VYPR
Unrated severity · NVD Advisory · Published Dec 15, 2020 · Updated Aug 4, 2024

Arbitrary enclave memory location write from untrusted environment

CVE-2020-8938

Description

An arbitrary memory overwrite vulnerability in Asylo versions up to 0.6.0 allows an attacker to make a host call to FromkLinuxSockAddr with attacker-controlled content and size of klinux_addr, which allows an attacker to write memory values from within the enclave. We recommend upgrading past commit a37fb6a0e7daf30134dbbf357c9a518a1026aa02.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Asylo 0.6.0 and earlier allows arbitrary memory overwrite via unsanitized input length in FromkLinuxSockAddr.

Vulnerability

The vulnerability resides in the FromkLinuxSockAddr function within Asylo, a security enclave framework, up to version 0.6.0. The function converts Linux socket address structures but fails to validate that the input_len parameter is at least the size of the expected klinux_sockaddr variant (e.g., klinux_sockaddr_un, klinux_sockaddr_in, klinux_sockaddr_in6). This allows an attacker to provide a crafted klinux_addr with a malicious size, leading to an arbitrary memory overwrite [1].

Exploitation

An attacker with code execution capability within the enclave can invoke a host call to FromkLinuxSockAddr with attacker-controlled input and input_len. By supplying a klinux_addr whose input_len is smaller than the required structure size, the function reads beyond the input buffer and writes attacker-controlled data into adjacent memory locations. No authentication or special privileges are required beyond enclave code execution [1].

Impact

Successful exploitation results in arbitrary memory overwrite from within the enclave. This can lead to compromise of enclave integrity, disclosure of sensitive data, or escalation to host-level code execution, depending on the overwritten memory [1].

Mitigation

The issue was fixed in commit bda9772e7872b0d2b9bee32930cf7a4983837b39, which adds input length checks for each socket address family (AF_UNIX, AF_INET, AF_INET6). Users should upgrade past commit a37fb6a0e7daf30134dbbf357c9a518a1026aa02. No workaround is available. Note that the Asylo repository has been archived [1].
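
The per-family length check described above, as an added example that is not taken from the Asylo source or its fix commit. It assumes a POSIX host and uses the standard sockaddr_un, sockaddr_in and sockaddr_in6 types as stand-ins for the klinux_sockaddr variants; convert_sockaddr and required_len are hypothetical names.

```c
/* Added illustration, not Asylo source. Host sockaddr types stand in for the
 * klinux_sockaddr_* variants; convert_sockaddr() is a hypothetical name. */
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Bytes the structure for this family occupies; 0 means unsupported. */
static size_t required_len(sa_family_t family) {
    switch (family) {
    case AF_UNIX:  return sizeof(struct sockaddr_un);
    case AF_INET:  return sizeof(struct sockaddr_in);
    case AF_INET6: return sizeof(struct sockaddr_in6);
    default:       return 0;
    }
}

/* input/input_len arrive from the untrusted side; out/out_cap are trusted.
 * Returns 0 and sets *out_len on success, -1 if any length check fails. */
int convert_sockaddr(const void *input, size_t input_len,
                     void *out, size_t out_cap, size_t *out_len) {
    const size_t fam_off = offsetof(struct sockaddr, sa_family);
    sa_family_t family;

    /* The family field itself must lie inside the supplied buffer. */
    if (!input || !out || !out_len || input_len < fam_off + sizeof(family))
        return -1;
    memcpy(&family, (const char *)input + fam_off, sizeof(family));

    /* Reject short input (over-read) and short output (overwrite). */
    size_t need = required_len(family);
    if (need == 0 || input_len < need || out_cap < need)
        return -1;
    memcpy(out, input, need); /* copy exactly the validated size */
    *out_len = need;
    return 0;
}

int main(void) {
    /* Constructed input: claims AF_INET6 but is only sizeof(struct sockaddr). */
    struct sockaddr short6 = { .sa_family = AF_INET6 };
    struct sockaddr_storage out;
    size_t n = 0;
    int rc = convert_sockaddr(&short6, sizeof short6, &out, sizeof out, &n);
    printf("truncated AF_INET6 input: %s\n", rc ? "rejected" : "accepted");
    return 0;
}
```

At a real enclave boundary the untrusted buffer would first be copied into enclave memory, so the family cannot change between the check and the copy.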

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Google/asylo (llm-fuzzy)
    Range: <=0.6.0
  • Google LLC/Asylo (v5)
    Range: unspecified

References

1
