packages/linux-sgx
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!79 [sync] PR-78: backport patch and cve

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @houmingyong 
Signed-off-by: @houmingyong
This commit is contained in:
openeuler-ci-bot 2023-10-28 06:18:50 +00:00 committed by Gitee
commit a38a4c3e67
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 623 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

367
backport-CVE-2022-1941-Fix-parsing-vulnerability-for-MessageSet-type.patch Normal file
View File

@ -0,0 +1,367 @@
From 55815e423bb82cc828836bbd60c79c1f9a195763 Mon Sep 17 00:00:00 2001
From: Deanna Garcia <deannagarcia@google.com>
Date: Tue, 13 Sep 2022 17:20:00 +0000
Subject: [PATCH] Apply patch
Reference:https://github.com/protocolbuffers/protobuf/commit/55815e423bb82cc828836bbd60c79c1f9a195763
Conflict: Changing the Source File Path
---
src/google/protobuf/extension_set_inl.h | 27 +++--
src/google/protobuf/wire_format.cc | 26 +++--
src/google/protobuf/wire_format_lite.h | 27 +++--
src/google/protobuf/wire_format_unittest.cc | 109 ++++++++++++++++++--
4 files changed, 152 insertions(+), 37 deletions(-)
diff --git a/external/protobuf/protobuf_code/src/google/protobuf/extension_set_inl.h b/external/protobuf/protobuf_code/src/google/protobuf/extension_set_inl.h
index 074784b96d5..77f95f62fd5 100644
--- a/external/protobuf/protobuf_code/src/google/protobuf/extension_set_inl.h
+++ b/external/protobuf/protobuf_code/src/google/protobuf/extension_set_inl.h
@@ -206,16 +206,21 @@ const char* ExtensionSet::ParseMessageSetItemTmpl(
const char* ptr, const Msg* containing_type,
internal::InternalMetadata* metadata, internal::ParseContext* ctx) {
std::string payload;
- uint32 type_id = 0;
- bool payload_read = false;
+ uint32 type_id;
+ enum class State { kNoTag, kHasType, kHasPayload, kDone };
+ State state = State::kNoTag;
+
while (!ctx->Done(&ptr)) {
uint32 tag = static_cast<uint8>(*ptr++);
if (tag == WireFormatLite::kMessageSetTypeIdTag) {
uint64 tmp;
ptr = ParseBigVarint(ptr, &tmp);
GOOGLE_PROTOBUF_PARSER_ASSERT(ptr);
- type_id = tmp;
- if (payload_read) {
+ if (state == State::kNoTag) {
+ type_id = tmp;
+ state = State::kHasType;
+ } else if (state == State::kHasPayload) {
+ type_id = tmp;
ExtensionInfo extension;
bool was_packed_on_wire;
if (!FindExtension(2, type_id, containing_type, ctx, &extension,
@@ -241,20 +246,24 @@ const char* ExtensionSet::ParseMessageSetItemTmpl(
GOOGLE_PROTOBUF_PARSER_ASSERT(value->_InternalParse(p, &tmp_ctx) &&
tmp_ctx.EndedAtLimit());
}
- type_id = 0;
+ state = State::kDone;
}
} else if (tag == WireFormatLite::kMessageSetMessageTag) {
- if (type_id != 0) {
+ if (state == State::kHasType) {
ptr = ParseFieldMaybeLazily(static_cast<uint64>(type_id) * 8 + 2, ptr,
containing_type, metadata, ctx);
GOOGLE_PROTOBUF_PARSER_ASSERT(ptr != nullptr);
- type_id = 0;
+ state = State::kDone;
} else {
+ std::string tmp;
int32 size = ReadSize(&ptr);
GOOGLE_PROTOBUF_PARSER_ASSERT(ptr);
- ptr = ctx->ReadString(ptr, size, &payload);
+ ptr = ctx->ReadString(ptr, size, &tmp);
GOOGLE_PROTOBUF_PARSER_ASSERT(ptr);
- payload_read = true;
+ if (state == State::kNoTag) {
+ payload = std::move(tmp);
+ state = State::kHasPayload;
+ }
}
} else {
ptr = ReadTag(ptr - 1, &tag);
diff --git a/external/protobuf/protobuf_code/src/google/protobuf/wire_format.cc b/external/protobuf/protobuf_code/src/google/protobuf/wire_format.cc
index c30b7abff63..382d01ea0cf 100644
--- a/external/protobuf/protobuf_code/src/google/protobuf/wire_format.cc
+++ b/external/protobuf/protobuf_code/src/google/protobuf/wire_format.cc
@@ -657,9 +657,11 @@ struct WireFormat::MessageSetParser {
const char* _InternalParse(const char* ptr, internal::ParseContext* ctx) {
// Parse a MessageSetItem
auto metadata = reflection->MutableInternalMetadata(msg);
+ enum class State { kNoTag, kHasType, kHasPayload, kDone };
+ State state = State::kNoTag;
+
std::string payload;
uint32 type_id = 0;
- bool payload_read = false;
while (!ctx->Done(&ptr)) {
// We use 64 bit tags in order to allow typeid's that span the whole
// range of 32 bit numbers.
