Skip to content

Commit 845885e

Browse files
committed
feat: replace shared_mem_mut() with bounds-checked guest_memory_ptr()
Replace the public shared_mem_mut() API (which exposed the full shared memory region) with a narrower guest_memory_ptr() method that takes an offset and length, bounds-checks against the allocated region, and returns the corresponding host pointer. Signed-off-by: danbugs <danilochiarlone@gmail.com>
1 parent 0df68cc commit 845885e

1 file changed

Lines changed: 37 additions & 4 deletions

File tree

src/hyperlight_host/src/sandbox/uninitialized.rs

Lines changed: 37 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -29,9 +29,10 @@ use crate::func::host_functions::{HostFunction, register_host_function};
2929
use crate::func::{ParameterTuple, SupportedReturnType};
3030
#[cfg(feature = "build-metadata")]
3131
use crate::log_build_details;
32+
use crate::mem::layout::SandboxMemoryLayout;
3233
use crate::mem::memory_region::{DEFAULT_GUEST_BLOB_MEM_FLAGS, MemoryRegionFlags};
3334
use crate::mem::mgr::SandboxMemoryManager;
34-
use crate::mem::shared_mem::ExclusiveSharedMemory;
35+
use crate::mem::shared_mem::{ExclusiveSharedMemory, SharedMemory};
3536
use crate::sandbox::SandboxConfiguration;
3637
use crate::{MultiUseSandbox, Result, new_error};
3738

@@ -169,9 +170,41 @@ impl<'a> From<GuestBinary<'a>> for GuestEnvironment<'a, '_> {
169170
}
170171

171172
impl UninitializedSandbox {
172-
/// Returns a mutable reference to the sandbox's shared memory region.
173-
pub fn shared_mem_mut(&mut self) -> &mut ExclusiveSharedMemory {
174-
&mut self.mgr.shared_mem
173+
/// Returns a host-side pointer to a specific guest physical address (GPA)
174+
/// within the sandbox's shared memory region.
175+
///
176+
/// This is the safe way to obtain host-side access to guest memory.
177+
/// The method validates that the GPA falls within the sandbox's
178+
/// allocated memory region before returning the corresponding host pointer.
179+
///
180+
/// # Safety
181+
///
182+
/// The returned pointer is valid as long as the sandbox (and its underlying
183+
/// shared memory mapping) remains alive. Dereferencing the pointer requires
184+
/// `unsafe` code and the caller must ensure proper synchronization.
185+
pub fn guest_memory_ptr(&mut self, gpa: usize) -> Result<*mut u8> {
186+
let base = SandboxMemoryLayout::BASE_ADDRESS;
187+
let mem_size = self.mgr.shared_mem.mem_size();
188+
189+
if gpa < base {
190+
return Err(new_error!(
191+
"GPA {:#x} is below the sandbox base address {:#x}",
192+
gpa,
193+
base
194+
));
195+
}
196+
197+
let offset = gpa - base;
198+
if offset >= mem_size {
199+
return Err(new_error!(
200+
"GPA {:#x} (offset {:#x}) is beyond sandbox memory size {:#x}",
201+
gpa,
202+
offset,
203+
mem_size
204+
));
205+
}
206+
207+
Ok(unsafe { self.mgr.shared_mem.base_ptr().add(offset) })
175208
}
176209

177210
// Creates a new uninitialized sandbox from a pre-built snapshot.

0 commit comments

Comments
 (0)