Add sysno check in MessageReader

kongoshuu · kongoshuu · commit 90d7619e9dd9 · 2021-06-03T11:02:29.000-07:00
The sysno in MessageReader is interpreted from the Message header passed
from the host. A malicious Message header may provide a modified sysno
to bypass the validation, and overwrites enclave memory. This change
adds a check for sysno to make sure it matches the expected value.

This issue was reported by Qinkun Bao, Zhaofeng Chen, Mingshen Sun, and
Kang Li from Baidu Security.

PiperOrigin-RevId: 377328054
Change-Id: I3ff6f60694d3390f66da89d139cf7cc7b49abaea
diff --git a/asylo/platform/system_call/system_call.cc b/asylo/platform/system_call/system_call.cc
@@ -115,6 +115,9 @@ extern "C" int64_t enc_untrusted_syscall(int sysno, ...) {
   // Copy outputs back into pointer parameters.
   auto response_reader =
       asylo::system_call::MessageReader({response_buffer, response_size});
+  if (response_reader.sysno() != sysno) {
+    error_handler("system_call.cc: Unexpected sysno in response");
+  }
   const asylo::primitives::PrimitiveStatus response_status =
       response_reader.Validate();
   if (!response_status.ok()) {
