asterinas / asterinas

Asterinas is a secure, fast, and general-purpose OS kernel, written in Rust and providing Linux-compatible ABI.
https://asterinas.github.io/

Reachable assertion in `get_intersected_range()` by invalid `size` of `mmap`/`mprotect`/`munmap`/`madvise` #1172

Closed Marsman1996 closed 2 weeks ago

Marsman1996 commented 4 weeks ago

### Describe the bug

There is a reachable assertion in `get_intersected_range()` at `kernel/aster-nix/src/vm/vmar/mod.rs:844` when making an `mmap` syscall with specific arguments.

https://github.com/asterinas/asterinas/blob/4844e7ca7ca6d78896a51a71487a6fdfe9ca6654/kernel/aster-nix/src/vm/vmar/mod.rs#L841-L846

### To Reproduce

1. Compile a program which calls `mmap` with specific arguments:

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

int main(void) {
    int fd = open("/proc/meminfo", O_RDONLY);
    /* len == 0 is what reaches the assertion; prot 3 == PROT_READ | PROT_WRITE
       and flags 460833 == 0x70821 are passed exactly as in the original report. */
    mmap(NULL, 0, 3, 460833, fd, 0);
    return 0;
}
```

2. Run the compiled program in Asterinas.

### Expected behavior
Asterinas reports assertion failure and is terminated.

### Environment

- Official docker asterinas/asterinas:0.6.2
- 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz
- Asterinas version: main 4844e7c

### Logs

```
~ # /root/mmap_test
panicked at /root/asterinas/kernel/aster-nix/src/vm/vmar/mod.rs:844:5:
assertion failed: is_intersected(range1, range2)
Printing stack trace:
```
```
[OSDK] The kernel seems panicked. Parsing stack trace for source lines:
( 1) /root/asterinas/ostd/src/panicking.rs:107
( 2) /root/asterinas/ostd/src/panicking.rs:59
( 3) au2ndt6r5ksv2yyhocg58xyv7:?
( 4) ??:?
( 5) /root/.rustup/toolchains/nightly-2024-06-20-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/panicking.rs:220
( 6) ??:?
( 7) /root/asterinas/kernel/aster-nix/src/vm/vmar/mod.rs:661
( 8) /root/asterinas/kernel/aster-nix/src/vm/vmar/vm_mapping.rs:88
( 9) /root/asterinas/kernel/aster-nix/src/vm/vmar/vm_mapping.rs:741
( 10) /root/asterinas/kernel/aster-nix/src/syscall/mmap.rs:89
( 11) /root/asterinas/kernel/aster-nix/src/syscall/mmap.rs:29
( 12) /root/asterinas/kernel/aster-nix/src/syscall/mod.rs:215
( 13) /root/asterinas/kernel/aster-nix/src/syscall/mod.rs:323
( 14) /root/asterinas/kernel/aster-nix/src/thread/task.rs:69
( 15) /root/.rustup/toolchains/nightly-2024-06-20-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:79
( 16) /root/.rustup/toolchains/nightly-2024-06-20-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/boxed.rs:2077
( 17) /root/asterinas/ostd/src/task/task.rs:295
make: *** [Makefile:153: run] Error 1
```



StevenJiang1110 commented 3 weeks ago

Good catch!

An obvious problem is that `mmap` should not allow the map length to be zero. But I'm not sure whether there are some other problems. I will check and fix it soon.

StevenJiang1110 commented 3 weeks ago

@boterinas claim