
Commit 73062c5

committed
Fixed dereferencing pointers in untrusted memory
1 parent af7174a commit 73062c5


1 file changed

+20
-15
lines changed


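--- a/sgx_trts/src/enclave/init.rs
+++ b/sgx_trts/src/enclave/init.rs
@@ -107,13 +107,21 @@ pub fn ctors() -> SgxResult {
 }
 
 pub fn global_init(tcs: &mut Tcs, raw: *mut InitInfoHeader, tidx: usize) -> SgxResult {
-let mut header = NonNull::new(raw).ok_or(SgxStatus::Unexpected)?;
-let header = unsafe { header.as_mut() };
-ensure!(header.is_host_range(), SgxStatus::Unexpected);
+let u_header = NonNull::new(raw)
+.map(|h| unsafe { h.as_ref() })
+.ok_or(SgxStatus::Unexpected)?;
+ensure!(u_header.is_host_range(), SgxStatus::Unexpected);
 lfence();
 
+// copy to trusted memory.
+let header = *u_header;
 ensure!(header.check(), SgxStatus::Unexpected);
-ensure!(header.as_ref().is_host_range(), SgxStatus::Unexpected);
+lfence();
+
+let u_bytes = u_header
+.as_bytes(header.info_size)
+.ok_or(SgxStatus::Unexpected)?;
+ensure!(u_bytes.is_host_range(), SgxStatus::Unexpected);
 lfence();
 
 ensure!(state::get_state() == State::InitDone, SgxStatus::Unexpected);
@@ -128,7 +136,8 @@ pub fn global_init(tcs: &mut Tcs, raw: *mut InitInfoHeader, tidx: usize) -> SgxR
 let env_len = header.env_len;
 let args_len = header.args_len;
 
-let bytes: Vec<u8> = header.as_mut().into();
+// copy to trusted memory.
+let bytes: Vec<u8> = u_bytes.into();
 
 unsafe {
 extern "C" {
@@ -176,18 +185,14 @@ impl InitInfoHeader {
 false
 }
 }
-}
-
-unsafe impl ContiguousMemory for InitInfoHeader {}
 
-impl AsRef<[u8]> for InitInfoHeader {
-fn as_ref(&self) -> &[u8] {
-unsafe { slice::from_raw_parts(self as *const _ as *const u8, self.info_size) }
+fn as_ptr(&self) -> *const InitInfoHeader {
+self
 }
-}
 
-impl AsMut<[u8]> for InitInfoHeader {
-fn as_mut(&mut self) -> &mut [u8] {
-unsafe { slice::from_raw_parts_mut(self as *mut _ as *mut u8, self.info_size) }
+fn as_bytes(&self, len: usize) -> Option<&[u8]> {
+(self.info_size == len).then(|| unsafe { slice::from_raw_parts(self.as_ptr().cast(), len) })
 }
 }
+
+unsafe impl ContiguousMemory for InitInfoHeader {}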
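Review bot: In the third hunk, `as_bytes` re-reads `self.info_size` from untrusted memory to compare it with `len`, even though the caller in the first hunk already takes `len` from the validated trusted copy `header`; the slice bound correctly rests on `len`, but the method should say so, e.g. `/// `len` must come from a trusted copy of the header; `self` may point into untrusted memory and is only re-read for a consistency check.`, and the `unsafe` blocks here and in `.map(|h| unsafe { h.as_ref() })` need `// SAFETY:` comments stating that the pointee is host memory that is only read and never trusted until copied. The second hunk copies `u_bytes` separately from the earlier `let header = *u_header;`, so the header bytes at the start of `bytes` may no longer agree with the validated `header` if the host rewrites them between the two copies; presumably later code reads only `header`, `env_len` and `args_len` from the trusted copy, but that part of `global_init` is outside the hunk. `NonNull::new` rejects only a null pointer, so unless `is_host_range` also verifies alignment (not visible here), forming `&InitInfoHeader` from a misaligned host pointer would be undefined behavior before any check runs. The rest of `global_init` and of `impl InitInfoHeader` lie outside the hunks.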
