From nobody Mon Jun 8 16:44:28 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gYyYm6qqyz6gM0c for ; Mon, 08 Jun 2026 16:44:28 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gYyYm68zHz3DjN for ; Mon, 08 Jun 2026 16:44:28 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780937068; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=RuANojvttz/jDCcMkFTQA+AfoSfRIZK9HncSNplK//k=; b=P7EJslknF6n+0cfuBIrAH2mGsryza0zExr2laGtZdqUGYLgN9joC2ehrgDrn64p1QCkPkz QbxZhuAw09aXR3LkQYyWP8fkken1AQBGxFv9xnn83gX5TY2pIa1XFMWImfxosQ7/hgTMbS pLs51PivGH5bBr5fnJasrvX2h4V0n0cHu5KgUrzfB7tBbVSY2/oRhIMdR4+Yv2by215PV5 0uo7YBa5q0xIMj4nPx2kZS6VsL43KiDG77nM8CrQm5h0MnmOVFlH+2u1lHajQDNTfcwEKy UEnOze8SyYDQxn8HOkJRjv3DF+9lCyc76rszzPTj5ECkJqZXrn7Cx45upZY5hQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1780937068; a=rsa-sha256; cv=none; b=hzE4Q+VO5fXsqzXmXFgIoItSnTnlgh7Ivm+5G9LJGJ0uipXDkq9kQ5+tFNdnQix5y/BBHM sPu5jUZbcBUFCPelPE7BrQRiaqPvdoRrf/aa+IDWe1UPk/SUslttUrB+5WiqWPag5X4O3n pCmoI63a0KtGw0xyTsz5y+wW2/pKXdcr0kfyHbePKpvaxYcXr2YkYDAitLTTMcTnLjU7u0 7IFLV4i6eEvnIjXHnHemXG+zI4okN0DwkDNDwN6iqoYnAIXYMxpIWhkCXM/EocgRzKnCVg ZSSf6o6ceCFQxvUMr9NZz/6ieowc5A1CQCPfApzA2kgU9+QsJNvngT/1ipq+3w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780937068; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=RuANojvttz/jDCcMkFTQA+AfoSfRIZK9HncSNplK//k=; b=T6sZoRI0W4QVkQn8AjTw89seAk2bhgNVJWXBsVfeG3bfYefgWuZqSgo4yAKjnm7957QGzO tlsx8QKA5eva+NUDf7TXvuGCXpPNE41OwdgMSMR9G5jM4o7VloYK64jqZD1y7yYDqRgps+ VEuonRLyBe5nVIzS9plB1Af42HFF3InQFuvsTUDtUaVhxFvuoTzPT6KTSdlbD8abTEJcTd YHEUcz+fxSgvcScoZFLUVqbXKxhc5KzETByadwQ3UpbSZuEBM87E2ePmxnL+orWS9scpDS Ge+LgmTOhB6lDfHq5kxAmd5Jw2fAqDhayhxQc0V3QGm7ORqRHqHLwI6xucBbOw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gYyYm5hhTzx0v for ; Mon, 08 Jun 2026 16:44:28 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 25786 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Mon, 08 Jun 2026 16:44:28 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Warner Losh Subject: git: 8dca7fccfa65 - stable/14 - loader.efi: Fix when staging moves late List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: imp X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 8dca7fccfa6514b0a48a290683572fadbb4e2a68 Auto-Submitted: auto-generated Date: Mon, 08 Jun 2026 16:44:28 +0000 Message-Id: <6a26f16c.25786.51544913@gitrepo.freebsd.org> The branch stable/14 has been updated by imp: URL: https://cgit.FreeBSD.org/src/commit/?id=8dca7fccfa6514b0a48a290683572fadbb4e2a68 commit 8dca7fccfa6514b0a48a290683572fadbb4e2a68 Author: Warner Losh AuthorDate: 2026-06-05 05:18:40 +0000 Commit: Warner Losh CommitDate: 2026-06-08 16:34:58 +0000 loader.efi: Fix when staging moves late Prior to this commit, we'd compute the page tables and have the last entries point to the staging area. We'd then add some more metadata to the image and boot. This assumed the staging area didn't need to move for this last bit of data. However, if we go over the staging limit, when we copyin new data, we grow the staging area, usually be moving it to a lower address. This overage usually happens when we're loading modules and so things work out nicely. Sometimes we're close to the limit, and we need to do this growing inside bi_load, after we've computed the page table, making the page table wrong, and the code we jump to random rather than the btext routine we normally start at. To fix this, move computation of the table (but not its allocation) to after bi_load, but before we call the trampoline. This problem was most observed when loading microcode for many peole, but Gleb reproduced the error with a set of modules that didn't include ucode. This bug hunt was greatly assisted by Claude who looked at the crash from the EFI boot loader and surmised that we weren't jumping to the code we thought we were jumping to. After inspecting the code, I asked claude how corruption could happen (I thought overwriting the page table), but claude notice the possibility that staging might change after we computed the page table, and this fix is the result. Claude didn't suggest a diff, but did provide many helpful clues that lead me to this fix. PR: 294630 Reviewed by: kib (prior version) Sponsored by: Netflix MFC After: insta per re@ request Differential Revision: https://reviews.freebsd.org/D57462 (cherry picked from commit 3915ffb1c3e04b26d1506bf35d3f665b2e25a915) --- stand/efi/loader/arch/amd64/elf64_freebsd.c | 47 ++++++++++++++++++----------- stand/efi/loader/bootinfo.c | 19 +++++++++++- 2 files changed, 48 insertions(+), 18 deletions(-) diff --git a/stand/efi/loader/arch/amd64/elf64_freebsd.c b/stand/efi/loader/arch/amd64/elf64_freebsd.c index 91dd979a677e..72c8d558d8a6 100644 --- a/stand/efi/loader/arch/amd64/elf64_freebsd.c +++ b/stand/efi/loader/arch/amd64/elf64_freebsd.c @@ -94,7 +94,7 @@ elf64_exec(struct preloaded_file *fp) Elf_Ehdr *ehdr; vm_offset_t modulep, kernend, trampcode, trampstack; int err, i; - bool copy_auto; + bool copy_auto, needs_pt4; copy_auto = copy_staging == COPY_STAGING_AUTO; if (copy_auto) @@ -162,6 +162,7 @@ elf64_exec(struct preloaded_file *fp) PT2[i] = (pd_entry_t)i * (2 * 1024 * 1024); PT2[i] |= PG_V | PG_RW | PG_PS; } + needs_pt4 = false; } else { PT4 = (pml4_entry_t *)0x0000000100000000; /* 4G */ err = BS->AllocatePages(AllocateMaxAddress, EfiLoaderData, 9, @@ -173,7 +174,35 @@ elf64_exec(struct preloaded_file *fp) copy_staging = COPY_STAGING_AUTO; return (ENOMEM); } + needs_pt4 = true; + } + + printf("%scopying staging tramp %p PT4 %p\n", + copy_staging == COPY_STAGING_ENABLE ? "" : "not ", + trampoline, PT4); + printf("Start @ 0x%lx ...\n", ehdr->e_entry); + + /* + * we have to cleanup here because net_cleanup() doesn't work after + * we call ExitBootServices + */ + dev_cleanup(); + + efi_time_fini(); + err = bi_load(fp->f_args, &modulep, &kernend, true); + if (err != 0) { + efi_time_init(); + if (copy_auto) + copy_staging = COPY_STAGING_AUTO; + return (err); + } + /* + * staging might move in bi_load because we automatiaclly move when we + * copy data in. At this point, staging can't move anymore, so create + * PT4 with the correct value. + */ + if (needs_pt4) { bzero(PT4, 9 * EFI_PAGE_SIZE); PT3_l = &PT4[NPML4EPG * 1]; @@ -210,22 +239,6 @@ elf64_exec(struct preloaded_file *fp) } } - printf("staging %#lx (%scopying) tramp %p PT4 %p\n", - staging, copy_staging == COPY_STAGING_ENABLE ? "" : "not ", - trampoline, PT4); - printf("Start @ 0x%lx ...\n", ehdr->e_entry); - - efi_time_fini(); - err = bi_load(fp->f_args, &modulep, &kernend, true); - if (err != 0) { - efi_time_init(); - if (copy_auto) - copy_staging = COPY_STAGING_AUTO; - return (err); - } - - dev_cleanup(); - trampoline(trampstack, copy_staging == COPY_STAGING_ENABLE ? efi_copy_finish : efi_copy_finish_nop, kernend, modulep, PT4, ehdr->e_entry); diff --git a/stand/efi/loader/bootinfo.c b/stand/efi/loader/bootinfo.c index 2961b8b97fb7..e56cd90ed7b8 100644 --- a/stand/efi/loader/bootinfo.c +++ b/stand/efi/loader/bootinfo.c @@ -213,6 +213,17 @@ bi_load_efi_data(struct preloaded_file *kfp, bool exit_bs) } #endif +#if defined(__amd64__) || defined(__i386__) + extern uint64_t staging; + /* + * Staging can't move after this point, so report the final value before + * we try to exit boot services below. The metadata added is added to + * the malloced arena that we setup when we started and doesn't interact + * with boot services. + */ + printf("staging %#jx\n", (uintmax_t)staging); +#endif + do_vmap = true; efi_novmap = getenv("efi_disable_vmap"); if (efi_novmap != NULL) @@ -302,14 +313,20 @@ bi_load_efi_data(struct preloaded_file *kfp, bool exit_bs) * loader.conf(5). By default we will setup the virtual * map entries. */ - if (do_vmap) efi_do_vmap(mm, sz, dsz, mmver); + + /* + * Add the memory map to the metadata. addmetadata copies the data into + * the malloc arena, so we can safely free the memory map pages after. + * Or could if boot services was still running. + */ efihdr->memory_size = sz; efihdr->descriptor_size = dsz; efihdr->descriptor_version = mmver; file_addmetadata(kfp, MODINFOMD_EFI_MAP, efisz + sz, efihdr); + /* BS->FreePages(addr, pages); */ return (0); } From nobody Mon Jun 8 17:20:35 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gYzMR5DnDz6gQ1N for ; Mon, 08 Jun 2026 17:20:35 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gYzMR4qGTz3JYc for ; Mon, 08 Jun 2026 17:20:35 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780939235; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=hl05PxPWKHsh1eqMVwOK1xSVKz48YTYY48stguT65Z8=; b=pc8BCkgnWc1HiVPrqvqRW3hssFczpsvCk5vG9rCSsyXBdr1FUS5p40e9faTc9gnxttGy3H 33zWbo3tisvdE42dkbZ84eVDCadi1kgAMqWw6MPUl9YXy7teH5shn5aDtmfvG31L2FlYr/ vpGeW7BwFWoLredsV0my9vbKwYuWBO2DjDfOT9M4a6yXPIzu+5z5POtLsriK5PZa4Gsd7c apgKl1SNoqeVyfNM35K2DPIup+hmFim0boOor32IOSubq/ep2xQZnat9lcwQp4qjXhr3iQ wIUPlLztVR1JRP2eLLQx/eEcPpn0c0jrDp1RmIq4heaY7TQ16Wj+Cickg3EmwA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1780939235; a=rsa-sha256; cv=none; b=bo+Rya9xgX4GurKfkHlL36xMH8pxuBvhywk2vFOdcsetGWzdWuJ5BMk5UPBWhCz5FvV5ys 7LH64hxXDCo2KOVXoe+l04bZmnXdsLzhNKlRVtgyOl60QhQEn6DdzQnnOqkCSm6jIT2BIu cj6dEF7EYnZsHy7bfKA5fKWO+Wlt5zvy2LAeBIVc7t1vOL1hKwLRifdcj+G2SBf5b+iyIo 0zQvhmb9A8w4NIs7uQEZsTiFZo34mZCeSZyAcotz/wIIZ3qd0etoxy9hglk4Wg4dd3Oi17 bBI5VMgTV22GLI8RppB033at7iN74DB4pdZm8Ek4pvKFEXykdF255YJz01jr2Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780939235; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=hl05PxPWKHsh1eqMVwOK1xSVKz48YTYY48stguT65Z8=; b=f30SqoyCP04dz7kx3b466Pa2MfGKUGEe7Y1tkPh2wCP+o9nldGP+Q6XBbWafxBYojVJCVb fb1r2M/VKW+L7ZcqRyqFoO+ps5lNQpRKZEcA59mtO6IesbhVTloJ0SYBFR43b0LwlkaHFx QUiaGmQtgfR4qIeCM46P4CwNYQnY1JepqZpjFvW51kYUkwFSutKVqgLlBUYR6/1HvdQtA2 Zsct9lEIIJqwr/ctNu6EspxD1ERREi6SeI94JTj2ykjMUYT9r10OUTObJrHupLdedCgViN ZTnqougpriilZZSOHims4HFPPKCzsbOkOL7C8uf8Xgxuhs4WN94zHG3wdHZBiw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gYzMR3lY1zxTf for ; Mon, 08 Jun 2026 17:20:35 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 30e38 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Mon, 08 Jun 2026 17:20:35 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Koine Yuusuke From: Ed Maste Subject: git: 04cee2a1727e - stable/15 - intelhfi: Add IA32_PM_ENABLE bit flag define List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 04cee2a1727ea9e5b0ad20b5c4b36d8b5859ae49 Auto-Submitted: auto-generated Date: Mon, 08 Jun 2026 17:20:35 +0000 Message-Id: <6a26f9e3.30e38.58e978f9@gitrepo.freebsd.org> The branch stable/15 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=04cee2a1727ea9e5b0ad20b5c4b36d8b5859ae49 commit 04cee2a1727ea9e5b0ad20b5c4b36d8b5859ae49 Author: Koine Yuusuke AuthorDate: 2026-05-17 15:58:41 +0000 Commit: Ed Maste CommitDate: 2026-06-08 17:20:15 +0000 intelhfi: Add IA32_PM_ENABLE bit flag define Reviewed by: Minsoo Choo Differential Revision: https://reviews.freebsd.org/D56919 (cherry picked from commit 436f47a80c20a4d8395d30f81684b2d5dd35991e) --- sys/x86/include/specialreg.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sys/x86/include/specialreg.h b/sys/x86/include/specialreg.h index f14c8c56d0e3..7933291a752e 100644 --- a/sys/x86/include/specialreg.h +++ b/sys/x86/include/specialreg.h @@ -903,6 +903,9 @@ /* MSR IA32_MCU_OPT_CTRL */ #define IA32_RNGDS_MITG_DIS 0x00000001 +/* MSR IA32_PM_ENABLE */ +#define IA32_PM_ENABLE_HWP_ENABLE (1ULL << 0) + /* MSR IA32_HWP_CAPABILITIES */ #define IA32_HWP_CAPABILITIES_HIGHEST_PERFORMANCE(x) (((x) >> 0) & 0xff) #define IA32_HWP_CAPABILITIES_GUARANTEED_PERFORMANCE(x) (((x) >> 8) & 0xff) From nobody Mon Jun 8 19:54:15 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZ2ml3Xv8z6gfGK for ; Mon, 08 Jun 2026 19:54:15 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZ2ml1XbGz3mp7 for ; Mon, 08 Jun 2026 19:54:15 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780948455; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=kgd0/Bb1ANa6T6j1G3GtjNHYX3TF8jarQ5JTNUEyiLA=; b=LikTVLIeZpqB5lVxcjam63ABfDEf4lqAz5UKKCaFaGoIlcC+bl8jb0oxvocb/EOH8F7kaO +56Qvd6jjm/6CtaTiRSYraihaJaYTtwNEvIhR4/KrCnm371PvvYhfyuvcIADHNQ36wcGaC ZNqdXj7+q/Mi+k8IvqvhyzTRkRb1u7/fvh+d5jo7Evo3anyeBtLNWfVlgoGBxbCUTwl4is rb9n2DEP1eNSV9siQ24cNgZw2gKJA5CXFnibOdWn4z48Vi9XcdNTDpPsYHTD1lXXg3pQGN +lpvpqoVmKrs+gcun7y4SFBE8QiwQOYbIjhh0YIGkoKnmeL+4dQIr9qQcmRF+g== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1780948455; a=rsa-sha256; cv=none; b=VMjdQpSOclXGWNwVPlD3cdGf8m2qg9G6119yqNdvX+G/6+GR+5dJgoIZL2KTtflxVsCuoS 2sN39gXB54oiSv8UfS05bSrnSBRAULeP977sDWpIM9MrZRrXC1WZbpZaUq7kUB78wf5qce cxb7+Odd78LcruD3iR/uoTXQen7ZKu2+5mdR7YqB7NU5xSMA2ze7Ylc/5Ly0cRbbDYjhwl +Ijclu6ShcB2YyknT8WX7Q0fPq9j2A5G1o02Om/+LGY17TXru7NW6pnrabLFB51/D5ryXc WsHmuJjTk1YO9xUXUfNc1gtPKiIxa5faPGGjf63lMD7ftoLhd4tWRwMrREQASA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780948455; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=kgd0/Bb1ANa6T6j1G3GtjNHYX3TF8jarQ5JTNUEyiLA=; b=hPYn+3OIVdrPVQ/TjaGCEiTrPHXco8y/nmSs/dVrynd6AJf4gR3rOUCTeNmHerzWqe6Qtk zvlymSpH8e6mFVNx5jMn3/WOuBuThkm1BLBXiLC6X9K65sN8LMJdBJJrcryqY9eWy/59ku ocJRge2rU5s2UPggdJ9RByYBC7c+eGovM78XCFO647mffzma2BHbaS9vZPV51VS5Hl2tTu TF6j/IznVbXobKfpm7ltsh9AiQzP+Rrxj8RHOcDOmwCOR2Mmpr+pwPlMwfJpvrLQdYGVF0 c0sE3y54q8XhYO7IO98JIQl+w2EArG3xvoL7CbvylyYqaelln8/SOAHV0iTBcg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZ2ml0jkdz12wK for ; Mon, 08 Jun 2026 19:54:15 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 4137c by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Mon, 08 Jun 2026 19:54:15 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: bfdc17ca8006 - stable/15 - src.opts.mk: Comment about CTF & DTRACE relationship List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: bfdc17ca8006773ca7efd8dec9d16f28a862dd0e Auto-Submitted: auto-generated Date: Mon, 08 Jun 2026 19:54:15 +0000 Message-Id: <6a271de7.4137c.5228d95@gitrepo.freebsd.org> The branch stable/15 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=bfdc17ca8006773ca7efd8dec9d16f28a862dd0e commit bfdc17ca8006773ca7efd8dec9d16f28a862dd0e Author: Ed Maste AuthorDate: 2026-05-12 17:19:46 +0000 Commit: Ed Maste CommitDate: 2026-06-08 19:53:57 +0000 src.opts.mk: Comment about CTF & DTRACE relationship WITH_CTF enables building userland components with CTF, and not the ctf* tools as one might expect. The tools are actually included with the DTRACE knob. Add a comment where the dependency is handled, as this has caused confusion. Reported by: ivy Reviewed by: markj Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D56977 (cherry picked from commit f6178451eea5b1ce6802fbb0e6eceb555c7b4841) --- share/mk/src.opts.mk | 2 ++ 1 file changed, 2 insertions(+) diff --git a/share/mk/src.opts.mk b/share/mk/src.opts.mk index a0bf8c2d454f..f9fc2dad280a 100644 --- a/share/mk/src.opts.mk +++ b/share/mk/src.opts.mk @@ -431,6 +431,8 @@ MK_KERBEROS_SUPPORT:= no MK_MITKRB5:= no .endif +# MK_DTRACE also gates ctf tools, so we cannot build userland with CTF +# if it is off. .if ${MK_DTRACE} == "no" MK_CTF:= no .endif From nobody Mon Jun 8 21:40:55 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZ57r0FKFz6gnb9 for ; Mon, 08 Jun 2026 21:40:56 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZ57q6Jjhz43rQ for ; Mon, 08 Jun 2026 21:40:55 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780954855; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=BzmV6Zu1g2VBHVkmd+xjR8I4YQU4uhzMei0nhIovG2E=; b=hWFxfKd7R2Oo2uWjslcys6ae5MoHN9WIQ8JMLcQaI2KdqJ0SBditK26bRs+3uFDo6RQo/y /V5TtXbsl+U6mGEOQSA0r2oP4ELdF3voe80MR+4s2SBxPxbSeBO/I44u6l+Jzx8wcEvgza PgIlCbnx0QacS4Plv8VdswEOCvFssX5RQiccsSIWcOHWiRnKgsmtUdWhcrd9ETeShtt5vZ o99JMCFZ1HRgygfLeRj4F3+MYSODJzaL8d9rtxShn3jd951AVcjNU26S75JHTUaRLE1/Kq 4uVzB/MPxu3T7TjAx6jeZaDSd9gpGBsjbfinOnn3d7C0flGYq+LviLsDw8+X6w== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1780954855; a=rsa-sha256; cv=none; b=RuH1/AHBr2FIkPY8z9aVgXZRBnZQoCTZ2cktaQ0tcwUy9ur93OTAE9GmUzoM6tf44djZlG TptWwKsDx9C1Dc1mKcZ8RWGlO0eJUiN/iLz8epcxCBL0KIOTlkhekpRkzXMMc7R5iukIG5 5WbMXaEsIZ+LxNmCbuNP/HCSBLXGgovBUC7IZ1L1GRY3X+p686sL2voq293Dso5tICVa4U +N1Qp7jCXiYzm9qilnOezTObB+RvWiOpfQe6Po1f7Ck7JQe8kAIRRvDtr6jvyx/LE7e9sB imh5ma+LfywPb9yAGMUgDSBMa+L9UUWkq5ceuDAnJeXmsSSo1HqYORc/wlru0A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780954855; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=BzmV6Zu1g2VBHVkmd+xjR8I4YQU4uhzMei0nhIovG2E=; b=XULEMMHvlqYnqZCd6/ePRPX1soMtgCEtVCRNK+VNXYX7vxN5xoOqh+XRL0o/kh8kpaoNlr rp2EwtOTObTSOw6LqpoBSh6kXSzMCC1Snzn6Kz60ScX2P5QxDdYa8UwuZzcd9B+7+RldL6 JmL2qk7anse4LcWr2m2iIG9dZQqFEEzKvBvqEanP8MUUC8q8Jtq2+zJLyZHYNhda9J68Ma ZBddAil2QtXqN8Z/G1SGInjXDNudxFyF/p0bR+nU/CEFxoPzEfyMFNuqGUatkfGRYDhBY9 MBNTduC3GQqph5yg2XFV+hl4OzAfk2Dro5IQTzc5Q++muOom7imikNHA6wwe2Q== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZ57q5P4zz14vR for ; Mon, 08 Jun 2026 21:40:55 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 1ca61 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Mon, 08 Jun 2026 21:40:55 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Peter Eriksson From: Rick Macklem Subject: git: 36d411987b51 - stable/15 - acl_id_to_name.c: Fix printing of uids and gids List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: rmacklem X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 36d411987b5173175d6d1b9e45337e7db218c020 Auto-Submitted: auto-generated Date: Mon, 08 Jun 2026 21:40:55 +0000 Message-Id: <6a2736e7.1ca61.2eabea7@gitrepo.freebsd.org> The branch stable/15 has been updated by rmacklem: URL: https://cgit.FreeBSD.org/src/commit/?id=36d411987b5173175d6d1b9e45337e7db218c020 commit 36d411987b5173175d6d1b9e45337e7db218c020 Author: Peter Eriksson AuthorDate: 2026-05-25 19:44:41 +0000 Commit: Rick Macklem CommitDate: 2026-06-08 20:37:52 +0000 acl_id_to_name.c: Fix printing of uids and gids uid_t and gid_t are uint32_t (unsigned 32bit integers). They are printed as signed integers when calling getfacl (and other tools using the acl_to_text() libc function). This causes uid/gids larger than 2G (214783648) to print as negative numbers - which causes problem with setfacl since the acl_from_text() libc function fails on negative numbers. (cherry picked from commit 6e7c10c79deac3c6bb6ad3bd12c8e0ad68bb59f0) --- lib/libc/posix1e/acl_id_to_name.c | 4 ++-- lib/libc/posix1e/acl_to_text_nfs4.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/libc/posix1e/acl_id_to_name.c b/lib/libc/posix1e/acl_id_to_name.c index 78e050a8648a..c90e6083cca1 100644 --- a/lib/libc/posix1e/acl_id_to_name.c +++ b/lib/libc/posix1e/acl_id_to_name.c @@ -67,7 +67,7 @@ _posix1e_acl_id_to_name(acl_tag_t tag, uid_t id, ssize_t buf_len, char *buf, else p = getpwuid(id); if (!p) - i = snprintf(buf, buf_len, "%d", id); + i = snprintf(buf, buf_len, "%ju", (uintmax_t)id); else i = snprintf(buf, buf_len, "%s", p->pw_name); @@ -83,7 +83,7 @@ _posix1e_acl_id_to_name(acl_tag_t tag, uid_t id, ssize_t buf_len, char *buf, else g = getgrgid(id); if (g == NULL) - i = snprintf(buf, buf_len, "%d", id); + i = snprintf(buf, buf_len, "%ju", (uintmax_t)id); else i = snprintf(buf, buf_len, "%s", g->gr_name); diff --git a/lib/libc/posix1e/acl_to_text_nfs4.c b/lib/libc/posix1e/acl_to_text_nfs4.c index 157215c9dd52..4f19f3a9a7b2 100644 --- a/lib/libc/posix1e/acl_to_text_nfs4.c +++ b/lib/libc/posix1e/acl_to_text_nfs4.c @@ -69,7 +69,7 @@ format_who(char *str, size_t size, const acl_entry_t entry, int numeric) else pwd = NULL; if (pwd == NULL) - snprintf(str, size, "user:%d", (unsigned int)*id); + snprintf(str, size, "user:%ju", (uintmax_t)*id); else snprintf(str, size, "user:%s", pwd->pw_name); acl_free(id); @@ -89,7 +89,7 @@ format_who(char *str, size_t size, const acl_entry_t entry, int numeric) else grp = NULL; if (grp == NULL) - snprintf(str, size, "group:%d", (unsigned int)*id); + snprintf(str, size, "group:%ju", (uintmax_t)*id); else snprintf(str, size, "group:%s", grp->gr_name); acl_free(id); From nobody Mon Jun 8 23:01:03 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZ6wH1z4fz6gtxV for ; Mon, 08 Jun 2026 23:01:03 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZ6wH0gRMz3Dt8 for ; Mon, 08 Jun 2026 23:01:03 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780959663; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=3iboUAiezFV3nn3fCZHzw/WmMzrStYUK/BT6Px/brjk=; b=rV2xSoNpcNvTB35xBkRITRbrpZair0lIeVLAHi927+GfjjHjsUQ4f4bFSV8lKoJy+Ky12B GUBf0IVkf/+Tfd3I+i8vhkegiwRJ8QT7juum9ocu9UOQixvsllVab3kAyGRLBucBIP6azQ mGIGEVF7bEZzk8G9ePwKGdrC8UBMgRKIUu/kRxF9yt1r8HBObiYTMwLNW6Zj1wSJYLgv/A bVhzPdBjZN72y8LjEly/Hdryl4S0V8pKOFEkwxob45p1wG/7lZYdEYgjpMP31x43svcjgs hwBxH/hyqcdXGEPOOT77v58f8+Oq9k/SwMIlHR68ayoRksSRBURGrx1cbQltaQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1780959663; a=rsa-sha256; cv=none; b=eNe+BdNCQjfFuuwIeUzA4c+2/63bq7T6p7kBrgKwALAGT8rIG3hqZqxseF+3y+17KQIwMh WZiwPh6IVtIicNcnh5SkKxcCAG9aspJYne3CY7JfuQueqJpLSiGzIzrg5ieTz+hCfe5M0J dQ6bp81BvoPa7wQkTITEeDjYVtiP3T3fqqcsRibf0dMmFXk+FGQgnN+bEMgONObat82S3C Pa4fSLxvh+fZ0/Rlfn8ZJaKHPcZW4oDPjZMdd37PUSv1x8ZwrxFIlI/3Hk5oj8tmJgRwFl dZ5sWaUSMdLKHhwBXFTmUlgxT+dl1gH17kEINWL++XT/fWmgmAxpYZ3jyz2XYg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780959663; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=3iboUAiezFV3nn3fCZHzw/WmMzrStYUK/BT6Px/brjk=; b=Hh+qmP/YCtmlNvSO9owo8DgY8L0nflEw08aqycxTyQxEibojCky/VfAz7wbwH7EMc7bwBh kU913dHddgwYPJDevXDsyvEK3v4Uac1H+yJEVB+jMer0pOkvZOxfm4hgwSl23XF3PXNVDl Qt73qKQaR5DA08k23mJDA/FQlwUu+Wb2RYF84TpJH/CvCfNcVqWTs/HF72B0aR0mtFRUY9 6PHJB8yVX+7NmVrVYBspTZH4xjSI4BG4SgUIqB0c9VgMoGH842jk7M1loJWtCVPquAlBR1 UC7Ooc640bwGFq0Z0D2qk95ILqKLQNEMLzFPWxvPDVhUmkP3e/JPCgxOR5IHBw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZ6wH0G2jz17VH for ; Mon, 08 Jun 2026 23:01:03 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 24cda by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Mon, 08 Jun 2026 23:01:03 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Dag-Erling=?utf-8?Q? Sm=C3=B8rg?=rav Subject: git: f4744e76333d - stable/15 - limits: Fix pipebuf resource type List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: f4744e76333deba32bd381549169f2e8b92b163d Auto-Submitted: auto-generated Date: Mon, 08 Jun 2026 23:01:03 +0000 Message-Id: <6a2749af.24cda.382417c6@gitrepo.freebsd.org> The branch stable/15 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=f4744e76333deba32bd381549169f2e8b92b163d commit f4744e76333deba32bd381549169f2e8b92b163d Author: Dag-Erling Smørgrav AuthorDate: 2026-06-04 22:41:41 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2026-06-08 23:00:42 +0000 limits: Fix pipebuf resource type * pipebuf is a size but is listed as a count PR: 295623 MFC after: 1 week Fixes: f54f41403d14 ("usr.bin/limits: support RLIMIT_PIPEBUF") Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D57456 (cherry picked from commit ad524568f9fb77e270a22744d81b9cea0a2ab0eb) --- usr.bin/limits/limits.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr.bin/limits/limits.c b/usr.bin/limits/limits.c index c53066b52a9f..0a76ec5b8e4e 100644 --- a/usr.bin/limits/limits.c +++ b/usr.bin/limits/limits.c @@ -244,7 +244,7 @@ static struct { { "swapuse", login_getcapsize }, { "kqueues", login_getcapnum }, { "umtxp", login_getcapnum }, - { "pipebuf", login_getcapnum }, + { "pipebuf", login_getcapsize }, }; /* From nobody Mon Jun 8 23:01:04 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZ6wJ56Vnz6gtqp for ; Mon, 08 Jun 2026 23:01:04 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZ6wJ1x2dz3Dyd for ; Mon, 08 Jun 2026 23:01:04 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780959664; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=onC6TpSS6xZUs/SD/Io6S2Acrmj2NK/i2C3LouT85MM=; b=pPzFmbZdnU1/uJt7yC3NkcA9j3DZDmurXVDdKQaUd+6B8UWST2j/OHB+gofd2QRRu70I56 XgeanLtl44RdaMwFovRiUD6E/JgNoqxgl+gzn8ThRVEdn7Jhl6vjUFk/FuzTHY5Mk0Gnz0 UUrzkUWjYDyq+v9PtZ+zqDLKa4GGoXAAjz28wqMXDhSW5gr2W6Ai91tmK7kuJYCfsyylNu b8ei1VWt5Xd4UhQv7d+ekazrZq+AGvsLbWk0gOD5TSov9Vd+/qdJhjajFX3TTrWNB//dNB er8maHzAEhM80IPEmAl2BBNKcAFSRTIu/qdSfcQe8SFeMO9ggb7MEmPgWirheg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1780959664; a=rsa-sha256; cv=none; b=kuTvM2SRW31nQbbfhoTm1WeNYuCPt56CH5/MuJZwS1stQL0iza1wUjCwuc2105xYm5DULc 5tn792t2hq2YEqRi2dDArX82c7Wzt5StlxFHQt49VRciRKIdqlqt/3SnViGNW2wkfdQt09 oy9Jf46eAtBhBq7+3uwiWigmrffBupaKnywJgEbdTE4PnUAd+1EO26c52Dfx1gDpeTZl5v Q/YktCWHrf4VqNT1SsOvb9aUoapZ7GXLEyFuArPibZwIfs0Akz8jeqYR4XGgYRdDjSBmbZ CpgOcKVufrm9As9Evy4bnw55j+r/ZYlBKFUI0OHXBrVCGZJkqPnaxisM6DC/7A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780959664; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=onC6TpSS6xZUs/SD/Io6S2Acrmj2NK/i2C3LouT85MM=; b=IXQVnJOzay5Zyvy45qa69Qio4i5XGjqpelnszrSPaciBOXp2GzoILK2cmHc1ciN0eCBRpa +ZeBumlKC/EcAbeRUIYd8w0CfOYTQ5owt42saqwBpnWd+S1vp1cf3AxOJxSI6egbnkuIgX 3gUirsC3Ww2vV2G6RsFkGbePPJ65fwThhuMTOYi8UD0ZyoMHS36n0fKc4GlWOZVfNIGDU+ mQ6qo8bStRJOs8La3izlew1pOIBVm+G8YAkvmtv+IUPHgD1TGx6QszPHhgexKkdaAKCGqT 8Bj++KcNAVfT4nw2b+AuFUtPVOcU0f1VcLfBiJuNR1NkpAalIhw1ICD7zjO1zg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZ6wJ0zdBz177B for ; Mon, 08 Jun 2026 23:01:04 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 23c70 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Mon, 08 Jun 2026 23:01:04 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Dag-Erling=?utf-8?Q? Sm=C3=B8rg?=rav Subject: git: 70dfaf4521d4 - stable/15 - etcupdate: Make diff -l actually work List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 70dfaf4521d4e39c07180c4137b777560ffbccb5 Auto-Submitted: auto-generated Date: Mon, 08 Jun 2026 23:01:04 +0000 Message-Id: <6a2749b0.23c70.839e6d5@gitrepo.freebsd.org> The branch stable/15 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=70dfaf4521d4e39c07180c4137b777560ffbccb5 commit 70dfaf4521d4e39c07180c4137b777560ffbccb5 Author: Dag-Erling Smørgrav AuthorDate: 2026-06-04 22:41:27 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2026-06-08 23:00:42 +0000 etcupdate: Make diff -l actually work While here, remove unnecessary blank lines. MFC after: 1 week Fixes: 6d65c91b9a47 ("etcupdate: fix arguments order of diff command") Reviewed by: Boris Lytochkin Differential Revision: https://reviews.freebsd.org/D57330 (cherry picked from commit a85e39030f8c7faa3d5a33373389440de6f0fff7) --- usr.sbin/etcupdate/etcupdate.sh | 18 ++++-------------- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/usr.sbin/etcupdate/etcupdate.sh b/usr.sbin/etcupdate/etcupdate.sh index f62343a24eee..738e4f4ef378 100755 --- a/usr.sbin/etcupdate/etcupdate.sh +++ b/usr.sbin/etcupdate/etcupdate.sh @@ -504,42 +504,32 @@ diffnode() $COMPARE_EQUAL) ;; $COMPARE_ONLYFIRST) - echo echo "Removed: $3" - echo ;; $COMPARE_ONLYSECOND) - echo echo "Added: $3" - echo ;; $COMPARE_DIFFTYPE) first=`file_type $1/$3` second=`file_type $2/$3` - echo echo "Node changed from a $first to a $second: $3" - echo ;; $COMPARE_DIFFLINKS) first=`readlink $1/$file` second=`readlink $2/$file` - echo echo "Link changed: $file" rule "=" echo "-$first" echo "+$second" - echo ;; $COMPARE_DIFFFILES) if [ -n "$difflistonly" ]; then - echo echo "Changed: $3" - echo - break; + else + echo "Index: $3" + rule "=" + diff -u $diffargs -L "$3 ($4)" -L "$3 ($5)" $1/$3 $2/$3 fi - echo "Index: $3" - rule "=" - diff -u $diffargs -L "$3 ($4)" -L "$3 ($5)" $1/$3 $2/$3 ;; esac } From nobody Mon Jun 8 23:01:01 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZ6wM4pYtz6gtxZ for ; Mon, 08 Jun 2026 23:01:07 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZ6wM0Vxpz3Ds4 for ; Mon, 08 Jun 2026 23:01:07 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780959667; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=SO8SZ95+WvZGWxUOqnsQxW0ANc5pnePAMv6rQM/MaZQ=; b=vSCxNDZ8c9ZhCBVtQBQp2l7Bl8+SJDrdfF58VE4TWIQxuTZR3L0yH9IBktnFAXazky6Gja Dex7bD/wuL1RhWSmygMSR4DGmmbdLqGl7J4lj4a7jmLOycdB+ThPnCOUkWCi9ZrwT4bczC Mo44RpOwHt4ocP7uB1x+52cqyaHKzCUybNuDpdTFQJP3Kupk1XuO7wl9lGUvywWgAoMnOh TJf2fGsnWmTIrHQJP01T1MgkzU/bTuUKrHTurQAjmrN7/Gz3izzL7xtXB4gvv6qcdaASFA hu3tm05ItMM6CkthvbTi0WNfOwb5o2aXwn5idmVAXq5kkYnSTALLWSXjeQQRSg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1780959667; a=rsa-sha256; cv=none; b=u4rk2QgwogB5GzIhARlLWFwcsSV1E2n3Aie1nxzWHZeWzUpjTTM2WkIUSayjRL54IKIlep qWlWSGDiYPJy6VOA/5bUAcWYIPeCmRmiJO0jPlvl7qwO9D/WCKPEDL5Ojm6Sxb8HIKizTF 91Ba3mf+JGbf/lxq1q9xqvx3AWbqbHGvjU0/LQouBolXCULi6/8i53e/J2UMTeQO83BJH4 6V6HEOrCfjLlZbUUAp28UGF/ytvZg1fcwR861Kb/KUDF3JuQ3ylnpH8JUIPhGGiD+daSG/ uvjCjK1ua/O1tTdJl96k/pZUG8HY+9Njg4KIHCjQsM/+bMKDKGuyAyePGKRLGQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780959667; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=SO8SZ95+WvZGWxUOqnsQxW0ANc5pnePAMv6rQM/MaZQ=; b=nU8LHjhX04C+VywEaEdJotHQFPXE59mhyYvU2POHoInp7umQ71V4URaDolWB1MCuTCYJyF ZRtKJDWNN3GM/e0qUsUCzvr3cD9+zYFvqmZghyGfGqyozNfBc1EZtUwh/Ek9LFqjxJHlqp iAOOZRPGyoxK3+rnNlZCrPDqAc0VfGb/EQZX184JdViAWJ7JYpM214OsVCN/4pkUfBs5my ywLVRfcxCMiv+X1EEsc8RocTg/btJXcWpEkUXRoAMYsU2PM847yKU5OJKBLNwYaeFrmu51 WUFONSqNJHF196cUanVC/2subVcpxbmFFGmG6tSih52kyjmp4SbvOkNh2nk7zQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZ6wL740Bz17GF for ; Mon, 08 Jun 2026 23:01:06 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 2544c by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Mon, 08 Jun 2026 23:01:01 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Dag-Erling=?utf-8?Q? Sm=C3=B8rg?=rav Subject: git: 0932e252b859 - stable/15 - libarchive: Clean up the build configuration List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 0932e252b8595afc382fb62acd6b4eddd1c1a00f Auto-Submitted: auto-generated Date: Mon, 08 Jun 2026 23:01:01 +0000 Message-Id: <6a2749ad.2544c.188d9a2e@gitrepo.freebsd.org> The branch stable/15 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=0932e252b8595afc382fb62acd6b4eddd1c1a00f commit 0932e252b8595afc382fb62acd6b4eddd1c1a00f Author: Dag-Erling Smørgrav AuthorDate: 2026-06-04 13:12:23 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2026-06-08 23:00:42 +0000 libarchive: Clean up the build configuration * Move settings duplicated in libarchive, bsdcat, bsdcpio, bsdtar, and bsdunzip into libarchive's Makefile.inc. * Drop some CFLAGS that merely duplicated some of the contents of our platform configuration header. MFC after: 1 week Reviewed by: mm Differential Revision: https://reviews.freebsd.org/D57307 (cherry picked from commit eb3a0a74a069d0f294e1596504676459282bb308) libarchive: Fix typo in sed command MFC after: 1 week Fixes: eb3a0a74a069 ("libarchive: Clean up the build configuration") Reported by: Shawn Webb (cherry picked from commit ba0d22eacd6008e9f3b7395b41056de2423aef3d) --- lib/libarchive/Makefile | 7 ++----- lib/libarchive/Makefile.inc | 16 +++++++++++----- lib/libarchive/tests/Makefile | 8 ++++---- usr.bin/bsdcat/Makefile | 17 ++++++----------- usr.bin/bsdcat/tests/Makefile | 15 +++++++-------- usr.bin/cpio/Makefile | 18 +++++------------- usr.bin/cpio/tests/Makefile | 15 +++++++-------- usr.bin/tar/Makefile | 13 +++---------- usr.bin/tar/tests/Makefile | 13 +++++++------ usr.bin/unzip/Makefile | 14 ++++---------- usr.bin/unzip/tests/Makefile | 13 +++++++------ 11 files changed, 63 insertions(+), 86 deletions(-) diff --git a/lib/libarchive/Makefile b/lib/libarchive/Makefile index 4e32dcf72341..c4b4bc67ba33 100644 --- a/lib/libarchive/Makefile +++ b/lib/libarchive/Makefile @@ -1,7 +1,8 @@ .include +.include "Makefile.inc" + PACKAGE=lib${LIB} -_LIBARCHIVEDIR= ${SRCTOP}/contrib/libarchive LIB= archive @@ -9,10 +10,6 @@ LIB= archive # It has no real relation to the libarchive version number. SHLIB_MAJOR= 7 -CFLAGS+= -I${.OBJDIR} -CFLAGS+= -I${SRCTOP}/sys/contrib/zstd/lib -.include "Makefile.inc" - .if ${MACHINE_ARCH:Marm*} != "" || ${MACHINE_ARCH:Mpowerpc*} != "" NO_WCAST_ALIGN= yes .if ${MACHINE_ARCH:M*64*} == "" diff --git a/lib/libarchive/Makefile.inc b/lib/libarchive/Makefile.inc index 755a39ec01e8..514ce205d560 100644 --- a/lib/libarchive/Makefile.inc +++ b/lib/libarchive/Makefile.inc @@ -2,11 +2,17 @@ # them in sync we can get run-time crashes while running tests due to mismatches # between structures such as archive_md5_ctx, etc. -LIBADD= z bz2 lzma bsdxml zstd -CFLAGS+= -DHAVE_BZLIB_H=1 -DHAVE_LIBLZMA=1 -DHAVE_LZMA_H=1 \ - -DHAVE_ZSTD_H=1 -DHAVE_LIBZSTD=1 -DHAVE_ZSTD_compressStream=1 \ - -DHAVE_SYSCONF=1 -CFLAGS+= -DPLATFORM_CONFIG_H=\"${.CURDIR}/config_freebsd.h\" +_LIBARCHIVEDIR= ${SRCTOP}/contrib/libarchive +LIBARCHIVE_VERSION_ONLY_STRING!= \ + sed -n '/define.*ARCHIVE_VERSION_ONLY_STRING/{s,[^0-9.],,gp;q;}' \ + ${_LIBARCHIVEDIR}/libarchive/archive.h + +LIBADD+= z bz2 lzma bsdxml zstd +CFLAGS+= -DPLATFORM_CONFIG_H=\"config_freebsd.h\" +CFLAGS+= -I${SRCTOP}/lib/libarchive +CFLAGS+= -I${_LIBARCHIVEDIR}/libarchive +CFLAGS+= -I${_LIBARCHIVEDIR}/libarchive_fe +CFLAGS+= -I${SRCTOP}/sys/contrib/zstd/lib .if ${MK_OPENSSL} != "no" CFLAGS+= -DWITH_OPENSSL diff --git a/lib/libarchive/tests/Makefile b/lib/libarchive/tests/Makefile index 3a03725054f4..3210938bc117 100644 --- a/lib/libarchive/tests/Makefile +++ b/lib/libarchive/tests/Makefile @@ -1,11 +1,11 @@ .include +.include "${SRCTOP}/lib/libarchive/Makefile.inc" + PACKAGE= tests WARNS?= 3 -_LIBARCHIVEDIR= ${SRCTOP}/contrib/libarchive - ATF_TESTS_SH+= functional_test TEST_METADATA.functional_test+= timeout="600" @@ -14,8 +14,8 @@ BINDIR= ${TESTSDIR} PROGS+= libarchive_test -CFLAGS+= -I${.CURDIR} -I${.CURDIR:H} -I${.OBJDIR} -CFLAGS+= -I${_LIBARCHIVEDIR}/libarchive -I${_LIBARCHIVEDIR}/libarchive/test +CFLAGS+= -I${.OBJDIR} +CFLAGS+= -I${_LIBARCHIVEDIR}/libarchive/test CFLAGS+= -I${_LIBARCHIVEDIR}/test_utils CFLAGS+= -I${SRCTOP}/sys/contrib/zstd/lib diff --git a/usr.bin/bsdcat/Makefile b/usr.bin/bsdcat/Makefile index 06081fc2b2f8..3f51bfc753de 100644 --- a/usr.bin/bsdcat/Makefile +++ b/usr.bin/bsdcat/Makefile @@ -1,11 +1,8 @@ .include -_LIBARCHIVEDIR= ${SRCTOP}/contrib/libarchive -_LIBARCHIVECONFDIR= ${SRCTOP}/lib/libarchive +.include "${SRCTOP}/lib/libarchive/Makefile.inc" PROG= bsdcat -BSDCAT_VERSION_STRING!