From cbd2c621f8855fb502d213c589f5aac4aa89c38d Mon Sep 17 00:00:00 2001
From: Konstantin Belousov <kib@FreeBSD.org>
Date: Fri, 22 Feb 2008 11:47:56 +0000
Subject: [PATCH] Sanitize arguments to linux_mremap(). Check that only
 MREMAP_FIXED and MREMAP_MAYMOVE flags are specified. Check for the page
 alignment of the addr argument.

Submitted by:	rdivacky
MFC after:	1 week
---
 sys/compat/linux/linux_misc.c | 15 +++++++++++++++
 sys/compat/linux/linux_misc.h |  3 +++
 2 files changed, 18 insertions(+)

diff --git a/sys/compat/linux/linux_misc.c b/sys/compat/linux/linux_misc.c
index 1adb656de4db..ee06e78463a2 100644
--- a/sys/compat/linux/linux_misc.c
+++ b/sys/compat/linux/linux_misc.c
@@ -588,6 +588,21 @@ linux_mremap(struct thread *td, struct linux_mremap_args *args)
 		    (unsigned long)args->new_len,
 		    (unsigned long)args->flags);
 #endif
+
+	if (args->flags & ~(LINUX_MREMAP_FIXED | LINUX_MREMAP_MAYMOVE)) {
+		td->td_retval[0] = 0;
+		return (EINVAL);
+	}
+
+	/*
+	 * Check for the page alignment.
+	 * Linux defines PAGE_MASK to be FreeBSD ~PAGE_MASK.
+	 */
+	if (args->addr & PAGE_MASK) {
+		td->td_retval[0] = 0;
+		return (EINVAL);
+	}
+
 	args->new_len = round_page(args->new_len);
 	args->old_len = round_page(args->old_len);
 
diff --git a/sys/compat/linux/linux_misc.h b/sys/compat/linux/linux_misc.h
index 32fa74a1cc46..c80a432f1b9a 100644
--- a/sys/compat/linux/linux_misc.h
+++ b/sys/compat/linux/linux_misc.h
@@ -42,4 +42,7 @@
 
 #define	LINUX_MAX_COMM_LEN	16	/* Maximum length of the process name. */
 
+#define	LINUX_MREMAP_MAYMOVE	1
+#define	LINUX_MREMAP_FIXED	2
+
 #endif	/* _LINUX_MISC_H_ */