From 91838816c6f7782776eaab516534fac34fa0203c Mon Sep 17 00:00:00 2001
From: deraadt
Date: Fri, 5 Apr 2024 12:51:15 +0000
Subject: [PATCH] Esure the base,len range provided by ld.so is definately in the map. Being outside the map doesn't seem like it can do anything bad. Discussed with kettenis
---
 sys/uvm/uvm_mmap.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/sys/uvm/uvm_mmap.c b/sys/uvm/uvm_mmap.c
index e9c4f7c4290..ea617dde6c5 100644
--- a/sys/uvm/uvm_mmap.c
+++ b/sys/uvm/uvm_mmap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: uvm_mmap.c,v 1.188 2024/04/03 22:21:48 kettenis Exp $ */
+/* $OpenBSD: uvm_mmap.c,v 1.189 2024/04/05 12:51:15 deraadt Exp $ */
 /* $NetBSD: uvm_mmap.c,v 1.49 2001/02/18 21:19:08 chs Exp $ */
 /*
@@ -610,6 +610,7 @@ sys_pinsyscalls(struct proc *p, void *v, register_t *retval)
 syscallarg(int) npins;
 } */ *uap = v;
 struct process *pr = p->p_p;
+ struct vm_map *map = &p->p_vmspace->vm_map;
 int npins, error = 0, i;
 vaddr_t base;
 size_t len;
@@ -622,6 +623,8 @@ sys_pinsyscalls(struct proc *p, void *v, register_t *retval)
 len = (vsize_t)SCARG(uap, len);
 if (base > SIZE_MAX - len)
 return (EINVAL); /* disallow wrap-around. */
+ if (base < map->min_offset || base+len > map->max_offset)
+ return (EINVAL);
 /* XXX MP unlock */
--
2.20.1
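Review bot: The added `return (EINVAL);` in the third hunk carries no comment, unlike the wrap-around check directly above it, so the reason a userland-supplied `base`,`len` is rejected lives only in the commit message; a trailing `/* range must lie within the map's address limits */` would record it next to the code. The comparison bounds the range by `min_offset` and `max_offset` only, so it establishes that the range falls inside the address span the map covers, not that it is backed by a mapping; whether later code in sys_pinsyscalls depends on the stronger property cannot be seen here, since the function continues outside the hunk. `base+len` cannot wrap at this point only because the preceding `base > SIZE_MAX - len` test has already returned, so the order of the two checks matters and is worth a word in the same comment. As a style point, `vm_map_min(map)` and `vm_map_max(map)` would read more consistently than accessing the fields directly, if the surrounding uvm code uses those accessors.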