The EifReader::from_eif function does not honor the description of sections set in the EifHeader. Instead, it starts parsing section headers starting directly after the last element it has parsed using a file seek based scheme (https://github.com/aws/aws-nitro-enclaves-image-format/blob/main/src/utils/eif_reader.rs#L103-L107). This means it does not do the validation of the file in the same way as the Nitro virtualization stack which goes by the section boundaries described in EifHeader.
This can be problematic with hand-crafted EIF that contains more data than the sections (e.g. gaps with random data between section). Handling of such files might yield undefined nitro-cli behavior.
maayank
commented
1 month ago
The
EifReader::from_eiffunction does not honor the description of sections set in theEifHeader. Instead, it starts parsing section headers starting directly after the last element it has parsed using a file seek based scheme (https://github.com/aws/aws-nitro-enclaves-image-format/blob/main/src/utils/eif_reader.rs#L103-L107). This means it does not do the validation of the file in the same way as the Nitro virtualization stack which goes by the section boundaries described inEifHeader.This can be problematic with hand-crafted EIF that contains more data than the sections (e.g. gaps with random data between section). Handling of such files might yield undefined
nitro-clibehavior.