fix: handle overflow when computing mmap offset during restore

Since we dropped the explicit offset field from the snapshot file, we are implicit computing it as "sum of sizes of all preceding regions". If the snapshot file is corrupted, it can describe regions whose sum exceeds u64::MAX. Fix this by adding overflow checks and returning an error in case of overflows We also error out if it exceeds i64::MAX as the offset argument to mmap(2) is a signed 64 bit integer value. Fixes: d835805 Signed-off-by: Patrick Roy <[email protected]>
loopholelabs · Feb 18, 2025 · 2167247 · 2167247
1 parent 07ce762
commit 2167247
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/src/vmm/src/vstate/memory.rs b/src/vmm/src/vstate/memory.rs
@@ -52,6 +52,8 @@ pub enum MemoryError {
     Memfd(memfd::Error),
     /// Cannot resize memfd file: {0}
     MemfdSetLen(std::io::Error),
+    /// Total sum of memory regions exceeds largest possible file offset
+    OffsetTooLarge,
 }
 
 /// Defines the interface for snapshotting memory.
@@ -188,7 +190,13 @@ impl GuestMemoryExtension for GuestMemoryMmap {
                     builder = builder.with_file_offset(file_offset);
                 }
 
-                offset += size as u64;
+                offset = match offset.checked_add(size as u64) {
+                    None => return Err(MemoryError::OffsetTooLarge),
+                    Some(new_off) if new_off >= i64::MAX as u64 => {
+                        return Err(MemoryError::OffsetTooLarge)
+                    }
+                    Some(new_off) => new_off,
+                };
 
                 GuestRegionMmap::new(
                     builder.build().map_err(MemoryError::MmapRegionError)?,