c989de52b8
Functions such as `is_enclave_range` and `is_user_range` in `sgx::os::fortanix_sgx::mem` are often used to make sure memory ranges passed to an enclave from untrusted code or passed to other trusted code functions are safe to use for their intended purpose. Currently, these functions do not perform any checks to make sure the range provided doesn't overflow when adding the range length to the base address. While debug builds will panic if overflow occurs, release builds will simply wrap the result, leading to false positive results for either function. The burden is placed on application authors to know to perform overflow checks on their own before calling these functions, which can easily lead to security vulnerabilities if omitted. Additionally, since such checks are performed in the Intel SGX SDK versions of these functions, developers migrating from Intel SGX SDK code may expect these functions to operate the same. This commit adds explicit overflow checking to `is_enclave_range` and `is_user_range`, returning `false` if overflow occurs in order to prevent misuse of invalid memory ranges. It also alters the checks to account for ranges that lie exactly at the end of the address space, where calculating `p + len` would overflow despite the range being valid. |
||
|---|---|---|
| .. | ||
| alloc | ||
| backtrace@4083a90168 | ||
| core | ||
| panic_abort | ||
| panic_unwind | ||
| proc_macro | ||
| profiler_builtins | ||
| rtstartup | ||
| rustc-std-workspace-alloc | ||
| rustc-std-workspace-core | ||
| rustc-std-workspace-std | ||
| std | ||
| stdarch@78891cdf29 | ||
| term | ||
| test | ||
| unwind | ||