Posted to notifications@teaclave.apache.org by GitBox <gi...@apache.org> on 2020/06/22 23:57:39 UTC

[GitHub] [incubator-teaclave-sgx-sdk] duanbing opened a new issue #251: libc::free core dump due to invalid address

duanbing opened a new issue #251:
URL: https://github.com/apache/incubator-teaclave-sgx-sdk/issues/251


   I have an untrusted function declared as below:
   ```
    int ocall_call(
               [in, count=en_req_size] const uint8_t* en_req,
               size_t en_req_size,
               [out] void** output,
               [out] size_t* output_size
           ) ;
   ```
   and defined as below:
   ```
   #[no_mangle]
   pub extern "C" fn ocall_call(
       en_req: *const u8,
       en_req_size: usize,
       output: *mut *mut libc::c_void,
       output_size: *mut usize,
   ) -> sgx_status_t {
       let en_req_slice = unsafe { slice::from_raw_parts(en_req, en_req_size) };
   
       // ... the step that gets res from en_req_slice is omitted here; it works well.
   
       let s = serde_json::to_string(&res).unwrap();
       unsafe {
           *output = libc::malloc(s.len());
           // TODO: check whether malloc succeeded; see: https://github.com/apache/incubator-teaclave-sgx-sdk/blob/e60e5adfadcbe4b34913d1c82cd5f7ac021fc3cf/sgx_urts/src/mem.rs#L22
           std::ptr::copy_nonoverlapping(s.as_ptr(), *(output as *mut *mut u8), s.len());
           *output_size = s.len();
       }
       sgx_status_t::SGX_SUCCESS
   }
   ```
   Everything works well now. Then I tried to free the memory allocated in ocall_call by:
   1. calling libc::free in the TEE: it core dumped without any tips.
   2. ocall_free(p *mut libc::c_void) { libc::free(p) }: it core dumped with the tip `munmap_chunk(): invalid pointer`; then I printed the address p before and after ocall_free and got different values.
   
   Neither of them works.
   
   Please help, thanks.
   
   Bing 
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@teaclave.apache.org
For additional commands, e-mail: notifications-help@teaclave.apache.org


[GitHub] [incubator-teaclave-sgx-sdk] duanbing commented on issue #251: libc::free core dump due to invalid address

Posted by GitBox <gi...@apache.org>.
duanbing commented on issue #251:
URL: https://github.com/apache/incubator-teaclave-sgx-sdk/issues/251#issuecomment-647835021


   > > ```
   > > void ocall_free([user_check]void* p);
   > > -----
   > > #[no_mangle]
   > > pub extern "C" fn ocall_free(p: *mut libc::c_void) {
   > >    println!("addr: {:?}", p);
   > >    unsafe { libc::free(p) }
   > > }   
   > > ```
   > 
   > Before you call `ocall_free`, what is the pointer's value? Is it pointing to an unsafe buffer? Can it pass the sgx_is_outside_enclave check?
   
   ```
   ....
           let mut output = 0 as *mut libc::c_void;
          
           let mut out_len: usize = 0;
           let resp = unsafe {
               ocall_call(&mut rt,
                                          req.as_ptr() as *const u8,
                                          req.len(),
                                          &mut output,
                                          &mut out_len)
           };
          
           // TODO: both resp and rt need to be checked
           match resp {
               sgx_status_t::SGX_SUCCESS => {
                   ....
                  
                   println!("before free: {:?}", output);
                   let mut rt : sgx_status_t = sgx_status_t::SGX_ERROR_UNEXPECTED;
                   unsafe{ocall_free(&mut rt, output as usize)};
                   ..
   
                   Ok(xxxx)
               },
   ...
   ```




[GitHub] [incubator-teaclave-sgx-sdk] dingelish commented on issue #251: libc::free core dump due to invalid address

Posted by GitBox <gi...@apache.org>.
dingelish commented on issue #251:
URL: https://github.com/apache/incubator-teaclave-sgx-sdk/issues/251#issuecomment-647834295


   > ```
   > void ocall_free([user_check]void* p);
   > -----
   > #[no_mangle]
   > pub extern "C" fn ocall_free(p: *mut libc::c_void) {
   >    println!("addr: {:?}", p);
   >    unsafe { libc::free(p) }
   > }   
   > ```
   
   Before you call `ocall_free`, what is the pointer's value? Is it pointing to an unsafe buffer? Can it pass the sgx_is_outside_enclave check?




[GitHub] [incubator-teaclave-sgx-sdk] dingelish closed issue #251: libc::free core dump due to invalid address

Posted by GitBox <gi...@apache.org>.
dingelish closed issue #251:
URL: https://github.com/apache/incubator-teaclave-sgx-sdk/issues/251


   




[GitHub] [incubator-teaclave-sgx-sdk] dingelish commented on issue #251: libc::free core dump due to invalid address

Posted by GitBox <gi...@apache.org>.
dingelish commented on issue #251:
URL: https://github.com/apache/incubator-teaclave-sgx-sdk/issues/251#issuecomment-647832391


   (1) libc::free in the TEE is designed to fail. It's because p points to untrusted memory and the enclave's memory allocator cannot do anything on the external heap.
   
   (2) Could you please paste your EDL definition of ocall_free as well as its implementation? Since you're passing a pointer, EDL requires you to demonstrate the direction and conduct memcpy according to the definition. In this case, the pointer is an [in] argument of ocall_free, but there is no need for a memory copy. So the simplest solution is to pass the argument as an immediate value like uint64_t and avoid the memcpy caused by "pointer semantics".




[GitHub] [incubator-teaclave-sgx-sdk] duanbing edited a comment on issue #251: libc::free core dump due to invalid address

Posted by GitBox <gi...@apache.org>.
duanbing edited a comment on issue #251:
URL: https://github.com/apache/incubator-teaclave-sgx-sdk/issues/251#issuecomment-647835021


   > > ```
   > > void ocall_free([user_check]void* p);
   > > -----
   > > #[no_mangle]
   > > pub extern "C" fn ocall_free(p: *mut libc::c_void) {
   > >    println!("addr: {:?}", p);
   > >    unsafe { libc::free(p) }
   > > }   
   > > ```
   > 
   > Before you call `ocall_free`, what is the pointer's value? Is it pointing to an unsafe buffer? Can it pass the sgx_is_outside_enclave check?
   
   ```
   ....
           let mut output = 0 as *mut libc::c_void;
          
           let mut out_len: usize = 0;
           let resp = unsafe {
               ocall_call(&mut rt,
                                          req.as_ptr() as *const u8,
                                          req.len(),
                                          &mut output,
                                          &mut out_len)
           };
          
           // TODO: both resp and rt need to be checked
           match resp {
               sgx_status_t::SGX_SUCCESS => {
                   ....
                  
                   println!("before free: {:?}", output);
                   let mut rt : sgx_status_t = sgx_status_t::SGX_ERROR_UNEXPECTED;
                   unsafe{ocall_free(&mut rt, output)};
                   ..
   
                   Ok(xxxx)
               },
   ...
   ```




[GitHub] [incubator-teaclave-sgx-sdk] duanbing commented on issue #251: libc::free core dump due to invalid address

Posted by GitBox <gi...@apache.org>.
duanbing commented on issue #251:
URL: https://github.com/apache/incubator-teaclave-sgx-sdk/issues/251#issuecomment-647840840


   > `unsafe{ocall_free(&mut rt, output)};` how about `unsafe {ocall_free(output)}`? ocall_free returns void ...
   OK.. it works. 😓😓😓
   BTW, sgx_is_outside_enclave also returns non-zero.




[GitHub] [incubator-teaclave-sgx-sdk] duanbing commented on issue #251: libc::free core dump due to invalid address

Posted by GitBox <gi...@apache.org>.
duanbing commented on issue #251:
URL: https://github.com/apache/incubator-teaclave-sgx-sdk/issues/251#issuecomment-647833912


   ```
   void ocall_free([user_check]void* p);
   -----
   #[no_mangle]
   pub extern "C" fn ocall_free(p: *mut libc::c_void) {
       println!("addr: {:?}", p);
       unsafe { libc::free(p) }
   }   
   ```
   




[GitHub] [incubator-teaclave-sgx-sdk] dingelish edited a comment on issue #251: libc::free core dump due to invalid address

Posted by GitBox <gi...@apache.org>.
dingelish edited a comment on issue #251:
URL: https://github.com/apache/incubator-teaclave-sgx-sdk/issues/251#issuecomment-647834295


   > ```
   > void ocall_free([user_check]void* p);
   > -----
   > #[no_mangle]
   > pub extern "C" fn ocall_free(p: *mut libc::c_void) {
   >    println!("addr: {:?}", p);
   >    unsafe { libc::free(p) }
   > }   
   > ```
   
   Before you call `ocall_free`, what is the pointer's value? Is it pointing to an untrusted buffer? Can it pass the sgx_is_outside_enclave check?




[GitHub] [incubator-teaclave-sgx-sdk] duanbing commented on issue #251: libc::free core dump due to invalid address

Posted by GitBox <gi...@apache.org>.
duanbing commented on issue #251:
URL: https://github.com/apache/incubator-teaclave-sgx-sdk/issues/251#issuecomment-647834297


   I also tried usize. It doesn't work either. Will try u64 later.




[GitHub] [incubator-teaclave-sgx-sdk] dingelish edited a comment on issue #251: libc::free core dump due to invalid address

Posted by GitBox <gi...@apache.org>.
dingelish edited a comment on issue #251:
URL: https://github.com/apache/incubator-teaclave-sgx-sdk/issues/251#issuecomment-647838518


   `unsafe{ocall_free(&mut rt, output)};` how about `unsafe {ocall_free(output)}`? ocall_free returns void ...




[GitHub] [incubator-teaclave-sgx-sdk] dingelish edited a comment on issue #251: libc::free core dump due to invalid address

Posted by GitBox <gi...@apache.org>.
dingelish edited a comment on issue #251:
URL: https://github.com/apache/incubator-teaclave-sgx-sdk/issues/251#issuecomment-647832391


   (1) libc::free in the TEE is designed to fail. It's because p points to untrusted memory and the enclave's memory allocator cannot do anything on the external heap.
   
   (2) Could you please paste your EDL definition of ocall_free as well as its implementation? Since you're passing a pointer, EDL requires you to demonstrate the direction and conduct memcpy according to the definition. In this case, the pointer is an [in] argument of ocall_free, but there is no need for a memory copy. So the simplest solution is to pass the argument as an immediate value like uint64_t, or mark it as `user_check` and avoid the memcpy caused by "pointer semantics".


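An added example (not part of the thread and not the SDK's own code) of the ownership rule discussed in this issue: the enclave checks that a host-supplied buffer lies outside the enclave, copies it in, and passes the same address back to the host allocator, which is the only side that can free it. `EnclaveRange`, `Host`, `OcallError` and `take_untrusted` are hypothetical stand-ins that simulate `sgx_is_outside_enclave` and the untrusted heap so the code runs without SGX; the address range and sample response are constructed.

```rust
use std::collections::HashMap;

/// Simulated enclave address range (constructed values). Real enclave code
/// calls sgx_is_outside_enclave(addr, size) instead of this stand-in.
#[derive(Clone, Copy)]
pub struct EnclaveRange { pub base: usize, pub size: usize }

impl EnclaveRange {
    /// True only if [addr, addr+len) is wholly outside the enclave and does not wrap.
    pub fn is_outside(&self, addr: usize, len: usize) -> bool {
        match addr.checked_add(len) {
            Some(end) => end <= self.base || addr >= self.base.saturating_add(self.size),
            None => false,
        }
    }
}

/// Hypothetical stand-in for the untrusted heap: remembers the addresses it handed out.
#[derive(Default)]
pub struct Host { live: HashMap<usize, Box<[u8]>> }

impl Host {
    /// Plays the role of ocall_call's malloc + copy; returns the block's address.
    pub fn alloc(&mut self, data: &[u8]) -> usize {
        let block: Box<[u8]> = data.into();
        let addr = block.as_ptr() as usize;
        self.live.insert(addr, block);
        addr
    }
    /// Plays the role of ocall_free(p); refuses an address this heap does not own.
    pub fn free(&mut self, addr: usize) -> bool { self.live.remove(&addr).is_some() }
}

#[derive(Debug, PartialEq)]
pub enum OcallError { NullPointer, NotOutsideEnclave, HostRejectedFree }

/// Enclave side: validate the host-chosen pointer, copy the bytes into enclave-owned
/// memory, then pass the same address back to the host, the only side that can free it.
pub fn take_untrusted(host: &mut Host, enclave: EnclaveRange, addr: usize, len: usize)
    -> Result<Vec<u8>, OcallError> {
    if addr == 0 { return Err(OcallError::NullPointer); }
    if !enclave.is_outside(addr, len) { return Err(OcallError::NotOutsideEnclave); }
    // Safe only in this simulation, where len matches the block the host allocated.
    let copy = unsafe { std::slice::from_raw_parts(addr as *const u8, len) }.to_vec();
    if host.free(addr) { Ok(copy) } else { Err(OcallError::HostRejectedFree) }
}

fn main() {
    let enclave = EnclaveRange { base: 0x1000, size: 0x1000 }; // constructed range
    let mut host = Host::default();
    let addr = host.alloc(b"{\"ok\":true}"); // constructed sample response
    println!("{:?}", take_untrusted(&mut host, enclave, addr, 11));
    println!("{:?}", take_untrusted(&mut host, enclave, 0x1800, 16));
}
```

`Host::free` returns false for any address it never handed out, such as the address of a local status variable, so a call that passes the wrong value in the pointer slot is reported instead of reaching the allocator.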


[GitHub] [incubator-teaclave-sgx-sdk] dingelish commented on issue #251: libc::free core dump due to invalid address

Posted by GitBox <gi...@apache.org>.
dingelish commented on issue #251:
URL: https://github.com/apache/incubator-teaclave-sgx-sdk/issues/251#issuecomment-647838518


   `unsafe{ocall_free(&mut rt, output)};` how about `unsafe {ocall_free(output)}`?

