Auto merge of #60027 - jethrogb:jb/sgx-reentry-abort, r=cramertj

bors · bors · commit e4e032a0ae82 · 2019-04-17T07:05:39.000Z
SGX target: change re-entry abort logic Even though re-entry after exit is generally not acceptable, there is a race condition where the enclave thinks it's exited but userspace doesn't know that yet. An entry during that time will currently result in an enclave panic (see #59997 (comment), #60003 (comment)). Instead of panicking, just do a regular exit on re-entry. cc @jseyfried
diff --git a/src/libstd/sys/sgx/abi/entry.S b/src/libstd/sys/sgx/abi/entry.S
@@ -65,10 +65,6 @@ IMAGE_BASE:
     /*  The size in bytes of enclacve EH_FRM_HDR section */
     globvar EH_FRM_HDR_SIZE 8
 
-.Lreentry_panic_msg:
-    .asciz "Re-entered aborted enclave!"
-.Lreentry_panic_msg_end:
-
 .org .Lxsave_clear+512
 .Lxsave_header:
     .int 0, 0 /*  XSTATE_BV */
@@ -210,10 +206,8 @@ sgx_entry:
 /*  end sgx_entry */
 
 .Lreentry_panic:
-    lea .Lreentry_panic_msg(%rip),%rdi
-    mov $.Lreentry_panic_msg_end-.Lreentry_panic_msg,%esi
     orq $8,%rsp
-    jmp panic_msg
+    jmp abort_reentry
 
 /*  This *MUST* be called with 6 parameters, otherwise register information */
 /*  might leak! */
@@ -279,10 +273,8 @@ usercall:
 /*
 The following functions need to be defined externally:
 ```
-// Called by entry code when it needs to panic
-extern "C" fn panic_msg(msg: &'static str) -> ! {
-    panic!(msg)
-}
+// Called by entry code on re-entry after exit
+extern "C" fn abort_reentry() -> !;
 
 // Called once when a TCS is first entered
 extern "C" fn tcs_init(secondary: bool);
diff --git a/src/libstd/sys/sgx/abi/mod.rs b/src/libstd/sys/sgx/abi/mod.rs
@@ -29,7 +29,7 @@ unsafe extern "C" fn tcs_init(secondary: bool) {
     static RELOC_STATE: AtomicUsize = AtomicUsize::new(UNINIT);
 
     if secondary && RELOC_STATE.load(Ordering::Relaxed) != DONE {
-        panic::panic_msg("Entered secondary TCS before main TCS!")
+        rtabort!("Entered secondary TCS before main TCS!")
     }
 
     // Try to atomically swap UNINIT with BUSY. The returned state can be:
@@ -92,3 +92,9 @@ pub(super) fn exit_with_code(code: isize) -> ! {
     }
     usercalls::exit(code != 0);
 }
+
+#[cfg(not(test))]
+#[no_mangle]
+extern "C" fn abort_reentry() -> ! {
+    usercalls::exit(false)
+}
diff --git a/src/libstd/sys/sgx/abi/panic.rs b/src/libstd/sys/sgx/abi/panic.rs
@@ -1,4 +1,4 @@
-use super::usercalls::{alloc::UserRef, self};
+use super::usercalls::alloc::UserRef;
 use crate::cmp;
 use crate::io::{self, Write};
 use crate::mem;
@@ -48,9 +48,3 @@ impl Write for SgxPanicOutput {
         Ok(())
     }
 }
-
-#[cfg_attr(not(test), no_mangle)]
-pub extern "C" fn panic_msg(msg: &str) -> ! {
-    let _ = SgxPanicOutput::new().map(|mut out| out.write(msg.as_bytes()));
-    usercalls::exit(true)
-}

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ unsafe extern "C" fn tcs_init(secondary: bool) {`
`29`	`29`	`static RELOC_STATE: AtomicUsize = AtomicUsize::new(UNINIT);`
`30`	`30`
`31`	`31`	`if secondary && RELOC_STATE.load(Ordering::Relaxed) != DONE {`
`32`		`- panic::panic_msg("Entered secondary TCS before main TCS!")`
	`32`	`+ rtabort!("Entered secondary TCS before main TCS!")`
`33`	`33`	`}`
`34`	`34`
`35`	`35`	`// Try to atomically swap UNINIT with BUSY. The returned state can be:`
`@@ -92,3 +92,9 @@ pub(super) fn exit_with_code(code: isize) -> ! {`
`92`	`92`	`}`
`93`	`93`	`usercalls::exit(code != 0);`
`94`	`94`	`}`
	`95`	`+`
	`96`	`+#[cfg(not(test))]`
	`97`	`+#[no_mangle]`
	`98`	`+extern "C" fn abort_reentry() -> ! {`
	`99`	`+ usercalls::exit(false)`
	`100`	`+}`