
Commit 2167247

fix: handle overflow when computing mmap offset during restore

Since we dropped the explicit offset field from the snapshot file, we are implicitly computing it as "sum of sizes of all preceding regions". If the snapshot file is corrupted, it can describe regions whose sum exceeds u64::MAX. Fix this by adding overflow checks and returning an error in case of overflows. We also error out if it exceeds i64::MAX as the offset argument to mmap(2) is a signed 64 bit integer value.

Fixes: d835805
Signed-off-by: Patrick Roy <[email protected]>
1 parent 07ce762 commit 2167247
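The overflow check the commit message describes, as an added stand-alone example rather than Firecracker's own code: it derives each region's implicit file offset from the sizes of the regions before it and fails on either u64 wraparound or a running sum that does not fit the signed off_t that mmap(2) takes. The names (`region_offsets`, `OffsetError`) and the size lists are constructed for this example; unlike the patch's `>= i64::MAX as u64` comparison it uses `i64::try_from`, which accepts an offset of exactly `i64::MAX`.

```rust
// Added example, not Firecracker's code: recompute each memory region's
// file offset from the sizes of the preceding regions, the way a snapshot
// without an explicit offset field forces the restore path to do, and
// reject descriptors whose running sum cannot be a valid mmap(2) offset.
use std::convert::TryFrom;

#[derive(Debug, PartialEq, Eq)]
pub enum OffsetError {
    /// Adding region `region_index` either wrapped u64 or pushed the
    /// running sum past i64::MAX (the largest representable off_t).
    OffsetTooLarge { region_index: usize },
}

/// Returns the file offset at which each region starts.
/// `sizes[i]` is the byte size of region `i` (a real snapshot would carry
/// these in its region descriptors; here the caller constructs them).
pub fn region_offsets(sizes: &[u64]) -> Result<Vec<u64>, OffsetError> {
    let mut offsets = Vec::with_capacity(sizes.len());
    let mut offset: u64 = 0;
    for (idx, &size) in sizes.iter().enumerate() {
        // The start of this region is the sum of all preceding sizes; that
        // value was validated in the previous iteration (or is 0).
        offsets.push(offset);
        // checked_add catches wraparound of the u64 sum; try_from catches a
        // sum that fits in u64 but not in the signed off_t mmap(2) expects.
        offset = offset
            .checked_add(size)
            .filter(|v| i64::try_from(*v).is_ok())
            .ok_or(OffsetError::OffsetTooLarge { region_index: idx })?;
    }
    Ok(offsets)
}

fn main() {
    // Constructed descriptors: a sane layout and two corrupted ones.
    let sane = [4096u64, 8192, 1024];
    println!("sane layout -> {:?}", region_offsets(&sane));
    let wraps = [i64::MAX as u64, u64::MAX];
    println!("u64 wraparound -> {:?}", region_offsets(&wraps));
    let too_big_for_off_t = [u64::MAX, 1];
    println!("exceeds i64::MAX -> {:?}", region_offsets(&too_big_for_off_t));
}
```

Rejecting the descriptor before any region is mapped is the point: the offset is untrusted input derived from a file the attacker may have written, so the arithmetic that turns it into an mmap(2) argument has to fail closed rather than wrap silently.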

1 file changed

+9
-1
lines changed

src/vmm/src/vstate/memory.rs

Lines changed: 9 additions & 1 deletion
@@ -52,6 +52,8 @@ pub enum MemoryError {
5252
Memfd(memfd::Error),
5353
/// Cannot resize memfd file: {0}
5454
MemfdSetLen(std::io::Error),
55+
/// Total sum of memory regions exceeds largest possible file offset
56+
OffsetTooLarge,
5557
}
5658

5759
/// Defines the interface for snapshotting memory.
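Review bot: the doc comment on the new `OffsetTooLarge` variant appears to double as its displayed error text (the sibling variant uses a `{0}` placeholder in its doc comment), so it is worth stating the actual bound rather than "largest possible file offset", e.g. `/// Total size of memory regions exceeds i64::MAX, the largest file offset accepted by mmap(2)`. Consider also carrying the offending region index or the overflowed sum as a field, so a rejected snapshot can be diagnosed from the error message alone.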
@@ -188,7 +190,13 @@ impl GuestMemoryExtension for GuestMemoryMmap {
188190
builder = builder.with_file_offset(file_offset);
189191
}
190192

191-
offset += size as u64;
193+
offset = match offset.checked_add(size as u64) {
194+
None => return Err(MemoryError::OffsetTooLarge),
195+
Some(new_off) if new_off >= i64::MAX as u64 => {
196+
return Err(MemoryError::OffsetTooLarge)
197+
}
198+
Some(new_off) => new_off,
199+
};
192200

193201
GuestRegionMmap::new(
194202
builder.build().map_err(MemoryError::MmapRegionError)?,
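Review bot: `new_off >= i64::MAX as u64` also rejects an offset of exactly `i64::MAX`, which is still a representable `off_t`; `i64::try_from(new_off).is_err()` states the intended bound ("fits in a signed 64-bit offset") directly and drops the cast. Note also that the guard runs after `offset` has already been passed to `with_file_offset` on the preceding line, so what is validated is the sum after the current region, i.e. the next region's start; that is sound because `offset` begins at 0 and every later value handed to the builder was checked in the previous iteration, but a one-line comment saying so would save the next reader that reasoning. Finally, the diff carries no regression test: a descriptor with two regions whose sizes wrap `u64`, and one whose sum lands above `i64::MAX` without wrapping, would pin both arms of the match.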
