fix: handle overflow when computing mmap offset during restore

Since we dropped the explicit offset field from the snapshot file, we
are implicit computing it as "sum of sizes of all preceding regions". If
the snapshot file is corrupted, it can describe regions whose sum
exceeds u64::MAX. Fix this by adding overflow checks and returning an
error in case of overflows

We also error out if it exceeds i64::MAX as the offset argument to
mmap(2) is a signed 64 bit integer value.

Fixes: d835805
Signed-off-by: Patrick Roy <[email protected]>

Author: roypat

src/vmm/src/vstate/memory.rs

@@ -52,6 +52,8 @@ pub enum MemoryError {
     Memfd(memfd::Error),
     /// Cannot resize memfd file: {0}
     MemfdSetLen(std::io::Error),
+    /// Total sum of memory regions exceeds largest possible file offset
+    OffsetTooLarge,
 }
 
 /// Defines the interface for snapshotting memory.
@@ -188,7 +190,13 @@ impl GuestMemoryExtension for GuestMemoryMmap {
                     builder = builder.with_file_offset(file_offset);
                 }
 
-                offset += size as u64;
+                offset = match offset.checked_add(size as u64) {
+                    None => return Err(MemoryError::OffsetTooLarge),
+                    Some(new_off) if new_off >= i64::MAX as u64 => {
+                        return Err(MemoryError::OffsetTooLarge)
+                    }
+                    Some(new_off) => new_off,
+                };
 
                 GuestRegionMmap::new(
                     builder.build().map_err(MemoryError::MmapRegionError)?,