= sed -n '/define.*ARCHIVE_VERSION_ONLY_STRING/{s,[^0-9.],,gp;q;}' \ - ${_LIBARCHIVEDIR}/libarchive/archive.h .PATH: ${_LIBARCHIVEDIR}/cat SRCS= bsdcat.c cmdline.c @@ -13,15 +10,13 @@ SRCS= bsdcat.c cmdline.c .PATH: ${_LIBARCHIVEDIR}/libarchive_fe SRCS+= lafe_err.c -CFLAGS+= -DBSDCAT_VERSION_STRING=\"${BSDCAT_VERSION_STRING}\" -CFLAGS+= -DPLATFORM_CONFIG_H=\"${_LIBARCHIVECONFDIR}/config_freebsd.h\" -CFLAGS+= -I${_LIBARCHIVEDIR}/cat -I${_LIBARCHIVEDIR}/libarchive_fe - LIBADD= archive -.if ${MK_ICONV} != "no" -CFLAGS+= -DHAVE_ICONV=1 -DHAVE_ICONV_H=1 -DICONV_CONST=const -.endif +CFLAGS+= -DBSDCAT_VERSION_STRING=\"${LIBARCHIVE_VERSION_ONLY_STRING}\" +CFLAGS+= -I${_LIBARCHIVEDIR}/cat + +#SYMLINKS=bsdcat ${BINDIR}/cat +#MLINKS= bsdcat.1 cat.1 HAS_TESTS= SUBDIR.${MK_TESTS}+= tests diff --git a/usr.bin/bsdcat/tests/Makefile b/usr.bin/bsdcat/tests/Makefile index c323da34e080..f75ebeac2aea 100644 --- a/usr.bin/bsdcat/tests/Makefile +++ b/usr.bin/bsdcat/tests/Makefile @@ -1,6 +1,8 @@ -PACKAGE= tests +.include + +.include "${SRCTOP}/lib/libarchive/Makefile.inc" -_LIBARCHIVEDIR= ${SRCTOP}/contrib/libarchive +PACKAGE= tests ATF_TESTS_SH+= functional_test @@ -8,13 +10,10 @@ BINDIR= ${TESTSDIR} PROGS+= bsdcat_test -CFLAGS+= -DPLATFORM_CONFIG_H=\"${SRCTOP}/lib/libarchive/config_freebsd.h\" -CFLAGS+= -I${SRCTOP}/lib/libarchive -I${.OBJDIR} - CFLAGS+= -I${.OBJDIR} -CFLAGS+= -I${_LIBARCHIVEDIR}/cat -I${_LIBARCHIVEDIR}/cat/test -CFLAGS+= -I${_LIBARCHIVEDIR}/libarchive -CFLAGS+= -I${_LIBARCHIVEDIR}/libarchive_fe -I${_LIBARCHIVEDIR}/test_utils +CFLAGS+= -I${_LIBARCHIVEDIR}/cat +CFLAGS+= -I${_LIBARCHIVEDIR}/cat/test +CFLAGS+= -I${_LIBARCHIVEDIR}/test_utils CFLAGS.test_utils.c+= -Wno-cast-align diff --git a/usr.bin/cpio/Makefile b/usr.bin/cpio/Makefile index 31b25e4199da..edc2ddf2bcb6 100644 --- a/usr.bin/cpio/Makefile +++ b/usr.bin/cpio/Makefile @@ -1,11 +1,8 @@ .include -_LIBARCHIVEDIR= ${SRCTOP}/contrib/libarchive -_LIBARCHIVECONFDIR= ${SRCTOP}/lib/libarchive +.include "${SRCTOP}/lib/libarchive/Makefile.inc" PROG= bsdcpio -BSDCPIO_VERSION_STRING!= sed -n '/define.*ARCHIVE_VERSION_ONLY_STRING/{s,[^0-9.],,gp;q;}' \ - ${_LIBARCHIVEDIR}/libarchive/archive.h .PATH: ${_LIBARCHIVEDIR}/cpio SRCS= cpio.c cmdline.c @@ -13,18 +10,13 @@ SRCS= cpio.c cmdline.c .PATH: ${_LIBARCHIVEDIR}/libarchive_fe SRCS+= lafe_err.c line_reader.c passphrase.c -CFLAGS+= -DBSDCPIO_VERSION_STRING=\"${BSDCPIO_VERSION_STRING}\" -CFLAGS+= -DPLATFORM_CONFIG_H=\"${_LIBARCHIVECONFDIR}/config_freebsd.h\" -CFLAGS+= -I${_LIBARCHIVEDIR}/cpio -I${_LIBARCHIVEDIR}/libarchive_fe - LIBADD= archive -.if ${MK_ICONV} != "no" -CFLAGS+= -DHAVE_ICONV=1 -DHAVE_ICONV_H=1 -DICONV_CONST=const -.endif +CFLAGS+= -DBSDCPIO_VERSION_STRING=\"${LIBARCHIVE_VERSION_ONLY_STRING}\" +CFLAGS+= -I${_LIBARCHIVEDIR}/tar -SYMLINKS=bsdcpio ${BINDIR}/cpio -MLINKS= bsdcpio.1 cpio.1 +SYMLINKS= bsdcpio ${BINDIR}/cpio +MLINKS= bsdcpio.1 cpio.1 HAS_TESTS= SUBDIR.${MK_TESTS}+= tests diff --git a/usr.bin/cpio/tests/Makefile b/usr.bin/cpio/tests/Makefile index ee4da15bc7e4..0db109c1e379 100644 --- a/usr.bin/cpio/tests/Makefile +++ b/usr.bin/cpio/tests/Makefile @@ -1,6 +1,8 @@ -PACKAGE= tests +.include + +.include "${SRCTOP}/lib/libarchive/Makefile.inc" -_LIBARCHIVEDIR= ${SRCTOP}/contrib/libarchive +PACKAGE= tests ATF_TESTS_SH+= functional_test @@ -8,13 +10,10 @@ BINDIR= ${TESTSDIR} PROGS+= bsdcpio_test -CFLAGS+= -DPLATFORM_CONFIG_H=\"${SRCTOP}/lib/libarchive/config_freebsd.h\" -CFLAGS+= -I${SRCTOP}/lib/libarchive -I${.OBJDIR} - CFLAGS+= -I${.OBJDIR} -CFLAGS+= -I${_LIBARCHIVEDIR}/cpio -I${_LIBARCHIVEDIR}/cpio/test -CFLAGS+= -I${_LIBARCHIVEDIR}/libarchive -CFLAGS+= -I${_LIBARCHIVEDIR}/libarchive_fe -I${_LIBARCHIVEDIR}/test_utils +CFLAGS+= -I${_LIBARCHIVEDIR}/cpio +CFLAGS+= -I${_LIBARCHIVEDIR}/cpio/test +CFLAGS+= -I${_LIBARCHIVEDIR}/test_utils # Uncomment to link against dmalloc #LDADD+= -L/usr/local/lib -ldmalloc diff --git a/usr.bin/tar/Makefile b/usr.bin/tar/Makefile index 8b0d3e4a6cf0..0452e084bee2 100644 --- a/usr.bin/tar/Makefile +++ b/usr.bin/tar/Makefile @@ -1,11 +1,9 @@ .include -_LIBARCHIVEDIR= ${SRCTOP}/contrib/libarchive +.include "${SRCTOP}/lib/libarchive/Makefile.inc" PACKAGE= runtime PROG= bsdtar -BSDTAR_VERSION_STRING!= sed -n '/define.*ARCHIVE_VERSION_ONLY_STRING/{s,[^0-9.],,gp;q;}' \ - ${_LIBARCHIVEDIR}/libarchive/archive.h .PATH: ${_LIBARCHIVEDIR}/tar SRCS= bsdtar.c \ @@ -23,14 +21,9 @@ SRCS+= lafe_err.c \ LIBADD= archive -.if ${MK_ICONV} != "no" -CFLAGS+= -DHAVE_ICONV=1 -DHAVE_ICONV_H=1 -DICONV_CONST=const -.endif +CFLAGS+= -DBSDTAR_VERSION_STRING=\"${LIBARCHIVE_VERSION_ONLY_STRING}\" +CFLAGS+= -I${_LIBARCHIVEDIR}/tar -CFLAGS+= -DBSDTAR_VERSION_STRING=\"${BSDTAR_VERSION_STRING}\" -CFLAGS+= -DPLATFORM_CONFIG_H=\"${SRCTOP}/lib/libarchive/config_freebsd.h\" -CFLAGS+= -I${_LIBARCHIVEDIR}/tar -I${_LIBARCHIVEDIR}/libarchive -CFLAGS+= -I${_LIBARCHIVEDIR}/libarchive_fe SYMLINKS= bsdtar ${BINDIR}/tar MLINKS= bsdtar.1 tar.1 diff --git a/usr.bin/tar/tests/Makefile b/usr.bin/tar/tests/Makefile index 116425b0621f..45db3abf7bc2 100644 --- a/usr.bin/tar/tests/Makefile +++ b/usr.bin/tar/tests/Makefile @@ -1,17 +1,18 @@ +.include + +.include "${SRCTOP}/lib/libarchive/Makefile.inc" + PACKAGE= tests WARNS?= 3 -_LIBARCHIVEDIR= ${SRCTOP}/contrib/libarchive - ATF_TESTS_SH+= functional_test BINDIR= ${TESTSDIR} -CFLAGS+= -DPLATFORM_CONFIG_H=\"${SRCTOP}/lib/libarchive/config_freebsd.h\" -CFLAGS+= -I${SRCTOP}/lib/libarchive -I${.OBJDIR} -CFLAGS+= -I${_LIBARCHIVEDIR}/libarchive -CFLAGS+= -I${_LIBARCHIVEDIR}/tar -I${_LIBARCHIVEDIR}/tar/test +CFLAGS+= -I${.OBJDIR} +CFLAGS+= -I${_LIBARCHIVEDIR}/tar +CFLAGS+= -I${_LIBARCHIVEDIR}/tar/test CFLAGS+= -I${_LIBARCHIVEDIR}/test_utils CFLAGS.test_utils.c+= -Wno-cast-align diff --git a/usr.bin/unzip/Makefile b/usr.bin/unzip/Makefile index 3ca95e5fa881..35d82729b718 100644 --- a/usr.bin/unzip/Makefile +++ b/usr.bin/unzip/Makefile @@ -1,25 +1,20 @@ .include -_LIBARCHIVEDIR= ${SRCTOP}/contrib/libarchive -_LIBARCHIVECONFDIR= ${SRCTOP}/lib/libarchive +.include "${SRCTOP}/lib/libarchive/Makefile.inc" PROG= bsdunzip -BSDUNZIP_VERSION_STRING!= sed -n '/define.*ARCHIVE_VERSION_ONLY_STRING/{s,[^0-9.],,gp;q;}' \ - ${_LIBARCHIVEDIR}/libarchive/archive.h - .PATH: ${_LIBARCHIVEDIR}/unzip SRCS= bsdunzip.c .PATH: ${_LIBARCHIVEDIR}/libarchive_fe SRCS+= cmdline.c lafe_err.c lafe_getline.c passphrase.c -CFLAGS+= -DBSDUNZIP_VERSION_STRING=\"${BSDUNZIP_VERSION_STRING}\" -CFLAGS+= -DPLATFORM_CONFIG_H=\"${_LIBARCHIVECONFDIR}/config_freebsd.h\" -CFLAGS+= -I${_LIBARCHIVEDIR}/unzip -I${_LIBARCHIVEDIR}/libarchive_fe - LIBADD= archive +CFLAGS+= -DBSDUNZIP_VERSION_STRING=\"${LIBARCHIVE_VERSION_ONLY_STRING}\" +CFLAGS+= -I${_LIBARCHIVEDIR}/unzip + SYMLINKS=bsdunzip ${BINDIR}/unzip MLINKS= bsdunzip.1 unzip.1 @@ -27,4 +22,3 @@ HAS_TESTS= SUBDIR.${MK_TESTS}+= tests .include -# DO NOT DELETE diff --git a/usr.bin/unzip/tests/Makefile b/usr.bin/unzip/tests/Makefile index fada172b1bd7..0e55c49d07b5 100644 --- a/usr.bin/unzip/tests/Makefile +++ b/usr.bin/unzip/tests/Makefile @@ -1,3 +1,7 @@ +.include + +.include "${SRCTOP}/lib/libarchive/Makefile.inc" + PACKAGE= tests _LIBARCHIVEDIR= ${SRCTOP}/contrib/libarchive @@ -8,13 +12,10 @@ BINDIR= ${TESTSDIR} PROGS+= bsdunzip_test -CFLAGS+= -DPLATFORM_CONFIG_H=\"${SRCTOP}/lib/libarchive/config_freebsd.h\" -CFLAGS+= -I${SRCTOP}/lib/libarchive -I${.OBJDIR} - CFLAGS+= -I${.OBJDIR} -CFLAGS+= -I${_LIBARCHIVEDIR}/unzip -I${_LIBARCHIVEDIR}/unzip/test -CFLAGS+= -I${_LIBARCHIVEDIR}/libarchive -CFLAGS+= -I${_LIBARCHIVEDIR}/libarchive_fe -I${_LIBARCHIVEDIR}/test_utils +CFLAGS+= -I${_LIBARCHIVEDIR}/unzip +CFLAGS+= -I${_LIBARCHIVEDIR}/unzip/test +CFLAGS+= -I${_LIBARCHIVEDIR}/test_utils # Uncomment to link against dmalloc #LDADD+= -L/usr/local/lib -ldmalloc From nobody Mon Jun 8 23:01:05 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZ6wL4PmGz6gv15 for ; Mon, 08 Jun 2026 23:01:06 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZ6wK5shnz3Dyq for ; Mon, 08 Jun 2026 23:01:05 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780959665; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=1SRKwFnE8sRY9NtwAhaO3NukNyVFhJDA0PvcTdSUAKs=; b=twBdTsk3a4/QoiXvMc+vc4PsX2BTXywMCY2JYSKFcZ5N6V6b8PpyLsb1e/8HagrQX5+0vy 1f7pQNAQihlyViz9UHOw/Tx3TVB/BqVtOHZ4EJ2DZh2ixY3YT5rBuGfBe81NWHUpBUN38H hGbSkwhFXWRO6wpy1ztkM6QlRKammYG6/cghcPcRmUvSXYN8tcx+p9C71Obfmzi0hKL8bq UjnUFm99Py0XaVMMyDYeBq9oIMlPrtbm3n3Ro9xSzP5ZmAUIbuvu1W64Bhordtp1csQGNk OSyFupH1yIAfH01KFftGqZ4DjaAGPnsTn3DV0PuT9MeRWiDjndHzz7grCpjZxw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1780959665; a=rsa-sha256; cv=none; b=IaL0g95oJ41dMEcdFfgkz8+zLL+qyuzrxOGQgVI/99ScBJpDFYu86RV15/9GphMeLR9IBj WR4dai+QR8La8CF4OGdUIGD4m7o7Hj7VmaF6ZOrs7HNoE19WWHjpu0liHssDJVgOr9pK5G 8OrVVqb0etfGJn9cWHXrpGG1XC67KSrjyTjvxM9QO3s1j0DJVV1u/QGuxcrguVE/DUFdUA X30TLV+KgeETPHWvYlmDfkaYqxGanwz1FqYQRo8wLJTKZkzLmrDqdlEOgW+ai02CwaJNtL bBXJ4XKyuELdEtTDIvIKqWXpKxmLpBdKraGjR8uuhNv4Kunget1CmVwGcSNRaw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780959665; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=1SRKwFnE8sRY9NtwAhaO3NukNyVFhJDA0PvcTdSUAKs=; b=VhrvaAXG2x80YNxS9pduc/b9Nf9mbTQOsQ+36s+6RoCyc/2keBW8uduRrmVgRfMQ08vzLI dXrU0RZfeUz7/cHVtWpvk5EhUCwYBvrrvEI+v2Q0CquUxWlBMSiwArclAQ9vwQsWOjWTS5 4mtqPP5+uh8c6cX34f2cRYP2FEa/441V8Gq2/Tl5dkyTTPYb6/xh62ur7v/orCUOG55Iju x2QdbcWOiDaHPuUWUzq250pZgA0pjSr+jMeKMlxrQhCBmLskSUG6O9auCpXDRq4qcqF6Y1 OxAUtj9K63KLM/Ak5zZhB+2vRPtV4D0v8CM5DlDHNofmoGKinpIqZjIf174OBQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZ6wK1rD9z17Ss for ; Mon, 08 Jun 2026 23:01:05 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 2617c by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Mon, 08 Jun 2026 23:01:05 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Dag-Erling=?utf-8?Q? Sm=C3=B8rg?=rav Subject: git: 5c12023beb94 - stable/15 - rc: Bail if /dev/null is not a device List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 5c12023beb94609fb65845b76f21748a9f49bdca Auto-Submitted: auto-generated Date: Mon, 08 Jun 2026 23:01:05 +0000 Message-Id: <6a2749b1.2617c.5014c70e@gitrepo.freebsd.org> The branch stable/15 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=5c12023beb94609fb65845b76f21748a9f49bdca commit 5c12023beb94609fb65845b76f21748a9f49bdca Author: Dag-Erling Smørgrav AuthorDate: 2026-06-05 15:53:29 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2026-06-08 23:00:43 +0000 rc: Bail if /dev/null is not a device On startup, check that /dev/null exists and is a character device. Otherwise, one of two things will happen: either /dev is a writable directory and we will immediately create /dev/null as a regular file and dump garbage into it, or it does not and we will spit out a stream of error messages about failing to create /dev/null. PR: 295782 MFC after: 1 week Reviewed by: jhb, emaste Differential Revision: https://reviews.freebsd.org/D57447 (cherry picked from commit b5a96894f67a92f78f0641763eff1e0a46f2e036) --- libexec/rc/rc | 5 +++++ share/man/man8/rc.8 | 12 +++++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/libexec/rc/rc b/libexec/rc/rc index db3c3e20ab44..75eef606b7fe 100644 --- a/libexec/rc/rc +++ b/libexec/rc/rc @@ -46,6 +46,11 @@ HOME=/ PATH=/sbin:/bin:/usr/sbin:/usr/bin export HOME PATH +if ! [ -c /dev/null ]; then + echo "/dev is not populated" >&2 + exit 1 +fi + if [ "$1" = autoboot ]; then autoboot=yes _boot="faststart" diff --git a/share/man/man8/rc.8 b/share/man/man8/rc.8 index a68878f0a10a..bfdd65b52f4a 100644 --- a/share/man/man8/rc.8 +++ b/share/man/man8/rc.8 @@ -28,7 +28,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd September 20, 2024 +.Dd June 4, 2026 .Dt RC 8 .Os .Sh NAME @@ -97,6 +97,16 @@ command provides a scripting interface to modify system config files. .Ss Operation of Nm .Bl -enum .It +Verify that +.Pa /dev/null +exists and is a character device. +If that is not the case, +.Nm +prints an error message and terminates. +This is normally caused by forgetting to enable +.Xr devfs 5 +in a jail's configuration. +.It If autobooting, set .Va autoboot Ns = Ns Li yes and enable a flag From nobody Mon Jun 8 23:01:10 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZ6wQ5Dm4z6gv1F for ; Mon, 08 Jun 2026 23:01:10 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZ6wQ1ry4z3F2t for ; Mon, 08 Jun 2026 23:01:10 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780959670; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=7J767PmSFnhGiUfsjjw0DPoTDSS3f3OUTG+fcRCLWgM=; b=vFqdm1W2D1E9avdnnTaJSXlGmDRA8Qb8BkvAZKENo81i4BTPIXoxRw2vqFtblHQIrfv4yN Bx17mWfc4U+L+a8d3T/hlYkcpFFuULbr4zBpXqF+fD8SWtaeQj6AQgT0/6Hhw0L0dWMi0K jwv6T0P2uzTI2WNEVV7wS1xCei/kXwX6Hl5f+IKnBIgTgc9byFiqNBt7k9zJy6frGbZ6EV 8YdyUIdi6/mzEZX68zGZZSviV5AwDsQOM/4z28TnC2aO1AiU3UCPG4hOvS72PkUkvi8+lZ 4fSxcZi7qh48z2lch5ZZ/g0gJUlGyTRwmrvl/94yqOCHkHngpfCJwontbbC+1Q== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1780959670; a=rsa-sha256; cv=none; b=yPDXIMnOiW3Rwizry8WnVCTqjWjjiPT81aWLQ6QZHNKpfe86Vyw4KtxSjORtMEVuStCI0R r7xAsdkHNTcuRdQnp3+E/FHUZfWTJkWtDD3oXCjz8ur1ogGVKNwujfsevehL0F7btf9UG2 ObSKKV82e3dFf3UB9MZwRRUFte2R4hU+kfZiqQoV4aZGvuj/MffMaTBNTS5CO9ZSR6tp63 X2TZO669vRJE8reMmCx9GfUUWtDl00nKNPMkhweUp2lCV3gTm024W9FAh/phKCzHy1Eurb L1kSNM3hf7WSYH3OotuY1sxVzgiPavScOmNh64QsCfyprCoCRgjyW7Hl86gy9Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780959670; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=7J767PmSFnhGiUfsjjw0DPoTDSS3f3OUTG+fcRCLWgM=; b=MsD+gaVWbtaRujGM0oIE/e1Jzxtjz+oEPmfmIYRToLu5x2zvlWEJoNQLYUnSdFYonItHD7 AObU/Um7H0XUf1p4RHz26rchADsUlWNwfhC9+8bJ10CNmu5fereVDdBF92pZRHscos067Z UeerT8eb3nsQA8dhkHWcEmnZnC5A73rrVAEiHqvZog7HEgpL4CDP4Ynpv48BNlWlg7D56S e93yxjSCAXiIqahtuJfemiGyTifHmUBb2iRnm874cbygytMd/Ls4t8xWo0H6U1RW3dlSUi 0i0q93zp0VNF22R6ztWT89ukHlUMgIg41UWZR+z3g69k8HVOgTR/K6/yJuKUlQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZ6wQ1Npbz17GH for ; Mon, 08 Jun 2026 23:01:10 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 24d23 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Mon, 08 Jun 2026 23:01:10 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Dag-Erling=?utf-8?Q? Sm=C3=B8rg?=rav Subject: git: d6800be31a1e - stable/14 - limits: Fix pipebuf resource type List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: d6800be31a1e1e51f8fa34dfb0654402f323d109 Auto-Submitted: auto-generated Date: Mon, 08 Jun 2026 23:01:10 +0000 Message-Id: <6a2749b6.24d23.488d06cb@gitrepo.freebsd.org> The branch stable/14 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=d6800be31a1e1e51f8fa34dfb0654402f323d109 commit d6800be31a1e1e51f8fa34dfb0654402f323d109 Author: Dag-Erling Smørgrav AuthorDate: 2026-06-04 22:41:41 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2026-06-08 23:00:53 +0000 limits: Fix pipebuf resource type * pipebuf is a size but is listed as a count PR: 295623 MFC after: 1 week Fixes: f54f41403d14 ("usr.bin/limits: support RLIMIT_PIPEBUF") Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D57456 (cherry picked from commit ad524568f9fb77e270a22744d81b9cea0a2ab0eb) --- usr.bin/limits/limits.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr.bin/limits/limits.c b/usr.bin/limits/limits.c index c53066b52a9f..0a76ec5b8e4e 100644 --- a/usr.bin/limits/limits.c +++ b/usr.bin/limits/limits.c @@ -244,7 +244,7 @@ static struct { { "swapuse", login_getcapsize }, { "kqueues", login_getcapnum }, { "umtxp", login_getcapnum }, - { "pipebuf", login_getcapnum }, + { "pipebuf", login_getcapsize }, }; /* From nobody Mon Jun 8 23:01:09 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZ6wP3rkbz6gtsk for ; Mon, 08 Jun 2026 23:01:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZ6wP1ln6z3F9j for ; Mon, 08 Jun 2026 23:01:09 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780959669; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ZFyRbL6qYzTNnZcw/qng4g/Auk/tSGwdnsIiclPT/gU=; b=wJW7hTtIst4b8saBgaRUncyR5vmudA1CPqqE092SfTsVPOuaq7fnBpH7+QF8iODiC2Wmcx 3mkczDL1QagvG/DdMAM+bNkcLSIZJ5+h8Jryutvf72SBJBgG/RguEpBexY6Y+/aDPJAbV7 u82j8VKpEM4CZhQKhdNoTwGqhhMwktZCkQScFFoU4k/tdw1WPR9eAwHh5MOEuKQo9B5zGq cZpPVfafBQfsNCtEtG5uBBOpVT/wabMFzzlQAa+37JKVvRb6c5pEYbmXPe9SN+Auc5B2Q3 gqUpzoNvNcx6jL49ErlwC3BNPaTvFWnEiE7zlpEPC7Y0rsHVidqJoHLn3tOi9A== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1780959669; a=rsa-sha256; cv=none; b=oCpa3sw+x4Cph/aH0zU6+qrROyY369Ge+J2Cu1fHAxgx9/OQRwOEokEoIQYh5eR+OOjcgk WSfD7scBNo7jVvCwRQ+J8PnefL6DbZ8Vc0MZ/x+7ho5dAp3vqAy5LpXI2viFEBJT5WHcq+ Rp08aMnWiNl2mLTC3MMT/KGVeBYjyNhqnHAL9hNvw4+ty6XTAn50L9+D66yEcGqNKM5tQP m9Okugh7dwOvtQqnPCGmV7eyiN9JZHW/4AZAuabWatDVxC5FALQpv0tL7mpC1fgSfZXQcv tEmasrBukprdHrLJuvvZxP4UVUS6AZ+NnyEIRoMVG0PGvZlqEME56F7nGbEBrg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780959669; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ZFyRbL6qYzTNnZcw/qng4g/Auk/tSGwdnsIiclPT/gU=; b=RchskVaqcENb/oy3TxkiB4vRDNbTuFvrVumYXw0T0/bi8u+K1PQho9Rwr8OaXRww9Xjwdb HDFJjUsR2mELyso/vDmxoKxSS05kIhKe67tTKou4xEAv6l56NzRyDCBS+hLgOeMaJkXz5c mQ51dNFwqEsw/EnaJ5BcFO9psVhGbMzMP5ZTrcbebNngSg3744v/Floz3KgaStmSZkYfTB oWnp3y0mLi6UQ/EAGmf1hHrYA6VQHm74E22eNTnzZoycbMZaeXK9Qi/jiGsqkjiOSvXUo7 fU1N2ZvqFgRMMnV38CoTrlOabujKYvKhAX/8wgZRYPC9YvO9t7M6tWoNWPQPxw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZ6wP0wqMz177D for ; Mon, 08 Jun 2026 23:01:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 24afd by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Mon, 08 Jun 2026 23:01:09 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Dag-Erling=?utf-8?Q? Sm=C3=B8rg?=rav Subject: git: 62f3971e6c06 - stable/14 - libarchive: Clean up the build configuration List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 62f3971e6c062d67660e4236e6106cc51e6492f0 Auto-Submitted: auto-generated Date: Mon, 08 Jun 2026 23:01:09 +0000 Message-Id: <6a2749b5.24afd.7ce0c87a@gitrepo.freebsd.org> The branch stable/14 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=62f3971e6c062d67660e4236e6106cc51e6492f0 commit 62f3971e6c062d67660e4236e6106cc51e6492f0 Author: Dag-Erling Smørgrav AuthorDate: 2026-06-04 13:12:23 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2026-06-08 23:00:52 +0000 libarchive: Clean up the build configuration * Move settings duplicated in libarchive, bsdcat, bsdcpio, bsdtar, and bsdunzip into libarchive's Makefile.inc. * Drop some CFLAGS that merely duplicated some of the contents of our platform configuration header. MFC after: 1 week Reviewed by: mm Differential Revision: https://reviews.freebsd.org/D57307 (cherry picked from commit eb3a0a74a069d0f294e1596504676459282bb308) libarchive: Fix typo in sed command MFC after: 1 week Fixes: eb3a0a74a069 ("libarchive: Clean up the build configuration") Reported by: Shawn Webb (cherry picked from commit ba0d22eacd6008e9f3b7395b41056de2423aef3d) --- lib/libarchive/Makefile | 7 ++----- lib/libarchive/Makefile.inc | 16 +++++++++++----- lib/libarchive/tests/Makefile | 8 ++++---- usr.bin/bsdcat/Makefile | 17 ++++++----------- usr.bin/bsdcat/tests/Makefile | 14 ++++++-------- usr.bin/cpio/Makefile | 18 +++++------------- usr.bin/cpio/tests/Makefile | 14 ++++++-------- usr.bin/tar/Makefile | 13 +++---------- usr.bin/tar/tests/Makefile | 12 ++++++------ usr.bin/unzip/Makefile | 14 ++++---------- usr.bin/unzip/tests/Makefile | 12 ++++++------ 11 files changed, 59 insertions(+), 86 deletions(-) diff --git a/lib/libarchive/Makefile b/lib/libarchive/Makefile index fed73c388318..f9c5f758382c 100644 --- a/lib/libarchive/Makefile +++ b/lib/libarchive/Makefile @@ -1,7 +1,8 @@ .include +.include "Makefile.inc" + PACKAGE=lib${LIB} -_LIBARCHIVEDIR= ${SRCTOP}/contrib/libarchive LIB= archive @@ -9,10 +10,6 @@ LIB= archive # It has no real relation to the libarchive version number. SHLIB_MAJOR= 7 -CFLAGS+= -I${.OBJDIR} -CFLAGS+= -I${SRCTOP}/sys/contrib/zstd/lib -.include "Makefile.inc" - .if ${MACHINE_ARCH:Marm*} != "" || ${MACHINE_ARCH:Mpowerpc*} != "" NO_WCAST_ALIGN= yes .if ${MACHINE_ARCH:M*64*} == "" diff --git a/lib/libarchive/Makefile.inc b/lib/libarchive/Makefile.inc index 755a39ec01e8..514ce205d560 100644 --- a/lib/libarchive/Makefile.inc +++ b/lib/libarchive/Makefile.inc @@ -2,11 +2,17 @@ # them in sync we can get run-time crashes while running tests due to mismatches # between structures such as archive_md5_ctx, etc. -LIBADD= z bz2 lzma bsdxml zstd -CFLAGS+= -DHAVE_BZLIB_H=1 -DHAVE_LIBLZMA=1 -DHAVE_LZMA_H=1 \ - -DHAVE_ZSTD_H=1 -DHAVE_LIBZSTD=1 -DHAVE_ZSTD_compressStream=1 \ - -DHAVE_SYSCONF=1 -CFLAGS+= -DPLATFORM_CONFIG_H=\"${.CURDIR}/config_freebsd.h\" +_LIBARCHIVEDIR= ${SRCTOP}/contrib/libarchive +LIBARCHIVE_VERSION_ONLY_STRING!= \ + sed -n '/define.*ARCHIVE_VERSION_ONLY_STRING/{s,[^0-9.],,gp;q;}' \ + ${_LIBARCHIVEDIR}/libarchive/archive.h + +LIBADD+= z bz2 lzma bsdxml zstd +CFLAGS+= -DPLATFORM_CONFIG_H=\"config_freebsd.h\" +CFLAGS+= -I${SRCTOP}/lib/libarchive +CFLAGS+= -I${_LIBARCHIVEDIR}/libarchive +CFLAGS+= -I${_LIBARCHIVEDIR}/libarchive_fe +CFLAGS+= -I${SRCTOP}/sys/contrib/zstd/lib .if ${MK_OPENSSL} != "no" CFLAGS+= -DWITH_OPENSSL diff --git a/lib/libarchive/tests/Makefile b/lib/libarchive/tests/Makefile index 3a03725054f4..3210938bc117 100644 --- a/lib/libarchive/tests/Makefile +++ b/lib/libarchive/tests/Makefile @@ -1,11 +1,11 @@ .include +.include "${SRCTOP}/lib/libarchive/Makefile.inc" + PACKAGE= tests WARNS?= 3 -_LIBARCHIVEDIR= ${SRCTOP}/contrib/libarchive - ATF_TESTS_SH+= functional_test TEST_METADATA.functional_test+= timeout="600" @@ -14,8 +14,8 @@ BINDIR= ${TESTSDIR} PROGS+= libarchive_test -CFLAGS+= -I${.CURDIR} -I${.CURDIR:H} -I${.OBJDIR} -CFLAGS+= -I${_LIBARCHIVEDIR}/libarchive -I${_LIBARCHIVEDIR}/libarchive/test +CFLAGS+= -I${.OBJDIR} +CFLAGS+= -I${_LIBARCHIVEDIR}/libarchive/test CFLAGS+= -I${_LIBARCHIVEDIR}/test_utils CFLAGS+= -I${SRCTOP}/sys/contrib/zstd/lib diff --git a/usr.bin/bsdcat/Makefile b/usr.bin/bsdcat/Makefile index 0377a4c48f5f..ce10aefd4c58 100644 --- a/usr.bin/bsdcat/Makefile +++ b/usr.bin/bsdcat/Makefile @@ -1,12 +1,9 @@ .include -_LIBARCHIVEDIR= ${SRCTOP}/contrib/libarchive -_LIBARCHIVECONFDIR= ${SRCTOP}/lib/libarchive +.include "${SRCTOP}/lib/libarchive/Makefile.inc" PROG= bsdcat -BSDCAT_VERSION_STRING!= sed -n '/define.*ARCHIVE_VERSION_ONLY_STRING/{s,[^0-9.],,gp;q;}' \ - ${_LIBARCHIVEDIR}/libarchive/archive.h .PATH: ${_LIBARCHIVEDIR}/cat SRCS= bsdcat.c cmdline.c @@ -14,15 +11,13 @@ SRCS= bsdcat.c cmdline.c .PATH: ${_LIBARCHIVEDIR}/libarchive_fe SRCS+= lafe_err.c -CFLAGS+= -DBSDCAT_VERSION_STRING=\"${BSDCAT_VERSION_STRING}\" -CFLAGS+= -DPLATFORM_CONFIG_H=\"${_LIBARCHIVECONFDIR}/config_freebsd.h\" -CFLAGS+= -I${_LIBARCHIVEDIR}/cat -I${_LIBARCHIVEDIR}/libarchive_fe - LIBADD= archive -.if ${MK_ICONV} != "no" -CFLAGS+= -DHAVE_ICONV=1 -DHAVE_ICONV_H=1 -DICONV_CONST=const -.endif +CFLAGS+= -DBSDCAT_VERSION_STRING=\"${LIBARCHIVE_VERSION_ONLY_STRING}\" +CFLAGS+= -I${_LIBARCHIVEDIR}/cat + +#SYMLINKS=bsdcat ${BINDIR}/cat +#MLINKS= bsdcat.1 cat.1 HAS_TESTS= SUBDIR.${MK_TESTS}+= tests diff --git a/usr.bin/bsdcat/tests/Makefile b/usr.bin/bsdcat/tests/Makefile index 02382137aa16..f75ebeac2aea 100644 --- a/usr.bin/bsdcat/tests/Makefile +++ b/usr.bin/bsdcat/tests/Makefile @@ -1,7 +1,8 @@ +.include -PACKAGE= tests +.include "${SRCTOP}/lib/libarchive/Makefile.inc" -_LIBARCHIVEDIR= ${SRCTOP}/contrib/libarchive +PACKAGE= tests ATF_TESTS_SH+= functional_test @@ -9,13 +10,10 @@ BINDIR= ${TESTSDIR} PROGS+= bsdcat_test -CFLAGS+= -DPLATFORM_CONFIG_H=\"${SRCTOP}/lib/libarchive/config_freebsd.h\" -CFLAGS+= -I${SRCTOP}/lib/libarchive -I${.OBJDIR} - CFLAGS+= -I${.OBJDIR} -CFLAGS+= -I${_LIBARCHIVEDIR}/cat -I${_LIBARCHIVEDIR}/cat/test -CFLAGS+= -I${_LIBARCHIVEDIR}/libarchive -CFLAGS+= -I${_LIBARCHIVEDIR}/libarchive_fe -I${_LIBARCHIVEDIR}/test_utils +CFLAGS+= -I${_LIBARCHIVEDIR}/cat +CFLAGS+= -I${_LIBARCHIVEDIR}/cat/test +CFLAGS+= -I${_LIBARCHIVEDIR}/test_utils CFLAGS.test_utils.c+= -Wno-cast-align diff --git a/usr.bin/cpio/Makefile b/usr.bin/cpio/Makefile index a52a12ea361b..594bd86fdbd5 100644 --- a/usr.bin/cpio/Makefile +++ b/usr.bin/cpio/Makefile @@ -1,12 +1,9 @@ .include -_LIBARCHIVEDIR= ${SRCTOP}/contrib/libarchive -_LIBARCHIVECONFDIR= ${SRCTOP}/lib/libarchive +.include "${SRCTOP}/lib/libarchive/Makefile.inc" PROG= bsdcpio -BSDCPIO_VERSION_STRING!= sed -n '/define.*ARCHIVE_VERSION_ONLY_STRING/{s,[^0-9.],,gp;q;}' \ - ${_LIBARCHIVEDIR}/libarchive/archive.h .PATH: ${_LIBARCHIVEDIR}/cpio SRCS= cpio.c cmdline.c @@ -14,18 +11,13 @@ SRCS= cpio.c cmdline.c .PATH: ${_LIBARCHIVEDIR}/libarchive_fe SRCS+= lafe_err.c line_reader.c passphrase.c -CFLAGS+= -DBSDCPIO_VERSION_STRING=\"${BSDCPIO_VERSION_STRING}\" -CFLAGS+= -DPLATFORM_CONFIG_H=\"${_LIBARCHIVECONFDIR}/config_freebsd.h\" -CFLAGS+= -I${_LIBARCHIVEDIR}/cpio -I${_LIBARCHIVEDIR}/libarchive_fe - LIBADD= archive -.if ${MK_ICONV} != "no" -CFLAGS+= -DHAVE_ICONV=1 -DHAVE_ICONV_H=1 -DICONV_CONST=const -.endif +CFLAGS+= -DBSDCPIO_VERSION_STRING=\"${LIBARCHIVE_VERSION_ONLY_STRING}\" +CFLAGS+= -I${_LIBARCHIVEDIR}/tar -SYMLINKS=bsdcpio ${BINDIR}/cpio -MLINKS= bsdcpio.1 cpio.1 +SYMLINKS= bsdcpio ${BINDIR}/cpio +MLINKS= bsdcpio.1 cpio.1 HAS_TESTS= SUBDIR.${MK_TESTS}+= tests diff --git a/usr.bin/cpio/tests/Makefile b/usr.bin/cpio/tests/Makefile index e06f7fc34de3..0db109c1e379 100644 --- a/usr.bin/cpio/tests/Makefile +++ b/usr.bin/cpio/tests/Makefile @@ -1,7 +1,8 @@ +.include -PACKAGE= tests +.include "${SRCTOP}/lib/libarchive/Makefile.inc" -_LIBARCHIVEDIR= ${SRCTOP}/contrib/libarchive +PACKAGE= tests ATF_TESTS_SH+= functional_test @@ -9,13 +10,10 @@ BINDIR= ${TESTSDIR} PROGS+= bsdcpio_test -CFLAGS+= -DPLATFORM_CONFIG_H=\"${SRCTOP}/lib/libarchive/config_freebsd.h\" -CFLAGS+= -I${SRCTOP}/lib/libarchive -I${.OBJDIR} - CFLAGS+= -I${.OBJDIR} -CFLAGS+= -I${_LIBARCHIVEDIR}/cpio -I${_LIBARCHIVEDIR}/cpio/test -CFLAGS+= -I${_LIBARCHIVEDIR}/libarchive -CFLAGS+= -I${_LIBARCHIVEDIR}/libarchive_fe -I${_LIBARCHIVEDIR}/test_utils +CFLAGS+= -I${_LIBARCHIVEDIR}/cpio +CFLAGS+= -I${_LIBARCHIVEDIR}/cpio/test +CFLAGS+= -I${_LIBARCHIVEDIR}/test_utils # Uncomment to link against dmalloc #LDADD+= -L/usr/local/lib -ldmalloc diff --git a/usr.bin/tar/Makefile b/usr.bin/tar/Makefile index 8b0d3e4a6cf0..0452e084bee2 100644 --- a/usr.bin/tar/Makefile +++ b/usr.bin/tar/Makefile @@ -1,11 +1,9 @@ .include -_LIBARCHIVEDIR= ${SRCTOP}/contrib/libarchive +.include "${SRCTOP}/lib/libarchive/Makefile.inc" PACKAGE= runtime PROG= bsdtar -BSDTAR_VERSION_STRING!= sed -n '/define.*ARCHIVE_VERSION_ONLY_STRING/{s,[^0-9.],,gp;q;}' \ - ${_LIBARCHIVEDIR}/libarchive/archive.h .PATH: ${_LIBARCHIVEDIR}/tar SRCS= bsdtar.c \ @@ -23,14 +21,9 @@ SRCS+= lafe_err.c \ LIBADD= archive -.if ${MK_ICONV} != "no" -CFLAGS+= -DHAVE_ICONV=1 -DHAVE_ICONV_H=1 -DICONV_CONST=const -.endif +CFLAGS+= -DBSDTAR_VERSION_STRING=\"${LIBARCHIVE_VERSION_ONLY_STRING}\" +CFLAGS+= -I${_LIBARCHIVEDIR}/tar -CFLAGS+= -DBSDTAR_VERSION_STRING=\"${BSDTAR_VERSION_STRING}\" -CFLAGS+= -DPLATFORM_CONFIG_H=\"${SRCTOP}/lib/libarchive/config_freebsd.h\" -CFLAGS+= -I${_LIBARCHIVEDIR}/tar -I${_LIBARCHIVEDIR}/libarchive -CFLAGS+= -I${_LIBARCHIVEDIR}/libarchive_fe SYMLINKS= bsdtar ${BINDIR}/tar MLINKS= bsdtar.1 tar.1 diff --git a/usr.bin/tar/tests/Makefile b/usr.bin/tar/tests/Makefile index fe3dd3e8e6ed..45db3abf7bc2 100644 --- a/usr.bin/tar/tests/Makefile +++ b/usr.bin/tar/tests/Makefile @@ -1,18 +1,18 @@ +.include + +.include "${SRCTOP}/lib/libarchive/Makefile.inc" PACKAGE= tests WARNS?= 3 -_LIBARCHIVEDIR= ${SRCTOP}/contrib/libarchive - ATF_TESTS_SH+= functional_test BINDIR= ${TESTSDIR} -CFLAGS+= -DPLATFORM_CONFIG_H=\"${SRCTOP}/lib/libarchive/config_freebsd.h\" -CFLAGS+= -I${SRCTOP}/lib/libarchive -I${.OBJDIR} -CFLAGS+= -I${_LIBARCHIVEDIR}/libarchive -CFLAGS+= -I${_LIBARCHIVEDIR}/tar -I${_LIBARCHIVEDIR}/tar/test +CFLAGS+= -I${.OBJDIR} +CFLAGS+= -I${_LIBARCHIVEDIR}/tar +CFLAGS+= -I${_LIBARCHIVEDIR}/tar/test CFLAGS+= -I${_LIBARCHIVEDIR}/test_utils CFLAGS.test_utils.c+= -Wno-cast-align diff --git a/usr.bin/unzip/Makefile b/usr.bin/unzip/Makefile index e359ca162e73..bf00df8f1eee 100644 --- a/usr.bin/unzip/Makefile +++ b/usr.bin/unzip/Makefile @@ -1,26 +1,21 @@ .include -_LIBARCHIVEDIR= ${SRCTOP}/contrib/libarchive -_LIBARCHIVECONFDIR= ${SRCTOP}/lib/libarchive +.include "${SRCTOP}/lib/libarchive/Makefile.inc" PROG= bsdunzip -BSDUNZIP_VERSION_STRING!= sed -n '/define.*ARCHIVE_VERSION_ONLY_STRING/{s,[^0-9.],,gp;q;}' \ - ${_LIBARCHIVEDIR}/libarchive/archive.h - .PATH: ${_LIBARCHIVEDIR}/unzip SRCS= bsdunzip.c .PATH: ${_LIBARCHIVEDIR}/libarchive_fe SRCS+= cmdline.c lafe_err.c lafe_getline.c passphrase.c -CFLAGS+= -DBSDUNZIP_VERSION_STRING=\"${BSDUNZIP_VERSION_STRING}\" -CFLAGS+= -DPLATFORM_CONFIG_H=\"${_LIBARCHIVECONFDIR}/config_freebsd.h\" -CFLAGS+= -I${_LIBARCHIVEDIR}/unzip -I${_LIBARCHIVEDIR}/libarchive_fe - LIBADD= archive +CFLAGS+= -DBSDUNZIP_VERSION_STRING=\"${LIBARCHIVE_VERSION_ONLY_STRING}\" +CFLAGS+= -I${_LIBARCHIVEDIR}/unzip + SYMLINKS=bsdunzip ${BINDIR}/unzip MLINKS= bsdunzip.1 unzip.1 @@ -28,4 +23,3 @@ HAS_TESTS= SUBDIR.${MK_TESTS}+= tests .include -# DO NOT DELETE diff --git a/usr.bin/unzip/tests/Makefile b/usr.bin/unzip/tests/Makefile index fd5254a55912..0e55c49d07b5 100644 --- a/usr.bin/unzip/tests/Makefile +++ b/usr.bin/unzip/tests/Makefile @@ -1,3 +1,6 @@ +.include + +.include "${SRCTOP}/lib/libarchive/Makefile.inc" PACKAGE= tests @@ -9,13 +12,10 @@ BINDIR= ${TESTSDIR} PROGS+= bsdunzip_test -CFLAGS+= -DPLATFORM_CONFIG_H=\"${SRCTOP}/lib/libarchive/config_freebsd.h\" -CFLAGS+= -I${SRCTOP}/lib/libarchive -I${.OBJDIR} - CFLAGS+= -I${.OBJDIR} -CFLAGS+= -I${_LIBARCHIVEDIR}/unzip -I${_LIBARCHIVEDIR}/unzip/test -CFLAGS+= -I${_LIBARCHIVEDIR}/libarchive -CFLAGS+= -I${_LIBARCHIVEDIR}/libarchive_fe -I${_LIBARCHIVEDIR}/test_utils +CFLAGS+= -I${_LIBARCHIVEDIR}/unzip +CFLAGS+= -I${_LIBARCHIVEDIR}/unzip/test +CFLAGS+= -I${_LIBARCHIVEDIR}/test_utils # Uncomment to link against dmalloc #LDADD+= -L/usr/local/lib -ldmalloc From nobody Mon Jun 8 23:01:11 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZ6wR72Jfz6gtlH for ; Mon, 08 Jun 2026 23:01:11 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZ6wR2hXQz3F0q for ; Mon, 08 Jun 2026 23:01:11 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780959671; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=H3TQ7A1PI7OwquQTch9iSt6yR5/WHJxizsrKvq+wAy0=; b=WkOgZoP6pFSF/uTP2YAlB4ONmnN77M+NhW4wkqHzqnyZNuXeJoDiPcwVRr377/ICTDQk+p 06PhGxWvyprEiW/e160whI2oWPvxoctZVcaKYQTzf6IQQ8z1HP/VwqB9eAUCJVeu4Z35oS jGmHexniI/an1xDaVAxNBVqEF8zsZv29HHZ542q73q1tk3GL/ofZzk1zbWiR8LZ7XamQNN CuA/lsVUfFuwKMclxVgA8HP2ebwrWfn7pKIjkW5h1yfZ3s1CE8rK+DpwVd7a6uSGPR4WW8 qq5N/h+FvYNXAqmSblYuwwQDqSUSjnAKb30qp7MPXoVT0eQ1+PMci3N+3C8Yag== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1780959671; a=rsa-sha256; cv=none; b=CU2jHYPZcxZ5GQ+0tPlworsArQFYPL0ZGYWfoUV+QubVXkUhJJguSNSy/+DCInH3dQ9PUh N0FjFnF5azCQ2jNJJ+va7nJTtlH4svJHnBZWY7wPigCNHxSCzed83ou129jzLOypBmOlmk BXgJ4BCAkpb0sloRNShPHG6sFT0kGnMx1rr2uE07cSC6fBKqNxUUsVYcMVtiODybSkLkZ/ hKgmngOacfnOhfwaiDEv3eZEZnnrCp57Uk4Z7X58iTn7ECHTDH74M1bIAyChXh+ymgHQfB R2gs0rMNz8s50sXWBlZCu8FuW2Pb+CTAGD7lVWeGtsbWxXl9k9a1/goVW/KvMQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780959671; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=H3TQ7A1PI7OwquQTch9iSt6yR5/WHJxizsrKvq+wAy0=; b=wcMX4zWCKnRcO0EaYlkqHwoXTSc/1rIriehkTnyHvw5RC8PJRnD0DaFyPup3HrEa7oUmlM 2zMkeirDFDn9k9Q86vU5rrlrc1RaPxdGnP5hAhu4aMFHuLpTdQKUlufv4XVHr9UxFY1wHK MzVRs7BSfT6IcKMPs3zwottpaF62r4sEj7zsnHDaQDJAmql6GZKligFVWMnkTz8g27Dyeb cqYwabsMV5Dae+hOGCQfvL4HJJvkItwqbN5yqkO5MZW5MsQ3LG9fqMppp0fp46vKvdETql hNll5vIAtjPUHaoFi0R9zdPosklSkkXauJRYh6TR5smuMzFNv6XKEgJAhSpzpg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZ6wR2Fwtz16lQ for ; Mon, 08 Jun 2026 23:01:11 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 26680 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Mon, 08 Jun 2026 23:01:11 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Dag-Erling=?utf-8?Q? Sm=C3=B8rg?