
*session_ptr and *pp_quote_config may be leaked if overwritten #441

@labyrinth-ssr

Description


https://github.com/apache/incubator-teaclave-sgx-sdk/blob/3c903bdac4e503dd27b9b1f761c4abfc55f2464c/samplecode/localattestation/attestation/src/func.rs#L144-L145
https://github.com/apache/incubator-teaclave-sgx-sdk/blob/3c903bdac4e503dd27b9b1f761c4abfc55f2464c/samplecode/dcap-pckretrieval/qpl/src/lib.rs#L138-L142

With Box::into_raw(), the pointee is on the heap. Multiple assignments will leak the old value.

A probable fix is:
If session_request_safe should only be called once, add an atomic to guarantee the pointer is assigned only once.

use std::sync::atomic::{AtomicUsize, Ordering};

const UNINITIALIZED: usize = 0;
const INITIALIZING: usize = 1;
const INITIALIZED: usize = 2;
static GLOBAL_INIT: AtomicUsize = AtomicUsize::new(UNINITIALIZED);

// Not used by the fragment below.
pub struct SetGlobalDefaultError {
    _no_construct: (),
}

// in `session_request_safe`
    // Only the caller that wins the UNINITIALIZED -> INITIALIZING transition
    // allocates; every later caller skips the assignment, so the pointer is
    // never overwritten and the first box is never orphaned.
    if GLOBAL_INIT
        .compare_exchange(
            UNINITIALIZED,
            INITIALIZING,
            Ordering::SeqCst,
            Ordering::SeqCst,
        )
        .is_ok()
    {
        let ptr = Box::into_raw(Box::new(session_info));
        *session_ptr = ptr as * mut _ as usize;
        // Record completion so INITIALIZING can be told apart from INITIALIZED.
        GLOBAL_INIT.store(INITIALIZED, Ordering::SeqCst);
    }

Otherwise add the else branch, which reclaims the previous allocation before overwriting it:

    else {
        // Box::from_raw is unsafe: `*session_ptr` must be cast back to the
        // pointer type Box::into_raw produced, must not have been freed already,
        // and callers must be serialized, or two concurrent callers would both
        // free the same box.
        drop(Box::from_raw(*session_ptr));
        let ptr = Box::into_raw(Box::new(session_info));
        *session_ptr = ptr as * mut _ as usize;
    }
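The leak and both fixes proposed above, as an added example that is not code from the issue author or from the Teaclave SGX SDK. It models the `*session_ptr` out-parameter as a plain `&mut usize` so it runs outside an enclave; `SessionInfo`, `store_session_leaky`, `store_session_once`, `store_session_replace`, `release_session` and `session_id` are names chosen for this example, and `SessionInfo` counts its own drops so a leaked box shows up as a missing drop.

```rust
// Added example, not code from the issue or the Teaclave SGX SDK. The session
// slot is a `&mut usize` (the SDK passes it across the ecall boundary) and the
// boxed session counts its drops so the leak becomes measurable.
use std::sync::atomic::{AtomicUsize, Ordering};

static DROPS: AtomicUsize = AtomicUsize::new(0);

/// Hypothetical stand-in for the SDK's boxed session state.
pub struct SessionInfo {
    pub id: u32,
}

impl Drop for SessionInfo {
    fn drop(&mut self) {
        DROPS.fetch_add(1, Ordering::SeqCst);
    }
}

/// Number of `SessionInfo` values freed so far in this process.
pub fn drops_so_far() -> usize {
    DROPS.load(Ordering::SeqCst)
}

/// Reads the id behind a slot, or None for an empty (zero) slot.
pub fn session_id(slot: usize) -> Option<u32> {
    if slot == 0 {
        return None;
    }
    // SAFETY: non-zero slot values are only written by the store_* functions
    // below (from Box::into_raw) and are reset to 0 by release_session after free.
    Some(unsafe { (*(slot as *const SessionInfo)).id })
}

/// The pattern the issue points at: every call overwrites the slot, so whatever
/// it held before becomes unreachable and is never freed.
pub fn store_session_leaky(slot: &mut usize, session_info: SessionInfo) {
    let ptr = Box::into_raw(Box::new(session_info));
    *slot = ptr as usize;
}

const UNINITIALIZED: usize = 0;
const INITIALIZING: usize = 1;
const INITIALIZED: usize = 2;
static SESSION_INIT: AtomicUsize = AtomicUsize::new(UNINITIALIZED);

/// Fix 1 (the issue's first variant): the slot may be filled once per process.
/// Only the caller that wins the UNINITIALIZED -> INITIALIZING CAS allocates;
/// later callers return false and their `session_info` is dropped normally.
pub fn store_session_once(slot: &mut usize, session_info: SessionInfo) -> bool {
    if SESSION_INIT
        .compare_exchange(UNINITIALIZED, INITIALIZING, Ordering::SeqCst, Ordering::SeqCst)
        .is_err()
    {
        return false;
    }
    let ptr = Box::into_raw(Box::new(session_info));
    *slot = ptr as usize;
    SESSION_INIT.store(INITIALIZED, Ordering::SeqCst);
    true
}

/// Fix 2 (the issue's else branch): replacement is allowed, so reclaim the old
/// box before overwriting. Here `&mut usize` guarantees exclusive access; in the
/// SDK the slot arrives as a raw pointer from the ecall, so callers must be
/// serialized or two concurrent replacements would free the same box twice.
pub fn store_session_replace(slot: &mut usize, session_info: SessionInfo) {
    release_session(slot);
    let ptr = Box::into_raw(Box::new(session_info));
    *slot = ptr as usize;
}

/// Frees the session a slot points to and clears the slot (idempotent).
pub fn release_session(slot: &mut usize) {
    if *slot != 0 {
        // SAFETY: see session_id; clearing the slot keeps this a single free.
        unsafe { drop(Box::from_raw(*slot as *mut SessionInfo)) };
        *slot = 0;
    }
}

fn main() {
    let mut slot = 0;
    store_session_leaky(&mut slot, SessionInfo { id: 1 });
    store_session_leaky(&mut slot, SessionInfo { id: 2 });
    println!("leaky: {} freed after two stores (session 1 is lost)", drops_so_far());
    release_session(&mut slot);

    let mut slot = 0;
    let first = store_session_once(&mut slot, SessionInfo { id: 3 });
    let second = store_session_once(&mut slot, SessionInfo { id: 4 });
    println!("once: first={} second={} slot holds {:?}", first, second, session_id(slot));
    release_session(&mut slot);

    let mut slot = 0;
    store_session_replace(&mut slot, SessionInfo { id: 5 });
    store_session_replace(&mut slot, SessionInfo { id: 6 });
    println!("replace: slot holds {:?}, {} freed so far", session_id(slot), drops_so_far());
    release_session(&mut slot);
}
```

The once-only variant also stores INITIALIZED after the assignment, which the fragment in the issue leaves out; without it a reader of the flag cannot tell a finished initialization from one still in progress, and the INITIALIZED constant is never used.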
