Implement copy_and_verify_buffer_address (copy_and_verify_address + r…

…ange_check)
PLSysSec · Mar 20, 2020 · 1eda990 · 1eda990
1 parent 1b43fbf
commit 1eda990
Showing 1 changed file with 36 additions and 4 deletions.
diff --git a/code/include/rlbox.hpp b/code/include/rlbox.hpp
@@ -583,8 +583,7 @@ class tainted_base_impl
   // Template needed to ensure that function isn't instantiated for unsupported
   // types like function pointers which causes compile errors...
   template<typename T2 = T>
-  inline std::unique_ptr<T_CopyAndVerifyRangeEl[]> copy_and_verify_range_helper(
-    std::size_t count) const
+  inline const void* verify_range_helper(std::size_t count) const
   {
     static_assert(std::is_pointer_v<T>);
     static_assert(detail::is_fundamental_or_enum_v<T_CopyAndVerifyRangeEl>);
@@ -601,6 +600,18 @@ class tainted_base_impl
     detail::check_range_doesnt_cross_app_sbx_boundary<T_Sbx>(
       start, count * sizeof(T_CopyAndVerifyRangeEl));
 
+    return start;
+  }
+
+  template<typename T2 = T>
+  inline std::unique_ptr<T_CopyAndVerifyRangeEl[]> copy_and_verify_range_helper(
+    std::size_t count) const
+  {
+    const void* start = verify_range_helper(count);
+    if (start == nullptr) {
+      return nullptr;
+    }
+
     auto target = std::make_unique<T_CopyAndVerifyRangeEl[]>(count);
 
     for (size_t i = 0; i < count; i++) {
@@ -678,8 +689,8 @@ class tainted_base_impl
    * @brief Copy a tainted pointer from sandbox and verify the address.
    *
    * This function is useful if you need to verify physical bits representing
-   * the address of a pointed to since copy_and_verify performs a deep copy and
-   * changes the address bits.
+   * the address of a pointer. Other APIs such as copy_and_verify performs a
+   * deep copy and changes the address bits.
    *
    * @param verifer Function used to verify the copied value.
    * @tparam T_Func the type of the verifier ``T_Ret(*)(uintptr_t)``
@@ -693,6 +704,27 @@ class tainted_base_impl
     auto val = reinterpret_cast<uintptr_t>(impl().get_raw_value());
     return verifier(val);
   }
+
+  /**
+   * @brief Copy a tainted pointer to a buffer from sandbox and verify the
+   * address.
+   *
+   * This function is useful if you need to verify physical bits representing
+   * the address of a buffer. Other APIs such as copy_and_verify performs a
+   * deep copy and changes the address bits.
+   *
+   * @param verifer Function used to verify the copied value.
+   * @tparam T_Func the type of the verifier ``T_Ret(*)(uintptr_t)``
+   * @return Whatever the verifier function returns.
+   */
+  template<typename T_Func>
+  inline auto copy_and_verify_buffer_address(T_Func verifier, std::size_t size)
+  {
+    static_assert(std::is_pointer_v<T>,
+                  "copy_and_verify_address must be used on pointers");
+    auto val = reinterpret_cast<uintptr_t>(verify_range_helper(size));
+    return verifier(val);
+  }
 };
 
 #define BinaryOpWrappedRhs(opSymbol)                                           \