[security]write data without checking malloc result.

[jmp0x7c00]

Dear sir,

This code didn't check whether malloc() result is NULL and writed sensitive data to it,
as we know, the attacker can mmap the address 0, if the attacker do that, the sensitve data will be writed outside enclave.

in file PrivacyGuard/DataBroker/Enclave/enclave.cpp line ,vulnerability code is here:

sgx_status_t ECALL_enclave_DO_config(int num_DOs)
{
    int i;
    sgx_status_t ret = SGX_SUCCESS;

    sk_key_DO = (sgx_ec_key_128bit_t *) malloc(num_DOs * sizeof(sgx_ec_key_128bit_t));
    // here.
    // same issue to varaible sk_key_DO and DO_data_key_assigned 
    DO_data_key = (sgx_aes_gcm_128bit_key_t *) malloc(num_DOs * sizeof(sgx_aes_gcm_128bit_key_t));
    DO_data_key_assigned = (bool *) malloc(num_DOs * sizeof(bool));

    for(i = 0; i < num_DOs; i++)
    {
        DO_data_key_assigned[i] = false;
    }

    return ret;
}

here sensitive data is writen:

if(!DO_data_key_assigned[DO_ID-1])
    {
        /* Generate a 16-Byte data encryption key for DO's data */
        sgx_read_rand(DO_data_key[DO_ID-1], sizeof(sgx_aes_gcm_128bit_key_t));  //   the data encryption key will be leaked if malloc fails 

[yang-sec]

Thanks and that's a legit concern. I am thinking of ditching malloc and instead, we assign fixed-size arrays (i.e., a fixed maximum number of DOs) to these keys. I guess we should have this fixed number publicized as DataBroker parameter.

[jmp0x7c00]

same issues:

PrivacyGuard/CEE/isv_enclave/enclave_svm.cpp

Line 2006 in 1ef665f

double *ymv = Malloc(double,prob->l);

PrivacyGuard/CEE/isv_enclave/enclave_svm.cpp

Line 2205 in 1ef665f

bool *nonzero = Malloc(bool,l);

PrivacyGuard/CEE/isv_enclave/enclave_svm.cpp

Line 2283 in 1ef665f

int *nz_count = Malloc(int,nr_class);

PrivacyGuard/CEE/isv_enclave/enclave_svm.cpp

Line 2312 in 1ef665f

int *nz_start = Malloc(int,nr_class);

PrivacyGuard/CEE/isv_enclave/enclave_svm.cpp

Line 2574 in 1ef665f

int *start = Malloc(int,nr_class);

//sk_key_DO, DO_data_key , it is sensitive

PrivacyGuard/CEE/isv_enclave/isv_enclave.cpp

Line 404 in 1ef665f

DO_data_key = (sgx_aes_gcm_128bit_key_t *) malloc(num_DOs * sizeof(sgx_aes_gcm_128bit_key_t));

PrivacyGuard/DataBroker/Enclave/enclave.cpp

Line 298 in 1ef665f

sk_key_DO = (sgx_ec_key_128bit_t *) malloc(num_DOs * sizeof(sgx_ec_key_128bit_t));

PrivacyGuard/DataBroker/Enclave/enclave.cpp

Line 299 in 1ef665f

DO_data_key = (sgx_aes_gcm_128bit_key_t *) malloc(num_DOs * sizeof(sgx_aes_gcm_128bit_key_t));

PrivacyGuard/DataBroker/Enclave/enclave.cpp

Line 300 in 1ef665f

DO_data_key_assigned = (bool *) malloc(num_DOs * sizeof(bool));

PrivacyGuard/Enclave_testML/isv_enclave/enclave_svm.cpp

Line 2006 in 1ef665f

double *ymv = Malloc(double,prob->l);

[jmp0x7c00]

updated:

PrivacyGuard/CEE_old/isv_enclave/isv_enclave.cpp

Line 2970 in 94e888a

double *weighted_C = Malloc(double, nr_class);

PrivacyGuard/Enclave_testML/isv_enclave/enclave_svm.cpp

Line 2116 in 94e888a

svm_model *model = Malloc(svm_model,1);

PrivacyGuard/CEE/isv_enclave/enclave_fann.cpp

Line 2718 in 94e888a

struct fann_train_data *data =