@@ -668,8 +670,11 @@ struct WireFormat::MessageSetParser {
uint64 tmp;
ptr = ParseBigVarint(ptr, &tmp);
GOOGLE_PROTOBUF_PARSER_ASSERT(ptr);
- type_id = tmp;
- if (payload_read) {
+ if (state == State::kNoTag) {
+ type_id = tmp;
+ state = State::kHasType;
+ } else if (state == State::kHasPayload) {
+ type_id = tmp;
const FieldDescriptor* field;
if (ctx->data().pool == nullptr) {
field = reflection->FindKnownExtensionByNumber(type_id);
@@ -696,17 +701,17 @@ struct WireFormat::MessageSetParser {
GOOGLE_PROTOBUF_PARSER_ASSERT(value->_InternalParse(p, &tmp_ctx) &&
tmp_ctx.EndedAtLimit());
}
- type_id = 0;
+ state = State::kDone;
}
continue;
} else if (tag == WireFormatLite::kMessageSetMessageTag) {
- if (type_id == 0) {
+ if (state == State::kNoTag) {
int32 size = ReadSize(&ptr);
GOOGLE_PROTOBUF_PARSER_ASSERT(ptr);
ptr = ctx->ReadString(ptr, size, &payload);
GOOGLE_PROTOBUF_PARSER_ASSERT(ptr);
- payload_read = true;
- } else {
+ state = State::kHasPayload;
+ } else if (state == State::kHasType) {
// We're now parsing the payload
const FieldDescriptor* field = nullptr;
if (descriptor->IsExtensionNumber(type_id)) {
@@ -720,7 +725,12 @@ struct WireFormat::MessageSetParser {
ptr = WireFormat::_InternalParseAndMergeField(
msg, ptr, ctx, static_cast<uint64>(type_id) * 8 + 2, reflection,
field);
- type_id = 0;
+ state = State::kDone;
+ } else {
+ int32 size = ReadSize(&ptr);
+ GOOGLE_PROTOBUF_PARSER_ASSERT(ptr);
+ ptr = ctx->Skip(ptr, size);
+ GOOGLE_PROTOBUF_PARSER_ASSERT(ptr);
}
} else {
// An unknown field in MessageSetItem.
diff --git a/external/protobuf/protobuf_code/src/google/protobuf/wire_format_lite.h b/external/protobuf/protobuf_code/src/google/protobuf/wire_format_lite.h
index f2a3cad8281..0b13096ccbf 100644
--- a/external/protobuf/protobuf_code/src/google/protobuf/wire_format_lite.h
+++ b/external/protobuf/protobuf_code/src/google/protobuf/wire_format_lite.h
@@ -1798,6 +1798,9 @@ bool ParseMessageSetItemImpl(io::CodedInputStream* input, MS ms) {
// we can parse it later.
