Open labyrinth-ssr opened 1 year ago
https://github.com/apache/incubator-teaclave-sgx-sdk/blob/3c903bdac4e503dd27b9b1f761c4abfc55f2464c/samplecode/localattestation/attestation/src/func.rs#L144-L145

https://github.com/apache/incubator-teaclave-sgx-sdk/blob/3c903bdac4e503dd27b9b1f761c4abfc55f2464c/samplecode/dcap-pckretrieval/qpl/src/lib.rs#L138-L142

With `Box::into_raw()`, the pointee is on the heap. Multiple assignments will cause a leak of the old value.

A probable fix: if `session_request_safe` should only be called once, add an atomic to guarantee it is assigned only once.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};

const UNINITIALIZED: usize = 0;
const INITIALIZING: usize = 1;
const INITIALIZED: usize = 2;
static GLOBAL_INIT: AtomicUsize = AtomicUsize::new(UNINITIALIZED);

pub struct SetGlobalDefaultError {
    _no_construct: (),
}

// in `session_request_safe`
if GLOBAL_INIT
    .compare_exchange(
        UNINITIALIZED,
        INITIALIZING,
        Ordering::SeqCst,
        Ordering::SeqCst,
    )
    .is_ok()
{
    let ptr = Box::into_raw(Box::new(session_info));
    *session_ptr = ptr as *mut _ as usize;
}
```

Otherwise add the else branch:
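
```rust
else {
    // Free the previous allocation before overwriting the slot. The usize held in
    // `*session_ptr` has to be cast back to its pointer type, inside an `unsafe` block.
    drop(Box::from_raw(*session_ptr));
    let ptr = Box::into_raw(Box::new(session_info));
    *session_ptr = ptr as *mut _ as usize;
}
```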
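
The leak reported above and the reclaim-before-overwrite fix can be observed with a drop counter. This is an added example, not code from the issue or from the SDK; `Session`, `reclaim`, `store_leaky`, `store_reclaiming` and `dropped_after` are hypothetical names, and it assumes an empty slot is represented by 0.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Arc;

// Hypothetical stand-in for the boxed session state; counts how often it is dropped.
struct Session {
    drops: Arc<AtomicUsize>,
}

impl Drop for Session {
    fn drop(&mut self) {
        self.drops.fetch_add(1, Ordering::SeqCst);
    }
}

// Frees the allocation whose address is stored in `addr`; 0 means "empty slot" (assumption).
fn reclaim(addr: usize) {
    if addr != 0 {
        // SAFETY: non-zero addresses in a slot only ever come from Box::into_raw below.
        unsafe { drop(Box::from_raw(addr as *mut Session)) };
    }
}

// Pattern reported in the issue: the slot is overwritten, the old Box is never freed.
fn store_leaky(slot: &mut usize, s: Session) {
    *slot = Box::into_raw(Box::new(s)) as usize;
}

// Leak-free variant: swap in the new address, then free whatever was there before.
fn store_reclaiming(slot: &mut usize, s: Session) {
    let old = std::mem::replace(slot, Box::into_raw(Box::new(s)) as usize);
    reclaim(old);
}

// Stores `calls` sessions into one slot, closes it, and returns how many were dropped.
fn dropped_after(calls: usize, store: fn(&mut usize, Session)) -> usize {
    let drops = Arc::new(AtomicUsize::new(0));
    let mut slot = 0usize;
    for _ in 0..calls {
        store(&mut slot, Session { drops: Arc::clone(&drops) });
    }
    reclaim(std::mem::replace(&mut slot, 0)); // session close
    drops.load(Ordering::SeqCst)
}

fn main() {
    println!("leaky:      {} of 3 freed", dropped_after(3, store_leaky));
    println!("reclaiming: {} of 3 freed", dropped_after(3, store_reclaiming));
}
```
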