DragonFlyBSD Kernel Audit
← dashboard
DF-0131

fp_mmap size arithmetic can wrap past SSIZE_MAX after signedness check

Summary

fp_mmap rejects (ssize_t)size<0(:409) but size+=pageoff(:416)+round_page(:417) can push past SSIZE_MAX. No wrap re-check (unlike sys_msync:474). Contained by vm_mmap downstream validation. Phantom success if wraps to 0.