Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Kernel panic when invoking mmap with MAP_FIXED and not representable bounds #2222

Open
RoundofThree opened this issue Sep 24, 2024 · 0 comments
Open

Kernel panic when invoking mmap with MAP_FIXED and not representable bounds #2222

RoundofThree opened this issue Sep 24, 2024 · 0 comments

Comments

@RoundofThree
Copy link
Member

RoundofThree commented Sep 24, 2024
edited
Loading

When running a kernel at releng/24.05, b2ad856, with GENERIC-MORELLO-PURECAP, I noticed that the kernel crashes when mmapping with MAP_FIXED and not representable hint and size. The crash reproduces in kernels with INVARIANTS compiled in. Here’s a poc that immediately crashes:

#include <stdio.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>

int main() {
    size_t size = 0x100000001000;
    void *fixed_address = (void *)0x100000000000;

    void *addr = mmap(fixed_address, size, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
    
    if (addr == MAP_FAILED) {
        perror("mmap failed");
        return 1;
    }

    if (addr != fixed_address) {
        fprintf(stderr, "mmap did not return the expected fixed address: %p\n", addr);
        return 1;
    }

    printf("Memory successfully mapped at address %p, size: 0x%lx\n", addr, size);

    if (munmap(addr, size) == -1) {
        perror("munmap failed");
        return 1;
    }

    printf("Memory successfully unmapped.\n");

    return 0;
}

The backtrace is:

root@cheribsd-morello-purecap:~ # ./mmap_crash 
panic: Reservation length is not representable 100000001000
cpuid = 1
time = 1727185079
KDB: stack backtrace:
db_trace_self() at db_trace_self
db_trace_self_wrapper() at db_trace_self_wrapper+0x6c
kdb_backtrace() at kdb_backtrace+0x90
vpanic() at vpanic+0x328
panic() at panic+0x70
vm_map_reservation_create_locked() at vm_map_reservation_create_locked+0x254
vm_map_fixed() at vm_map_fixed+0x2fc
vm_mmap_object() at vm_mmap_object+0x7dc
kern_mmap() at kern_mmap+0x1734
sys_mmap() at sys_mmap+0x88c
syscallenter() at syscallenter+0x8d0
svc_handler() at svc_handler+0x58
do_el0_sync() at do_el0_sync+0x298
handle_el0_sync() at handle_el0_sync+0x30
--- exception, esr 0x56000000
KDB: enter: panic
[ thread pid 781 tid 100075 ]
Stopped at      breakpoint+0x13:        undefined       22c17bfd

I believe it’s this line:

cheribsd/sys/vm/vm_map.c

Line 6351 in b2ad856

KASSERT(is_aligned(*addr, CHERI_REPRESENTABLE_ALIGNMENT(length)),
.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@RoundofThree