From 39faf7cbc87419a74eec50db921fe02b6245458f Mon Sep 17 00:00:00 2001 From: dougm Date: Mon, 10 Jun 2019 03:07:10 +0000 Subject: [PATCH] There are times when a len==0 parameter to mmap is okay. But on a 32-bit machine, a len parameter just a few bytes short of 4G, rounded up to a page boundary and hitting zero then, is not okay. Return failure in that case. Reported by: pho Reviewed by: alc, kib (mentor) Tested by: pho Differential Revision: https://reviews.freebsd.org/D20580 --- sys/vm/vm_mmap.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sys/vm/vm_mmap.c b/sys/vm/vm_mmap.c index 597ffe29d95..f50f4f8747d 100644 --- a/sys/vm/vm_mmap.c +++ b/sys/vm/vm_mmap.c @@ -257,7 +257,10 @@ kern_mmap(struct thread *td, uintptr_t addr0, size_t size, int prot, int flags, /* Adjust size for rounding (on both ends). */ size += pageoff; /* low end... */ - size = (vm_size_t) round_page(size); /* hi end */ + /* Check for rounding up to zero. */ + if (round_page(size) < size) + return (EINVAL); + size = round_page(size); /* hi end */ /* Ensure alignment is at least a page and fits in a pointer. */ align = flags & MAP_ALIGNMENT_MASK; -- 2.45.0
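Review bot: The new test `if (round_page(size) < size)` only covers the round-up at the high end; the unchanged `size += pageoff;` directly above it is also an unsigned addition, and the hunk does not check it. If `size` is within a page of the maximum and `pageoff` is nonzero, that addition wraps to a small value, which `round_page()` then rounds up normally and the new check accepts. Unless a bound outside this hunk already rules that out, test the addition as well (for example, compare `size + pageoff` against `size` before assigning) and return `EINVAL` there too. A smaller point: the comment says "rounding up to zero", while the commit message notes that a zero length is sometimes acceptable. It would help to say in the comment that a `size` of 0 passes this test on purpose, since `round_page(0)` is not less than 0, and that only the wrapped case is rejected.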