=rav Subject: git: c8b81d5ff2f4 - stable/14 - etcupdate: Make diff -l actually work List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: c8b81d5ff2f404570c35653a1256916b06865f28 Auto-Submitted: auto-generated Date: Mon, 08 Jun 2026 23:01:11 +0000 Message-Id: <6a2749b7.26680.187184c6@gitrepo.freebsd.org> The branch stable/14 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=c8b81d5ff2f404570c35653a1256916b06865f28 commit c8b81d5ff2f404570c35653a1256916b06865f28 Author: Dag-Erling Smørgrav AuthorDate: 2026-06-04 22:41:27 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2026-06-08 23:00:54 +0000 etcupdate: Make diff -l actually work While here, remove unnecessary blank lines. MFC after: 1 week Fixes: 6d65c91b9a47 ("etcupdate: fix arguments order of diff command") Reviewed by: Boris Lytochkin Differential Revision: https://reviews.freebsd.org/D57330 (cherry picked from commit a85e39030f8c7faa3d5a33373389440de6f0fff7) --- usr.sbin/etcupdate/etcupdate.sh | 18 ++++-------------- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/usr.sbin/etcupdate/etcupdate.sh b/usr.sbin/etcupdate/etcupdate.sh index f62343a24eee..738e4f4ef378 100755 --- a/usr.sbin/etcupdate/etcupdate.sh +++ b/usr.sbin/etcupdate/etcupdate.sh @@ -504,42 +504,32 @@ diffnode() $COMPARE_EQUAL) ;; $COMPARE_ONLYFIRST) - echo echo "Removed: $3" - echo ;; $COMPARE_ONLYSECOND) - echo echo "Added: $3" - echo ;; $COMPARE_DIFFTYPE) first=`file_type $1/$3` second=`file_type $2/$3` - echo echo "Node changed from a $first to a $second: $3" - echo ;; $COMPARE_DIFFLINKS) first=`readlink $1/$file` second=`readlink $2/$file` - echo echo "Link changed: $file" rule "=" echo "-$first" echo "+$second" - echo ;; $COMPARE_DIFFFILES) if [ -n "$difflistonly" ]; then - echo echo "Changed: $3" - echo - break; + else + echo "Index: $3" + rule "=" + diff -u $diffargs -L "$3 ($4)" -L "$3 ($5)" $1/$3 $2/$3 fi - echo "Index: $3" - rule "=" - diff -u $diffargs -L "$3 ($4)" -L "$3 ($5)" $1/$3 $2/$3 ;; esac } From nobody Mon Jun 8 23:01:12 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZ6wT0Fnjz6gtwL for ; Mon, 08 Jun 2026 23:01:13 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZ6wS3bSlz3Dw2 for ; Mon, 08 Jun 2026 23:01:12 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780959672; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=I1ncG7n7iCNtUdTHHnm738OHM0k8NeR0XjYt4EXc4EE=; b=SeCVpjDNeOE4t4zndZUYhydhjm5cRbIWCCchSb/7+uVGMcm43ERiDncvGfRordrSIHs7II /3OUdo/MT/jXXR5I3IwZ7Grf5bZwROgNZmarzmvFV4oo+4xARMSzZXXLBc/JlwnLtDhZuE K7/iuPDfy00ElZdcD8HlH/oIlegZno7CsQROfp0XDJ89+sX/IYYPAhwl019tG1UBTxmq59 +zGqUaUgocT2HTkuizM4Rs9n5zy+Hepoee6O5M3y5o25v6/NadSU3HLXbihRBAy35LuBsU DXQwYqFNiEi9GFL1PxwUUiT38AowidM/UaqXRHVsFlsq8SDx6hIgePXqzh5Guw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1780959672; a=rsa-sha256; cv=none; b=rUdrnyRsYsvaCasKgDj5Um02GI3HyU7c/ALLpOFDCk81QoK4lEaCDzu+xxkqu4tnLljr6B aphOB58ObSZ9v8scKU1F12qmPWBdznuSzgEmdrk2+wd8q/DmHy8HRXZ7pjYzUyZCjwoym+ geenatb0ehUgLKYglEMSHKNy9LoPB3Vg2O11QYP3H2Wa1L3hC7a0ECn0BFJeJv2zGBuo/D gxzsgCzSCY7GnAoWhtMqBAlGzR0wrgMstRlPQHMR8JUX/GBJqX0L3Kah6htNcz7wXOpUu8 dUz7xUhYVUJBB4IFg6zH8DkOCqypwWEPptC4uyrp9pTw4FsJnQrGaPSgC4vAcw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780959672; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=I1ncG7n7iCNtUdTHHnm738OHM0k8NeR0XjYt4EXc4EE=; b=pFzBGpBNPLNRYR+STgujNu5nmgekjvuuyTOhIxM9pFPDd3aAQQkcwBSI9kHsIc7o1Ce2i3 hq1tJs7ywS/2aF22/G75DxOA4QO7ggB1gjy8qqtBzavtcA1gt1YQpNbNcG8E6KsRYZZmUh EhK4WRGVWuVaZQ5+j+1p90u4B6PvHbF5Zui2UnLabrTEe/l4wrad+o7BLXwDpILyhxRTvd tQe+qSyMQKgLfe3VrxFzDGlI9UK3VsCi24NUNrmY7YXTUBPyPRaV2ZEZWm5+Q8EVccPTaN y27Oy+d4OouPf/d6CUvIoHVeWfo2AY85WJZS2KX6e8tjVBIzgvo436JYLcT9Ow== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZ6wS388jz17DB for ; Mon, 08 Jun 2026 23:01:12 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 23bfe by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Mon, 08 Jun 2026 23:01:12 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Dag-Erling=?utf-8?Q? Sm=C3=B8rg?=rav Subject: git: d09b42a876bb - stable/14 - rc: Bail if /dev/null is not a device List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: d09b42a876bbd3a03edd8443976d0ad55a864e2e Auto-Submitted: auto-generated Date: Mon, 08 Jun 2026 23:01:12 +0000 Message-Id: <6a2749b8.23bfe.7991b2e9@gitrepo.freebsd.org> The branch stable/14 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=d09b42a876bbd3a03edd8443976d0ad55a864e2e commit d09b42a876bbd3a03edd8443976d0ad55a864e2e Author: Dag-Erling Smørgrav AuthorDate: 2026-06-05 15:53:29 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2026-06-08 23:00:54 +0000 rc: Bail if /dev/null is not a device On startup, check that /dev/null exists and is a character device. Otherwise, one of two things will happen: either /dev is a writable directory and we will immediately create /dev/null as a regular file and dump garbage into it, or it does not and we will spit out a stream of error messages about failing to create /dev/null. PR: 295782 MFC after: 1 week Reviewed by: jhb, emaste Differential Revision: https://reviews.freebsd.org/D57447 (cherry picked from commit b5a96894f67a92f78f0641763eff1e0a46f2e036) --- libexec/rc/rc | 5 +++++ share/man/man8/rc.8 | 13 +++++++++++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/libexec/rc/rc b/libexec/rc/rc index ae1b24a6f36d..3df98ef8a714 100644 --- a/libexec/rc/rc +++ b/libexec/rc/rc @@ -49,6 +49,11 @@ HOME=/ PATH=/sbin:/bin:/usr/sbin:/usr/bin export HOME PATH +if ! [ -c /dev/null ]; then + echo "/dev is not populated" >&2 + exit 1 +fi + if [ "$1" = autoboot ]; then autoboot=yes _boot="faststart" diff --git a/share/man/man8/rc.8 b/share/man/man8/rc.8 index fa736ce50394..beb0e86c6142 100644 --- a/share/man/man8/rc.8 +++ b/share/man/man8/rc.8 @@ -30,8 +30,7 @@ .\" .\" @(#)rc.8 8.2 (Berkeley) 12/11/93 .\" -.Dd June 1, 2023 -.Dd September 20, 2024 +.Dd June 4, 2026 .Dt RC 8 .Os .Sh NAME @@ -99,6 +98,16 @@ command provides a scripting interface to modify system config files. .Ss Operation of Nm .Bl -enum .It +Verify that +.Pa /dev/null +exists and is a character device. +If that is not the case, +.Nm +prints an error message and terminates. +This is normally caused by forgetting to enable +.Xr devfs 5 +in a jail's configuration. +.It If autobooting, set .Va autoboot Ns = Ns Li yes and enable a flag From nobody Tue Jun 9 00:48:50 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZ9Jf2hN4z6h39g for ; Tue, 09 Jun 2026 00:48:50 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZ9Jf24Qdz3Pnl for ; Tue, 09 Jun 2026 00:48:50 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780966130; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=vUqQ56NhiRsr6HLLmuiDJLKABhkFySJ/Pr70WOvfWQM=; b=GSTaX2i0DIsHn3CKs1A7bGFhQDxUnrPlrzbP2ceh0/HZINJk+kzPwzGb6zjqNf749Ba9z0 Qxjc+XCBBQyehnhYrxrJZ9p4uxZS90IJ6cBaxIDinDGddhV+qJTNMYqiwi4gyCpUw/B/m4 aCn0u/KOGToXHO0tytrvlnqyX05drCPlxQCoeeTSJn2LsGdx3bBRUJFJ8DY8IjjxdVNF3m uyDEqEL9sCyJrhBxF5DOBNNiIdkrUOcpTTgspc0ieSmXOg40ytHkmfMEcBbTx+Gt7tcDc6 6VbeoxIgtjVB/VqgWT8vQJ5WxccFlP16IbHXRt4WYIv79V0fCzVMiRRD5tmqYQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1780966130; a=rsa-sha256; cv=none; b=f2+fOnqMqH9fUnRpDiC1phbOvaFVpFReHVEvJ0NIagsnhxopumOusUwhvnnsrp9cJe/S5a 2zQqnvR56+lvQVvJi/Bjigq83oEoFtv746ONKi9Z76nNep9rsI/lx/PHx1YrbnGfIrfUzl A8uauGz5Dgw1LrG/IwWgQJpf1yt/t7X+HtI7cgVQu21kS9LalgL+TjSC3L7zFVuSbPfzNO Ju8rbBByqX4583j8tpEz0BL3lPEvM/YO3GQZrWOtzYHpYZZMV8PGcIVmOJHuz4Y5JGmvWZ z00QWKomh1B7zLgVtPGElNvtkOnlGrsYN9u0X3s/cuBX6cFRItN814YguOWtyQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780966130; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=vUqQ56NhiRsr6HLLmuiDJLKABhkFySJ/Pr70WOvfWQM=; b=FocpiJklljoA3RC+rsdqjxZusTIy62s5FphiSyhIRmjabzWYKglfuqKSZ31V2JmMQR68Ks uyqxQiktHcsc7jQGkcL8uSjaEfnOt3JNCJM0IATwWbDq7Zf5CkkaGAA7tedPpZu0LU/165 G71kLyP5X/r4+IH+fPrUbCh1mKdSgD61ATrfN3AhcZ1Yd36z+7lEzGitbZBToZmkwRE2WS eLRDv79Q5ZxMJndeyUNBkE78cEyJ6E/SxwHpaeXmVvDtPho7ogum5i1eko1It1J3LpDo1u nvrRKC+3SMoleMPLM92YtQYnAfdp0UTMWFbEwnfHC3VkJbtNzqFcyf8WWfjzYg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZ9Jf1QCnz1BLH for ; Tue, 09 Jun 2026 00:48:50 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3937d by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 00:48:50 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: 6a1e761dc47d - stable/15 - Makefile.vm: Split error condition List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 6a1e761dc47d36f550393cb90cc0e321c9cfb3fb Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 00:48:50 +0000 Message-Id: <6a2762f2.3937d.285c22c@gitrepo.freebsd.org> The branch stable/15 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=6a1e761dc47d36f550393cb90cc0e321c9cfb3fb commit 6a1e761dc47d36f550393cb90cc0e321c9cfb3fb Author: Ed Maste AuthorDate: 2026-05-05 21:12:25 +0000 Commit: Ed Maste CommitDate: 2026-06-09 00:48:29 +0000 Makefile.vm: Split error condition Make it clear which of two possible cases applies. Reviewed by: cperciva Differential Revision: https://reviews.freebsd.org/D56837 (cherry picked from commit 76d756eaa6823aad282cc53ec4e41a9777d89adc) --- release/Makefile.vm | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/release/Makefile.vm b/release/Makefile.vm index d937783f02fe..8296fc47a477 100644 --- a/release/Makefile.vm +++ b/release/Makefile.vm @@ -99,9 +99,10 @@ QEMUTGT?= .if (defined(WITH_CLOUDWARE) && !empty(WITH_CLOUDWARE)) || \ (defined(WITH_VMIMAGES) && !empty(WITH_VMIMAGES)) -.if (defined(WITHOUT_QEMU) && !defined(NO_ROOT)) || \ - (!defined(WITHOUT_QEMU) && defined(NO_ROOT)) -.error WITHOUT_QEMU requires NO_ROOT (and vice versa) +.if (defined(WITHOUT_QEMU) && !defined(NO_ROOT)) +.error WITHOUT_QEMU requires NO_ROOT +.elif (!defined(WITHOUT_QEMU) && defined(NO_ROOT)) +.error NO_ROOT requires WITHOUT_QEMU .endif .endif From nobody Tue Jun 9 08:17:44 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZMGc4xRhz6hb3j for ; Tue, 09 Jun 2026 08:17:44 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZMGc4SXqz3DHQ for ; Tue, 09 Jun 2026 08:17:44 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780993064; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=SJK4R2FsNnWOG5AVIS2YvOxwpnT07kJhz7hfrDoR9qY=; b=VKJ0QYcz1cppXufOszWJ8gKNXmBpxZSoG0CP6mrXgpdWuL9PWoYKzokFbQpssn80HGD3S8 QFTvWghn6cGDm4Ufmkn8LxySk8wzGDtMndnQvnqUAYNSaRSxnbUavqwRU201wUmiVzdI/t 74GtLOt9pzH2pfsiziuJ4Lyg/hquzH8HpCiKbXQpJ9LKiHMLZZBmHB+3M0X7Jye/zq10ez Fuj1V0tnv5Z7+f4Lh2FjAA1zVRz7gvILzz81ioWm4lQa/xjwS99Rp1ww/xKaxj4X4tpIE+ 2PYkaUrSn3nCyIKNCVJiK4/cmV+aYPpQHuCDpKGaEzKQC+xTSRa3otbktDROSg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1780993064; a=rsa-sha256; cv=none; b=qAiULPFCBkdA6RMjuukJGMFIodwDC4xbUj1/4yaZ3Sq6rzDVPVRHJ9idABqohfUfrxOAbO vrnfSCbf5OpAJKl3Wo+N4d94CzTQmDxlprgGY77fdSVn0xxuWdCcLYEtdfyz4hUnLUZtqM AgjVr1lPiu1UhwLAuqXRrSFs/di80dOTNQaoHpUTnNtTfgywU+lG89ykH0z6RFLQ1h+Jqr 9Hb+wonumgQhnvDsy8n4SxoYaFYpPtzS6CD9QwrBFeatMPstL0NMfehGVSwCcu+Z+NXJm6 sweKlqULYvSgdENnTqbGxgy8zYg4Tvl9tOfm4UKtYXxE1blOqmHF2f01RSkkxQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780993064; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=SJK4R2FsNnWOG5AVIS2YvOxwpnT07kJhz7hfrDoR9qY=; b=v9F0gEKlF8BzAsgCssnxpzISGQWanp7KK+Y/4v+sCCyP4H3BWdzm0Ri8jhMOfNxR4EekUQ FYBeLv+48SDRDcBIfvsPPviMraIQnG88ZS6Aq0+1KpitA575YnEmyCEqr6YiD2mnCszu1E g7SY/GqWAvvX9fA2+le84nOzHMqzXo1wdvZEkHOLib+aKe48FQ99FA7g/n2f1RR0QJIhYk I62D0agZMgsQ4Q6h3rxt1spn5PiHOA26u1tRsgtWbWj0INEJ38VxHm8F7ExE9keph0h17+ /LGLRj8juk8zVgVw12YeKT301j74UqiF0/dGZH+skyaYcj36e/x6uLThUR0u6Q== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZMGc3hmMzBBD for ; Tue, 09 Jun 2026 08:17:44 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 47e28 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 08:17:44 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Dag-Erling=?utf-8?Q? Sm=C3=B8rg?=rav Subject: git: 12f8971ee6b6 - stable/14 - stat: Add option to list holes List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 12f8971ee6b60ecdbfae2ff1f1b936f27d573880 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 08:17:44 +0000 Message-Id: <6a27cc28.47e28.4bd23b4@gitrepo.freebsd.org> The branch stable/14 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=12f8971ee6b60ecdbfae2ff1f1b936f27d573880 commit 12f8971ee6b60ecdbfae2ff1f1b936f27d573880 Author: Dag-Erling Smørgrav AuthorDate: 2025-09-16 13:37:57 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2026-06-09 08:10:43 +0000 stat: Add option to list holes Add a new -h option that causes stat to print a list of holes for each file argument. Sponsored by: Klara, Inc. Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D52481 (cherry picked from commit 1a7a067da456f8962ef87bfdf75c94cd12988615) --- usr.bin/stat/stat.1 | 45 +++++++++- usr.bin/stat/stat.c | 176 ++++++++++++++++++++++++++++++---------- usr.bin/stat/tests/stat_test.sh | 72 ++++++++++++++++ 3 files changed, 250 insertions(+), 43 deletions(-) diff --git a/usr.bin/stat/stat.1 b/usr.bin/stat/stat.1 index 2996781fafa6..55e64de0767e 100644 --- a/usr.bin/stat/stat.1 +++ b/usr.bin/stat/stat.1 @@ -6,6 +6,8 @@ .\" This code is derived from software contributed to The NetBSD Foundation .\" by Andrew Brown and Jan Schaumann. .\" +.\" Copyright (c) 2025 Klara, Inc. +.\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: @@ -27,7 +29,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd June 22, 2017 +.Dd September 9, 2025 .Dt STAT 1 .Os .Sh NAME @@ -36,7 +38,7 @@ .Nd display file status .Sh SYNOPSIS .Nm -.Op Fl FHLnq +.Op Fl FHhLnq .Op Fl f Ar format | Fl l | r | s | x .Op Fl t Ar timefmt .Op Ar @@ -129,6 +131,45 @@ and use instead of .Xr lstat 2 . This requires root privileges. +.It Fl h +For each file argument, print a line consisting of a comma-separated +list of holes, a space, and the file name. +Each hole is reported as its starting offset as a decimal number +followed by a hyphen and the ending offset (one less than the starting +offset of the data region that follows the hole) as a decimal number. +If the file ends in a hole, the ending offset of the final hole will +be one less than the size of the file. +Otherwise, the final entry in the list (indeed, the only entry in the +list, if the file is not sparse), is a single decimal number +corresponding to the size of the file, representing the virtual hole +at the end of the file. +.Pp +If the argument is a directory, instead of a list of holes, a single +number is printed, corresponding to the minimum hole size for that +directory as reported by +.Xr pathconf 2 , +followed by a space and the directory name. +.Pp +Please note that the only way to retrieve information about the holes +in a file is to open it and walk the list of holes and data regions +using +.Xr lseek 2 . +If the file is being modified by another process at the same time as +.Nm +is inspecting it, the result may be inconsistent. +.Pp +This option cannot be combined with the +.Fl F , +.Fl f , +.Fl H , +.Fl L , +.Fl l , +.Fl r , +.Fl s , +.Fl t , +or +.Fl x +options. .It Fl L Use .Xr stat 2 diff --git a/usr.bin/stat/stat.c b/usr.bin/stat/stat.c index 720069db3195..9c693a124f9a 100644 --- a/usr.bin/stat/stat.c +++ b/usr.bin/stat/stat.c @@ -7,6 +7,8 @@ * This code is derived from software contributed to The NetBSD Foundation * by Andrew Brown. * + * Copyright (c) 2025 Klara, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -47,18 +49,19 @@ __RCSID("$NetBSD: stat.c,v 1.33 2011/01/15 22:54:10 njoly Exp $" #endif /* HAVE_CONFIG_H */ #include -#include #include #include #include #include #include +#include #include #include #include #include #include +#include #include #include #include @@ -178,22 +181,24 @@ __RCSID("$NetBSD: stat.c,v 1.33 2011/01/15 22:54:10 njoly Exp $" #define SHOW_filename 'N' #define SHOW_sizerdev 'Z' -void usage(const char *); -void output(const struct stat *, const char *, - const char *, int, int); -int format1(const struct stat *, /* stat info */ +static void usage(const char *); +static void output(const struct stat *, const char *, const char *, int); +static int format1(const struct stat *, /* stat info */ const char *, /* the file name */ const char *, int, /* the format string itself */ char *, size_t, /* a place to put the output */ int, int, int, int, /* the parsed format */ int, int); -int hex2byte(const char [2]); +static int hex2byte(const char [2]); #if HAVE_STRUCT_STAT_ST_FLAGS -char *xfflagstostr(unsigned long); +static char *xfflagstostr(unsigned long); #endif +static int fdlistholes(int, const char *); +static int listholes(const char *); static const char *timefmt; static int linkfail; +static bool nonl; #define addchar(s, c, nl) \ do { \ @@ -205,20 +210,22 @@ int main(int argc, char *argv[]) { struct stat st; - int ch, rc, errs, am_readlink; - int lsF, fmtchar, usestat, nfs_handle, fn, nonl, quiet; - const char *statfmt, *options, *synopsis; char dname[sizeof _PATH_DEV + SPECNAMELEN] = _PATH_DEV; - fhandle_t fhnd; + const char *statfmt, *options, *synopsis; const char *file; + fhandle_t fhnd; + int ch, rc, errs, am_readlink, fn, fmtchar; + bool lsF, holes, usestat, nfs_handle, quiet; am_readlink = 0; - lsF = 0; + errs = 0; + lsF = false; fmtchar = '\0'; - usestat = 0; - nfs_handle = 0; - nonl = 0; - quiet = 0; + holes = false; + usestat = false; + nfs_handle = false; + nonl = false; + quiet = false; linkfail = 0; statfmt = NULL; timefmt = NULL; @@ -231,28 +238,35 @@ main(int argc, char *argv[]) fmtchar = 'f'; quiet = 1; } else { - options = "f:FHlLnqrst:x"; - synopsis = "[-FLnq] [-f format | -l | -r | -s | -x] " + options = "Ff:HhLlnqrst:x"; + synopsis = "[-FHhLnq] [-f format | -l | -r | -s | -x] " "[-t timefmt] [file|handle ...]"; } while ((ch = getopt(argc, argv, options)) != -1) switch (ch) { case 'F': - lsF = 1; + lsF = true; break; case 'H': - nfs_handle = 1; + nfs_handle = true; + break; + case 'h': + holes = true; break; case 'L': - usestat = 1; + usestat = true; break; case 'n': - nonl = 1; + nonl = true; + break; + case 't': + timefmt = optarg; break; case 'q': - quiet = 1; + quiet = true; break; + /* remaining cases are purposefully out of order */ case 'f': if (am_readlink) { statfmt = "%R"; @@ -269,9 +283,6 @@ main(int argc, char *argv[]) fmtchar, ch); fmtchar = ch; break; - case 't': - timefmt = optarg; - break; default: usage(synopsis); } @@ -280,6 +291,28 @@ main(int argc, char *argv[]) argv += optind; fn = 1; + if (holes) { + if (fmtchar || lsF || nfs_handle || usestat || timefmt) + usage(synopsis); + if (argc > 0) { + while (argc-- > 0) { + if (listholes(*argv) != 0) { + if (!quiet) + warn("%s", *argv); + errs++; + } + argv++; + } + } else { + if (fdlistholes(STDIN_FILENO, "stdin") != 0) { + if (!quiet) + warn("stdin"); + errs++; + } + } + exit(errs ? 1 : 0); + } + if (fmtchar == '\0') { if (lsF) fmtchar = 'l'; @@ -318,7 +351,6 @@ main(int argc, char *argv[]) if (timefmt == NULL) timefmt = TIME_FORMAT; - errs = 0; do { if (argc == 0) { if (fdevname_r(STDIN_FILENO, dname + @@ -361,8 +393,7 @@ main(int argc, char *argv[]) errno == ENOENT && (rc = lstat(file, &st)) == -1) errno = ENOENT; - } - else + } else rc = lstat(file, &st); } @@ -371,9 +402,8 @@ main(int argc, char *argv[]) linkfail = 1; if (!quiet) warn("%s", file); - } - else - output(&st, file, statfmt, fn, nonl); + } else + output(&st, file, statfmt, fn); argv++; argc--; @@ -387,7 +417,7 @@ main(int argc, char *argv[]) /* * fflagstostr() wrapper that leaks only once */ -char * +static char * xfflagstostr(unsigned long fflags) { static char *str = NULL; @@ -402,10 +432,9 @@ xfflagstostr(unsigned long fflags) } #endif /* HAVE_STRUCT_STAT_ST_FLAGS */ -void +static void usage(const char *synopsis) { - (void)fprintf(stderr, "usage: %s %s\n", getprogname(), synopsis); exit(1); } @@ -413,9 +442,8 @@ usage(const char *synopsis) /* * Parses a format string. */ -void -output(const struct stat *st, const char *file, - const char *statfmt, int fn, int nonl) +static void +output(const struct stat *st, const char *file, const char *statfmt, int fn) { int flags, size, prec, ofmt, hilo, what; char buf[PATH_MAX + 4 + 1]; @@ -606,7 +634,7 @@ output(const struct stat *st, const char *file, /* * Arranges output according to a single parsed format substring. */ -int +static int format1(const struct stat *st, const char *file, const char *fmt, int flen, @@ -1073,7 +1101,7 @@ format1(const struct stat *st, (void)strcat(lfmt, "ll"); switch (ofmt) { case FMTF_DECIMAL: (void)strcat(lfmt, "d"); break; - case FMTF_OCTAL: (void)strcat(lfmt, "o"); break; + case FMTF_OCTAL: (void)strcat(lfmt, "o"); break; case FMTF_UNSIGNED: (void)strcat(lfmt, "u"); break; case FMTF_HEX: (void)strcat(lfmt, "x"); break; } @@ -1083,9 +1111,75 @@ format1(const struct stat *st, #define hex2nibble(c) (c <= '9' ? c - '0' : toupper(c) - 'A' + 10) -int +static int hex2byte(const char c[2]) { if (!(ishexnumber(c[0]) && ishexnumber(c[1]))) return -1; return (hex2nibble(c[0]) << 4) + hex2nibble(c[1]); } + +static int +fdlistholes(int fd, const char *fn) +{ + struct stat sb; + off_t pos = 0, off; + long l; + + if (fstat(fd, &sb) < 0) + return (-1); + if (S_ISDIR(sb.st_mode)) { + if ((l = fpathconf(fd, _PC_MIN_HOLE_SIZE)) < 0) + return (-1); + printf("%ld", l); + } else if (!S_ISREG(sb.st_mode)) { + errno = ESPIPE; + return (-1); + } else { + for (;;) { + if ((off = lseek(fd, pos, SEEK_HOLE)) < 0) { + if (errno != ENXIO) + return (-1); + /* + * This can only happen if the file was + * truncated while we were scanning it, or + * on the initial seek if the file is + * empty. Report the virtual hole at the + * end of the file at this position. + */ + off = pos; + } + printf("%jd", (intmax_t)off); + pos = off; + if ((off = lseek(fd, pos, SEEK_DATA)) < 0) { + if (errno != ENXIO) + return (-1); + /* + * There are no more data regions in the + * file, or it got truncated. However, we + * may not be at the end yet. + */ + if ((off = lseek(fd, 0, SEEK_END)) > pos) + printf("-%jd", (intmax_t)off - 1); + break; + } + printf("-%jd,", (intmax_t)off - 1); + pos = off; + } + } + printf(" %s", fn); + if (!nonl) + printf("\n"); + return (0); +} + +static int +listholes(const char *fn) +{ + int fd, ret; + + if ((fd = open(fn, O_RDONLY)) < 0) + return (-1); + ret = fdlistholes(fd, fn); + close(fd); + return (ret); +} diff --git a/usr.bin/stat/tests/stat_test.sh b/usr.bin/stat/tests/stat_test.sh index e75fd0c56490..afe698575034 100755 --- a/usr.bin/stat/tests/stat_test.sh +++ b/usr.bin/stat/tests/stat_test.sh @@ -1,6 +1,7 @@ # # Copyright (c) 2017 Dell EMC # All rights reserved. +# Copyright (c) 2025 Klara, Inc. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions @@ -45,6 +46,76 @@ F_flag_body() atf_check -o match:'.* f\|' stat -Fn f } +atf_test_case h_flag cleanup +h_flag_head() +{ + atf_set "descr" "Verify the output format for -h" + atf_set "require.user" "root" +} +h_flag_body() +{ + # POSIX defines a hole as “[a] contiguous region of bytes + # within a file, all having the value of zero” and requires + # that “all seekable files shall have a virtual hole starting + # at the current size of the file” but says “it is up to the + # implementation to define when sparse files can be created + # and with what granularity for the size of holes”. It also + # defines a sparse file as “[a] file that contains more holes + # than just the virtual hole at the end of the file”. That's + # pretty much the extent of its discussion of holes, apart + # from the description of SEEK_HOLE and SEEK_DATA in the lseek + # manual page. In other words, there is no portable way to + # reliably create a hole in a file on any given file system. + # + # On FreeBSD, this test is likely to run on either tmpfs, ufs + # (ffs2), or zfs. Of those three, only tmpfs has predictable + # semantics and supports all possible configurations (the + # minimum hole size on zfs is variable for small files, and + # ufs will not allow a file to end in a hole). + atf_check mkdir mnt + atf_check mount -t tmpfs tmpfs mnt + cd mnt + + # For a directory, prints the minimum hole size, which on + # tmpfs is the system page size. + ps=$(sysctl -n hw.pagesize) + atf_check -o inline:"$((ps)) .\n" stat -h . + atf_check -o inline:"$((ps)) ." stat -hn . + + # For a file, prints a list of holes. + atf_check truncate -s 0 foo + atf_check -o inline:"0 foo" \ + stat -hn foo + atf_check truncate -s "$((ps))" foo + atf_check -o inline:"0-$((ps-1)) foo" \ + stat -hn foo + atf_check dd status=none if=/COPYRIGHT of=foo \ + oseek="$((ps))" bs=1 count=1 + atf_check -o inline:"0-$((ps-1)),$((ps+1)) foo" \ + stat -hn foo + atf_check truncate -s "$((ps*3))" foo + atf_check -o inline:"0-$((ps-1)),$((ps*2))-$((ps*3-1)) foo" \ + stat -hn foo + + # Test multiple files. + atf_check dd status=none if=/COPYRIGHT of=bar + sz=$(stat -f%z bar) + atf_check -o inline:"0-$((ps-1)),$((ps*2))-$((ps*3-1)) foo +$((sz)) bar +" \ + stat -h foo bar + + # For a device, fail. + atf_check -s exit:1 -e match:"/dev/null: Illegal seek" \ + stat -h /dev/null +} +h_flag_cleanup() +{ + if [ -d mnt ]; then + umount mnt || true + fi +} + atf_test_case l_flag l_flag_head() { @@ -233,6 +304,7 @@ atf_init_test_cases() { atf_add_test_case F_flag #atf_add_test_case H_flag + atf_add_test_case h_flag #atf_add_test_case L_flag #atf_add_test_case f_flag atf_add_test_case l_flag From nobody Tue Jun 9 08:17:45 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZMGd5nNqz6hZmL for ; Tue, 09 Jun 2026 08:17:45 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZMGd4hrSz3D2C for ; Tue, 09 Jun 2026 08:17:45 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780993065; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ZmFNqQ6W2USf4zLUZH4aKK1BBNLNqhtamHqrmtEYDxQ=; b=cHx5IXX4pqtnQjS5NoF/8y0Bi5sO5IDi0aazlRkhC7QNCyxFhz4BTPgWSX9TrL3emlCP1j nrJuKxwx3SDCZvckkQMT49wnAndPEiJV408ipfZl5dLwO8UxLvzgPnNrVG7N4+0zwT5KVM RTt56fd99ZKU/kntGzwXzwwBgeK8+Omf3GTmZJQNQE2REts0slnfDw4Ey29qtjG1gFmUvx WsTpxybisVVYdjUgnFzZWEkb/vaxraBygHQUqyXo6+SXBdT+08t2wh+jiq9L3PC7uv4mXa 0FgVk57XOhfvc/cue4XYM/84KTV4zSxI5V8PdmtJkseh8ky8DtvnKjyFP05zlg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1780993065; a=rsa-sha256; cv=none; b=FCve8L8FVkv5Jeh8Fre+bdYa7g81HBJ47Fiz4vQAeXYyDMGI8Kog3LsDQ1mBMvCaxZtcZE Ede4XamcVWuqimt3doAhZ0EmfeUX6tOA2AMIVx3gslIN25p4DBmddFTZJ7abHLTGlQg5ym BILeeuCfk65C+/EsWk3bN3QA0D8QIAdb6rJsnCfSZB2SyiaY5wPUlo7iY968omeXnPzTMm vrPzriCX+SVNA9E71lF5OnNd/IFUY5Q3DPLoNcP7YyN3tFEFn+8G8V9p5xugbnupSYCcRB IHB/xjeJzm53LRnZVQslZ+AMvgdnVuikh85ZidPo9ezmp2vwL10hpes3/jCJyQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780993065; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ZmFNqQ6W2USf4zLUZH4aKK1BBNLNqhtamHqrmtEYDxQ=; b=Xkmjyxc+I5f758EP2lHPOescwNwp9n2NFN9CM7hmFAmfKGrlzOzjMVwuRJe8+llMDcvsTB yYl0Rr8FRMd0GNIAzg2xyMRzSh987642nOW5emCnGLjz6+bRMrST/wshomjjV6QtrfELCv h//J9XkAXUlHUrPex9FWmuFsF0bQpVZ11/fzMRHjIbtgEHhyS+o5aFtWF6xhQxey9aj9pL 4kc+u6SswmXssBH+TioUMR4rwFMO1PpITBmQeU6qtb71+wfaAtrE0uRjS+hb5wzwEAYfsL UIPy8Yb0RI8qrXZWhCmfXaTCng+mknIz/E3sfOZCNgQv147W27P0ZzvwbUkU7w== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZMGd40bYz9tn for ; Tue, 09 Jun 2026 08:17:45 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 47a19 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 08:17:45 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Dag-Erling=?utf-8?Q? Sm=C3=B8rg?=rav Subject: git: 6c2ea480cabd - stable/14 - stat: Nits in readlink tests List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 6c2ea480cabd69d25f7b63f610820e296c54f108 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 08:17:45 +0000 Message-Id: <6a27cc29.47a19.704ae589@gitrepo.freebsd.org> The branch stable/14 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=6c2ea480cabd69d25f7b63f610820e296c54f108 commit 6c2ea480cabd69d25f7b63f610820e296c54f108 Author: Dag-Erling Smørgrav AuthorDate: 2026-04-08 11:26:23 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2026-06-09 08:10:43 +0000 stat: Nits in readlink tests * The f_flag test may fail if a component of the full path to the temporary directory is a symbolic link. * The n_flag test had an empty head; give it a description. * Use consistent quoting. MFC after: 1 week Sponsored by: Klara, Inc. Reviewed by: kevans Differential Revision: https://reviews.freebsd.org/D56293 (cherry picked from commit 1c793e7cbe2ecded388fd51fb20274891620a6f4) --- usr.bin/stat/tests/readlink_test.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/usr.bin/stat/tests/readlink_test.sh b/usr.bin/stat/tests/readlink_test.sh index d0107e0d655e..8eff21fa7a16 100755 --- a/usr.bin/stat/tests/readlink_test.sh +++ b/usr.bin/stat/tests/readlink_test.sh @@ -33,7 +33,7 @@ basic_head() basic_body() { atf_check ln -s foo bar - atf_check -o inline:'foo\n' readlink bar + atf_check -o inline:"foo\n" readlink bar } atf_test_case f_flag @@ -44,6 +44,7 @@ f_flag_head() } f_flag_body() { + cd "$(realpath "$PWD")" atf_check touch A.file atf_check ln -s nonexistent A.link atf_check -o inline:"nonexistent\n" \ @@ -55,13 +56,15 @@ f_flag_body() atf_test_case n_flag n_flag_head() { + atf_set "descr" "Verify that calling readlink with -n will not emit " \ + "a newline character." } n_flag_body() { atf_check ln -s nonexistent.A A atf_check ln -s nonexistent.B B - atf_check -o 'inline:nonexistent.A\nnonexistent.B\n' readlink A B - atf_check -o 'inline:nonexistent.Anonexistent.B' readlink -n A B + atf_check -o inline:"nonexistent.A\nnonexistent.B\n" readlink A B + atf_check -o inline:"nonexistent.Anonexistent.B" readlink -n A B } atf_init_test_cases() From nobody Tue Jun 9 08:17:46 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZMGf6xX0z6hb2G for ; Tue, 09 Jun 2026 08:17:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZMGf5HsWz3DHR for ; Tue, 09 Jun 2026 08:17:46 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780993066; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=40pxJ+Jw3XFbEjFmipGZou/f4539RkyNoJE64bOokAA=; b=cNgXgvpZpIttWtNOHVysfTht609iRIHdKYg00gcqC2lwJGbOv3AyvGRGeymnNfdLgj598a hFbxKzvWK14aHtZ9xGA2X4p0aKka8NaBUYCtRvCy3zIiMkMzVdNw88o0znshQnq7RoIkof m//KKD8S1A/f+E9J5/5KQj04XqclQlKl0O/U3NdgRcpOWCWhzOClkeRmR9dzE0Gmra/ZLp vKQ/NsX6nq0gvJt9jAKn6DIzWYwcnWsdSyXbT8sw8cIeJeSz5dZwyR4K43ggxiKQHXbaD0 o3bYb4zsIEuMNS2qwRGIe9l+BuSMTe7LiO8SrZ9Nm24S+uUP39550ghxUELxbg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1780993066; a=rsa-sha256; cv=none; b=DTfrCcE5sxJCh/YOCRWW1XUT2g6xMr6Cjca76DcsftBu1fwfkTQctzjirLjt3jK+H8ANId eZiYyvDaZU/kLIUcdcyXLwrOpjupTLnKk0FZwPJv/oyRctTZEDgxM1hEAiOF9wV1CXclSX CcOYhBHsCpdI7PQRnfr+QTEieGCidqcJDF72sibq+3fxp6VxH5+by50PZV+8riGjS+Kq7L FgveHghA3lD/3EXtm2CN0dQce8MatXYKOW7Ym97Nn/82U9lt8EbQeoE61rPUlCWR3R1LNx tKAFjH/Ztc2D6X7hJhVHIdJUJwQPTqqaokHBDDy5PqYnEnsD1dAKT7Z/FpoHNw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780993066; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=40pxJ+Jw3XFbEjFmipGZou/f4539RkyNoJE64bOokAA=; b=q5UJlvG/EpAWXjAjnOGc1my0TK4fr6Kz6R04T6b9v38S9VOS/VI8TfS6ecN93LjVHNStez R+g0sCEzgn79mkq3vyF+5Ug6I5oqUXzUnO0y8D3Dx4iF6MOddWTkayHQx3NDnlzXkcmyrE rOzWIManJRfiIqKAZ/EjtxsCPfR+M/Dg0pugZez0gBTpAR6+UHKtBFgsVUci8BG8OBVY6Z mujJdpkEqACkNAKg725/eUQGFH0H/LCJKdSKsvdJuIJby5OvifDkrOce+eUUS2A+z1cFqY rSZwa72TjYSw/pwrEmz31p3Fhbbg8RfMmjdXgR+7sJ+sDQB9YPeAWuj/OErdhw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZMGf4q2Vz9tp for ; Tue, 09 Jun 2026 08:17:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 47c83 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 08:17:46 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Dag-Erling=?utf-8?Q? Sm=C3=B8rg?=rav Subject: git: 7062e428a627 - stable/14 - stat: Nits in stat tests List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 7062e428a6275d8624d27d4608424f6968d7e0f3 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 08:17:46 +0000 Message-Id: <6a27cc2a.47c83.1e62780c@gitrepo.freebsd.org> The branch stable/14 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=7062e428a6275d8624d27d4608424f6968d7e0f3 commit 7062e428a6275d8624d27d4608424f6968d7e0f3 Author: Dag-Erling Smørgrav AuthorDate: 2026-04-08 15:35:35 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2026-06-09 08:10:44 +0000 stat: Nits in stat tests * Use ourselves as test file instead of /COPYRIGHT, which may or may not be present in the test environment. * atf-check understands \n in strings, use it. * Some file systems don't like creating small holes, so create large ones instead. This means we need two variables: ps (page size) is the minimum size of a data region and the alignment for a hole, while hs (hole size) is the minimum size of the holes we create. This makes no difference on FreeBSD but makes it easier to port the test to other platforms. MFC after: 1 week Sponsored by: Klara, Inc. Reviewed by: kevans Differential Revision: https://reviews.freebsd.org/D56304 (cherry picked from commit 8cbd3949297d56e3960dcde73bd7e2277ac4bee8) --- usr.bin/stat/tests/stat_test.sh | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/usr.bin/stat/tests/stat_test.sh b/usr.bin/stat/tests/stat_test.sh index afe698575034..6043686396be 100755 --- a/usr.bin/stat/tests/stat_test.sh +++ b/usr.bin/stat/tests/stat_test.sh @@ -54,6 +54,7 @@ h_flag_head() } h_flag_body() { + file=$(realpath $0) # POSIX defines a hole as “[a] contiguous region of bytes # within a file, all having the value of zero” and requires # that “all seekable files shall have a virtual hole starting @@ -82,27 +83,27 @@ h_flag_body() atf_check -o inline:"$((ps)) .