Unchecked buffer overrun in enc_untrusted_recvfrom
Description
An arbitrary memory read vulnerability in Asylo versions up to 0.6.0 allows an untrusted attacker to make a call to enc_untrusted_recvfrom whose return size was not validated against the requested size. The parameter size is unchecked, allowing the attacker to read memory locations outside of the intended buffer size, including memory addresses within the secure enclave. We recommend upgrading past commit 6e158d558abd3c29a0208e30c97c9a8c5bd4230f.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Asylo up to 0.6.0, enc_untrusted_recvfrom does not validate the return size, allowing an attacker to read arbitrary memory including within the secure enclave.
Vulnerability
A memory safety vulnerability exists in Google's Asylo (up to version 0.6.0) within the enc_untrusted_recvfrom trusted host call. The function receives data into a caller-supplied buffer but does not validate that the number of bytes returned by the host (result) is less than or equal to the requested len. This allows an untrusted attacker to make a call where the host returns a size larger than len, causing subsequent memcpy operations (which use std::min(len, buffer_received.size())) to copy data from unintended memory locations outside the intended buffer [1]. The fix was introduced in commit 6e158d558abd3c29a0208e30c97c9a8c5bd4230f.
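A minimal model of the missing size check described above, added here as an illustration; it is not Asylo's code. HostReply, recv_unchecked and recv_checked are hypothetical names, the host reply is a constructed value, and returning -1 on a bad reply is this example's assumption about how to fail.

```cpp
// Added illustration, not Asylo source. All names here are hypothetical.
#include <algorithm>
#include <cstdio>
#include <cstring>
#include <sys/types.h>
#include <vector>

// Reply marshalled back from the untrusted host: a claimed byte count and
// the payload. The enclave must treat both fields as attacker-controlled.
struct HostReply {
  ssize_t result;             // host-claimed number of bytes received
  std::vector<char> payload;  // bytes actually delivered to the enclave
};

// Unchecked pattern: the copy is clamped to len, but the claimed size is
// handed to the caller as-is, so the return value can exceed len.
ssize_t recv_unchecked(const HostReply& reply, void* buf, size_t len) {
  if (reply.result < 0) return reply.result;
  std::memcpy(buf, reply.payload.data(), std::min(len, reply.payload.size()));
  return reply.result;
}

// Checked pattern: refuse a reply whose claimed size exceeds the request or
// the payload delivered. Returning -1 is this example's choice of failure.
ssize_t recv_checked(const HostReply& reply, void* buf, size_t len) {
  if (reply.result < 0) return reply.result;
  const size_t claimed = static_cast<size_t>(reply.result);
  if (claimed > len || claimed > reply.payload.size()) return -1;
  std::memcpy(buf, reply.payload.data(), claimed);
  return reply.result;
}

int main() {
  char buf[8] = {0};
  // Constructed reply: 8 payload bytes, but the host claims 64 were received.
  const HostReply lying{64, std::vector<char>(8, 'A')};
  std::printf("requested=%zu unchecked=%zd checked=%zd\n", sizeof buf,
              recv_unchecked(lying, buf, sizeof buf),
              recv_checked(lying, buf, sizeof buf));
  return 0;
}
```

A caller that treats the unchecked return value as the number of valid bytes in its buffer would go on to process 64 bytes of an 8-byte buffer; the checked wrapper rejects the reply at the enclave boundary instead.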
Exploitation
An untrusted attacker must be able to invoke the enc_untrusted_recvfrom trusted host call. The attacker controls the return size from the host (by controlling the network or host environment), which is not checked against the requested len. By crafting a response with a result greater than len, the attacker can cause the trusted code to read memory beyond the allocated buffer [1]. No additional authentication is required beyond the ability to make the host call.
Impact
Successful exploitation results in an arbitrary memory read. The attacker can read memory locations outside the intended buffer, including memory addresses within the secure enclave. This can lead to disclosure of sensitive data protected by the enclave, such as cryptographic keys or application secrets. The compromise is limited to confidentiality (information disclosure) and does not directly allow code execution or modification [1].
Mitigation
The vulnerability is fixed in commit 6e158d558abd3c29a0208e30c97c9a8c5bd4230f and later versions of Asylo. Users should upgrade to a version of Asylo that includes this commit. No workaround is available if the fix cannot be applied. The repository has been archived and is read-only as of April 2026, so no further updates are expected [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Google LLC/Asylo (v5), Range: unspecified
Patches
No patches discovered yet.
References
[1] github.com/google/asylo/commit/6e158d558abd3c29a0208e30c97c9a8c5bd4230f (mitre, x_refsource_CONFIRM)