Description
Hi,
We found a buffer overflow and an information leak in Enclave/Enclave.cpp.
There is a global variable "Arg arg_enclave;" in the enclave, and it is initialized in the ecall "enclave_init_values". However, its value is copied from "arg", which is untrusted.
We found a member variable in the structure "Arg" called "int max_buf_size;". We then searched the code to find where "max_buf_size" is used and found two patterns:
The first is like this: "memset(cipher, 0, arg_enclave.max_buf_size);". For example, it is used in "enclave_get", where the parameter "cipher" refers to the buffer in "enclave_process", whose size is a constant (4125). So arg_enclave.max_buf_size can be larger than the buffer size.
The second pattern is "message_return(cipher, arg_enclave.max_buf_size, client_sock);". The function "message_return" is an ocall which writes cipher to client_sock.
In the function "enclave_message_pass", cipher is derived from data which originally comes from "HotCall* hotEcall", while "hotEcall" is transferred from the untrusted part.
So an attacker can set cipher to point to an arbitrary address in the enclave and set client_sock to stdout, which will leak information from the enclave.
Thanks,
yudhui
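The two patterns in the report share one root cause: a size and a pointer that cross the ecall/ocall boundary are used without being checked against the fixed buffer they operate on. The following is an added illustration of the checks a fix would need; it is not code from the reporter or from the project, and it models the report's names in plain C with no SGX SDK. The 4125-byte buffer, the `Arg` struct and `max_buf_size` come from the report; `enclave_init_values_checked`, `region_within`, `message_return_checked` and `CIPHER_BUF_SIZE` are hypothetical names introduced here, and `region_within` stands in for an `sgx_is_within_enclave()`-style range check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration (hypothetical, not the project's code). It models the
 * two patterns from the report: a global Arg copied from an untrusted ecall
 * parameter, and a fixed 4125-byte cipher buffer that memset() and the
 * message_return ocall are later driven over with arg_enclave.max_buf_size. */

#define CIPHER_BUF_SIZE 4125   /* constant buffer size quoted in the report */

typedef struct {
    int max_buf_size;          /* attacker-controlled at the ecall boundary */
} Arg;

static Arg arg_enclave;        /* trusted copy, as in the report */
static unsigned char cipher_buf[CIPHER_BUF_SIZE];

/* Hypothetical checked replacement for the enclave_init_values ecall: copy the
 * untrusted struct first (so a concurrent writer cannot change it between the
 * check and the use), then validate every field before it may drive a
 * memset() size or an ocall length. Returns 0 on success, -1 on rejection;
 * arg_enclave is left unchanged on rejection. */
int enclave_init_values_checked(const Arg *untrusted_arg) {
    Arg local;
    if (untrusted_arg == NULL) return -1;
    memcpy(&local, untrusted_arg, sizeof local);
    if (local.max_buf_size <= 0 || local.max_buf_size > CIPHER_BUF_SIZE) return -1;
    arg_enclave = local;
    return 0;
}

/* Is [ptr, ptr+len) entirely inside [base, base+size)? Written on uintptr_t
 * so that ptr+len cannot wrap. Stands in for an sgx_is_within_enclave()-style
 * check restricted to the one buffer the enclave intends to export. */
bool region_within(const void *base, size_t size, const void *ptr, size_t len) {
    uintptr_t b = (uintptr_t)base, p = (uintptr_t)ptr;
    if (p < b || p - b > size) return false;
    return len <= size - (p - b);
}

/* Hypothetical hardened stand-in for
 * "message_return(cipher, arg_enclave.max_buf_size, client_sock)":
 * refuse to hand the ocall a pointer/length pair that is not fully inside
 * cipher_buf, and never export more than the validated max_buf_size.
 * Returns the number of bytes that would be sent, or -1 if rejected. */
long message_return_checked(const unsigned char *cipher, size_t len) {
    if (!region_within(cipher_buf, sizeof cipher_buf, cipher, len)) return -1;
    if (len > (size_t)arg_enclave.max_buf_size) return -1;
    return (long)len;
}
```

The first check closes the memset overflow (a `max_buf_size` larger than 4125 is refused at initialization, so the later `memset(cipher, 0, arg_enclave.max_buf_size)` can never exceed the buffer), and the second closes the leak (a `cipher` pointer that does not lie inside the buffer the enclave owns is never passed to the ocall, whatever `hotEcall` contained).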