[release/3.x] Cherry pick: Move ring buffer bound check early (#4514) (…

…#4519)
microsoft · Nov 11, 2022 · 5697c11 · 5697c11
1 parent 8c85b17
commit 5697c11
Showing 1 changed file with 16 additions and 29 deletions.
diff --git a/src/enclave/main.cpp b/src/enclave/main.cpp
@@ -110,6 +110,22 @@ extern "C"
     auto writer_factory = std::make_unique<oversized::WriterFactory>(
       *basic_writer_factory, ec.writer_config);
 
+    // Check that ringbuffer memory ranges are entirely outside of the enclave
+    if (
+      !ccf::pal::is_outside_enclave(
+        ec.from_enclave_buffer_start, ec.from_enclave_buffer_size) ||
+      !ccf::pal::is_outside_enclave(
+        ec.to_enclave_buffer_start, ec.to_enclave_buffer_size) ||
+      !ccf::pal::is_outside_enclave(
+        ec.to_enclave_buffer_offsets, sizeof(ringbuffer::Offsets)) ||
+      !ccf::pal::is_outside_enclave(
+        ec.from_enclave_buffer_offsets, sizeof(ringbuffer::Offsets)))
+    {
+      return CreateNodeStatus::MemoryNotOutsideEnclave;
+    }
+
+    // Note: because logger uses ringbuffer, logger can only be initialised once
+    // ringbuffer memory has been verified
     auto new_logger = std::make_unique<ccf::RingbufferLogger>(
       writer_factory->create_writer_to_outside());
     auto ringbuffer_logger = new_logger.get();
@@ -164,35 +180,6 @@ extern "C"
       ccf::host_time_us =
         static_cast<decltype(ccf::host_time_us)>(time_location);
 
-      // Check that ringbuffer memory ranges are entirely outside of the enclave
-      if (!ccf::pal::is_outside_enclave(
-            ec.to_enclave_buffer_start, ec.to_enclave_buffer_size))
-      {
-        LOG_FAIL_FMT("Memory outside enclave: to_enclave buffer start");
-        return CreateNodeStatus::MemoryNotOutsideEnclave;
-      }
-
-      if (!ccf::pal::is_outside_enclave(
-            ec.from_enclave_buffer_start, ec.from_enclave_buffer_size))
-      {
-        LOG_FAIL_FMT("Memory outside enclave: from_enclave buffer start");
-        return CreateNodeStatus::MemoryNotOutsideEnclave;
-      }
-
-      if (!ccf::pal::is_outside_enclave(
-            ec.to_enclave_buffer_offsets, sizeof(ringbuffer::Offsets)))
-      {
-        LOG_FAIL_FMT("Memory outside enclave: to_enclave buffer offset");
-        return CreateNodeStatus::MemoryNotOutsideEnclave;
-      }
-
-      if (!ccf::pal::is_outside_enclave(
-            ec.from_enclave_buffer_offsets, sizeof(ringbuffer::Offsets)))
-      {
-        LOG_FAIL_FMT("Memory outside enclave: from_enclave buffer offset");
-        return CreateNodeStatus::MemoryNotOutsideEnclave;
-      }
-
       ccf::pal::speculation_barrier();
     }