On Wed, Oct 05, 2022 at 01:02:39AM +0200, Borys wrote:
> On 10/4/22 23:50, Jarkko Sakkinen wrote:
> > On Mon, Oct 03, 2022 at 07:19:21PM +0200, Borys wrote:
> >> Hi,
> >>
> >> I've stumbled upon the "sgx_validate_offset_length" function in
> >> "arch/x86/kernel/cpu/sgx/ioctl.c" (all of this is based on the 6.0-rc7
> >> version), which does not entirely do what it claims. The "offset" and
> >> "length" parameters are provided by userspace and as such their addition
> >> can overflow, which may result in this function approving malicious
> >> values. Fortunately this does not result in any exploitable bugs at the
> >> moment (or at least I couldn't find any), but this might change if
> >> "sgx_validate_offset_length" is used in a new context or current usages
> >> are changed, so it might be worth fixing anyway. A simple overflow check
> >> `offset + length < offset` should be enough.
> >>
> >> Best regards,
> >>
> >> Borys
> >>
> >
> > I agree with the bug but not on the security issue.
> >
> > If you can call the ioctl API in the first place, you can already apply
> > the operations in arbitrary locations inside the enclave, i.e. it does
> > not introduce any new capability to the untrusted runtime.
> >
> > BR, Jarkko
>
> I meant it could possibly enable some local priv escalation, if other
> code has wrong assumptions. But again, this is purely theoretical,
> current usages fail on invalid values anyway.
>
> Best regards,
> Borys

Yeah, in all cases it needs to be fixed. Thanks for pointing it out.

BR, Jarkko
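The overflow Borys describes, as an added example that is not the kernel's own code: a constructed user-space model of the range check, with the pre-fix shape beside a version carrying the proposed `offset + length < offset` test. PAGE_SIZE, the struct and the exact order of the checks are assumptions modelled on the thread's description rather than copied from ioctl.c; the constructed input is a page-aligned length chosen so that the unsigned sum wraps back inside the enclave.

```c
#include <stdio.h>
#include <errno.h>

/* Assumed constants and types standing in for the kernel's; constructed. */
#define PAGE_SIZE 4096UL
#define IS_ALIGNED(x, a) (((x) & ((a) - 1)) == 0)

struct sgx_encl { unsigned long size; };

/* Pre-fix shape: offset + length is computed with unsigned wrap-around,
 * so a wrapped sum can land inside [0, encl->size) and be accepted. */
static int validate_offset_length_unchecked(const struct sgx_encl *encl,
					    unsigned long offset,
					    unsigned long length)
{
	if (!IS_ALIGNED(offset, PAGE_SIZE))
		return -EINVAL;
	if (!length || !IS_ALIGNED(length, PAGE_SIZE))
		return -EINVAL;
	if (offset + length - PAGE_SIZE >= encl->size)
		return -EINVAL;
	return 0;
}

/* Same checks plus the overflow test from the thread, placed before the
 * sum is used: after wrap-around the sum is smaller than offset. */
static int validate_offset_length_fixed(const struct sgx_encl *encl,
					unsigned long offset,
					unsigned long length)
{
	if (!IS_ALIGNED(offset, PAGE_SIZE))
		return -EINVAL;
	if (!length || !IS_ALIGNED(length, PAGE_SIZE))
		return -EINVAL;
	if (offset + length < offset)
		return -EINVAL;
	if (offset + length - PAGE_SIZE >= encl->size)
		return -EINVAL;
	return 0;
}

int main(void)
{
	struct sgx_encl encl = { .size = 256 * PAGE_SIZE }; /* constructed 1 MiB enclave */
	unsigned long offset = 2 * PAGE_SIZE;
	/* Aligned and non-zero; offset + length wraps to exactly PAGE_SIZE. */
	unsigned long length = 0UL - PAGE_SIZE;

	printf("unchecked: %d\n", validate_offset_length_unchecked(&encl, offset, length)); /* 0 */
	printf("fixed:     %d\n", validate_offset_length_fixed(&encl, offset, length));     /* -EINVAL */
	return 0;
}
```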