From 36918e42bf6732c4d3996bc99eb013eb6b90b249 Mon Sep 17 00:00:00 2001
From: "zongmin.gu"
Date: Thu, 25 Nov 2021 17:36:23 +0800
Subject: [PATCH] Check the buffer address before copy the data from the buffer
This commit fixed an Occlum security issue. The researchers from KU Leuven (Belgium) and the University of Birmingham (UK) found it and reported it to Occlum team. Thank you, Jo Van Bulck, Frank Piessens, Fritz Alder, David Oswald, Jesse Spielman and Sam Thomas.
---
 src/libos/src/util/mem_util.rs | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/libos/src/util/mem_util.rs b/src/libos/src/util/mem_util.rs
index 519cb4ea..7e10a90d 100644
--- a/src/libos/src/util/mem_util.rs
+++ b/src/libos/src/util/mem_util.rs
@@ -48,9 +48,12 @@ pub mod from_user {
 return_errno!(EINVAL, "NULL address is invalid");
 }
+ // confirm that at least the fisrt byte of the string is from user
+ check_ptr(out_ptr)?;
+
 let cstr = unsafe { CStr::from_ptr(out_ptr) };
 let cstring = CString::from(cstr);
- if !is_inside_user_space(out_ptr as *const u8, cstring.as_bytes().len()) {
+ if !is_inside_user_space(out_ptr as *const u8, cstring.as_bytes_with_nul().len()) {
 return_errno!(EFAULT, "the whole buffer is not in the user space");
 }
 Ok(cstring)
@@ -127,11 +130,14 @@ pub mod from_untrusted {
 return_errno!(EINVAL, "NULL address is invalid");
 }
+ // confirm that at least the fisrt byte of the string is out side of enclave
+ check_ptr(out_ptr)?;
+
 let cstr = unsafe { CStr::from_ptr(out_ptr) };
 let cstring = CString::from(cstr);
 if !sgx_trts::trts::rsgx_raw_is_outside_enclave(
 out_ptr as *const u8,
- cstring.as_bytes().len(),
+ cstring.as_bytes_with_nul().len(),
 ) {
 return_errno!(EFAULT, "the string is not outside enclave");
 }
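Review bot: The new `check_ptr(out_ptr)?` validates only the first byte (as its comment says), yet the following `CStr::from_ptr(out_ptr)` still scans forward for the NUL terminator and `CString::from(cstr)` copies the bytes before `is_inside_user_space` is given the full length, so a user buffer without a terminator inside user space still makes enclave code read, and allocate for, memory past the user region; the range check rejects the result but does not prevent the access. A bounded length scan that verifies each range with `is_inside_user_space` before reading it, followed by a single copy, would close that gap, and the same ordering concern applies to the `rsgx_raw_is_outside_enclave` hunk in `from_untrusted`. Because the source memory is untrusted and can change between any check and the copy, the length handed to the range check should be the one measured on the already-copied bytes, which is what the hunk does; that rationale is worth a comment next to the check. The added comments also carry typos: `// confirm that at least the first byte of the string is from user` and, in the second hunk, `// confirm that at least the first byte of the string is outside the enclave`. The enclosing functions begin and end outside both hunks.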