Prevent attacker from manipulating FPU tag word used in SGX enclave

Insufficient sanitization of the x87 FPU tag word in the trusted enclave runtime allowed unprivileged adversaries in the containing host application to induce incoherent or unexpected results for ABI-compliant compiled enclave application code that uses the x87 FPU. Vulnerability was disclosed to us by Fritz Alder, Jo Van Bulck, David Oswald and Frank Piessens
2020-06-17 18:07:12 +02:00 · 2020-06-17 18:07:12 +02:00 · daedb7920f
commit daedb7920f
parent e55d3f9c52
1 changed files with 7 additions and 0 deletions
--- a/src/libstd/sys/sgx/abi/entry.S
+++ b/src/libstd/sys/sgx/abi/entry.S
@ -177,6 +177,13 @@ sgx_entry:
    jz .Lskip_debug_init
    mov %r10,%gs:tcsls_debug_panic_buf_ptr
 .Lskip_debug_init:
+/*  reset cpu state */
+    mov %rdx, %r10
+    mov $-1, %rax
+    mov $-1, %rdx
+    xrstor .Lxsave_clear(%rip)
+    mov %r10, %rdx
+
 /*  check if returning from usercall */
    mov %gs:tcsls_last_rsp,%r11
    test %r11,%r11