\n" stat -h . atf_check -o inline:"$((ps)) ." stat -hn . - # For a file, prints a list of holes. + # For a file, prints a list of holes. Some file systems don't + # like creating small holes, so we create large ones instead. + hs=$((16*1024*1024)) atf_check truncate -s 0 foo atf_check -o inline:"0 foo" \ stat -hn foo - atf_check truncate -s "$((ps))" foo - atf_check -o inline:"0-$((ps-1)) foo" \ + atf_check truncate -s "$((hs))" foo + atf_check -o inline:"0-$((hs-1)) foo" \ stat -hn foo - atf_check dd status=none if=/COPYRIGHT of=foo \ - oseek="$((ps))" bs=1 count=1 - atf_check -o inline:"0-$((ps-1)),$((ps+1)) foo" \ + atf_check dd status=none if="${file}" of=foo \ + oseek="$((hs))" bs=1 count=1 + atf_check -o inline:"0-$((hs-1)),$((hs+1)) foo" \ stat -hn foo - atf_check truncate -s "$((ps*3))" foo - atf_check -o inline:"0-$((ps-1)),$((ps*2))-$((ps*3-1)) foo" \ + atf_check truncate -s "$((hs*3))" foo + atf_check -o inline:"0-$((hs-1)),$((hs+ps))-$((hs*3-1)) foo" \ stat -hn foo # Test multiple files. - atf_check dd status=none if=/COPYRIGHT of=bar + atf_check dd status=none if="${file}" of=bar sz=$(stat -f%z bar) - atf_check -o inline:"0-$((ps-1)),$((ps*2))-$((ps*3-1)) foo -$((sz)) bar -" \ + atf_check -o inline:"0-$((hs-1)),$((hs+ps))-$((hs*3-1)) foo\n$((sz)) bar\n" \ stat -h foo bar # For a device, fail. From nobody Tue Jun 9 08:17:47 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZMGj2sdjz6hb64 for ; Tue, 09 Jun 2026 08:17:49 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZMGh5LXyz3D2P for ; Tue, 09 Jun 2026 08:17:48 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780993068; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Q+pB2ThaumztUmDPPLyc3WfSnuLc3Y08eEZ+KEVAf1c=; b=ezLyYEpTZh2zRYFbl/sa1jQM1fxOjMUukL9mZR1Rwuj5W255g31tqa+uNGQK5aMROj5e6m n8Z+szZcX5bTUY7cgDmjK6pdmu143TocZwfjE5rsxY+DcSdHJgkrrun4QfyK2aad9YuaN0 IWR6qoT2jPYPDgjLkx6jMXu0ceovOngUm9gKl035cIlp1MPVPOmh4G6EsLznj+ECkAIkAc Jm62HJZiQt/fH52+pLroXoGzP44Hw3ICDWqjfBEkU5iF9UWj6YEExXm7rGc/ko8+C2KX6c FdnIiymotoh2FZnSLNU5o4gO2o1zKQ1duw9EoI0nfxE+EcvjJ0vthBXY/fwcoQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1780993068; a=rsa-sha256; cv=none; b=XHczWKRjRKnZghLJk6D4nq/I9BU3UGAsi/mXCeScfT7bc6/m/3ARMVCS1DrptxxUPg2sTg V0sut6Xh3oGnJyRXL4PEnSK1vg4ei4W41Uavdkz/jikrdA94qyaADxKqfbi9XT8u/y9r0X PNzfse2AbsS+6UrdSEi80+X4nY1m2BBBwFydT+oGXbwfjaUYPEM0900ZdMYE3ttsHUxkGi H9dJ/VX++xHStCv8pJRVTgFywffLpu94YMVH7pbxbO7YamNX3HrZ9EH9iWx8pi6INqJPPZ xr4pYOkKsHy9s2FIvfaOolCZzz/bGMo9jNe2PIeraOGd0NDY8TgCIQf7rBZC1w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780993068; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Q+pB2ThaumztUmDPPLyc3WfSnuLc3Y08eEZ+KEVAf1c=; b=QeGekHSeYaQ6a0pDY0ibKPLZ9w6Tj3R/sY8My7G6Wy6tmMT5d487rayQr1GCkngpaJVrmQ +YV5lPylLyHNTAwul8kMyVkj9KIxySyiob3C8omNdWqnNuDPZljS3ujwS+shmflDGQVju0 yXvGZ6mQRzVEyzLfSI0EV+rj8WprLF9qQ3tb+t+sER7x+PA8uG5JgIlAs6GBZpepGbOBOY //bjlPRKqhntpW+uVZHdkTteaPk73Ga6jVfBHK7C2vp4+0kjzzPepuSgLbyYMScb7xS8dV PQqzTRSv6pGTX8K0txVA/mLXUuvWpHc1hN2af5Wdob1PL/Dt0K3RgmGLpCGP8Q== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZMGg5dZFzBBG for ; Tue, 09 Jun 2026 08:17:47 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 4799d by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 08:17:47 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Kyle Evans From: Dag-Erling=?utf-8?Q? Sm=C3=B8rg?=rav Subject: git: 233ece107da0 - stable/14 - stat: fix use of devname(3) List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 233ece107da0628cc6fbf7f4a8940f1d5eb52d72 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 08:17:47 +0000 Message-Id: <6a27cc2b.4799d.54f1447a@gitrepo.freebsd.org> The branch stable/14 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=233ece107da0628cc6fbf7f4a8940f1d5eb52d72 commit 233ece107da0628cc6fbf7f4a8940f1d5eb52d72 Author: Kyle Evans AuthorDate: 2026-05-01 03:00:26 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2026-06-09 08:12:23 +0000 stat: fix use of devname(3) Besides being a little hard to parse through visually, this had its own bug of inspecting st->st_mode to determine what to pass to devname(3), which is only correct for st_rdev. For st_dev, you're likely to be looking at files or directories and attempting to assess what device they're located on, so the mode is meaningless- we just have to assume that our filesystems are on character devices and attempt to resolve st_dev as such. Reviewed by: des, kib (previous version) Differential Revision: https://reviews.freebsd.org/D56565 (cherry picked from commit 4d4acdbfc22c84081037f31cff4fb03d18373036) stat: The devname test case requires root Fixes: 4d4acdbfc22c ("stat: fix use of devname(3)") (cherry picked from commit 72b1aae09bf0bcc01c76df757699e27ad7cf7ecc) stat: Set the timezone before testing -t flag The test assumes UTC, which is what I use on my development systems and clearly what is used on our CI runners. MFC after: 1 week Sponsored by: Klara, Inc. Reviewed by: kevans Differential Revision: https://reviews.freebsd.org/D56836 (cherry picked from commit 49e496d2776870fb36ed8ea4c8139b5eb9f7f747) stat: Expand devname test case Test what happens when we ask for the rdev of a non-device. MFC after: 1 week Sponsored by: Klara, Inc. Reviewed by: kevans Differential Revision: https://reviews.freebsd.org/D56838 (cherry picked from commit 2c88636e0e7a0316d5e6d146874bdb2751f75c40) --- usr.bin/stat/stat.c | 14 +++++++++++--- usr.bin/stat/tests/stat_test.sh | 40 ++++++++++++++++++++++++++++++++++++++-- 2 files changed, 49 insertions(+), 5 deletions(-) diff --git a/usr.bin/stat/stat.c b/usr.bin/stat/stat.c index 9c693a124f9a..d98447b78d18 100644 --- a/usr.bin/stat/stat.c +++ b/usr.bin/stat/stat.c @@ -650,6 +650,7 @@ format1(const struct stat *st, struct timespec ts; struct tm *tm; int l, small, formats; + mode_t dtype; tsp = NULL; formats = 0; @@ -665,9 +666,16 @@ format1(const struct stat *st, small = (sizeof(st->st_dev) == 4); data = (what == SHOW_st_dev) ? st->st_dev : st->st_rdev; #if HAVE_DEVNAME - sdata = devname(what == SHOW_st_dev ? st->st_dev : - st->st_rdev, S_ISCHR(st->st_mode) ? S_IFCHR : - (S_ISBLK(st->st_mode) ? S_IFBLK : 0)); + switch (what) { + case SHOW_st_dev: + dtype = S_IFCHR; + break; + case SHOW_st_rdev: + dtype = st->st_mode & (S_IFCHR | S_IFBLK); + break; + } + + sdata = devname(data, dtype); #endif /* HAVE_DEVNAME */ if (hilo == HIGH_PIECE) { data = major(data); diff --git a/usr.bin/stat/tests/stat_test.sh b/usr.bin/stat/tests/stat_test.sh index 6043686396be..aa8563c62ccc 100755 --- a/usr.bin/stat/tests/stat_test.sh +++ b/usr.bin/stat/tests/stat_test.sh @@ -1,7 +1,7 @@ # # Copyright (c) 2017 Dell EMC # All rights reserved. -# Copyright (c) 2025 Klara, Inc. +# Copyright (c) 2025-2026 Klara, Inc. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions @@ -25,6 +25,9 @@ # SUCH DAMAGE. # +: ${CHKPATH:="mnt"} +: ${NODEV:="#NODEV"} + atf_test_case F_flag F_flag_head() { @@ -232,9 +235,9 @@ t_flag_head() { atf_set "descr" "Verify the output format for -t" } - t_flag_body() { + export TZ=UTC atf_check touch foo atf_check touch -d 1970-01-01T00:00:42 foo atf_check -o inline:'42\n' \ @@ -301,6 +304,38 @@ x_flag_body() done } +atf_test_case devname cleanup +devname_head() +{ + atf_set "descr" "Verify that %Sd outputs a device name" + atf_set "require.user" "root" +} +devname_body() +{ + local devname devpath + + atf_check -o save:dev mdconfig -t malloc -s 16M + read devname < dev + devpath="/dev/$devname" + atf_check -o not-empty newfs "$devpath" + + atf_check mkdir "$CHKPATH" + atf_check mount "$devpath" "$CHKPATH" + + atf_check -o inline:"$devname\n" stat -f '%Sd' "$CHKPATH" + atf_check -o inline:"$devname\n" stat -f '%Sr' "$devpath" + atf_check -o inline:"$NODEV\n" stat -f '%Sr' "$CHKPATH" +} +devname_cleanup() +{ + if [ -d "$CHKPATH" ]; then + umount "$CHKPATH" || true + fi + if [ -f dev ]; then + mdconfig -d -u $(cat dev) || true + fi +} + atf_init_test_cases() { atf_add_test_case F_flag @@ -315,4 +350,5 @@ atf_init_test_cases() atf_add_test_case s_flag atf_add_test_case t_flag atf_add_test_case x_flag + atf_add_test_case devname } From nobody Tue Jun 9 10:46:53 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZQZj3gqsz6hlLn for ; Tue, 09 Jun 2026 10:46:53 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZQZj1rZ8z3V1p for ; Tue, 09 Jun 2026 10:46:53 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781002013; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=qakz0nWj3UflWrf4qpt6kQpHBFc+Il5+vzqR2tgHkHo=; b=KmeBy+YlJ5eN5KBX1KEewJyulrWMWkEq0kdna8+b5VXgXpZLD4GHaAWp+/ZWsqwzgepu7H aQgX5IjX9Mf6d9zwhsAFdv7hElrEZkY4HQaL2JH3vqjB5BJi9B2oX/QK4Zfzocjvyc1zsd 7T5KSjq1QDjOW3YNHbAtBVsyaJZcWAvw4T2hUoaG2eg3+M0p2D6nnJz97v0CuLz8jEzH22 QxMA3cb6R2KftAbQaVwFrqCvWNUGBblbhgAMQ8tJ/wbBZTFiMXnn16/K0dYoq1zycVl2Jh E7VA/DUzGEiz8obdCIaLxk2Qy5oI+PXHDOSWCQjELE1jgTe8kIZFOcnmJSv20A== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781002013; a=rsa-sha256; cv=none; b=e+7D8Lk3PtR+OgaFKKy+lnmzoKVIMU9kzfbzc8qffBPMmhCwZeVjbQl4GKf4JxzmNGA4Ka 8yvvqhZ7g7wMzitEN62jEUWbDYy1AoVbV2q8OL1QHtlb4uTpzYQPlX3si9oFpTcUCKFH2I yk+eHV2GRurcLeX176gOBpPGaG8Dzp+Xt7p8VVey+uhAJYqBKyhnsRj0Fj/55pDjGWga0b apupEXeHWlOY4DoAOeq8myQ+2LVWCUtPfSMdJ3ocazV6xOpSaOoQ0htvpotAlJQLkIej8V 4Ytnn9rDo54fFTKd/YFcXPq3XkTvAFeOFcaqSKohfD0/QvoyeUWJw4Ej9DM8VQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781002013; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=qakz0nWj3UflWrf4qpt6kQpHBFc+Il5+vzqR2tgHkHo=; b=yHh//snmojB9gh8mtcdgV/8hD6bYgA6RgC0NVj33z9mfVLi6ZxmpImuF3hD67OlOPypo+E QS7v/H9w/8RUn7UTY/WOnm/slH7MzipELU62NIRf2wv/4TQOscDJRbIaBzSQsuUJfvj1fW seheYC7OUNFD5z/K0+mD2UhXRusnAUL9T/kmy5WsN4urgcOjWY+hOXuu9REXWeC96cJ72j EhRTwGgljikHG8SXZDUQORCdogCJIOI6cstC2eE8k0Vo8fy3GbvgO/aGvTm2hlTeQGZ5su 5TXKJeX2YhNg0xgjhHCzRjdXOUjo0YWAGMwGWVnTUGDrtF1+99MB2hzyW4H5pA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZQZj1NGzzWWY for ; Tue, 09 Jun 2026 10:46:53 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 2786b by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 10:46:53 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Christos Margiolis Subject: git: b896c159135d - stable/15 - bsdinstall: Add virtual_oss service option List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: christos X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: b896c159135ddb9856fcee68f1ebc151bd21dfbe Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 10:46:53 +0000 Message-Id: <6a27ef1d.2786b.2997ac45@gitrepo.freebsd.org> The branch stable/15 has been updated by christos: URL: https://cgit.FreeBSD.org/src/commit/?id=b896c159135ddb9856fcee68f1ebc151bd21dfbe commit b896c159135ddb9856fcee68f1ebc151bd21dfbe Author: Christos Margiolis AuthorDate: 2026-05-20 15:51:39 +0000 Commit: Christos Margiolis CommitDate: 2026-06-09 10:46:41 +0000 bsdinstall: Add virtual_oss service option Since virtual_oss is now part of base, there is no reason not to provide an installer option to enable it, and make it more visible to new users, who might also benefit from the devd rules in /etc/devd/snd.conf, which use virtual_oss, as well as 8532b4a43636 ("rc: virtual_oss: Create a loopback device in the default configuration"). Sponsored by: The FreeBSD Foundation MFC after: 1 week Reviewed by: ivy Pull-Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/31 (cherry picked from commit eb5aa5c337c8d52fc1a7e867f526ca770bbe6612) --- usr.sbin/bsdinstall/scripts/services | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/usr.sbin/bsdinstall/scripts/services b/usr.sbin/bsdinstall/scripts/services index 110b6f321ed1..814ce1f95753 100755 --- a/usr.sbin/bsdinstall/scripts/services +++ b/usr.sbin/bsdinstall/scripts/services @@ -71,6 +71,11 @@ if [ -x "${BSDINSTALL_CHROOT}/etc/rc.d/moused" ]; then moused \"PS/2 mouse pointer on console\" ${moused_enable:-off}" fi +if [ -x "${BSDINSTALL_CHROOT}/etc/rc.d/virtual_oss" ]; then + DAEMON_OPTIONS="$DAEMON_OPTIONS \ + virtual_oss \"Sound server\" ${virtual_oss_enable:-off}" +fi + exec 5>&1 DAEMONS=$(eval bsddialog --backtitle \"$OSNAME Installer\" \ --title \"System Configuration\" --no-cancel --separate-output \ From nobody Tue Jun 9 10:46:54 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZQZk41Nvz6hlZR for ; Tue, 09 Jun 2026 10:46:54 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZQZk2YG3z3Thd for ; Tue, 09 Jun 2026 10:46:54 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781002014; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=wYErWV3UAL+wkRxQG+dNE5wANTQBQRTxgml0nnfrM9Q=; b=DL8EmQKZXAYOGWZ1iYfP349r7cG2+0QvmU7uwZMNalyUnsWsyjhIO2sKjtZVJbhj5m2FKD SZMDo+nTKYB/JiiWbGVqwXO3+X1GDaWJAzTMrFUboaJXj1NKwtShkFa6rYzeUUl8wx2Q3T RysgShez8hS5BtyG4E0wK4r3fPT8a3by8QBXeMSpj4VccWBhx8Wyw3AMNlIyWkklXUS3Er QY8Afiz7tPRisR7Xg3JmRXN7N7e68Ma0FwznjsGxMX8fN67j6LHJPoG4TO7JnVhUDWZ3ZV wI67uLTGXb0nyn+YYhK7tTPShyz/2QFCZshbTtN8GJlq6RQR/Z2kfWE9o1vzTg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781002014; a=rsa-sha256; cv=none; b=NzRRG2OsW4ISHj/1/wdVuBid7UZCppj+f1kGxkrqQHedNeGWSOMWXOHoQ3sqkMzJIZ4g4L E61Xgw2pZ+hcMpU032+UeHu0AUS4dMiPc+PG4XpmQrrXm1OIg4HFqNBQKSnXqJaSaueLGx /hIi/8VGTQGElwG9GXhPJhdM7WWoHN0SsKE92kOl0EETWqE2Fu1f9ji1obZEOxmEeIw2Xp elXRRmWngDlNmI/LElUWxTctms2PhgWp1v+MTQCgEKOmPyOVKXdPp8H5iQBOexCNM3+lb9 NaZEHCA+SqZn/y+t86YGa296RdUH2ku7amsYvMSIyJFcHmh3dmCokIf1wl9G1w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781002014; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=wYErWV3UAL+wkRxQG+dNE5wANTQBQRTxgml0nnfrM9Q=; b=oaRc5kaSMYzpMR+RoHvEgb2Di6uqV3UHRLnxD3HTxds5E69cP28zd+hdBq/KYyQ4k8jLD8 JqNPJk3DiY/AACh4raBYXvI4RytpRWM+153rpAIa41Jac4yrD51XMABUTaAjsgq9nQXvyy gqXUBR1r3lkhKXSvTQYrghFpSNCW7H6SmiwuLxHVpcbKGablvMq9JKgZUCd79us8lCd4Wh rBoA1rymCYdbfuvvv6PkxRVm63SKCMHjTMhTP4sC2PlHLFBX1LR1VStSomcO3E4s7u4JyZ 2TV61Q6hihoCl4IXKYaaYVhNWjueuydqwFyjYtPzB5Gq3XdrEr6y2oYvcT6A8g== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZQZk29ByzXK0 for ; Tue, 09 Jun 2026 10:46:54 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 27a63 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 10:46:54 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Christos Margiolis Subject: git: 81b3a7991543 - stable/15 - virtual_oss_cmd(8): Improve error messages List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: christos X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 81b3a7991543e1cf2f279e474c9636f2a0ce2e6e Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 10:46:54 +0000 Message-Id: <6a27ef1e.27a63.827aad1@gitrepo.freebsd.org> The branch stable/15 has been updated by christos: URL: https://cgit.FreeBSD.org/src/commit/?id=81b3a7991543e1cf2f279e474c9636f2a0ce2e6e commit 81b3a7991543e1cf2f279e474c9636f2a0ce2e6e Author: Christos Margiolis AuthorDate: 2026-06-02 12:57:45 +0000 Commit: Christos Margiolis CommitDate: 2026-06-09 10:46:47 +0000 virtual_oss_cmd(8): Improve error messages Sponsored by: The FreeBSD Foundation MFC after: 1 week (cherry picked from commit 4f7092eeb22d3882f54d67a35149533fef8376ca) --- usr.sbin/virtual_oss/virtual_oss_cmd/command.c | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/usr.sbin/virtual_oss/virtual_oss_cmd/command.c b/usr.sbin/virtual_oss/virtual_oss_cmd/command.c index 64781992ddfd..99316b896e83 100644 --- a/usr.sbin/virtual_oss/virtual_oss_cmd/command.c +++ b/usr.sbin/virtual_oss/virtual_oss_cmd/command.c @@ -35,20 +35,11 @@ #include "virtual_oss.h" -static void -message(const char *fmt, ...) -{ - va_list list; - - va_start(list, fmt); - vfprintf(stderr, fmt, list); - va_end(list); -} - -static void +static void __dead2 usage(void) { - message("Usage: virtual_oss_cmd /dev/vdsp.ctl [command line arguments to pass to virtual_oss]\n"); + fprintf(stderr, "usage: %s [virtual_oss(8) command " + "line options]\n", getprogname()); exit(EX_USAGE); } @@ -66,7 +57,7 @@ main(int argc, char **argv) fd = open(argv[1], O_RDWR); if (fd < 0) - errx(EX_SOFTWARE, "Could not open '%s'", argv[1]); + err(EX_SOFTWARE, "Could not open control device: %s", argv[1]); for (int x = 2; x != argc; x++) { size_t tmp = strlen(argv[x]) + 1; From nobody Tue Jun 9 13:02:38 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZTbM1n4cz6fx9F for ; Tue, 09 Jun 2026 13:02:39 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZTbM0TkKz3nfG for ; Tue, 09 Jun 2026 13:02:39 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781010159; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=1nDpY4kfTK69A8Gfqb+IF3wTuolEaVqmvypVniM0BdY=; b=pJCWnD4MdR1r2K6C3Go6oU7kC4iUsnZODCOrJz2mH34qHfEck51mima0MLyj3hzjsDDyzg CO89YsL5hZnVIw0/3DrcE85BB7W5jH6zDzxoPueTd+IiJw0Si7tucSM+YprQDBTWKyPyrZ lD+BdVs4lYd+JpwwQESRi29WoWI/7vzV6HSzwtsDQrdoKdy2dW/p1WD6ceNV9UztbMDfz+ X45LnpYlHc2kMwGgUrWxh2xEEcdmO0lETw5kxgrqGmL3uG/qHKeI143Skx7Sg1k2a24M9u WUcRyLh4jx0X013YTTBW1BDnunVLE6tr0E6eMEZZ2rVXHC1Mxy80lUOU4mUgbA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781010159; a=rsa-sha256; cv=none; b=aTa8SJ54L/t4zXF7v9c+B3CsLa0uJlTWvTCQ/QQ3Zl6T3tkWCeAk+/fW9WUm9cZrkhSJ02 rWyYEDeaBo6EhCJHmAJsLm0EUHUfcNXVUVVXsRyHl1LeBc+sPb1fyhD7guvdCTAxNBp6iz FagAWoeCT3VAmTXWTkP2GiiPq6AXJy3ktYZTD4uv59gpg981DbRv7p1jOp9GpaWYJA5tYV io0y3GFatqxp2Y2WMQ0kM6B4klTZOhba6rdQF+RzNgjY9sooxOV5qlb5xUxqvBFDsivfaf 2TTcNcgdoiCSDRuiCr9ecooF+8A1+aFTn6xsj+seJnIKmwY+wOxi8yncTCPpjg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781010159; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=1nDpY4kfTK69A8Gfqb+IF3wTuolEaVqmvypVniM0BdY=; b=arbiNDIr9dt0E3LXHcmCu9S2kELv2uxEBLSADMrwxfj0U06cvlKTieWqe9d92hKRx9APfW Q5ZewX3wG8PC3hkLxIZtBWFHX97tJ9UOoeCpEJr3Pnj2voNwJh35eNIgrq/5orvRFT1f5u zo9U+llcXuqssY9mlrBKxpJohEpfodq5Mf4CVIBzSdlS/t8jY5cb/TJ0nii+qIdcA/gjtr QIUOhRlsYtUtTniTiBkjP/nRTwcYd6nTnDWRT0BgSQfM+CfNASB29w7o3betEcKb1Yvx+A 9R7sxtd/VWKYe+GaRdX+HC2mSHfNc75Y2M/o1evVXRaGF24VzR0N8z6V+lK7bg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZTbL70PjzcQP for ; Tue, 09 Jun 2026 13:02:38 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3f0f7 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 13:02:38 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: 2caaf8c1c717 - stable/15 - route: Fix `flush` w/o specified address family List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 2caaf8c1c717bcebf14832b4bea5766e393ad683 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 13:02:38 +0000 Message-Id: <6a280eee.3f0f7.5364fdea@gitrepo.freebsd.org> The branch stable/15 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=2caaf8c1c717bcebf14832b4bea5766e393ad683 commit 2caaf8c1c717bcebf14832b4bea5766e393ad683 Author: Ed Maste AuthorDate: 2026-05-29 16:44:09 +0000 Commit: Ed Maste CommitDate: 2026-06-09 13:02:22 +0000 route: Fix `flush` w/o specified address family PR: 291867 Reported by: gavin Reviewed by: pouria, melifaro Sponsored by: The FreeBSD Foundation Fixes: c597432e2297 ("route(8): convert to netlink") Differential Revision: https://reviews.freebsd.org/D57336 (cherry picked from commit 32a7ba251acbfb442665eed40fb4f48c8f2bd710) --- sbin/route/route_netlink.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sbin/route/route_netlink.c b/sbin/route/route_netlink.c index 5dde7501d6b4..74ebb99a9486 100644 --- a/sbin/route/route_netlink.c +++ b/sbin/route/route_netlink.c @@ -888,7 +888,8 @@ flushroutes_fib_nl(int fib, int af) struct snl_msg_info attrs = {}; print_nlmsg(&h, hdr, &attrs); } - if (r.rta_table != (uint32_t)fib || r.rtm_family != af) + if (r.rta_table != (uint32_t)fib || + (af != AF_UNSPEC && r.rtm_family != af)) continue; if ((r.rta_rtflags & RTF_GATEWAY) == 0) continue; From nobody Tue Jun 9 13:40:42 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZVRH0NGSz6g1Ct for ; Tue, 09 Jun 2026 13:40:43 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZVRG64gMz3qsH for ; Tue, 09 Jun 2026 13:40:42 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781012442; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=sjIPNcxYatknVZwRC9tOi1At3DZvLRfiutlse47SukI=; b=YSuUmrGMyfNaf0xt/D8xBmPKChyvBZ9cTGueJWiAKcViDpZXxJ52TWV0KEX91huJH8oBQk t+h8/lZkU72hN8LduNlZfAC9WX8kXGfqO5kjMeZkBxam6UKaCildMJtZ9C7g/AKtmFg4Cr BOAL9MxOhKpS5oTF22X/4EcOnaU+WgzTRhqF96DOm3tx2BtfbHe0scpfv9lrd+XcsxhrNJ 2bXXB5if2adCMKhF1ICJ2W39e9kWL3ll4Y+JtbdPmuaJTz/CoaWM9aUtOyilsgDDutOV4/ CDr3AwvQnlJMySbfcupnq/rg2uPxPuShJ1DFE5SzwX+4PtvHaJ4Ejro/Dp6x5Q== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781012442; a=rsa-sha256; cv=none; b=BD+44/X9GsreYVCDwgdZzr2hRmy2s5g+93pU4Ldu31gVQbJe75sumdZCA5rNXguU0yAmfx GEsZO1wfVfT8FEFkjGxDmDbvX219nHpcPQHYhwWZgJH8GsIttTKL1f2dR+gxDYDhNTZu5T DvuU6HqFCkpvMBF0F3CpM/mNNgQnLqb2ThDeBfUIjd3TX5Nj9Cndfv1E5ed3fhWVpRRhhj P4imQjPBjpu3mZkofy18jfXWhlnWRM05P5Fp6SPVlERlN+SUO+eS12zvQ9WFuEY1khHDki xdJouLr16ef4vEJW6gJTwvOI4t3UfBBoYXfk96eIxwc6vDe46MZf9IKKcskICQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781012442; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=sjIPNcxYatknVZwRC9tOi1At3DZvLRfiutlse47SukI=; b=lY2lgwVY9+iUDX8pUe9qmL2T8qURY5uQ3LDwkjUEzYq3KekAWWz+L4z5NcCXJb8oWnEezM MVPIdhVL7OaJJ0s89N0ghcH8aNI7hoJtDXm119p8T5/nFbWf0Z9aDvvkzPKUVaZLEkBo6Z b9a+0YCxxlKUzCPnCVH2idhUOVYgUzRMM767UtFJGWO3BZAJ2M6T1mBkSP7nX9oYuCD8Kp 7KIqJn73+ebbGA0T3ptTv2cVdz1oi/uVFmgMDURMeN1f5rVIs8nTboAgLZ4aqgXOYVuiN6 2N3OH6X2j92WPzjI+djyeXSMmjcGZthLIC1xI1vxwFbQniYEBIUYiS80jWMPGA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZVRG5cmnzdCj for ; Tue, 09 Jun 2026 13:40:42 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 42fa0 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 13:40:42 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: 65e0e06116f4 - stable/15 - elfdump: Decode SHT_LLVM_ADDRSIG section header type List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 65e0e06116f4f55f09c31ff11ee89673a93b29c8 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 13:40:42 +0000 Message-Id: <6a2817da.42fa0.6c72f7b1@gitrepo.freebsd.org> The branch stable/15 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=65e0e06116f4f55f09c31ff11ee89673a93b29c8 commit 65e0e06116f4f55f09c31ff11ee89673a93b29c8 Author: Ed Maste AuthorDate: 2026-05-18 15:43:41 +0000 Commit: Ed Maste CommitDate: 2026-06-09 13:40:28 +0000 elfdump: Decode SHT_LLVM_ADDRSIG section header type Reported by: bz Sponsored by: The FreeBSD Foundation (cherry picked from commit 3c07cfb25283d93f03cdac51158289853d0e17a8) --- usr.bin/elfdump/elfdump.c | 1 + 1 file changed, 1 insertion(+) diff --git a/usr.bin/elfdump/elfdump.c b/usr.bin/elfdump/elfdump.c index 49704cde1b08..3bca46c26cf3 100644 --- a/usr.bin/elfdump/elfdump.c +++ b/usr.bin/elfdump/elfdump.c @@ -354,6 +354,7 @@ sh_types(uint64_t machine, uint64_t sht) { } else if (sht < 0x70000000) { /* 0x60000000-0x6fffffff operating system-specific semantics */ switch (sht) { + case SHT_LLVM_ADDRSIG: return "SHT_LLVM_ADDRSIG"; case 0x6ffffff0: return "XXX:VERSYM"; case SHT_SUNW_dof: return "SHT_SUNW_dof"; case SHT_GNU_HASH: return "SHT_GNU_HASH"; From nobody Tue Jun 9 14:09:39 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZW4g6FrXz6g3PT for ; Tue, 09 Jun 2026 14:09:39 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZW4g5FkQz3tfw for ; Tue, 09 Jun 2026 14:09:39 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781014179; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=SHqhG9SMIj3H+cZLNCN4a2jFoU9yIklyBi+r9lH4QnQ=; b=InDjlMNYnJotz5mdBZZ3pSSlauxsFmWB3EV7dk4ettYwGl526naRXiyhVlcO5xV9A5tSJm dZjCwEwbQ4ymoGOT+EJtNrcsI0SZ2QdMYqiP7Bbfs1vunoEZDRobiikwfKgxvOKNb40qn4 bCzovg6IICURe1drWnqss4mCYcocmfeKLtv2SRxDVJ9rpmWWampGWSqPw4ZkvkLKXhz6Ga s7s420LiTdqYDQzBX1j+W1/TsgO1iqmGBUJMKqZ5CqJ3g3+HYjCBGh/nIT6OUBEjl8tru+ Wjm6CIZ+1zDn3ltW+hary//P9QxZ9xBncx50RLjSdc8p6ap3rOaEBPeuYjx4cw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781014179; a=rsa-sha256; cv=none; b=vAEGHWzsFWYmJFyZN/wyK4i493Slf876X480siA/DGW970iQlaFNbH5y71fcUMeaYGsjKJ b75wpDRYppHKBZvJ6hUuns4h/etvkPYGt33UfG1rFCs34PUEWpeHW7dnL9NLGSP7jZ9gI7 z9A5hNKHNGIL4Maks2CUBmsbsBs8+Xy5WBhVYPr0othvLrLiR2eKBhlmLMCkOXut3+jPT0 HvtcuodxlIhlYP31j3rTzo/aUkO1WTC2ozDk45avwoSnVQvfp0RRi9QypE63D9tAGFpfIf FQQhqhdo5dJRcQETUXheOnFRjBpxQ0z4PDd93b1bhz6CZ/YPv+ujojBq/s7dsg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781014179; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=SHqhG9SMIj3H+cZLNCN4a2jFoU9yIklyBi+r9lH4QnQ=; b=ouqF9gYUQ91FTKDsmb14UxVbx4/06ee1dbKaF6EL4JULFRhl91Ua7rWNzsX4qJD8apjkRH n2cAX/yE54SsemGVR22ETqQfagMFJ17gh6+u8p6gSFR6Dizx0HLUGKBmJie/hWFvQY6Um7 ILMXlUfX3c9hSiE+b9wYGFyCYevvGk01Tc3PTb3Lh2Vcdj1ci6NOPGBuaZzI8BKpgL5FVb FSdYEwYWfsB4lzLtqOr0nAbOv0UFV8FLhdR8iP13vlQQJjhlS8N17nQbEEyjp/vumNPphk 8NQotjrEdIKJthg7TLvPMdsM1C4LCY7NG8qu5WwKu9kBL+zDwRlSunhxknZeJg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZW4g4bqwzdyp for ; Tue, 09 Jun 2026 14:09:39 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 45010 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 14:09:39 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: 90c11896412d - stable/15 - netlink: Avoid undefined behaviour List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 90c11896412d59c8624c4d05b2f339685fbfd586 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 14:09:39 +0000 Message-Id: <6a281ea3.45010.4edf9e2a@gitrepo.freebsd.org> The branch stable/15 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=90c11896412d59c8624c4d05b2f339685fbfd586 commit 90c11896412d59c8624c4d05b2f339685fbfd586 Author: Ed Maste AuthorDate: 2026-05-22 00:50:00 +0000 Commit: Ed Maste CommitDate: 2026-06-09 13:40:28 +0000 netlink: Avoid undefined behaviour Even though it is not dereferenced, it is UB to take the address of an out of bounds array element. Reviewed by: pouria, bz, des, adrian Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57158 (cherry picked from commit 1a4ad649cb135501f0bee56a4214e8c904ca402e) --- sys/netlink/netlink_generic.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/netlink/netlink_generic.c b/sys/netlink/netlink_generic.c index fb74860e42b3..c2f82eed5656 100644 --- a/sys/netlink/netlink_generic.c +++ b/sys/netlink/netlink_generic.c @@ -127,13 +127,13 @@ genl_handle_message(struct nlmsghdr *hdr, struct nl_pstate *npt) } family_id = hdr->nlmsg_type - GENL_MIN_ID; - gf = &families[family_id]; if (__predict_false(family_id >= MAX_FAMILIES || - gf->family_name == NULL)) { + families[family_id].family_name == NULL)) { NLP_LOG(LOG_DEBUG, nlp, "invalid message type: %d", hdr->nlmsg_type); return (ENOTSUP); } + gf = &families[family_id]; struct genlmsghdr *ghdr = (struct genlmsghdr *)(hdr + 1); From nobody Tue Jun 9 14:09:40 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZW4j1bYYz6g3Jb for ; Tue, 09 Jun 2026 14:09:41 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZW4h5nHqz3tcL for ; Tue, 09 Jun 2026 14:09:40 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781014180; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=+iyWS350+EGLdCVAOEq1Vpzawos7AGLp2z8qhwn+5WQ=; b=BVTGvRdx5qpNHhQ/dWx+l+9lC4wJK4NIIW6anyIc+Ud4IZYElNdvLxd6t/gj95aWyyRglR FHSSKxg430Vgc9yJUhoiMHoqs8vlhQK/1mjQYILTY8BVxMM9wKayVJXQF04FSNMRRRmJgA /ihUyxYUBNg9C8cc5todS2Wwy7HQ2EjkqARgq4vG7k/CzDlwpuH8GmPtojaN1vptqY1pq2 dkmyoUy12ZVCz8DbMyfJR7njbRgNhgVgDIWxAv1fGzW3lDsEO0dqDsuiFOyUEGEA+o/pZo 5+3M76ttEtFr6bEB2xSudQaanRX1iLr9uBDTF/vak00+STcbBlXTnBVyJCBhVw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781014180; a=rsa-sha256; cv=none; b=opcgSzdlIE8OEwlo0Zgxcd6ELP2m6BtkG7Ty/YW2wfvLm79win/BEg6LOdQSfv+X50I/51 E7e0KNnUknQ/N0UFS/A7AtbldXDcE09kXpwJNFRuVe1HGJucJftPViMHL5COXR10dUajX8 w+ZILPKJFrhPGyRW3OHdILKNg+beXEHMRAwKfJ645W5+jbJfVtqaGOS0GwVnKo5BgvM/W5 TOqZKXvzuk27zYUSrUdfHZdSe8pgeIkQ3C0QzE4/uPq4B5QHyDtoDu2ISk6ldrHZEhswjK 1LtIva6Orq+qGVlSMEjbLv/j2s32tIZr8xquHW8LK+9RUdZXTO1gl1ik8gNYyw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781014180; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=+iyWS350+EGLdCVAOEq1Vpzawos7AGLp2z8qhwn+5WQ=; b=D2z8W5KrrTdcn02b7xRAsOma44b8R3UM3IH0/BTe6AWjmlSh+TjJC1Pc2sdp0EEDFIIPE1 cXkfI1NZr67yI2QI+jO35KXhdobeKFKJauegQq2UCZK4a2L8ckJIaJamh+ecEVBMdzcet3 nMCT8SIgxu17uVz+Gej0eIMOjs7mtkrKC9SdlTKR5H2ANdfHiX6LEkFsal9lw2nwL41Vl6 FF51E1h6ykrxlhHeQmV/gtc8AXYXL9XfMbvC7wzzHzwuOc94EayufBPadIQpQogmDK503f 3Nryx7ATKZVePOWJlUpDWupTdXNJeiMjnncuSpM8ZXTyQrx+FiUE67//Kaf7Mg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZW4h4shDzdyq for ; Tue, 09 Jun 2026 14:09:40 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 4551c by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 14:09:40 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: beee13213e0a - stable/15 - netlink: Fix interface type match List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: beee13213e0a50e29cd693f16aaf8785e03f6c4d Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 14:09:40 +0000 Message-Id: <6a281ea4.4551c.32e41fad@gitrepo.freebsd.org> The branch stable/15 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=beee13213e0a50e29cd693f16aaf8785e03f6c4d commit beee13213e0a50e29cd693f16aaf8785e03f6c4d Author: Ed Maste AuthorDate: 2026-05-22 13:35:52 +0000 Commit: Ed Maste CommitDate: 2026-06-09 13:40:28 +0000 netlink: Fix interface type match Reviewed by: bz, glebius, pouria Fixes: 7e5bf68495cc ("netlink: add netlink support") Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57167 (cherry picked from commit eff5f220c379d4173fdc0e5ec00380888bf7649a) --- sys/netlink/route/iface.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/netlink/route/iface.c b/sys/netlink/route/iface.c index 0095ba869c51..91d2d266822b 100644 --- a/sys/netlink/route/iface.c +++ b/sys/netlink/route/iface.c @@ -423,7 +423,7 @@ match_iface(if_t ifp, void *_arg) if (attrs->ifi_index != 0 && attrs->ifi_index != if_getindex(ifp)) return (false); - if (attrs->ifi_type != 0 && attrs->ifi_index != if_gettype(ifp)) + if (attrs->ifi_type != 0 && attrs->ifi_type != if_gettype(ifp)) return (false); if (attrs->ifla_ifname != NULL && strcmp(attrs->ifla_ifname, if_name(ifp))) return (false); From nobody Tue Jun 9 14:09:41 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZW4k1lC9z6g3MG for ; Tue, 09 Jun 2026 14:09:42 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZW4j5xJcz3tm2 for ; Tue, 09 Jun 2026 14:09:41 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781014181; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=buRykqkRMT09mU1Wsx1juOXnat2YpPZlVkvFex0TrsI=; b=K2PajZkFsiCiaB1e4+bcqhyu2tFEyH8hZLUFWOapJnubXgyI5u1txhlFYE9VCR6RzQRdhy /S78YtrEAUAGJFE51HtUySQCG3OyHmP/IC/WRWV4Voskd0aV7j9NLhrDidAHqlyYUXSJdC mUv2WZfHHxA2UL8dlVPIFwWA5gE4NpfYBZeu86TuYGv9K3mWclzMPdVqMt/hXdqMxFIF+D dtDUju5xXVYkHCR2YrmJti/vJtRTpLmvzeAkwxman7Dw455WLVmVJX77IiARgOUNxaawWT fDASLOqTcDRLcvLkvnmR7EzfhfzCG9NL9tKRmVf7bIZuR3628j5sg0Q5dcG7Mw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781014181; a=rsa-sha256; cv=none; b=Jq1O+EcdBKuUoai/Ievu4wiRcFnXC1YngC96e8ElJpHmK1uEsisXGyAIrKPnKCQzMklt8a 4I2tyfZEpkA/gygmURlFyTryVo9dPcfoNoRTc3cCK3E/FLkZmXH6RaXiROcPkjOEOaSwyZ +K3vVHPLZJ+YnPbUeY6F1XKObHKAZJVkus/rLLZgWOZhGi2fKG7FDATGlS28QoObKWHn8l aYGUAo1Wb0jvLOcR+9UtLQmwziq6U+4dm5Z86sqd7rQJxLSsKvGXKMv11Aq3GqH0HU3SQe 37/T93+r3VyTEjR1KIhdUCM6L95tLzKdy8AbP92VQ79FNQjAgX/bxtrPEU4jDg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781014181; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=buRykqkRMT09mU1Wsx1juOXnat2YpPZlVkvFex0TrsI=; b=bDCCktSKxtK2NrZYGkaLD6tHV1uQBQt1EIamL62vYhWdKaaWgy061QCBPswGtaldWZsr2g u0IaoNA9ebUsh2OKSBbBBZHAjPJHkSv58s52SGe6CNDTPacppyEv4ZQ+9kqkganmHp1gbK cdVmzmS7mJocU3gW4KX2Mz9bQKCnmE7extkaFCPbTG+ZhIQFmkoDtU5Q+nFq8+PO68kJ7Z RucjLGukhzUKZW+nr3iT0nq/9ifiWTNo/hwprY2cJdY2j47bxkmW/OhmjTPyC1OB+et7v/ 18i41ATea2XqzObNh2y19h2iaw7S8WoBv5Hg9y6avmpXdVcIEAH543Z+FYAUMA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZW4j5RLMzdNK for ; Tue, 09 Jun 2026 14:09:41 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 44650 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 14:09:41 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: e22716b6cbfc - stable/15 - netlink: Check for NULL return from npt_alloc() List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: e22716b6cbfcb4c9ff1900f19c923fb84aebcae1 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 14:09:41 +0000 Message-Id: <6a281ea5.44650.66ad1466@gitrepo.freebsd.org> The branch stable/15 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=e22716b6cbfcb4c9ff1900f19c923fb84aebcae1 commit e22716b6cbfcb4c9ff1900f19c923fb84aebcae1 Author: Ed Maste AuthorDate: 2026-05-22 14:41:16 +0000 Commit: Ed Maste CommitDate: 2026-06-09 13:40:29 +0000 netlink: Check for NULL return from npt_alloc() Reviewed by: glebius, pouria Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57171 (cherry picked from commit 1dbc104148845434575d1931d47876ae0ca1542f) --- sys/netlink/netlink_message_parser.c | 2 ++ sys/netlink/route/iface_drivers.c | 3 +++ sys/netlink/route/rt.c | 4 ++++ 3 files changed, 9 insertions(+) diff --git a/sys/netlink/netlink_message_parser.c b/sys/netlink/netlink_message_parser.c index 4c41235efaac..37c16ce3024f 100644 --- a/sys/netlink/netlink_message_parser.c +++ b/sys/netlink/netlink_message_parser.c @@ -90,6 +90,8 @@ nlmsg_report_cookie_u32(struct nl_pstate *npt, uint32_t val) { struct nlattr *nla = npt_alloc(npt, sizeof(*nla) + sizeof(uint32_t)); + if (nla == NULL) + return; nla->nla_type = NLMSGERR_ATTR_COOKIE; nla->nla_len = sizeof(*nla) + sizeof(uint32_t); memcpy(nla + 1, &val, sizeof(uint32_t)); diff --git a/sys/netlink/route/iface_drivers.c b/sys/netlink/route/iface_drivers.c index 4f1540740ead..31d2523a479b 100644 --- a/sys/netlink/route/iface_drivers.c +++ b/sys/netlink/route/iface_drivers.c @@ -155,6 +155,9 @@ _nl_store_ifp_cookie(struct nl_pstate *npt, struct ifnet *ifp) sizeof(ifindex) + NL_ITEM_ALIGN(ifname_len + 1); struct nlattr *nla_cookie = npt_alloc(npt, nla_len); + if (nla_cookie == NULL) + return; + /* Nested TLV */ nla_cookie->nla_len = nla_len; nla_cookie->nla_type = NLMSGERR_ATTR_COOKIE; diff --git a/sys/netlink/route/rt.c b/sys/netlink/route/rt.c index a76e00d34502..42ba3307b816 100644 --- a/sys/netlink/route/rt.c +++ b/sys/netlink/route/rt.c @@ -868,6 +868,10 @@ create_nexthop_from_attrs(struct nl_parsed_route *attrs, int num_nhops = attrs->rta_multipath->num_nhops; struct weightened_nhop *wn = npt_alloc(npt, sizeof(*wn) * num_nhops); + if (wn == NULL) { + *perror = ENOMEM; + return (NULL); + } for (int i = 0; i < num_nhops; i++) { struct rta_mpath_nh *mpnh = &attrs->rta_multipath->nhops[i]; From nobody Tue Jun 9 14:09:42 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZW4l1l1Nz6g3Gc for ; Tue, 09 Jun 2026 14:09:43 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZW4k6dD4z3tpD for ; Tue, 09 Jun 2026 14:09:42 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781014182; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ixH9PMi++iMgDF5rC3Hs7C98vi811JPHHjq1HBqixFc=; b=sTao4wCiMb/hq3/gcge867SLoZNB5uNq9s0nGulKptsJtQT2CXzE976+NZBd7tEXbsOEEM QyTIahYoG6xdpSRudAX5xlwLMECd0wDaU+9k+sSHfKMf1tlxC5Yp3ipAfZvU/hV5maD2pB izisqgva99rWc9fJm1yasKiQOJ1vgW5Z1gco8MVGunhSgLUNIo8AIvWixg6FLaT8NmQZ2i IuGNy8SP7o9MYBuSajIvt9FXUlRCfG2FSwgzJiDPetICTOh5xMcWoPq0Y9gW0IdY16EOeA 4wggTAPoebkXeQUeb0TrLnbL0UTpAxTScgt0+/jJ2gxFPoeCPsWiGpoDke+YlQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781014182; a=rsa-sha256; cv=none; b=wrkxyOBxms9syJuiksLCLFFvmP6cCGwouHFgwnD7trdJtqtH0SSos+l3nCS2FL8OCvkSAb K/GZouftU1ErjkrE+JljljR9nCrLpFXxdRPiyEAIb3ulPR1suXhMT7rJh2hvmPSq7aMJpC sSKrhsHYJiFDkpiNIWsbo9C7SjI7wnbV111kr5upoDbLFAazjgtabrrKZDxQ/oDWrNkjAq cNQ14KGq2tpzQ+kaYyU5CEGHXj6QAu9RLy9AWhvUe4DRmuhKjnty4fpa7U/jmLiIFnIYTJ ojHu/AJBMlyIp91BalndHEuwo360OyVrQO+cQDoLm9JN7MRQciyI26N01ZK2MA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781014182; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ixH9PMi++iMgDF5rC3Hs7C98vi811JPHHjq1HBqixFc=; b=WImC6VUD0ywndUEYt83a31iTgDAA5BIES7P0JsWQfQGPhyF6RYt45JcFT9DCYuuiOFGykj r+nF9q6gzx49t02digsLL/8U8jDeooL9OE9v2+5IFvckRtuzLp8t8A4VnLEJS6Rlu4A5Cj PMdQInjPfNWnZmY/gIgYxri5rNokEPc9AEfJs7n9TFLC/5tdvAn5GIxveQOTlKgq7lMTqJ pop45qTWAryMru2cHZMWeYTt1pTtse4o26zATEEWnCi14+8PLuWmVOEsddb37+kddbWaNo XpEKtURgdpkAciYnMDS4N7Tko211+u6CUT1OJX+e/ZfmsNCHqfVK5qjh/Bi7qA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZW4k6Dp8zdrL for ; Tue, 09 Jun 2026 14:09:42 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 45273 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 14:09:42 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: 6c81e7622211 - stable/15 - netlink: Avoid potential undefined behaviour List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 6c81e7622211bbe2928fd45422fa55ecfbba8f1b Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 14:09:42 +0000 Message-Id: <6a281ea6.45273.3fdebcfa@gitrepo.freebsd.org> The branch stable/15 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=6c81e7622211bbe2928fd45422fa55ecfbba8f1b commit 6c81e7622211bbe2928fd45422fa55ecfbba8f1b Author: Ed Maste AuthorDate: 2026-05-22 14:55:49 +0000 Commit: Ed Maste CommitDate: 2026-06-09 13:40:29 +0000 netlink: Avoid potential undefined behaviour Taking the address of an OOB array element is UB, even if not dereferenced. Reviewed by: des, bz Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57172 (cherry picked from commit 4d125ed6e7d445d574c11dc35c40ec3013559806) --- sys/netlink/netlink_generic.