Add is_enclave_range/is_user_range overflow checks #76345
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Functions such as `is_enclave_range` and `is_user_range` in `sgx::os::fortanix_sgx::mem` are often used to make sure memory ranges passed to an enclave from untrusted code or passed to other trusted code functions are safe to use for their intended purpose. Currently, these functions do not perform any checks to make sure the range provided doesn't overflow when adding the range length to the base address. While debug builds will panic if overflow occurs, release builds will simply wrap the result, leading to false positive results for either function. The burden is placed on application authors to know to perform overflow checks on their own before calling these functions, which can easily lead to security vulnerabilities if omitted. Additionally, since such checks are performed in the Intel SGX SDK versions of these functions, developers migrating from Intel SGX SDK code may expect these functions to operate the same. This commit adds explicit overflow checking to `is_enclave_range` and `is_user_range`, returning `false` if overflow occurs in order to prevent misuse of invalid memory ranges. It also alters the checks to account for ranges that lie exactly at the end of the address space, where calculating `p + len` would overflow despite the range being valid.
|
Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @Mark-Simulacrum (or someone else) soon. If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes. Please see the contribution instructions for more information. |
rust-highfive
added
the
S-waiting-on-review
|
✌️ @jethrogb can now approve this pull request |
jyn514
added
the
T-libs-api
camelid
added
S-waiting-on-review
|
@jethrogb any updates? |
camelid
added
S-waiting-on-review
|
r? @jethrogb |
crlf0710
added
S-waiting-on-review
crlf0710
added
S-waiting-on-review
JohnCSimon
added
S-waiting-on-review
camelid
added
S-waiting-on-review
JohnCSimon
added
S-waiting-on-review
|
This seems reasonable to me, and the logic looks correct. @bors r+ |
|
📌 Commit c989de5 has been approved by |
bors
added
S-waiting-on-bors
Dylan-DPC-zz
pushed a commit
to Dylan-DPC-zz/rust
that referenced
this pull request
Mar 3, 2021
…ks, r=joshtriplett Add is_enclave_range/is_user_range overflow checks Fixes rust-lang#76343. This adds overflow checking to `is_enclave_range` and `is_user_range` in `sgx::os::fortanix_sgx::mem` in order to mitigate possible security issues with enclave code. It also accounts for an edge case where the memory range provided ends exactly at the end of the address space, where calculating `p + len` would overflow back to zero despite the range potentially being valid.
|
☀️ Test successful - checks-actions |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #76343.
This adds overflow checking to
is_enclave_rangeandis_user_rangeinsgx::os::fortanix_sgx::memin order to mitigate possible security issues with enclave code. It also accounts for an edge case where the memory range provided ends exactly at the end of the address space, where calculatingp + lenwould overflow back to zero despite the range potentially being valid.