Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add runtime inited checks in Enclave command handlings to improve security #2416

Merged
merged 2 commits into from
Aug 4, 2023

Conversation

wenyongh
Copy link
Contributor

@wenyongh wenyongh commented Aug 2, 2023

As reported in #2252 (comment),
wait_map may be referred again after free in linux-sgx ecall command if it isn't set NULL.

@yamt
Copy link
Collaborator

yamt commented Aug 2, 2023

are you trying to make wasm_runtime_destroy idempotent?
otherwise, i guess it should be fixed in Enclave.cpp instead.

@wenyongh wenyongh changed the title Set wait_map NULL after free Add runtime inited checks in Enclave command handlings to improve security Aug 2, 2023
@wenyongh
Copy link
Contributor Author

wenyongh commented Aug 2, 2023

are you trying to make wasm_runtime_destroy idempotent? otherwise, i guess it should be fixed in Enclave.cpp instead.

Good point, I added more checks in Enclave instead to fix some similar issues.

Copy link
Collaborator

@yamt yamt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@wenyongh wenyongh merged commit 8fc621a into bytecodealliance:main Aug 4, 2023
@LeoneChen
Copy link

LeoneChen commented Aug 4, 2023

Hello, I think wait_map = NULL; is necessary. And I found other functions use wait_map already have check wait_map is NULL at function entrypoint like bh_hash_map_find, then this problem can be fixed.

If you only fix at linux-sgx platform, other platform may also face same UAF bug

@yamt
Copy link
Collaborator

yamt commented Aug 4, 2023

Hello, I think wait_map = NULL; is necessary. And I found other functions use wait_map already have check wait_map is NULL at function entrypoint like bh_hash_map_find, then this problem can be fixed.

If you only fix at linux-sgx platform, other platform may also face same UAF bug

the bug (calling wasm_runtime_destroy twice) was in linux-sgx and it has been fixed.

if other platforms have similar bugs, they should be fixed too. (have they?)

having double-free checks everywhere is not viable, IMO.

@LeoneChen
Copy link

LeoneChen commented Aug 4, 2023

It's different from free since the caller needs to specify which pointer to free, e.g. free(ptr), it's the caller's duty to set ptr to null.

However, in WAMR, API is wasm_runtime_destroy() and it free wait_map internal, caller (library user) can't access the wait_map variable, then it's duty of wasm_runtime_destroy() to set wait_map to NULL

I think it's hard to ensure we don't have double free in other platform

@yamt
Copy link
Collaborator

yamt commented Aug 4, 2023

It's different from free since the caller needs to specify which pointer to free, e.g. free(ptr), it's the caller's duty to set ptr to null.

However, in WAMR, API is wasm_runtime_destroy() and it free wait_map internal, caller (library user) can't access the wait_map variable, then it's duty of wasm_runtime_destroy() to set wait_map to NULL

i disagree. while it's ok to set wait_map to NULL, it's far from a "duty".
calling wasm_runtime_destroy twice as sgx was doing is an undefined behavior as double free is.
what you are saying is something like it's free's duty to prepare to handle double free.

@LeoneChen
Copy link

All right

@wenyongh wenyongh deleted the fix_linux_sgx branch August 8, 2023 03:00
victoryang00 pushed a commit to victoryang00/wamr-aot-gc-checkpoint-restore that referenced this pull request May 27, 2024
…urity (bytecodealliance#2416)

Call ecall commands arbitrarily from host when enclave's runtime isn't initialized
may cause unexpected behavior, for example, load/instantiate wasm module.
Add runtime inited status checks in enclave to improve the security.

Also fix `wait_map` issue mentioned in
bytecodealliance#2252 (comment)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants