Hi, I am scanning this crate in the latest version using my own static analyzer tool.
Unsafe pointer conversion is found at:
pub unsafe extern "C" fn sev_inject_launch_secret(
vm_fd: c_int,
header_bytes: *const c_uchar,
ct_bytes: *const c_uchar,
ct_size: u32,
paddr: *const c_void,
fw_err: *mut c_int,
) -> c_int {
let mut map = MEASURED_MAP.lock().unwrap();
let launcher = match map.get_mut(&vm_fd) {
Some(l) => l,
None => return -1,
};
let header = header_bytes as *const Header;
let ciphertext = {
let bytes: &[u8] = unsafe { from_raw_parts(ct_bytes, ct_size as usize) };
bytes.to_owned().to_vec()
};
let secret = Secret {
header: unsafe { *header },
ciphertext,
};
match launcher.inject(&secret, paddr as usize) {
Ok(()) => 0,
Err(e) => {
set_fw_err(fw_err, e);
-1
}
}
}
This unsound implementation would create memory issues such as overflow, underflow, or misalignment. The attacker can manipulate the argument ct_size associated with the raw pointer ct_bytes with a large value, which can lead to an out-of-bounds memory access bug. The raw pointer and its associated size argument are converted into a Rust slice through from_raw_parts, and the c_void pointer paddr is also passed into the launch secret injection path, which can further corrupt the C/C++ code.
This would cause undefined behaviors in Rust. Adversaries can manipulate the associated size argument to cause memory safety bugs. I am reporting this issue for your attention.
Hi, I am scanning this crate in the latest version using my own static analyzer tool.
Unsafe pointer conversion is found at:
This unsound implementation would create memory issues such as overflow, underflow, or misalignment. The attacker can manipulate the argument
ct_sizeassociated with the raw pointerct_byteswith a large value, which can lead to an out-of-bounds memory access bug. The raw pointer and its associated size argument are converted into a Rust slice throughfrom_raw_parts, and thec_voidpointerpaddris also passed into the launch secret injection path, which can further corrupt the C/C++ code.This would cause undefined behaviors in Rust. Adversaries can manipulate the associated size argument to cause memory safety bugs. I am reporting this issue for your attention.