From f50da609752628d46b59a56abf13ed84daec4a53 Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Mon, 23 Feb 2026 11:30:25 -0800
Subject: [PATCH] Fix integer overflow panics on guest-derived usize arithmetic (#3)

Fix integer overflow vulnerabilities in guest-derived arithmetic

Co-authored-by: CvvT <11675863+CvvT@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: CvvT <11675863+CvvT@users.noreply.github.com>
---
 litebox_shim_linux/src/syscalls/mm.rs | 2 +-
 litebox_shim_linux/src/syscalls/process.rs | 10 ++++++----
 litebox_shim_optee/src/syscalls/ldelf.rs | 8 ++++----
 3 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/litebox_shim_linux/src/syscalls/mm.rs b/litebox_shim_linux/src/syscalls/mm.rs
index d0ba581f4..a928afd84 100644
--- a/litebox_shim_linux/src/syscalls/mm.rs
+++ b/litebox_shim_linux/src/syscalls/mm.rs
@@ -17,7 +17,7 @@ use crate::Task;
 #[inline]
 fn align_up(addr: usize, align: usize) -> usize {
 debug_assert!(align.is_power_of_two());
- (addr + align - 1) & !(align - 1)
+ addr.wrapping_add(align - 1) & !(align - 1)
 }
 
 #[expect(
diff --git a/litebox_shim_linux/src/syscalls/process.rs b/litebox_shim_linux/src/syscalls/process.rs
index 05e015244..525e84dcb 100644
--- a/litebox_shim_linux/src/syscalls/process.rs
+++ b/litebox_shim_linux/src/syscalls/process.rs
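Review bot: `addr.wrapping_add(align - 1) & !(align - 1)` in `align_up` replaces the former panic with a silent wrap: a guest-supplied `addr` within `align - 1` of `usize::MAX` now yields a small aligned value (0 for `addr == usize::MAX`), which a caller may accept as a valid address unless it range-checks the result itself. Since the callers of `align_up` are not in this diff, keeping the failure explicit is the safer shape: `fn align_up(addr: usize, align: usize) -> Option<usize> {` with the body `addr.checked_add(align - 1).map(|a| a & !(align - 1))`; if the wrapping contract is intended, state it on the function, e.g. `/// Wraps on overflow; callers must validate the result against the permitted range.` Note also that the `debug_assert!` on the line above is compiled out in release builds, so `align == 0` would make `align - 1` wrap there too; `align` looks caller-controlled rather than guest-derived, so that may be acceptable, but it is worth a word in the doc comment.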
@@ -468,14 +468,14 @@ fn wake_robust_list(
 let (mut entry, mut pi) = fetch_robust_entry(crate::ConstPtr::from_usize(head.list.next));
 let (pending, ppi) = fetch_robust_entry(crate::ConstPtr::from_usize(head.list_op_pending));
 let futex_offset = head.futex_offset;
- let entry_head = head_ptr + offset_of!(litebox_common_linux::RobustListHead, list);
+ let entry_head = head_ptr.wrapping_add(offset_of!(litebox_common_linux::RobustListHead, list));
 while entry.as_usize() != entry_head && limit > 0 {
 let nxt = entry
 .read_at_offset(0)
 .map(|e| fetch_robust_entry(crate::ConstPtr::from_usize(e.next)));
 if entry.as_usize() != pending.as_usize() {
 handle_futex_death(
- crate::ConstPtr::from_usize(entry.as_usize() + futex_offset),
+ crate::ConstPtr::from_usize(entry.as_usize().wrapping_add(futex_offset)),
 pi,
 false,
 )?;
@@ -491,7 +491,7 @@ fn wake_robust_list(
 
 if pending.as_usize() != 0 {
 let _ = handle_futex_death(
- crate::ConstPtr::from_usize(pending.as_usize() + futex_offset),
+ crate::ConstPtr::from_usize(pending.as_usize().wrapping_add(futex_offset)),
 ppi,
 true,
 );
@@ -1311,7 +1311,9 @@ impl Task {
 }
 out.push(cs);
 // advance to next pointer
- base = crate::ConstPtr::from_usize(base.as_usize() + core::mem::size_of::());
+ base = crate::ConstPtr::from_usize(
+ base.as_usize().wrapping_add(core::mem::size_of::()),
+ );
 }
 Ok(out)
 }
diff --git a/litebox_shim_optee/src/syscalls/ldelf.rs b/litebox_shim_optee/src/syscalls/ldelf.rs
index 72f6a5ab4..588d29fe4 100644
--- a/litebox_shim_optee/src/syscalls/ldelf.rs
+++ b/litebox_shim_optee/src/syscalls/ldelf.rs
@@ -52,8 +52,8 @@ impl Task {
 let total_size = num_bytes
 .checked_add(pad_begin)
 .and_then(|t| t.checked_add(pad_end))
- .ok_or(TeeResult::BadParameters)?
- .next_multiple_of(PAGE_SIZE);
+ .and_then(|t| t.checked_next_multiple_of(PAGE_SIZE))
+ .ok_or(TeeResult::BadParameters)?;
 if addr.checked_add(total_size).is_none() {
 return Err(TeeResult::BadParameters);
 }
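Review bot: `entry.as_usize().wrapping_add(futex_offset)` builds a pointer from two guest-controlled values — `entry` comes from the list walked in guest memory and `futex_offset` from the robust-list head — so after the wrap the address can land anywhere rather than failing; that is only safe if `handle_futex_death` reaches guest memory through an accessor that rejects out-of-range addresses, which the `?` propagation suggests but the hunk does not show. A comment at the wrapping site would make the reliance explicit, e.g. `// Guest-controlled offset: wrap rather than panic and let handle_futex_death reject unreadable addresses.`; the same applies to the `pending` counterpart in the 491 hunk. The `base` advance in the 1311 hunk relies on the same property, and its loop's termination condition lies outside the hunk, so it is worth confirming that a wrapped `base` cannot re-enter a readable low region and prolong the scan (the type parameter of `size_of::<…>()` appears stripped on this page). `wake_robust_list` continues beyond both of its hunks.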
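Review bot: `addr.checked_add(total_size).is_none()` verifies the end address but discards it, so any code after the hunk that needs the mapping's end must recompute `addr + total_size` and repeat the check to stay panic-free. Binding the sum once keeps the guarantee attached to the value: `let end = addr.checked_add(total_size).ok_or(TeeResult::BadParameters)?;`. The 178 hunk has the identical shape. Moving `checked_next_multiple_of` ahead of `ok_or` is the right fix — it also returns `None` for a zero divisor instead of panicking — and the enclosing method starts and ends outside the hunk.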
@@ -178,8 +178,8 @@ impl Task {
 let total_size = num_bytes
 .checked_add(pad_begin)
 .and_then(|t| t.checked_add(pad_end))
- .ok_or(TeeResult::BadParameters)?
- .next_multiple_of(PAGE_SIZE);
+ .and_then(|t| t.checked_next_multiple_of(PAGE_SIZE))
+ .ok_or(TeeResult::BadParameters)?;
 if addr.checked_add(total_size).is_none() {
 return Err(TeeResult::BadParameters);
 }