Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix double-free bug in optee-utee #127

Merged
merged 3 commits into from
May 10, 2024
Merged

Fix double-free bug in optee-utee #127

merged 3 commits into from
May 10, 2024

Conversation

a21152
Copy link
Contributor

@a21152 a21152 commented May 7, 2024

This PR fixes a double-free bug in optee-utee at https://github.com/apache/incubator-teaclave-trustzone-sdk/blob/master/optee-utee/macros/src/lib.rs#L393, where the forget call is forgotten for the error path.

Each time a TA returns an error from a command handler, the bug causes drop to be called on the shared session object. A double-free-induced panic happens when a second error invocation happens to the same session or when the session closes after a single invocation error.

This PR adds an example -- error_handling-rs that reproduces the error and also serve as a test in CI.

a21152 added 3 commits May 7, 2024 15:22
@a21152
examples: Add error_handling-rs
5311e9b 
Add error_handling-rs to exercise some of the failure paths in the
optee_rust stack.

This initial commit exposes a double-free bug in optee-utee.

Test: run `error_handling-rs` in the qemu environment described at
https://optee.readthedocs.io/en/latest/building/optee_with_rust.html
and observe the following output.

thread 'main' panicked at src/main.rs:42:5:
assertion `left == right` failed
  left: TargetDead
 right: Generic
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
101
@a21152
Fix double-free bug in optee-utee
a2fb339 
optee-utee needs to forget the session context on invocation error as
well.

Test: run the `error-handling-rs` example in qemu and observe no panic.

Example run:
```
Welcome to Buildroot, type root or test to login
buildroot login: root
0
```
@a21152
Add test_error_handling.sh for CI
75b4d35
@a21152 a21152 mentioned this pull request May 7, 2024
Open
@DemesneGH
Copy link
Contributor

When I run the example it fails:

# ./error_handling-rs
thread 'main' panicked at src/main.rs:32:46:        // panic at ctx.open_session()
called `Result::unwrap()` on an `Err` value: System ran out of resources. (error code 0xffff000c)

It's also the "panic" but seems not the double-free panic, and grep -q -v "panicked" screenlog.0 returns true so the test_error_handling.sh passed.

Could you check it out? thanks!

@a21152
Copy link
Contributor Author

a21152 commented May 8, 2024

hmm... that is odd.

0xffff000c indicates TEE_ERROR_OUT_OF_MEMORY upon open_session(), which I don't expect to fail in the test.

I rerun error-handling-rs manually in my local make run-only qemu and also tests/test_error_handling.sh, both passed with no panics.

Also grep -q -v "panicked" screenlog.0 should return non-zero for any panics, causing the test to fail (which is what I expect), because of the -v switch.

I suspect the vec! call in the TA when creating the session context was causing the ffff000c error for you but I can't figure out why.

Are you running against main branch by any chance (which may not work)?

If you can't figure out it either, I would need your exact test procedure so I can try to replicate your env. here to further triage.

@DemesneGH
Copy link
Contributor

@a21152 I've reproduced the bug in newer OP-TEE image (4.2.0), seems the prebuilt OP-TEE 3.20.0 (the tests/ used) is not compatible with current no-std examples. I'll update the test scripts and pre-build images further.

The fix a2fb339 looks good to me.

After fixing the bug would you prefer to keep the error_handling-rs example in our examples?

@a21152
Copy link
Contributor Author

a21152 commented May 9, 2024

Sounds good. Although my run of tests/test_error_handling.sh (presumably with the same 3.20 prebuilts) also worked fine.

Yes -- I'd like to keep the error_handling-rs example so we make sure this issue does not regress. It also allows us to add more tests against similar error paths.

@DemesneGH DemesneGH merged commit 869f57c into apache:no-std May 10, 2024
@DemesneGH
Copy link
Contributor

Merged, thanks!

@a21152
Copy link
Contributor Author

a21152 commented May 10, 2024

Thank you for your quick turn around!

@DemesneGH DemesneGH mentioned this pull request Jan 23, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DemesneGH DemesneGH DemesneGH approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@a21152 @DemesneGH