std::string message_data;
+ enum class State { kNoTag, kHasType, kHasPayload, kDone };
+ State state = State::kNoTag;
+
while (true) {
const uint32 tag = input->ReadTagNoLastTag();
if (tag == 0) return false;
@@ -1806,26 +1809,34 @@ bool ParseMessageSetItemImpl(io::CodedInputStream* input, MS ms) {
case WireFormatLite::kMessageSetTypeIdTag: {
uint32 type_id;
if (!input->ReadVarint32(&type_id)) return false;
- last_type_id = type_id;
-
- if (!message_data.empty()) {
+ if (state == State::kNoTag) {
+ last_type_id = type_id;
+ state = State::kHasType;
+ } else if (state == State::kHasPayload) {
// We saw some message data before the type_id. Have to parse it
// now.
io::CodedInputStream sub_input(
reinterpret_cast<const uint8*>(message_data.data()),
static_cast<int>(message_data.size()));
sub_input.SetRecursionLimit(input->RecursionBudget());
- if (!ms.ParseField(last_type_id, &sub_input)) {
+ if (!ms.ParseField(type_id, &sub_input)) {
return false;
}
message_data.clear();
+ state = State::kDone;
}
break;
}
case WireFormatLite::kMessageSetMessageTag: {
- if (last_type_id == 0) {
+ if (state == State::kHasType) {
+ // Already saw type_id, so we can parse this directly.
+ if (!ms.ParseField(last_type_id, input)) {
+ return false;
+ }
+ state = State::kDone;
+ } else if (state == State::kNoTag) {
// We haven't seen a type_id yet. Append this data to message_data.
uint32 length;
if (!input->ReadVarint32(&length)) return false;
@@ -1836,11 +1847,9 @@ bool ParseMessageSetItemImpl(io::CodedInputStream* input, MS ms) {
auto ptr = reinterpret_cast<uint8*>(&message_data[0]);
ptr = io::CodedOutputStream::WriteVarint32ToArray(length, ptr);
if (!input->ReadRaw(ptr, length)) return false;
+ state = State::kHasPayload;
} else {
- // Already saw type_id, so we can parse this directly.
- if (!ms.ParseField(last_type_id, input)) {
- return false;
- }
+ if (!ms.SkipField(tag, input)) return false;
}
break;
diff --git a/external/protobuf/protobuf_code/src/google/protobuf/wire_format_unittest.cc b/external/protobuf/protobuf_code/src/google/protobuf/wire_format_unittest.cc
index e75fc316f87..8d767b2833e 100644
--- a/external/protobuf/protobuf_code/src/google/protobuf/wire_format_unittest.cc
+++ b/external/protobuf/protobuf_code/src/google/protobuf/wire_format_unittest.cc
@@ -46,6 +46,7 @@
#include <google/protobuf/io/zero_copy_stream_impl.h>
#include <google/protobuf/io/zero_copy_stream_impl_lite.h>
#include <google/protobuf/descriptor.h>
+#include <google/protobuf/dynamic_message.h>
#include <google/protobuf/wire_format_lite.h>
#include <google/protobuf/testing/googletest.h>
#include <google/protobuf/stubs/logging.h>
@@ -585,30 +586,56 @@ TEST(WireFormatTest, ParseMessageSet) {
EXPECT_EQ(message_set.DebugString(), dynamic_message_set.DebugString());
}
-TEST(WireFormatTest, ParseMessageSetWithReverseTagOrder) {
+namespace {
+std::string BuildMessageSetItemStart() {
std::string data;
{
- unittest::TestMessageSetExtension1 message;
- message.set_i(123);
- // Build a MessageSet manually with its message content put before its
- // type_id.
io::StringOutputStream output_stream(&data);
io::CodedOutputStream coded_output(&output_stream);
coded_output.WriteTag(WireFormatLite::kMessageSetItemStartTag);
+ }
+ return data;
+}
+std::string BuildMessageSetItemEnd() {
+ std::string data;
+ {
+ io::StringOutputStream output_stream(&data);
+ io::CodedOutputStream coded_output(&output_stream);
+ coded_output.WriteTag(WireFormatLite::kMessageSetItemEndTag);
+ }
+ return data;
+}
+std::string BuildMessageSetTestExtension1(int value = 123) {
+ std::string data;
+ {
+ unittest::TestMessageSetExtension1 message;
+ message.set_i(value);
+ io::StringOutputStream output_stream(&data);
+ io::CodedOutputStream coded_output(&output_stream);
// Write the message content first.
