From 5711bf30daa21bd07829f094ea4110ea301b6721 Mon Sep 17 00:00:00 2001
From: John Baldwin <jhb@FreeBSD.org>
Date: Tue, 23 Mar 2010 21:08:07 +0000
Subject: [PATCH] Reject attempts to create a MAP_ANON mapping with a non-zero
 offset.

PR:		kern/71258
Submitted by:	Alexander Best
MFC after:	2 weeks
---
 lib/libc/sys/mmap.2 | 7 ++++++-
 sys/vm/vm_mmap.c    | 3 +--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/lib/libc/sys/mmap.2 b/lib/libc/sys/mmap.2
index 48499731b58b..b633cb11942e 100644
--- a/lib/libc/sys/mmap.2
+++ b/lib/libc/sys/mmap.2
@@ -105,7 +105,7 @@ The file descriptor used for creating
 must be \-1.
 The
 .Fa offset
-argument is ignored.
+argument must be 0.
 .\".It Dv MAP_FILE
 .\"Mapped from a regular file or character-special device memory.
 .It Dv MAP_ANONYMOUS
@@ -316,6 +316,11 @@ was equal to zero.
 was specified and the
 .Fa fd
 argument was not -1.
+.It Bq Er EINVAL
+.Dv MAP_ANON
+was specified and the
+.Fa offset
+argument was not 0.
 .It Bq Er ENODEV
 .Dv MAP_ANON
 has not been specified and
diff --git a/sys/vm/vm_mmap.c b/sys/vm/vm_mmap.c
index 4963a6038339..a47cd6a0f888 100644
--- a/sys/vm/vm_mmap.c
+++ b/sys/vm/vm_mmap.c
@@ -233,7 +233,7 @@ mmap(td, uap)
 	/* Make sure mapping fits into numeric range, etc. */
 	if ((uap->len == 0 && !SV_CURPROC_FLAG(SV_AOUT) &&
 	     curproc->p_osrel >= 800104) ||
-	    ((flags & MAP_ANON) && uap->fd != -1))
+	    ((flags & MAP_ANON) && (uap->fd != -1 || pos != 0)))
 		return (EINVAL);
 
 	if (flags & MAP_STACK) {
@@ -300,7 +300,6 @@ mmap(td, uap)
 		handle = NULL;
 		handle_type = OBJT_DEFAULT;
 		maxprot = VM_PROT_ALL;
-		pos = 0;
 	} else {
 		/*
 		 * Mapping file, get fp for validation and