VYPR
Unrated severity · NVD Advisory · Published Dec 15, 2020 · Updated Aug 4, 2024

Out of Bounds read in Asylo

CVE-2020-8939

Description

An out-of-bounds read in the enc_untrusted_inet_ntop function allows an attacker to extend the result size that is used by memcpy() to read memory from within the enclave heap. We recommend upgrading past commit 6ff3b77ffe110a33a2f93848a6333f33616f02c4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An out-of-bounds read in Asylo's enc_untrusted_inet_ntop allows an attacker to read memory beyond the intended buffer within the enclave heap.

Vulnerability

In Google Asylo (a framework for enclave applications), the enc_untrusted_inet_ntop function in asylo/platform/host_call/trusted/ performs an out-of-bounds read. The original code used memcpy(dst, result.data(), std::min(static_cast<size_t>(size), static_cast<size_t>(INET6_ADDRSTRLEN))), but the variable size (provided by the untrusted caller) could be larger than the actual result buffer length, allowing memcpy to copy data beyond the valid heap allocation. This affects all versions prior to the fix in commit 6ff3b77ffe110a33a2f93848a6333f33616f02c4 [1].

Exploitation

The attacker must be able to control the size parameter passed to enc_untrusted_inet_ntop from outside the enclave (e.g., via a compromised or malicious untrusted host process). No additional authentication is required beyond the ability to invoke this host call. By providing an overly large size value, the attacker can cause memcpy to read beyond the bounds of result.data() into adjacent enclave heap memory.

Impact

Successful exploitation results in an out-of-bounds read, leaking sensitive data from the enclave heap. The attacker may gain knowledge of secret keys, application data, or other protected information residing in memory adjacent to the result buffer. The confidentiality of the enclave is compromised; there is no direct write or code execution impact described in the available references.

Mitigation

The vulnerability is fixed in commit 6ff3b77ffe110a33a2f93848a6333f33616f02c4, which adds static_cast<size_t>(result.size()) to the min call, ensuring that memcpy does not copy more bytes than the actual result buffer contains [1]. All users should update their Asylo dependency to include this commit. No workaround is available. The Asylo project has been archived and is now read-only.
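
The length calculation before and after the fix, as an added C++ example (not Asylo's source): kMaxAddrLen, copy_len_before, copy_len_after, overread and copy_result are hypothetical names, and the sample address is constructed. It computes how far the unfixed min() would let memcpy run past the result buffer without performing that read.

```cpp
// Added illustration, not Asylo code. Only the two min() expressions follow
// the advisory text; every name here is hypothetical.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Stand-in for INET6_ADDRSTRLEN (46 on POSIX), so no socket headers are needed.
constexpr std::size_t kMaxAddrLen = 46;

// Before the fix: bounded by `size` and INET6_ADDRSTRLEN only.
std::size_t copy_len_before(std::size_t size, const std::string& result) {
  (void)result;  // the length of the returned buffer is never consulted
  return std::min(size, kMaxAddrLen);
}

// After the fix: result.size() joins the min(), so the copy stays inside result.
std::size_t copy_len_after(std::size_t size, const std::string& result) {
  return std::min({size, kMaxAddrLen, result.size()});
}

// Bytes a memcpy of length n would read past the end of result.
std::size_t overread(std::size_t n, const std::string& result) {
  return n > result.size() ? n - result.size() : 0;
}

// Hardened copy using the fixed length; returns the number of bytes copied.
std::size_t copy_result(char* dst, std::size_t size, const std::string& result) {
  const std::size_t n = copy_len_after(size, result);
  std::memcpy(dst, result.data(), n);
  return n;
}

int main() {
  const std::string result = "127.0.0.1";  // constructed sample, 9 bytes
  const std::size_t size = 46;             // requested length larger than result
  std::printf("before: len=%zu overread=%zu\n", copy_len_before(size, result),
              overread(copy_len_before(size, result), result));
  std::printf("after:  len=%zu overread=%zu\n", copy_len_after(size, result),
              overread(copy_len_after(size, result), result));
  char dst[kMaxAddrLen] = {0};
  std::printf("copied %zu bytes: %s\n", copy_result(dst, sizeof dst, result), dst);
  return 0;
}
```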

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Google/asylo (llm-fuzzy)
    Range: < commit 6ff3b77ffe110a33a2f93848a6333f33616f02c4
  • Google LLC/Asylo (v5)
    Range: unspecified

References

1
