diff options
| author | bors <bors@rust-lang.org> | 2021-03-03 05:45:50 +0000 |
|---|---|---|
| committer | bors <bors@rust-lang.org> | 2021-03-03 05:45:50 +0000 |
| commit | cbca5689a5a0c63c6c5fda22bb0678164b52fec3 (patch) | |
| tree | fe4110e6d7b108a21fe434e976db4cc3a298baaa | |
| parent | 35dbef235048f9a2939dc20effe083ca483c37ff (diff) | |
| parent | c989de52b8ad76439f6178170d94ead64ee3ffc7 (diff) | |
| download | rust-cbca5689a5a0c63c6c5fda22bb0678164b52fec3.tar.gz rust-cbca5689a5a0c63c6c5fda22bb0678164b52fec3.zip | |
Auto merge of #76345 - okready:sgx-mem-range-overflow-checks, r=joshtriplett
Add is_enclave_range/is_user_range overflow checks Fixes #76343. This adds overflow checking to `is_enclave_range` and `is_user_range` in `sgx::os::fortanix_sgx::mem` in order to mitigate possible security issues with enclave code. It also accounts for an edge case where the memory range provided ends exactly at the end of the address space, where calculating `p + len` would overflow back to zero despite the range potentially being valid.
| -rw-r--r-- | library/std/src/sys/sgx/abi/mem.rs | 42 |
1 files changed, 34 insertions, 8 deletions
diff --git a/library/std/src/sys/sgx/abi/mem.rs b/library/std/src/sys/sgx/abi/mem.rs index da899773dbb..3753fdd3536 100644 --- a/library/std/src/sys/sgx/abi/mem.rs +++ b/library/std/src/sys/sgx/abi/mem.rs @@ -47,20 +47,46 @@ pub fn image_base() -> u64 { /// Returns `true` if the specified memory range is in the enclave. /// -/// `p + len` must not overflow. +/// For safety, this function also checks whether the range given overflows, +/// returning `false` if so. #[unstable(feature = "sgx_platform", issue = "56975")] pub fn is_enclave_range(p: *const u8, len: usize) -> bool { - let start = p as u64; - let end = start + (len as u64); - start >= image_base() && end <= image_base() + (unsafe { ENCLAVE_SIZE } as u64) // unsafe ok: link-time constant + let start = p as usize; + + // Subtract one from `len` when calculating `end` in case `p + len` is + // exactly at the end of addressable memory (`p + len` would overflow, but + // the range is still valid). + let end = if len == 0 { + start + } else if let Some(end) = start.checked_add(len - 1) { + end + } else { + return false; + }; + + let base = image_base() as usize; + start >= base && end <= base + (unsafe { ENCLAVE_SIZE } - 1) // unsafe ok: link-time constant } /// Returns `true` if the specified memory range is in userspace. /// -/// `p + len` must not overflow. +/// For safety, this function also checks whether the range given overflows, +/// returning `false` if so. #[unstable(feature = "sgx_platform", issue = "56975")] pub fn is_user_range(p: *const u8, len: usize) -> bool { - let start = p as u64; - let end = start + (len as u64); - end <= image_base() || start >= image_base() + (unsafe { ENCLAVE_SIZE } as u64) // unsafe ok: link-time constant + let start = p as usize; + + // Subtract one from `len` when calculating `end` in case `p + len` is + // exactly at the end of addressable memory (`p + len` would overflow, but + // the range is still valid). + let end = if len == 0 { + start + } else if let Some(end) = start.checked_add(len - 1) { + end + } else { + return false; + }; + + let base = image_base() as usize; + end < base || start > base + (unsafe { ENCLAVE_SIZE } - 1) // unsafe ok: link-time constant } |