Check for output_len range in ecall_restore

kongoshuu · kongoshuu · commit e582f36ac49e · 2020-07-21T17:22:14.000-07:00
This may cause vulnerablity if pointing to trusted memory.

This issue was reported by Qinkun Bao, Zhaofeng Chen, Mingshen Sun, and
Kang Li from Baidu Security.

PiperOrigin-RevId: 322476223
Change-Id: I8a6406e9f07a20582d4387bd9a3469dfa9cbcb12
diff --git a/asylo/platform/primitives/sgx/ecalls.cc b/asylo/platform/primitives/sgx/ecalls.cc
@@ -62,9 +62,11 @@ int ecall_take_snapshot(char **output, uint64_t *output_len) {
 int ecall_restore(const char *input, uint64_t input_len, char **output,
                   uint64_t *output_len) {
   if (!asylo::primitives::TrustedPrimitives::IsOutsideEnclave(input,
-                                                              input_len)) {
+                                                              input_len) ||
+      !asylo::primitives::TrustedPrimitives::IsOutsideEnclave(
+          output_len, sizeof(uint64_t))) {
     asylo::primitives::TrustedPrimitives::BestEffortAbort(
-        "ecall_restore: input found to not be in untrusted memory.");
+        "ecall_restore: input/output found to not be in untrusted memory.");
   }
   int result = 0;
   size_t tmp_output_len;
