incubator-teaclave-sgx-sdk icon indicating copy to clipboard operation
incubator-teaclave-sgx-sdk copied to clipboard

Published 20 hours ago verified publisher icon apache

*session_ptr and *pp_quote_config may be leaked if overwrites to

Open labyrinth-ssr opened this issue 2 years ago • 0 comments
trafficstars

https://github.com/apache/incubator-teaclave-sgx-sdk/blob/3c903bdac4e503dd27b9b1f761c4abfc55f2464c/samplecode/localattestation/attestation/src/func.rs#L144-L145 https://github.com/apache/incubator-teaclave-sgx-sdk/blob/3c903bdac4e503dd27b9b1f761c4abfc55f2464c/samplecode/dcap-pckretrieval/qpl/src/lib.rs#L138-L142

with Box::into_raw(), the pointee is on the heap. Multiple assignments will cause leak of the old value.

Probable fix is like: If session_request_safe should only be called once, adding an Atomic to guarantee assigning only once.

const UNINITIALIZED: usize = 0;
const INITIALIZING: usize = 1;
const INITIALIZED: usize = 2;
static GLOBAL_INIT: AtomicUsize = AtomicUsize::new(UNINITIALIZED);
pub struct SetGlobalDefaultError {
    _no_construct: (),
}

// in `session_request_safe`
       if GLOBAL_INIT
                .compare_exchange(
                    UNINITIALIZED,
                    INITIALIZING,
                    Ordering::SeqCst,
                    Ordering::SeqCst,
                )
                .is_ok()
            {
                let ptr = Box::into_raw(Box::new(session_info));
                *session_ptr = ptr as * mut _ as usize;
            }

Otherwise add the else branch:

           else {
              drop(Box::from_raw(*session_ptr));
              let ptr = Box::into_raw(Box::new(session_info));
              *session_ptr = ptr as * mut _ as usize;
          }

labyrinth-ssr avatar Jul 28 '23 06:07 labyrinth-ssr