From 6ee499aeb01eb95ae318c67d4f6bb992b803c8ab Mon Sep 17 00:00:00 2001
From: Andreas Kling <kling@serenityos.org>
Date: Sun, 14 Feb 2021 13:14:25 +0100
Subject: [PATCH] Kernel: Round old address/size in sys$mremap() to page size
 multiples

Found by fuzz-syscalls. :^)
---
 Kernel/Syscalls/mmap.cpp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/Kernel/Syscalls/mmap.cpp b/Kernel/Syscalls/mmap.cpp
index b380858300..6f6c04e459 100644
--- a/Kernel/Syscalls/mmap.cpp
+++ b/Kernel/Syscalls/mmap.cpp
@@ -469,11 +469,17 @@ void* Process::sys$mremap(Userspace<const Syscall::SC_mremap_params*> user_param
 {
     REQUIRE_PROMISE(stdio);
 
-    Syscall::SC_mremap_params params;
+    Syscall::SC_mremap_params params {};
     if (!copy_from_user(&params, user_params))
         return (void*)-EFAULT;
 
-    auto* old_region = space().find_region_from_range(Range { VirtualAddress(params.old_address), params.old_size });
+    if (page_round_up_would_wrap(params.old_size))
+        return (void*)-EINVAL;
+
+    auto old_address = page_round_down(params.old_address);
+    auto old_size = page_round_up(params.old_size);
+
+    auto* old_region = space().find_region_from_range(Range { VirtualAddress { old_address }, old_size });
     if (!old_region)
         return (void*)-EINVAL;