
Commit bcac8e7

authored
Merge pull request from GHSA-525h-wxcc-f66m
Signed-off-by: Ming-Wei Shih <mishih@microsoft.com>
1 parent 10186a4 commit bcac8e7


12 files changed

+714
-82
lines changed


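--- a/include/openenclave/edl/socket.edl
+++ b/include/openenclave/edl/socket.edl
@@ -18,8 +18,6 @@
 
 enclave
 {
-
-
 // Headers needed for integral types
 include "openenclave/corelibc/bits/types.h"
 include "openenclave/bits/edl/syscall_types.h"
@@ -73,7 +71,7 @@ enclave
 
 oe_host_fd_t oe_syscall_accept_ocall(
 oe_host_fd_t sockfd,
-[in, out, size=addrlen_in] struct oe_sockaddr* addr,
+[out, size=addrlen_in] struct oe_sockaddr* addr,
 oe_socklen_t addrlen_in,
 [out, count=1] oe_socklen_t* addrlen_out)
 propagate_errno;
@@ -117,7 +115,7 @@ enclave
 
 ssize_t oe_syscall_recv_ocall(
 oe_host_fd_t sockfd,
-[in, out, size=len] void* buf,
+[out, size=len] void* buf,
 size_t len,
 int flags)
 propagate_errno;
@@ -127,7 +125,7 @@ enclave
 [out, size=len] void* buf,
 size_t len,
 int flags,
-[in, out, size=addrlen_in] struct oe_sockaddr* src_addr,
+[out, size=addrlen_in] struct oe_sockaddr* src_addr,
 oe_socklen_t addrlen_in,
 [out, count=1] oe_socklen_t* addrlen_out)
 propagate_errno;
@@ -186,14 +184,14 @@ enclave
 
 int oe_syscall_getsockname_ocall(
 oe_host_fd_t sockfd,
-[in, out, size=addrlen_in] struct oe_sockaddr* addr,
+[out, size=addrlen_in] struct oe_sockaddr* addr,
 oe_socklen_t addrlen_in,
 [out, size=1] oe_socklen_t* addrlen_out)
 propagate_errno;
 
 int oe_syscall_getpeername_ocall(
 oe_host_fd_t sockfd,
-[in, out, size=addrlen_in] struct oe_sockaddr* addr,
+[out, size=addrlen_in] struct oe_sockaddr* addr,
 oe_socklen_t addrlen_in,
 [out, size=1] oe_socklen_t* addrlen_out)
 propagate_errno;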
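Review bot: The getsockname and getpeername ocalls still declare `[out, size=1] oe_socklen_t* addrlen_out` on lines the commit touches, while the neighbouring accept and recvfrom ocalls use `[out, count=1]` for the same parameter; if `size=` is a byte count, as in the edger8r convention, only one byte of the `oe_socklen_t` would be marshalled back into the enclave, so the mismatch is worth settling here rather than leaving it behind. Using `[out, count=1] oe_socklen_t* addrlen_out)` in both places would make the four address-returning ocalls uniform. Separately, now that `addr` is `[out, size=addrlen_in]` and the host chooses `*addrlen_out` on its own, the enclave-side callers (not in this file) presumably must keep treating `addrlen_in`, not `*addrlen_out`, as the bound on how much of `addr` they read back; that is worth confirming in the corresponding syscall implementations.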

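--- a/include/openenclave/internal/syscall/fd.h
+++ b/include/openenclave/internal/syscall/fd.h
@@ -110,7 +110,7 @@ typedef struct _oe_socket_ops
 void* buf,
 size_t len,
 int flags,
-const struct oe_sockaddr* src_addr,
+struct oe_sockaddr* src_addr,
 oe_socklen_t* addrlen);
 
 ssize_t (*sendmsg)(oe_fd_t* sock, const struct oe_msghdr* msg, int flags);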

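--- a/include/openenclave/internal/syscall/iov.h
+++ b/include/openenclave/internal/syscall/iov.h
@@ -15,7 +15,8 @@ int oe_iov_pack(
 const struct oe_iovec* iov,
 int iovcnt,
 void** buf_out,
-size_t* buf_size_out);
+size_t* buf_size_out,
+size_t* data_size_out);
 
 int oe_iov_sync(
 const struct oe_iovec* iov,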
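Review bot: The new `data_size_out` parameter of `oe_iov_pack` is undocumented, and the header gives no hint how it differs from `buf_size_out`; the consolefs.c callers in this commit check one against `OE_SSIZE_MAX` and pass the other to the host, so the distinction carries a security meaning and should be spelled out at the declaration. A comment above the prototype along the lines of `/* buf_size_out: size of the buffer returned in *buf_out; data_size_out: number of payload bytes the iov describes (may differ from buf_size_out) — confirm against the implementation */` would do; the implementation is outside this page, so the exact relation should be verified before the comment is committed. The prototype of `oe_iov_pack` begins above the hunk.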

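--- a/include/openenclave/internal/syscall/sys/socket.h
+++ b/include/openenclave/internal/syscall/sys/socket.h
@@ -133,6 +133,9 @@ OE_EXTERNC_BEGIN
 #define OE_SO_BSDCOMPAT 14
 #define OE_SO_REUSEPORT 15
 
+/* Socket message flags. */
+#define OE_MSG_CTRUNC 0x0008
+
 /* oe_shutdown() options. */
 #define OE_SHUT_RD 0
 #define OE_SHUT_WR 1
@@ -204,7 +207,7 @@ ssize_t oe_recvfrom(
 void* buf,
 size_t len,
 int flags,
-const struct oe_sockaddr* src_addr,
+struct oe_sockaddr* src_addr,
 oe_socklen_t* addrlen);
 
 ssize_t oe_sendmsg(int sockfd, const struct oe_msghdr* buf, int flags);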
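Review bot: The new `OE_MSG_CTRUNC` definition does not say which ABI the value `0x0008` is meant to agree with, and the heading "Socket message flags" suggests more flags will follow under it; if the value is intended to mirror Linux's `MSG_CTRUNC` (0x08) so that it can be compared against the `msg_flags` the host reports, the comment should say so, e.g. `/* Socket message flags (values follow the Linux MSG_* ABI). */`. Without that note a later flag added here could silently pick a different convention.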

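--- a/syscall/consolefs.c
+++ b/syscall/consolefs.c
@@ -205,12 +205,30 @@ static ssize_t _consolefs_read(oe_fd_t* file_, void* buf, size_t count)
 ssize_t ret = -1;
 file_t* file = _cast_file(file_);
 
-if (!file)
+/*
+* According to the POSIX specification, when the count is greater
+* than SSIZE_MAX, the result is implementation-defined. OE raises an
+* error in this case.
+* Refer to
+* https://pubs.opengroup.org/onlinepubs/9699919799/functions/read.html for
+* for more detail.
+*/
+if (!file || count > OE_SSIZE_MAX)
 OE_RAISE_ERRNO(OE_EINVAL);
 
 if (oe_syscall_read_ocall(&ret, file->host_fd, buf, count) != OE_OK)
 OE_RAISE_ERRNO(OE_EINVAL);
 
+/*
+* Guard the special case that a host sets an arbitrarily large value.
+* The returned value should not exceed count.
+*/
+if (ret > (ssize_t)count)
+{
+ret = -1;
+OE_RAISE_ERRNO(OE_EINVAL);
+}
+
 done:
 return ret;
 }
@@ -220,12 +238,30 @@ static ssize_t _consolefs_write(oe_fd_t* file_, const void* buf, size_t count)
 ssize_t ret = -1;
 file_t* file = _cast_file(file_);
 
-if (!file)
+/*
+* According to the POSIX specification, when the count is greater
+* than SSIZE_MAX, the result is implementation-defined. OE raises an
+* error in this case.
+* Refer to
+* https://pubs.opengroup.org/onlinepubs/9699919799/functions/write.html for
+* for more detail.
+*/
+if (!file || count > OE_SSIZE_MAX)
 OE_RAISE_ERRNO(OE_EINVAL);
 
 if (oe_syscall_write_ocall(&ret, file->host_fd, buf, count) != OE_OK)
 OE_RAISE_ERRNO(OE_EINVAL);
 
+/*
+* Guard the special case that a host sets an arbitrarily large value.
+* The returned value should not exceed count.
+*/
+if (ret > (ssize_t)count)
+{
+ret = -1;
+OE_RAISE_ERRNO(OE_EINVAL);
+}
+
 done:
 return ret;
 }
@@ -239,21 +275,43 @@ static ssize_t _consolefs_readv(
 file_t* file = _cast_file(desc);
 void* buf = NULL;
 size_t buf_size = 0;
+size_t data_size = 0;
 
 if (!file || !iov || iovcnt < 0 || iovcnt > OE_IOV_MAX)
 OE_RAISE_ERRNO(OE_EINVAL);
 
 /* Flatten the IO vector into contiguous heap memory. */
-if (oe_iov_pack(iov, iovcnt, &buf, &buf_size) != 0)
+if (oe_iov_pack(iov, iovcnt, &buf, &buf_size, &data_size) != 0)
 OE_RAISE_ERRNO(OE_ENOMEM);
 
+/*
+* According to the POSIX specification, when the data_size is greater
+* than SSIZE_MAX, the result is implementation-defined. OE raises an
+* error in this case.
+* Refer to
+* https://pubs.opengroup.org/onlinepubs/9699919799/functions/readv.html for
+* for more detail.
+*/
+if (data_size > OE_SSIZE_MAX)
+OE_RAISE_ERRNO(OE_EINVAL);
+
 /* Call the host. */
 if (oe_syscall_readv_ocall(&ret, file->host_fd, buf, iovcnt, buf_size) !=
 OE_OK)
 {
 OE_RAISE_ERRNO(OE_EINVAL);
 }
 
+/*
+* Guard the special case that a host sets an arbitrarily large value.
+* The returned value should not exceed data_size.
+*/
+if (ret > (ssize_t)data_size)
+{
+ret = -1;
+OE_RAISE_ERRNO(OE_EINVAL);
+}
+
 /* Synchronize data read with IO vector. */
 if (oe_iov_sync(iov, iovcnt, buf, buf_size) != 0)
 OE_RAISE_ERRNO(OE_EINVAL);
@@ -275,21 +333,43 @@ static ssize_t _consolefs_writev(
 file_t* file = _cast_file(desc);
 void* buf = NULL;
 size_t buf_size = 0;
+size_t data_size = 0;
 
 if (!file || (!iov && iovcnt) || iovcnt < 0 || iovcnt > OE_IOV_MAX)
 OE_RAISE_ERRNO(OE_EINVAL);
 
 /* Flatten the IO vector into contiguous heap memory. */
-if (oe_iov_pack(iov, iovcnt, &buf, &buf_size) != 0)
+if (oe_iov_pack(iov, iovcnt, &buf, &buf_size, &data_size) != 0)
 OE_RAISE_ERRNO(OE_ENOMEM);
 
+/*
+* According to the POSIX specification, when the data_size is greater
+* than SSIZE_MAX, the result is implementation-defined. OE raises an
+* error in this case.
+* Refer to
+* https://pubs.opengroup.org/onlinepubs/9699919799/functions/writev.html
+* for more detail.
+*/
+if (data_size > OE_SSIZE_MAX)
+OE_RAISE_ERRNO(OE_EINVAL);
+
 /* Call the host. */
 if (oe_syscall_writev_ocall(&ret, file->host_fd, buf, iovcnt, buf_size) !=
 OE_OK)
 {
 OE_RAISE_ERRNO(OE_EINVAL);
 }
 
+/*
+* Guard the special case that a host sets an arbitrarily large value.
+* The returned value should not exceed data_size.
+*/
+if (ret > (ssize_t)data_size)
+{
+ret = -1;
+OE_RAISE_ERRNO(OE_EINVAL);
+}
+
 done:
 
 if (buf)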
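Review bot: The host-result guard added after the read ocall only bounds `ret` from above, so a host that returns a negative value other than -1 (say -2) passes `ret > (ssize_t)count` and is returned from `done:` as if it were a genuine result; since -1 is the only error value read() may legitimately return, the guard should reject the rest of the negative range as well, `if (ret < -1 || ret > (ssize_t)count)`. The same shape recurs in the `_consolefs_write` hunk and, against `data_size`, in the `_consolefs_readv` and `_consolefs_writev` hunks of this file, and in readv the unchecked negative value would still flow into `oe_iov_sync` below. The explanatory comments in the read, write and readv hunks also end with a doubled word (`... read.html for` followed by `* for more detail.`), which the writev hunk already has right. All four function signatures lie above their hunks, and the readv/writev cleanup after `done:` continues below.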