WireFormatLite::WriteTag(WireFormatLite::kMessageSetMessageNumber,
WireFormatLite::WIRETYPE_LENGTH_DELIMITED,
&coded_output);
coded_output.WriteVarint32(message.ByteSizeLong());
message.SerializeWithCachedSizes(&coded_output);
- // Write the type id.
- uint32 type_id = message.GetDescriptor()->extension(0)->number();
+ }
+ return data;
+}
+std::string BuildMessageSetItemTypeId(int extension_number) {
+ std::string data;
+ {
+ io::StringOutputStream output_stream(&data);
+ io::CodedOutputStream coded_output(&output_stream);
WireFormatLite::WriteUInt32(WireFormatLite::kMessageSetTypeIdNumber,
- type_id, &coded_output);
- coded_output.WriteTag(WireFormatLite::kMessageSetItemEndTag);
+ extension_number, &coded_output);
}
+ return data;
+}
+void ValidateTestMessageSet(const std::string& test_case,
+ const std::string& data) {
+ SCOPED_TRACE(test_case);
{
- proto2_wireformat_unittest::TestMessageSet message_set;
+ ::proto2_wireformat_unittest::TestMessageSet message_set;
ASSERT_TRUE(message_set.ParseFromString(data));
EXPECT_EQ(123,
@@ -616,10 +643,15 @@ TEST(WireFormatTest, ParseMessageSetWithReverseTagOrder) {
.GetExtension(
unittest::TestMessageSetExtension1::message_set_extension)
.i());
+
+ // Make sure it does not contain anything else.
+ message_set.ClearExtension(
+ unittest::TestMessageSetExtension1::message_set_extension);
+ EXPECT_EQ(message_set.SerializeAsString(), "");
}
{
// Test parse the message via Reflection.
- proto2_wireformat_unittest::TestMessageSet message_set;
+ ::proto2_wireformat_unittest::TestMessageSet message_set;
io::CodedInputStream input(reinterpret_cast<const uint8*>(data.data()),
data.size());
EXPECT_TRUE(WireFormat::ParseAndMergePartial(&input, &message_set));
@@ -631,6 +663,61 @@ TEST(WireFormatTest, ParseMessageSetWithReverseTagOrder) {
unittest::TestMessageSetExtension1::message_set_extension)
.i());
}
+ {
+ // Test parse the message via DynamicMessage.
+ DynamicMessageFactory factory;
+ std::unique_ptr<Message> msg(
+ factory
+ .GetPrototype(
+ ::proto2_wireformat_unittest::TestMessageSet::descriptor())
+ ->New());
+ msg->ParseFromString(data);
+ auto* reflection = msg->GetReflection();
+ std::vector<const FieldDescriptor*> fields;
+ reflection->ListFields(*msg, &fields);
+ ASSERT_EQ(fields.size(), 1);
+ const auto& sub = reflection->GetMessage(*msg, fields[0]);
+ reflection = sub.GetReflection();
+ EXPECT_EQ(123, reflection->GetInt32(
+ sub, sub.GetDescriptor()->FindFieldByName("i")));
+ }
+}
+} // namespace
+
+TEST(WireFormatTest, ParseMessageSetWithAnyTagOrder) {
+ std::string start = BuildMessageSetItemStart();
+ std::string end = BuildMessageSetItemEnd();
+ std::string id = BuildMessageSetItemTypeId(
+ unittest::TestMessageSetExtension1::descriptor()->extension(0)->number());
+ std::string message = BuildMessageSetTestExtension1();
+
+ ValidateTestMessageSet("id + message", start + id + message + end);
+ ValidateTestMessageSet("message + id", start + message + id + end);
+}
+
