Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG REPORT] Integer overflow in page_align_up #1077

Open
Marsman1996 opened this issue Dec 11, 2024 · 6 comments · May be fixed by #1078
Open

[BUG REPORT] Integer overflow in page_align_up #1077

Marsman1996 opened this issue Dec 11, 2024 · 6 comments · May be fixed by #1078
Assignees
@Jomocool @MemoryShore
Labels
A-mm Area: 内存管理子系统 bug-report 这是一个bug报告(如果确认是一个bug,请管理人员添加`bug` label) needs-triage 这个问题可能需要分类处理。如果已经完成分类,请移除它。

Comments

@Marsman1996
Copy link

Marsman1996 commented Dec 11, 2024
edited
Loading

描述错误/Describe the bug
There is an integer overflow in page_align_up() at kernel/src/libs/align.rs:135 when program calls memory related syscall (i.e., mmap, munmap, and mprotect) with large len.

DragonOS/kernel/src/libs/align.rs

Lines 133 to 136 in 72423f9

pub const fn page_align_up(addr: usize) -> usize {
let page_size = MMArch::PAGE_SIZE;
return (addr + page_size - 1) & (!(page_size - 1));
}

请填写您的电脑的信息/Environment

  • OS Version:Debian GNU/Linux 11
  • DragonOS Version:72423f9
  • DADK Version:dadk 0.2.0
  • Rust Version:rustc 1.84.0-nightly (fbab78289 2024-11-04)

重现步骤/To Reproduce

  1. Compile a program which calls system call munmap with large len
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

int main() {
  void *addr = mmap(NULL, 0x1000, 0x3, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  munmap(addr, 0xffffffffffffffff);
  perror("mmap error");

  return EXIT_SUCCESS;
}
  1. Run the compiled program

期望行为/Expected behavior
DragonOS should check the add behavior first and not overflow here.

屏幕截图/Log
I add log before and after the alignment:

root@DragonOS:/$ /bin/overflow
[ WARN ] (src/syscall/mod.rs:626)        len before align: 0xffffffffffffffff
[ WARN ] (src/syscall/mod.rs:628)        len after align: 0x0
mmap error: Invalid argument
@Marsman1996 Marsman1996 added the bug-report 这是一个bug报告(如果确认是一个bug,请管理人员添加`bug` label) label Dec 11, 2024
@dragonosbot dragonosbot added the needs-triage 这个问题可能需要分类处理。如果已经完成分类,请移除它。 label Dec 11, 2024
@Marsman1996
Copy link
Author

I'm trying to add check for overflow in kernel/Cargo.toml, but after adding the check I cannot enter the DragonOS.

我尝试在 kernel/Cargo.toml 中增加对 overflow 的检查,但是这样编译后无法正常进入系统:

# The release profile, used for `cargo build --release`
[profile.release]
debug = false
overflow-checks = true

@fslongjin fslongjin added the A-mm Area: 内存管理子系统 label Dec 11, 2024
@fslongjin
Copy link
Member

cc @MemoryShore @Jomocool
麻烦看看~

@fslongjin
Copy link
Member

但是这个貌似也是正常?Linux上面传入过大的len的话,会返回什么? @Marsman1996

@Marsman1996
Copy link
Author

但是这个貌似也是正常?Linux上面传入过大的len的话,会返回什么? @Marsman1996

munmap 为例,会返回 EINVAL
https://elixir.bootlin.com/linux/v6.10.5/source/mm/mmap.c#L2738

但是在 Rust 程序中,这样的溢出在 debug 模式下会导致 panic。
不过 DragonOS 似乎写死了就以 release 编译👀
kernel/src/Makefile

kernel_rust:
	RUSTFLAGS="$(RUSTFLAGS)" cargo +nightly-2024-11-05 $(CARGO_ZBUILD) build --release --target $(TARGET_JSON)

@fslongjin
Copy link
Member

这里可以考虑在内核里面加个判断啥的,实现行为上跟Linux一致? 你方便发个pr吗 @Marsman1996

@Marsman1996
Copy link
Author

这里可以考虑在内核里面加个判断啥的,实现行为上跟Linux一致? 你方便发个pr吗 @Marsman1996

👌

@Marsman1996 Marsman1996 linked a pull request Dec 11, 2024 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Jomocool Jomocool

@MemoryShore MemoryShore

Labels
A-mm Area: 内存管理子系统 bug-report 这是一个bug报告(如果确认是一个bug,请管理人员添加`bug` label) needs-triage 这个问题可能需要分类处理。如果已经完成分类,请移除它。
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: page_align_up overflow Marsman1996/DragonOS
5 participants
@Marsman1996 @fslongjin @Jomocool @MemoryShore @dragonosbot