This is an automated email from the ASF dual-hosted git repository.
rduan pushed a commit to branch v2.0.0-preview
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave-sgx-sdk.git
The following commit(s) were added to refs/heads/v2.0.0-preview by this push:
new 73062c51 Fixed dereferencing pointers in untrusted memory
73062c51 is described below
commit 73062c511265492d7bd915fed916e60b6687a770
Author: volcano <[email protected]>
AuthorDate: Fri Apr 11 15:58:45 2025 +0800
Fixed dereferencing pointers in untrusted memory
---
sgx_trts/src/enclave/init.rs | 35 ++++++++++++++++++++---------------
1 file changed, 20 insertions(+), 15 deletions(-)
diff --git a/sgx_trts/src/enclave/init.rs b/sgx_trts/src/enclave/init.rs
index 1e61526d..c2f27e5a 100644
--- a/sgx_trts/src/enclave/init.rs
+++ b/sgx_trts/src/enclave/init.rs
@@ -107,13 +107,21 @@ pub fn ctors() -> SgxResult {
}
pub fn global_init(tcs: &mut Tcs, raw: *mut InitInfoHeader, tidx: usize) ->
SgxResult {
- let mut header = NonNull::new(raw).ok_or(SgxStatus::Unexpected)?;
- let header = unsafe { header.as_mut() };
- ensure!(header.is_host_range(), SgxStatus::Unexpected);
+ let u_header = NonNull::new(raw)
+ .map(|h| unsafe { h.as_ref() })
+ .ok_or(SgxStatus::Unexpected)?;
+ ensure!(u_header.is_host_range(), SgxStatus::Unexpected);
lfence();
+ // copy to trusted memory.
+ let header = *u_header;
ensure!(header.check(), SgxStatus::Unexpected);
- ensure!(header.as_ref().is_host_range(), SgxStatus::Unexpected);
+ lfence();
+
+ let u_bytes = u_header
+ .as_bytes(header.info_size)
+ .ok_or(SgxStatus::Unexpected)?;
+ ensure!(u_bytes.is_host_range(), SgxStatus::Unexpected);
lfence();
ensure!(state::get_state() == State::InitDone, SgxStatus::Unexpected);
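Review bot: The trusted copy at `let header = *u_header;` is taken through a `&InitInfoHeader` that points into host memory, and Rust's aliasing rules let the optimizer assume the pointee of a live shared reference does not change — so in principle a later use of `header.info_size` may be turned back into a load through `u_header`, which is exactly the untrusted re-read this commit sets out to remove. Prefer `let header = unsafe { core::ptr::read_volatile(raw) };` with a `// SAFETY: raw is non-null and the header range was checked to lie in host memory above` comment, and keep the raw pointer rather than a long-lived reference for anything that still has to touch host memory. `NonNull::new` only rules out null; `raw` is never checked for alignment before `as_ref()` and the copy, so a misaligned pointer from the host is undefined behaviour here — `ensure!(raw.align_offset(core::mem::align_of::<InitInfoHeader>()) == 0, SgxStatus::Unexpected);` before the first read would close that. Whether `header.check()` bounds `info_size` against the header size is not visible in this hunk; `global_init` continues past the end of the hunk.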
@@ -128,7 +136,8 @@ pub fn global_init(tcs: &mut Tcs, raw: *mut InitInfoHeader,
tidx: usize) -> SgxR
let env_len = header.env_len;
let args_len = header.args_len;
- let bytes: Vec<u8> = header.as_mut().into();
+ // copy to trusted memory.
+ let bytes: Vec<u8> = u_bytes.into();
unsafe {
extern "C" {
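Review bot: `u_bytes.into()` allocates and copies `header.info_size` bytes onto the enclave heap, and `info_size` is a host-chosen value; unless `header.check()` (outside this hunk) caps it, a very large value becomes an enclave allocation failure during init instead of a clean `SgxStatus::Unexpected`. If `check()` does not already bound it, an explicit `ensure!` comparing `header.info_size` against a named upper bound, placed next to the existing checks, would make the limit visible at the point of the copy. The same question applies to `env_len` and `args_len`: whether they are verified to fit inside `info_size` before the copied bytes are parsed is not visible here. `global_init` starts and ends outside this hunk.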
@@ -176,18 +185,14 @@ impl InitInfoHeader {
false
}
}
-}
-
-unsafe impl ContiguousMemory for InitInfoHeader {}
-impl AsRef<[u8]> for InitInfoHeader {
- fn as_ref(&self) -> &[u8] {
- unsafe { slice::from_raw_parts(self as *const _ as *const u8,
self.info_size) }
+ fn as_ptr(&self) -> *const InitInfoHeader {
+ self
}
-}
-impl AsMut<[u8]> for InitInfoHeader {
- fn as_mut(&mut self) -> &mut [u8] {
- unsafe { slice::from_raw_parts_mut(self as *mut _ as *mut u8,
self.info_size) }
+ fn as_bytes(&self, len: usize) -> Option<&[u8]> {
+ (self.info_size == len).then(|| unsafe {
slice::from_raw_parts(self.as_ptr().cast(), len) })
}
}
+
+unsafe impl ContiguousMemory for InitInfoHeader {}
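Review bot: `as_bytes` compares `self.info_size` against `len`, and at its call site in `global_init` `self` is the header in host memory, so this comparison is one more read of untrusted memory — the thing the trusted `header` copy was introduced to avoid — while the slice length actually used is `len`, so the comparison adds no safety. Replace it with checks that do not touch host memory: `let ok = len >= core::mem::size_of::<Self>() && (self.as_ptr() as usize).checked_add(len).is_some();` followed by `ok.then(|| unsafe { slice::from_raw_parts(self.as_ptr().cast(), len) })`, so a `len` shorter than the header or an end address that wraps around is rejected before the slice exists. The `unsafe` block also needs a `// SAFETY:` comment stating that the caller must validate the `[self, self + len)` range (in `global_init` this is done with `is_host_range`, after the slice has already been formed) before reading through it, and the method a doc line saying the same.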