BUGS found

# Too large size
There is no check of `attr_len`, which can be very large and exceed max size can provided for string at line 43
https://github.com/SOFAEnclave/trusted-function-framework/blob/1c5ab9f5ca6453b71ef4da78b745022d60609fcf/sdk/edl/kubetee.edl#L7
https://github.com/SOFAEnclave/trusted-function-framework/blob/1c5ab9f5ca6453b71ef4da78b745022d60609fcf/sdk/trusted/trusted_pbcall.cpp#L26-L43

# NPD
Although `target_info` is marked as `in`, TBirdge will not process when it's null, and there is not check in real ecall. `target_report` is as the same 
https://github.com/SOFAEnclave/trusted-function-framework/blob/1c5ab9f5ca6453b71ef4da78b745022d60609fcf/sdk/trusted/ra/trusted_ra.cpp#L25-L28

# Arbitarily write
`res_buf` is `user_check`, but have no check, and it can point to Enclave to overwrite Enclave's sensitive data
https://github.com/SOFAEnclave/trusted-function-framework/blob/1c5ab9f5ca6453b71ef4da78b745022d60609fcf/sdk/trusted/trusted_pbcall.cpp#L26-L40

	TeeErrorCode ecall_TeeRun(const char* attr_buf, size_t attr_len,
	const char* req_buf, size_t req_len, char** res_buf,
	size_t* res_len) {
	// check and register functions firstly if they are not registered
	using tee::trusted::TeeInstance;
	TeeInstance& ti = TeeInstance::GetInstance();
	TeeErrorCode ret = ti.RegisterTrustedPbFunctions();
	if (ret != TEE_SUCCESS) {
	ELOG_ERROR_TRACE();
	return ret;
	}

	// Default response length is zero if there is any thing wrong.
	*res_len = 0;
	*res_buf = 0;

	// Get the ecall attributes
	std::string attr_str(attr_buf, attr_len);

	TeeErrorCode ecall_RaVerifyReport(sgx_target_info_t* target_info,
	sgx_report_t* target_report) {
	if (memcmp(target_info->mr_enclave.m, target_report->body.mr_enclave.m,
	sizeof(sgx_measurement_t)) != 0) {

	TeeErrorCode ecall_TeeRun(const char* attr_buf, size_t attr_len,
	const char* req_buf, size_t req_len, char** res_buf,
	size_t* res_len) {
	// check and register functions firstly if they are not registered
	using tee::trusted::TeeInstance;
	TeeInstance& ti = TeeInstance::GetInstance();
	TeeErrorCode ret = ti.RegisterTrustedPbFunctions();
	if (ret != TEE_SUCCESS) {
	ELOG_ERROR_TRACE();
	return ret;
	}

	// Default response length is zero if there is any thing wrong.
	*res_len = 0;
	*res_buf = 0;

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

BUGS found #1

Too large size

NPD

Arbitarily write

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

BUGS found #1

Description

Too large size

NPD

Arbitarily write

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions