fix: mem cache out of range panic caused by overflow
jayantxie committed Jun 28, 2024
1 parent a4196f3 commit bc570ba
Showing 2 changed files with 23 additions and 1 deletion.
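--- a/pkg/proc/mem.go
+++ b/pkg/proc/mem.go
@@ -35,7 +35,12 @@ type memCache struct {
 }
 
 func (m *memCache) contains(addr uint64, size int) bool {
-return addr >= m.cacheAddr && addr <= (m.cacheAddr+uint64(len(m.cache)-size))
+end := addr + uint64(size)
+if end < addr {
+// overflow
+return false
+}
+return addr >= m.cacheAddr && end <= m.cacheAddr+uint64(len(m.cache))
 }
 
 func (m *memCache) ReadMemory(data []byte, addr uint64) (n int, err error) {
@@ -69,6 +74,10 @@ func cacheMemory(mem MemoryReadWriter, addr uint64, size int) MemoryReadWriter {
 if size <= 0 {
 return mem
 }
+if addr+uint64(size) < addr {
+// overflow
+return mem
+}
 switch cacheMem := mem.(type) {
 case *memCache:
 if cacheMem.contains(addr, size) {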
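Review bot: In `contains`, the upper bound `m.cacheAddr+uint64(len(m.cache))` is still an unchecked addition, and `uint64(size)` converts a signed `int` without a sign check, so the result still depends on wrap-around reasoning. As far as these lines show, a wrapped bound or a negative size ends in a `false` return (a cache miss) rather than an out-of-range slice, but a range ending exactly at 2^64 is also reported as overflow. Comparing offsets avoids every addition: `if size < 0 || addr < m.cacheAddr { return false }`, then `off := addr - m.cacheAddr`, then `return off <= uint64(len(m.cache)) && uint64(size) <= uint64(len(m.cache))-off`. The two `// overflow` comments could also say what wraps, e.g. `// addr+size wraps past the top of the 64-bit address space`. The body of `cacheMemory` continues outside the hunk, so whether a cache can be created that close to the top of the address space cannot be confirmed from here.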
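--- a/pkg/proc/proc_general_test.go
+++ b/pkg/proc/proc_general_test.go
@@ -30,6 +30,19 @@ func TestIssue554(t *testing.T) {
 }
 }
 
+func TestIssue3760(t *testing.T) {
+// unsigned integer overflow if len(m.cache) < size
+mem := memCache{true, 0x20, make([]byte, 100), nil}
+if mem.contains(0x20, 200) {
+t.Fatalf("should be false")
+}
+
+cm := cacheMemory(nil, 0xffffffffffffffff, 10)
+if cm != nil {
+t.Fatalf("should be nil")
+}
+}
+
 type dummyMem struct {
 t *testing.T
 mem []byte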
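Review bot: Neither assertion in `TestIssue3760` reaches the new `end < addr` branch of `contains`: the first covers `len(m.cache) < size`, and the second passes a nil reader to `cacheMemory`, which is expected to return from its own added guard without calling `contains`. A direct case such as `if mem.contains(0xffffffffffffffff, 10) { t.Fatalf("should be false") }` would pin the wrap check, since without that branch the wrapped end falls inside the cached range. The failure messages would be easier to triage if they named the call that failed, and `t.Fatal` is enough where there are no format arguments.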