+TEST(WireFormatTest, ParseMessageSetWithDuplicateTags) {
+ std::string start = BuildMessageSetItemStart();
+ std::string end = BuildMessageSetItemEnd();
+ std::string id = BuildMessageSetItemTypeId(
+ unittest::TestMessageSetExtension1::descriptor()->extension(0)->number());
+ std::string other_id = BuildMessageSetItemTypeId(123456);
+ std::string message = BuildMessageSetTestExtension1();
+ std::string other_message = BuildMessageSetTestExtension1(321);
+
+ // Double id
+ ValidateTestMessageSet("id + other_id + message",
+ start + id + other_id + message + end);
+ ValidateTestMessageSet("id + message + other_id",
+ start + id + message + other_id + end);
+ ValidateTestMessageSet("message + id + other_id",
+ start + message + id + other_id + end);
+ // Double message
+ ValidateTestMessageSet("id + message + other_message",
+ start + id + message + other_message + end);
+ ValidateTestMessageSet("message + id + other_message",
+ start + message + id + other_message + end);
+ ValidateTestMessageSet("message + other_message + id",
+ start + message + other_message + id + end);
}
void SerializeReverseOrder(

251
backport-Fix-sgx_create_enclave-retry-mechanism.patch Normal file
View File

@ -0,0 +1,251 @@
From 2502597c269947edcd2bc38d9d4277f558a4a25e Mon Sep 17 00:00:00 2001
From: gaoyusong <a869920004@163.com>
Date: Tue, 28 Feb 2023 19:57:46 +0800
Subject: [PATCH] Fix sgx_create_enclave retry mechanism
Reference: https://github.com/intel/linux-sgx/commit/111a916b5d19554d2c86f3d881bf00ac91de1b34
Conflict: NA
---
.../templates/sgx/SGXEnclave/untrusted/sample.cpp | 5 +++++
SampleCode/Cxx11SGXDemo/App/App.cpp | 5 +++++
SampleCode/Cxx14SGXDemo/App/App.cpp | 5 +++++
SampleCode/PowerTransition/App/ErrorSupport.cpp | 1 +
SampleCode/ProtobufSGXDemo/App/App.cpp | 5 +++++
SampleCode/SampleDNNL/App/App.cpp | 5 +++++
SampleCode/SampleEnclave/App/App.cpp | 5 +++++
SampleCode/SampleEnclaveGMIPP/App/App.cpp | 5 +++++
SampleCode/SampleEnclavePCL/App/App.cpp | 5 +++++
SampleCode/SealUnseal/App/ErrorSupport.cpp | 1 +
SampleCode/Switchless/App/App.cpp | 5 +++++
common/inc/sgx_error.h | 2 +-
psw/ae/aesm_service/source/oal/linux/internal_log.cpp | 1 +
psw/urts/loader.cpp | 9 +++++----
14 files changed, 54 insertions(+), 5 deletions(-)
diff --git a/Linux_SGXEclipsePlugin/build_directory/plugins/com.intel.sgx/templates/sgx/SGXEnclave/untrusted/sample.cpp b/Linux_SGXEclipsePlugin/build_directory/plugins/com.intel.sgx/templates/sgx/SGXEnclave/untrusted/sample.cpp
index 2885ebd..c8bcf48 100644
--- a/Linux_SGXEclipsePlugin/build_directory/plugins/com.intel.sgx/templates/sgx/SGXEnclave/untrusted/sample.cpp
+++ b/Linux_SGXEclipsePlugin/build_directory/plugins/com.intel.sgx/templates/sgx/SGXEnclave/untrusted/sample.cpp
@@ -102,6 +102,11 @@ static sgx_errlist_t sgx_errlist[] = {
"Can't open enclave file.",
NULL
},
+ {
+ SGX_ERROR_MEMORY_MAP_FAILURE,
+ "Failed to reserve memory for the enclave.",
+ NULL
+ },
};
/* Check error conditions for loading enclave */
diff --git a/SampleCode/Cxx11SGXDemo/App/App.cpp b/SampleCode/Cxx11SGXDemo/App/App.cpp
