Merge pull request #119 from datachainlab/audit-202409

Audit-202409

Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>

Author: bluele

Cargo.lock

@@ -9,11 +9,11 @@ description  = """
 
 [dependencies]
 log = "0.4.8"
-env_logger = "0.9.0"
+env_logger = "0.11.5"
 hex = { version = "0.4", default-features = false, features = ["alloc"] }
 tokio = { version = "1.0", features = ["full"] }
 anyhow = { version = "1.0.56" }
-clap = { version = "3.2", features = ["derive"] }
+clap = { version = "4.5.21", features = ["derive"] }
 dirs = "4.0"
 serde = { version = "1.0.184", default-features = false, features = ["alloc"] }
 serde_json = { version = "1.0", default-features = false, features = ["alloc", "preserve_order"] }
@@ -28,7 +28,7 @@ keymanager = { path = "../modules/keymanager" }
 remote-attestation = { path = "../modules/remote-attestation" }
 
 [build-dependencies]
-git2 = "0.17"
+git2 = "0.19"
 
 [features]
 default = []

app/Cargo.toml

@@ -9,8 +9,8 @@ pub(crate) fn generate_enclave_key(
     input: GenerateEnclaveKeyInput,
 ) -> Result<GenerateEnclaveKeyResponse, Error> {
     let ek = EnclaveKey::new()?;
-    let sealed_ek = ek.seal()?;
     let ek_pub = ek.get_pubkey();
+    let sealed_ek = ek.seal()?;
     let report_data = ReportData::new(ek_pub.as_address(), input.operator);
     let report = match rsgx_create_report(&input.target_info, &report_data.into()) {
         Ok(r) => r,

enclave-modules/ecall-handler/src/enclave_manage/enclave.rs

@@ -17,3 +17,7 @@ host-api = { path = "../host-api" }
 ecall-handler = { path = "../ecall-handler" }
 enclave-environment = { path = "../environment" }
 ecall-commands = { path = "../../modules/ecall-commands", default-features = false }
+
+[features]
+default = []
+panic-logging = []

enclave-modules/runtime/Cargo.toml

@@ -31,12 +31,15 @@ mod errors;
 static ALLOC: sgx_alloc::System = sgx_alloc::System;
 
 #[cfg(not(test))]
+#[allow(unused_variables)]
 #[panic_handler]
 fn begin_panic_handler(info: &core::panic::PanicInfo<'_>) -> ! {
+    #[cfg(feature = "panic-logging")]
+    let msg = alloc::format!("[enclave] panic: {:?}\n", info).into_bytes();
+    #[cfg(not(feature = "panic-logging"))]
+    let msg = alloc::format!("[enclave] panic\n").into_bytes();
     let _ = host_api::api::execute_command(host_api::ocall_commands::Command::Log(
-        host_api::ocall_commands::LogCommand {
-            msg: alloc::format!("[enclave] panic: {:?}\n", info).into_bytes(),
-        },
+        host_api::ocall_commands::LogCommand { msg },
     ));
     sgx_abort();
 }

enclave-modules/runtime/src/lib.rs

@@ -1,19 +1,25 @@
 use log::*;
-use sgx_trts::trts::{rsgx_lfence, rsgx_raw_is_outside_enclave, rsgx_sfence};
+use sgx_trts::trts::{rsgx_lfence, rsgx_sfence};
 use sgx_types::*;
 
+/// Validates a mutable pointer and its length.
+///
+/// Assumes that the `ptr` is a valid pointer of enclave outside memory.
 pub fn validate_mut_ptr(ptr: *mut u8, ptr_len: usize) -> SgxResult<()> {
-    if rsgx_raw_is_outside_enclave(ptr, ptr_len) {
-        warn!("Tried to access memory outside enclave -- rsgx_slice_is_outside_enclave");
+    if ptr.is_null() || ptr_len == 0 {
+        warn!("Tried to access an empty pointer - ptr.is_null() || ptr_len == 0");
         return Err(sgx_status_t::SGX_ERROR_UNEXPECTED);
     }
     rsgx_sfence();
     Ok(())
 }
 
+/// Validates a constant pointer and its length.
+///
+/// Assumes that the `ptr` is a valid pointer of enclave outside memory.
 pub fn validate_const_ptr(ptr: *const u8, ptr_len: usize) -> SgxResult<()> {
     if ptr.is_null() || ptr_len == 0 {
-        warn!("Tried to access an empty pointer - ptr.is_null()");
+        warn!("Tried to access an empty pointer - ptr.is_null() || ptr_len == 0");
         return Err(sgx_status_t::SGX_ERROR_UNEXPECTED);
     }
     rsgx_lfence();