@@ -148,6 +148,23 @@ lookup_module_by_handle(uint32 handle_id)
148148 return module ;
149149}
150150
151+ static void
152+ release_module_handle (uint32 handle_id)
153+ {
154+ os_mutex_lock (&module_table_lock);
155+
156+ for (uint32 i = 0 ; i < MAX_MODULES; i++) {
157+ if (module_table[i].in_use && module_table[i].id == handle_id) {
158+ module_table[i].id = 0 ;
159+ module_table[i].module_ref = NULL ;
160+ module_table[i].in_use = false ;
161+ break ;
162+ }
163+ }
164+
165+ os_mutex_unlock (&module_table_lock);
166+ }
167+
151168/* SECURITY FIX: Handle table for secure wasm_module_inst_t reference management
152169 */
153170#define MAX_INSTANCES 128
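Review bot: release_module_handle is a separate critical section from lookup_module_by_handle, so a caller ends up holding a raw EnclaveModule pointer after module_table_lock has been dropped. If ecalls into this enclave can execute concurrently (that depends on the EDL, which is not in this diff), one thread can release and destroy the module between another thread's lookup and its use of the pointer; closing that window needs either a combined take-and-release that removes the entry under the lock and hands the pointer to exactly one caller, or a reference held across use. Independently, the function gives no indication of whether the id was found, so a stale or repeated release is indistinguishable from a valid one; returning `bool` — `static bool release_module_handle(uint32 handle_id)` with `return true;` in the matching branch and `return false;` after the loop — lets the caller log the anomaly. release_instance_handle in the next hunk has the same shape and the same two points apply.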
@@ -215,6 +232,23 @@ lookup_instance_by_handle(uint32 handle_id)
215232 return inst;
216233}
217234
235+ static void
236+ release_instance_handle (uint32 handle_id)
237+ {
238+ os_mutex_lock (&instance_table_lock);
239+
240+ for (uint32 i = 0 ; i < MAX_INSTANCES; i++) {
241+ if (instance_table[i].in_use && instance_table[i].id == handle_id) {
242+ instance_table[i].id = 0 ;
243+ instance_table[i].inst_ref = NULL ;
244+ instance_table[i].in_use = false ;
245+ break ;
246+ }
247+ }
248+
249+ os_mutex_unlock (&instance_table_lock);
250+ }
251+
218252#if WASM_ENABLE_GLOBAL_HEAP_POOL != 0
219253static char global_heap_buf[WASM_GLOBAL_HEAP_SIZE] = { 0 };
220254#endif
@@ -444,7 +478,8 @@ handle_cmd_load_module(uint64 *args, uint32 argc)
444478static void
445479handle_cmd_unload_module (uint64 *args, uint32 argc)
446480{
447- EnclaveModule *enclave_module = *(EnclaveModule **)args++;
481+ uint32 module_handle_id = *(uint32 *)args++;
482+ EnclaveModule *enclave_module = lookup_module_by_handle (module_handle_id);
448483
449484 bh_assert (argc == 1 );
450485
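Review bot: The result of `lookup_module_by_handle(module_handle_id)` is never checked before enclave_module is dereferenced later in the function (the body continues outside this hunk), and the handle value comes straight from the untrusted host buffer, so a forged or already-released id turns into a NULL dereference inside the enclave. A guard right after the lookup is enough: `if (!enclave_module) { LOG_VERBOSE("Invalid module handle %u.\n", module_handle_id); return; }`. The same unchecked lookup appears in handle_cmd_deinstantiate_module, handle_cmd_get_exception, handle_cmd_exec_app_main and handle_cmd_exec_app_func in the later hunks, each of which should reject a NULL module_inst the same way before passing it to the runtime.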
@@ -473,6 +508,9 @@ handle_cmd_unload_module(uint64 *args, uint32 argc)
473508 os_mutex_unlock (&enclave_module_list_lock);
474509#endif
475510
511+ /* Release module handle */
512+ release_module_handle (module_handle_id);
513+
476514 /* Destroy enclave module resources */
477515 if (enclave_module->wasi_arg_buf )
478516 wasm_runtime_free (enclave_module->wasi_arg_buf );
@@ -552,7 +590,8 @@ handle_cmd_instantiate_module(uint64 *args, uint32 argc)
552590static void
553591handle_cmd_deinstantiate_module (uint64 *args, uint32 argc)
554592{
555- wasm_module_inst_t module_inst = *(wasm_module_inst_t *)args++;
593+ uint32 instance_handle_id = *(uint32 *)args++;
594+ wasm_module_inst_t module_inst = lookup_instance_by_handle (instance_handle_id);
556595
557596 bh_assert (argc == 1 );
558597
@@ -562,14 +601,17 @@ handle_cmd_deinstantiate_module(uint64 *args, uint32 argc)
562601
563602 wasm_runtime_deinstantiate (module_inst);
564603
604+ release_instance_handle (instance_handle_id);
605+
565606 LOG_VERBOSE (" Deinstantiate module success.\n " );
566607}
567608
568609static void
569610handle_cmd_get_exception (uint64 *args, uint32 argc)
570611{
571612 uint64 *args_org = args;
572- wasm_module_inst_t module_inst = *(wasm_module_inst_t *)args++;
613+ uint32 instance_handle_id = *(uint32 *)args++;
614+ wasm_module_inst_t module_inst = lookup_instance_by_handle (instance_handle_id);
573615 char *exception = *(char **)args++;
574616 uint32 exception_size = *(uint32 *)args++;
575617 const char *exception1;
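Review bot: release_instance_handle is called only after `wasm_runtime_deinstantiate(module_inst)` has freed the instance, so for that window the table still resolves instance_handle_id to a dangling pointer; handle_cmd_unload_module in the earlier hunk takes the opposite order, releasing the handle before destroying the module. Releasing first is the safer order if ecalls can run concurrently (not determinable from this diff), because a concurrent lookup then fails instead of returning freed memory: move `release_instance_handle(instance_handle_id);` above `wasm_runtime_deinstantiate(module_inst);`. handle_cmd_get_exception, which begins at the end of this hunk, also continues outside it.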
@@ -593,7 +635,8 @@ handle_cmd_get_exception(uint64 *args, uint32 argc)
593635static void
594636handle_cmd_exec_app_main (uint64 *args, int32 argc)
595637{
596- wasm_module_inst_t module_inst = *(wasm_module_inst_t *)args++;
638+ uint32 instance_handle_id = *(uint32*)args++;
639+ wasm_module_inst_t module_inst = lookup_instance_by_handle (instance_handle_id);
597640 uint32 app_argc = *(uint32 *)args++;
598641 char **app_argv = NULL ;
599642 uint64 total_size;
@@ -626,7 +669,8 @@ handle_cmd_exec_app_main(uint64 *args, int32 argc)
626669static void
627670handle_cmd_exec_app_func (uint64 *args, int32 argc)
628671{
629- wasm_module_inst_t module_inst = *(wasm_module_inst_t *)args++;
672+ uint32 instance_handle_id = *(uint32*)args++;
673+ wasm_module_inst_t module_inst = lookup_instance_by_handle (instance_handle_id);
630674 char *func_name = *(char **)args++;
631675 uint32 app_argc = *(uint32 *)args++;
632676 char **app_argv = NULL ;
@@ -894,17 +938,19 @@ ecall_handle_command(unsigned cmd, unsigned char *cmd_buf,
894938 unsigned cmd_buf_size)
895939{
896940 /* SECURITY FIX: Validate buffer before processing */
897- if (!cmd_buf || cmd_buf_size < sizeof (uint64)) {
941+ // cmd_buf can be NULL if cmd_buf_size is 0, but if cmd_buf_size is non-zero, cmd_buf must be valid
942+ if ((!cmd_buf && cmd_buf_size > 0 ) || (cmd_buf && cmd_buf_size == 0 )) {
898943 int bytes_written = 0 ;
899944 ocall_print (&bytes_written,
900945 " SECURITY ERROR: Invalid buffer parameters\n " );
901946 return ;
902947 }
903948
904- if (!sgx_is_outside_enclave (cmd_buf, cmd_buf_size)) {
949+ // Because of [in, out] cmd_buf in edl, it is allocated inside enclave.
950+ if (cmd_buf && sgx_is_outside_enclave (cmd_buf, cmd_buf_size)) {
905951 int bytes_written = 0 ;
906952 ocall_print (&bytes_written,
907- " SECURITY ERROR: Buffer not outside enclave\n " );
953+ " SECURITY ERROR: Buffer should be inside enclave\n " );
908954 return ;
909955 }
910956
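Review bot: The rewritten validation drops the old `cmd_buf_size < sizeof(uint64)` minimum, so a non-NULL buffer of 1–7 bytes now passes, argc becomes 0 by integer division, and every handler reads its first 8-byte slot from args before its `bh_assert(argc == ...)` runs — an out-of-bounds read, and a NULL dereference for the newly accepted NULL/0 pair, with no backstop if bh_assert is compiled out in release builds. If some commands genuinely take no arguments, keep the NULL/0 case but add `if (cmd_buf_size % sizeof(uint64) != 0) { /* same ocall_print + return */ }` so argc always reflects whole slots, and have each handler check argc before touching args; if none do, the old minimum should simply be restored. Separately, `sgx_is_outside_enclave` is true only when the entire range lies outside the enclave, so a range straddling the boundary passes the new check; the intended property is `if (cmd_buf && !sgx_is_within_enclave(cmd_buf, cmd_buf_size)) {`. The handlers referenced here are outside this hunk.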
@@ -918,6 +964,8 @@ ecall_handle_command(unsigned cmd, unsigned char *cmd_buf,
918964 uint64 *args = (uint64 *)cmd_buf;
919965 uint32 argc = cmd_buf_size / sizeof (uint64);
920966
967+ LOG_VERBOSE (" Received command %d with %u arguments.\n " , cmd, argc);
968+
921969 switch (cmd) {
922970 case CMD_INIT_RUNTIME:
923971 handle_cmd_init_runtime (args, argc);
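Review bot: The `%d` conversion in the added LOG_VERBOSE does not match the `unsigned cmd` parameter; `%u` is the matching specifier: `LOG_VERBOSE("Received command %u with %u arguments.\n", cmd, argc);`. That also makes the two arguments consistent, since argc is already printed with `%u` (assuming uint32 is an `unsigned int` typedef, otherwise PRIu32 is the portable choice).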