
Several Integer overflow problems in syscall `mmap`/`munmap`/`mprotect`/`madvise` caused by large `size` #1213

Closed Marsman1996 closed 1 week ago

Marsman1996 commented 3 weeks ago

Describe the bug

An `attempt to add with overflow` panic is raised in `find_free_region()` at kernel/aster-nix/src/vm/vmar/mod.rs:167 when user space issues an `mmap` syscall with a very large, page-aligned `size`. Because the overflow is hit inside the kernel, the panic takes down the whole system instead of just failing the syscall, so any unprivileged process can trigger a kernel denial of service with a single syscall.

https://github.com/asterinas/asterinas/blob/562e64437584279783f244edba10b512beddc81d/kernel/aster-nix/src/vm/vmar/mod.rs#L167

To Reproduce

  1. Compile a program which calls mmap:
    
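    #include <errno.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sys/mman.h>
    #include <unistd.h>

    /*
     * Reproducer for the mmap overflow panic.
     *
     * The length 0xfffffffffffff000 is a multiple of the 4 KiB page size, so it
     * passes an alignment check and reaches the kernel's address arithmetic,
     * where `base + len` wraps around and the kernel panics (see the log below).
     *
     * On a kernel that validates the range (and on Linux) the call must instead
     * fail: mmap returns MAP_FAILED with errno set (Linux reports ENOMEM for a
     * length that cannot be mapped). This program prints that result and exits
     * 0; it never reaches the "succeeded" branch unless the kernel is broken.
     */
    int main(void) {
        /* Page-aligned but one page short of wrapping the 64-bit address space. */
        const size_t huge_len = 0xfffffffffffff000UL;

        /* PROT_READ | PROT_WRITE is the 0x3 used in the original report. */
        void *addr = mmap(NULL, huge_len, PROT_READ | PROT_WRITE,
                          MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (addr == MAP_FAILED) {
            /* Expected outcome on a fixed kernel: the request is rejected. */
            printf("mmap rejected the request: %s (errno=%d)\n",
                   strerror(errno), errno);
            return 0;
        }

        /* Should be unreachable: a mapping that wraps the address space must
         * never be handed out. */
        printf("mmap unexpectedly succeeded at %p\n", addr);
        munmap(addr, huge_len);
        return 1;
    }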

2. Run the compiled program in Asterinas.

### Actual behavior
Asterinas panics with `attempt to add with overflow` and the whole kernel is terminated, so an unprivileged user-space program can crash the system (kernel denial of service).

### Expected behavior
The syscall should fail with an error return to the caller (Linux returns `ENOMEM` for a length that cannot be mapped) and the kernel should keep running. Arithmetic on user-controlled `addr`/`len` values should use checked operations (e.g. `checked_add`) and reject the request on overflow instead of panicking.

### Environment
- Official docker asterinas/asterinas:0.6.2
- 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz
- Asterinas version: main 562e6443

### Logs

~ # /root/munmap.c panicked at /root/asterinas/kernel/aster-nix/src/vm/vmar/mod.rs:167:43: attempt to add with overflow Printing stack trace: 1: fn 0xffffffff888695b0 - pc 0xffffffff888695c8 / registers:

 rax               0x12; rdx 0xffffffff88a38470; rcx                0x1; rbx                0x0;
 rsi                0x0; rdi                0x0; rbp                0x0; rsp 0xffff80007e4a7a70;

2: fn 0xffffffff88869390 - pc 0xffffffff88869508 / registers:

 rax               0x12; rdx 0xffffffff88a38470; rcx                0x1; rbx                0x0;
 rsi                0x0; rdi                0x0; rbp                0x0; rsp 0xffff80007e4a7a80;

3: fn 0xffffffff88049000 - pc 0xffffffff8804900a / registers:

 rax               0x12; rdx 0xffffffff88a38470; rcx                0x1; rbx                0x0;
 rsi                0x0; rdi                0x0; rbp                0x0; rsp 0xffff80007e4a7c00;

4: fn 0xffffffff889a8690 - pc 0xffffffff889a8712 / registers:

 rax               0x12; rdx 0xffffffff88a38470; rcx                0x1; rbx                0x0;
 rsi                0x0; rdi                0x0; rbp                0x0; rsp 0xffff80007e4a7c10;

5: fn 0xffffffff88983e50 - pc 0xffffffff88983e7e / registers:

 rax               0x12; rdx 0xffffffff88a38470; rcx                0x1; rbx                0x0;
 rsi                0x0; rdi                0x0; rbp                0x0; rsp 0xffff80007e4a7ca0;

6: fn 0xffffffff88470450 - pc 0xffffffff884707f7 / registers:

 rax               0x12; rdx 0xffffffff88a38470; rcx                0x1; rbx                0x0;
 rsi                0x0; rdi                0x0; rbp                0x0; rsp 0xffff80007e4a7cf0;

7: fn 0xffffffff884742b0 - pc 0xffffffff88474c1a / registers:

 rax               0x12; rdx 0xffffffff88a38470; rcx                0x1; rbx                0x0;
 rsi                0x0; rdi                0x0; rbp                0x0; rsp 0xffff80007e4a7f30;

8: fn 0xffffffff8855aa00 - pc 0xffffffff8855ab86 / registers:

 rax               0x12; rdx 0xffffffff88a38470; rcx                0x1; rbx                0x0;
 rsi                0x0; rdi                0x0; rbp                0x0; rsp 0xffff80007e4a8900;

9: fn 0xffffffff8855b6d0 - pc 0xffffffff8855b824 / registers:

 rax               0x12; rdx 0xffffffff88a38470; rcx                0x1; rbx                0x0;
 rsi                0x0; rdi                0x0; rbp                0x0; rsp 0xffff80007e4a8dd0;

10: fn 0xffffffff8844e2f0 - pc 0xffffffff8844f4da / registers:

 rax               0x12; rdx 0xffffffff88a38470; rcx                0x1; rbx                0x0;
 rsi                0x0; rdi                0x0; rbp                0x0; rsp 0xffff80007e4a90f0;

11: fn 0xffffffff8844e000 - pc 0xffffffff8844e168 / registers:

 rax               0x12; rdx 0xffffffff88a38470; rcx                0x1; rbx                0x0;
 rsi                0x0; rdi                0x0; rbp                0x0; rsp 0xffff80007e4a9da0;

12: fn 0xffffffff8856ded0 - pc 0xffffffff88572b3c / registers:

 rax               0x12; rdx 0xffffffff88a38470; rcx                0x1; rbx                0x0;
 rsi                0x0; rdi                0x0; rbp                0x0; rsp 0xffff80007e4a9f30;

13: fn 0xffffffff880df4c0 - pc 0xffffffff880df54e / registers:

 rax               0x12; rdx 0xffffffff88a38470; rcx                0x1; rbx                0x0;
 rsi                0x0; rdi                0x0; rbp                0x0; rsp 0xffff80007e4c03d0;

14: fn 0xffffffff882db7a0 - pc 0xffffffff882dc31f / registers:

 rax               0x12; rdx 0xffffffff88a38470; rcx                0x1; rbx                0x0;
 rsi                0x0; rdi                0x0; rbp                0x0; rsp 0xffff80007e4c0570;

15: fn 0xffffffff883ffc40 - pc 0xffffffff883ffc4e / registers:

 rax               0x12; rdx 0xffffffff88a38470; rcx                0x1; rbx                0x0;
 rsi                0x0; rdi                0x0; rbp                0x0; rsp 0xffff80007e4c0f90;

16: fn 0xffffffff887c0770 - pc 0xffffffff887c0786 / registers:

 rax               0x12; rdx 0xffffffff88a38470; rcx                0x1; rbx                0x0;
 rsi                0x0; rdi                0x0; rbp                0x0; rsp 0xffff80007e4c0fb0;

17: fn 0xffffffff887a61e0 - pc 0xffffffff887a6249 / registers:

 rax               0x12; rdx 0xffffffff88a38470; rcx                0x1; rbx                0x0;
 rsi                0x0; rdi                0x0; rbp                0x0; rsp 0xffff80007e4c0fd0;

18: fn 0x0 - pc 0x0 / registers:

 rax               0x12; rdx 0xffffffff88a38470; rcx                0x1; rbx                0x0;
 rsi                0x0; rdi                0x0; rbp                0x0; rsp 0xffff80007e4c1000;

[OSDK] The kernel seems panicked. Parsing stack trace for source lines: ( 1) /root/asterinas/ostd/src/panicking.rs:107 ( 2) /root/asterinas/ostd/src/panicking.rs:59 ( 3) 0yfjuqijmdltwb3g9ceg2tyxs:? ( 4) ??:? ( 5) ??:? ( 6) axbvs75vp1k66nwsaobv39t4g:? ( 7) /root/asterinas/kernel/aster-nix/src/vm/vmar/mod.rs:607 ( 8) /root/asterinas/kernel/aster-nix/src/vm/vmar/vm_mapping.rs:102 ( 9) /root/asterinas/kernel/aster-nix/src/vm/vmar/vm_mapping.rs:695 ( 10) /root/asterinas/kernel/aster-nix/src/syscall/mmap.rs:137 ( 11) /root/asterinas/kernel/aster-nix/src/syscall/mmap.rs:33 ( 12) /root/asterinas/kernel/aster-nix/src/syscall/mod.rs:220 ( 13) /root/asterinas/kernel/aster-nix/src/syscall/mod.rs:328 ( 14) /root/asterinas/kernel/aster-nix/src/thread/task.rs:69 ( 15) /root/.rustup/toolchains/nightly-2024-06-20-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:79 ( 16) /root/.rustup/toolchains/nightly-2024-06-20-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/boxed.rs:2077 ( 17) /root/asterinas/ostd/src/task/task/mod.rs:310

Marsman1996 commented 3 weeks ago

The same class of bug exists in `munmap`, `mprotect` and `madvise`: each performs an unchecked addition involving the user-supplied length and panics with `attempt to add with overflow` (munmap.rs:16, mprotect.rs:23 and madvise.rs:48 in the logs below). All four call sites need the same fix — validate `addr`/`len` with checked arithmetic and return an error to user space on overflow — since any one of them is enough to crash the kernel from an unprivileged process:

https://github.com/asterinas/asterinas/blob/562e64437584279783f244edba10b512beddc81d/kernel/aster-nix/src/syscall/munmap.rs#L13

log info of munmap ``` ~ # /root/munmap.c panicked at /root/asterinas/kernel/aster-nix/src/syscall/munmap.rs:16:29: attempt to add with overflow Printing stack trace: 1: fn 0xffffffff888695b0 - pc 0xffffffff888695c8 / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e4a99c0; 2: fn 0xffffffff88869390 - pc 0xffffffff88869508 / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e4a99d0; 3: fn 0xffffffff88049000 - pc 0xffffffff8804900a / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e4a9b50; 4: fn 0xffffffff889a8690 - pc 0xffffffff889a8712 / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e4a9b60; 5: fn 0xffffffff88983e50 - pc 0xffffffff88983e7e / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e4a9bf0; 6: fn 0xffffffff883b6b10 - pc 0xffffffff883b6ffc / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e4a9c40; 7: fn 0xffffffff8856ded0 - pc 0xffffffff885734f2 / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e4a9f30; 8: fn 0xffffffff880df4c0 - pc 0xffffffff880df54e / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e4c03d0; 9: fn 0xffffffff882db7a0 - pc 0xffffffff882dc31f / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e4c0570; 10: fn 0xffffffff883ffc40 - pc 0xffffffff883ffc4e / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e4c0f90; 11: fn 0xffffffff887c0770 - pc 0xffffffff887c0786 / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e4c0fb0; 12: fn 
0xffffffff887a61e0 - pc 0xffffffff887a6249 / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e4c0fd0; 13: fn 0x0 - pc 0x0 / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e4c1000; [OSDK] The kernel seems panicked. Parsing stack trace for source lines: ( 1) /root/asterinas/ostd/src/panicking.rs:107 ( 2) /root/asterinas/ostd/src/panicking.rs:59 ( 3) 0yfjuqijmdltwb3g9ceg2tyxs:? ( 4) ??:? ( 5) ??:? ( 6) 8j5o2srz7f6ei3ofqjuqjpq09:? ( 7) /root/asterinas/kernel/aster-nix/src/syscall/mod.rs:164 ( 8) /root/asterinas/kernel/aster-nix/src/syscall/mod.rs:328 ( 9) /root/asterinas/kernel/aster-nix/src/thread/task.rs:69 ( 10) /root/.rustup/toolchains/nightly-2024-06-20-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:79 ( 11) /root/.rustup/toolchains/nightly-2024-06-20-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/boxed.rs:2077 ( 12) /root/asterinas/ostd/src/task/task/mod.rs:310 make: *** [Makefile:153: run] Error 1 ```

https://github.com/asterinas/asterinas/blob/562e64437584279783f244edba10b512beddc81d/kernel/aster-nix/src/syscall/mprotect.rs#L17

log info of mprotect ``` ~ # /root/mprotect.c panicked at /root/asterinas/kernel/aster-nix/src/syscall/mprotect.rs:23:23: attempt to add with overflow Printing stack trace: 1: fn 0xffffffff888695b0 - pc 0xffffffff888695c8 / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e5a9a40; 2: fn 0xffffffff88869390 - pc 0xffffffff88869508 / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e5a9a50; 3: fn 0xffffffff88049000 - pc 0xffffffff8804900a / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e5a9bd0; 4: fn 0xffffffff889a8690 - pc 0xffffffff889a8712 / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e5a9be0; 5: fn 0xffffffff88983e50 - pc 0xffffffff88983e7e / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e5a9c70; 6: fn 0xffffffff8855a540 - pc 0xffffffff8855a91d / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e5a9cc0; 7: fn 0xffffffff8856ded0 - pc 0xffffffff88573019 / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e5a9f30; 8: fn 0xffffffff880df4c0 - pc 0xffffffff880df54e / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e5c03d0; 9: fn 0xffffffff882db7a0 - pc 0xffffffff882dc31f / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e5c0570; 10: fn 0xffffffff883ffc40 - pc 0xffffffff883ffc4e / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e5c0f90; 11: fn 0xffffffff887c0770 - pc 0xffffffff887c0786 / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e5c0fb0; 12: fn 
0xffffffff887a61e0 - pc 0xffffffff887a6249 / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e5c0fd0; 13: fn 0x0 - pc 0x0 / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e5c1000; [OSDK] The kernel seems panicked. Parsing stack trace for source lines: ( 1) /root/asterinas/ostd/src/panicking.rs:107 ( 2) /root/asterinas/ostd/src/panicking.rs:59 ( 3) 0yfjuqijmdltwb3g9ceg2tyxs:? ( 4) ??:? ( 5) ??:? ( 6) d9wc6hqkevrkh55mc6uw1tmac:? ( 7) /root/asterinas/kernel/aster-nix/src/syscall/mod.rs:171 ( 8) /root/asterinas/kernel/aster-nix/src/syscall/mod.rs:328 ( 9) /root/asterinas/kernel/aster-nix/src/thread/task.rs:69 ( 10) /root/.rustup/toolchains/nightly-2024-06-20-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:79 ( 11) /root/.rustup/toolchains/nightly-2024-06-20-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/boxed.rs:2077 ( 12) /root/asterinas/ostd/src/task/task/mod.rs:310 make: *** [Makefile:153: run] Error 1 ```

https://github.com/asterinas/asterinas/blob/562e64437584279783f244edba10b512beddc81d/kernel/aster-nix/src/syscall/madvise.rs#L48

log info of madvise ``` ~ # /root/madvise.c panicked at /root/asterinas/kernel/aster-nix/src/syscall/madvise.rs:48:32: attempt to add with overflow Printing stack trace: 1: fn 0xffffffff888695b0 - pc 0xffffffff888695c8 / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e7a9880; 2: fn 0xffffffff88869390 - pc 0xffffffff88869508 / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e7a9890; 3: fn 0xffffffff88049000 - pc 0xffffffff8804900a / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e7a9a10; 4: fn 0xffffffff889a8690 - pc 0xffffffff889a8712 / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e7a9a20; 5: fn 0xffffffff88983e50 - pc 0xffffffff88983e7e / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e7a9ab0; 6: fn 0xffffffff88534cd0 - pc 0xffffffff88534d63 / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e7a9b00; 7: fn 0xffffffff885344a0 - pc 0xffffffff88534b58 / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e7a9b80; 8: fn 0xffffffff8856ded0 - pc 0xffffffff88577deb / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e7a9f30; 9: fn 0xffffffff880df4c0 - pc 0xffffffff880df54e / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e7c03d0; 10: fn 0xffffffff882db7a0 - pc 0xffffffff882dc31f / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e7c0570; 11: fn 0xffffffff883ffc40 - pc 0xffffffff883ffc4e / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e7c0f90; 12: fn 
0xffffffff887c0770 - pc 0xffffffff887c0786 / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e7c0fb0; 13: fn 0xffffffff887a61e0 - pc 0xffffffff887a6249 / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e7c0fd0; 14: fn 0x0 - pc 0x0 / registers: rax 0x12; rdx 0xffffffff88a38470; rcx 0x1; rbx 0x0; rsi 0x0; rdi 0x0; rbp 0x0; rsp 0xffff80007e7c1000; [OSDK] The kernel seems panicked. Parsing stack trace for source lines: ( 1) /root/asterinas/ostd/src/panicking.rs:107 ( 2) /root/asterinas/ostd/src/panicking.rs:59 ( 3) 0yfjuqijmdltwb3g9ceg2tyxs:? ( 4) ??:? ( 5) ??:? ( 6) cgf2wirtt588u1sy2ej5ns7nw:? ( 7) /root/asterinas/kernel/aster-nix/src/syscall/madvise.rs:40 ( 8) /root/asterinas/kernel/aster-nix/src/syscall/mod.rs:171 ( 9) /root/asterinas/kernel/aster-nix/src/syscall/mod.rs:328 ( 10) /root/asterinas/kernel/aster-nix/src/thread/task.rs:69 ( 11) /root/.rustup/toolchains/nightly-2024-06-20-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:79 ( 12) /root/.rustup/toolchains/nightly-2024-06-20-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/boxed.rs:2077 ( 13) /root/asterinas/ostd/src/task/task/mod.rs:310 make: *** [Makefile:153: run] Error 1 ```