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/sys/netlink/netlink_generic.c b/sys/netlink/netlink_generic.c index c2f82eed5656..50c12175e14e 100644 --- a/sys/netlink/netlink_generic.c +++ b/sys/netlink/netlink_generic.c @@ -93,12 +93,10 @@ static struct genl_group { static inline struct genl_family * genl_family(uint16_t family_id) { - struct genl_family *gf; - - gf = &families[family_id - GENL_MIN_ID]; KASSERT(family_id - GENL_MIN_ID < MAX_FAMILIES && - gf->family_name != NULL, ("family %u does not exist", family_id)); - return (gf); + families[family_id - GENL_MIN_ID].family_name != NULL, + ("family %u does not exist", family_id)); + return (&families[family_id - GENL_MIN_ID]); } static inline uint16_t From nobody Tue Jun 9 14:09:43 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZW4m1nZsz6g337 for ; Tue, 09 Jun 2026 14:09:44 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZW4m0LSTz3tjV for ; Tue, 09 Jun 2026 14:09:44 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781014184; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=AcqsyiSMDiQYKaLlX3AWoV9Y7JUCnE8PjDMKC5bZRGw=; b=ub8o9qXQ74gYnR5P4IiZlXjBh7w1bFHFrf/ieUR2IYZ3gIrSsDGguoV3tuHaF2NvcNN8UA F5JBHKOIFA8WeFPgUdHqs6Sijf5fMoLvhtCcOZpFIy5P+GOdbb2eOxlPu7ewcXHHPue+YT nZ9BFtJ+KJRxJ7rdROSou8Fbm9rWHu22aYCVbLRFjeY3SfbIipeXeMU/yTka/Shy/DBihQ xpiW2uBqgu+8h1CGJLuPXMN7ohX5P2xPZZ1zJWHMFG0B62xQjqFBzym3aiiSHRfkyAjdfU Z5mEuFqdzXLpHUndQXu24Pq0Garm5Syv9+2Ua7DdZ+dfFx2SkIjFvY9siXd0ew== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781014184; a=rsa-sha256; cv=none; b=GNwRYZcRrTIymawp23BqZU27gQtyMqDfbjV+EHFEYOVKWK8yWWVrA/otXcgTEe9BkzyNzZ RxSwRfFHsZrWxGNEGDPaOuK/QnMxQviEpGLLS9H1oubtmQu403AZGUgfAPIhCjrBGOVSYL GRwVvIreF8RabwrbRWllnOXLVkwr4bZ1km/FfbMXphuOx5OADcNhV/ZI9JiVMoy3QKcfvu ty6/tC5jyePj80UZ1sFMHJ5qbesDdDDfFau4BRCzqCXU9/ORRVk3Zmti1RXwx19PVcEAwF TWCzNs6ISnjKL3jmO1khYG8jOwG+ZGJKlUH8XISxk7zY5C2+thCrKZ2qIxvTFw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781014184; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=AcqsyiSMDiQYKaLlX3AWoV9Y7JUCnE8PjDMKC5bZRGw=; b=rH0p534g9J2fHFntfRMnPIaHvq/NUUd7YIlkN6f7fLweBbKH9a/jRZI4KKAppv7BcxiPVn TVJK84HHI9p6Nx0ENOUp3vB02Yni7ZyL0QXliQokBKu7vUS/LzvHvxGxtwOvh8klxs/tDq MnG0qchfnY3kYBAYvC2rms6EZwRFjP3Rg2XEiu9bTlxJAvol1pMZBZhlr5zxC/UR0NFy53 ghWC5N7gUj6wisdRMN4Fz4vBQpgS7mOgAduUFYb3inVZ6iOXjOGF+cn0NflSxTdyK9bt8w Z5+AUtGSx1ontSr+6ZSwT/Ge/dvsPqzyuNodYi0Au2opoYWqX8ycB/PTmQDDWQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZW4l6zxYzdyr for ; Tue, 09 Jun 2026 14:09:43 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 4384c by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 14:09:43 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: 44e81e84181f - stable/15 - netlink: Fix RTM_GETROUTE loop for RT_TABLE_UNSPEC List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 44e81e84181fdf71c5b835e263be77ce45d6a227 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 14:09:43 +0000 Message-Id: <6a281ea7.4384c.36f6fa72@gitrepo.freebsd.org> The branch stable/15 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=44e81e84181fdf71c5b835e263be77ce45d6a227 commit 44e81e84181fdf71c5b835e263be77ce45d6a227 Author: Ed Maste AuthorDate: 2026-05-22 14:27:53 +0000 Commit: Ed Maste CommitDate: 2026-06-09 13:40:29 +0000 netlink: Fix RTM_GETROUTE loop for RT_TABLE_UNSPEC Reviewed by: bz, pouria Fixes: 7e5bf68495cc ("netlink: add netlink support") Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57234 (cherry picked from commit 33acf0f26b490ea4887d820a3f45c56e3913a17d) --- sys/netlink/route/rt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/netlink/route/rt.c b/sys/netlink/route/rt.c index 42ba3307b816..ce62aad1f81b 100644 --- a/sys/netlink/route/rt.c +++ b/sys/netlink/route/rt.c @@ -696,7 +696,7 @@ handle_rtm_dump(struct nlpcb *nlp, uint32_t fibnum, int family, if (fibnum == RT_TABLE_UNSPEC) { for (int i = 0; i < V_rt_numfibs; i++) { - dump_rtable_fib(&wa, fibnum, family); + dump_rtable_fib(&wa, i, family); if (wa.error != 0) break; } From nobody Tue Jun 9 14:09:45 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZW4n33xSz6g3MK for ; Tue, 09 Jun 2026 14:09:45 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZW4n18xJz3tjd for ; Tue, 09 Jun 2026 14:09:45 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781014185; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=6UdCg+pDk89CkZDq02HuSpYnwcO+NMirgJSeAjq+yII=; b=r/H6PEmz3RNPq7TLc1g0vFEcxnQitM64YD9Vqh5t6Sn7N8BLrBfwYscqTKsj+gWfs8bPqB 1ETLcu1cC4naonmLGiYuPSkG8m2TurizQg5SBIjHM7RYdNTmDbux8VJMgX66gMBO3dGWKo Ue/djqe2LUuCFNsqwoS5nY0b5qH+3PEAmqyTs1NWcaKAwS9A4/hybY3ngfwS1Ysgsklfe7 z0Iz+UE4e7qlWElMYtaS85ViTdUG+X71f/EMAWmwYHWNnwrGuRnwN6H+WnpH/jCFBEoUJA 6Qfud0V3dCEtSdLiYQA8yX0mcWKGqFNm5nJOUSZIaTAG9I2VxYnrKIV0RlyBXQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781014185; a=rsa-sha256; cv=none; b=SGkD2WUOS2BSoR0aHQGGk5cA+8xztdbAmW+JM3t7l7QH1n0g0fCc06AdsBvo1ahiOisy7R XA0FnaX44+FBf1g/XHXE3jM36Hn398US0Q+eTg2I4ehailtnQNpIFhPVEdoAjEp6GDDp4B qvSTeVL0NA8MSi37xFDOknP1sy7rTtEjEei0qJ+zdZcgLcRubhE+TAKKzgUVg3+Nv8r0sR ldaS3XUmb5/cfgCnqxukMZpoY5aiveCto7VgbdT7qYlFvatda/p9ToEj3X9w6yib9nqvbv 1sAVfXuYJUnXwCznM4QulftKN+TLwPE210iAP2YQ/1WYJ75FAD/qnsjEtyxc6g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781014185; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=6UdCg+pDk89CkZDq02HuSpYnwcO+NMirgJSeAjq+yII=; b=eNFNvNm6VpjVRPjk1O0I3LRUez68I61pp33sfAy4c99FUTg+iU5HK7LpyXH5T/FUZ7cQfG 63SIQMnh4+tgGysERdfnjVyVwOnjWZelK4EGbY2vhYeM81vLznkuY6AZekPJUTgmIXYSXA DEjDjBj6KnGwjNQnHcmx9DKHRCsxKwKdozl+FgwogfFR/0So6PbPI4hUAXxRSCC9Z4k14m LGy5w47eqtCF0aRzao6L91MCtasK+oCbNBomr5bC/EyqTE9lHKoUlrHaVT7aSu6jGrA24/ rbZs1Eqhu2Xes9ubujWuXiBQUuh2RHk4j5BBG1pvFOlYE70D2UN6Y/UCfmKT1A== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZW4n0hq6zdNL for ; Tue, 09 Jun 2026 14:09:45 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 45d5e by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 14:09:45 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: bbf019824592 - stable/15 - netlink: Use early exit pattern in _nl_modify_ifp_generic List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: bbf01982459284f08877eeac493ac272c044318c Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 14:09:45 +0000 Message-Id: <6a281ea9.45d5e.32b73e91@gitrepo.freebsd.org> The branch stable/15 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=bbf01982459284f08877eeac493ac272c044318c commit bbf01982459284f08877eeac493ac272c044318c Author: Ed Maste AuthorDate: 2026-05-29 21:08:51 +0000 Commit: Ed Maste CommitDate: 2026-06-09 13:40:29 +0000 netlink: Use early exit pattern in _nl_modify_ifp_generic No functional change. Reviewed by: pouria, melifaro Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57349 (cherry picked from commit 9ddb6064f815ebdd0cfea4b2e0d3b6f0c98ea072) --- sys/netlink/route/iface_drivers.c | 53 ++++++++++++++++++--------------------- 1 file changed, 25 insertions(+), 28 deletions(-) diff --git a/sys/netlink/route/iface_drivers.c b/sys/netlink/route/iface_drivers.c index 31d2523a479b..d26e92044ff5 100644 --- a/sys/netlink/route/iface_drivers.c +++ b/sys/netlink/route/iface_drivers.c @@ -69,17 +69,16 @@ _nl_modify_ifp_generic(struct ifnet *ifp, struct nl_parsed_link *lattrs, int error; if (lattrs->ifla_ifalias != NULL) { - if (nlp_has_priv(npt->nlp, PRIV_NET_SETIFDESCR)) { - int len = strlen(lattrs->ifla_ifalias) + 1; - char *buf = if_allocdescr(len, M_WAITOK); - - memcpy(buf, lattrs->ifla_ifalias, len); - if_setdescr(ifp, buf); - if_setlastchange(ifp); - } else { + if (!nlp_has_priv(npt->nlp, PRIV_NET_SETIFDESCR)) { nlmsg_report_err_msg(npt, "Not enough privileges to set descr"); return (EPERM); } + int len = strlen(lattrs->ifla_ifalias) + 1; + char *buf = if_allocdescr(len, M_WAITOK); + + memcpy(buf, lattrs->ifla_ifalias, len); + if_setdescr(ifp, buf); + if_setlastchange(ifp); } if ((lattrs->ifi_change & IFF_UP) != 0 || lattrs->ifi_change == 0) { @@ -91,18 +90,17 @@ _nl_modify_ifp_generic(struct ifnet *ifp, struct nl_parsed_link *lattrs, } if (lattrs->ifla_mtu > 0) { - if (nlp_has_priv(npt->nlp, PRIV_NET_SETIFMTU)) { - struct ifreq ifr = { .ifr_mtu = lattrs->ifla_mtu }; - error = ifhwioctl(SIOCSIFMTU, ifp, (char *)&ifr, - curthread); - if (error != 0) { - nlmsg_report_err_msg(npt, "Failed to set mtu"); - return (error); - } - } else { + if (!nlp_has_priv(npt->nlp, PRIV_NET_SETIFMTU)) { nlmsg_report_err_msg(npt, "Not enough privileges to set mtu"); return (EPERM); } + struct ifreq ifr = { .ifr_mtu = lattrs->ifla_mtu }; + error = ifhwioctl(SIOCSIFMTU, ifp, (char *)&ifr, + curthread); + if (error != 0) { + nlmsg_report_err_msg(npt, "Failed to set mtu"); + return (error); + } } if ((lattrs->ifi_change & IFF_PROMISC) != 0 || @@ -117,21 +115,20 @@ _nl_modify_ifp_generic(struct ifnet *ifp, struct nl_parsed_link *lattrs, if_setppromisc(ifp, (lattrs->ifi_flags & IFF_PROMISC) != 0); if (lattrs->ifla_address != NULL) { - if (nlp_has_priv(npt->nlp, PRIV_NET_SETIFMAC)) { - error = if_setlladdr(ifp, - NLA_DATA(lattrs->ifla_address), - NLA_DATA_LEN(lattrs->ifla_address)); - if (error != 0) { - nlmsg_report_err_msg(npt, - "setting IFLA_ADDRESS failed with error code: %d", - error); - return (error); - } - } else { + if (!nlp_has_priv(npt->nlp, PRIV_NET_SETIFMAC)) { nlmsg_report_err_msg(npt, "Not enough privileges to set IFLA_ADDRESS"); return (EPERM); } + error = if_setlladdr(ifp, + NLA_DATA(lattrs->ifla_address), + NLA_DATA_LEN(lattrs->ifla_address)); + if (error != 0) { + nlmsg_report_err_msg(npt, + "setting IFLA_ADDRESS failed with error code: %d", + error); + return (error); + } } return (0); From nobody Tue Jun 9 14:09:46 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZW4p6Vbsz6g381 for ; Tue, 09 Jun 2026 14:09:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZW4p2kHZz3tr9 for ; Tue, 09 Jun 2026 14:09:46 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781014186; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=RjWltcTPsMs62YSt+OthgS2pgJsbr8L2PMxRDIR6eoI=; b=kMEfX4Iebe5Y36Gf4UKgGOkReVyKRsWbH+0itLUgn1nho/7DJSsXWUpnvbu6kESrhKkdT8 jNwkoBGONFaW+eWdoJ2Ig69jjPebOaAmkzkGw95eTQaDxgGWkvkegRirDySEgWT5K9GJdM jXC80sq0p3IZn5S5R0sToW6FANXP5h/YrRc+XvsKKRxGLfjsGc/ey8ICCGZ+iY3h6LFLuA MxTw5tKtfEwqmhR76FmHPOwf/vkDdmMtI9WwYTjZW9mb9ueNlz/w5VSlOeZgKLWtpBUtQa 4wgdYafZSSSLzX3jOxjxWPZ1YsFfm+qVS6ZBeGf6Ks6TRAfnbwRTEMECzmcrbw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781014186; a=rsa-sha256; cv=none; b=iExyJpsH0YnaN3jBl0yPqwnfll7eNAaXpGnTYDuPQjl2XBCCTW+6b10USR7OBGTav2IWQ7 KFn1YquRdTOEObXvqZWElR1ZNt54DwBM7moIgPBJf3WemgR+WvS+clf52WdPRZIw3BdMHg chFC3vw64btbKDuQzp5a6n/RP5Li6p2jkE+9k0BREr/k7lB6yiqhZJ+6gzV1jDjz3Oy/7z 0Y1K48nPghrCRVY5t1zLtZCt7pjW6jq2pdDfdx+iZbq33yoCy5VyYLzZOevK3GYWSP+VmV th0ZRyrfWzHWMttTFhrPT4DqXL1zDS747hMI6GuWOhU5viPoUi3EdaRoJmEGig== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781014186; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=RjWltcTPsMs62YSt+OthgS2pgJsbr8L2PMxRDIR6eoI=; b=p+g3bBDMC5nKzqHd+P9hZYLM1EHZAidQpDpAxtXJmPahRQDVMDZqvjqkQIgtirhJPFmt5c nJxkyzS8X9tzWq9r5PNSrzSaiYsdPzWm6MeiMugh99J0UemPOIU0Wq+zhPtyDgMcGwQ2NN KUhYwsvFLId4pnwunOgaOuK7j8ZWIwwRMG6Xd79zq8qsuoRF/A8rbBLiQSVdG4nM77Ckof WRBdE/X/HqL7EVtpCXBf8iR5G9jFfncZR5bchSAPe+95FhG3KiCc5Hy+xJVZ0zQcejx3c9 PhGp+dvMwNXF643KXdDBMnP6gtetdY25HPLLYpZ2+iq0HoAf1wQvRwT7x70q6Q== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZW4p1TGZzdlM for ; Tue, 09 Jun 2026 14:09:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 4560c by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 14:09:46 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: 30d907804d7d - stable/15 - netlink: Check permissions for interface flag changes List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 30d907804d7deb488fd5b43e435bc0f1a7f805a4 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 14:09:46 +0000 Message-Id: <6a281eaa.4560c.4ab0d13@gitrepo.freebsd.org> The branch stable/15 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=30d907804d7deb488fd5b43e435bc0f1a7f805a4 commit 30d907804d7deb488fd5b43e435bc0f1a7f805a4 Author: Ed Maste AuthorDate: 2026-05-29 15:52:03 +0000 Commit: Ed Maste CommitDate: 2026-06-09 13:40:29 +0000 netlink: Check permissions for interface flag changes Reviewed by: pouria, melifaro Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57332 (cherry picked from commit 96dbc9a8de105065b6b1e55702aa648319176587) --- sys/netlink/route/iface_drivers.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/sys/netlink/route/iface_drivers.c b/sys/netlink/route/iface_drivers.c index d26e92044ff5..79daa4215dba 100644 --- a/sys/netlink/route/iface_drivers.c +++ b/sys/netlink/route/iface_drivers.c @@ -83,6 +83,10 @@ _nl_modify_ifp_generic(struct ifnet *ifp, struct nl_parsed_link *lattrs, if ((lattrs->ifi_change & IFF_UP) != 0 || lattrs->ifi_change == 0) { /* Request to up or down the interface */ + if (!nlp_has_priv(npt->nlp, PRIV_NET_SETIFFLAGS)) { + nlmsg_report_err_msg(npt, "Not enough privileges to set flags"); + return (EPERM); + } if (lattrs->ifi_flags & IFF_UP) if_up(ifp); else @@ -104,7 +108,7 @@ _nl_modify_ifp_generic(struct ifnet *ifp, struct nl_parsed_link *lattrs, } if ((lattrs->ifi_change & IFF_PROMISC) != 0 || - lattrs->ifi_change == 0) + lattrs->ifi_change == 0) { /* * When asking for IFF_PROMISC, set permanent flag instead * (IFF_PPROMISC) as we have no way of doing promiscuity @@ -112,7 +116,12 @@ _nl_modify_ifp_generic(struct ifnet *ifp, struct nl_parsed_link *lattrs, * function either sets or unsets IFF_PROMISC, and ifi_change * is usually set to 0xFFFFFFFF. */ + if (!nlp_has_priv(npt->nlp, PRIV_NET_SETIFFLAGS)) { + nlmsg_report_err_msg(npt, "Not enough privileges to set promisc"); + return (EPERM); + } if_setppromisc(ifp, (lattrs->ifi_flags & IFF_PROMISC) != 0); + } if (lattrs->ifla_address != NULL) { if (!nlp_has_priv(npt->nlp, PRIV_NET_SETIFMAC)) { From nobody Tue Jun 9 14:55:47 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZX5v4tNVz6g76K for ; Tue, 09 Jun 2026 14:55:47 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZX5v2nV7z41nS for ; Tue, 09 Jun 2026 14:55:47 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781016947; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=2nGRMnhsKshsJv56pj+xDynjEeGgon/EieC/JA/zVcU=; b=UTXJhLvaIepo9VnZyakGQ+VaY2mTQ7BBdJ17LhAANUpPRKyBog/gvI/Ryefme2+Igiu8Xx UEtyqeOyYO+kExvJWZiiyo4dgiFAiaoKZ/uAWxfCodFpGOOU+1GXnHLWAcz6+XJJjKMGmW PvOqI1Jx7rVE6PwehsbXjXCUFLMo35Jf9XSimZCPlKDAlhoqmw5J9H5vHCgsBPKQR2LN/w 6fDmylZbskQs4uR693ltVGpcfObDaYQoA178MV6fcl3norFR/mxezkNtKsDyyEOVTteYAC Up9iJwXIkgB1vIiSE0sO2OlFJLCbzTEqNQhYfLHTgj7aDTm3AzysoGD70hSJ0g== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781016947; a=rsa-sha256; cv=none; b=oDMa8E98vgGg7MF6Jw84zCybSH12DGsBAXRQ8ClomLgDLrcxioLfdWUr8k8Om7NHu99WSU +QLG3rHfkJUh1OXol8IsfFsBcnetZ3ZM0+LXSGU+GB3UL4Y5j4vXqlzHtlKEXjsBJumUue NnfFZ8S4r0WOPRrLRyfa4l7XcDioPIDXbz5s/hHo12VneA9jxfVPDeE3q7zSfchRIY4wPR wu76B2DGn5Lx5lBEWKX0YOuJ3Yw4vYvCC+WVQz7w6RmWZ9Mm/k0S8yNvRyvRUIg+jlL4em PlkxoJvP/VxxLZ6W77geQsJ74ZkoKUx/VzM0DhqWzUnCtHWr1PEFTgf+RUM8hw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781016947; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=2nGRMnhsKshsJv56pj+xDynjEeGgon/EieC/JA/zVcU=; b=PVP+VIuRXO4VRe8aygwKerTuPtczxwz95oeFHraugCH3kgoNYadFG1GcecI/w/Dft0t9dW sOFq05/k/ofafASmUULoQ60MPLlGZRoBGMB5EUev6nX0CxkAylTBHSt+ePGvMDKqcbxuCd P06ZJBXaSaXTFzyFMzbyawchiIedGAnl72MlDmEKH/QurGvb4QKDPoJwHh4Nr0RldNRAoA ZtgcUK3ERu4w7peahRxU5H4hR13W7NuT7ktXSmE3gDJe8zBrJvEWy81l+UXTpgQENtWmmy l8Yh6TWUKXqq+yMhgFgiIc9Ldzb34/0pgA/MK2UhbCUTjICQosu7loVUz7NbBw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZX5v1nfkzffx for ; Tue, 09 Jun 2026 14:55:47 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 1a174 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 14:55:47 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: 471b1c4ca19b - stable/15 - smsc: Add missing newline to PHY timeout error printf List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 471b1c4ca19b16693ed410da5023739a60d063f3 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 14:55:47 +0000 Message-Id: <6a282973.1a174.685f6bb8@gitrepo.freebsd.org> The branch stable/15 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=471b1c4ca19b16693ed410da5023739a60d063f3 commit 471b1c4ca19b16693ed410da5023739a60d063f3 Author: Ed Maste AuthorDate: 2026-05-05 23:50:46 +0000 Commit: Ed Maste CommitDate: 2026-06-09 14:55:32 +0000 smsc: Add missing newline to PHY timeout error printf (cherry picked from commit 0979bfb0ec804590a782ea33b787ec0989c1f1a4) --- sys/dev/usb/net/if_smsc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/dev/usb/net/if_smsc.c b/sys/dev/usb/net/if_smsc.c index 0ebbf8482446..498a9ee3f926 100644 --- a/sys/dev/usb/net/if_smsc.c +++ b/sys/dev/usb/net/if_smsc.c @@ -1296,7 +1296,7 @@ smsc_phy_init(struct smsc_softc *sc) } while ((bmcr & BMCR_RESET) && ((ticks - start_ticks) < max_ticks)); if (((usb_ticks_t)(ticks - start_ticks)) >= max_ticks) { - smsc_err_printf(sc, "PHY reset timed-out"); + smsc_err_printf(sc, "PHY reset timed-out\n"); return (EIO); } From nobody Tue Jun 9 14:57:17 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZX7k2KhVz6g75B for ; Tue, 09 Jun 2026 14:57:22 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZX7k1pzMz423C for ; Tue, 09 Jun 2026 14:57:22 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781017042; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=+qq9EksFt6bsmq7UffVWT5hsmhEKAe1jDGBFPM8nLgA=; b=ahkb9cL5Mo5I3+nUMBkZT/iozbt2h4Z/xNYDN3SLH+YVPMx9b0+LfY56y/u/Q3ffOQpbo9 c3I1hRN8ZpZReNA3ztmzmB/BHs0CZG2kuJxQkidPr3cVg+iJLsWHAuvCenRD9A2kSkvH89 KrAjapqO2+DFW8X8A8yUTIboOERgUMzW8SAGZb/TJ/FHrkmNbjYft779JywmgP3Qo4f0fz nE86gmAMOEZSJg4WhFLLydGf4mVvwRTixN5THjllodRI6yT/nFak16Vv9Y1rMEJncWkIWe 7nTNPNZ2rWfSAAVdzcLjwYT73iQ6NTs3NIOokgBbGb5UWdKAL722F0vrdDy8aQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781017042; a=rsa-sha256; cv=none; b=ZBY77t5XxqWBafqy6NmDQMfVzfT4kUcIE6w9LRWOyag2qMIltk6NzMsIux1nwiYugtoJv1 RxgkFfAVYt4Y2SrMSfXOtgCOYtEAPvgiVPnJm+PPhTLypLUdW8iKwvaoCa9X9ek2b8HnqX 7eF0qJJdLe9yb2xcU/kEPVk1NULv8Bw9hHg9gArei2400vDmDYK36z0xJpPVkQf7WtEeL1 fNhJu3Gauu4ttKSjCwoEmQt9//5jbvk+HFBWcxCTM/9g2PeTE2DpqgInHgv74OeS/eTQV7 hY8+2QRSNFk9sbTUGrZ8lbNQyj+r0h8DP+x/PqDQeGyHNFj4hx6gUy5m+cEpkg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781017042; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=+qq9EksFt6bsmq7UffVWT5hsmhEKAe1jDGBFPM8nLgA=; b=qk3owFn2687jGV+odaZDtJbZpr47laYIxnldLQQikKr+S/hbYw993CIEi7/QBaicyBNuCu pckgXFT7rmXTlJumcFGkljmpK/ZZIIeAvXzTVGQkA4QrLYdBRAgZA1aFm7OOJuUp0A29BH 9Ilv26kLz7CC8+vgJX9e0XkO+3/TgfPqHuAEMObmvPiCQuMXcbJEGePuvYVZPfH2XNU+Y7 madBSENoOrG9IypIki7vHUhhZ9UzUg1lYgA58jV2OhZXtbjxSH6U4NvLTPARV43KzL0fRf A0cQDIJh6kb7xezaTcaDJG77vKSraxdtOHR4q7Rf7b4StmYRapEcZgCCcdrP9A== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZX7k1JFPzgCP for ; Tue, 09 Jun 2026 14:57:22 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 47fea by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 14:57:17 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Tuukka Pasanen From: Ed Maste Subject: git: a7f0ee3c5680 - stable/15 - bsdinstall: Add SPDX-License-Identifier tags List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: a7f0ee3c568083a2e63008f2992880d754ef707e Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 14:57:17 +0000 Message-Id: <6a2829cd.47fea.3d37ce09@gitrepo.freebsd.org> The branch stable/15 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=a7f0ee3c568083a2e63008f2992880d754ef707e commit a7f0ee3c568083a2e63008f2992880d754ef707e Author: Tuukka Pasanen AuthorDate: 2026-02-16 09:10:57 +0000 Commit: Ed Maste CommitDate: 2026-06-09 14:56:44 +0000 bsdinstall: Add SPDX-License-Identifier tags Reviewed by: emaste Sponsored by: The FreeBSD Foundation (cherry picked from commit 80c73c89dc6a156a119350d7c28c6db1f3b741df) --- usr.sbin/bsdinstall/partedit/partedit_efi.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr.sbin/bsdinstall/partedit/partedit_efi.c b/usr.sbin/bsdinstall/partedit/partedit_efi.c index 7c4f85a69b8b..21d03c6668ba 100644 --- a/usr.sbin/bsdinstall/partedit/partedit_efi.c +++ b/usr.sbin/bsdinstall/partedit/partedit_efi.c @@ -1,4 +1,6 @@ /* + * SPDX-License-Identifier: BSD-2-Clause + * * Copyright (C) 2016 Cavium Inc. * All rights reserved. * From nobody Tue Jun 9 16:58:30 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZZqW0GP3z6gGsr for ; Tue, 09 Jun 2026 16:58:31 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZZqV6rhWz4L3w for ; Tue, 09 Jun 2026 16:58:30 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781024311; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=mTwaRB4CnkNrRsU6djxBBZ4NxhNkK+UaZTb3MkT878s=; b=bi/lLyD1nbbDdlYMNy4bFqmRz4f/P+fxlwsI0mOq3neEhxDPpmnyMlUF+KDCXPJkiKsbwZ FgVe3VCkWKd/epdcyhNh1UEMDIrfGgE+S9GFZHiY83JKtLp3YNPYFnVKcP4ExbpPa64an1 TdoN5fBcHsVRlXYkObgNgxKfheOQxWVKPHItXX41JS2tgT/m3V2AtyNZHEVINQkofA0pV2 pqkwX3r6UIncDGXhoQfD+kV1krjMd4mKBCvodMqVJZYtxOT4B3SvVbgnI78wCRuoDYB9VQ vrpW8Sces7r/wsZYEow3Gan4twi77QaSYA0MFUWu87W654ezmXlPseYYL3gvEw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781024311; a=rsa-sha256; cv=none; b=pR//MV6H8nCOENqwNF7LKqJJegfOzJyRJ1ndil4HKvisa2RLjFPUQV91TFJPJS7J+dy+xA 75+dnJQmBs+n7RcYIFtSYplZw5rlIBesJXJJJuiQNGJ6mH8Dnp37A+D3qkrcUhMDXAJyO8 yIjtyM7Kp8dAW4nB9U7V6ySteviZo8pTS7Txvu+rBM6eBhFWL/pTj7dDsw+muEucxmhwJQ L3zMuAAzaTMPvPNWXEYIYltnv0hfTbGJ6hFV5+H/DBfPFXwplAMiM+Dxra9Q1iv+cFU12u DxQi7OOZhjPQkMrEiMOy85/KNper8fsUnhgoPPqfysx9kyb/2gg4jPQaE7/pEQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781024311; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=mTwaRB4CnkNrRsU6djxBBZ4NxhNkK+UaZTb3MkT878s=; b=iRchC7m2yttbHUsrw/0A6XZ5ZCMzrx5qYKI1+DOf1Y31FK5ks7ycv7kpH5iFg/J0bh7FX1 mYUFoT6uU8IAI6Gs9R/uq3ipk/Smpe1vyFu4jxec2pKnxGN1Ls4aVHhl6DbMnUh5gsi3ye eUR5upeTBAxqVPt1ByPZTSMeb56fsD9MahWi6N8Ro00SwvCq0Bmr/N2yZbRsqsPeP66YRr TWGhHL+PLy5YansR9WUCr0Nn2FLB5flQo9djNv1pORqSHYuq/qY0zBg9/B0Ya/EOrYRIim ab9Tj3PO6srGq3c+nKlYeYd4aRCySCGMtdU/o0hn+3g2VQjqs6k9vT1kiZ4gZw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZZqV6BmtzkJK for ; Tue, 09 Jun 2026 16:58:30 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 27c92 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 16:58:30 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: 6952ad819d6a - stable/15 - get/setpriority: Add capability mode checks List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 6952ad819d6a7c259ae1f0bd2646a35e4263f0d9 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 16:58:30 +0000 Message-Id: <6a284636.27c92.a23e87e@gitrepo.freebsd.org> The branch stable/15 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=6952ad819d6a7c259ae1f0bd2646a35e4263f0d9 commit 6952ad819d6a7c259ae1f0bd2646a35e4263f0d9 Author: Ed Maste AuthorDate: 2026-05-29 20:48:34 +0000 Commit: Ed Maste CommitDate: 2026-06-09 16:57:58 +0000 get/setpriority: Add capability mode checks Reviewed by: oshogbo Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57345 (cherry picked from commit 72e34b3e3907d5fd63abf7b2246cae80641769b3) --- sys/kern/kern_resource.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/sys/kern/kern_resource.c b/sys/kern/kern_resource.c index dcd38c6e6fbe..5850d2708a11 100644 --- a/sys/kern/kern_resource.c +++ b/sys/kern/kern_resource.c @@ -37,6 +37,7 @@ #include #include #include +#include #include #include #include @@ -99,6 +100,13 @@ kern_getpriority(struct thread *td, int which, int who) struct pgrp *pg; int error, low; + if (IN_CAPABILITY_MODE(td)) { + if (which != PRIO_PROCESS) + return (ECAPMODE); + if (who != 0 && who != td->td_proc->p_pid) + return (ECAPMODE); + } + error = 0; low = PRIO_MAX + 1; switch (which) { @@ -189,6 +197,14 @@ kern_setpriority(struct thread *td, int which, int who, int prio) int found = 0, error = 0; curp = td->td_proc; + + if (IN_CAPABILITY_MODE(td)) { + if (which != PRIO_PROCESS) + return (ECAPMODE); + if (who != 0 && who != curp->p_pid) + return (ECAPMODE); + } + switch (which) { case PRIO_PROCESS: if (who == 0) { From nobody Tue Jun 9 19:17:27 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdvr2phWz6gTrZ for ; Tue, 09 Jun 2026 19:17:28 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdvq6hh8z3LM1 for ; Tue, 09 Jun 2026 19:17:27 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032648; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=06QOUsk2ZHn2APSqPNzKP3SHypri6oeQACQ1p5GrGi4=; b=o5Q73a3fQL0Ii+WBy7nrfatZ5DjgcMP9hht0DLQRDtYbodttvlJgLp3l5HYWYMoLvbGwkL kE4EbeKhA8cfAcP2jlFkZMV+mq8IzdlVAuJ9TnNsQlemf7qp83xlKvpnYwGvIpPsIk4KJN KbR84U4ww58AZ3ae72J2gQ4NfDWUHzGzMJR0ZDoB3WjiUW7sQwxA7uJlCZ6Q0l9zM2JLUN zLKl4aeNsEMCg8YWNGId/OBNxEe4EF88KMla2eiz+0pFbemAJqU1lKJBlaQdrrNrSEhgD1 pXN2q6EgJGm5zn80rL163M2Xch+K2Ev/MlMsvQ//KoYvIq+hoksY+B8zd45bog== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032648; a=rsa-sha256; cv=none; b=r/OcN3/FJC2LpQ2kCAfBTiYOJP2E8t3JHOODiFs4Jd+2/5gdlWv3UOhfiAim+pmJpTpCaZ qMjnarV5G0BVnBCzKEufPEMVWpA0QEDOPaLLJetoiLBvmCEnci1RIScAYgZ44fpVEsIEYB h5ROTfxjNuwKVsDzXqsKDj4Kn55GY8gfqN1AAIZsyJ591QpaCBdHprvsaSAGAJfRv4OMAO Vd2nIM9eBZ4ExqRH4fek8xnNoTja4S09RwGx0nvwbjdd3FwCwLQEFTM7bLi/MlatjoyxJ4 z4eKKrh9CSorDa4lkIX/iuIC8CegaX9+m6ferOSN8/680dqmC9gN1FFmTwcfng== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032648; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=06QOUsk2ZHn2APSqPNzKP3SHypri6oeQACQ1p5GrGi4=; b=PUcWvOK59qQY1m6MHhfqR7jnEzcdUEPdWaOYe7jns3LfS5XvPMD73yK61w5J0Oo+q7RZhD 15w3nRj4XdebR5QHlRxZx1SZwM5+OFd4rulHLEa3JH3WY6IsblGyVhhufJnqA+L8aFPS/w tkpn0hoaPKi+T1Dek+kmc3ptG/G6fYhZoYn+l7YUcM2otOgEX1ublgVS21xB8wzpq50HFF i5rndPiViQnrV3+GR19+cltfAk6logSHhYkljjDRMMdBurGtl+Wqb+pKZ8eB/hwO1f2/Qs G/5b7vgn33pYJ6lZiMVLJgfWanUZ2JqD6TWJ+wWdZ26L7ZVdrsdd/cbvYc3fSw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdvq6B9YzmsX for ; Tue, 09 Jun 2026 19:17:27 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e51d by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:17:27 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: afa0c67a1ba3 - stable/15 - thr_kill2: Respect p_cansignal() List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: afa0c67a1ba368a98600d4f059190b1d2dc9fff3 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:17:27 +0000 Message-Id: <6a2866c7.3e51d.bbc6999@gitrepo.freebsd.org> The branch stable/15 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=afa0c67a1ba368a98600d4f059190b1d2dc9fff3 commit afa0c67a1ba368a98600d4f059190b1d2dc9fff3 Author: Mark Johnston AuthorDate: 2026-05-25 15:12:57 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 19:15:24 +0000 thr_kill2: Respect p_cansignal() Approved by: so Security: FreeBSD-SA-26:25.thr Security: CVE-2026-45256 Reported by: Igor Gabriel Sousa e Souza Reported by: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai Reviewed by: emaste, kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57237 --- sys/kern/kern_thr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/kern/kern_thr.c b/sys/kern/kern_thr.c index 4329959a2ef4..4a439eee0210 100644 --- a/sys/kern/kern_thr.c +++ b/sys/kern/kern_thr.c @@ -506,7 +506,7 @@ sys_thr_kill2(struct thread *td, struct thr_kill2_args *uap) p = ttd->td_proc; AUDIT_ARG_PROCESS(p); error = p_cansignal(td, p, uap->sig); - if (uap->sig == 0) + if (error != 0 || uap->sig == 0) ; else if (!_SIG_VALID(uap->sig)) error = EINVAL; From nobody Tue Jun 9 19:17:30 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdvt4sXLz6gTrd for ; Tue, 09 Jun 2026 19:17:30 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdvt0vNDz3LV9 for ; Tue, 09 Jun 2026 19:17:30 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032650; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=w71Do/Klozv+n+bPE2dzFrggeCdlaPIjIcp7madEckE=; b=jW0WbA7E1x7Ls8efMPmyDhVocFFQyt3yQpwKkvQ0SYpHJAwbfcn3wwYUESrXhkgeqTEWdJ WiilDQSNoSl9q4AU8IZmE82eV50bcUDt4vAivnztmt3Y5rb7CYOMfrbpYR0I3DCF4wrjCy j+vN9IqS905jIkQalzepThM5iBrNnrXWsqBbrp/J6OEowzB5vph/A7NDyVQo/HvVLzIeKh FChOw4/06oujdT0H4f2ont1k1C6g48Edg/cwCvehsZ9U8BCcdbj1Bg/lU5JJoaG7Ub5kNA 4QumkwlnzUSHSRGVyBlKQeMIZDoDoTywShNwzjsOlWeTHiOtxo+zI0piGKJ+Nw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032650; a=rsa-sha256; cv=none; b=HFarDu+leTYHaEr+z42e7CtUvfnAfjevija67K5h46R7fGLfWtOsGvjQq/fNlJ08sZ7Fnh tERt7f1nHDRK3uTAqPLAeEGVZspm67Jea6STcKEffDRybr/0oS0PcivKCTlC/rN9kiuVA+ BlyJjXhgtyCkQ6s/xQG3QWGP2LpwnikUHXCdkjZy6HgLPf6WvwLiI3ifh8amTUQpk6Zs+9 Qnl7mtCeTJE247dAO3M8MQH4aTIvriZWF/ba/tCwViTi1f+rvpOUqc1hpy5TWQG6/uV7j6 P1bxrt2SV1kxOyR+yoF94xzZ0H7sCp83V4NxamaRJHEy1bZjmAZysjIIPe+18w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032650; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=w71Do/Klozv+n+bPE2dzFrggeCdlaPIjIcp7madEckE=; b=M5sF5ee0GA+WaRn7a5CVbPr3/WYEdkWr30pguD6KddHjw8+zr1TgBFJ0owBO0LT8xj1Mr0 gtTXsg+FFmKrH9WpLM0F5PHSXebZYL6cpyhC0dQ+AjBqcK4Je+Hf8vtNfeFNLprGEdFat3 WqrFb+VYNwCNckw69ryt9dkhliek8IkSSvSyEPelt1V3ituvL+1Na4zzHEeMLWOIyADL+4 WMMsM/rs0YCfP+Y1xMFHlRDUEvl7MbFdcmVI1jvZKkVT9Du+PHxf6+2GwOpCojqLXfOAbs g9qA/ukCcUNijJiE6nampoLTWmK0NXgHawEzuLb8l1Xzn08cbABAXiV0ACZHdg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdvt0KhqznCM for ; Tue, 09 Jun 2026 19:17:30 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e41c by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:17:30 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Christos Margiolis From: Mark Johnston Subject: git: a6a8b2759f52 - stable/15 - sound: Check for offset overflow in dsp_mmap_single() List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: a6a8b2759f526aca1cae535f1390f8ccf9661da1 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:17:30 +0000 Message-Id: <6a2866ca.3e41c.654b548b@gitrepo.freebsd.org> The branch stable/15 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=a6a8b2759f526aca1cae535f1390f8ccf9661da1 commit a6a8b2759f526aca1cae535f1390f8ccf9661da1 Author: Christos Margiolis AuthorDate: 2026-05-27 15:50:33 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 19:15:24 +0000 sound: Check for offset overflow in dsp_mmap_single() Approved by: so Security: FreeBSD-SA-26:27.sound Security: CVE-2026-45258 Reviewed by: markj Sponsored by: The FreeBSD Foundation --- sys/dev/sound/pcm/dsp.c | 3 +++ tests/sys/sound/Makefile | 1 + tests/sys/sound/mmap.