BUG写手

Results 55 comments of BUG写手

Maybe you can try my [fixed version](https://github.com/LeoneChen/SGX_SQLite/tree/base)

Seems to use the Occlum version of [linux-sgx](https://github.com/occlum/linux-sgx)

Thanks for the response! I've used a hard breakpoint, and I ran add-symbol-file for the user-space shared library in gdb, but it failed. I'll try other methods. Still, thanks for the help!

Hi @Wenzel! Currently I use gdbserver in the qemu VM to debug user-space tasks. First we have to add gdbserver into the initrd. I use the gen_initrd.sh provided by the kAFL example...

SGXSan belongs to my project EnclaveFuzz, which is different from SGXFuzz. EnclaveFuzz is almost done, but it is under several tests. EnclaveFuzz shall be published in the near future.

# Null Pointer Dereference

Since the zero address is under the control of the untrusted host, NPD is dangerous for an enclave. If `ssl_conn_handle` is called before `ssl_conn_init`, `connectionHandler` can be NULL, since address...

# Null Pointer Dereference

Although `thread_info` is `in,out`, the SGX TBridge just passes null to the real ECALL: https://github.com/bl4ck5un/mbedtls-SGX/blob/eab8e36a1e670a2fa66105735143eafa51931bff/example/enclave/Enclave.edl#L12

`thread_info` is null: https://github.com/bl4ck5un/mbedtls-SGX/blob/eab8e36a1e670a2fa66105735143eafa51931bff/example/enclave/ecalls.cpp#L44-L46

Even if `this` is not NULL, `thread_info` can be...

# UAF 1

`ecall_closedb` called twice leads to a UAF:

```
#0 ReportGenericError (pc=140737295875590, bp=140737488342096, sp=140737488341976, addr=4961980, is_write=false, access_size=4, fatal=true, msg=0x2dfd59 "Enclave out of bound") at /mnt/hdd/chenliheng/SGXSan/SGXSanRT/SGXSanRTApp/SGXSanRTApp.cpp:516
#1 0x0000000000344f47 in __asan_load4...
```

Thanks to you both, I'll take a look.

# Arbitrary access

In `ecall_EC_KEY_free` -> `EC_KEY_free` -> `EC_GROUP_free` -> `EC_EX_DATA_free_all_data`, in `d->free_func(d->data)`, `d` comes from an ECALL parameter, and `d->free_func` can be set by the host, causing arbitrary execution. And can...
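The two bug classes reported in the comments above (an `[in,out]` ECALL pointer that the trusted bridge passes through as NULL, and a host-controlled function pointer reached through a `[user_check]` struct) share one root cause: the edger8r-generated bridge marshals memory but does not vouch for pointer validity. The following is an added example, not code from any of the projects or issues quoted on this page. It needs no SGX SDK: the "enclave" is a static buffer, `bridge_inout` is a hand-written stand-in for the generated trusted bridge (assumption: it mirrors the real bridge's behaviour of copying non-NULL `[in,out]` buffers and forwarding NULL unchanged), and the struct, field and function names are hypothetical. Real enclave code would use `sgx_is_within_enclave` / `sgx_is_outside_enclave` on top of the checks shown here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simulated enclave heap. Assumption: in a real enclave, the SDK's
 * sgx_is_within_enclave() would answer range questions against the real layout. */
static _Alignas(16) unsigned char enclave_mem[4096];

/* ---- Case 1: an [in,out] pointer that the host passes as NULL ---- */
struct thread_info { int id; int status; };

/* ECALL body in the shape the mbedtls-SGX comment describes: trusts thread_info. */
int ecall_thread_vuln(struct thread_info *ti) {
    ti->status = 1;              /* ti == NULL writes host-controlled page 0 */
    return 0;
}

/* Hardened: `[in,out]` only tells the bridge how to copy; it never implies non-NULL. */
int ecall_thread_hardened(struct thread_info *ti) {
    if (ti == NULL) return -1;
    ti->status = 1;
    return 0;
}

/* Stand-in for the generated trusted bridge of `[in,out] struct thread_info *`:
 * a non-NULL host pointer is copied into enclave memory before the call and
 * copied back afterwards, but a NULL host pointer reaches the ECALL unchanged. */
int bridge_inout(int (*ecall)(struct thread_info *), struct thread_info *host) {
    struct thread_info *in = NULL;
    if (host != NULL) {
        in = (struct thread_info *)enclave_mem;   /* stands in for malloc() inside the enclave */
        memcpy(in, host, sizeof *in);             /* copy-in */
    }
    int rc = ecall(in);
    if (in != NULL) memcpy(host, in, sizeof *in); /* copy-out */
    return rc;
}

int demo_inout_copied(void) {   /* host passes a real struct: status comes back as 1 */
    struct thread_info ti = { 7, 0 };
    bridge_inout(ecall_thread_vuln, &ti);
    return ti.status;
}

int demo_inout_null(void) {     /* host passes NULL: the hardened ECALL refuses with -1 */
    return bridge_inout(ecall_thread_hardened, NULL);
}

/* ---- Case 2: a function pointer inside host-supplied data ---- */
struct ex_data { void *data; void (*free_func)(void *); };

static int hijacked_calls;
static void host_code(void *p) { (void)p; hijacked_calls++; } /* attacker-chosen target */
static void enclave_free(void *p) { (void)p; }                /* the legitimate callback */

/* `[user_check]` pointers are forwarded untouched, so d and every field of *d
 * are host-controlled: the d->free_func(d->data) pattern from the comment above. */
int ecall_free_vuln(struct ex_data *d) {
    d->free_func(d->data);       /* jumps wherever the host wrote */
    return 0;
}

/* Hardened: invoke only a callback the enclave itself defined. Better still,
 * copy the struct in and never accept function pointers from the host at all. */
int ecall_free_hardened(struct ex_data *d) {
    if (d == NULL) return -1;
    if (d->free_func != enclave_free) return -2;
    d->free_func(d->data);
    return 0;
}

int demo_fptr_vuln(void) {      /* returns how many times host code ran inside "the enclave" */
    struct ex_data d = { NULL, host_code };
    hijacked_calls = 0;
    ecall_free_vuln(&d);
    return hijacked_calls;
}

int demo_fptr_hardened(void) {  /* returns -2 only if the call was refused and host code never ran */
    struct ex_data d = { NULL, host_code };
    hijacked_calls = 0;
    int rc = ecall_free_hardened(&d);
    return (rc == -2 && hijacked_calls == 0) ? -2 : 0;
}
```

The point of `bridge_inout` is the asymmetry a reader might not expect: the bridge does plenty of work for a non-NULL pointer, so it is easy to assume NULL is filtered too, yet NULL is exactly what the real ECALL receives. The `ex_data` half shows why `[user_check]` data must be treated as fully attacker-controlled, function pointers included.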