However, this code contains a fairly obvious integer overflow in the check: what happens if (start + size) overflows its 32-bit representation, wrapping around to a smaller number? As a result, it's possible to provide pgoff and size values to mmap() that circumvent this check and map arbitrary kernel memory once again.
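As an added example, not the driver's code, here is the wrapping comparison the text describes beside a form of the check that never computes `start + size` and so cannot wrap. The region bounds, the page shift and the `range_ok_*` names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed window of memory the driver is allowed to expose
 * (assumed values, not the real driver's). */
#define REGION_BASE 0x10000000u
#define REGION_END  0x10100000u   /* exclusive end: a 1 MiB window */
#define PAGE_SHIFT  12u

/* Vulnerable check, following the pattern in the text: start + size is
 * computed in 32 bits, so a large size wraps to a small sum and passes. */
bool range_ok_vulnerable(uint32_t start, uint32_t size)
{
    return start >= REGION_BASE && (start + size) <= REGION_END;
}

/* Hardened check: reject empty ranges, pin start inside the window first,
 * then compare size against the remaining room. REGION_END - start cannot
 * underflow because start < REGION_END has already been established. */
bool range_ok_hardened(uint32_t start, uint32_t size)
{
    if (size == 0)
        return false;
    if (start < REGION_BASE || start >= REGION_END)
        return false;
    return size <= REGION_END - start;
}

/* The mmap() path derives start from pgoff; the shift itself can overflow
 * 32 bits, so reject pgoff values that would lose high bits. Returns false
 * when pgoff cannot be represented as a 32-bit byte offset. */
bool pgoff_to_start(uint32_t pgoff, uint32_t *start)
{
    if (pgoff >> (32u - PAGE_SHIFT))
        return false;
    *start = pgoff << PAGE_SHIFT;
    return true;
}

int main(void)
{
    /* Constructed request whose start + size wraps past 2^32. */
    uint32_t start = 0x10001000u, size = 0xFFFFF000u;
    printf("vulnerable accepts wrapped request: %d\n", range_ok_vulnerable(start, size));
    printf("hardened accepts wrapped request:   %d\n", range_ok_hardened(start, size));
    return 0;
}
```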
