Make InputValues safer

InputValues contains a pointer to the config descriptor, but we don't
do anything to ensure that the descriptor outlives it, which can lead
to a use after free. Fix that.

Bug: 280617929
Test: Previously broken calling code no longer compiles
Test: Boot Microdroid
Change-Id: If0035c568e58fc220bf33d53816a04fc1a600263
diff --git a/diced/open_dice/src/dice.rs b/diced/open_dice/src/dice.rs
index 9266b6f..6e2df81 100644
--- a/diced/open_dice/src/dice.rs
+++ b/diced/open_dice/src/dice.rs
@@ -23,7 +23,7 @@
     DICE_INLINE_CONFIG_SIZE, DICE_PRIVATE_KEY_SEED_SIZE, DICE_PRIVATE_KEY_SIZE,
     DICE_PUBLIC_KEY_SIZE, DICE_SIGNATURE_SIZE,
 };
-use std::ptr;
+use std::{marker::PhantomData, ptr};
 use zeroize::{Zeroize, ZeroizeOnDrop};
 
 /// The size of a DICE hash.
@@ -173,36 +173,44 @@
 
 /// Wrap of `DiceInputValues`.
 #[derive(Clone, Debug)]
-pub struct InputValues(DiceInputValues);
+pub struct InputValues<'a> {
+    dice_inputs: DiceInputValues,
+    // DiceInputValues contains a pointer to the separate config descriptor, which must therefore
+    // outlive it. Make sure the borrow checker can enforce that.
+    config_descriptor: PhantomData<&'a [u8]>,
+}
 
-impl InputValues {
+impl<'a> InputValues<'a> {
     /// Creates a new `InputValues`.
     pub fn new(
         code_hash: Hash,
-        config: Config,
+        config: Config<'a>,
         authority_hash: Hash,
         mode: DiceMode,
         hidden: Hidden,
     ) -> Self {
-        Self(DiceInputValues {
-            code_hash,
-            code_descriptor: ptr::null(),
-            code_descriptor_size: 0,
-            config_type: config.dice_config_type(),
-            config_value: config.inline_config(),
-            config_descriptor: config.descriptor_ptr(),
-            config_descriptor_size: config.descriptor_size(),
-            authority_hash,
-            authority_descriptor: ptr::null(),
-            authority_descriptor_size: 0,
-            mode,
-            hidden,
-        })
+        Self {
+            dice_inputs: DiceInputValues {
+                code_hash,
+                code_descriptor: ptr::null(),
+                code_descriptor_size: 0,
+                config_type: config.dice_config_type(),
+                config_value: config.inline_config(),
+                config_descriptor: config.descriptor_ptr(),
+                config_descriptor_size: config.descriptor_size(),
+                authority_hash,
+                authority_descriptor: ptr::null(),
+                authority_descriptor_size: 0,
+                mode,
+                hidden,
+            },
+            config_descriptor: PhantomData,
+        }
     }
 
     /// Returns a raw pointer to the wrapped `DiceInputValues`.
     pub fn as_ptr(&self) -> *const DiceInputValues {
-        &self.0 as *const DiceInputValues
+        &self.dice_inputs as *const DiceInputValues
     }
 }
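Review bot: `as_ptr` still returns a `*const DiceInputValues` that carries no lifetime, so the new `'a` keeps the wrapper from outliving the config descriptor but does nothing for a pointer a caller copies out and uses after the `InputValues` is dropped. Its doc comment should state the validity rule, for example `/// The pointer (and the config descriptor it references) is valid only while this InputValues is alive.` Note too that the guarantee depends on `Config<'a>` actually borrowing the descriptor bytes for `'a`, and its definition is outside this hunk. If `descriptor_ptr()` can be derived from anything not tied to `'a`, the `PhantomData<&'a [u8]>` marker would give a false sense of safety, so that is worth confirming alongside this change.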