Re: sgx_validate_offset_length bug


Hi Borys,

On 10/3/2022 10:19 AM, Borys wrote:
> I've stumbled upon "sgx_validate_offset_length" function in
> "arch/x86/kernel/cpu/sgx/ioctl.c" (all of this is based on 6.0-rc7
> version), which does not entirely do what it claims. "offset" and
> "length" parameters are provided by userspace and as such their
> addition can overflow, which may result in this function approving
> malicious values. Fortunately this does not result in any exploitable
> bugs at the moment (or at least I couldn't find any), but this might
> change if "sgx_validate_offset_length" is used in a new context or
> current usages are changed, so it might be worth fixing anyway.
> Simple overflow check `offset + length < offset` should be enough.

Could you please elaborate where you see a possibility for overflow?

Together the provided values, offset and length, are already ensured to
not exceed the total size of the enclave in the following check:

sgx_validate_offset_length() {
	...
	if (offset + length - PAGE_SIZE >= encl->size)
		return -EINVAL;
	...
}

Reinette
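Added example, not part of this thread or of the kernel source: a stand-alone C model of the quoted size check next to the same check preceded by the wraparound test Borys proposes, with a constructed offset/length pair that wraps unsigned addition. The stripped-down struct sgx_encl, the alignment checks and the sample values are assumptions made for the example.

```c
#include <stddef.h>

#define PAGE_SIZE 4096UL
#define EINVAL 22

/* Stand-in for the kernel's struct sgx_encl: only size matters here. */
struct sgx_encl {
	unsigned long size;
};

/* Shared preconditions (assumed): page-aligned offset, non-zero page-aligned length. */
static int aligned_nonzero(unsigned long offset, unsigned long length)
{
	return !(offset % PAGE_SIZE) && length && !(length % PAGE_SIZE);
}

/* The quoted check as written: offset + length is computed in unsigned long
 * arithmetic and may wrap, so a huge length can look like a small end offset. */
static int validate_unchecked(const struct sgx_encl *encl,
			      unsigned long offset, unsigned long length)
{
	if (!aligned_nonzero(offset, length))
		return -EINVAL;
	if (offset + length - PAGE_SIZE >= encl->size)
		return -EINVAL;
	return 0;
}

/* Same check, rejecting the wrapped sum first. */
static int validate_with_overflow_check(const struct sgx_encl *encl,
					unsigned long offset, unsigned long length)
{
	if (!aligned_nonzero(offset, length))
		return -EINVAL;
	if (offset + length < offset)	/* sum wrapped past ULONG_MAX */
		return -EINVAL;
	if (offset + length - PAGE_SIZE >= encl->size)
		return -EINVAL;
	return 0;
}

/* Constructed input: a length that makes offset + length wrap to target_end
 * (when target_end < offset the subtraction wraps, giving a length near 2^64). */
static unsigned long wrapping_length(unsigned long offset, unsigned long target_end)
{
	return target_end - offset;
}
```

With offset at 16 pages and a length that wraps the sum to 2 pages, the unchecked version accepts a length far larger than the enclave while the guarded version rejects it; ordinary in-range inputs pass both.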


