Skip to content

Commit

Permalink
Linux 2.17.1 Open Source Gold Release
Browse files Browse the repository at this point in the history 
Along with the latest processor microcode address CVE-2022-21233.
- Modified the Edger8r to generate code with mitigations for the associated issue.
- Modified the API memcpy and memcpy_s to have mitigations for the associated issue.

Signed-off-by: Li, Xun <xun.li@intel.com>
  • Loading branch information
@llly
llly committed Aug 10, 2022
1 parent 15098e7 commit 70e1535
Show file tree
Hide file tree
Showing 4 changed files with 142 additions and 61 deletions.
16 changes: 8 additions & 8 deletions common/inc/internal/se_version.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,21 +31,21 @@
#ifndef _SE_VERSION_H_
#define _SE_VERSION_H_

#define STRFILEVER "2.17.100.3"
#define STRFILEVER "2.17.101.1"
#define SGX_MAJOR_VERSION 2
#define SGX_MINOR_VERSION 17
#define SGX_REVISION_VERSION 100
#define SGX_REVISION_VERSION 101
#define MAKE_VERSION_UINT(major,minor,rev) (((uint64_t)major)<<32 | ((uint64_t)minor) << 16 | rev)
#define VERSION_UINT MAKE_VERSION_UINT(SGX_MAJOR_VERSION, SGX_MINOR_VERSION, SGX_REVISION_VERSION)

#define COPYRIGHT "Copyright (C) 2022 Intel Corporation"

#define UAE_SERVICE_VERSION "2.3.215.3"
#define URTS_VERSION "1.1.119.3"
#define ENCLAVE_COMMON_VERSION "1.1.122.3"
#define LAUNCH_VERSION "1.0.117.3"
#define EPID_VERSION "1.0.117.3"
#define QUOTE_EX_VERSION "1.1.117.3"
#define UAE_SERVICE_VERSION "2.3.216.1"
#define URTS_VERSION "1.1.120.1"
#define ENCLAVE_COMMON_VERSION "1.1.123.1"
#define LAUNCH_VERSION "1.0.118.1"
#define EPID_VERSION "1.0.118.1"
#define QUOTE_EX_VERSION "1.1.118.1"

#define PCE_VERSION "1.17.100.2"
#define LE_VERSION "1.17.100.2"
Expand Down
1 change: 1 addition & 0 deletions common/inc/tlibc/string.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,7 @@ __BEGIN_DECLS

void * _TLIBC_CDECL_ memchr(const void *, int, size_t);
int _TLIBC_CDECL_ memcmp(const void *, const void *, size_t);
void * _TLIBC_CDECL_ memcpy_nochecks(void *, const void *, size_t);
void * _TLIBC_CDECL_ memcpy(void *, const void *, size_t);
void * _TLIBC_CDECL_ memcpy_verw(void *, const void *, size_t);
void * _TLIBC_CDECL_ memmove(void *, const void *, size_t);
Expand Down
97 changes: 58 additions & 39 deletions sdk/edger8r/linux/CodeGen.ml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -211,11 +211,13 @@ let retval_declr = { Ast.identifier = retval_name; Ast.array_dims = []; }
let eid_name = "eid"
let ms_ptr_name = "pms"
let ms_struct_val = "ms"
let ms_in_struct_val = "__in_ms"
let mk_ms_member_name (pname: string) = "ms_" ^ pname
let mk_ms_struct_name (fname: string) = "ms_" ^ fname ^ "_t"
let ms_retval_name = mk_ms_member_name retval_name
let mk_tbridge_name (fname: string) = "sgx_" ^ fname
let mk_parm_accessor name = sprintf "%s->%s" ms_struct_val (mk_ms_member_name name)
let mk_in_parm_accessor name = sprintf "%s.%s" ms_in_struct_val (mk_ms_member_name name)
let mk_tmp_var name = "_tmp_" ^ name
let mk_tmp_var2 name1 name2 = "_tmp_" ^ name1 ^ "_" ^ name2
let mk_len_var name = "_len_" ^ name
Expand All @@ -242,14 +244,6 @@ extern \"C\" {\n\
(* Header footer *)
let header_footer = "\n#ifdef __cplusplus\n}\n#endif /* __cplusplus */\n\n#endif\n"

(* NO_HARDEN_EXT_WRITES Macro *)
let mk_no_harden_macro = sprintf "\n#ifdef NO_HARDEN_EXT_WRITES\n%s\n#else\n%s\n#endif /* NO_HARDEN_EXT_WRITES */\n"

