fix(sallyport): mark copy_into_slice unsafe

`Cursor::copy_into_slice` has to be unsafe, otherwise it is possible to
fill in a slice of e.g. bools with invalid values using safe rust code.

Also add a test calling `Cursor::copy_into_slice()`.

Signed-off-by: Harald Hoyer <[email protected]>

Author: haraldh

internal/shim-sgx/src/handler.rs

@@ -397,8 +397,10 @@ impl<'a> SyscallHandler for Handler<'a> {
         let mut ti = [0u8; 512];
         let ti_len = ti.len();
         let c = self.new_cursor();
-        c.copy_into_slice(buf_len, ti.as_mut(), ti_len)
-            .or(Err(libc::EFAULT))?;
+        unsafe {
+            c.copy_into_slice(buf_len, ti.as_mut(), ti_len)
+                .or(Err(libc::EFAULT))?;
+        }
         // ... Code to generate Report goes here ...
 
         // Request Quote from host
@@ -419,8 +421,10 @@ impl<'a> SyscallHandler for Handler<'a> {
             self.attacked()
         }
 
-        c.copy_into_slice(buf_len, buf.as_mut(), result_len)
-            .or(Err(libc::EFAULT))?;
+        unsafe {
+            c.copy_into_slice(buf_len, buf.as_mut(), result_len)
+                .or(Err(libc::EFAULT))?;
+        }
 
         let rep: sallyport::Reply = Ok([result[0], SGX_TECH.into()]).into();
         sallyport::Result::from(rep)

internal/syscall/src/lib.rs

@@ -201,8 +201,10 @@ pub trait SyscallHandler: AddressValidator + Sized {
         }
 
         let c = self.new_cursor();
-        c.copy_into_slice(count, buf[..count].as_mut(), result_len)
-            .or(Err(libc::EFAULT))?;
+        unsafe {
+            c.copy_into_slice(count, buf[..count].as_mut(), result_len)
+                .or(Err(libc::EFAULT))?;
+        }
 
         Ok(ret)
     }
@@ -590,8 +592,10 @@ pub trait SyscallHandler: AddressValidator + Sized {
 
         let c = self.new_cursor();
 
-        c.copy_into_slice(nfds as _, fds, nfds as _)
-            .or(Err(libc::EMSGSIZE))?;
+        unsafe {
+            c.copy_into_slice(nfds as _, fds, nfds as _)
+                .or(Err(libc::EMSGSIZE))?;
+        }
 
         Ok(result)
     }

src/sallyport/mod.rs

@@ -250,8 +250,12 @@ impl<'short, 'a: 'short> Cursor<'a> {
     }
 
     /// Copies data from a slice into the cursor buffer using self.alloc().
+    ///
+    /// # Safety
+    /// The caller has to ensure the `Cursor` contains valid data of the type
+    /// of the destination slice.
     #[allow(dead_code)]
-    pub fn copy_into_slice<T: Copy>(
+    pub unsafe fn copy_into_slice<T: Copy>(
         self,
         src_len: usize,
         dst: &mut [T],
@@ -262,9 +266,7 @@ impl<'short, 'a: 'short> Cursor<'a> {
 
         let (c, src) = self.alloc::<T>(src_len)?;
 
-        unsafe {
-            core::ptr::copy_nonoverlapping(src.as_ptr(), dst.as_mut_ptr() as _, dst_len);
-        }
+        core::ptr::copy_nonoverlapping(src.as_ptr(), dst.as_mut_ptr() as _, dst_len);
 
         Ok(c)
     }
@@ -566,4 +568,42 @@ mod tests {
 
         Ok(())
     }
+
+    #[test]
+    fn copy_into_slice() -> std::result::Result<(), OutOfSpace> {
+        let mut block = Block::default();
+
+        let c = block.cursor();
+        let (c, slab1) = c
+            .copy_from_slice::<usize>(&[1, 2])
+            .expect("allocate slab of 2 usize values for the first time");
+
+        let (c, slab2) = c
+            .copy_from_slice::<usize>(&[3, 4])
+            .expect("allocate slab of 2 usize values for the second time");
+
+        let (_c, slab3) = c
+            .copy_from_slice::<usize>(&[5, 6])
+            .expect("allocate slab of 2 usize values for the third time");
+
+        assert_eq!(slab1, &[1, 2]);
+        assert_eq!(slab2, &[3, 4]);
+        assert_eq!(slab3, &[5, 6]);
+
+        let c = block.cursor();
+
+        let mut slab_all = [0usize; 3];
+
+        let c = unsafe { c.copy_into_slice::<usize>(4, &mut slab_all, 3) }?;
+
+        assert_eq!(&slab_all, &[1, 2, 3]);
+
+        let mut slab_all = [0usize; 2];
+
+        let _ = unsafe { c.copy_into_slice::<usize>(2, &mut slab_all, 2) }?;
+
+        assert_eq!(&slab_all, &[5, 6]);
+
+        Ok(())
+    }
 }