diff --git a/kernel/src/syscall/madvise.rs b/kernel/src/syscall/madvise.rs
index a2d72402c..84b1a092d 100644
--- a/kernel/src/syscall/madvise.rs
+++ b/kernel/src/syscall/madvise.rs
@@ -20,7 +20,10 @@ pub fn sys_madvise(
 if start % PAGE_SIZE != 0 {
 return_errno_with_message!(Errno::EINVAL, "the start address should be page aligned");
 }
- if len == 0 || len > usize::MAX - PAGE_SIZE + 1 {
+ if len > usize::MAX - PAGE_SIZE + 1 {
+ return_errno_with_message!(Errno::EINVAL, "len align overflow");
+ }
+ if len == 0 {
 return Ok(SyscallReturn::Return(0));
 }
 
diff --git a/kernel/src/syscall/mmap.rs b/kernel/src/syscall/mmap.rs
index 8e6f34cee..a25633cc2 100644
--- a/kernel/src/syscall/mmap.rs
+++ b/kernel/src/syscall/mmap.rs
@@ -57,8 +57,8 @@ fn do_sys_mmap(
 if len == 0 {
 return_errno_with_message!(Errno::EINVAL, "mmap len cannot be zero");
 }
- if len > usize::MAX - PAGE_SIZE + 1 {
- return_errno_with_message!(Errno::ENOMEM, "mmap len align overflow");
+ if len > isize::MAX as usize {
+ return_errno_with_message!(Errno::ENOMEM, "mmap len too large");
 }
 let len = len.align_up(PAGE_SIZE);
 
@@ -66,6 +66,13 @@ fn do_sys_mmap(
 if offset % PAGE_SIZE != 0 {
 return_errno_with_message!(Errno::EINVAL, "mmap only support page-aligned offset");
 }
+ offset.checked_add(len).ok_or(Error::with_message(
+ Errno::EOVERFLOW,
+ "integer overflow when (offset + len)",
+ ))?;
+ if addr > isize::MAX as usize - len {
+ return_errno_with_message!(Errno::ENOMEM, "mmap (addr + len) too large");
+ }
 
 let root_vmar = ctx.process.root_vmar();
 let vm_map_options = {
diff --git a/kernel/src/vm/vmar/mod.rs b/kernel/src/vm/vmar/mod.rs
index 2df3271fd..af91f2e64 100644
--- a/kernel/src/vm/vmar/mod.rs
+++ b/kernel/src/vm/vmar/mod.rs
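Review bot: The new `len > usize::MAX - PAGE_SIZE + 1` guard in sys_madvise reads as an arbitrary constant and deserves a comment saying what it bounds, e.g. `// Largest len whose round-up to PAGE_SIZE still fits in usize.` The hunk shows no check that `start + len` does not wrap once `len` is page-aligned; if sys_madvise does not reject that further down — its body continues outside the hunk — a wrapped range would be applied to the wrong addresses, so a `start.checked_add(len)` check returning EINVAL would belong next to this one. The message `"len align overflow"` could also name the syscall, as the mmap variant in this same patch does.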
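Review bot: `len == isize::MAX as usize` passes the replaced check in do_sys_mmap, but `len.align_up(PAGE_SIZE)` on the following line then yields `isize::MAX as usize + 1`, and the `isize::MAX as usize - len` in the `@@ -66,6 +66,13 @@` hunk below underflows for that value — a panic if this build has overflow checks enabled, otherwise a wrap to `usize::MAX` that makes the `addr` guard accept any address. Either bound the pre-alignment length so the aligned value stays representable, `if len > isize::MAX as usize - PAGE_SIZE + 1 {`, or make the later guard use checked arithmetic, `if addr.checked_add(len).map_or(true, |end| end > isize::MAX as usize) {`, which also covers `addr + len` wrapping. The same defect applies to the second hunk of this file; do_sys_mmap's body continues outside both hunks.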
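Review bot: The added `offset.checked_add(len).ok_or(Error::with_message(...))?` statement discards its value and builds the error eagerly, while every neighbouring check in do_sys_mmap uses `return_errno_with_message!`; writing it as `if offset.checked_add(len).is_none() { return_errno_with_message!(Errno::EOVERFLOW, "integer overflow when (offset + len)"); }` keeps the function's style uniform and only constructs the error on the failing path. A short comment on the new `addr` check would also help a reader, e.g. `// Keep (addr + len) <= isize::MAX, matching the len bound above.` The enclosing function continues outside the hunk.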
@@ -169,7 +169,7 @@ impl VmarInner {
 .checked_add(child_size)
 .ok_or(Error::with_message(
 Errno::ENOMEM,
- "integer overflow whem (child_vmar_real_start + child_size)",
+ "integer overflow when (child_vmar_real_start + child_size)",
 ))?;
 if region_start <= child_vmar_real_start && child_vmar_real_end <= region_end {
 return Ok((*region_base, child_vmar_real_start));