(* NO_HARDEN_EXT_WRITES Macro *)
let memcpy_macro = mk_no_harden_macro
"#define MEMCPY_S memcpy_s\n#define MEMSET memset"
"#define MEMCPY_S memcpy_verw_s\n#define MEMSET memset_verw"

(* Little functions for generating file names. *)
let get_uheader_short_name (file_shortnm: string) = file_shortnm ^ "_u.h"
let get_uheader_name (file_shortnm: string) =
Expand Down Expand Up @@ -738,7 +732,7 @@ let gen_theader_preemble (guard: string) (inclist: string) =
#include <wchar.h>\n\
#include <stddef.h>\n\
#include \"sgx_edger8r.h\" /* for sgx_ocall etc. */\n\n" in
grd_hdr ^ inc_exp ^ inclist ^ "\n" ^ common_macros ^ memcpy_macro
grd_hdr ^ inc_exp ^ inclist ^ "\n" ^ common_macros

(* Generate trusted header for enclave *)
let gen_trusted_header (ec: enclave_content) =
Expand All @@ -761,7 +755,7 @@ let gen_trusted_header (ec: enclave_content) =
close_out out_chan

(* It generates function invocation expression. *)
let mk_parm_name_raw (pt: Ast.parameter_type) (declr: Ast.declarator) =
let mk_parm_name_raw (pt: Ast.parameter_type) (declr: Ast.declarator) (tbridge: bool)=
let cast_expr =
let tystr = get_param_tystr pt in
if Ast.is_array declr && List.length declr.Ast.array_dims > 1
Expand All @@ -770,31 +764,29 @@ let mk_parm_name_raw (pt: Ast.parameter_type) (declr: Ast.declarator) =
sprintf "(%s (*)%s)" tystr dims
else ""
in
cast_expr ^ mk_parm_accessor declr.Ast.identifier
cast_expr ^ (if tbridge then mk_in_parm_accessor else mk_parm_accessor) declr.Ast.identifier

(* We passed foreign array `foo_array_t foo' as `&foo[0]', thus we
* need to get back `foo' by '* array_ptr' where
* array_ptr = &foo[0]
*)
let add_foreign_array_ptrref
(f: Ast.parameter_type -> Ast.declarator -> string)
(pt: Ast.parameter_type)
(declr: Ast.declarator) =
let arg = f pt declr in
(arg: string)
(pt: Ast.parameter_type) =
if is_foreign_array pt
then sprintf "(%s != NULL) ? (*%s) : NULL" arg arg
else arg

let mk_parm_name_ubridge (pt: Ast.parameter_type) (declr: Ast.declarator) =
add_foreign_array_ptrref mk_parm_name_raw pt declr
add_foreign_array_ptrref (mk_parm_name_raw pt declr false) pt

let mk_parm_name_ext (pt: Ast.parameter_type) (declr: Ast.declarator) =
let name = declr.Ast.identifier in
match pt with
Ast.PTVal _ -> mk_parm_name_raw pt declr
Ast.PTVal _ -> mk_parm_name_raw pt declr true
| Ast.PTPtr (_, attr) ->
match attr.Ast.pa_direction with
| Ast.PtrNoDirection -> mk_parm_name_raw pt declr
| Ast.PtrNoDirection -> mk_parm_name_raw pt declr true
| _ -> mk_in_var name

