Missing mem::forget(b) in TA_InvokeCommand() error path? #119

a21152 · 2024-02-01T19:26:09Z

I was playing with a TA built with teaclave SDK and got a panic when using the optional session_ctx parameter with a Vec inside of it.

I am not sure if my logic is air tight. It would be great if someone could confirm.

The text was updated successfully, but these errors were encountered:

DemesneGH · 2024-02-05T11:03:29Z

Hi @a21152 , could you provide the code for reproducing the error? thanks!

a21152 · 2024-02-06T04:50:58Z

I don't have the code off my hand, but you will be able to reproduce the problem with the following simple steps.

Take any of the example TA that make use of a session ctx parameter -- for example https://github.com/apache/incubator-teaclave-trustzone-sdk/blob/master/examples/diffie_hellman-rs/ta/src/main.rs#L32
Implement the Drop trait on the session ctx object that just prints a message, for example.

impl Drop for DiffieHellman {
    fn drop(&mut self) {
        trace_println!("Dropping DiffieHellman!");
    }
}

For an Err return from fn invoke_command.
Run the example CA and you shall observe drop being printed twice which is indicative of a double-free bug.

a21152 · 2024-05-07T22:39:26Z

The following PR adds an example, test, and fix.

Provide feedback