From: "Theo de Raadt" <deraadt@openbsd.org>
Subject: Re: SYS_pinsyscalls question
To: Mark Kettenis <mark.kettenis@xs4all.nl>
Cc: Mateusz Guzik <mjguzik@gmail.com>, marc.espie.openbsd@gmail.com, tech@openbsd.org
Date: Sun, 02 Mar 2025 16:35:51 -0700

> I think the worst case is when the thread sees the correct pn_end,
> pn_pins and pn_npins, but pn_start is still zero.  That could
> potentially permit a syscall that shouldn't be allowed.

No.

        if (plibcpin->pn_pins &&
            addr >= plibcpin->pn_start && addr < plibcpin->pn_end)
                pin = plibcpin;

"addr" cannot be zero, because we don't allow mapping the NULL page
in userland.

I wonder if we can change >= to >