let gen_func_invoking (fd: Ast.func_decl)
Expand Down Expand Up @@ -968,7 +960,7 @@ let gen_ptr_size (ty: Ast.atype) (pattr: Ast.ptr_attr) (name: string) (get_parm:
else
(* genrerate ms_parm_len only for ecall with string/wstring in _t.c.*)
if (pattr.Ast.pa_isstr || pattr.Ast.pa_iswstr) && parm_name <> name then
sprintf "%s_len " (mk_parm_accessor name)
sprintf "%s_len " (mk_in_parm_accessor name)
else
(* genrerate strlen(param)/wcslen(param) only for ocall with string/wstring in _t.c.*)
if pattr.Ast.pa_isstr then
Expand Down Expand Up @@ -1407,7 +1399,7 @@ let gen_struct_ptr_direction_post (param_direction: Ast.ptr_direction) (struct_t
"\t\tstatus = SGX_ERROR_INVALID_PARAMETER;";
"\t\tbreak;";
"\t}";
sprintf "\tif (MEMCPY_S(%s, %s, %s, %s)) {" in_ptr_name in_len_ptr_var in_struct_member out_len_ptr_var;
sprintf "\tif (memcpy_verw_s(%s, %s, %s, %s)) {" in_ptr_name in_len_ptr_var in_struct_member out_len_ptr_var;
sprintf "\t\tstatus = SGX_ERROR_UNEXPECTED;";
"\t\tbreak;";
"\t}";
Expand Down Expand Up @@ -1449,7 +1441,7 @@ let gen_parm_ptr_direction_post (plist: Ast.pdecl list) =
"\t{";
sprintf "\t\t%s[%s - 1] = '\\0';" in_ptr_name len_var;
sprintf "\t\t%s = strlen(%s) + 1;" len_var in_ptr_name;
sprintf "\t\tif (MEMCPY_S((void*)%s, %s, %s, %s)) {" (mk_tmp_var name) len_var in_ptr_name len_var;
sprintf "\t\tif (memcpy_verw_s((void*)%s, %s, %s, %s)) {" (mk_tmp_var name) len_var in_ptr_name len_var;
"\t\t\tstatus = SGX_ERROR_UNEXPECTED;";
"\t\t\tgoto err;";
"\t\t}";
Expand All @@ -1463,7 +1455,7 @@ let gen_parm_ptr_direction_post (plist: Ast.pdecl list) =
"\t{";
sprintf "\t\t%s[(%s - sizeof(wchar_t))/sizeof(wchar_t)] = (wchar_t)0;" in_ptr_name len_var;
sprintf "\t\t%s = (wcslen(%s) + 1) * sizeof(wchar_t);" len_var in_ptr_name;
sprintf "\t\tif (MEMCPY_S((void*)%s, %s, %s, %s)) {" (mk_tmp_var name) len_var in_ptr_name len_var;
sprintf "\t\tif (memcpy_verw_s((void*)%s, %s, %s, %s)) {" (mk_tmp_var name) len_var in_ptr_name len_var;
"\t\t\tstatus = SGX_ERROR_UNEXPECTED;";
"\t\t\tgoto err;";
"\t\t}";
Expand All @@ -1474,7 +1466,7 @@ let gen_parm_ptr_direction_post (plist: Ast.pdecl list) =
else
let code_template = [
sprintf "\tif (%s) {" in_ptr_name;
sprintf "%s\t\tif (MEMCPY_S(%s, %s, %s, %s)) {" struct_deep_copy_post (mk_tmp_var name) len_var in_ptr_name len_var;
sprintf "%s\t\tif (memcpy_verw_s(%s, %s, %s, %s)) {" struct_deep_copy_post (mk_tmp_var name) len_var in_ptr_name len_var;
"\t\t\tstatus = SGX_ERROR_UNEXPECTED;";
"\t\t\tgoto err;";
"\t\t}";
Expand Down Expand Up @@ -1547,7 +1539,7 @@ let gen_tmp_size (pattr: Ast.ptr_attr) (plist: Ast.pdecl list) =
else
let param_tystr = find_param_type s plist in
let tmp_var = mk_tmp_var s in
let parm_str = mk_parm_accessor s in
let parm_str = mk_in_parm_accessor s in
Hashtbl.add param_cache s true;
sprintf "\t%s %s = %s;\n" param_tystr tmp_var parm_str
in
Expand Down Expand Up @@ -1602,7 +1594,7 @@ let tbridge_mk_parm_name_ext (pt: Ast.parameter_type) (declr: Ast.declarator) =
else mk_parm_name_ext pt declr

let mk_parm_name_tbridge (pt: Ast.parameter_type) (declr: Ast.declarator) =
add_foreign_array_ptrref tbridge_mk_parm_name_ext pt declr
add_foreign_array_ptrref (tbridge_mk_parm_name_ext pt declr) pt

