Arithmetic overflow in munmap when length is too large #236

@nuczyc

Describe the bug

The kernel panics with an "attempt to add with overflow" error when the munmap system call is invoked with a length of 0xffffffffffffffff (UINT64_MAX).

let end = VirtAddr::from(start + len).align_up_4k().as_usize();

To Reproduce

  1. Compile the program and run.
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

int main()
{
    void *addr = mmap(NULL, 4096, 0x3, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    munmap(addr, 0xffffffffffffffff);

    return 0;
}

  2. features.txt

alloc
paging
net
multitask
irq
fs

Environment

Logs

SeaBIOS (version 1.16.3-debian-1.16.3-2)


iPXE (https://ipxe.org) 00:03.0 CA00 PCI2.10 PnP PMM+7EFCA9F0+7EF0A9F0 CA00
                                                                               


Booting from ROM..
Initialize IDT & GDT...

8888888b.                     .d88888b.   .d8888b.
888   Y88b                   d88P" "Y88b d88P  Y88b
888    888                   888     888 Y88b.
888   d88P 888  888 888  888 888     888  "Y888b.
8888888P"  888  888 `Y8bd8P' 888     888     "Y88b.
888 T88b   888  888   X88K   888     888       "888
888  T88b  Y88b 888 .d8""8b. Y88b. .d88P Y88b  d88P
888   T88b  "Y88888 888  888  "Y88888P"   "Y8888P"

arch = x86_64
platform = x86_64-qemu-q35
target = x86_64-unknown-none
smp = 1
build_mode = debug
log_level = warn

[1769077952.211025 0 axfs_ramfs::dir:68] AlreadyExists sys
[1769077952.213594 0:1 ruxruntime::lang_items:14] panicked at api/ruxos_posix_api/src/imp/mmap/api.rs:108:34:
attempt to add with overflow
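
The overflow reported above, shown as an added Rust example that is not RuxOS code and not part of the original report: it contrasts the wrapped result of `start + len` with a checked range computation. The function names, the `EINVAL` policy (modeled on Linux `munmap`) and the sample address are assumptions.

```rust
// Added illustration, not RuxOS source. Names and errno policy are assumptions.
const PAGE_SIZE: usize = 4096;
const EINVAL: i32 = 22;

/// Round up to the next 4 KiB boundary; None if rounding would wrap.
fn align_up_4k(addr: usize) -> Option<usize> {
    addr.checked_add(PAGE_SIZE - 1).map(|a| a & !(PAGE_SIZE - 1))
}

/// What `start + len` followed by align-up yields once overflow checks are
/// off (release profile): the sum wraps silently instead of panicking.
fn wrapped_end(start: usize, len: usize) -> usize {
    start.wrapping_add(len).wrapping_add(PAGE_SIZE - 1) & !(PAGE_SIZE - 1)
}

/// Validate a user-supplied (start, len) pair before any arithmetic is trusted.
/// Returns the page-aligned half-open range [start, end) or an errno value.
fn munmap_range(start: usize, len: usize) -> Result<(usize, usize), i32> {
    if len == 0 || start % PAGE_SIZE != 0 {
        return Err(EINVAL);
    }
    let end = start
        .checked_add(len)      // rejects len = usize::MAX from the report
        .and_then(align_up_4k) // rejects an end that wraps when rounded up
        .ok_or(EINVAL)?;
    Ok((start, end))
}

fn main() {
    let start = 0x1000; // constructed sample address
    for len in [4096, 1, 0, usize::MAX] {
        println!("len={:#x}: checked={:?} wrapped_end={:#x}",
                 len, munmap_range(start, len), wrapped_end(start, len));
    }
}
```

With overflow checks disabled, the sample input wraps to an end equal to `start`, so the request would be treated as an empty range instead of being rejected.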
