Bugs found

[LeoneChen]

In seekAndRead, osRead call ocall_read, and get got from host, but without proper check, and then it used in memset of unixRead, cause &pBuf[got] stack overflow

SQLITE_PRIVATE int sqlite3BtreeOpen(...) {
  unsigned char zDbHeader[100];
  rc = sqlite3PagerReadFileheader(...,zDbHeader); // sqlite3PagerReadFileheader call unixRead, and zDbHeader is passed to pBuf
}
static int unixRead(..., void *pBuf, ...) {
  got = seekAndRead(...);
  // if got is not equal to amt or smaller than 0 
  memset(&((char*)pBuf)[got], 0, amt-got); // &pBuf[got] stack overflow
}
static int seekAndRead(...) {
  got = osRead(id->h, pBuf, cnt); // osRead call ocall_read, and get got from host
  return got;
}

[LeoneChen]

UAF 1

ecall_closedb called twice, lead to UAF

#0  ReportGenericError (pc=140737295875590, bp=140737488342096, sp=140737488341976, addr=4961980, is_write=false, access_size=4, fatal=true, msg=0x2dfd59 "Enclave out of bound") at /mnt/hdd/chenliheng/SGXSan/SGXSanRT/SGXSanRTApp/SGXSanRTApp.cpp:516
#1  0x0000000000344f47 in __asan_load4 (addr=4961980, toCmp=false, funcName=0x7ffff47f35e0 <__unnamed_233> "sqlite3SafetyCheckSickOrOk") at /mnt/hdd/chenliheng/SGXSan/SGXSanRT/SGXSanRTApp/PoisonCheck.cpp:90
#2  0x00007ffff486fe06 in sqlite3SafetyCheckSickOrOk (db=0x4bb658) at Enclave/sqlite3.c:28916
#3  0x00007ffff486c96d in sqlite3Close (db=0x4bb658, forceZombie=0) at Enclave/sqlite3.c:141527
#4  0x00007ffff486c8e7 in sqlite3_close (db=0x4bb658) at Enclave/sqlite3.c:141580
#5  0x00007ffff482dedc in ecall_closedb () at Enclave/Enclave.cpp:54
#6  0x00007ffff4826e6f in sgx_ecall_closedb (pms=0x0) at Enclave/Enclave_t.c:281

UAF 2

ecall_execute_sql after ecall_closedb

#0  ReportGenericError (pc=140737295806423, bp=140737488341328, sp=140737488341208, addr=4798172, is_write=false, access_size=4, fatal=true, msg=0x2dfd59 "Enclave out of bound") at /mnt/hdd/chenliheng/SGXSan/SGXSanRT/SGXSanRTApp/SGXSanRTApp.cpp:516
#1  0x0000000000344f47 in __asan_load4 (addr=4798172, toCmp=false, funcName=0x7ffff47f21c0 <__unnamed_180> "sqlite3SafetyCheckOk") at /mnt/hdd/chenliheng/SGXSan/SGXSanRT/SGXSanRTApp/PoisonCheck.cpp:90
#2  0x00007ffff485efd7 in sqlite3SafetyCheckOk (db=0x493678) at Enclave/sqlite3.c:28903
#3  0x00007ffff485de9b in sqlite3_exec (db=0x493678, zSql=0x499f80 "", xCallback=0x7ffff482d7c0 <callback(void*, int, char**, char**)>, pArg=0x0, pzErrMsg=0x7fffffffcc40) at Enclave/sqlite3.c:111147
#4  0x00007ffff482d708 in ecall_execute_sql (sql=0x499f80 "") at Enclave/Enclave.cpp:44
#5  0x00007ffff4826d3c in sgx_ecall_execute_sql (pms=0x7fffffffce08) at Enclave/Enclave_t.c:270