The code responsible for filling a page with repeated copies of the signal trampoline code assumes that PAGE_SIZE % sigfillsz == 0.
While this is true on all currently supported OpenBSD platforms, this might not be the case in the future (and isn't the case on some no-longer official platforms). The following diff makes sure that we don't try to write more than PAGE_SIZE bytes in this page. Another possibility would be to assert that PAGE_SIZE % sigfillsz == 0 and only apply this diff once it becomes truly needed. Index: sys/kern/kern_exec.c =================================================================== RCS file: /OpenBSD/src/sys/kern/kern_exec.c,v retrieving revision 1.208 diff -u -p -r1.208 kern_exec.c --- sys/kern/kern_exec.c 2 Aug 2019 02:17:35 -0000 1.208 +++ sys/kern/kern_exec.c 25 Nov 2019 10:09:48 -0000 @@ -832,7 +832,7 @@ exec_sigcode_map(struct process *pr, str if (e->e_sigobject == NULL) { extern int sigfillsiz; extern u_char sigfill[]; - size_t off; + size_t off, left; vaddr_t va; int r; @@ -846,8 +846,12 @@ exec_sigcode_map(struct process *pr, str return (ENOMEM); } - for (off = 0; off < round_page(sz); off += sigfillsiz) - memcpy((caddr_t)va + off, sigfill, sigfillsiz); + for (off = 0, left = round_page(sz); left != 0; + off += sigfillsiz) { + size_t chunk = ulmin(left, sigfillsiz); + memcpy((caddr_t)va + off, sigfill, chunk); + left -= chunk; + } memcpy((caddr_t)va, e->e_sigcode, sz); uvm_unmap(kernel_map, va, va + round_page(sz)); }