Posted to dev@teaclave.apache.org by Bing Duan <no...@github.com> on 2020/06/22 23:57:43 UTC
[apache/incubator-teaclave-sgx-sdk] libc::free core dump due to
invalid address (#251)
I have an untrusted function declared as below:
```
int ocall_call(
    [in, count=en_req_size] const uint8_t* en_req,
    size_t en_req_size,
    [out] void** output,
    [out] size_t* output_size
);
```
and defined as below:
```
#[no_mangle]
pub extern "C" fn ocall_call(
    en_req: *const u8,
    en_req_size: usize,
    output: *mut *mut libc::c_void,
    output_size: *mut usize,
) -> sgx_status_t {
    let en_req_slice = unsafe { slice::from_raw_parts(en_req, en_req_size) };
    // ... here omits the step to get res from en_req_slice, which works well.
    let s = serde_json::to_string(&res).unwrap();
    unsafe {
        *output = libc::malloc(s.len());
        // TODO: check whether malloc succeeded; see: https://github.com/apache/incubator-teaclave-sgx-sdk/blob/e60e5adfadcbe4b34913d1c82cd5f7ac021fc3cf/sgx_urts/src/mem.rs#L22
        std::ptr::copy_nonoverlapping(s.as_ptr(), *(output as *mut *mut u8), s.len());
        *output_size = s.len();
    }
    sgx_status_t::SGX_SUCCESS
}
```
Everything works well now. Then I try to free the memory allocated in ocall_call by:
1. calling libc::free in the TEE, a core dump was raised without any tips.
2. ocall_free(p *mut libc::c_void) { libc::free(p) }, core dumped with tip `munmap_chunk(): invalid pointer`; then I printed the address p before and after ocall_free and got different values.
Neither of them works.
Please help, thanks.
Bing
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave-sgx-sdk/issues/251
Re: [apache/incubator-teaclave-sgx-sdk] libc::free core dump due to
invalid address (#251)
Posted by Yu Ding <no...@github.com>.
Closed #251.
--
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave-sgx-sdk/issues/251#event-3470665506
Re: [apache/incubator-teaclave-sgx-sdk] libc::free core dump due to
invalid address (#251)
Posted by Yu Ding <no...@github.com>.
`unsafe{ocall_free(&mut rt, output)};` how about `unsafe {ocall_free(output)}`?
--
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave-sgx-sdk/issues/251#issuecomment-647838518
Re: [apache/incubator-teaclave-sgx-sdk] libc::free core dump due to
invalid address (#251)
Posted by Yu Ding <no...@github.com>.
(1) libc::free in the TEE is designed to fail. It's because p points to untrusted memory and the enclave's memory allocator cannot do anything on the external heap.
(2) Could you please paste your EDL definition of ocall_free as well as its implementation? Since you're passing a pointer, EDL requires you to demonstrate the direction and conduct memcpy according to the definition. In this case, the pointer is an [in] argument of ocall_free, but there is no need for a memory copy. So the simplest solution is to pass the argument as an immediate value like uint64_t and avoid the memcpy caused by "pointer semantics".
--
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave-sgx-sdk/issues/251#issuecomment-647832391
Re: [apache/incubator-teaclave-sgx-sdk] libc::free core dump due to
invalid address (#251)
Posted by Yu Ding <no...@github.com>.
> ```
> void ocall_free([user_check]void* p);
> -----
> #[no_mangle]
> pub extern "C" fn ocall_free(p: *mut libc::c_void) {
>     println!("addr: {:?}", p);
>     unsafe { libc::free(p) }
> }
> ```
Before you call `ocall_free`, what is the pointer's value? Is it pointing to an unsafe buffer? Can it pass the sgx_is_outside_enclave check?
--
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave-sgx-sdk/issues/251#issuecomment-647834295
Re: [apache/incubator-teaclave-sgx-sdk] libc::free core dump due to
invalid address (#251)
Posted by Bing Duan <no...@github.com>.
> `unsafe{ocall_free(&mut rt, output)};` how about `unsafe {ocall_free(output)}`? ocall_free returns void ...
OK.. it works. 😓😓😓
BTW, sgx_is_outside_enclave also returns non-zero.
--
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave-sgx-sdk/issues/251#issuecomment-647840840
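
The ownership rule the replies above arrive at, as an added example that is not code from the thread or from the Teaclave SGX SDK: the untrusted side allocates and frees with its own allocator, and the enclave only copies the data and hands the pointer back. It runs as an ordinary process, so `host_ocall_call`, `host_ocall_free` and `enclave_fetch` are hypothetical stand-ins and the EDL-generated bridge is not modelled.

```rust
use std::ffi::c_void;
use std::{ptr, slice};

// Host C allocator, standing in for libc::malloc / libc::free on the untrusted side.
extern "C" {
    fn malloc(size: usize) -> *mut c_void;
    fn free(p: *mut c_void);
}

/// Untrusted side (stand-in for ocall_call): returns a malloc'ed copy of `data`.
/// Returns 0 on success and -1 when malloc fails, the check left as a TODO in the thread.
unsafe fn host_ocall_call(data: &[u8], output: *mut *mut c_void, output_size: *mut usize) -> i32 {
    *output = ptr::null_mut();
    *output_size = 0;
    let buf = malloc(data.len().max(1)); // malloc(0) may legally return NULL
    if buf.is_null() {
        return -1;
    }
    ptr::copy_nonoverlapping(data.as_ptr(), buf as *mut u8, data.len());
    *output = buf;
    *output_size = data.len();
    0
}

/// Untrusted side (stand-in for `void ocall_free([user_check] void* p);`).
unsafe fn host_ocall_free(p: *mut c_void) {
    free(p);
}

/// Trusted side: copy the host buffer into enclave-owned memory, never free it here.
pub fn enclave_fetch(request: &[u8]) -> Option<Vec<u8>> {
    let mut output: *mut c_void = ptr::null_mut();
    let mut out_len: usize = 0;
    let rc = unsafe { host_ocall_call(request, &mut output, &mut out_len) };
    if rc != 0 || output.is_null() {
        return None;
    }
    // A real enclave would first check sgx_is_outside_enclave(output, out_len).
    let copy = unsafe { slice::from_raw_parts(output as *const u8, out_len) }.to_vec();
    // Void ocall: the pointer is the only argument, with no return-value slot before it.
    unsafe { host_ocall_free(output) };
    Some(copy)
}

fn main() {
    let out = enclave_fetch(b"{\"ok\":true}").expect("host allocation failed");
    println!("{}", String::from_utf8_lossy(&out));
}
```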
Re: [apache/incubator-teaclave-sgx-sdk] libc::free core dump due to
invalid address (#251)
Posted by Bing Duan <no...@github.com>.
> > ```
> > void ocall_free([user_check]void* p);
> > -----
> > #[no_mangle]
> > pub extern "C" fn ocall_free(p: *mut libc::c_void) {
> >     println!("addr: {:?}", p);
> >     unsafe { libc::free(p) }
> > }
> > ```
>
> Before you call `ocall_free`, what is the pointer's value? Is it pointing to an unsafe buffer? Can it pass the sgx_is_outside_enclave check?
```
....
let mut output = 0 as *mut libc::c_void;
let mut out_len: usize = 0;
let resp = unsafe {
    ocall_call(&mut rt,
               req.as_ptr() as *const u8,
               req.len(),
               &mut output,
               &mut out_len)
};
// TODO: both resp and rt need to be checked
match resp {
    sgx_status_t::SGX_SUCCESS => {
        ....
        println!("before free: {:?}", output);
        let mut rt : sgx_status_t = sgx_status_t::SGX_ERROR_UNEXPECTED;
        unsafe{ocall_free(&mut rt, output as usize)};
        ..
        Ok(xxxx)
    },
    ...
```
--
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave-sgx-sdk/issues/251#issuecomment-647835021
Re: [apache/incubator-teaclave-sgx-sdk] libc::free core dump due to
invalid address (#251)
Posted by Bing Duan <no...@github.com>.
```
void ocall_free([user_check]void* p);
-----
#[no_mangle]
pub extern "C" fn ocall_free(p: *mut libc::c_void) {
    println!("addr: {:?}", p);
    unsafe { libc::free(p) }
}
```
--
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave-sgx-sdk/issues/251#issuecomment-647833912
Re: [apache/incubator-teaclave-sgx-sdk] libc::free core dump due to
invalid address (#251)
Posted by Bing Duan <no...@github.com>.
I also tried usize. It doesn't work either. Will try u64 later.
--
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave-sgx-sdk/issues/251#issuecomment-647834297