Unchecked buffer overrun in enc_untrusted_read

Vulnerability

In Asylo versions up to 0.6.0, the function enc_untrusted_read does not validate that the return size from the underlying read system call does not exceed the requested count [1]. The parameter size is passed directly to count and the return value is not checked against the buffer size, enabling an out-of-bounds memory read. The vulnerable code path is triggered when an untrusted caller invokes enc_untrusted_read via the host call interface. The commit b1d120a2c7d7446d2cc58d517e20a1b184b82200 fixes this by adding an abort if ret > count [1].

Exploitation

An untrusted attacker can call enc_untrusted_read with a small requested count while the underlying read returns more bytes than requested. Because the return size is not checked against count, the attacker can read memory locations beyond the intended buffer, including memory within the secure enclave. No authentication is required, and the attacker only needs the ability to make host calls from untrusted code.

Impact

Successful exploitation allows an attacker to read arbitrary memory outside the intended buffer, including sensitive data inside the secure enclave. This bypasses the confidentiality guarantees of the enclave, leading to information disclosure of protected data.

Mitigation

Users should upgrade Asylo to a version that includes commit b1d120a2c7d7446d2cc58d517e20a1b184b82200 [1]. No workaround is available for unpatched versions. The repository has been archived and is now read-only, so no further patches are expected.