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 55 insertions(+) diff --git a/sys/dev/sound/pcm/dsp.c b/sys/dev/sound/pcm/dsp.c index 8a2ce2422bef..a37fe842ba76 100644 --- a/sys/dev/sound/pcm/dsp.c +++ b/sys/dev/sound/pcm/dsp.c @@ -1920,6 +1920,9 @@ dsp_mmap_single(struct cdev *i_dev, vm_ooffset_t *offset, struct pcm_channel *wrch, *rdch, *c; int err; + if (*offset >= *offset + size) + return (EINVAL); + /* * https://lists.freebsd.org/pipermail/freebsd-emulation/2007-June/003698.html */ diff --git a/tests/sys/sound/Makefile b/tests/sys/sound/Makefile index ab52a7aad386..f534a8cb17e5 100644 --- a/tests/sys/sound/Makefile +++ b/tests/sys/sound/Makefile @@ -2,6 +2,7 @@ PACKAGE= tests TESTSDIR= ${TESTSBASE}/sys/sound +ATF_TESTS_C+= mmap ATF_TESTS_C+= pcm_read_write ATF_TESTS_C+= polling ATF_TESTS_C+= sndstat diff --git a/tests/sys/sound/mmap.c b/tests/sys/sound/mmap.c new file mode 100644 index 000000000000..53594b7cc962 --- /dev/null +++ b/tests/sys/sound/mmap.c @@ -0,0 +1,51 @@ +/*- + * SPDX-License-Identifier: BSD-2-Clause + * + * Copyright (c) 2026 The FreeBSD Foundation + */ + +#include +#include + +#include +#include +#include +#include + +#define FMT_ERR(s) s ": %s", strerror(errno) + +ATF_TC(mmap_offset_overflow); +ATF_TC_HEAD(mmap_offset_overflow, tc) +{ + atf_tc_set_md_var(tc, "descr", "mmap offset overflow test"); + atf_tc_set_md_var(tc, "require.kmods", "snd_dummy"); +} + +ATF_TC_BODY(mmap_offset_overflow, tc) +{ + uint8_t *buf; + off_t off; + size_t len; + int fd; + + fd = open("/dev/dsp.dummy", O_RDWR); + ATF_REQUIRE_MSG(fd >= 0, FMT_ERR("open")); + + /* off + len will overflow and wrap back to 0. */ + off = 0xfffffffffffff000; + len = 0x1000; + + buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, off); + ATF_REQUIRE_MSG(buf == MAP_FAILED, FMT_ERR("mmap")); + + munmap(buf, len); + + close(fd); +} + +ATF_TP_ADD_TCS(tp) +{ + ATF_TP_ADD_TC(tp, mmap_offset_overflow); + + return (atf_no_error()); +} From nobody Tue Jun 9 19:17:28 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdvs3VSVz6gTpQ for ; Tue, 09 Jun 2026 19:17:29 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdvs0GTMz3LBV for ; Tue, 09 Jun 2026 19:17:29 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032649; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=CLK9k+aer17dbm0ueLbnMlgOpkTHJ3z4be+f5CVCYXQ=; b=HGZ/uKyJli2Na9S29go9qYD4BAC2LBBT04sNy2CortNFO4qwjtHB45Cd4aDvXcwbzPiOeG GklxffjiNC+UBBavb+/WhdfTAZlnGG+LCH6l8Q2IVmW5x1ue9BZzVt35VY6q9RTJtItz1/ dA61CwBrigG7DUlve+0cARcFio7KcTPGLLcz6jwGeKF/OhodEQzlejpTU7QXpDuULtjlzW Y8VdWSz/Q+GeNtoEQ8BTRy8cT6WIllWLlr7SILV3ak5+m2Jg7KkfApRTUFnHHGSEoXEW3H HGvdA2/SJw8WgyHijlhhyR+Ecb6BKUoq3DEgTtcIthaD6gZnRR6hGYmCtzexGw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032649; a=rsa-sha256; cv=none; b=wT7DQpjpg6FbgauxZYSdzsD2GjiknRR9EhX810JGqeXBzQslGEo8nToz/0q3sAgteoGCUU ZZfUr5Pa8keN+W/JGPWQAA7fdreBsbovVrg6u1wWtgc7ECOSZGJK5r7dZnHeg0Az5WPiGg +6qMVc8tCTFP9+ZFOdU6vn0U0X5wMXeXdJ9ATSCzvtlrNsLIGiXIOTt/IHJa5wm0+a+4fY ipwVtzDZh5T1RwOqXVh2SraVVFiT5UcDYO2aSFmkRPA4NOOTHPK8XdCeKWYm+BBqQnxS/r bciS31PeNp1IiOX8Px0HMf29+dm8uHV70FNqa6qu7f0A+rj8r471ZWAHjpzc0g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032649; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=CLK9k+aer17dbm0ueLbnMlgOpkTHJ3z4be+f5CVCYXQ=; b=S5ENYuTtakck6aQSAxcLktEZjGEs8Jsk3Et1C8IwAY2MuKFCwixPQXDWGWSCpkJYuWZgSb DG4VAG1MXGYoQuu29fZ1Acz2AQNSesEa0A7xfKTna5b4WLzZl3+BlBJs37oqMl5Uoz+Ii6 PL0D8n1M5t56m04Y17W0o1hv42djBHlOi4OwLplyMIwCkx08uHFUwv/4UaGMx5Mg+/N9zw wrvtzMFpU+kpVMB3HLhiJx2oyAI7GCMsk3MSHyl/WS9EuKUjtKDPb/teSTJ+vxjLeOHIN8 htGKWQMNBsKRgxYp3VM7rwevgE4E/IG5n6Q47Bci5CfiLgsC6aFa65tM59mcdw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdvr6w1kzn9R for ; Tue, 09 Jun 2026 19:17:28 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3c4ee by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:17:28 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: John Baldwin From: Mark Johnston Subject: git: a51345704403 - stable/15 - ktls: Don't attempt to modify non-anonymous mbufs on the receive path List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: a513457044031a86cec5aa07755f1dbc3b78c497 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:17:28 +0000 Message-Id: <6a2866c8.3c4ee.14365509@gitrepo.freebsd.org> The branch stable/15 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=a513457044031a86cec5aa07755f1dbc3b78c497 commit a513457044031a86cec5aa07755f1dbc3b78c497 Author: John Baldwin AuthorDate: 2026-06-03 23:22:00 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 19:15:24 +0000 ktls: Don't attempt to modify non-anonymous mbufs on the receive path Normally, data processed on the KTLS receive path is contained in anonymous mbufs that can be modified in place. Either the data originates in receive buffers from a NIC driver, or for loopback connections the data is anonymous-backed mbufs created when writing to a socket. One potential source of non-anonymous mbufs are mbufs created by sendfile(2) which borrow the pages of the underlying file, either via M_EXTPG or EXT_SFBUF that are sent over a loopback connection. For a well-formed loopback TLS session, the sender should only use sendfile(2) if KTLS is enabled. If TLS is fully handled in userspace, the sender must use write(2) or send(2) which allocate anonymous mbufs. If KTLS transmit is enabled, then sendfile(2) on a loopback connection will always use crypto via OCF and will allocate anonymous pages to hold the encrypted data. However, if sendfile(2) is used to send file-backed data directly over a loopback connection where KTLS is not enabled on the sender side, the KTLS receive path can modify the file-backed pages in place overwriting the file's data. One potential fix would be to replace non-anonymous mbufs in a received TLS record with anonymous mbufs (e.g. via m_dup()) before passing the record to OCF. However, there is no legitimate use case for using sendfile(2) over a loopback TLS connection without using KTLS on the sender side, so instead simply fail decryption requests and close the connection if non-anonymous mbufs are encountered in the RX decryption path. Add a test for this that verifies that the original data backing the file descriptor used as the source for sendfile() is unchanged after being processed. Approved by: so Security: FreeBSD-SA-26:26.ktls Security: CVE-2026-45257 Co-authored-by: Drew Gallatin Sponsored by: Chelsio Communications Sponsored by: Netflix --- sys/kern/uipc_ktls.c | 17 +++++++-- sys/sys/ktls.h | 1 + tests/sys/kern/ktls_test.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 108 insertions(+), 3 deletions(-) diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c index 35009ad77722..5f7d061bfb55 100644 --- a/sys/kern/uipc_ktls.c +++ b/sys/kern/uipc_ktls.c @@ -2419,8 +2419,10 @@ tls13_find_record_type(struct ktls_session *tls, struct mbuf *m, int tls_len, * Check if a mbuf chain is fully decrypted at the given offset and * length. Returns KTLS_MBUF_CRYPTO_ST_DECRYPTED if all data is * decrypted. KTLS_MBUF_CRYPTO_ST_MIXED if there is a mix of encrypted - * and decrypted data. Else KTLS_MBUF_CRYPTO_ST_ENCRYPTED if all data - * is encrypted. + * and decrypted data. KTLS_MBUF_CRYPTO_ST_ENCRYPTED if all data is + * encrypted. KTLS_MBUF_CRYPTO_ST_SHAREDMBUF if any mbuf points at + * shared data that must not be modified in place (non-anonymous + * M_EXTPG or sendfile M_EXT buffers). */ ktls_mbuf_crypto_st_t ktls_mbuf_crypto_state(struct mbuf *mb, int offset, int len) @@ -2436,6 +2438,13 @@ ktls_mbuf_crypto_state(struct mbuf *mb, int offset, int len) offset += len; for (; mb != NULL; mb = mb->m_next) { + if ((mb->m_flags & M_EXTPG) != 0 && + (mb->m_epg_flags & EPG_FLAG_ANON) == 0) + return (KTLS_MBUF_CRYPTO_ST_SHAREDMBUF); + if ((mb->m_flags & M_EXT) != 0 && + mb->m_ext.ext_type == EXT_SFBUF) + return (KTLS_MBUF_CRYPTO_ST_SHAREDMBUF); + m_flags_ored |= mb->m_flags; m_flags_anded &= mb->m_flags; @@ -2636,9 +2645,11 @@ ktls_decrypt(struct socket *so) record_type = hdr->tls_type; } break; - default: + case KTLS_MBUF_CRYPTO_ST_SHAREDMBUF: error = EINVAL; break; + default: + __assert_unreachable(); } if (error) { counter_u64_add(ktls_offload_failed_crypto, 1); diff --git a/sys/sys/ktls.h b/sys/sys/ktls.h index 6c7e7d3c5ee3..fc9c0316654e 100644 --- a/sys/sys/ktls.h +++ b/sys/sys/ktls.h @@ -241,6 +241,7 @@ typedef enum { KTLS_MBUF_CRYPTO_ST_MIXED = 0, KTLS_MBUF_CRYPTO_ST_ENCRYPTED = 1, KTLS_MBUF_CRYPTO_ST_DECRYPTED = -1, + KTLS_MBUF_CRYPTO_ST_SHAREDMBUF = -2, } ktls_mbuf_crypto_st_t; void ktls_check_rx(struct sockbuf *sb); diff --git a/tests/sys/kern/ktls_test.c b/tests/sys/kern/ktls_test.c index 72497196b945..3970083e7f72 100644 --- a/tests/sys/kern/ktls_test.c +++ b/tests/sys/kern/ktls_test.c @@ -30,6 +30,7 @@ #include #include #include +#include #include #include #include @@ -2817,6 +2818,97 @@ ATF_TC_BODY(ktls_listening_socket, tc) ATF_REQUIRE(close(s) == 0); } +/* + * Verify that the KTLS receive path does not overwrite data belonging + * to a file whose payload is transmitted over a loopback connection + * via plain sendfile. + */ +ATF_TC_WITHOUT_HEAD(ktls_receive_loopback_sendfile); +ATF_TC_BODY(ktls_receive_loopback_sendfile, tc) +{ + struct tls_enable en; + struct msghdr msg; + struct sf_hdtr hdtr; + struct iovec iov[2]; + uint64_t seqno; + off_t sbytes; + char cbuf[CMSG_SPACE(sizeof(struct tls_get_record))]; + char *plaintext, *ciphertext, *outbuf; + void *p; + const size_t payload_len = PAGE_SIZE; + ssize_t rv; + size_t len; + int mode, shm, sockets[2]; + socklen_t slen; + + ATF_REQUIRE_KTLS(); + seqno = random(); + build_tls_enable(tc, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, + TLS_MINOR_VER_TWO, seqno, &en); + + len = tls_header_len(&en) + payload_len + tls_trailer_len(&en); + plaintext = alloc_buffer(payload_len); + ciphertext = malloc(len); + ATF_REQUIRE_INTEQ(len, encrypt_tls_record(tc, &en, TLS_RLTYPE_APP, + seqno, plaintext, payload_len, ciphertext, len, 0)); + + ATF_REQUIRE((shm = shm_open(SHM_ANON, O_RDWR, 0600)) > 0); + ATF_REQUIRE_INTEQ(0, ftruncate(shm, payload_len)); + ATF_REQUIRE((p = mmap(NULL, payload_len, PROT_READ | PROT_WRITE, + MAP_SHARED, shm, 0)) != MAP_FAILED); + memcpy(p, ciphertext + tls_header_len(&en), payload_len); + + ATF_REQUIRE_MSG(socketpair_tcp(sockets), "failed to create sockets"); + ATF_REQUIRE(setsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_ENABLE, &en, + sizeof(en)) == 0); + slen = sizeof(mode); + ATF_REQUIRE_INTEQ(0, getsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_MODE, + &mode, &slen)); + ATF_REQUIRE_INTEQ(TCP_TLS_MODE_SW, mode); + + fd_set_blocking(sockets[0]); + fd_set_blocking(sockets[1]); + + iov[0].iov_base = ciphertext; + iov[0].iov_len = tls_header_len(&en); + iov[1].iov_base = ciphertext + tls_header_len(&en) + payload_len; + iov[1].iov_len = tls_trailer_len(&en); + hdtr.headers = iov; + hdtr.hdr_cnt = 1; + hdtr.trailers = iov + 1; + hdtr.trl_cnt = 1; + debug_hexdump(tc, p, payload_len, "shm buffer before"); + ATF_REQUIRE_INTEQ(0, sendfile(shm, sockets[1], 0, payload_len, &hdtr, + &sbytes, 0)); + ATF_REQUIRE_INTEQ(sbytes, len); + + outbuf = calloc(payload_len, 1); + + memset(&msg, 0, sizeof(msg)); + + msg.msg_control = cbuf; + msg.msg_controllen = sizeof(cbuf); + + iov[0].iov_base = outbuf; + iov[0].iov_len = payload_len; + msg.msg_iov = iov; + msg.msg_iovlen = 1; + + rv = recvmsg(sockets[0], &msg, 0); + if (rv >= 0) { + ATF_REQUIRE_INTEQ(payload_len, rv); + ATF_REQUIRE_INTEQ(0, memcmp(outbuf, plaintext, payload_len)); + } else + ATF_REQUIRE_ERRNO(EBADMSG, true); + + debug_hexdump(tc, p, payload_len, "shm buffer after"); + ATF_REQUIRE_INTEQ(0, memcmp(p, ciphertext + tls_header_len(&en), + payload_len)); + + close_sockets_ignore_errors(sockets); + (void)close(shm); +} + ATF_TP_ADD_TCS(tp) { /* Transmit tests */ @@ -2843,6 +2935,7 @@ ATF_TP_ADD_TCS(tp) /* Miscellaneous */ ATF_TP_ADD_TC(tp, ktls_sendto_baddst); ATF_TP_ADD_TC(tp, ktls_listening_socket); + ATF_TP_ADD_TC(tp, ktls_receive_loopback_sendfile); return (atf_no_error()); } From nobody Tue Jun 9 19:17:31 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdvv55g1z6gV38 for ; Tue, 09 Jun 2026 19:17:31 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdvv1Xvmz3LbC for ; Tue, 09 Jun 2026 19:17:31 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032651; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=QnfMywaxd/XHxjs5Y216yHTVGxiQBfVWZclq7hiZG48=; b=SaN6sxL+x0RLiCC+DVOM4i9C0uy0dAQMjxtVczTZKh1o6HNnJNnHCyrk8hGe51yvCIC/9d yW22oLYBmtfsTQ7QOX5gKc3ivYSTN4tztwHDbltF1M/seEnLF2fJPgvwDBRa/s63uMpJ+n F7V0mKl83S1ZgOD2rsbKgOMbGW1CG2Cl27LacA/30FDPD+7WyQYMyyad1erVl5RnEcLBXZ 6b9VSwie2ZmfSwZX0qRJeNwShtYdavZ0WTxPaClF4XvuAVV/D1bWPFSMQ+KYQ+O4ScLreJ beOvxZUbvpLmTpg/vS6ql4CEpMuFFWCCNa5Y39H8GOtmQ6aQf6GzBnai+Knaxg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032651; a=rsa-sha256; cv=none; b=GBmyDUkIeOmsSLjHyYiqK/v1KkPOlGdRKlF5ijGtTVFDMXQNoculBCWvsYYjQwFZ52f4Ba eYpSK4n28F0b7CqaYz7eXOyrKTIf/lqpejg72xEjbwp6xUnhdXWSZQH45qa2WK6OLNLTfu edB7Y/tYsF3NOVZtxtErs73OyYbT+592VSPgLlo+LJ05Kh1dAc1sNjVkGxXvUopY8VFrH2 Rv9lveBCsr1d0BZipWeARKQ45qF8bfpCwHqMbXXoVZ5tmrHhqq5AYjdDVivmN/GYoQb8DL IoHhtjboEs2qcM4f5+GJeGjvBBOoxgy2PqxnOs0N3+QmXUlOOcX2A1AC3gS3gg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032651; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=QnfMywaxd/XHxjs5Y216yHTVGxiQBfVWZclq7hiZG48=; b=XBWSmXIkgYc6C60yj4HVEC4WbO3ab7MdlxFOK6Tz//Birg1uxNAYsbKOS3rPEfUXzqtGZY yJAC1ry/xBS5PB14Pa2iUeH/LKDQNaRyOblGHBBVcJYuvXmrG1tD3usb9WYk1RF1RhF8cf BpLdrdt1Sh0+dv9ZF+79rFtrdMMzmH3lJiMmVmTvKNaimcyFRYg3gkclf2qscKq23NFSSz 8AG2ERXshWK+/x+alzTbr5SUrXTOi+jRHt8fyNb+sbOJEON/Hnar8J6ZTrfPuMSPAi8ZLE Gsl8AeiNVvVfLxVibgozi2s8/8IB22cMDjjr6gkApe1/JhRXXfZEZLzh//WDSA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdvv13Tnznvm for ; Tue, 09 Jun 2026 19:17:31 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3d96c by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:17:31 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 7628e1ddfd52 - stable/15 - sound: Fix software buffer lifetime issues List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 7628e1ddfd529c13c5d23dfb32c67e5f6d6e4265 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:17:31 +0000 Message-Id: <6a2866cb.3d96c.19bd7087@gitrepo.freebsd.org> The branch stable/15 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=7628e1ddfd529c13c5d23dfb32c67e5f6d6e4265 commit 7628e1ddfd529c13c5d23dfb32c67e5f6d6e4265 Author: Mark Johnston AuthorDate: 2026-06-01 21:57:40 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 19:15:24 +0000 sound: Fix software buffer lifetime issues The channel buffer mapped by dsp_mmap_single() may be freed when the device handle is closed, but the mapping persists beyond that, allowing userspace to read or write memory owned by a different consumer. Fix the problem by adding a reference counter to the sound buffer. Define pager ops for the VM object returned by dsp_mmap_single() and use them to manage the extra reference. Add a regression test. Approved by: so Security: FreeBSD-SA-26:27.sound Security: CVE-2026-49417 Reported by: Lexpl0it, 75Acol, Liyw979, Rob1n Reviewed by kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57393 --- sys/dev/sound/pcm/buffer.c | 38 ++++++++++++++++++-- sys/dev/sound/pcm/buffer.h | 4 +++ sys/dev/sound/pcm/dsp.c | 89 ++++++++++++++++++++++++++++++++++++++-------- tests/sys/sound/mmap.c | 60 +++++++++++++++++++++++++++++++ 4 files changed, 175 insertions(+), 16 deletions(-) diff --git a/sys/dev/sound/pcm/buffer.c b/sys/dev/sound/pcm/buffer.c index 0c574ae2908c..86278a46a731 100644 --- a/sys/dev/sound/pcm/buffer.c +++ b/sys/dev/sound/pcm/buffer.c @@ -36,6 +36,7 @@ #include "opt_snd.h" #endif +#include #include #include "feeder_if.h" @@ -50,6 +51,7 @@ sndbuf_create(struct pcm_channel *channel, const char *desc) struct snd_dbuf *b; b = malloc(sizeof(*b), M_DEVBUF, M_WAITOK | M_ZERO); + refcount_init(&b->refcount, 1); snprintf(b->name, SNDBUF_NAMELEN, "%s:%s", channel->name, desc); b->channel = channel; @@ -59,8 +61,30 @@ sndbuf_create(struct pcm_channel *channel, const char *desc) void sndbuf_destroy(struct snd_dbuf *b) { - sndbuf_free(b); - free(b, M_DEVBUF); + b->flags |= SNDBUF_F_DETACHED; + sndbuf_rele(b); +} + +void +sndbuf_ref(struct snd_dbuf *b) +{ + unsigned int count __diagused; + + CHN_LOCK(b->channel); + count = refcount_acquire(&b->refcount); + KASSERT(count > 0, ("sndbuf %p refcount 0", b)); + CHN_UNLOCK(b->channel); +} + +void +sndbuf_rele(struct snd_dbuf *b) +{ + if (refcount_release(&b->refcount)) { + sndbuf_free(b); + KASSERT(refcount_load(&b->refcount) == 0, + ("sndbuf %p still referenced", b)); + free(b, M_DEVBUF); + } } static void @@ -177,6 +201,11 @@ sndbuf_resize(struct snd_dbuf *b, unsigned int blkcnt, unsigned int blksz) if (bufsize > b->allocsize || bufsize < (b->allocsize >> SNDBUF_CACHE_SHIFT)) { + if (refcount_load(&b->refcount) > 1 || + (b->flags & SNDBUF_F_DETACHED) != 0) { + CHN_UNLOCK(b->channel); + return (EBUSY); + } allocsize = round_page(bufsize); CHN_UNLOCK(b->channel); tmpbuf = malloc(allocsize, M_DEVBUF, M_WAITOK); @@ -211,10 +240,15 @@ sndbuf_remalloc(struct snd_dbuf *b, unsigned int blkcnt, unsigned int blksz) if (blkcnt < 2 || blksz < 16) return EINVAL; + CHN_LOCKASSERT(b->channel); + bufsize = blksz * blkcnt; if (bufsize > b->allocsize || bufsize < (b->allocsize >> SNDBUF_CACHE_SHIFT)) { + if (refcount_load(&b->refcount) > 1 || + (b->flags & SNDBUF_F_DETACHED) != 0) + return (EBUSY); allocsize = round_page(bufsize); CHN_UNLOCK(b->channel); buf = malloc(allocsize, M_DEVBUF, M_WAITOK); diff --git a/sys/dev/sound/pcm/buffer.h b/sys/dev/sound/pcm/buffer.h index 371ba2dd94ce..fee41db2ff82 100644 --- a/sys/dev/sound/pcm/buffer.h +++ b/sys/dev/sound/pcm/buffer.h @@ -31,6 +31,7 @@ */ #define SNDBUF_F_MANAGED 0x00000001 +#define SNDBUF_F_DETACHED 0x00000002 #define SNDBUF_NAMELEN 48 @@ -53,6 +54,7 @@ struct snd_dbuf { bus_dma_tag_t dmatag; bus_addr_t buf_addr; int dmaflags; + unsigned int refcount; struct selinfo sel; struct pcm_channel *channel; char name[SNDBUF_NAMELEN]; @@ -60,6 +62,8 @@ struct snd_dbuf { struct snd_dbuf *sndbuf_create(struct pcm_channel *channel, const char *desc); void sndbuf_destroy(struct snd_dbuf *b); +void sndbuf_ref(struct snd_dbuf *b); +void sndbuf_rele(struct snd_dbuf *b); int sndbuf_alloc(struct snd_dbuf *b, bus_dma_tag_t dmatag, int dmaflags, unsigned int size); int sndbuf_setup(struct snd_dbuf *b, void *buf, unsigned int size); diff --git a/sys/dev/sound/pcm/dsp.c b/sys/dev/sound/pcm/dsp.c index a37fe842ba76..7e4b4ae2df24 100644 --- a/sys/dev/sound/pcm/dsp.c +++ b/sys/dev/sound/pcm/dsp.c @@ -77,7 +77,6 @@ static d_read_t dsp_read; static d_write_t dsp_write; static d_ioctl_t dsp_ioctl; static d_poll_t dsp_poll; -static d_mmap_t dsp_mmap; static d_mmap_single_t dsp_mmap_single; static d_kqfilter_t dsp_kqfilter; @@ -89,7 +88,6 @@ struct cdevsw dsp_cdevsw = { .d_ioctl = dsp_ioctl, .d_poll = dsp_poll, .d_kqfilter = dsp_kqfilter, - .d_mmap = dsp_mmap, .d_mmap_single = dsp_mmap_single, .d_name = "dsp", }; @@ -1898,23 +1896,81 @@ dsp_poll(struct cdev *i_dev, int events, struct thread *td) return (ret); } +struct dsp_mmap_handle { + struct cdev *cdev; + struct snd_dbuf *buf; +}; + static int -dsp_mmap(struct cdev *i_dev, vm_ooffset_t offset, vm_paddr_t *paddr, - int nprot, vm_memattr_t *memattr) +dsp_dev_pager_ctor(void *handle, vm_ooffset_t size, vm_prot_t prot, + vm_ooffset_t foff, struct ucred *cred, u_short *color) { + struct dsp_mmap_handle *h = handle; - /* - * offset is in range due to checks in dsp_mmap_single(). - * XXX memattr is not honored. - */ - *paddr = vtophys(offset); + dev_ref(h->cdev); + sndbuf_ref(h->buf); return (0); } +static void +dsp_dev_pager_dtor(void *handle) +{ + struct dsp_mmap_handle *h = handle; + + sndbuf_rele(h->buf); + dev_rel(h->cdev); + free(h, M_DEVBUF); +} + +static int +dsp_dev_pager_fault(vm_object_t object, vm_ooffset_t offset, int prot, + vm_page_t *mres) +{ + struct dsp_mmap_handle *h = object->handle; + vm_page_t m; + uintptr_t addr; + vm_paddr_t paddr; + + addr = (uintptr_t)offset; + if (addr < (uintptr_t)h->buf->buf || + addr >= (uintptr_t)h->buf->buf + h->buf->allocsize) + return (VM_PAGER_ERROR); + paddr = vtophys((void *)addr); + + if (((*mres)->flags & PG_FICTITIOUS) != 0) { + m = *mres; + vm_page_updatefake(m, paddr, object->memattr); + } else { + VM_OBJECT_WUNLOCK(object); + m = vm_page_getfake(paddr, object->memattr); + VM_OBJECT_WLOCK(object); + vm_page_replace(m, object, (*mres)->pindex, *mres); + *mres = m; + } + m->valid = VM_PAGE_BITS_ALL; + return (VM_PAGER_OK); +} + +static void +dsp_dev_pager_path(void *handle, char *path, size_t len) +{ + struct dsp_mmap_handle *h = handle; + + dev_copyname(h->cdev, path, len); +} + +static const struct cdev_pager_ops dsp_dev_pager_ops = { + .cdev_pg_ctor = dsp_dev_pager_ctor, + .cdev_pg_dtor = dsp_dev_pager_dtor, + .cdev_pg_fault = dsp_dev_pager_fault, + .cdev_pg_path = dsp_dev_pager_path, +}; + static int -dsp_mmap_single(struct cdev *i_dev, vm_ooffset_t *offset, +dsp_mmap_single(struct cdev *cdev, vm_ooffset_t *offset, vm_size_t size, struct vm_object **object, int nprot) { + struct dsp_mmap_handle *handle; struct dsp_cdevpriv *priv; struct snddev_info *d; struct pcm_channel *wrch, *rdch, *c; @@ -1968,13 +2024,18 @@ dsp_mmap_single(struct cdev *i_dev, vm_ooffset_t *offset, *offset = (uintptr_t)sndbuf_getbufofs(c->bufsoft, *offset); dsp_unlock_chans(priv, FREAD | FWRITE); - *object = vm_pager_allocate(OBJT_DEVICE, i_dev, - size, nprot, *offset, curthread->td_ucred); + handle = malloc(sizeof(*handle), M_DEVBUF, M_WAITOK); + handle->cdev = cdev; + handle->buf = c->bufsoft; + *object = cdev_pager_allocate(handle, OBJT_DEVICE, &dsp_dev_pager_ops, + size, nprot, *offset, curthread->td_ucred); PCM_GIANT_LEAVE(d); + if (*object == NULL) { + free(handle, M_DEVBUF); + return (EINVAL); + } - if (*object == NULL) - return (EINVAL); return (0); } diff --git a/tests/sys/sound/mmap.c b/tests/sys/sound/mmap.c index 53594b7cc962..b44b16e7f312 100644 --- a/tests/sys/sound/mmap.c +++ b/tests/sys/sound/mmap.c @@ -4,12 +4,14 @@ * Copyright (c) 2026 The FreeBSD Foundation */ +#include #include #include #include #include #include +#include #include #define FMT_ERR(s) s ": %s", strerror(errno) @@ -43,9 +45,67 @@ ATF_TC_BODY(mmap_offset_overflow, tc) close(fd); } +/* + * Verify that a MAP_SHARED mapping of a DSP device's software buffer remains + * valid after the file descriptor is closed. + */ +ATF_TC(mmap_buffer_lifetime); +ATF_TC_HEAD(mmap_buffer_lifetime, tc) +{ + atf_tc_set_md_var(tc, "descr", "mmap data survives close()"); + atf_tc_set_md_var(tc, "require.kmods", "snd_dummy"); +} +ATF_TC_BODY(mmap_buffer_lifetime, tc) +{ + audio_buf_info abi; + uint8_t *buf; + size_t len; + int fd, arg; + + fd = open("/dev/dsp.dummy", O_RDWR); + ATF_REQUIRE_MSG(fd >= 0, FMT_ERR("open")); + + arg = (2 << 16) | 14; /* 2*16KB */ + ATF_REQUIRE_MSG(ioctl(fd, SNDCTL_DSP_SETFRAGMENT, &arg) == 0, + FMT_ERR("SNDCTL_DSP_SETFRAGMENT")); + ATF_REQUIRE_MSG(ioctl(fd, SNDCTL_DSP_GETOSPACE, &abi) == 0, + FMT_ERR("SNDCTL_DSP_GETOSPACE")); + + len = abi.bytes; + ATF_REQUIRE_MSG(len >= PAGE_SIZE, "buffer too small: %zu", len); + + buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); + ATF_REQUIRE_MSG(buf != MAP_FAILED, FMT_ERR("mmap")); + + for (size_t i = 0; i < len; i++) { + ATF_REQUIRE_MSG(buf[i] == 0, + "mmap data corrupted at offset %zu: want 0 got 0x%02x", + i, buf[i]); + } + + memset(buf, 0xa5, len); + for (size_t i = 0; i < len; i++) { + ATF_REQUIRE_MSG(buf[i] == 0xa5, + "mmap data corrupted at offset %zu: want 0xa5 got 0x%02x", + i, buf[i]); + } + + ATF_REQUIRE(close(fd) == 0); + + /* Closing the device causes the buffer to be reset. */ + for (size_t i = 0; i < len; i++) { + ATF_REQUIRE_MSG(buf[i] == 0 || buf[i] == 0xa5, + "mmap data corrupted at offset %zu: got 0x%02x", i, buf[i]); + } + memset(buf, 0xa5, len); + + ATF_REQUIRE(munmap(buf, len) == 0); +} + ATF_TP_ADD_TCS(tp) { ATF_TP_ADD_TC(tp, mmap_offset_overflow); + ATF_TP_ADD_TC(tp, mmap_buffer_lifetime); return (atf_no_error()); } From nobody Tue Jun 9 19:17:32 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdvx1Nn2z6gTrm for ; Tue, 09 Jun 2026 19:17:33 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdvw2DzMz3LbP for ; Tue, 09 Jun 2026 19:17:32 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032652; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=TSCgFtBAPAQpUR2ZL4VM597WefYXLfNujq1VeaWiPfc=; b=UuaMJjOlrFOnIRi0OzsCluwZaRYkVDDw8yOyGRiYMjopbtERrSgn6lbZJICCQoQO1xfkJL 4At8be4AtFabLCDzUAXy1/wMvuRM1DqpFjJv2217oEgycbqX7c0NVCfIAFQSmpRamCyP/f 48tsS3WxeiqWh8boaYHj0XKNAN+m/gMFk1A8QZu+jpn8fosHo3ywTTdLEtJy/+pI6EVCyW 2ldZuTA8nbqufBXOOM0sZvs/fJjvEIzSw6KnOnvoN0KAO1XqoBXds3evgSMr2kjAhk23lR GgRbV5Anxk822BLOv0XQLzjUj0eEoOOU0SNsAY4Wj4BHwVGL6CO/ouWEL5+r+w== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032652; a=rsa-sha256; cv=none; b=Etife7KLCX621G9PXKnOBF7ERBSBmJMcLhBueGHWnKhHAm95pGQhgdaHquBmESvSDleV/b sKhehH8AUjDGmacXZsVh4PWxJp0+wb17jjRT0v99ApRyF9Vi5lJOJPOiP1MsuI+FEfL7m9 uBltxcUjSFlgODDUCSQ73E3XzXAtpc+K8uPYSKdZ+g8ciw+tZFjmtuObrCMzhm49zCotRR HFj+8WeMJOcL9sluDq4YUC6NjwXfbZELrKsc+kY57A2N1Q75QZtwa5Y874n1bE77hg/cjZ l7v/nEbjsahlf3hCtwAQtRI965maERwQGosxVLHoxIJ+7+Bt7NkJGtTxFaupTw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032652; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=TSCgFtBAPAQpUR2ZL4VM597WefYXLfNujq1VeaWiPfc=; b=HDZNWWI9jipqCxh0uQ9nBkibEXzVUbcA49KYwnPce09kihg/9p9n297i9CAg0/sLBaYLRl PMiFoOg4Zr3OgsGC1A+X2OSqgubtVJcWe8v7ZSzLd6ZAeJZnM4F5M7WQekUk5V1pLy9o5p VQ1wKC+jCyGS3CPiYzK/es+Rn0dns5NjuexOVQTgq6EKbueVllACSisIoo98etUpPpQiLO Xq4dQpL0HFjD8YSA5XG6+SpTs0KSp2sMZDzTaNG+lDSdFyqEqwLBm2Yn9/oD3M1ArZmngT H7P7iNU4p0c3N2wnFHb03m1aPpge1PqvoIdp1gBM8l3Cm+/8t8+RDrHAxzFjaQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdvw1jKjznr9 for ; Tue, 09 Jun 2026 19:17:32 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3eb1d by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:17:32 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: ce2b95932ec2 - stable/15 - in6_mcast: Fix a race in in6p_set_source_filter() List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: ce2b95932ec2b2196c608b095586a9b1332472d1 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:17:32 +0000 Message-Id: <6a2866cc.3eb1d.3fa3d8c6@gitrepo.freebsd.org> The branch stable/15 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=ce2b95932ec2b2196c608b095586a9b1332472d1 commit ce2b95932ec2b2196c608b095586a9b1332472d1 Author: Mark Johnston AuthorDate: 2026-05-29 20:12:24 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 19:15:24 +0000 in6_mcast: Fix a race in in6p_set_source_filter() We drop the inpcb lock in order to copy in the source list, but this leaves a window where the multicast filter structure might be freed. This can be exploited to obtain root privileges. In the v4 code this race is mitigated by holding the global multicast lock across the gap. Restructure the code to copy in filters before doing anything else, so that there's no need to drop the inpcb lock and reason about the correctness of doing so. Do the same in the v4 code for consistency. Approved by: so Security: FreeBSD-SA-26:29.ip6_multicast Security: CVE-2026-49412 Reported by: Andrew Griffiths Reported by: Maik Münch Reviewed by: glebius Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57347 --- sys/netinet/in_mcast.c | 40 +++++++++++++++++----------------------- sys/netinet6/in6_mcast.c | 41 +++++++++++++++++++---------------------- 2 files changed, 36 insertions(+), 45 deletions(-) diff --git a/sys/netinet/in_mcast.c b/sys/netinet/in_mcast.c index 3206828aacff..b5636c29daeb 100644 --- a/sys/netinet/in_mcast.c +++ b/sys/netinet/in_mcast.c @@ -2524,6 +2524,7 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) { struct epoch_tracker et; struct __msfilterreq msfr; + struct sockaddr_storage *kss; sockunion_t *gsa; struct ifnet *ifp; struct in_mfilter *imf; @@ -2536,9 +2537,6 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (error) return (error); - if (msfr.msfr_nsrcs > in_mcast_maxsocksrc) - return (ENOBUFS); - if ((msfr.msfr_fmode != MCAST_EXCLUDE && msfr.msfr_fmode != MCAST_INCLUDE)) return (EINVAL); @@ -2551,13 +2549,24 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (!IN_MULTICAST(ntohl(gsa->sin.sin_addr.s_addr))) return (EINVAL); + if (msfr.msfr_nsrcs > in_mcast_maxsocksrc) + return (ENOBUFS); + kss = mallocarray(msfr.msfr_nsrcs, sizeof(struct sockaddr_storage), + M_TEMP, M_WAITOK); + error = copyin(msfr.msfr_srcs, kss, + sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs); + if (error) + goto out_inp_unlocked; + gsa->sin.sin_port = 0; /* ignore port */ NET_EPOCH_ENTER(et); ifp = ifnet_byindex(msfr.msfr_ifindex); NET_EPOCH_EXIT(et); /* XXXGL: unsafe ifp */ - if (ifp == NULL) - return (EADDRNOTAVAIL); + if (ifp == NULL) { + error = EADDRNOTAVAIL; + goto out_inp_unlocked; + } IN_MULTI_LOCK(); @@ -2589,25 +2598,9 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (msfr.msfr_nsrcs > 0) { struct in_msource *lims; struct sockaddr_in *psin; - struct sockaddr_storage *kss, *pkss; + struct sockaddr_storage *pkss; int i; - INP_WUNLOCK(inp); - - CTR2(KTR_IGMPV3, "%s: loading %lu source list entries", - __func__, (unsigned long)msfr.msfr_nsrcs); - kss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, - M_TEMP, M_WAITOK); - error = copyin(msfr.msfr_srcs, kss, - sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs); - if (error) { - IN_MULTI_UNLOCK(); - free(kss, M_TEMP); - return (error); - } - - INP_WLOCK(inp); - /* * Mark all source filters as UNDEFINED at t1. * Restore new group filter mode, as imf_leave() @@ -2642,7 +2635,6 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) break; lims->imsl_st[1] = imf->imf_st[1]; } - free(kss, M_TEMP); } if (error) @@ -2679,6 +2671,8 @@ out_imf_rollback: out_inp_locked: INP_WUNLOCK(inp); IN_MULTI_UNLOCK(); +out_inp_unlocked: + free(kss, M_TEMP); return (error); } diff --git a/sys/netinet6/in6_mcast.c b/sys/netinet6/in6_mcast.c index a6186568ecb2..4ec9f36cd9ac 100644 --- a/sys/netinet6/in6_mcast.c +++ b/sys/netinet6/in6_mcast.c @@ -2489,6 +2489,7 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) { struct __msfilterreq msfr; struct epoch_tracker et; + struct sockaddr_storage *kss; sockunion_t *gsa; struct ifnet *ifp; struct in6_mfilter *imf; @@ -2501,9 +2502,6 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (error) return (error); - if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc) - return (ENOBUFS); - if (msfr.msfr_fmode != MCAST_EXCLUDE && msfr.msfr_fmode != MCAST_INCLUDE) return (EINVAL); @@ -2516,19 +2514,31 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (!IN6_IS_ADDR_MULTICAST(&gsa->sin6.sin6_addr)) return (EINVAL); + if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc) + return (ENOBUFS); + kss = mallocarray(msfr.msfr_nsrcs, sizeof(struct sockaddr_storage), + M_TEMP, M_WAITOK); + error = copyin(msfr.msfr_srcs, kss, + sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs); + if (error) + goto out_in6p_unlocked; + gsa->sin6.sin6_port = 0; /* ignore port */ NET_EPOCH_ENTER(et); ifp = ifnet_byindex(msfr.msfr_ifindex); NET_EPOCH_EXIT(et); - if (ifp == NULL) - return (EADDRNOTAVAIL); + if (ifp == NULL) { + error = EADDRNOTAVAIL; + goto out_in6p_unlocked; + } (void)in6_setscope(&gsa->sin6.sin6_addr, ifp, NULL); /* * Take the INP write lock. * Check if this socket is a member of this group. */ + IN6_MULTI_LOCK(); imo = in6p_findmoptions(inp); imf = im6o_match_group(imo, ifp, &gsa->sa); if (imf == NULL) { @@ -2553,24 +2563,9 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (msfr.msfr_nsrcs > 0) { struct in6_msource *lims; struct sockaddr_in6 *psin; - struct sockaddr_storage *kss, *pkss; + struct sockaddr_storage *pkss; int i; - INP_WUNLOCK(inp); - - CTR2(KTR_MLD, "%s: loading %lu source list entries", - __func__, (unsigned long)msfr.msfr_nsrcs); - kss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, - M_TEMP, M_WAITOK); - error = copyin(msfr.msfr_srcs, kss, - sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs); - if (error) { - free(kss, M_TEMP); - return (error); - } - - INP_WLOCK(inp); - /* * Mark all source filters as UNDEFINED at t1. * Restore new group filter mode, as im6f_leave() @@ -2615,7 +2610,6 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) break; lims->im6sl_st[1] = imf->im6f_st[1]; } - free(kss, M_TEMP); } if (error) @@ -2650,6 +2644,9 @@ out_im6f_rollback: out_in6p_locked: INP_WUNLOCK(inp); + IN6_MULTI_UNLOCK(); +out_in6p_unlocked: + free(kss, M_TEMP); return (error); } From nobody Tue Jun 9 19:17:33 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdvy1rCvz6gV5Q for ; Tue, 09 Jun 2026 19:17:34 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdvx4MQLz3LN4 for ; Tue, 09 Jun 2026 19:17:33 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032653; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=cDmL4q+PNmWxCb3i7zPY+LpNC2NSIxKEB9dLDR7iX5U=; b=Rs/2iFPKoR0NBkGFAyjn89SIBOrqcDrDzbRZb1q0C5Oz3FPjrmZbjw9auAoX+JWhcp/J28 SH2t89NVk2amm1SC/kZmy26I7geLiArhZhACSM0ULGtJhXKcu5r5rlUKEZ81bFc73sm42g KeitRRF7OpPs0Z36SyqQi7heZ7Va7fdWXhEPe1MROTRkGq1cqts2oZiqdDIjWJhCIJ7Y92 gFAv1GCZtOtc2NK2WmFQPvpE0m4/pxZT8ezk8af2oqR011t1YtaVAhS0J221S1tc8dq7SC EOpAzqn4V5kGiUD1cn3oQTFSlainiDX2AkB6SvU9MQ0IKcvqAb9WydWmuRQ+tg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032653; a=rsa-sha256; cv=none; b=qhOg4vmFmIxsSb3qvk3dP1k18sRRyfazpE3JLNq12jEupTG6jjOm9Lanc4cG0N8w25p16h uVuyLJqjg0s3s1VYpb4xejnTbapLpOv6tuOREey+CEivcAzEi+i+ER1448JSgFmbsr4wcq W/wEKTvE0ipuhmAskwOUKpfFnyVchPNACRjdkXwuxYugDhzoDF39BuW0mra+y8MI7xcXkP VCQCF20Ox7sKM2+YMtBXl0I2L/KFJci5DRLdv/ldpSZe6jYd9FzlIKo+pZJ+pVRJ9IMYWG Ij9DC8jwyBzBuAH29U3uIa8t9MdvcgmLnRbv8aEde/5FnFgcGL8tqIJE9T9EfA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032653; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=cDmL4q+PNmWxCb3i7zPY+LpNC2NSIxKEB9dLDR7iX5U=; b=Q+svQnYt7Ad50sPSQj9QrHLK/qDaTaVYhTRw3BjhcV9T8IulL/c9xE9uKval8cM+Fr9hoT EfoJYCyn/j+EKLkpo1x5YRrYqhv0WKcv0EXoyb5Lvh+WqyE5rg+3SLKnBSiFQJZJGubGSs SePy29nzPatcuU6BT8B1FNcoJscT1Gf2I+d/tTC0Govlz9fcBHoTwkqzvXo4YXAXCpHpKC GzfFCf5lJpPdkZOSiKEaDs3rRz1U5akwxnuzjF9BIsYCB6FuCWuUfmdglPhX5rKBxc1QWw n+eqPsbj2u/3PTfXb1XQ4uG9Q2Wg9wi3fMjuJoYYjKvyphh0KgJdbIQz+7Z0bg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdvx2Jkpzn9V for ; Tue, 09 Jun 2026 19:17:33 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3cd76 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:17:33 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 3ac9726c4269 - stable/15 - linux: Correct the issetugid check in copyout_auxargs List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 3ac9726c42693822c538367fd80f45b606a59ddf Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:17:33 +0000 Message-Id: <6a2866cd.3cd76.55b07417@gitrepo.freebsd.org> The branch stable/15 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=3ac9726c42693822c538367fd80f45b606a59ddf commit 3ac9726c42693822c538367fd80f45b606a59ddf Author: Mark Johnston AuthorDate: 2026-05-29 21:41:35 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 19:15:24 +0000 linux: Correct the issetugid check in copyout_auxargs The runtime linker in glibc relies on the AT_SECURE auxv entry to know whether the executable is set-ugid, if so then various dangerous functionality such as LD_PRELOAD is disabled. The check added in commit 669414e4fb74 failed to take into account the fact that during execve, P_SUGID may not yet be set for a set-ugid process. Correct the test. Approved by: so Security: FreeBSD-SA-26:30.linux Security: CVE-2026-49413 Reported by: Minseong Kim Fixes: 669414e4fb74 ("Implement AT_SECURE properly.") Reviewed by: kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57350 --- sys/compat/linux/linux_elf.