Auto merge of #101442 - joboet:null_check_tcs, r=thomcc

bors · bors · commit 98e1f041b6e3 · 2022-09-11T22:19:24.000Z
Check if TCS is a null pointer on SGX

The `EENTER` instruction only checks if the TCS is aligned, not if it zero. Saying the address returned is a `NonNull&lt;u8&gt;` (for which `Tcs` is a type alias) is unsound. As well-behaved runners will not put the TCS at address zero, so the definition of `Tcs` is correct. However, `std` should check the address before casting it to a `NonNull`.

ping `@jethrogb` `@raoulstrackx`
`@rustbot` label I-unsound
diff --git a/library/std/src/sys/sgx/abi/thread.rs b/library/std/src/sys/sgx/abi/thread.rs
@@ -7,7 +7,11 @@ use fortanix_sgx_abi::Tcs;
 #[unstable(feature = "sgx_platform", issue = "56975")]
 pub fn current() -> Tcs {
     extern "C" {
-        fn get_tcs_addr() -> Tcs;
+        fn get_tcs_addr() -> *mut u8;
+    }
+    let addr = unsafe { get_tcs_addr() };
+    match Tcs::new(addr) {
+        Some(tcs) => tcs,
+        None => rtabort!("TCS must not be placed at address zero (this is a linker error)"),
     }
-    unsafe { get_tcs_addr() }
 }

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,11 @@ use fortanix_sgx_abi::Tcs;`
`7`	`7`	`#[unstable(feature = "sgx_platform", issue = "56975")]`
`8`	`8`	`pub fn current() -> Tcs {`
`9`	`9`	`extern "C" {`
`10`		`- fn get_tcs_addr() -> Tcs;`
	`10`	`+ fn get_tcs_addr() -> *mut u8;`
	`11`	`+ }`
	`12`	`+ let addr = unsafe { get_tcs_addr() };`
	`13`	`+ match Tcs::new(addr) {`
	`14`	`+ Some(tcs) => tcs,`
	`15`	`+ None => rtabort!("TCS must not be placed at address zero (this is a linker error)"),`
`11`	`16`	`}`
`12`		`- unsafe { get_tcs_addr() }`
`13`	`17`	`}`