Apply bit masks to explicitly allow some wrapping

In these cases, values are intentionally truncated, either to split them
into multiple values or to ensure that user-supplied data does not cause
Firecracker to panic with a try_from/unwrap failure.

Clippy will allow us to use "as" when we use bit masks to limit the size
of an explicitly-sized value (u16, u32, u64). It doesn't work on usize
values or on some more complicated expressions.

Signed-off-by: Jonathan Browne <[email protected]>

Author: JBYoshi

src/seccompiler/src/backend.rs

@@ -279,7 +279,7 @@ impl SeccompCondition {
     /// [`SeccompCondition`]: struct.SeccompCondition.html
     fn value_segments(&self) -> (u32, u32, u8, u8) {
         // Splits the specified value into its most significant and least significant halves.
-        let (msb, lsb) = ((self.value >> 32) as u32, self.value as u32);
+        let (msb, lsb) = ((self.value >> 32) as u32, (self.value & 0xFFFFFFFF) as u32);
 
         // Offset to the argument specified by `arg_number`.
         // Cannot overflow because the value will be at most 16 + 6 * 8 = 64.
@@ -431,8 +431,11 @@ impl SeccompCondition {
     fn into_masked_eq_bpf(self, offset: u8, mask: u64) -> Vec<sock_filter> {
         let (_, _, msb_offset, lsb_offset) = self.value_segments();
         let masked_value = self.value & mask;
-        let (msb, lsb) = ((masked_value >> 32) as u32, masked_value as u32);
-        let (mask_msb, mask_lsb) = ((mask >> 32) as u32, mask as u32);
+        let (msb, lsb) = (
+            (masked_value >> 32) as u32,
+            (masked_value & 0xFFFFFFFF) as u32,
+        );
+        let (mask_msb, mask_lsb) = ((mask >> 32) as u32, (mask & 0xFFFFFFFF) as u32);
 
         let mut bpf = match self.arg_len {
             SeccompCmpArgLen::Dword => vec![],

src/utils/src/lib.rs

@@ -21,6 +21,7 @@ pub mod time;
 pub mod validators;
 pub mod vm_memory;
 
+use std::num::Wrapping;
 use std::result::Result;
 
 /// Return the default page size of the platform, in bytes.
@@ -40,3 +41,9 @@ pub fn get_page_size() -> Result<usize, errno::Error> {
 pub const fn u64_to_usize(num: u64) -> usize {
     num as usize
 }
+
+/// Converts a usize into a wrapping u32.
+#[inline]
+pub const fn wrap_usize_to_u32(num: usize) -> Wrapping<u32> {
+    Wrapping(((num as u64) & 0xFFFFFFFF) as u32)
+}

src/vmm/src/arch/x86_64/gdt.rs

@@ -25,7 +25,7 @@ fn get_base(entry: u64) -> u64 {
 }
 
 fn get_limit(entry: u64) -> u32 {
-    ((((entry) & 0x000F_0000_0000_0000) >> 32) | ((entry) & 0x0000_0000_0000_FFFF)) as u32
+    ((((entry) & 0x000F_0000_0000_0000) >> 32) as u32) | (((entry) & 0x0000_0000_0000_FFFF) as u32)
 }
 
 fn get_g(entry: u64) -> u8 {

src/vmm/src/devices/virtio/block/device.rs

@@ -182,7 +182,7 @@ impl DiskProperties {
         // The config space is little endian.
         let mut config = Vec::with_capacity(BLOCK_CONFIG_SPACE_SIZE);
         for i in 0..BLOCK_CONFIG_SPACE_SIZE {
-            config.push((self.nsectors >> (8 * i)) as u8);
+            config.push(((self.nsectors >> (8 * i)) & 0xff) as u8);
         }
         config
     }

src/vmm/src/devices/virtio/device.rs

@@ -128,7 +128,7 @@ pub trait VirtioDevice: AsAny + Send {
         let avail_features = self.avail_features();
         match page {
             // Get the lower 32-bits of the features bitfield.
-            0 => avail_features as u32,
+            0 => (avail_features & 0xFFFFFFFF) as u32,
             // Get the upper 32-bits of the features bitfield.
             1 => (avail_features >> 32) as u32,
             _ => {

src/vmm/src/devices/virtio/mmio.rs

@@ -288,7 +288,7 @@ impl MmioTransport {
                     }
                     0x24 => self.acked_features_select = v,
                     0x30 => self.queue_select = v,
-                    0x38 => self.update_queue_field(|q| q.size = v as u16),
+                    0x38 => self.update_queue_field(|q| q.size = (v & 0xffff) as u16),
                     0x44 => self.update_queue_field(|q| q.ready = v == 1),
                     0x64 => {
                         if self.check_device_status(device_status::DRIVER_OK, 0) {

src/vmm/src/devices/virtio/vsock/csm/connection.rs

@@ -85,6 +85,7 @@ use std::time::{Duration, Instant};
 use log::{debug, error, info, warn};
 use utils::epoll::EventSet;
 use utils::vm_memory::{GuestMemoryError, GuestMemoryMmap, ReadVolatile, WriteVolatile};
+use utils::wrap_usize_to_u32;
 
 use super::super::defs::uapi;
 use super::super::packet::VsockPacket;
@@ -475,7 +476,7 @@ where
                     };
                     0
                 });
-            self.fwd_cnt += Wrapping(flushed as u32);
+            self.fwd_cnt += wrap_usize_to_u32(flushed);
             METRICS.vsock.tx_bytes_count.add(flushed as u64);
 
             // If this connection was shutting down, but is waiting to drain the TX buffer
@@ -627,7 +628,8 @@ where
             }
         };
         // Move the "forwarded bytes" counter ahead by how much we were able to send out.
-        self.fwd_cnt += Wrapping(written as u32);
+        // Safe to unwrap because the maximum value is pkt.len(), which is a u32.
+        self.fwd_cnt += wrap_usize_to_u32(written);
         METRICS.vsock.tx_bytes_count.add(written as u64);
 
         // If we couldn't write the whole slice, we'll need to push the remaining data to our

src/vmm/src/devices/virtio/vsock/csm/txbuf.rs

@@ -7,6 +7,7 @@ use std::io::Write;
 use std::num::Wrapping;
 
 use utils::vm_memory::{BitmapSlice, Bytes, VolatileMemoryError, VolatileSlice, WriteVolatile};
+use utils::wrap_usize_to_u32;
 
 use super::{defs, VsockCsmError};
 
@@ -76,7 +77,7 @@ impl TxBuf {
 
         // Either way, we've just pushed exactly `src.len()` bytes, so that's the amount by
         // which the (wrapping) buffer head needs to move forward.
-        self.head += Wrapping(src.len() as u32);
+        self.head += wrap_usize_to_u32(src.len());
 
         Ok(())
     }
@@ -111,7 +112,7 @@ impl TxBuf {
             .map_err(VsockCsmError::TxBufFlush)?;
 
         // Move the buffer tail ahead by the amount (of bytes) we were able to flush out.
-        self.tail += Wrapping(written as u32);
+        self.tail += wrap_usize_to_u32(written);
 
         // If we weren't able to flush out as much as we tried, there's no point in attempting
         // our second write.