-
Notifications
You must be signed in to change notification settings - Fork 628
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix Enclave Interfaces of WAMR SGX version; Set pointer to NULL after free, otherwise cause UAF/DF #2357
base: main
Are you sure you want to change the base?
Conversation
LeoneChen
commented
Jul 13, 2023
- Fix Enclave Interfaces of WAMR SGX version
- Set pointer to NULL after free, otherwise cause UAF/DF
Hi, I see that there some CI tests are failing, seems not able to call BTW, what is the purpose of using idx rather than raw pointer for module_inst and other data? Is it for easier management with the help of the newly introduced pointer manager? |
Use raw pointer is very dangerous, since it can point to in-Enclave memory, it's hard to check pointed memory is a valid context content or invalid sensitive in-Enclave data. So use indexes to replace the raw pointers when passing
|
Thanks! That makes sense |
Do you means CI tests successfully call |
This part of code maybe can be optimized. I think it's better to avoid using lock |
Can you provide more detail about it? Then I can figure out why it failed |
Some spec tests are failing, output is something like: Starting interpreter for module '/tmp/tmp9j2olynn.aot'
Running: ../../../product-mini/platforms/linux-sgx/enclave-sample/iwasm --heap-size=0 -v=0 --repl /tmp/tmp9j2olynn.aot
Testing(return) i32_add = 0x102:i32
THE FINAL EXCEPTION IS out should be in a form likes numbers:type, but Call ecall_handle_cmd_exec_app_func() failed. You can run a hello world aot file with similar cmd option to reproduce it to double-check whether it's due to the newly added check |
On your local machine, you can also run spec tests to check: # assume you install the SDK in /opt/intel/sgxsdk/
source /opt/intel/sgxsdk/environment
# in WAMR root directory
cd tests/wamr-test-suites
# the shell script will automatically compile needed component and run spec test on sgx iwasm
./test_wamr.sh -b -x -t aot -s spec -p -P |
Ok, I'll try aot mode. I currently is preparing thesis proposal, so maybe late to fix it. |
Thanks |
No hurry, good luck with your thesis! |
Thanks! |
@TianlongLiang Hello, I fixed the parameters check in 1306d68, and all CI tests passed |
LGTM |
product-mini/platforms/linux-sgx/enclave-sample/Enclave/Enclave.cpp
Outdated
Show resolved
Hide resolved
} | ||
|
||
wasm_application_execute_main(module_inst, app_argc - 1, app_argv + 1); | ||
|
||
for (uint32 i = 0; i < app_argc; i++) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The return value may be written back into app_argv[0..1], had better copy them back into u_app_argv
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It need some time
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The return value may be written back into app_argv[0..1], had better copy them back into u_app_argv
Hello I want to confirm, it means 1. put the return value (bool
type) into app_argv[0..1]
or 2. content in app_argv
can be modified by wasm_application_execute_main
, and you want this modification propagates to outside of Enclave
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi, I checked again, wasm_application_execute_main puts the return value into *(int *)argv
, here should be *(int *)(app_argv + 1)
, see:
https://github.com/bytecodealliance/wasm-micro-runtime/blob/main/core/iwasm/include/wasm_export.h#L836-L838
So my understanding is that we had better write*(int *)(app_argv + 1)
back into *(int *)u_app_argv
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I got it, so it's case 2, and I have to let the content in *(int*)argv
propagates to outside Enclave
CI tests failed again. What is nuttx. How can I reproduce this problem in my local machine |
Nuttx CI issue was fixed with PR #2414, could you rebase again? |
OK, I try it |
2. Set pointer to NULL after free, otherwise cause UAF/DF
@LeoneChen Many thanks for the fixing, it really improves the security of WAMR linux-sgx. We are preparing to release 1.2.3, since the changes of this PR are a little big and complex, we (and some customers) need to more time to test, I think we had better merge this PR after the new release is created, and currently we can create another PR to fix the issue of |
Yes, it's OK. Fix This PR is complex and needs more review, and I also need to think about how to write back content to |
Fix it by yourself or I create a new PR? |
Let me fix it by myself😊 |
OK |
I think it's not a good code practice... And in current situation, Maybe can use stack memory |
Yes, how about adding an extra argument in public bool ecall_handle_cmd_exec_app_main(
uint16_t wasm_module_inst_idx,
[in, count=app_argc] char **u_app_argv,
uint32_t app_argc,
[out, count=1] int *ret_main
); |
@LeoneChen I found more similar issues in Enclave, and uploaded PR #2416 to fix them, could you help review it? Thanks. |
OK |