index cc92865..f44b435 100644
--- a/SampleCode/Cxx11SGXDemo/App/App.cpp
+++ b/SampleCode/Cxx11SGXDemo/App/App.cpp
@@ -132,6 +132,11 @@ static sgx_errlist_t sgx_errlist[] = {
"The enclave is signed as product enclave, and can not be created as debuggable enclave.",
NULL
},
+ {
+ SGX_ERROR_MEMORY_MAP_FAILURE,
+ "Failed to reserve memory for the enclave.",
+ NULL
+ },
};
/* Check error conditions for loading enclave */
diff --git a/SampleCode/Cxx14SGXDemo/App/App.cpp b/SampleCode/Cxx14SGXDemo/App/App.cpp
index 62a8dde..59cdfbe 100644
--- a/SampleCode/Cxx14SGXDemo/App/App.cpp
+++ b/SampleCode/Cxx14SGXDemo/App/App.cpp
@@ -132,6 +132,11 @@ static sgx_errlist_t sgx_errlist[] = {
"The enclave is signed as product enclave, and can not be created as debuggable enclave.",
NULL
},
+ {
+ SGX_ERROR_MEMORY_MAP_FAILURE,
+ "Failed to reserve memory for the enclave.",
+ NULL
+ },
};
/* Check error conditions for loading enclave */
diff --git a/SampleCode/PowerTransition/App/ErrorSupport.cpp b/SampleCode/PowerTransition/App/ErrorSupport.cpp
index 4142ab0..9fdf0ce 100644
--- a/SampleCode/PowerTransition/App/ErrorSupport.cpp
+++ b/SampleCode/PowerTransition/App/ErrorSupport.cpp
@@ -51,6 +51,7 @@ static sgx_errlist_t sgx_errlist[] = {
{SGX_ERROR_OUT_OF_EPC, "Out of EPC memory."},
{SGX_ERROR_NO_DEVICE, "Invalid SGX device."},
{SGX_ERROR_MEMORY_MAP_CONFLICT, "Memory map conflicted."},
+ {SGX_ERROR_MEMORY_MAP_FAILURE, "Failed to reserve memory for the enclave."},
{SGX_ERROR_INVALID_METADATA, "Invalid encalve metadata."},
{SGX_ERROR_DEVICE_BUSY, "SGX device is busy."},
{SGX_ERROR_INVALID_VERSION, "Enclave metadata version is invalid."},
diff --git a/SampleCode/ProtobufSGXDemo/App/App.cpp b/SampleCode/ProtobufSGXDemo/App/App.cpp
index 58b74b4..ae7f2f3 100644
--- a/SampleCode/ProtobufSGXDemo/App/App.cpp
+++ b/SampleCode/ProtobufSGXDemo/App/App.cpp
@@ -132,6 +132,11 @@ static sgx_errlist_t sgx_errlist[] = {
"The enclave is signed as product enclave, and can not be created as debuggable enclave.",
NULL
},
+ {
+ SGX_ERROR_MEMORY_MAP_FAILURE,
+ "Failed to reserve memory for the enclave.",
+ NULL
+ },
};
/* Check error conditions for loading enclave */
diff --git a/SampleCode/SampleDNNL/App/App.cpp b/SampleCode/SampleDNNL/App/App.cpp
index 41c6752..cfb4f15 100644
--- a/SampleCode/SampleDNNL/App/App.cpp
+++ b/SampleCode/SampleDNNL/App/App.cpp
@@ -134,6 +134,11 @@ static sgx_errlist_t sgx_errlist[] = {
"Can't open enclave file.",
NULL
},
+ {
+ SGX_ERROR_MEMORY_MAP_FAILURE,
+ "Failed to reserve memory for the enclave.",
+ NULL
+ },
};
/* Check error conditions for loading enclave */
diff --git a/SampleCode/SampleEnclave/App/App.cpp b/SampleCode/SampleEnclave/App/App.cpp
index 6ac49c8..8aa10da 100644
--- a/SampleCode/SampleEnclave/App/App.cpp
+++ b/SampleCode/SampleEnclave/App/App.cpp
@@ -128,6 +128,11 @@ static sgx_errlist_t sgx_errlist[] = {
"Can't open enclave file.",
NULL
},
+ {
+ SGX_ERROR_MEMORY_MAP_FAILURE,
