Auto merge of #60027 - jethrogb:jb/sgx-reentry-abort, r=cramertj

SGX target: change re-entry abort logic Even though re-entry after exit is generally not acceptable, there is a race condition where the enclave thinks it's exited but userspace doesn't know that yet. An entry during that time will currently result in an enclave panic (see #59997 (comment), #60003 (comment)). Instead of panicking, just do a regular exit on re-entry. cc @jseyfried
rust-lang · Apr 17, 2019 · e4e032a · e4e032a
2 parents 258e3b3 + d0a1c2d
commit e4e032a
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 19 deletions.
diff --git a/src/libstd/sys/sgx/abi/entry.S b/src/libstd/sys/sgx/abi/entry.S
@@ -65,10 +65,6 @@ IMAGE_BASE:
     /*  The size in bytes of enclacve EH_FRM_HDR section */
     globvar EH_FRM_HDR_SIZE 8
 
-.Lreentry_panic_msg:
-    .asciz "Re-entered aborted enclave!"
-.Lreentry_panic_msg_end:
-
 .org .Lxsave_clear+512
 .Lxsave_header:
     .int 0, 0 /*  XSTATE_BV */
@@ -210,10 +206,8 @@ sgx_entry:
 /*  end sgx_entry */
 
 .Lreentry_panic:
-    lea .Lreentry_panic_msg(%rip),%rdi
-    mov $.Lreentry_panic_msg_end-.Lreentry_panic_msg,%esi
     orq $8,%rsp
-    jmp panic_msg
+    jmp abort_reentry
 
 /*  This *MUST* be called with 6 parameters, otherwise register information */
 /*  might leak! */
@@ -279,10 +273,8 @@ usercall:
 /*
 The following functions need to be defined externally:
 ```
-// Called by entry code when it needs to panic
-extern "C" fn panic_msg(msg: &'static str) -> ! {
-    panic!(msg)
-}
+// Called by entry code on re-entry after exit
+extern "C" fn abort_reentry() -> !;
 
 // Called once when a TCS is first entered
 extern "C" fn tcs_init(secondary: bool);

diff --git a/src/libstd/sys/sgx/abi/mod.rs b/src/libstd/sys/sgx/abi/mod.rs
@@ -29,7 +29,7 @@ unsafe extern "C" fn tcs_init(secondary: bool) {
     static RELOC_STATE: AtomicUsize = AtomicUsize::new(UNINIT);
 
     if secondary && RELOC_STATE.load(Ordering::Relaxed) != DONE {
-        panic::panic_msg("Entered secondary TCS before main TCS!")
+        rtabort!("Entered secondary TCS before main TCS!")
     }
 
     // Try to atomically swap UNINIT with BUSY. The returned state can be:
@@ -92,3 +92,9 @@ pub(super) fn exit_with_code(code: isize) -> ! {
     }
     usercalls::exit(code != 0);
 }
+
+#[cfg(not(test))]
+#[no_mangle]
+extern "C" fn abort_reentry() -> ! {
+    usercalls::exit(false)
+}
diff --git a/src/libstd/sys/sgx/abi/panic.rs b/src/libstd/sys/sgx/abi/panic.rs
@@ -1,4 +1,4 @@
-use super::usercalls::{alloc::UserRef, self};
+use super::usercalls::alloc::UserRef;
 use crate::cmp;
 use crate::io::{self, Write};
 use crate::mem;
@@ -48,9 +48,3 @@ impl Write for SgxPanicOutput {
         Ok(())
     }
 }
-
-#[cfg_attr(not(test), no_mangle)]
-pub extern "C" fn panic_msg(msg: &str) -> ! {
-    let _ = SgxPanicOutput::new().map(|mut out| out.write(msg.as_bytes()));
-    usercalls::exit(true)
-}