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/sys/compat/linux/linux_elf.c b/sys/compat/linux/linux_elf.c index c9eb6aea8373..6c9f785c97e7 100644 --- a/sys/compat/linux/linux_elf.c +++ b/sys/compat/linux/linux_elf.c @@ -492,11 +492,9 @@ __linuxN(copyout_auxargs)(struct image_params *imgp, uintptr_t base) struct thread *td = curthread; Elf_Auxargs *args; Elf_Auxinfo *aarray, *pos; - struct proc *p; int error, issetugid; - p = imgp->proc; - issetugid = p->p_flag & P_SUGID ? 1 : 0; + issetugid = imgp->credential_setid ? 1 : 0; args = imgp->auxargs; aarray = pos = malloc(LINUX_AT_COUNT * sizeof(*pos), M_TEMP, M_WAITOK | M_ZERO); From nobody Tue Jun 9 19:17:34 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdvz1rZgz6gTlg for ; Tue, 09 Jun 2026 19:17:35 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdvy3Qflz3LW8 for ; Tue, 09 Jun 2026 19:17:34 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032654; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=3A7LTvWozkDzAIHlcUCS3Lahl4OXX/29YtnXS4CDaEM=; b=QxBr3Z57aZu4ovxcSSvvvF9xTLxsnD56VrGLKjAIv8cv4X8UFjyjltUrLhDojqxgXJBvz5 mCRHsaBL7djqdSgAl5nSGLnhz+428ySukT3K0vErDjlqv20kxUeyDewDqXTzC8BfckSkxx FSMbtd+G4GaRLE/ASMx7YniGxtFxdH/zw0O3dagtMi9UsNws01mg+TnNRwO/zv7J09prAk hTKk0EhN/7BJ7mANLzUOHW0IDu/rZX5h4JJGqd2KVqRH3pnOu0fscSNxqb0adKJJxy19UR DF9UgDx3aJ6BR6qAycv3LIJuzEik2RUeby/CkcKumxMxxSggXKaeB/adL28H9g== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032654; a=rsa-sha256; cv=none; b=NBeLKX7+g9Wz/NFd92y1jZ/ndsCD8Fy9VyCn5snYJaE298WH4aiW/BNb3M27fAIcoG37Fu LoT0rgFTC7DUVHP2drxQJUNJI2JlpncS3MJauAgKY+JbPq6bTQkgWEDo9fbukqlJIOcrLZ kN1PUlt9rI+aNS97f8xMr0FY1BPrhMqrl6F15fBhY5boohjiJkRxHGWJiZGtolKh4reQ6a TNDVepY4WsYw9wsRz6t/UmEpj0tXtygA7O3JE0VythFnzT7eVtWHBNScGSP5godzDgJQ8G 7vrOi+Zw1T5RbH6CQk7/inMDaCxFSi4IXqjNB0E6ctTosK1iZBt6OiRCs3XgHA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032654; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=3A7LTvWozkDzAIHlcUCS3Lahl4OXX/29YtnXS4CDaEM=; b=YY3TUfD7Q/gSh35vOSWFn+MgEkEFFJuP8gtiMCddsFRyTykBY5rugcDdclTl41LQObHzae 1pEAps4dQ6IiruQjK1Ez6hV74yIXjZ/P/fqef9GhxjTuVtmwCNn5qKrpkLtmkhi7nQ3/NB YAVNqdmK+gGSiJlsGmrHHWz6iF+1PWfb4jPFwArJ57N8UYpwJQJG2VxjQHsDN/P/bmhvj1 OFIWufFRNnXr4PvVkr46sxsZ+6GXQjlA6bhubnmSiv1E3iFe9NbXAzC0IYzg5U7Hlzp2Fq eAxg95sE3stGpX7fhYy5kXS9Gi8J4sSPVDCy9QhP1Ui53G2d2397dA+coH1azQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdvy2kDLzn9W for ; Tue, 09 Jun 2026 19:17:34 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3cd7a by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:17:34 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Andrew Turner From: Mark Johnston Subject: git: 9d9d6c6e6081 - stable/15 - arm64: Workaround the following errata List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 9d9d6c6e608166a9385422c904b585007379f9ce Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:17:34 +0000 Message-Id: <6a2866ce.3cd7a.4e209bcb@gitrepo.freebsd.org> The branch stable/15 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=9d9d6c6e608166a9385422c904b585007379f9ce commit 9d9d6c6e608166a9385422c904b585007379f9ce Author: Andrew Turner AuthorDate: 2026-05-28 09:25:30 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 19:15:24 +0000 arm64: Workaround the following errata - ARM C1-Premium erratum 4193780 - ARM C1-Ultra erratum 4193780 - ARM Cortex-A76 erratum 4193800 - ARM Cortex-A76AE erratum 4193801 - ARM Cortex-A77 erratum 4193798 - ARM Cortex-A78 erratum 4193791 - ARM Cortex-A78AE erratum 4193793 - ARM Cortex-A78C erratum 4193794 - ARM Cortex-A710 erratum 4193788 - ARM Cortex-X1 erratum 4193791 - ARM Cortex-X1C erratum 4193792 - ARM Cortex-X2 erratum 4193788 - ARM Cortex-X3 erratum 4193786 - ARM Cortex-X4 erratum 4118414 - ARM Cortex-X925 erratum 4193781 - ARM Neoverse-N1 erratum 4193800 - ARM Neoverse-N2 erratum 4193789 - ARM Neoverse-V1 erratum 4193790 - ARM Neoverse-V2 erratum 4193787 - ARM Neoverse-V3 erratum 4193784 - ARM Neoverse-V3AE erratum 4193784 These are all variants on an erratum where TLBI+DSB instructions on one CPU may incorrectly complete early leading to stores to an updated address using an incorrect translation on another CPU. In all cases the workaround is to add a second TLBI+DSB. Approved by: so Security: FreeBSD-SA-26:31.arm64 Security: CVE-2025-10263 Sponsored by: Arm Ltd --- sys/arm64/arm64/pmap.c | 60 ++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 51 insertions(+), 9 deletions(-) diff --git a/sys/arm64/arm64/pmap.c b/sys/arm64/arm64/pmap.c index aa0b0e829f7a..12ab8750c77a 100644 --- a/sys/arm64/arm64/pmap.c +++ b/sys/arm64/arm64/pmap.c @@ -1743,20 +1743,62 @@ static cpu_feat_en pmap_multiple_tlbi_check(const struct cpu_feat *feat __unused, u_int midr) { /* - * Cortex-A55 erratum 2441007 (Cat B rare) + * ARM C1-Premium erratum 4193780 + * ARM C1-Ultra erratum 4193780 + * ARM Cortex-A76 erratum 4193800 + * ARM Cortex-A76AE erratum 4193801 + * ARM Cortex-A77 erratum 4193798 + * ARM Cortex-A78 erratum 4193791 + * ARM Cortex-A78AE erratum 4193793 + * ARM Cortex-A78C erratum 4193794 + * ARM Cortex-A710 erratum 4193788 + * ARM Cortex-X1 erratum 4193791 + * ARM Cortex-X1C erratum 4193792 + * ARM Cortex-X2 erratum 4193788 + * ARM Cortex-X3 erratum 4193786 + * ARM Cortex-X4 erratum 4118414 + * ARM Cortex-X925 erratum 4193781 + * ARM Neoverse-N1 erratum 4193800 + * ARM Neoverse-N2 erratum 4193789 + * ARM Neoverse-V1 erratum 4193790 + * ARM Neoverse-V2 erratum 4193787 + * ARM Neoverse-V3 erratum 4193784 + * ARM Neoverse-V3AE erratum 4193784 * Present in all revisions */ - if (CPU_IMPL(midr) == CPU_IMPL_ARM && - CPU_PART(midr) == CPU_PART_CORTEX_A55) - return (FEAT_DEFAULT_DISABLE); + if (CPU_IMPL(midr) == CPU_IMPL_ARM) { + switch(CPU_PART(midr)) { + case CPU_PART_C1_PREMIUM: + case CPU_PART_C1_ULTRA: + case CPU_PART_CORTEX_A76: + case CPU_PART_CORTEX_A76AE: + case CPU_PART_CORTEX_A77: + case CPU_PART_CORTEX_A78: + case CPU_PART_CORTEX_A78AE: + case CPU_PART_CORTEX_A78C: + case CPU_PART_CORTEX_A710: + case CPU_PART_CORTEX_X1: + case CPU_PART_CORTEX_X1C: + case CPU_PART_CORTEX_X2: + case CPU_PART_CORTEX_X3: + case CPU_PART_CORTEX_X4: + case CPU_PART_CORTEX_X925: + case CPU_PART_NEOVERSE_N1: + case CPU_PART_NEOVERSE_N2: + case CPU_PART_NEOVERSE_V1: + case CPU_PART_NEOVERSE_V2: + case CPU_PART_NEOVERSE_V3: + case CPU_PART_NEOVERSE_V3AE: + return (FEAT_DEFAULT_ENABLE); + } + } /* - * Cortex-A76 erratum 1286807 (Cat B rare) - * Present in r0p0 - r3p0 - * Fixed in r3p1 + * Cortex-A55 erratum 2441007 (Cat B rare) + * Present in all revisions */ - if (midr_check_var_part_range(midr, CPU_IMPL_ARM, CPU_PART_CORTEX_A76, - 0, 0, 3, 0)) + if (CPU_IMPL(midr) == CPU_IMPL_ARM && + CPU_PART(midr) == CPU_PART_CORTEX_A55) return (FEAT_DEFAULT_DISABLE); /* From nobody Tue Jun 9 19:17:37 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdw21vVlz6gTxm for ; Tue, 09 Jun 2026 19:17:38 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdw14qTDz3Lh1 for ; Tue, 09 Jun 2026 19:17:37 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032657; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=TY+HykSouYlZggLD78WfhyYm5RKqNHCrpj1Mee6u+g8=; b=xV8mbXm+30A3t1r2VSy51rLgLl2yJGuCp0KM3CkDVem1WemAdOMW4/EDe5RY4StmLJ8CIH 5nHgFRpwUaY3r2X3t0BJQ9nGPsp1nms8cQY5AoHemwWgs5XfNucs9xo5Zudyqt/mTVulkq m/frUpp4zLs1hhDF2I1YTTC5zRhbLhl+dSt18heZ5cE82fR12dIzbLNRINDicrJFMpv3Tq +8VjFXoXj8mwY4k/74Yhm6d7i8+Emo2fen/H9pfoRqlbN6TvAmsnYxnu3oQBbQeJDic4LV 25fxm/IsjWoSkqFXadVjrqEv36nBedDRlWuALxjkl2fLFK9EdImXaRfV9/EQFg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032657; a=rsa-sha256; cv=none; b=iymL6GP+oCqiX9ZLowf33JafOhaxHlfNwOcNx39S/BkhHujoSJi9VdoCr+y76ikdgqHVHf /pXIGmwQGqIYN1WWFtKBzBH783j54YE2GB4yVSVrBfnXlrj/Hr44TYA5WraxfQArFiy/8w qpmzJt8DO0Ghg3II9NXGGdKC9nd2kGPjD0CdMrj/aLdgIHbcdtD+sulste4n86JQ2PQgw4 dTyVedDu1G08AXN0jmtWoiTiT0iMvhsUleswQ7LgYCZFXqmQXpYl1skva7Nx6F0KwgCE/m 02h8eZvzNAW7ZSg1BLmLsDl1tGzLqFQUrRogpnfm2nTkA6cwzGraMTMhBgHbog== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032657; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=TY+HykSouYlZggLD78WfhyYm5RKqNHCrpj1Mee6u+g8=; b=Y5wPK+8aQIHwWWnBhS5XX5hyjUxrYWXJ/mO0GRXxMo2G+hOAlN8I85heQQ0sUgRnwS5Vlt SHnG0bmXFgi8zdMZXsSeg9dZ5wGbPiClqDB+MvQA12QCxcnEcS9QIPe3/qtnULacbavZgb UDY+o4qkduGGSkpBMt9zhNM/qwFmrSyWE06SegS7IgB9kuoKPypQCVCK8NIJlFU8ql5zqw NE6oeSmMB0ME1g/eS3fewEKGanLDhhUav3ofw/JtgetrdcmDKMrzThzshjUd5sWkouUMxd gcq/x3hq+g7Bd5ykJDQryV+LpEmjJP2Pwub7mdZcFhNCzELxurAd2b5czAg6/A== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdw14MDKznt6 for ; Tue, 09 Jun 2026 19:17:37 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e788 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:17:37 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Gordon Tetlow From: Mark Johnston Subject: git: 20bfab98f8ae - stable/15 - ldns: Fix query response validation List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 20bfab98f8ae58261bd180bdc49a17eff1b08eb9 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:17:37 +0000 Message-Id: <6a2866d1.3e788.4633d0c6@gitrepo.freebsd.org> The branch stable/15 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=20bfab98f8ae58261bd180bdc49a17eff1b08eb9 commit 20bfab98f8ae58261bd180bdc49a17eff1b08eb9 Author: Gordon Tetlow AuthorDate: 2026-06-07 15:09:39 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 19:15:25 +0000 ldns: Fix query response validation Approved by: so Security: FreeBSD-SA-26:36.ldns Security: CVE-2026-10846 --- contrib/ldns/error.c | 6 ++++ contrib/ldns/ldns/error.h | 5 ++- contrib/ldns/net.c | 92 +++++++++++++++++++++++++++++++++++++++++++++-- 3 files changed, 100 insertions(+), 3 deletions(-) diff --git a/contrib/ldns/error.c b/contrib/ldns/error.c index 5723aea9b4c2..4fc05d6d0d8f 100644 --- a/contrib/ldns/error.c +++ b/contrib/ldns/error.c @@ -191,6 +191,12 @@ ldns_lookup_table ldns_error_str[] = { "at least 2 bytes of option data" }, { LDNS_STATUS_EQUAL_RR, "An identical RR already existed in the zone" }, + { LDNS_STATUS_ID_DID_NOT_MATCH, + "Response ID did not match the query ID" }, + { LDNS_STATUS_QDCOUNT_MUST_BE_ONE, + "The query section MUST contain exactly one question" }, + { LDNS_STATUS_QUERY_DID_NOT_MATCH, + "The question in the response did not match the query" }, { 0, NULL } }; diff --git a/contrib/ldns/ldns/error.h b/contrib/ldns/ldns/error.h index a76eb2ecab5d..41d64cc0815f 100644 --- a/contrib/ldns/ldns/error.h +++ b/contrib/ldns/ldns/error.h @@ -144,7 +144,10 @@ enum ldns_enum_status { LDNS_STATUS_INVALID_SVCPARAM_VALUE, LDNS_STATUS_NOT_EDE, LDNS_STATUS_EDE_OPTION_MALFORMED, - LDNS_STATUS_EQUAL_RR + LDNS_STATUS_EQUAL_RR, + LDNS_STATUS_ID_DID_NOT_MATCH, + LDNS_STATUS_QDCOUNT_MUST_BE_ONE, + LDNS_STATUS_QUERY_DID_NOT_MATCH }; typedef enum ldns_enum_status ldns_status; diff --git a/contrib/ldns/net.c b/contrib/ldns/net.c index e944d018b357..4c1f405419fb 100644 --- a/contrib/ldns/net.c +++ b/contrib/ldns/net.c @@ -441,6 +441,50 @@ ldns_udp_bgsend2(ldns_buffer *qbin, return ldns_udp_bgsend_from(qbin, to, tolen, NULL, 0, timeout); } +/** helper sockaddr compare function. returns -1, 0 or 1. */ +static int +ldns_sockaddr_cmp(const struct sockaddr_storage* addr1, socklen_t len1, + const struct sockaddr_storage* addr2, socklen_t len2) +{ + struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1; + struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2; + struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1; + struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2; + if(len1 < len2) + return -1; + if(len1 > len2) + return 1; + assert(len1 == len2); + if( p1_in->sin_family < p2_in->sin_family) + return -1; + if( p1_in->sin_family > p2_in->sin_family) + return 1; + assert( p1_in->sin_family == p2_in->sin_family ); + /* compare ip4 */ + if( p1_in->sin_family == AF_INET ) { + /* just order it, ntohs not required */ + if(p1_in->sin_port < p2_in->sin_port) + return -1; + if(p1_in->sin_port > p2_in->sin_port) + return 1; + assert(p1_in->sin_port == p2_in->sin_port); + return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, + sizeof(p1_in->sin_addr)); + } else if (p1_in6->sin6_family == AF_INET6) { + /* just order it, ntohs not required */ + if(p1_in6->sin6_port < p2_in6->sin6_port) + return -1; + if(p1_in6->sin6_port > p2_in6->sin6_port) + return 1; + assert(p1_in6->sin6_port == p2_in6->sin6_port); + return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr, + sizeof(p1_in6->sin6_addr)); + } else { + /* eek unknown type, perform this comparison for sanity. */ + return memcmp(addr1, addr2, len1); + } +} + static ldns_status ldns_udp_send_from(uint8_t **result, ldns_buffer *qbin, const struct sockaddr_storage *to , socklen_t tolen, @@ -449,6 +493,8 @@ ldns_udp_send_from(uint8_t **result, ldns_buffer *qbin, { int sockfd; uint8_t *answer; + struct sockaddr_storage reply_addr; + socklen_t reply_addr_len; sockfd = ldns_udp_bgsend_from(qbin, to, tolen, from, fromlen, timeout); @@ -467,13 +513,21 @@ ldns_udp_send_from(uint8_t **result, ldns_buffer *qbin, * but returns a 'NETWORK_ERROR' much like a timeout. */ ldns_sock_nonblock(sockfd); - answer = ldns_udp_read_wire(sockfd, answer_size, NULL, NULL); + reply_addr_len = sizeof(reply_addr); + memset(&reply_addr, 0, reply_addr_len); + answer = ldns_udp_read_wire(sockfd, answer_size, &reply_addr, + &reply_addr_len); close_socket(sockfd); if (!answer) { /* oops */ return LDNS_STATUS_NETWORK_ERR; } + /* Check that the reply came from the to addr. */ + if(ldns_sockaddr_cmp(to, tolen, &reply_addr, reply_addr_len) != 0) { + free(answer); + return LDNS_STATUS_NETWORK_ERR; + } *result = answer; return LDNS_STATUS_OK; @@ -512,6 +566,10 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf assert(r != NULL); + /* The query should at least have one question */ + if(ldns_buffer_limit(qb) < 6 || ldns_buffer_read_u16_at(qb, 4) != 1) + return LDNS_STATUS_QDCOUNT_MUST_BE_ONE; + status = LDNS_STATUS_OK; rtt = ldns_resolver_rtt(r); ns_array = ldns_resolver_nameservers(r); @@ -599,6 +657,16 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf ldns_resolver_set_nameserver_rtt(r, i, LDNS_RESOLV_RTT_INF); status = send_status; } + if(reply_bytes && ldns_buffer_limit(qb) >= 2) { + uint16_t txid = ldns_buffer_read_u16_at(qb, 0); + if(reply_size < 2 || + ldns_read_uint16(reply_bytes) != txid) { + status = LDNS_STATUS_ID_DID_NOT_MATCH; + LDNS_FREE(reply_bytes); + reply_bytes = NULL; + reply_size = 0; + } + } /* obey the fail directive */ if (!reply_bytes) { @@ -608,7 +676,7 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf LDNS_FREE(src); } LDNS_FREE(ns); - return LDNS_STATUS_ERR; + return status ? status : LDNS_STATUS_ERR; } else { LDNS_FREE(ns); continue; @@ -670,6 +738,26 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf #endif /* HAVE_SSL */ LDNS_FREE(reply_bytes); + if (reply) { + ldns_pkt *query = NULL; + + if(ldns_pkt_qdcount(reply) != 1) { + status = LDNS_STATUS_QDCOUNT_MUST_BE_ONE; + ldns_pkt_free(reply); + reply = NULL; + + } else if(ldns_wire2pkt(&query + , ldns_buffer_begin(qb) + , ldns_buffer_position(qb)) != LDNS_STATUS_OK + || ldns_pkt_qdcount(query) != 1 + || ldns_rr_compare(ldns_rr_list_rr(ldns_pkt_question(query),0) + ,ldns_rr_list_rr(ldns_pkt_question(reply),0))){ + status = LDNS_STATUS_QUERY_DID_NOT_MATCH; + ldns_pkt_free(reply); + reply = NULL; + } + ldns_pkt_free(query); + } if (result) { *result = reply; } From nobody Tue Jun 9 19:17:35 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdvz5gj9z6gTpj for ; Tue, 09 Jun 2026 19:17:35 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdvz3sP5z3LNH for ; Tue, 09 Jun 2026 19:17:35 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032655; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=LTJpqSx6B7uktGyKFXFy1Ypt0BqOccxRNTlAman7y5c=; b=OQmA8sj08+4LCb2ddiNDFUDlupmM1lRyAJNIRmLtG1ruEz97JZybu4jneTDi4B6Xr9XFJ5 4ptbnwgAcoU2LxdIhLPv1L58PfBLP6IsLipurtGEoc2lW2tEvxKN6BxLJa4hJN/y3cmkaM 8OWqaDy7nQHhsC83qWPT7Jp+0je0TmWVbaPMamRXbVBv9GAeQeOrikNppkpWvr3nhf11wk gml0zO/oJmi41KNjowqDVGN4aq+HDYLQ20ARgvzcAgeN2DMFXOrCkUt7avWzpLLlC2vnax EtTIwTqgeBNglPAmVQHVMgR/00st4I9Ep4UESRcXRAPmJEi4dhW4Mlmxq4AMlQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032655; a=rsa-sha256; cv=none; b=SwsiEdM4hHk+H35Bq456yNGcxlHSuaHi61i1Z0J/NFM+SvTKNVIT4S0M0fhWexa3dI5qVB wvaUvn5dC9W2U6wVgz9yf2NKftGQu1wo+lwcVK60JQNrgnkHCiTUNfoX1QJsZFFQOcpUuy yrH5lPjfGGHnbmAk9SrQuX3rnzQxB7NacNxY4CgrgNfzNs2gMyeU9ziCvK0xrC3Y9bjciM IpcJWVmU/P0PVsOfz1cWOsLqXvumlEyRaUoolQy801R/m9Ft1qykFLxVDbKNqY/6tPFlah I1pnSnxB2Q5G9L/skTAjeLFiADd+Pz3LmsT8hJnrw+VHcL4BsLftUc+XPcdiiA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032655; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=LTJpqSx6B7uktGyKFXFy1Ypt0BqOccxRNTlAman7y5c=; b=Bb1dt3WvW9f60/rFoV1a2EJ1YCQcd8yQ36ft8xPrk/fP6ATOPrqDeZXNjlCMAHWxZ8u0GL OlosX6gOG0GUuE/4/2gt8hja04pJ1LRSTOyFEFmugVBJyCouqNML8ffTDvdm2v9V0UFF4r pNagjPbUldSWeVrv/83lcgfFK4YNckpGO4gDjZB8+H8eFGvjijcbCHDBL+m9oWS7diJLRy tuGjxgDujWi+UcgngP8WCXH//3CJijEwsTCYekbNn1mmKSJP43fRdbfiKfYQnYOMZEIcA8 Nqk0JWpTW/9Efb0d0wSSYFINvr/wNIYVqdhVNcAGZXG8ZNTroJL0k+xhtzF8cg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdvz3CvZzmsc for ; Tue, 09 Jun 2026 19:17:35 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e5a5 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:17:35 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: e1cdc49846c1 - stable/15 - imgact_elf: Clear no-ASLR and -WXORX flags earlier for setugid images List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: e1cdc49846c1ddd3fba7c586ad98d168962e2a82 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:17:35 +0000 Message-Id: <6a2866cf.3e5a5.1458f5b2@gitrepo.freebsd.org> The branch stable/15 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=e1cdc49846c1ddd3fba7c586ad98d168962e2a82 commit e1cdc49846c1ddd3fba7c586ad98d168962e2a82 Author: Mark Johnston AuthorDate: 2026-06-02 20:29:00 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 19:15:25 +0000 imgact_elf: Clear no-ASLR and -WXORX flags earlier for setugid images Otherwise an unprivileged user can disable randomization of the base address for PIEs even if they are setugid. Add a regression test. Approved by: so Security: FreeBSD-SA-26:32.elf Security: CVE-2026-49414 Reported by: David Berard Reviewed by: kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57397 --- sys/kern/imgact_elf.c | 55 ++++++++--------- tests/sys/kern/Makefile | 2 + tests/sys/kern/aslr.c | 157 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 187 insertions(+), 27 deletions(-) diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c index 31102522ef35..15a3472731d6 100644 --- a/sys/kern/imgact_elf.c +++ b/sys/kern/imgact_elf.c @@ -1272,11 +1272,39 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) error = ENOEXEC; goto ret; } + + /* + * Avoid a possible deadlock if the current address space is destroyed + * and that address space maps the locked vnode. In the common case, + * the locked vnode's v_usecount is decremented but remains greater + * than zero. Consequently, the vnode lock is not needed by vrele(). + * However, in cases where the vnode lock is external, such as nullfs, + * v_usecount may become zero. + * + * The VV_TEXT flag prevents modifications to the executable while + * the vnode is unlocked. + */ + VOP_UNLOCK(imgp->vp); + + /* + * Decide whether to enable randomization of user mappings. First, + * reset user preferences for the setid binaries. Then, account for the + * support of randomization by the ABI, by user preferences, and make + * special treatment for PIE binaries. + */ + if (imgp->credential_setid) { + PROC_LOCK(imgp->proc); + imgp->proc->p_flag2 &= ~(P2_ASLR_ENABLE | P2_ASLR_DISABLE | + P2_WXORX_DISABLE | P2_WXORX_ENABLE_EXEC); + PROC_UNLOCK(imgp->proc); + } + sv = brand_info->sysvec; if (hdr->e_type == ET_DYN) { if ((brand_info->flags & BI_CAN_EXEC_DYN) == 0) { uprintf("Cannot execute shared object\n"); error = ENOEXEC; + (void)vn_lock(imgp->vp, LK_SHARED | LK_RETRY); goto ret; } /* @@ -1295,33 +1323,6 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) imgp->et_dyn_addr = __elfN(pie_base); } } - - /* - * Avoid a possible deadlock if the current address space is destroyed - * and that address space maps the locked vnode. In the common case, - * the locked vnode's v_usecount is decremented but remains greater - * than zero. Consequently, the vnode lock is not needed by vrele(). - * However, in cases where the vnode lock is external, such as nullfs, - * v_usecount may become zero. - * - * The VV_TEXT flag prevents modifications to the executable while - * the vnode is unlocked. - */ - VOP_UNLOCK(imgp->vp); - - /* - * Decide whether to enable randomization of user mappings. - * First, reset user preferences for the setid binaries. - * Then, account for the support of the randomization by the - * ABI, by user preferences, and make special treatment for - * PIE binaries. - */ - if (imgp->credential_setid) { - PROC_LOCK(imgp->proc); - imgp->proc->p_flag2 &= ~(P2_ASLR_ENABLE | P2_ASLR_DISABLE | - P2_WXORX_DISABLE | P2_WXORX_ENABLE_EXEC); - PROC_UNLOCK(imgp->proc); - } if ((sv->sv_flags & SV_ASLR) == 0 || (imgp->proc->p_flag2 & P2_ASLR_DISABLE) != 0 || (fctl0 & NT_FREEBSD_FCTL_ASLR_DISABLE) != 0) { diff --git a/tests/sys/kern/Makefile b/tests/sys/kern/Makefile index ca6f863fbb7d..b85e7ec53196 100644 --- a/tests/sys/kern/Makefile +++ b/tests/sys/kern/Makefile @@ -7,6 +7,7 @@ TESTSRC= ${SRCTOP}/contrib/netbsd-tests/kernel TESTSDIR= ${TESTSBASE}/sys/kern +ATF_TESTS_C+= aslr ATF_TESTS_C+= basic_signal ATF_TESTS_C+= copy_file_range .if ${MACHINE_ARCH} != "i386" && ${MACHINE_ARCH} != "powerpc" && \ @@ -91,6 +92,7 @@ PROGS+= coredump_phnum_helper PROGS+= pdeathsig_helper PROGS+= sendfile_helper +LIBADD.aslr+= util LIBADD.copy_file_range+= md LIBADD.jail_lookup_root+= jail util LIBADD.jaildesc+= pthread diff --git a/tests/sys/kern/aslr.c b/tests/sys/kern/aslr.c new file mode 100644 index 000000000000..13038054603c --- /dev/null +++ b/tests/sys/kern/aslr.c @@ -0,0 +1,157 @@ +/* + * Copyright (c) 2026 The FreeBSD Foundation + * + * This software was developed by Mark Johnston under sponsorship from the + * FreeBSD Foundation. + */ + +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +#include + +/* + * Spawn an unprivileged child with ASLR force-disabled, which then execs + * /sbin/ping (setuid root). + */ +static pid_t +spawn_ping(const atf_tc_t *tc) +{ + const char *user; + struct passwd *passwd; + pid_t child; + int arg, error; + + user = atf_tc_get_config_var(tc, "unprivileged_user"); + passwd = getpwnam(user); + ATF_REQUIRE(passwd != NULL); + + child = fork(); + ATF_REQUIRE(child >= 0); + if (child == 0) { + if (seteuid(passwd->pw_uid) != 0) + _exit(1); + + arg = PROC_ASLR_FORCE_DISABLE; + error = procctl(P_PID, getpid(), PROC_ASLR_CTL, &arg); + if (error != 0) + _exit(2); + + execl("/sbin/ping", "ping", "127.0.0.1", NULL); + _exit(127); + } + usleep(500000); /* XXX-MJ */ + + return (child); +} + +/* + * Return the base address of the first mapping backed by the specified + * executable in the given process, or 0 if not found. + */ +static uint64_t +text_base(pid_t pid, const char *path) +{ + struct kinfo_vmentry *vmmap; + uint64_t base; + int cnt; + + base = 0; + vmmap = kinfo_getvmmap(pid, &cnt); + if (vmmap == NULL) + return (0); + for (int i = 0; i < cnt; i++) { + if (vmmap[i].kve_type == KVME_TYPE_VNODE && + strcmp(vmmap[i].kve_path, path) == 0) { + base = vmmap[i].kve_start; + break; + } + } + free(vmmap); + return (base); +} + +/* + * Make sure that ASLR can't be disabled for a setuid executable by an + * unprivileged user. + */ +ATF_TC(aslr_setuid); +ATF_TC_HEAD(aslr_setuid, tc) +{ + atf_tc_set_md_var(tc, "require.user", "root"); + atf_tc_set_md_var(tc, "require.config", "unprivileged_user"); +} +ATF_TC_BODY(aslr_setuid, tc) +{ + struct stat sb; + uint64_t bases[5]; + pid_t child, pid; + int arg, error, st; + + if (!atf_tc_has_config_var(tc, "unprivileged_user")) + atf_tc_skip("unprivileged_user not set"); + + error = stat("/sbin/ping", &sb); + ATF_REQUIRE(error == 0); + ATF_REQUIRE_MSG(sb.st_uid == 0 && (sb.st_mode & S_ISUID) != 0, + "/sbin/ping is not setuid root"); + + child = spawn_ping(tc); + bases[0] = text_base(child, "/sbin/ping"); + ATF_REQUIRE_MSG(bases[0] != 0, + "failed to find /sbin/ping text segment"); + + arg = 0; + error = procctl(P_PID, child, PROC_ASLR_STATUS, &arg); + ATF_REQUIRE_MSG(error == 0, "procctl ASLR_STATUS failed: %s", + strerror(errno)); + ATF_REQUIRE_MSG((arg & PROC_ASLR_ACTIVE) != 0, + "ASLR is not active for setuid child"); + ATF_REQUIRE_MSG((arg & ~PROC_ASLR_ACTIVE) == PROC_ASLR_NOFORCE, + "expected NOFORCE for setuid child, got %d", + arg & ~PROC_ASLR_ACTIVE); + + error = kill(child, SIGTERM); + ATF_REQUIRE(error == 0); + pid = waitpid(child, &st, 0); + ATF_REQUIRE(pid == child); + ATF_REQUIRE(WIFSIGNALED(st) && WTERMSIG(st) == SIGTERM); + + for (size_t i = 1; i < nitems(bases); i++) { + child = spawn_ping(tc); + bases[i] = text_base(child, "/sbin/ping"); + ATF_REQUIRE_MSG(bases[i] != 0, + "failed to find /sbin/ping text segment"); + error = kill(child, SIGTERM); + ATF_REQUIRE(error == 0); + pid = waitpid(child, &st, 0); + ATF_REQUIRE(pid == child); + ATF_REQUIRE(WIFSIGNALED(st) && WTERMSIG(st) == SIGTERM); + } + + /* Verify that the text base is different across all runs. */ + for (size_t i = 0; i < nitems(bases); i++) { + for (size_t j = i + 1; j < nitems(bases); j++) { + ATF_REQUIRE_MSG(bases[i] != bases[j], + "ping text base collision 0x%jx", + (uintmax_t)bases[i]); + } + } +} + +ATF_TP_ADD_TCS(tp) +{ + ATF_TP_ADD_TC(tp, aslr_setuid); + + return (atf_no_error()); +} From nobody Tue Jun 9 19:17:36 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdw114B4z6gTlk for ; Tue, 09 Jun 2026 19:17:37 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdw04Wfpz3LYf for ; Tue, 09 Jun 2026 19:17:36 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032656; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=E2eMaBnDEo1Mj6XyqGImUdYbhlz3Rs4iLuS4ar75Q0Q=; b=UUHNPeIJsvBruSs+w7TJlvRMt1zh4DDorWwbEDT/RM9dUqHE9DuKZBdk4X+/ywGXa2o5R0 a/P01TqQBbU4Y0xndtCpWOne8wbgK6gGspWSARyWxujhqcPue6sxYnqvh2D26L0tISC5Ze pJZvzOJ57tSbld9eVWypTspGXG12WRQHSnsxo+jWuTR4XcF/Td1fwc5VgnlG2EY4DSKY42 XxobadtIazJ5v1Ab+FmX4D6r1TLWGBaXo36JiX5PgkGKKsWcWEBqCMPxFlahJEVm2BTiZk jWmIiJTVfhtbsrswyK+qUihA0dPLj1sxEqCQUOAEkfvi/heI3r6uKbITj5Q+Qg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032656; a=rsa-sha256; cv=none; b=Ic6+BnULfZQr7KlQQMBLdg8QlXWeO6WXYvlRqs2QmUsxW9uEorUVLdR0BNjpPAeWJ0ZdbB 8r7G3QsduW+qRZo04Hrzpb0s9H/7gdwywz3uA8ZjNcBjIPLnoyFRh9jhTbd3BRSDHK8UOg eJ8NSsah6zmTirBaPuqUBp1mdOQdhPbxiThA+omWYfBlfHZNbptCM0p/QnB6O/Jl953Vti 7big3ML3b0LL+rdBlSRQlscUzy74M8noldbfB0pfijchoOjjIGziOVcPQi8Wp4VOBi4lsJ L9tcljWIOlOD4LmAClcHoZ46gCsfN4Tzu1qILXmnp0/G18agtHubb9p8lIslwA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032656; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=E2eMaBnDEo1Mj6XyqGImUdYbhlz3Rs4iLuS4ar75Q0Q=; b=EAiSIsQEWr2NIuI9yAruFpnjlQTRdhEjSZrvkkYnI0YcFWlVkQipgCihDt/X/tNaQMAMqp 36M5qjIp9nNytAnMbx0Eo4E+A6wKIaoFfKo7Oi6aolX7CNx5JE1pfOLS/hvp4AoF7m0cGv //LrJP+WU9wbK95G2gKYydeNmzGigW9fy131KX7c5QdImgu8wAsEg7M0myNlvZaCdKa91j 0k18oNgpitW6FxWGNFdluIiTHw2rrf16J8Q2LYgRq/W0Gm83yiq2UcCvy7pXlDWu2NswXk MiNOurZZOW6px2YLWzVgLkv8L3t1PlRz/r6W9vM1o4W5fPxAvt25tQtE3A7xbg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdw03ntcznrC for ; Tue, 09 Jun 2026 19:17:36 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e82d by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:17:36 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Gordon Tetlow From: Mark Johnston Subject: git: 865c8ff56693 - stable/15 - openssl: Fix multiple vulnerabilities List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 865c8ff56693db508513599cf1e03e9c612cbce2 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:17:36 +0000 Message-Id: <6a2866d0.3e82d.354576fe@gitrepo.freebsd.org> The branch stable/15 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=865c8ff56693db508513599cf1e03e9c612cbce2 commit 865c8ff56693db508513599cf1e03e9c612cbce2 Author: Gordon Tetlow AuthorDate: 2026-04-29 08:23:24 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 19:15:25 +0000 openssl: Fix multiple vulnerabilities This is a rollup commit from upstream to fix: Reject oversized inputs in ASN1_mbstring_ncopy() cms: kek_unwrap_key: Fix out-of-bounds read in check-byte validation cms: kek_unwrap_key: test for fix out-of-bounds read in check-byte validation Avoid length truncation in ASN1_STRING_set pkcs12: verify that the pbmac1 key length is safe Reject potentially forged encrypted CMS AuthEnvelopedData messages QUIC stack must limit the number of PATH_CHALLENGE frames processed in RX Fix NULL dereference in QUIC address validation Fix potential NULL dereference processing CMS PasswordRecipientInfo Fix potential NULL dereference in OSSL_CRMF_ENCRYPTEDVALUE_decrypt() Enforce implicit rejection for CMS/PKCS#7 decryption Use the correct issuer when validating rootCAKeyUpdate Match the local q DHX parameter against the peer's q Apply the buffered IV on the AES-OCB EVP_Cipher() path Fix handling of empty-ciphertext messages in AES-GCM-SIV and AES-SIV Fix possible use-after-free in OpenSSL PKCS7_verify() Approved by: so Obtained from: OpenSSL Security: FreeBSD-SA-26:35.openssl Security: CVE-2026-7383 Security: CVE-2026-9076 Security: CVE-2026-34180 Security: CVE-2026-34181 Security: CVE-2026-34182 Security: CVE-2026-34183 Security: CVE-2026-42764 Security: CVE-2026-42766 Security: CVE-2026-42767 Security: CVE-2026-42768 Security: CVE-2026-42769 Security: CVE-2026-42770 Security: CVE-2026-45445 Security: CVE-2026-45446 Security: CVE-2026-45447 --- crypto/openssl/crypto/asn1/a_mbstr.c | 31 ++++- crypto/openssl/crypto/asn1/tasn_dec.c | 24 ++-- crypto/openssl/crypto/cmp/cmp_genm.c | 6 +- crypto/openssl/crypto/cms/cms_enc.c | 10 +- crypto/openssl/crypto/cms/cms_env.c | 7 -- crypto/openssl/crypto/cms/cms_pwri.c | 13 +- crypto/openssl/crypto/crmf/crmf_lib.c | 10 +- crypto/openssl/crypto/pkcs12/p12_mutl.c | 8 +- crypto/openssl/crypto/pkcs7/pk7_doit.c | 7 -- crypto/openssl/crypto/pkcs7/pk7_smime.c | 9 +- crypto/openssl/doc/man3/CMS_decrypt.pod | 4 +- crypto/openssl/doc/man3/PKCS7_decrypt.pod | 10 +- crypto/openssl/include/internal/quic_cfq.h | 1 + crypto/openssl/include/internal/quic_channel.h | 1 + crypto/openssl/include/internal/quic_fifd.h | 1 + .../ciphers/cipher_aes_gcm_siv_hw.c | 27 ++-- .../implementations/ciphers/cipher_aes_ocb.c | 13 ++ .../implementations/ciphers/cipher_aes_siv.c | 3 + .../providers/implementations/exchange/dh_exch.c | 5 +- crypto/openssl/ssl/quic/quic_cfq.c | 15 +++ crypto/openssl/ssl/quic/quic_channel.c | 6 + crypto/openssl/ssl/quic/quic_channel_local.h | 39 ++++++ crypto/openssl/ssl/quic/quic_fifd.c | 43 +++++++ crypto/openssl/ssl/quic/quic_port.c | 6 +- crypto/openssl/ssl/quic/quic_rx_depack.c | 60 +++++---- crypto/openssl/ssl/quic/quic_txp.c | 2 + crypto/openssl/test/cmsapitest.c | 48 ++++++- crypto/openssl/test/evp_extra_test.c | 140 +++++++++++++++++++++ crypto/openssl/test/recipes/80-test_cmsapi.t | 3 +- .../80-test_cmsapi_data/cms_pwri_kek_oob.der | Bin 0 -> 193 bytes crypto/openssl/test/recipes/80-test_pkcs12.t | 13 +- .../pbmac1_256_256.bad-key-len.p12 | Bin 0 -> 2803 bytes .../pbmac1_256_256.good-shorter-key-len.p12 | Bin 0 -> 2803 bytes 33 files changed, 472 insertions(+), 93 deletions(-) diff --git a/crypto/openssl/crypto/asn1/a_mbstr.c b/crypto/openssl/crypto/asn1/a_mbstr.c index 2270e63d51d4..962e19b2ceaa 100644 --- a/crypto/openssl/crypto/asn1/a_mbstr.c +++ b/crypto/openssl/crypto/asn1/a_mbstr.c @@ -174,11 +174,27 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, break; case MBSTRING_BMP: + if (nchar > INT_MAX / 2) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_STRING_TOO_LONG); + if (free_out) { + ASN1_STRING_free(dest); + *out = NULL; + } + return -1; + } outlen = nchar << 1; cpyfunc = cpy_bmp; break; case MBSTRING_UNIV: + if (nchar > INT_MAX / 4) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_STRING_TOO_LONG); + if (free_out) { + ASN1_STRING_free(dest); + *out = NULL; + } + return -1; + } outlen = nchar << 2; cpyfunc = cpy_univ; break; @@ -186,8 +202,11 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, case MBSTRING_UTF8: outlen = 0; ret = traverse_string(in, len, inform, out_utf8, &outlen); - if (ret < 