+ "Failed to reserve memory for the enclave.",
+ NULL
+ },
};
/* Check error conditions for loading enclave */
diff --git a/SampleCode/SampleEnclaveGMIPP/App/App.cpp b/SampleCode/SampleEnclaveGMIPP/App/App.cpp
index 9e951ae..8b2123c 100644
--- a/SampleCode/SampleEnclaveGMIPP/App/App.cpp
+++ b/SampleCode/SampleEnclaveGMIPP/App/App.cpp
@@ -129,6 +129,11 @@ static sgx_errlist_t sgx_errlist[] = {
"Can't open enclave file.",
NULL
},
+ {
+ SGX_ERROR_MEMORY_MAP_FAILURE,
+ "Failed to reserve memory for the enclave.",
+ NULL
+ },
};
/* Check error conditions for loading enclave */
diff --git a/SampleCode/SampleEnclavePCL/App/App.cpp b/SampleCode/SampleEnclavePCL/App/App.cpp
index 092c68f..42d3c64 100644
--- a/SampleCode/SampleEnclavePCL/App/App.cpp
+++ b/SampleCode/SampleEnclavePCL/App/App.cpp
@@ -158,6 +158,11 @@ static sgx_errlist_t sgx_errlist[] = {
"PCL sealed key GUID mismatch.",
NULL
},
+ {
+ SGX_ERROR_MEMORY_MAP_FAILURE,
+ "Failed to reserve memory for the enclave.",
+ NULL
+ },
};
/* Check error conditions for loading enclave */
diff --git a/SampleCode/SealUnseal/App/ErrorSupport.cpp b/SampleCode/SealUnseal/App/ErrorSupport.cpp
index d890442..8b456a8 100644
--- a/SampleCode/SealUnseal/App/ErrorSupport.cpp
+++ b/SampleCode/SealUnseal/App/ErrorSupport.cpp
@@ -50,6 +50,7 @@ static sgx_errlist_t sgx_errlist[] = {
{SGX_ERROR_OUT_OF_EPC, "Out of EPC memory."},
{SGX_ERROR_NO_DEVICE, "Invalid SGX device."},
{SGX_ERROR_MEMORY_MAP_CONFLICT, "Memory map conflicted."},
+ {SGX_ERROR_MEMORY_MAP_FAILURE, "Failed to reserve memory for the enclave."},
{SGX_ERROR_INVALID_METADATA, "Invalid encalve metadata."},
{SGX_ERROR_DEVICE_BUSY, "SGX device is busy."},
{SGX_ERROR_INVALID_VERSION, "Enclave metadata version is invalid."},
diff --git a/SampleCode/Switchless/App/App.cpp b/SampleCode/Switchless/App/App.cpp
index e86b49b..4f05c19 100644
--- a/SampleCode/Switchless/App/App.cpp
+++ b/SampleCode/Switchless/App/App.cpp
@@ -132,6 +132,11 @@ static sgx_errlist_t sgx_errlist[] = {
"Can't open enclave file.",
NULL
},
+ {
+ SGX_ERROR_MEMORY_MAP_FAILURE,
+ "Failed to reserve memory for the enclave.",
+ NULL
+ },
};
/* Check error conditions for loading enclave */
diff --git a/common/inc/sgx_error.h b/common/inc/sgx_error.h
index 1a410ca..d38ec05 100644
--- a/common/inc/sgx_error.h
+++ b/common/inc/sgx_error.h
@@ -61,7 +61,7 @@ typedef enum _status_t
SGX_ERROR_NDEBUG_ENCLAVE = SGX_MK_ERROR(0x2004), /* The enclave is signed as product enclave, and can not be created as debuggable enclave. */
SGX_ERROR_OUT_OF_EPC = SGX_MK_ERROR(0x2005), /* Not enough EPC is available to load the enclave */
SGX_ERROR_NO_DEVICE = SGX_MK_ERROR(0x2006), /* Can't open SGX device */
- SGX_ERROR_MEMORY_MAP_CONFLICT= SGX_MK_ERROR(0x2007), /* Page mapping failed in driver */
+ SGX_ERROR_MEMORY_MAP_CONFLICT= SGX_MK_ERROR(0x2007), /* Page mapping failed in driver. Deprecated*/
SGX_ERROR_INVALID_METADATA = SGX_MK_ERROR(0x2009), /* The metadata is incorrect. */
SGX_ERROR_DEVICE_BUSY = SGX_MK_ERROR(0x200c), /* Device is busy, mostly EINIT failed. */
