author | 2016-07-13 17:52:37 +0000 | |
---|---|---|
committer | 2016-07-13 17:52:37 +0000 | |
commit | 99232cbaa222c3c4476222674bbeb72a7fbe7dfd (patch) | |
tree | d7f65fa118932820f24b68f1d25b5f1486f578e9 /sys | |
parent | Revert previous; the __MAP_NOFAULT test is inverted and the commit message is (diff) | |
Since mappings established using __MAP_NOFAULT will be converted into anonymous
memory if the file backing the mapping is truncated, we should check resource
limits. This prevents callers from triggering a kernel panic and a potential
integer overflow in the amap code by forcing the allocation of too many slots.
Based on an analysis from Jesse Hertz and Tim Newsham.
ok deraadt@
Diffstat (limited to 'sys')
-rw-r--r-- | sys/uvm/uvm_mmap.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/sys/uvm/uvm_mmap.c b/sys/uvm/uvm_mmap.c
index ac921faa0fa..242826a1061 100644
--- a/sys/uvm/uvm_mmap.c
+++ b/sys/uvm/uvm_mmap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: uvm_mmap.c,v 1.136 2016/07/13 17:49:00 kettenis Exp $ */
+/* $OpenBSD: uvm_mmap.c,v 1.137 2016/07/13 17:52:37 kettenis Exp $ */
 /* $NetBSD: uvm_mmap.c,v 1.49 2001/02/18 21:19:08 chs Exp $ */
 /*
@@ -521,7 +521,7 @@ sys_mmap(struct proc *p, void *v, register_t *retval)
 /* MAP_PRIVATE mappings can always write to */
 maxprot |= PROT_WRITE;
 }
- if ((flags & MAP_ANON) != 0 ||
+ if ((flags & MAP_ANON) != 0 || (flags & __MAP_NOFAULT) != 0 ||
 ((flags & MAP_PRIVATE) != 0 && (prot & PROT_WRITE) != 0)) {
 if (p->p_rlimit[RLIMIT_DATA].rlim_cur < size ||
 p->p_rlimit[RLIMIT_DATA].rlim_cur - size <
@@ -541,7 +541,7 @@ sys_mmap(struct proc *p, void *v, register_t *retval)
 is_anon: /* label for SunOS style /dev/zero */
- if ((flags & MAP_ANON) != 0 ||
+ if ((flags & MAP_ANON) != 0 || (flags & __MAP_NOFAULT) != 0 ||
 ((flags & MAP_PRIVATE) != 0 && (prot & PROT_WRITE) != 0)) {
 if (p->p_rlimit[RLIMIT_DATA].rlim_cur < size ||
 p->p_rlimit[RLIMIT_DATA].rlim_cur - size <
|
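Review bot: The new `(flags & __MAP_NOFAULT) != 0` term in the condition after `maxprot |= PROT_WRITE;` has no comment explaining why a file-backed mapping is charged against RLIMIT_DATA, and the same three-term condition is repeated verbatim in the `@@ -541` hunk after `is_anon:`. I would add above both tests a comment such as `/* __MAP_NOFAULT mappings become anonymous memory if the backing file is truncated, so they count against RLIMIT_DATA too. */`. Since the parent entry on this page records a revert for an inverted `__MAP_NOFAULT` test, keeping the two copies in sync by hand looks fragile; a small static helper or macro holding the predicate would leave one place to get right. The body of sys_mmap and the end of the rlimit comparison lie outside both hunks.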
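Review bot: The guard after `is_anon:` bounds `size` only by the caller's `RLIMIT_DATA` soft limit (`rlim_cur`), which is a per-process policy value rather than a structural bound on what the amap code can represent. The commit message locates the potential integer overflow in the amap slot allocation, which this diff does not touch; whether that path validates its own slot count is not visible here. If it does not, a range check at the allocation site would keep the overflow unreachable regardless of how a process's limits are set or which caller requests the mapping. The rlimit comparison itself continues past the last line of the hunk.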