(* Generate local variables required for the trusted bridge. *)
let gen_tbridge_local_vars (plist: Ast.pdecl list) =
Expand All @@ -1612,7 +1604,7 @@ let gen_tbridge_local_vars (plist: Ast.pdecl list) =
let ty = Ast.get_param_atype pt in
let tmp_var =
(* Save a copy of pointer in case it might be modified in the marshaling structure. *)
sprintf "\t%s%s %s = %s;\n" qual (Ast.get_tystr ty) (mk_tmp_var name) (mk_parm_accessor name)
sprintf "\t%s%s %s = %s;\n" qual (Ast.get_tystr ty) (mk_tmp_var name) (mk_in_parm_accessor name)
in
let len_var =
if not attr.Ast.pa_chkptr then ""
Expand All @@ -1637,7 +1629,7 @@ let gen_tbridge_local_vars (plist: Ast.pdecl list) =
let gen_local_var_for_foreign_array (ty: Ast.atype) (attr: Ast.ptr_attr) (name: string) =
let tystr = Ast.get_tystr ty in
let tmp_var =
sprintf "\t%s* %s = %s;\n" tystr (mk_tmp_var name) (mk_parm_accessor name)
sprintf "\t%s* %s = %s;\n" tystr (mk_tmp_var name) (mk_in_parm_accessor name)
in
let len_var = sprintf "\tsize_t %s = sizeof(%s);\n" (mk_len_var name) tystr
in
Expand Down Expand Up @@ -1681,13 +1673,28 @@ let gen_func_tbridge (fd: Ast.func_decl) (dummy_var: string) =
ms_struct_val
ms_struct_name
ms_ptr_name in
let declare_ms = sprintf "%s %s;"
ms_struct_name
ms_in_struct_val in
let copy_ms =
let code_template =[
sprintf "if (memcpy_s(&%s, sizeof(%s), %s, sizeof(%s))) {"
ms_in_struct_val
ms_struct_name
ms_struct_val
ms_struct_name;
"\treturn SGX_ERROR_UNEXPECTED;";
"}";
]
in
List.fold_left (fun acc s -> acc ^ "\t" ^ s ^ "\n") "" code_template in

let invoke_func = gen_func_invoking fd mk_parm_name_tbridge in

let update_retval =
let code_template =[
sprintf "%s = %s"(mk_in_var retval_name) invoke_func;
sprintf "if (MEMCPY_S(&%s, sizeof(%s), &%s, sizeof(%s))) {"
sprintf "if (memcpy_verw_s(&%s, sizeof(%s), &%s, sizeof(%s))) {"
(mk_parm_accessor retval_name)
(mk_parm_accessor retval_name)
(mk_in_var retval_name)
Expand All @@ -1705,10 +1712,12 @@ let gen_func_tbridge (fd: Ast.func_decl) (dummy_var: string) =
in
sprintf "%s%s%s\t%s\n\t%s\n%s" func_open local_vars dummy_var check_pms invoke_func func_close
else
sprintf "%s%s\t%s\n%s\n%s%s\n%s%s%s\n%s\n%s%s"
sprintf "%s%s\t%s\n\t%s\n%s%s\n%s%s\n%s%s%s\n%s\n%s%s"
func_open
(mk_check_pms fd.Ast.fname)
declare_ms_ptr
declare_ms
copy_ms
local_vars
(gen_check_tbridge_length_overflow fd.Ast.plist)
(gen_check_tbridge_ptr_parms fd.Ast.plist)
Expand All @@ -1726,7 +1735,7 @@ let tproxy_fill_ms_field (pd: Ast.pdecl) (is_ocall_switchless: bool) =
let parm_accessor = mk_parm_accessor name in
let sgx_ocfree_fn = get_sgx_fname SGX_OCFREE is_ocall_switchless in
let copy_ms_val_filed = [
sprintf "\tif (MEMCPY_S(&%s, sizeof(%s), &%s, sizeof(%s))) {"
sprintf "\tif (memcpy_verw_s(&%s, sizeof(%s), &%s, sizeof(%s))) {"
parm_accessor
parm_accessor
name
Expand Down Expand Up @@ -1786,7 +1795,7 @@ let tproxy_fill_ms_field (pd: Ast.pdecl) (is_ocall_switchless: bool) =
in
let post =
let code_template =[
sprintf "\tif (MEMCPY_S((void *)((size_t)__tmp + sizeof(__local_%s) * i), sizeof(__local_%s), &__local_%s, sizeof(__local_%s))) {" name name name name;
sprintf "\tif (memcpy_verw_s((void *)((size_t)__tmp + sizeof(__local_%s) * i), sizeof(__local_%s), &__local_%s, sizeof(__local_%s))) {" name name name name;
sprintf "\t\t%s();" sgx_ocfree_fn;
"\t\treturn SGX_ERROR_UNEXPECTED;";
"\t}";
Expand All @@ -1801,7 +1810,7 @@ let tproxy_fill_ms_field (pd: Ast.pdecl) (is_ocall_switchless: bool) =
let non_deep_copy_out =
let code_template =
[
sprintf "if (MEMCPY_S(__tmp, ocalloc_size, %s, %s)) {" name len_var;
sprintf "if (memcpy_verw_s(__tmp, ocalloc_size, %s, %s)) {" name len_var;
sprintf "\t\t%s();" sgx_ocfree_fn;
"\t\treturn SGX_ERROR_UNEXPECTED;";
"\t}";
Expand All @@ -1811,7 +1820,7 @@ let tproxy_fill_ms_field (pd: Ast.pdecl) (is_ocall_switchless: bool) =
if deep_copy_out = "" then non_deep_copy_out else deep_copy_out
in
let assign_tmp_to_ptr = [
sprintf "\tif (MEMCPY_S(&%s, sizeof(%s), &__tmp, sizeof(%s))) {"
sprintf "\tif (memcpy_verw_s(&%s, sizeof(%s), &__tmp, sizeof(%s))) {"
parm_accessor
tystr
tystr;
Expand All @@ -1830,7 +1839,7 @@ let tproxy_fill_ms_field (pd: Ast.pdecl) (is_ocall_switchless: bool) =
]
@ check_size @
[
sprintf "\tMEMSET(__tmp_%s, 0, %s);" name len_var;
sprintf "\tmemset_verw(__tmp_%s, 0, %s);" name len_var;
sprintf "\t__tmp = (void *)((size_t)__tmp + %s);" len_var;
sprintf "\tocalloc_size -= %s;" len_var;
"} else {";
Expand Down Expand Up @@ -1887,8 +1896,8 @@ let tproxy_fill_structure(pd: Ast.pdecl) (is_ocall_switchless: bool)=
[
sprintf "%s = %s;" len_member_name (gen_struct_ptr_size ty attr name para_struct);
sprintf "\tif (%s != NULL && %s != 0) {" para_struct_member len_member_name;
sprintf "\t\tif (MEMCPY_S(__tmp, %s, %s, %s) ||" len_member_name para_struct_member len_member_name;
sprintf "\t\t\tMEMCPY_S(&%s, sizeof(%s), &__tmp, sizeof(%s))) {" in_struct_member (Ast.get_tystr ty) (Ast.get_tystr ty);
sprintf "\t\tif (memcpy_verw_s(__tmp, %s, %s, %s) ||" len_member_name para_struct_member len_member_name;
sprintf "\t\t\tmemcpy_verw_s(&%s, sizeof(%s), &__tmp, sizeof(%s))) {" in_struct_member (Ast.get_tystr ty) (Ast.get_tystr ty);
sprintf "\t\t\t%s();" sgx_ocfree_fn;
"\t\t\treturn SGX_ERROR_UNEXPECTED;";
"\t\t}";
Expand Down Expand Up @@ -2224,7 +2233,12 @@ let gen_func_tproxy (ufunc: Ast.untrusted_func) (idx: int) =
Ast.PTVal _ -> acc
| Ast.PTPtr(ty, attr) -> acc ^ copy_memory ty attr declr) "" plist in

