There are times when a len==0 parameter to mmap is okay. But on a

32-bit machine, a len parameter just a few bytes short of 4G, rounded up to a page boundary and hitting zero then, is not okay. Return failure in that case. Reported by: pho Reviewed by: alc, kib (mentor) Tested by: pho Differential Revision: https://reviews.freebsd.org/D20580
svn path=/head/; revision=348843
2019-06-10 03:07:10 +00:00 · 2019-06-10 03:07:10 +00:00 · 97220a279f · 2020-12-20 02:59:44 +00:00
commit 97220a279f
parent c851fce6d7
1 changed files with 4 additions and 1 deletions
--- a/sys/vm/vm_mmap.c
+++ b/sys/vm/vm_mmap.c
@ -257,7 +257,10 @@ kern_mmap(struct thread *td, uintptr_t addr0, size_t size, int prot, int flags,

 	/* Adjust size for rounding (on both ends). */
 	size += pageoff;			/* low end... */
-	size = (vm_size_t) round_page(size);	/* hi end */
+	/* Check for rounding up to zero. */
+	if (round_page(size) < size)
+		return (EINVAL);
+	size = round_page(size);		/* hi end */

 	/* Ensure alignment is at least a page and fits in a pointer. */
 	align = flags & MAP_ALIGNMENT_MASK;