SGX_SQLite

[Security] Use after free in enclave

Open mustakimur opened this issue 6 years ago • 0 comments

ecall_closedb() must set the db pointer to NULL after freeing the object.

void ecall_closedb(){
    sqlite3_close(db);
    db = NULL; // change
    ocall_println_string("Enclave: Closed database connection");
}

Otherwise a check like:

  if (db == 0){
     return ERR;
  }
  magic = db->magic_byte;

will fail from multiple places.

mustakimur, Jun 13 '19 21:06
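The guard pattern from the issue, as an added C example that is not part of the original issue or the SGX_SQLite code. `fake_db`, `slot`, `POISON` and the helper names are constructed stand-ins: static storage models the released heap object so the stale read is observable without real undefined behaviour. It also goes one step past the issue by counting a second close on the stale handle.

```c
#include <stdio.h>
#include <string.h>

#define MAGIC_OPEN 0xA5   /* constructed value, not SQLite's real magic */
#define POISON     0xDD   /* fill pattern written on release */
#define ERR        (-1)

/* Constructed stand-in for the sqlite3 handle (not SQLite's layout). */
struct fake_db { unsigned char magic_byte; int live; };

static struct fake_db slot;   /* models the heap chunk behind the handle */
static struct fake_db *db;    /* enclave-global handle, as in the issue */
static int double_closes;     /* closes performed on an already released object */

static void fake_open(void) { slot.magic_byte = MAGIC_OPEN; slot.live = 1; db = &slot; }

/* Models sqlite3_close(): NULL is a no-op, otherwise release and poison. */
static void fake_close(struct fake_db *p) {
    if (p == NULL) return;
    if (!p->live) double_closes++;
    memset(p, POISON, sizeof *p);
    p->live = 0;
}

void closedb_unpatched(void) { fake_close(db); }             /* db left dangling */
void closedb_patched(void)   { fake_close(db); db = NULL; }  /* fix from the issue */

/* Guard from the issue: only a NULL handle is rejected. */
int read_magic(void) {
    if (db == 0) return ERR;
    return db->magic_byte;
}

/* 1 when the NULL check passes although the object was already released. */
int guard_reached_freed_object(void) { return db != 0 && !db->live; }

int main(void) {
    fake_open(); closedb_unpatched();
    printf("unpatched: magic=0x%X stale_read=%d\n",
           (unsigned)read_magic(), guard_reached_freed_object());
    closedb_unpatched();                       /* second close hits stale handle */
    fake_open(); closedb_patched(); closedb_patched();
    printf("patched:   read=%d stale_read=%d double_closes=%d\n",
           read_magic(), guard_reached_freed_object(), double_closes);
    return 0;
}
```
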