let set_errno = if propagate_errno then "\t\terrno = ms->ocall_errno;\n" else "" in
let set_errno = if propagate_errno then sprintf "%s\n%s\n%s\n%s\n"
"\t\tif (memcpy_s((void*)&errno, sizeof(errno), &ms->ocall_errno, sizeof(ms->ocall_errno))) {"
(sprintf "\t\t\t%s();" sgx_ocfree_fn)
"\t\t\treturn SGX_ERROR_UNEXPECTED;"
"\t\t}"
else "" in
let func_close = sprintf "%s%s%s\n%s%s\n"
(handle_out_ptr fd.Ast.plist)
set_errno
Expand All @@ -2234,8 +2248,13 @@ let gen_func_tproxy (ufunc: Ast.untrusted_func) (idx: int) =
let sgx_ocall_fn = get_sgx_fname SGX_OCALL ufunc.Ast.uf_is_switchless in
let ocall_null = sprintf "\tstatus = %s(%d, NULL);\n" sgx_ocall_fn idx in
let ocall_with_ms = sprintf "\tstatus = %s(%d, %s);\n" sgx_ocall_fn idx ms_struct_val in
let update_retval = sprintf "\t\tif (%s) *%s = %s;"
retval_name retval_name (mk_parm_accessor retval_name) in
let update_retval = sprintf "%s\n%s\n%s\n%s\n%s\n%s"
(sprintf "\t\tif (%s) {" retval_name)
(sprintf "\t\t\tif (memcpy_s((void*)%s, sizeof(*%s), &%s, sizeof(%s))) {" retval_name retval_name (mk_parm_accessor retval_name) (mk_parm_accessor retval_name))
(sprintf "\t\t\t\t%s();" sgx_ocfree_fn)
"\t\t\t\treturn SGX_ERROR_UNEXPECTED;"
"\t\t\t}"
"\t\t}" in
let func_body = ref [] in
if (is_naked_func fd) && (propagate_errno = false) then
sprintf "%s%s%s%s" func_open local_vars ocall_null "\n\treturn status;\n}"
Expand Down

0 comments on commit 70e1535

Please sign in to comment.