From b4e1c71261ee475034707c9fd945f4bfd49dc371 Mon Sep 17 00:00:00 2001
From: kettenis
Date: Wed, 13 Jul 2016 15:57:35 +0000
Subject: [PATCH] Since mappings established using __MAP_NOFAIL will be converted into anonymous memory if the file backing the mapping is truncated, we should check resource limits. This prevents callers from triggering a kernel panic and a potential integer overflow in the amap code by forcing the allocation of too many slots. Based on an analysis from Jesse Hertz and Tim Newsham. ok deraadt@
---
 sys/uvm/uvm_mmap.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sys/uvm/uvm_mmap.c b/sys/uvm/uvm_mmap.c
index e2d05d02fd5..66c5b81a1f3 100644
--- a/sys/uvm/uvm_mmap.c
+++ b/sys/uvm/uvm_mmap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: uvm_mmap.c,v 1.134 2016/06/08 15:38:28 deraadt Exp $ */
+/* $OpenBSD: uvm_mmap.c,v 1.135 2016/07/13 15:57:35 kettenis Exp $ */
 /* $NetBSD: uvm_mmap.c,v 1.49 2001/02/18 21:19:08 chs Exp $ */
 /*
@@ -521,7 +521,7 @@ sys_mmap(struct proc *p, void *v, register_t *retval)
 /* MAP_PRIVATE mappings can always write to */
 maxprot |= PROT_WRITE;
 }
- if ((flags & MAP_ANON) != 0 ||
+ if ((flags & MAP_ANON) != 0 || (flags & __MAP_NOFAULT) == 0 ||
 ((flags & MAP_PRIVATE) != 0 && (prot & PROT_WRITE) != 0)) {
 if (p->p_rlimit[RLIMIT_DATA].rlim_cur < size ||
 p->p_rlimit[RLIMIT_DATA].rlim_cur - size <
@@ -541,7 +541,7 @@ sys_mmap(struct proc *p, void *v, register_t *retval)
 is_anon: /* label for SunOS style /dev/zero */
- if ((flags & MAP_ANON) != 0 ||
+ if ((flags & MAP_ANON) != 0 || (flags & __MAP_NOFAULT) == 0 ||
 ((flags & MAP_PRIVATE) != 0 && (prot & PROT_WRITE) != 0)) {
 if (p->p_rlimit[RLIMIT_DATA].rlim_cur < size ||
 p->p_rlimit[RLIMIT_DATA].rlim_cur - size <
-- 2.20.1
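Review bot: The added test `(flags & __MAP_NOFAULT) == 0` in the hunk at -521 looks inverted relative to the commit message. It is true when the flag is absent, so a shared file mapping that sets __MAP_NOFAULT (and is neither MAP_ANON nor private-writable) still skips the RLIMIT_DATA check, while every ordinary mapping without the flag is now charged against that limit. If the intent is to account for no-fault mappings that can later become anonymous memory, the line should read `if ((flags & MAP_ANON) != 0 || (flags & __MAP_NOFAULT) != 0 ||`. The identical line in the hunk at -541, after the `is_anon:` label, needs the same change. Both conditions sit inside sys_mmap, whose body starts and ends outside these hunks, so the accounting that follows the limit check should be confirmed against the full function.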