SGX_ERROR_INVALID_VERSION = SGX_MK_ERROR(0x200d), /* Metadata version is inconsistent between uRTS and sgx_sign or uRTS is incompatible with current platform. */
diff --git a/psw/ae/aesm_service/source/oal/linux/internal_log.cpp b/psw/ae/aesm_service/source/oal/linux/internal_log.cpp
index f10c3de..c2be8fb 100644
--- a/psw/ae/aesm_service/source/oal/linux/internal_log.cpp
+++ b/psw/ae/aesm_service/source/oal/linux/internal_log.cpp
@@ -468,6 +468,7 @@ static const char *get_sgx_status_t_string(sgx_status_t status)
CASE_ENUM_RET_STRING(SGX_ERROR_OUT_OF_EPC)
CASE_ENUM_RET_STRING(SGX_ERROR_NO_DEVICE)
CASE_ENUM_RET_STRING(SGX_ERROR_MEMORY_MAP_CONFLICT)
+ CASE_ENUM_RET_STRING(SGX_ERROR_MEMORY_MAP_FAILURE)
CASE_ENUM_RET_STRING(SGX_ERROR_INVALID_METADATA)
CASE_ENUM_RET_STRING(SGX_ERROR_DEVICE_BUSY)
CASE_ENUM_RET_STRING(SGX_ERROR_INVALID_VERSION)
diff --git a/psw/urts/loader.cpp b/psw/urts/loader.cpp
index bd98a3c..7ad8a69 100644
--- a/psw/urts/loader.cpp
+++ b/psw/urts/loader.cpp
@@ -907,7 +907,7 @@ int CLoader::load_enclave(SGXLaunchToken *lc, int debug, const metadata_t *metad
int CLoader::load_enclave_ex(SGXLaunchToken *lc, bool debug, const metadata_t *metadata, sgx_config_id_t *config_id, sgx_config_svn_t config_svn, le_prd_css_file_t *prd_css_file, sgx_misc_attribute_t *misc_attr)
{
- unsigned int ret = SGX_SUCCESS, map_conflict_count = 3;
+ unsigned int ret = SGX_SUCCESS, map_retry_count = 3;
bool retry = true;
while (retry)
@@ -919,12 +919,13 @@ int CLoader::load_enclave_ex(SGXLaunchToken *lc, bool debug, const metadata_t *m
case SGX_ERROR_ENCLAVE_LOST: //caused by loading enclave while power transition occurs
break;
- //If memroy map conflict occurs, we only retry 3 times.
+ //If memroy map fail or conflict occurs, we only retry 3 times.
+ case SGX_ERROR_MEMORY_MAP_FAILURE:
case SGX_ERROR_MEMORY_MAP_CONFLICT:
- if(0 == map_conflict_count)
+ if(0 == map_retry_count)
retry = false;
else
- map_conflict_count--;
+ map_retry_count--;
break;
//We don't re-load enclave due to other error code.
--
2.33.0

5
linux-sgx.spec
View File

@ -30,6 +30,8 @@ Patch8: backport-CVE-2022-2068-Fix-file-operations-in-c_rehash.patch
Patch9: backport-CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch
Patch10: DCAP-disabling-the-rpatch-option.patch
Patch11: add-strip-compilation-option-for-pck-id-retrieval-tool.patch
Patch12: backport-Fix-sgx_create_enclave-retry-mechanism.patch
Patch13: backport-CVE-2022-1941-Fix-parsing-vulnerability-for-MessageSet-type.patch
BuildRequires: gcc-c++ protobuf-devel libtool ocaml-ocamlbuild openssl openssl-devel cmake python curl-devel createrepo_c git nasm
@ -1032,6 +1034,9 @@ fi
%files -n libsgx-headers -f %{LINUX_INSTALLER_RPM_DIR}/libsgx-headers/build/list-libsgx-headers
%changelog
* Sat Oct 28 2023 houmingyong<houmingyong@huawei.com> - 2.15.1-9
- backport patch and cve
* Sat Sep 24 2022 wangyu <wangyu283@huawei.com> - 2.15.1-8
- The postun script should distinguish uninstall and upgrade scenarios