SealSettings(args) { // <<---- args is on the enclave stack, but the struct it points to is in the host process region
    if (!in_host_process(args->data_to_seal, args->sz_data_to_seal)) { // <<--- checked here
        return ERROR;
    }
    // <<--- host process threads can write the region here
    size_t local_size = args->sz_data_to_seal + 4;
    void* local_buffer = malloc(local_size);
    size_t needed = 0;
    // \/ ---- BUG - a thread in the host process may change args->data_to_seal before it is used in the memcpy below
    memcpy(local_buffer, args->data_to_seal, local_size);
    EnclaveSealData(local_buffer, local_size, args->protectedBlob, args->sz_protected_blob, &needed);
    return needed;
}
Summary
A bypass in the fix for CVE-2023-36880 enables the host process to change addresses between check and use in the enclave: the arg pointer passed to the seal/unseal functions is dereferenced and the addresses it holds are validated, then it is dereferenced again to obtain the regions to read from and write to, so a host thread can rewrite the struct in between.
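The double fetch above, with the single-fetch pattern that closes it, as an added example that is not code from the advisory or from the affected product. It models host and enclave memory as two static arrays, `in_host_process` as a hypothetical range check over the host array, and the racing host thread as a callback invoked inside the check-to-use window; `seal_double_fetch`, `seal_single_fetch` and `run_race` are constructed names. The hardened variant copies the host-owned struct into enclave memory once and validates and uses only that snapshot, so a later host write to the shared struct cannot retarget the copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory model (not a real enclave API): host_mem stands in for
 * the host-visible region, enclave_secret for enclave-private memory. */
static unsigned char host_mem[256];
static unsigned char enclave_secret[16] = "ENCLAVE-SECRET!";
#define MAX_SEAL 128

/* Argument struct shared with the host; mirrors the advisory's args. */
typedef struct {
    const unsigned char *data_to_seal;
    size_t sz_data_to_seal;
} seal_args_t;

/* Hypothetical range check: is [p, p+len) entirely inside host memory? */
static int in_host_process(const void *p, size_t len) {
    uintptr_t lo = (uintptr_t)host_mem, hi = lo + sizeof host_mem, a = (uintptr_t)p;
    return a >= lo && a <= hi && len <= hi - a;
}

/* Stands in for a concurrent host thread writing the shared struct inside the
 * check-to-use window. NULL means the host does not race. */
static void (*host_writer)(seal_args_t *shared) = NULL;

/* Vulnerable shape: the host-resident struct is read once for the check and
 * again for the copy, so the second read may see host-modified fields. */
int seal_double_fetch(seal_args_t *shared, unsigned char *out, size_t *out_len) {
    if (!in_host_process(shared->data_to_seal, shared->sz_data_to_seal) ||
        shared->sz_data_to_seal > MAX_SEAL)
        return -1;                                   /* check */
    if (host_writer) host_writer(shared);            /* host writes here */
    *out_len = shared->sz_data_to_seal;              /* second fetch */
    memcpy(out, shared->data_to_seal, *out_len);     /* use of unchecked value */
    return 0;
}

/* Hardened shape: snapshot the struct into enclave memory, validate the
 * snapshot, and never dereference the host copy again. */
int seal_single_fetch(const seal_args_t *shared, unsigned char *out, size_t *out_len) {
    seal_args_t a;
    memcpy(&a, shared, sizeof a);                    /* single fetch */
    if (!in_host_process(a.data_to_seal, a.sz_data_to_seal) || a.sz_data_to_seal > MAX_SEAL)
        return -1;
    if (host_writer) host_writer((seal_args_t *)shared); /* same window, no effect */
    *out_len = a.sz_data_to_seal;
    memcpy(out, a.data_to_seal, *out_len);           /* uses validated snapshot */
    return 0;
}

/* Constructed race: after the check passes, the host points the struct at
 * enclave-private memory so the enclave copies its own secret. */
static void retarget_to_enclave(seal_args_t *shared) {
    shared->data_to_seal = enclave_secret;
    shared->sz_data_to_seal = sizeof enclave_secret;
}

/* Drives one variant. Returns 1 if the sealed bytes came from enclave_secret
 * (check bypassed), 0 if they came from host data, -1 if the call was rejected. */
int run_race(int hardened, int race) {
    static seal_args_t shared;                       /* models the host-owned struct */
    unsigned char *payload = host_mem + 64;
    memcpy(payload, "hostdata", 8);
    shared.data_to_seal = payload;
    shared.sz_data_to_seal = 8;
    host_writer = race ? retarget_to_enclave : NULL;

    unsigned char out[MAX_SEAL];
    size_t n = 0;
    int rc = hardened ? seal_single_fetch(&shared, out, &n)
                      : seal_double_fetch(&shared, out, &n);
    host_writer = NULL;
    if (rc != 0) return -1;
    return (n == sizeof enclave_secret && memcmp(out, enclave_secret, n) == 0) ? 1 : 0;
}

int main(void) {
    printf("double fetch, no race : %d\n", run_race(0, 0));
    printf("double fetch, race    : %d\n", run_race(0, 1));
    printf("single fetch, race    : %d\n", run_race(1, 1));
    return 0;
}
```

The bounded `MAX_SEAL` check on the snapshot also matters: the advisory's `sz_data_to_seal + 4` arithmetic and the allocation that follows it should only ever operate on a size the enclave has already copied and validated.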
Severity
Low - This vulnerability enabled the host process to change addresses between check and use in the enclave.
Proof of Concept
Timeline
Date reported: 12/14/2023
Date fixed: 2/28/2024
Date disclosed: 4/4/2024