dcap/quote_verifier.rs
@@ -39,6 +39,7 @@ impl QuoteVerifier {
         let mut collateral_expiration_status = 1;
         let mut supplemental_data = vec![0; self.supplemental_data_size as usize];
         let mut qve_report_info = sgx_ql_qe_report_info_t::default();
+        let mut nonce;
 
         unsafe {
             let sgx_status = sgx_read_rand(
@@ -48,6 +49,7 @@ impl QuoteVerifier {
             if sgx_status != sgx_status_t::SGX_SUCCESS {
                 return_errno!(EAGAIN, "failed to get random number from sgx");
             }
+            nonce = qve_report_info.nonce;
         }
 
         qve_report_info.app_enclave_target_info = get_self_target()?;
@@ -66,6 +68,9 @@ impl QuoteVerifier {
             supplemental_data.as_mut_ptr(),
         );
         assert_eq!(sgx_status_t::SGX_SUCCESS, sgx_status);
+        // We have to re-write qve_report_info.nonce with the value we backed up earlier,
+        // since qve_report_info.nonce can be overwrite by attacker from ocall side.
+        qve_report_info.nonce = nonce;
     }
 
     match qe3_ret {
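Review bot: `let mut nonce;` in the first hunk declares the backup as mutable and uninitialized although it is assigned exactly once (in the second hunk), so rustc will flag it with `unused_mut`; plain `let nonce;` is all deferred initialization needs. The forward declaration can go away entirely: the later assignment `nonce = qve_report_info.nonce;` is an ordinary by-value field copy that needs no `unsafe` (presumably `sgx_quote_nonce_t` is `Copy`, as the code already relies on), so writing `let nonce = qve_report_info.nonce;` immediately after the first `unsafe` block closes keeps that block down to the `sgx_read_rand` call it exists for and makes the backup immutable by construction. The enclosing method starts before this hunk; only `impl QuoteVerifier {` is visible from the hunk header.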
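Review bot: The backup/restore in the third hunk protects only `nonce`, but the same `[in, out]` attribute that let the host rewrite the nonce lets it rewrite every other field of `qve_report_info` (notably `qe_report`) as well as the other out-pointers passed to the ocall, and the hunk ends before anything validates them, so restoring the nonce only pays off if the QvE report is subsequently verified against it — which cannot be confirmed from here, since the code after `match qe3_ret {` is outside the hunk. A more durable fix would stop round-tripping the nonce through the ocall at all (make it `[in]`-only in the EDL, or hand the ocall a separate copy of the struct) instead of patching the symptom in the caller. The added comment has a grammar slip (`overwrite` → `overwritten`) and undersells the threat; I would replace it with `// The ocall parameter is [in, out], so the untrusted side may overwrite any field of qve_report_info.` / `// Restore the nonce from the enclave-side copy so the QvE report is checked against the value we generated.`. The pre-existing `assert_eq!` just above the new lines aborts the enclave on any ocall transport failure, which the host can trigger at will; a `return_errno!` as already used for the `sgx_read_rand` failure would be the consistent, non-panicking choice. The enclosing method begins before and continues after this hunk.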