Re: [apache/incubator-teaclave-sgx-sdk] fix: correct buffer overwrite in sgx_libc::ocall::{read, pread64, readv, preadv64} (#353)
@volcano0dr please review. thanks! -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/apache/incubator-teaclave-sgx-sdk/pull/353#issuecomment-897327866
Re: [apache/incubator-teaclave-sgx-sdk] build(sgx_unwind): ignore "config.h.in~" to avoid unnecessary rebuilds (#352)
Thank you for fixing this issue! Please help fix the build script in sgx_no_tstd. I will merge this PR after the repair. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/apache/incubator-teaclave-sgx-sdk/pull/352#issuecomment-897296215
Re: [apache/incubator-teaclave] Use struture builder to construct complicated structures (#542)
Merged. Thanks! -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/apache/incubator-teaclave/pull/542#issuecomment-897018996
Re: [apache/incubator-teaclave] Use struture builder to construct complicated structures (#542)
Merged #542 into master. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/apache/incubator-teaclave/pull/542#event-5143830887
[apache/incubator-teaclave-sgx-sdk] std::sys::os::error_string returns the wrong error messages (#354)
Hello,
During our tests, we encountered a strange error message from the enclave. We
were expecting an error message containing "Destination address required" (the
error message for errno 89 on Linux/Ubuntu) but got "Identifier removed (os
error: 89)" instead.
After digging a little in the implementation, we found the following snippet in
`sgx_tstd/src/io/error.rs` :
```
impl fmt::Display for Error {
fn fmt(&self, fmt: &mut fmt::Formatter<'_>) -> fmt::Result {
match self.repr {
Repr::Os(code) => {
let detail = sys::os::error_string(code);
write!(fmt, "{} (os error: {})", detail, code)
}
Repr::Custom(ref c) => c.error.fmt(fmt),
Repr::Simple(kind) => write!(fmt, "{}", kind.as_str()),
Repr::SgxStatus(status) => {
let detail = status.__description();
write!(fmt, "{} (sgx error: {})", detail, status)
}
}
}
}
```
It turns out that the Os error display uses the `error_string` function which
in turn calls `strerror_r` (declared as an external function in sgx_libc).
`strerror_r` is part of the tlibc library from the Intel Linux SGX SDK and is
responsible for this bug because it uses a hardcoded list of error messages
defined there:
https://github.com/intel/linux-sgx/blob/56faf11a455b06fedd6adc3e60b71f6faf05dc0f/sdk/tlibc/gen/errlist.c
The list comes from OpenBSD but not all OS have the same error code - error
message mapping. In our case, we ran our enclave on an Ubuntu system but got
the error message for errno 89 as if we were on OpenBSD!
We can think of several ways to fix this issue.
A first approach would be to open an issue in the Intel Linux SGX
SDK(https://github.com/intel/linux-sgx) repository so that the `strerror_r`
function from Intel SGX SDK returns the appropriate error messages for all OS.
Another (more practical ?) solution would be to address the issue directly in
the teaclave sgx sdk. We could implement `strerror_r` in teaclave using an
OCALL to the `strerror_r` of the host OS. If performance matters, one might
also want to cache the error message, or even better prefetch them at enclave
initialization.
What do you think is the best approach to take?
Best regards,
Huu Tan Mai, Corentin Lauverjat @ Mithril Security
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave-sgx-sdk/issues/354
[apache/incubator-teaclave-sgx-sdk] fix: correct buffer overwrite in sgx_libc::ocall::{read, pread64, readv, preadv64} (#353)
When calling readv on a buffer larger than the data that is read, the excess
buffer data is unintentionally overwritten by zeros upon copying the data from
tmpiovec. Similar buffer overwrites also occur in read, pread64, and preadv64.
This PR fixes this bug by only copying the data that was effectively read by
the read/pread64/readv/preadv64 ocalls, and not the default zeros that were
pushed into the temporary buffer.
Corentin Lauverjat, Huu Tan Mai @ Mithril Security
You can view, comment on, or merge this pull request online at:
https://github.com/apache/incubator-teaclave-sgx-sdk/pull/353
-- Commit Summary --
* fix: correct buffer overwrite in sgx_libc::ocall::{read, pread64, readv,
preadv64}
-- File Changes --
M sgx_libc/src/linux/x86_64/ocall.rs (19)
-- Patch Links --
https://github.com/apache/incubator-teaclave-sgx-sdk/pull/353.patch
https://github.com/apache/incubator-teaclave-sgx-sdk/pull/353.diff
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave-sgx-sdk/pull/353
[apache/incubator-teaclave-sgx-sdk] build(sgx_unwind): ignore "config.h.in~" to avoid unnecessary rebuilds (#352)
Without this fix, the timestamp of `config.h.in~` invalidates the cargo build whenever alternating between the `dev` and `release` profiles. This can be reproduced by repeatedly building `sgx_unwind` with the following invocation: ``` $ cargo build; cargo build --release Compiling sgx_unwind v0.1.1 (…/incubator-teaclave-sgx-sdk/sgx_unwind) Finished dev [unoptimized + debuginfo] target(s) in 22.34s Compiling sgx_unwind v0.1.1 (…/incubator-teaclave-sgx-sdk/sgx_unwind) Finished release [optimized] target(s) in 21.65s ``` With this fix, once they're built, subsequent invocations don't rebuild them: ``` $ cargo build; cargo build --release Finished dev [unoptimized + debuginfo] target(s) in 0.01s Finished release [optimized] target(s) in 0.01s ``` Note that this issue doesn't seem to occur when repeatedly building just a single profile (presumably because that avoids re-invoking the configure script?), but it significantly impacts the interactive development experience for SGX projects that build both `dev` and `release` targets as part of the same build: this makes the difference between rebuilds being nearly instantaneous, or always taking a minute or so for `sgx_unwind` to rebuild. You can view, comment on, or merge this pull request online at: https://github.com/apache/incubator-teaclave-sgx-sdk/pull/352 -- Commit Summary -- * build(sgx_unwind): add missing "config.h.in~" to native_lib_boilerplate filter -- File Changes -- M sgx_unwind/build.rs (1) -- Patch Links -- https://github.com/apache/incubator-teaclave-sgx-sdk/pull/352.patch https://github.com/apache/incubator-teaclave-sgx-sdk/pull/352.diff -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/apache/incubator-teaclave-sgx-sdk/pull/352
