[Pal/Linux-SGX] Detect signal stack overflow in "enclave_entry.S"

Creating a frame with CPU context on signal stack when handling an exception was done without any bound checks. Malicious host could generate any amount of signals and cause these frames to overflow the stack. This commit fixes it by adding bound checks, effectively disallowing more than ~9 nested exceptions (which should be more than enough in normal case). Signed-off-by: Borys Popławski <borysp@invisiblethingslab.com>
gramineproject · Sep 30, 2021 · baee61e · baee61e
1 parent 7e59c4d
commit baee61e
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/Pal/src/host/Linux-SGX/enclave_entry.S b/Pal/src/host/Linux-SGX/enclave_entry.S
@@ -384,6 +384,16 @@ enclave_entry:
 	addq $STACK_FRAME_SUB, %rax
 	subq %rax, %rsi
 
+	# Disallow too many nested exceptions. In normal Gramine flow, this should never happen.
+	# Since addresses need to be canonical, this addition does not overflow.
+	movq %gs:SGX_SIG_STACK_HIGH, %rax
+	addq %gs:SGX_SIG_STACK_LOW, %rax
+	shrq $1, %rax
+	cmp %rax, %rsi
+	jae .Lno_signal_stack_overflow
+	FAIL_LOOP
+.Lno_signal_stack_overflow:
+
 	# Align xsave area to 64 bytes after sgx_cpu_context_t
 	andq $~(PAL_XSTATE_ALIGN - 1), %rsi
 	subq $SGX_CPU_CONTEXT_XSTATE_ALIGN_SUB, %rsi