CVE-2023-36199: Two bugs on SGXWallet · Issue #419 · skalenetwork/sgxwallet
An issue in skalenetwork sgxwallet v.1.9.0 and below allows an attacker to cause a denial of service via the trustedGenerateEcdsaKey component.
NULL Pointer De-reference
A null-pointer dereference in trustedGenerateEcdsaKey: the global variable curve is still NULL if trustedGenerateEcdsaKey is called before trustedEnclaveInit, so the ecall dereferences a null pointer and crashes the enclave.
Heap OOB
The ecall trustedBlsSignMessage uses a macro to log error messages. However, the buffer length the macro passes to snprintf does not match the size of the buffer it writes into.
In the EDL file, err_string is declared with a length of 256:
```c
/* EDL Def. */
#define TINY_BUF_SIZE 256
public void trustedBlsSignMessage (
    [out] int *errStatus,
    [out, count = TINY_BUF_SIZE] char* err_string,
    [in, count = TINY_BUF_SIZE] uint8_t* encrypted_key,
    uint64_t enc_len,
    [in, string] char* hashX,
    [in, string] char* hashY,
    [out, count = SMALL_BUF_SIZE] char* signature);
```
The SGX SDK's generated trusted bridge (tbridge) therefore mallocs exactly 256 bytes for _in_err_string:
```c
/* Generated tbridge */
/* sgxwallet/secure_enclave/secure_enclave_t.c */
static sgx_status_t SGX_CDECL sgx_trustedBlsSignMessage(void* pms)
{
    ...
    if (_tmp_err_string != NULL && _len_err_string != 0) {
        if ( _len_err_string % sizeof(*_tmp_err_string) != 0)
        {
            status = SGX_ERROR_INVALID_PARAMETER;
            goto err;
        }
        /* _len_err_string is 256 here */
        if ((_in_err_string = (char*)malloc(_len_err_string)) == NULL) {
            status = SGX_ERROR_OUT_OF_MEMORY;
            goto err;
        }
        memset((void*)_in_err_string, 0, _len_err_string);
    }
```
However, the CHECK_STATUS macro writes into errString with a bound of BUF_LEN, which is defined elsewhere in the project as 1024:
```c
#define CHECK_STATUS(__ERRMESSAGE__) if (status != SGX_SUCCESS) { \
    LOG_ERROR(__FUNCTION__); \
    snprintf(errString, BUF_LEN, "failed with status %d : %s", status, __ERRMESSAGE__); \
    LOG_ERROR(errString); \
    *errStatus = status; \
    goto clean; \
};
```
If the formatted error message is longer than 256 bytes, snprintf is bounded by 1024 rather than 256 and writes past the end of the 256-byte heap buffer allocated by the bridge, an out-of-bounds write on the enclave heap.
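To make the size mismatch concrete, the following is an added C example (not code from sgxwallet or the SGX SDK): it models the CHECK_STATUS write against the 256-byte bridge buffer using the two constants named above, and shows a hardened form in which the snprintf bound is the size the EDL actually declares. The helper names are assumptions, and the 300-byte message is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constants as named on the page: TINY_BUF_SIZE is what the EDL declares for
   err_string (and what the generated bridge mallocs); BUF_LEN is the bound
   CHECK_STATUS hands to snprintf. */
#define TINY_BUF_SIZE 256
#define BUF_LEN       1024

/* Length (excluding the NUL) of the message CHECK_STATUS formats. */
size_t check_status_msg_len(int status, const char *errmessage) {
    return (size_t)snprintf(NULL, 0, "failed with status %d : %s", status, errmessage);
}

/* Model of the CHECK_STATUS write: snprintf stores at most `bound` bytes
   (NUL included) into a buffer that really holds `capacity` bytes.
   Returns 1 when every stored byte is inside the buffer, 0 on an OOB write. */
int check_status_write_in_bounds(int status, const char *errmessage,
                                 size_t bound, size_t capacity) {
    size_t needed = check_status_msg_len(status, errmessage) + 1; /* + NUL */
    size_t stored = needed < bound ? needed : bound;
    return stored <= capacity;
}

/* Hardened formatting (hypothetical helper): the bound is the size of the
   buffer the bridge actually allocated, passed in explicitly. Returns 1 on
   success, 0 if the message had to be truncated to fit. */
int format_err_string(char *err_string, size_t err_string_size,
                      int status, const char *errmessage) {
    if (err_string == NULL || err_string_size == 0)
        return 0;
    int n = snprintf(err_string, err_string_size,
                     "failed with status %d : %s", status, errmessage);
    return n >= 0 && (size_t)n < err_string_size;
}

/* Constructed 300-byte message, longer than TINY_BUF_SIZE, as in the report.
   Returns 1 when the shipped bound is flagged OOB, the fixed bound is not,
   and the hardened helper truncates (255 chars + NUL) instead of overflowing. */
int demo_mismatch(void) {
    char long_msg[301], out[TINY_BUF_SIZE];
    memset(long_msg, 'A', 300);
    long_msg[300] = '\0';
    int unsafe_fits = check_status_write_in_bounds(2, long_msg, BUF_LEN, TINY_BUF_SIZE);
    int safe_fits = check_status_write_in_bounds(2, long_msg, TINY_BUF_SIZE, TINY_BUF_SIZE);
    int truncated = format_err_string(out, sizeof out, 2, long_msg) == 0;
    return unsafe_fits == 0 && safe_fits == 1 && truncated && strlen(out) == TINY_BUF_SIZE - 1;
}
```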