diff --git a/0041-fix-double-free.patch b/0041-fix-double-free.patch
new file mode 100644
index 0000000000000000000000000000000000000000..807856443f68a94027cde57ba747aeb69a74c954
--- /dev/null
+++ b/0041-fix-double-free.patch
@@ -0,0 +1,36 @@
+From 297bce40545793d545747e25f614b09a185ef489 Mon Sep 17 00:00:00 2001
+From: houmingyong
+Date: Wed, 23 Feb 2022 20:33:32 +0800
+Subject: [PATCH] fix double free
+
+---
+ src/host_src/gp/gp_enclave.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/host_src/gp/gp_enclave.c b/src/host_src/gp/gp_enclave.c
+index c7554de..9bc9514 100644
+--- a/src/host_src/gp/gp_enclave.c
++++ b/src/host_src/gp/gp_enclave.c
+@@ -255,10 +255,15 @@ static bool handle_ocall(uint32_t agent_id, int dev_fd, void *buffer, cc_ocall_f
+ }
+ ret = true;
+ done:
+- free(tmp_input_buffer);
+- free(tmp_output_buffer);
+- tmp_input_buffer = NULL;
+- tmp_output_buffer = NULL;
++ if (tmp_input_buffer != NULL) {
++ free(tmp_input_buffer);
++ tmp_input_buffer = NULL;
++ }
++ if (tmp_output_buffer != NULL) {
++ free(tmp_output_buffer);
++ tmp_output_buffer = NULL;
++ }
++
+ return ret;
+ }
+
+--
+2.27.0
+
diff --git a/0042-destroy-rwlock-when-create-enclave-failed.patch b/0042-destroy-rwlock-when-create-enclave-failed.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a6ecb5a31a9efcdff65760cfe2d7263205ab0de0
--- /dev/null
+++ b/0042-destroy-rwlock-when-create-enclave-failed.patch
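Review bot: The added NULL guards around `free(tmp_input_buffer)` and `free(tmp_output_buffer)` do not change behavior, because `free(NULL)` is a no-op and the removed lines already reset both pointers right after freeing them, so this hunk on its own cannot fix a double free. If a double free was observed, the likely cause is an earlier `free` of one of these buffers inside handle_ocall that does not reset the pointer, or one of them aliasing a pointer freed elsewhere; that site lies outside the hunk and is where the fix belongs. The original four lines can be kept as they were, and the report re-checked under AddressSanitizer to locate the real second free. handle_ocall's body starts before the hunk.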
@@ -0,0 +1,39 @@
+From e716ff141b967986d35fc65c59ab0e03015dce48 Mon Sep 17 00:00:00 2001
+From: houmingyong
+Date: Thu, 13 Jan 2022 10:24:23 +0800
+Subject: [PATCH] destroy rwlock when create enclave failed
+
+Conflict:NA
+Reference:https://gitee.com/openeuler/secGear/commit/cb80972c3a60261786d76a2a50ab5ce29b312ebd
+
+---
+ src/host_src/enclave.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/host_src/enclave.c b/src/host_src/enclave.c
+index 8d6c8a6..e163b58 100644
+--- a/src/host_src/enclave.c
++++ b/src/host_src/enclave.c
+@@ -68,6 +68,7 @@ static void error_handle(cc_enclave_t *enclave, void *handle, p_tee_registered r
+ }
+
+ if (enclave) {
++ pthread_rwlock_destroy(&enclave->rwlock);
+ explicit_bzero(enclave, sizeof(cc_enclave_t));
+ }
+ }
+@@ -192,7 +193,10 @@ cc_enclave_result_t cc_enclave_create(const char *path, enclave_type_t type, uin
+
+ memset(enclave, 0, sizeof(cc_enclave_t));
+ if (!check_transform_path(&res, path, &l_path) || !chose_engine_type(&res, type, version, &type_version)) {
+- goto done;
++ if (l_path) {
++ free(l_path);
++ }
++ return CC_FAIL;
+ }
+
+ /* to do: gp support enter enclave debugging */
+--
+2.27.0
+
diff --git a/0043-fix-partial-resource-leak.patch b/0043-fix-partial-resource-leak.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9b091c42ba180a0131ea7ed9a308879dc49a4774
--- /dev/null
+++ b/0043-fix-partial-resource-leak.patch
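Review bot: `pthread_rwlock_destroy(&enclave->rwlock);` now runs for every non-NULL `enclave` handed to error_handle, but destroying a lock that was never initialized is undefined behavior, so unless every path into error_handle has already run `pthread_rwlock_init` on that field (not visible in this hunk) the destroy needs to be gated on the lock having been initialized. In the second hunk the new early exit hard-codes `return CC_FAIL;` although both `check_transform_path` and `chose_engine_type` are given `&res` to report a specific error code; `return res;` would keep that information for the caller (0046 later in this series does exactly that). The `if (l_path)` wrapper around `free(l_path)` is redundant, since `free(NULL)` is a no-op. Both error_handle and cc_enclave_create begin outside the hunks.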
@@ -0,0 +1,99 @@
+From c64400a742d292585f06590741ceb5b37837e4bc Mon Sep 17 00:00:00 2001
+From: houmingyong
+Date: Mon, 17 Jan 2022 19:21:12 +0800
+Subject: [PATCH] fix partial resource leak
+
+Conflict:NA
+Reference:https://gitee.com/openeuler/secGear/pulls/79
+
+---
+ src/host_src/enclave.c | 49 ++++++++++++++++++------------------------
+ 1 file changed, 21 insertions(+), 28 deletions(-)
+
+diff --git a/src/host_src/enclave.c b/src/host_src/enclave.c
+index e163b58..36a50b9 100644
+--- a/src/host_src/enclave.c
++++ b/src/host_src/enclave.c
+@@ -264,7 +264,7 @@ cc_enclave_result_t cc_enclave_destroy(cc_enclave_t *context)
+ {
+ int32_t ires = 0;
+ cc_enclave_result_t res = CC_FAIL;
+- p_tee_unregistered unregistered_funcc;
++ p_tee_unregistered unregistered_funcc = NULL;
+
+ /* check context and enclave engine context */
+ if (!context || !context->list_ops_node || !context->list_ops_node->ops_desc ||
+@@ -273,50 +273,43 @@ cc_enclave_result_t cc_enclave_destroy(cc_enclave_t *context)
+ return CC_ERROR_BAD_PARAMETERS;
+ }
+
+- ires = pthread_rwlock_wrlock(&(context->rwlock));
+- if (ires) {
+- return CC_ERROR_BUSY;
+- }
++ (void)pthread_rwlock_wrlock(&(context->rwlock));
+ if (context->list_ops_node->ops_desc->ops->cc_destroy_enclave != NULL) {
+ res = context->list_ops_node->ops_desc->ops->cc_destroy_enclave(context);
+- SECGEAR_CHECK_RES(res);
+- } else {
+- print_error_goto("Enclave context no valid ops function\n");
++ if (res != CC_SUCCESS) {
++ print_warning("destory enclave error\n");
++ }
+ }
+
+ /* look up enclave engine unregistered */
+- res = find_engine_registered(context->list_ops_node->ops_desc->handle, NULL, &unregistered_funcc);
+- SECGEAR_CHECK_RES(res);
++ (void)find_engine_registered(context->list_ops_node->ops_desc->handle, NULL, &unregistered_funcc);
+
+ /* lock call unregistered func */
+- ires = pthread_mutex_lock(&(g_list_ops.mutex_work));
+- SECGEAR_CHECK_MUTEX_RES_CC(ires, res);
++ (void)pthread_mutex_lock(&(g_list_ops.mutex_work));
+ /* call enclave engine free node */
+- res = (*unregistered_funcc)(context, context->list_ops_node->ops_desc->type_version);
+- SECGEAR_CHECK_RES_UNLOCK(res);
++ if (unregistered_funcc) {
++ res = (*unregistered_funcc)(context, context->list_ops_node->ops_desc->type_version);
++ if (res != CC_SUCCESS) {
++ print_warning("unregister func error\n");
++ }
++ }
+ if (context->list_ops_node->ops_desc->count == 0) {
+ ires = dlclose(context->list_ops_node->ops_desc->handle);
+ if (ires != 0) {
+- res = CC_FAIL;
+- pthread_mutex_unlock(&(g_list_ops.mutex_work));
+- print_error_goto("Close engine failure\n");
++ print_warning("close engine error\n");
+ }
+ context->list_ops_node = NULL;
+ }
+ /* free enclave number resources */
+ g_list_ops.enclaveState.enclave_count--;
+- ires = pthread_mutex_unlock(&(g_list_ops.mutex_work));
+- SECGEAR_CHECK_MUTEX_RES_CC(ires, res);
++ (void)pthread_mutex_unlock(&(g_list_ops.mutex_work));
+
+- res = CC_SUCCESS;
+-done:
+- if (context && context->path) {
++ if (context->path) {
+ free(context->path);
+ }
+- if (context) {
+- pthread_rwlock_unlock(&context->rwlock);
+- pthread_rwlock_destroy(&context->rwlock);
+- explicit_bzero(context, sizeof(cc_enclave_t));
+- }
+- return res;
++ pthread_rwlock_unlock(&context->rwlock);
++ pthread_rwlock_destroy(&context->rwlock);
++ explicit_bzero(context, sizeof(cc_enclave_t));
++
++ return CC_SUCCESS;
+ }
+--
+2.23.0
+
diff --git a/0044-fix-pointer-without-init-or-check-NULL.patch b/0044-fix-pointer-without-init-or-check-NULL.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c1f491b3fa8436ee58d7f24ff56e460ec0fe2db1
--- /dev/null
+++ b/0044-fix-pointer-without-init-or-check-NULL.patch
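Review bot: `(void)pthread_rwlock_wrlock(&(context->rwlock));` discards the lock result, so when the call fails (EDEADLK or EINVAL) the function tears the context down without holding the lock and then calls `pthread_rwlock_unlock` on a lock it does not own, which is undefined behavior; the removed guard should stay in some form, `if (pthread_rwlock_wrlock(&(context->rwlock)) != 0) { return CC_ERROR_BUSY; }`. The function also ends in `return CC_SUCCESS;` even after `cc_destroy_enclave`, the unregister callback or `dlclose` reported failure, so callers can no longer tell that the enclave may not have been fully torn down; if best-effort cleanup is the intent, record it with a comment above the first warning such as `/* best-effort teardown: failures are logged but resources are still released */`. Minor: the warning text reads `destory` rather than `destroy`. cc_enclave_destroy's opening lines are in the preceding hunk.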
@@ -0,0 +1,97 @@
+From d550148b0c79e1d544d7edd0eef52750d6422e40 Mon Sep 17 00:00:00 2001
+From: houmingyong
+Date: Sat, 8 Jan 2022 17:01:27 +0800
+Subject: [PATCH] modify codex
+
+Conflict:NA
+Reference:https://gitee.com/openeuler/secGear/pulls/77
+---
+ src/enclave_src/gp/itrustee/error_conversion.c | 14 +++++++-------
+ src/host_src/gp/gp_enclave.c | 2 +-
+ tools/codegener/Gentrust.ml | 14 ++++++++------
+ 3 files changed, 16 insertions(+), 14 deletions(-)
+
+diff --git a/src/enclave_src/gp/itrustee/error_conversion.c b/src/enclave_src/gp/itrustee/error_conversion.c
+index 5177322..f30bc81 100644
+--- a/src/enclave_src/gp/itrustee/error_conversion.c
++++ b/src/enclave_src/gp/itrustee/error_conversion.c
+@@ -28,13 +28,13 @@ cc_enclave_result_t conversion_res_status(uint32_t enclave_res)
+ CC_ERROR_READ_DATA, CC_ERROR_WRITE_DATA, CC_ERROR_TRUNCATE_OBJECT, CC_ERROR_SEEK_DATA, CC_ERROR_SYNC_DATA,
+ CC_ERROR_RENAME_OBJECT, CC_ERROR_INVALID_ENCLAVE,
+ };
+- const int res_table2_begin = 0x80000100U;
+- const int res_table3_begin = 0x80001001U;
+- const int res_table4_begin = 0xFFFF7000U;
+- const int res_table5_begin = 0xFFFF7110U;
+- const int res_table6_begin = 0xFFFF7118U;
+- const int res_table7_begin = 0xFFFF9110U;
+- const int shift = 7;
++ const uint32_t res_table2_begin = 0x80000100U;
++ const uint32_t res_table3_begin = 0x80001001U;
++ const uint32_t res_table4_begin = 0xFFFF7000U;
++ const uint32_t res_table5_begin = 0xFFFF7110U;
++ const uint32_t res_table6_begin = 0xFFFF7118U;
++ const uint32_t res_table7_begin = 0xFFFF9110U;
++ const uint32_t shift = 7;
+
+ if (enclave_res < res_table2_begin) {
+ if (enclave_res < sizeof(result_table1) / sizeof(cc_enclave_result_t)) {
+diff --git a/src/host_src/gp/gp_enclave.c b/src/host_src/gp/gp_enclave.c
+index c7554de..0bedb71 100644
+--- a/src/host_src/gp/gp_enclave.c
++++ b/src/host_src/gp/gp_enclave.c
+@@ -79,7 +79,7 @@ static cc_enclave_result_t ta_path_to_uuid(const char *path, TEEC_UUID *uuid)
+ const int clock_end = 7;
+ const int unit = 8;
+ const int uuid_base = 16;
+- char uuid_str[UUID_LEN];
++ char uuid_str[UUID_LEN + 1] = {0};
+ uint64_t uuid_split[gp_token_nums];
+
+ const char *uuid_pos = NULL;
+diff --git a/tools/codegener/Gentrust.ml b/tools/codegener/Gentrust.ml
+index 18af7f2..b62624e 100644
+--- a/tools/codegener/Gentrust.ml
++++ b/tools/codegener/Gentrust.ml
+@@ -27,23 +27,23 @@ let set_parameters_point (fd : func_decl) =
+ let pre (_: parameter_type) = "" in
+ let post = "" in
+ let generator_in (_ : parameter_type) (_ : parameter_type) (decl : declarator) (mem_decl : declarator) =
+- sprintf "uint8_t *%s_%s_p;\n " decl.identifier mem_decl.identifier in
++ sprintf "uint8_t *%s_%s_p = NULL;\n " decl.identifier mem_decl.identifier in
+ let generator_inout (_ : parameter_type) (_ : parameter_type) (decl : declarator) (mem_decl : declarator) =
+- (sprintf "uint8_t *%s_%s_in_p;\n " decl.identifier mem_decl.identifier) ^ (sprintf "uint8_t *%s_%s_out_p;\n " decl.identifier mem_decl.identifier) in
++ (sprintf "uint8_t *%s_%s_in_p = NULL;\n " decl.identifier mem_decl.identifier) ^ (sprintf "uint8_t *%s_%s_out_p = NULL;\n " decl.identifier mem_decl.identifier) in
+ [
+- (match fd.rtype with Void -> "" | _ -> "uint8_t *retval_p;");
++ (match fd.rtype with Void -> "" | _ -> "uint8_t *retval_p = NULL;");
+ concat "\n "
+ (List.map
+ (fun (_, decl) ->
+- sprintf "uint8_t *%s_p;" decl.identifier)
++ sprintf "uint8_t *%s_p = NULL;" decl.identifier)
+ params);
+ concat "\n "
+ (List.map (deep_copy_func pre generator_in post) deep_copy_in);
+ concat "\n "
+ (List.map
+ (fun (_, decl) ->
+- sprintf "uint8_t *%s_out_p;\n " decl.identifier ^
+- sprintf "uint8_t *%s_in_p;" decl.identifier)
++ sprintf "uint8_t *%s_out_p = NULL;\n " decl.identifier ^
++ sprintf "uint8_t *%s_in_p = NULL;" decl.identifier)
+ params_inout);
+ concat "\n "
+ (List.map (deep_copy_func pre generator_inout post) deep_copy_inout);
+@@ -156,6 +156,8 @@ let set_ecall_func (tf : trusted_func) =
+ else
+ " /* There is no parameters point */";
+ "";
++ " if (in_buf == NULL || out_buf == NULL)";
++ " goto done;";
+ sprintf " %s_size_t *args_size = (%s_size_t *)in_buf;" tfd.fname tfd.fname;
+ " in_buf_offset += size_to_aligned_size(sizeof(*args_size));";
+ "";
+--
+2.27.0
+
diff --git a/0045-optimize-the-private-key-usage-of-the-single-step-si.patch b/0045-optimize-the-private-key-usage-of-the-single-step-si.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e6012267c4dca581b83bd35fddb12c55ba80f0a7
--- /dev/null
+++ b/0045-optimize-the-private-key-usage-of-the-single-step-si.patch
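Review bot: The generated guard `if (in_buf == NULL || out_buf == NULL) goto done;` is immediately followed by `args_size = (..._size_t *)in_buf;` and an offset advance, with no visible check that the buffer holds at least `sizeof(*args_size)` bytes; in an ecall the host side supplies `in_buf`, so a length check against the buffer size belongs next to the NULL check unless one already exists earlier in the emitted function (outside this hunk). The `goto done` also presumes the emitted function defines a `done:` label, which is not visible here, so please confirm the generator always emits it. The other hunks (unsigned table bounds, `uuid_str[UUID_LEN + 1] = {0}`, NULL-initialized pointers) raise no concern.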
@@ -0,0 +1,69 @@
+From 4320c1816627fbeff32c4388c36b31eeea24d629 Mon Sep 17 00:00:00 2001
+From: gaoyusong
+Date: Mon, 15 Nov 2021 12:39:39 +0800
+Subject: [PATCH] optimize the private key usage of the single-step signature
+ method
+
+Signed-off-by: gaoyusong
+---
+ docs/sign_tool.md | 3 ++-
+ examples/helloworld/enclave/config_cloud.ini | 1 +
+ examples/seal_data/enclave/config_cloud.ini | 1 +
+ tools/sign_tool/sign_tool.sh | 3 ++-
+ 4 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/docs/sign_tool.md b/docs/sign_tool.md
+index a092f19..1da6d06 100644
+--- a/docs/sign_tool.md
++++ b/docs/sign_tool.md
+@@ -47,7 +47,8 @@ The tool supports the following two modes:
+ The dump command is used to generate metadata for sgx signed enclave.
+ -i input parameter, which is enclave to be signed for digest/sign command, and signed enclave for
+ dump command.
+- -k private key required for single-step method.
++ -k private key required for single-step method. NOTE: single-step method is only for the dubug mode,
++ plaintext private key does exist in the production environment.
+ -m additional config_cloud.ini for trustzone.
+ -o output parameter, the sign command outputs signed enclave, the digest command outputs signing
+ material, the dump command outputs data containing the SIGStruct metadata for the SGX signed
+diff --git a/examples/helloworld/enclave/config_cloud.ini b/examples/helloworld/enclave/config_cloud.ini
+index 552f59c..0960436 100644
+--- a/examples/helloworld/enclave/config_cloud.ini
++++ b/examples/helloworld/enclave/config_cloud.ini
+@@ -27,6 +27,7 @@ encryptKeyLen = 3072
+ signType = 1
+ ;;;
+ ;private key for signing TA
++;this private key is only for the dubug mode so plaintext private key does exist in the production environment
+ ;[private key owned by yourself]
+ signKey = ../../examples/helloworld/enclave/cert/private_key.pem
+ ;;;
+diff --git a/examples/seal_data/enclave/config_cloud.ini b/examples/seal_data/enclave/config_cloud.ini
+index f0c0e39..2b8a79c 100644
+--- a/examples/seal_data/enclave/config_cloud.ini
++++ b/examples/seal_data/enclave/config_cloud.ini
+@@ -27,6 +27,7 @@ encryptKeyLen = 3072
+ signType = 1
+ ;;;
+ ;private key for signing TA
++;this private key is only for the dubug mode so plaintext private key does exist in the production environment
+ ;[private key owned by yourself]
+ signKey = ../../examples/seal_data/enclave/cert/private_key.pem
+ ;;;
+diff --git a/tools/sign_tool/sign_tool.sh b/tools/sign_tool/sign_tool.sh
+index 0435a67..daca711 100755
+--- a/tools/sign_tool/sign_tool.sh
++++ b/tools/sign_tool/sign_tool.sh
+@@ -31,7 +31,8 @@ print_help(){
+ echo " The dump command is used to generate metadata for sgx signed enclave."
+ echo "-i input parameter, which is enclave to be signed for digest/sign command, and signed enclave for"
+ echo " dump command."
+- echo "-k private key required for single-step method."
++ echo "-k private key required for single-step method. NOTE: single-step method is only for the dubug mode,"
++ echo " plaintext private key does exist in the production environment."
+ echo "-m additional config_cloud.ini for trustzone."
+ echo "-o output parameter, the sign command outputs signed enclave, the digest command outputs signing"
+ echo " material, the dump command outputs data containing the SIGStruct metadata for the SGX signed"
+--
+2.23.0
+
diff --git a/0046-fix-return-value.patch b/0046-fix-return-value.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ab65aec088c723811448d35e0ce4eeeafac7bcbf
--- /dev/null
+++ b/0046-fix-return-value.patch
@@ -0,0 +1,25 @@
+From 1f6f2ff01317c6f04de7cab7c3a126e7ce485df7 Mon Sep 17 00:00:00 2001
+From: zhengxiaoxiao
+Date: Sun, 15 May 2022 22:00:33 +0800
+Subject: [PATCH] fix return value
+
+---
+ src/host_src/enclave.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/host_src/enclave.c b/src/host_src/enclave.c
+index 36a50b9..87a984f 100644
+--- a/src/host_src/enclave.c
++++ b/src/host_src/enclave.c
+@@ -196,7 +196,7 @@ cc_enclave_result_t cc_enclave_create(const char *path, enclave_type_t type, uin
+ if (l_path) {
+ free(l_path);
+ }
+- return CC_FAIL;
++ return res;
+ }
+
+ /* to do: gp support enter enclave debugging */
+--
+2.36.0.windows.1
+
diff --git a/0047-del-print-uncontrol-form-string.patch b/0047-del-print-uncontrol-form-string.patch
new file mode 100644
index 0000000000000000000000000000000000000000..91150d1caf07457cae7528fb0e35f34728a36922
--- /dev/null
+++ b/0047-del-print-uncontrol-form-string.patch
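Review bot: The new help text in sign_tool.sh, `echo " plaintext private key does exist in the production environment."`, states the opposite of the intended warning: the reason for confining the single-step method to debug builds is that a plaintext signing key must not be present in production. The same sentence is added to docs/sign_tool.md and to both config_cloud.ini files, so all four copies need the same correction. Suggested wording: `echo "-k private key required for single-step method. NOTE: single-step method is only for debug mode;"` followed by `echo " a plaintext private key must not be used in the production environment."`, with the .md and .ini comments adjusted alike. `dubug` is a typo for `debug` in every copy.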
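Review bot: `return res;` in cc_enclave_create relies on `check_transform_path` and `chose_engine_type` each storing an error into `res` on every `false` path; `check_transform_path` visibly does so (0047 shows `*res = ...` before each `return false`), but `chose_engine_type` is not visible here, and if it can return `false` without writing `res` the caller would receive whatever `res` held before, possibly a success code for a failed create. A defensive form is `return (res == CC_SUCCESS) ? CC_FAIL : res;`, or confirm the helper's contract and note it in a one-line comment above the call. The rest of cc_enclave_create lies outside the hunk.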
@@ -0,0 +1,33 @@
+From 8877dd937ccb482ab830b9a9d4ca02f6a31045b7 Mon Sep 17 00:00:00 2001
+From: zhengxiaoxiao
+Date: Sun, 5 Jun 2022 21:29:41 +0800
+Subject: [PATCH] del print uncontrol form string
+
+---
+ src/host_src/enclave.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/host_src/enclave.c b/src/host_src/enclave.c
+index 8d6c8a6..6fd7510 100644
+--- a/src/host_src/enclave.c
++++ b/src/host_src/enclave.c
+@@ -142,14 +142,14 @@ static bool check_transform_path(cc_enclave_result_t *res, const char *path, cha
+ /* check file exists and get absolute pathname */
+ if (realpath(path, real_p) == NULL) {
+ *res = CC_ERROR_INVALID_PATH;
+- print_error_term("Path %s error %s\n", path, strerror(errno));
++ print_error_term("Path error %s\n", strerror(errno));
+ return false;
+ }
+
+ /* check file permission */
+ if (access(real_p, R_OK) != 0) {
+ *res = CC_ERROR_ACCESS_DENIED;
+- print_error_term("Path %s error %s\n", path, strerror(errno));
++ print_error_term("Path error %s\n", strerror(errno));
+ return false;
+ }
+ size_t len = strlen(real_p) + 1;
+--
+2.33.0
+
diff --git a/secGear.spec b/secGear.spec
index 088addcdab0cfea509d747b17d6cb2e9a0c734f0..a5f7e4f756bfa7ba32ab78bb48b0ec104261bdb2 100644
--- a/secGear.spec
+++ b/secGear.spec
@@ -1,6 +1,6 @@
Name: secGear
Version: 0.1.0
-Release: 21%{?dist}
+Release: 22%{?dist}
Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features
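Review bot: The removed lines passed `path` as a `%s` argument to a literal format, so this was never an uncontrolled format string; what the change actually removes is echoing a caller-controlled path into the error log (log injection through embedded newlines or control characters, plus disclosure of filesystem layout), and the commit title should describe it that way. The new messages no longer say which path failed, which costs triage information; if that is needed, log a length-bounded, sanitized copy of the path rather than the raw string, or rely on the `*res` code the caller already receives. A short comment would preserve the intent for the next maintainer, e.g. `/* do not echo the caller-supplied path into logs */` above the first call. check_transform_path begins before the hunk.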
@@ -49,6 +49,13 @@ Patch36: 0037-add-description-about-file-parameter-path-for-sign_t.patch Patch37: 0038-fix-use-after-free-in-cc_enclave_create.patch Patch38: 0039-clean-memory-when-it-come-to-error_handle.patch Patch39: 0040-fix-logs-redirection-error-and-delete-rsa_public_key.patch +Patch40: 0041-fix-double-free.patch +Patch41: 0042-destroy-rwlock-when-create-enclave-failed.patch +Patch42: 0043-fix-partial-resource-leak.patch +Patch43: 0044-fix-pointer-without-init-or-check-NULL.patch +Patch44: 0045-optimize-the-private-key-usage-of-the-single-step-si.patch +Patch45: 0046-fix-return-value.patch +Patch46: 0047-del-print-uncontrol-form-string.patch BuildRequires: gcc python automake autoconf libtool BUildRequires: glibc glibc-devel cmake ocaml-dune rpm gcc-c++ @@ -158,6 +165,9 @@ popd %endif %changelog +* Mon Jul 25 2022 gaoyusong - 0.1.0-22 +- DESC: backport some patches to fix bugs + * Mon Mar 14 2022 gaoyusong - 0.1.0-21 - DESC: fix logs redirection error and del rsa_pub.key