0) { - ERR_raise(ERR_LIB_ASN1, ASN1_R_INVALID_UTF8STRING); + if (ret < 0) { /* error already raised in out_utf8() */ + if (free_out) { + ASN1_STRING_free(dest); + *out = NULL; + } return -1; } cpyfunc = cpy_utf8; @@ -270,9 +289,15 @@ static int out_utf8(unsigned long value, void *arg) int *outlen, len; len = UTF8_putc(NULL, -1, value); - if (len <= 0) + if (len <= 0) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_INVALID_UTF8STRING); return len; + } outlen = arg; + if (*outlen > INT_MAX - len) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_STRING_TOO_LONG); + return -1; + } *outlen += len; return 1; } diff --git a/crypto/openssl/crypto/asn1/tasn_dec.c b/crypto/openssl/crypto/asn1/tasn_dec.c index 91c2e524f55b..e9532b9f48f7 100644 --- a/crypto/openssl/crypto/asn1/tasn_dec.c +++ b/crypto/openssl/crypto/asn1/tasn_dec.c @@ -54,7 +54,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx); -static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, +static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len, int utype, char *free_cont, const ASN1_ITEM *it); /* Table to convert tags to bit values, used for MSTRING type */ @@ -855,19 +855,24 @@ err: /* Translate ASN1 content octets into a structure */ -static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, +static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len, int utype, char *free_cont, const ASN1_ITEM *it) { ASN1_VALUE **opval = NULL; ASN1_STRING *stmp; ASN1_TYPE *typ = NULL; int ret = 0; + int ilen = (int)len; const ASN1_PRIMITIVE_FUNCS *pf; ASN1_INTEGER **tint; pf = it->funcs; - if (pf && pf->prim_c2i) - return pf->prim_c2i(pval, cont, len, utype, free_cont, it); + if (pf && pf->prim_c2i) { + if (len == (long)ilen) + return pf->prim_c2i(pval, cont, ilen, utype, free_cont, it); + ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG); + return 0; + } /* If ANY type clear type and set pointer to internal value */ if (it->utype == V_ASN1_ANY) { if (*pval == NULL) { @@ -885,7 +890,8 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, } switch (utype) { case V_ASN1_OBJECT: - if (!ossl_c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len)) + if (len != (long)ilen + || !ossl_c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, ilen)) goto err; break; @@ -940,6 +946,10 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, case V_ASN1_SET: case V_ASN1_SEQUENCE: default: + if (len != (long)ilen) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG); + goto err; + } if (utype == V_ASN1_BMPSTRING && (len & 1)) { ERR_raise(ERR_LIB_ASN1, ASN1_R_BMPSTRING_IS_WRONG_LENGTH); goto err; @@ -970,10 +980,10 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, } /* If we've already allocated a buffer use it */ if (*free_cont) { - ASN1_STRING_set0(stmp, (unsigned char *)cont /* UGLY CAST! */, len); + ASN1_STRING_set0(stmp, (unsigned char *)cont /* UGLY CAST! */, ilen); *free_cont = 0; } else { - if (!ASN1_STRING_set(stmp, cont, len)) { + if (!ASN1_STRING_set(stmp, cont, ilen)) { ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB); ASN1_STRING_free(stmp); *pval = NULL; diff --git a/crypto/openssl/crypto/cmp/cmp_genm.c b/crypto/openssl/crypto/cmp/cmp_genm.c index bcc121f14695..ec1f03d20c1a 100644 --- a/crypto/openssl/crypto/cmp/cmp_genm.c +++ b/crypto/openssl/crypto/cmp/cmp_genm.c @@ -202,7 +202,7 @@ static int selfsigned_verify_cb(int ok, X509_STORE_CTX *store_ctx) for (i = 0; i < sk_X509_num(trust); i++) { issuer = sk_X509_value(trust, i); if ((*check_issued)(store_ctx, cert, issuer)) { - if (X509_add_cert(chain, cert, X509_ADD_FLAG_UP_REF)) + if (X509_add_cert(chain, issuer, X509_ADD_FLAG_UP_REF)) ok = 1; break; } @@ -235,6 +235,7 @@ static int verify_ss_cert(OSSL_LIB_CTX *libctx, const char *propq, if ((csc = X509_STORE_CTX_new_ex(libctx, propq)) == NULL || !X509_STORE_CTX_init(csc, ts, target, untrusted)) goto err; + X509_STORE_CTX_set_flags(csc, X509_V_FLAG_CHECK_SS_SIGNATURE); X509_STORE_CTX_set_verify_cb(csc, selfsigned_verify_cb); ok = X509_verify_cert(csc) > 0; @@ -253,7 +254,8 @@ verify_ss_cert_trans(OSSL_CMP_CTX *ctx, X509 *trusted /* may be NULL */, int res = 0; if (trusted != NULL) { - X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts); + X509_VERIFY_PARAM *vpm = (ts == NULL) ? NULL + : X509_STORE_get0_param(ts); if ((ts = X509_STORE_new()) == NULL) return 0; diff --git a/crypto/openssl/crypto/cms/cms_enc.c b/crypto/openssl/crypto/cms/cms_enc.c index 08afb5ab114b..ba7082cebd72 100644 --- a/crypto/openssl/crypto/cms/cms_enc.c +++ b/crypto/openssl/crypto/cms/cms_enc.c @@ -109,13 +109,15 @@ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, goto err; } piv = aparams.iv; - if (ec->taglen > 0 - && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, - ec->taglen, ec->tag) - <= 0) { + + if (ec->taglen < 4 || ec->taglen > 16 + || EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, (int)ec->taglen, ec->tag) <= 0) { ERR_raise(ERR_LIB_CMS, CMS_R_CIPHER_AEAD_SET_TAG_ERROR); goto err; } + } else if (auth) { + ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM); + goto err; } } len = EVP_CIPHER_CTX_get_key_length(ctx); diff --git a/crypto/openssl/crypto/cms/cms_env.c b/crypto/openssl/crypto/cms/cms_env.c index 0828d157fad6..70dd59c06169 100644 --- a/crypto/openssl/crypto/cms/cms_env.c +++ b/crypto/openssl/crypto/cms/cms_env.c @@ -619,13 +619,6 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, if (!ossl_cms_env_asn1_ctrl(ri, 1)) goto err; - if (EVP_PKEY_is_a(pkey, "RSA")) - /* upper layer CMS code incorrectly assumes that a successful RSA - * decryption means that the key matches ciphertext (which never - * was the case, implicit rejection or not), so to make it work - * disable implicit rejection for RSA keys */ - EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_pkcs1_implicit_rejection", "0"); - if (evp_pkey_decrypt_alloc(ktri->pctx, &ek, &eklen, fixlen, ktri->encryptedKey->data, ktri->encryptedKey->length) diff --git a/crypto/openssl/crypto/cms/cms_pwri.c b/crypto/openssl/crypto/cms/cms_pwri.c index d62dbbde881b..faf6a164669b 100644 --- a/crypto/openssl/crypto/cms/cms_pwri.c +++ b/crypto/openssl/crypto/cms/cms_pwri.c @@ -200,18 +200,18 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen, const unsigned char *in, size_t inlen, EVP_CIPHER_CTX *ctx) { - size_t blocklen = EVP_CIPHER_CTX_get_block_size(ctx); + int blocklen = EVP_CIPHER_CTX_get_block_size(ctx); unsigned char *tmp; int outl, rv = 0; - if (blocklen == 0) + if (blocklen < 4) return 0; - if (inlen < 2 * blocklen) { + if (inlen < 2 * (size_t)blocklen) { /* too small */ return 0; } - if (inlen % blocklen) { + if (inlen > INT_MAX || inlen % blocklen) { /* Invalid size */ return 0; } @@ -367,6 +367,11 @@ int ossl_cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms, /* Finish password based key derivation to setup key in "ctx" */ + if (algtmp == NULL) { + ERR_raise_data(ERR_LIB_CMS, CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER, + "Missing KeyDerivationAlgorithm"); + goto err; + } if (!EVP_PBE_CipherInit_ex(algtmp->algorithm, (char *)pwri->pass, (int)pwri->passlen, algtmp->parameter, kekctx, en_de, diff --git a/crypto/openssl/crypto/crmf/crmf_lib.c b/crypto/openssl/crypto/crmf/crmf_lib.c index d5c8983b2fd4..34477d52662d 100644 --- a/crypto/openssl/crypto/crmf/crmf_lib.c +++ b/crypto/openssl/crypto/crmf/crmf_lib.c @@ -766,6 +766,7 @@ unsigned char *OSSL_CRMF_ENCRYPTEDVALUE_decrypt(const OSSL_CRMF_ENCRYPTEDVALUE * EVP_CIPHER *cipher = NULL; /* used cipher */ int cikeysize = 0; /* key size from cipher */ unsigned char *iv = NULL; /* initial vector for symmetric encryption */ + int iv_len; /* iv length */ unsigned char *out = NULL; /* decryption output buffer */ int n, ret = 0; EVP_PKEY_CTX *pkctx = NULL; /* private key context */ @@ -820,11 +821,12 @@ unsigned char *OSSL_CRMF_ENCRYPTEDVALUE_decrypt(const OSSL_CRMF_ENCRYPTEDVALUE * } else { goto end; } - if ((iv = OPENSSL_malloc(EVP_CIPHER_get_iv_length(cipher))) == NULL) + iv_len = EVP_CIPHER_get_iv_length(cipher); + if ((iv = OPENSSL_malloc(iv_len)) == NULL) goto end; - if (ASN1_TYPE_get_octetstring(enc->symmAlg->parameter, iv, - EVP_CIPHER_get_iv_length(cipher)) - != EVP_CIPHER_get_iv_length(cipher)) { + if (enc->symmAlg->parameter == NULL + || ASN1_TYPE_get_octetstring(enc->symmAlg->parameter, iv, iv_len) + != iv_len) { ERR_raise(ERR_LIB_CRMF, CRMF_R_MALFORMED_IV); goto end; } diff --git a/crypto/openssl/crypto/pkcs12/p12_mutl.c b/crypto/openssl/crypto/pkcs12/p12_mutl.c index 01956252df76..15072e12f26b 100644 --- a/crypto/openssl/crypto/pkcs12/p12_mutl.c +++ b/crypto/openssl/crypto/pkcs12/p12_mutl.c @@ -144,11 +144,13 @@ static int PBMAC1_PBKDF2_HMAC(OSSL_LIB_CTX *ctx, const char *propq, } pbkdf2_salt = pbkdf2_param->salt->value.octet_string; - /* RFC 9579 specifies missing key length as invalid */ + /* RFC 9879 specifies missing key length as invalid */ if (pbkdf2_param->keylength != NULL) keylen = ASN1_INTEGER_get(pbkdf2_param->keylength); - if (keylen <= 0 || keylen > EVP_MAX_MD_SIZE) { - ERR_raise(ERR_LIB_PKCS12, PKCS12_R_PARSE_ERROR); + /* RFC 9879 specifies too short key length as untrustworthy too */ + if (keylen < 20 || keylen > EVP_MAX_MD_SIZE) { + ERR_raise_data(ERR_LIB_PKCS12, PKCS12_R_PARSE_ERROR, + "Invalid Key length (%d is not in the range 20..64)", keylen); goto err; } diff --git a/crypto/openssl/crypto/pkcs7/pk7_doit.c b/crypto/openssl/crypto/pkcs7/pk7_doit.c index d6513cf3a379..1ec7895fc197 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_doit.c +++ b/crypto/openssl/crypto/pkcs7/pk7_doit.c @@ -203,13 +203,6 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, if (EVP_PKEY_decrypt_init(pctx) <= 0) goto err; - if (EVP_PKEY_is_a(pkey, "RSA")) - /* upper layer pkcs7 code incorrectly assumes that a successful RSA - * decryption means that the key matches ciphertext (which never - * was the case, implicit rejection or not), so to make it work - * disable implicit rejection for RSA keys */ - EVP_PKEY_CTX_ctrl_str(pctx, "rsa_pkcs1_implicit_rejection", "0"); - ret = evp_pkey_decrypt_alloc(pctx, &ek, &eklen, fixlen, ri->enc_key->data, ri->enc_key->length); if (ret <= 0) diff --git a/crypto/openssl/crypto/pkcs7/pk7_smime.c b/crypto/openssl/crypto/pkcs7/pk7_smime.c index 97f20058979f..dc003ee2affd 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_smime.c +++ b/crypto/openssl/crypto/pkcs7/pk7_smime.c @@ -222,6 +222,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, int i, j = 0, k, ret = 0; BIO *p7bio = NULL; BIO *tmpout = NULL; + BIO *next = NULL; const PKCS7_CTX *p7_ctx; if (p7 == NULL) { @@ -352,9 +353,11 @@ err: BIO_free(tmpout); X509_STORE_CTX_free(cert_ctx); OPENSSL_free(buf); - if (indata != NULL) - BIO_pop(p7bio); - BIO_free_all(p7bio); + while (p7bio != NULL && p7bio != indata) { + next = BIO_pop(p7bio); + BIO_free(p7bio); + p7bio = next; + } sk_X509_free(signers); sk_X509_free(untrusted); return ret; diff --git a/crypto/openssl/doc/man3/CMS_decrypt.pod b/crypto/openssl/doc/man3/CMS_decrypt.pod index 121b74a30a10..66a94287b6f5 100644 --- a/crypto/openssl/doc/man3/CMS_decrypt.pod +++ b/crypto/openssl/doc/man3/CMS_decrypt.pod @@ -68,7 +68,7 @@ then the above behaviour is modified and an error B returned if no recipient encrypted key can be decrypted B generating a random content encryption key. Applications should use this flag with B especially in automated gateways as it can leave them -open to attack. +open to attack. See L for more details. It is possible to determine the correct recipient key by other means (for example looking them up in a database) and setting them in the CMS structure @@ -103,7 +103,7 @@ mentioned in CMS_verify() also applies to CMS_decrypt(). =head1 SEE ALSO -L, L +L, L, L =head1 HISTORY diff --git a/crypto/openssl/doc/man3/PKCS7_decrypt.pod b/crypto/openssl/doc/man3/PKCS7_decrypt.pod index aea15937ab86..cfb5b3f87376 100644 --- a/crypto/openssl/doc/man3/PKCS7_decrypt.pod +++ b/crypto/openssl/doc/man3/PKCS7_decrypt.pod @@ -22,6 +22,14 @@ B is an optional set of flags. Although the recipients certificate is not needed to decrypt the data it is needed to locate the appropriate (of possible several) recipients in the PKCS#7 structure. +When RSA PKCS#1 v1.5 Key Transport is in use, the invoked EVP_PKEY_decrypt() +will use implicit rejection mechanism. It always returns the result of RSA +decryption of the symmetric key to avoid Marvin attack. This result is +deterministic and can happen to match the symmetric cipher used for the content +encryption. In case when the certificate is not provided, the last +RecipientInfo producing the key looking valid will be used. It may cause +getting garbage content on decryption. + The following flags can be passed in the B parameter. If the B flag is set MIME headers for type B are deleted @@ -43,7 +51,7 @@ mentioned in PKCS7_sign() also applies to PKCS7_verify(). =head1 SEE ALSO -L, L +L, L, L =head1 COPYRIGHT diff --git a/crypto/openssl/include/internal/quic_cfq.h b/crypto/openssl/include/internal/quic_cfq.h index 0b2a3a4cb2d6..96c8d89eb600 100644 --- a/crypto/openssl/include/internal/quic_cfq.h +++ b/crypto/openssl/include/internal/quic_cfq.h @@ -149,6 +149,7 @@ QUIC_CFQ_ITEM *ossl_quic_cfq_get_priority_head(const QUIC_CFQ *cfq, QUIC_CFQ_ITEM *ossl_quic_cfq_item_get_priority_next(const QUIC_CFQ_ITEM *item, uint32_t pn_space); +int ossl_quic_cfq_discard_unreliable(QUIC_CFQ *cfq, QUIC_CFQ_ITEM *item); #endif #endif diff --git a/crypto/openssl/include/internal/quic_channel.h b/crypto/openssl/include/internal/quic_channel.h index b917b966abeb..cfaeab728178 100644 --- a/crypto/openssl/include/internal/quic_channel.h +++ b/crypto/openssl/include/internal/quic_channel.h @@ -468,6 +468,7 @@ int ossl_quic_bind_channel(QUIC_CHANNEL *ch, const BIO_ADDR *peer, const QUIC_CONN_ID *scid, const QUIC_CONN_ID *dcid, const QUIC_CONN_ID *odcid); +void ossl_ch_reset_rx_state(QUIC_CHANNEL *ch); #endif #endif diff --git a/crypto/openssl/include/internal/quic_fifd.h b/crypto/openssl/include/internal/quic_fifd.h index 4ea7a2e0d226..afa330cbc4a2 100644 --- a/crypto/openssl/include/internal/quic_fifd.h +++ b/crypto/openssl/include/internal/quic_fifd.h @@ -83,6 +83,7 @@ int ossl_quic_fifd_pkt_commit(QUIC_FIFD *fifd, QUIC_TXPIM_PKT *pkt); void ossl_quic_fifd_set_qlog_cb(QUIC_FIFD *fifd, QLOG *(*get_qlog_cb)(void *arg), void *arg); +void ossl_quic_fifd_pkt_discard_unreliable(QUIC_FIFD *fifd, QUIC_TXPIM_PKT *tpkt); #endif #endif diff --git a/crypto/openssl/providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c b/crypto/openssl/providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c index d0b6ae4b070d..5bdc567b4bb1 100644 --- a/crypto/openssl/providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c +++ b/crypto/openssl/providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c @@ -58,6 +58,9 @@ static int aes_gcm_siv_initkey(void *vctx) memset(&data, 0, sizeof(data)); memcpy(&data.block[sizeof(data.counter)], ctx->nonce, NONCE_SIZE); + ctx->generated_tag = 0; + memset(ctx->tag, 0, TAG_SIZE); + /* msg_auth_key is always 16 bytes in size, regardless of AES128/AES256 */ /* counter is stored little-endian */ for (i = 0; i < BLOCK_SIZE; i += 8) { @@ -134,17 +137,6 @@ static int aes_gcm_siv_aad(PROV_AES_GCM_SIV_CTX *ctx, return 1; } -static int aes_gcm_siv_finish(PROV_AES_GCM_SIV_CTX *ctx) -{ - int ret = 0; - - if (ctx->enc) - return ctx->generated_tag; - ret = !CRYPTO_memcmp(ctx->tag, ctx->user_tag, sizeof(ctx->tag)); - ret &= ctx->have_user_tag; - return ret; -} - static int aes_gcm_siv_encrypt(PROV_AES_GCM_SIV_CTX *ctx, const unsigned char *in, unsigned char *out, size_t len) { @@ -271,6 +263,19 @@ static int aes_gcm_siv_decrypt(PROV_AES_GCM_SIV_CTX *ctx, const unsigned char *i return !error; } +static int aes_gcm_siv_finish(PROV_AES_GCM_SIV_CTX *ctx) +{ + int ret = 0; + + if (ctx->enc) + return ctx->generated_tag; + if (!ctx->generated_tag) + aes_gcm_siv_decrypt(ctx, NULL, NULL, 0); + ret = !CRYPTO_memcmp(ctx->tag, ctx->user_tag, sizeof(ctx->tag)); + ret &= ctx->have_user_tag; + return ret; +} + static int aes_gcm_siv_cipher(void *vctx, unsigned char *out, const unsigned char *in, size_t len) { diff --git a/crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c b/crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c index b724c425e392..99254cb49a88 100644 --- a/crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c +++ b/crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c @@ -514,6 +514,19 @@ static int aes_ocb_cipher(void *vctx, unsigned char *out, size_t *outl, return 0; } + /* + * Mirror the streaming handler: refuse if the key has not been set, + * and push the buffered IV into the OCB context before any data is + * processed. Without this, CRYPTO_ocb128_encrypt/decrypt runs with + * Offset_0 = 0 regardless of the caller's IV -- catastrophic + * (key, nonce) reuse, and a subsequent EVP_*Final_ex() emits a tag + * that is a function of (key, iv) only. + */ + if (!ctx->key_set || !update_iv(ctx)) { + ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED); + return 0; + } + if (!aes_generic_ocb_cipher(ctx, in, out, inl)) { ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED); return 0; diff --git a/crypto/openssl/providers/implementations/ciphers/cipher_aes_siv.c b/crypto/openssl/providers/implementations/ciphers/cipher_aes_siv.c index 96f26757abe2..754e0757cda3 100644 --- a/crypto/openssl/providers/implementations/ciphers/cipher_aes_siv.c +++ b/crypto/openssl/providers/implementations/ciphers/cipher_aes_siv.c @@ -192,6 +192,7 @@ static int aes_siv_set_ctx_params(void *vctx, const OSSL_PARAM params[]) PROV_AES_SIV_CTX *ctx = (PROV_AES_SIV_CTX *)vctx; const OSSL_PARAM *p; unsigned int speed = 0; + SIV128_CONTEXT *sctx = &ctx->siv; if (ossl_param_is_empty(params)) return 1; @@ -226,6 +227,8 @@ static int aes_siv_set_ctx_params(void *vctx, const OSSL_PARAM params[]) if (keylen != ctx->keylen) return 0; } + sctx->final_ret = -1; + return 1; } diff --git a/crypto/openssl/providers/implementations/exchange/dh_exch.c b/crypto/openssl/providers/implementations/exchange/dh_exch.c index 94d4254ed5d2..2bfefc0aedf4 100644 --- a/crypto/openssl/providers/implementations/exchange/dh_exch.c +++ b/crypto/openssl/providers/implementations/exchange/dh_exch.c @@ -146,12 +146,15 @@ static int dh_init(void *vpdhctx, void *vdh, const OSSL_PARAM params[]) static int dh_match_params(DH *priv, DH *peer) { int ret; + int ignore_q = 1; FFC_PARAMS *dhparams_priv = ossl_dh_get0_params(priv); FFC_PARAMS *dhparams_peer = ossl_dh_get0_params(peer); + if (dhparams_priv != NULL && dhparams_priv->q != NULL) + ignore_q = 0; ret = dhparams_priv != NULL && dhparams_peer != NULL - && ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, 1); + && ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, ignore_q); if (!ret) ERR_raise(ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS); return ret; diff --git a/crypto/openssl/ssl/quic/quic_cfq.c b/crypto/openssl/ssl/quic/quic_cfq.c index 3c59234ff0ff..16818e55f57d 100644 --- a/crypto/openssl/ssl/quic/quic_cfq.c +++ b/crypto/openssl/ssl/quic/quic_cfq.c @@ -7,6 +7,7 @@ * https://www.openssl.org/source/license.html */ +#include "internal/quic_channel.h" #include "internal/quic_cfq.h" #include "internal/numbers.h" @@ -307,6 +308,20 @@ void ossl_quic_cfq_mark_lost(QUIC_CFQ *cfq, QUIC_CFQ_ITEM *item, } } +int ossl_quic_cfq_discard_unreliable(QUIC_CFQ *cfq, QUIC_CFQ_ITEM *item) +{ + int discarded; + + if (ossl_quic_cfq_item_is_unreliable(item)) { + ossl_quic_cfq_release(cfq, item); + discarded = 1; + } else { + discarded = 0; + } + + return discarded; +} + /* * Releases a CFQ item. The item may be in either state (NEW or TX) prior to the * call. The QUIC_CFQ_ITEM pointer must not be used following this call. diff --git a/crypto/openssl/ssl/quic/quic_channel.c b/crypto/openssl/ssl/quic/quic_channel.c index 13692e5bd09e..5f81a8560d5f 100644 --- a/crypto/openssl/ssl/quic/quic_channel.c +++ b/crypto/openssl/ssl/quic/quic_channel.c @@ -2213,6 +2213,12 @@ static void ch_rx_check_forged_pkt_limit(QUIC_CHANNEL *ch) "forgery limit"); } +void ossl_ch_reset_rx_state(QUIC_CHANNEL *ch) +{ + ch->did_crypto_frame = 0; + ch->seen_path_challenge = 0; +} + /* Process queued incoming packets and handle frames, if any. */ static int ch_rx(QUIC_CHANNEL *ch, int channel_only, int *notify_other_threads) { diff --git a/crypto/openssl/ssl/quic/quic_channel_local.h b/crypto/openssl/ssl/quic/quic_channel_local.h index ae443fccca1e..e40b4901cbc7 100644 --- a/crypto/openssl/ssl/quic/quic_channel_local.h +++ b/crypto/openssl/ssl/quic/quic_channel_local.h @@ -12,6 +12,28 @@ #include "internal/quic_stream_map.h" #include "internal/quic_tls.h" +/* + * This is a part of PATH_CHALLENGE flood [1] mitigation. This limits the + * number of PATH_CHALLENGE frames QUIC stack is willing to process for + * connection. Local QUIC stack creates PATH_RESPONSE frame for PATH_CHALLENGE + * frame it receives from remote peer. The response frame is put Control Frame + * Queue waiting to be dispatched. The PATH_RESPONSE frame is removed from CFQ + * after it is dispatched. The QUIC_PATH_RESPONSE_QLEN limits the number of + * PATH_RESPONSE frames waiting to be dispatched. No new PATH_RESPONSE frames + * are inserted into CFQ if queue limit is exceeded. + * + * QUIC implementations use different limits for PATH_RESPONSE queue lengths: + * quic-go defines maxPathResponses as 256 + * quiche from cloadflare sets DEFAULT_MAX_PATH_CHALLENGE_RX_QUEUE_LEN to 3 + * t-quic from tencent chooses MAX_PATH_CHALS_RECV to be 8 + * + * OpenSSL here introduces QUIC_PATH_RESPONSE_QLEN as 32. + * + * [1] https://www.ietf.org/archive/id/draft-chen-quic-logical-vuln-mitigations-00.txt + * (section 4.2) + */ +#define QUIC_PATH_RESPONSE_QLEN 32 + /* * QUIC Channel Structure * ====================== @@ -457,6 +479,18 @@ struct quic_channel_st { /* Has qlog been requested? */ unsigned int is_tserver_ch : 1; + /* + * RFC 9000 Section 9.2.1 says: + * However, an endpoint SHOULD NOT send multiple + * PATH_CHALLENGE frames in a single packet. + * The counter here allows us to detect multiple presence + * of PATH_CHALLENGE frame in packet. We process only the + * first PATH_CHALLENGE frame found in packet. Remaining PATH_CHALLENGE + * frames are ignored. + * seen_path_challenge flag is always reset before + * ossl_quic_handle_frames() gets called. + */ + unsigned int seen_path_challenge : 1; /* Saved error stack in case permanent error was encountered */ ERR_STATE *err_state; @@ -467,6 +501,11 @@ struct quic_channel_st { /* Title for qlog purposes. We own this copy. */ char *qlog_title; + /* + * number of path responses waiting to be dispatched + * from control frame queue (CFQ) + */ + unsigned int path_response_limit; }; #endif diff --git a/crypto/openssl/ssl/quic/quic_fifd.c b/crypto/openssl/ssl/quic/quic_fifd.c index 03b8cebd3057..e80483b501d7 100644 --- a/crypto/openssl/ssl/quic/quic_fifd.c +++ b/crypto/openssl/ssl/quic/quic_fifd.c @@ -310,3 +310,46 @@ void ossl_quic_fifd_set_qlog_cb(QUIC_FIFD *fifd, QLOG *(*get_qlog_cb)(void *arg) fifd->get_qlog_cb = get_qlog_cb; fifd->get_qlog_cb_arg = get_qlog_cb_arg; } + +static void txpim_pkt_remove_cfq_item(QUIC_TXPIM_PKT *pkt, QUIC_CFQ_ITEM *cfq_item) +{ + QUIC_CFQ_ITEM *prev = cfq_item->pkt_prev; + + if (prev != NULL) { + prev->pkt_next = cfq_item->pkt_next; + } else { + pkt->retx_head = cfq_item->pkt_next; + } + + if (cfq_item->pkt_next != NULL) + cfq_item->pkt_next->pkt_prev = prev; + + cfq_item->pkt_prev = NULL; + cfq_item->pkt_next = NULL; +} + +void ossl_quic_fifd_pkt_discard_unreliable(QUIC_FIFD *fifd, QUIC_TXPIM_PKT *pkt) +{ + QUIC_CFQ_ITEM *cfq_item, *cfq_next; + + /* + * The packet has been written to network. We can discard frames we don't + * retransmit when loss is detected. + */ + cfq_item = pkt->retx_head; + while (cfq_item != NULL) { + /* + * Discarded items are moved to free list. If item + * got moved to free list we must also remove it from + * cfq list kept in pkt, so ACKM does not find it when + * receives an ACK for pkt. + */ + if (ossl_quic_cfq_discard_unreliable(fifd->cfq, cfq_item)) { + cfq_next = cfq_item->pkt_next; + txpim_pkt_remove_cfq_item(pkt, cfq_item); + cfq_item = cfq_next; + } else { + cfq_item = cfq_item->pkt_next; + } + } +} diff --git a/crypto/openssl/ssl/quic/quic_port.c b/crypto/openssl/ssl/quic/quic_port.c index 1e247e1ec624..dc79485b96a5 100644 --- a/crypto/openssl/ssl/quic/quic_port.c +++ b/crypto/openssl/ssl/quic/quic_port.c @@ -1666,8 +1666,10 @@ static void port_default_packet_handler(QUIC_URXE *e, void *arg, * forget qrx so channel can create a new one * with valid initial encryption level keys. */ - qrx_src = qrx; - qrx = NULL; + if (qrx != NULL) { + qrx_src = qrx; + qrx = NULL; + } } port_bind_channel(port, &e->peer, &scid, &hdr.dst_conn_id, diff --git a/crypto/openssl/ssl/quic/quic_rx_depack.c b/crypto/openssl/ssl/quic/quic_rx_depack.c index 786af9b4c221..1bdb43b7d639 100644 --- a/crypto/openssl/ssl/quic/quic_rx_depack.c +++ b/crypto/openssl/ssl/quic/quic_rx_depack.c @@ -931,6 +931,12 @@ static int depack_do_frame_retire_conn_id(PACKET *pkt, static void free_path_response(unsigned char *buf, size_t buf_len, void *arg) { + QUIC_CHANNEL *ch = (QUIC_CHANNEL *)arg; + + assert(ch->path_response_limit > 0); + + ch->path_response_limit--; + OPENSSL_free(buf); } @@ -951,33 +957,39 @@ static int depack_do_frame_path_challenge(PACKET *pkt, return 0; } - /* - * RFC 9000 s. 8.2.2: On receiving a PATH_CHALLENGE frame, an endpoint MUST - * respond by echoing the data contained in the PATH_CHALLENGE frame in a - * PATH_RESPONSE frame. - * - * TODO(QUIC FUTURE): We should try to avoid allocation here in the future. - */ - encoded_len = sizeof(uint64_t) + 1; - if ((encoded = OPENSSL_malloc(encoded_len)) == NULL) - goto err; + if (ch->seen_path_challenge == 0 + && ch->path_response_limit < QUIC_PATH_RESPONSE_QLEN) { + /* + * RFC 9000 s. 8.2.2: On receiving a PATH_CHALLENGE frame, an endpoint + * MUST respond by echoing the data contained in the PATH_CHALLENGE + * frame in a PATH_RESPONSE frame. + * + * TODO(QUIC FUTURE): We should try to avoid allocation here in the + * future. + */ + encoded_len = sizeof(uint64_t) + 1; + if ((encoded = OPENSSL_malloc(encoded_len)) == NULL) + goto err; - if (!WPACKET_init_static_len(&wpkt, encoded, encoded_len, 0)) - goto err; + if (!WPACKET_init_static_len(&wpkt, encoded, encoded_len, 0)) + goto err; - if (!ossl_quic_wire_encode_frame_path_response(&wpkt, frame_data)) { - WPACKET_cleanup(&wpkt); - goto err; - } + if (!ossl_quic_wire_encode_frame_path_response(&wpkt, frame_data)) { + WPACKET_cleanup(&wpkt); + goto err; + } - WPACKET_finish(&wpkt); + WPACKET_finish(&wpkt); - if (!ossl_quic_cfq_add_frame(ch->cfq, 0, QUIC_PN_SPACE_APP, - OSSL_QUIC_FRAME_TYPE_PATH_RESPONSE, - QUIC_CFQ_ITEM_FLAG_UNRELIABLE, - encoded, encoded_len, - free_path_response, NULL)) - goto err; + if (!ossl_quic_cfq_add_frame(ch->cfq, 0, QUIC_PN_SPACE_APP, + OSSL_QUIC_FRAME_TYPE_PATH_RESPONSE, + QUIC_CFQ_ITEM_FLAG_UNRELIABLE, + encoded, encoded_len, + free_path_response, ch)) + goto err; + ch->seen_path_challenge = 1; + ch->path_response_limit++; + } return 1; @@ -1432,7 +1444,7 @@ int ossl_quic_handle_frames(QUIC_CHANNEL *ch, OSSL_QRX_PKT *qpacket) if (ch == NULL) return 0; - ch->did_crypto_frame = 0; + ossl_ch_reset_rx_state(ch); /* Initialize |ackm_data| (and reinitialize |ok|)*/ memset(&ackm_data, 0, sizeof(ackm_data)); diff --git a/crypto/openssl/ssl/quic/quic_txp.c b/crypto/openssl/ssl/quic/quic_txp.c index 44aaad868d2f..b2565c1a9fee 100644 --- a/crypto/openssl/ssl/quic/quic_txp.c +++ b/crypto/openssl/ssl/quic/quic_txp.c @@ -3133,6 +3133,8 @@ static int txp_pkt_commit(OSSL_QUIC_TX_PACKETISER *txp, --probe_info->pto[pn_space]; } + ossl_quic_fifd_pkt_discard_unreliable(&txp->fifd, tpkt); + return rc; } diff --git a/crypto/openssl/test/cmsapitest.c b/crypto/openssl/test/cmsapitest.c index 0752d14df09c..d908bc6fc4c4 100644 --- a/crypto/openssl/test/cmsapitest.c +++ b/crypto/openssl/test/cmsapitest.c @@ -21,6 +21,7 @@ static X509 *cert = NULL; static EVP_PKEY *privkey = NULL; static char *derin = NULL; static char *too_long_iv_cms_in = NULL; +static char *pwri_kek_oob_der_in = NULL; static int test_encrypt_decrypt(const EVP_CIPHER *cipher) { @@ -512,7 +513,48 @@ end: return ret; } -OPT_TEST_DECLARE_USAGE("certfile privkeyfile derfile\n") +/* + * CMS EnvelopedData with a single PasswordRecipientInfo using + * id-alg-PWRI-KEK and an AES-128-CFB key encryption cipher + * (1-byte effective block size). The encryptedKey OCTET STRING is + * only two bytes long, so the wrapped key buffer is shorter than + * the seven octets read by the check-byte test in kek_unwrap_key(). + * Prior to CVE-2026-9076 this triggered an out-of-bounds heap read; + * CMS_decrypt() must now fail cleanly. + */ +static int test_pwri_kek_unwrap_short_encrypted_key(void) +{ + BIO *in = NULL; + CMS_ContentInfo *cms = NULL; + unsigned long err = 0; + int ret = 0; + + if (!TEST_ptr(in = BIO_new_file(pwri_kek_oob_der_in, "rb")) + || !TEST_ptr(cms = d2i_CMS_bio(in, NULL))) + goto end; + + /* + * The unwrap is attempted eagerly inside CMS_decrypt_set1_password(). + * It must fail cleanly (no OOB read) and report CMS_R_UNWRAP_FAILURE. + */ + if (!TEST_false(CMS_decrypt_set1_password(cms, + (unsigned char *)"password", -1))) + goto end; + + err = ERR_peek_last_error(); + if (!TEST_int_eq(ERR_GET_LIB(err), ERR_LIB_CMS) + || !TEST_int_eq(ERR_GET_REASON(err), CMS_R_UNWRAP_FAILURE)) + goto end; + + ERR_clear_error(); + ret = 1; +end: + CMS_ContentInfo_free(cms); + BIO_free(in); + return ret; +} + +OPT_TEST_DECLARE_USAGE("certfile privkeyfile derfile tooLongIVpem pwriKekOobDer\n") int setup_tests(void) { @@ -527,7 +569,8 @@ int setup_tests(void) if (!TEST_ptr(certin = test_get_argument(0)) || !TEST_ptr(privkeyin = test_get_argument(1)) || !TEST_ptr(derin = test_get_argument(2)) - || !TEST_ptr(too_long_iv_cms_in = test_get_argument(3))) + || !TEST_ptr(too_long_iv_cms_in = test_get_argument(3)) + || !TEST_ptr(pwri_kek_oob_der_in = test_get_argument(4))) *** 235 LINES SKIPPED *** From nobody Tue Jun 9 19:17:46 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdwC06jsz6gTy4 for ; Tue, 09 Jun 2026 19:17:47 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdwB3lVmz3LjV for ; Tue, 09 Jun 2026 19:17:46 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032666; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=RtXaf338Tz15LuacecngWMf7/rd8s4ct1Dr8P7FRH34=; b=aZpD5O+mc8b0LspxjFd7pWKZklOdqZMt+waIRZfJp4hquzMndsbwKmjNbxbTOmOeU6OASx yrXiwv9SEJxFUKbkmVWmeLDtF+Y6+C7zihqZ8lhKnq8f4XKqnfy14zLVS4LoxYT56l/Z99 6Vs3jARFVQSmke5jFT0Ngawp0PFyLJ/7X+WiCIGo/2C1WyxVH/wk8Pnz8dxJpaFXCFovDp 8o9GL5exDDMoZFrouPiAMAYeCH8BImgkWdBcCeI3zMYTRk7sBtHZmyE+fx/FQn58tjfzjA /V3Qmn4OLnupbfpiz6luda3lh54UYHVaUcIBypLsYxEqjODnHO8vp3yoP+5VOg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032666; a=rsa-sha256; cv=none; b=QGwrkBcDJ+52NpMQbowLLuitLINwl1fic8adJNW0cWY3+Eq+yQ0OEE9YonhwnaIbpcMxw6 EyZI+4xAwjc7GpZdtGpd2HHfWmEHZ2/o2IGeXnT1sy5+wi6XhZTe0KFH4slUl3cKcVswec 32TZckM99EOZcMgcSwEvN8K/Ex4dNB/buwjSmMydVkzBNjj3Pfc+5Cq/yFP+mHQDi3HuL7 eULQuDiEaZ9nWXXkmkn0DErJmRbgqHLt+Cb2Z1AhqqNrULlMvZ9oOkDztE1FxAgn0av5Qh pKS8794BhHLLHyMRtAHBF6xPqXiK2WOB2egPPXXG6UFbVLt06rS6v1OX2qVUYg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032666; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=RtXaf338Tz15LuacecngWMf7/rd8s4ct1Dr8P7FRH34=; b=N1Ar+kN2VszldmvpRJzOvWvTRYLOgrDNuK/htGuIV4yrT6uK9RG8ws7kGbHIYRe3O5R/89 J5ju6q188COezWGejILLPhoV9l0s9zgrCEPoZzmETXXmIOxuX5sRLAHlatyUnLrDkjniBF rgyYc01pyW0TQYb15Ipn/Sjc5joga2QsBOK9pMS0ATzBuOdFpoXBXfRuHDbv6/0cd+UY9A Cc7qGTUXDPxWp7QDySVstUhyFjpC0JY+1zfYPl+j72EvtmlEqZnG3UAosALVpf17zRfyjl ZvH28EfX0v8SKGfDYNfIBKDzE6zc/6hTrh3T0cGpKCm/gq/RBC66ANSaTK0yQw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdwB32Jxzn9Z for ; Tue, 09 Jun 2026 19:17:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3f41f by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:17:46 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: John Baldwin From: Mark Johnston Subject: git: 333bdd7e9427 - stable/14 - ktls: Don't attempt to modify non-anonymous mbufs on the receive path List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 333bdd7e942783680aa1cff5bfa347d173e84adc Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:17:46 +0000 Message-Id: <6a2866da.3f41f.6cde323@gitrepo.freebsd.org> The branch stable/14 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=333bdd7e942783680aa1cff5bfa347d173e84adc commit 333bdd7e942783680aa1cff5bfa347d173e84adc Author: John Baldwin AuthorDate: 2026-06-03 23:22:00 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 19:15:21 +0000 ktls: Don't attempt to modify non-anonymous mbufs on the receive path Normally, data processed on the KTLS receive path is contained in anonymous mbufs that can be modified in place. Either the data originates in receive buffers from a NIC driver, or for loopback connections the data is anonymous-backed mbufs created when writing to a socket. One potential source of non-anonymous mbufs are mbufs created by sendfile(2) which borrow the pages of the underlying file, either via M_EXTPG or EXT_SFBUF that are sent over a loopback connection. For a well-formed loopback TLS session, the sender should only use sendfile(2) if KTLS is enabled. If TLS is fully handled in userspace, the sender must use write(2) or send(2) which allocate anonymous mbufs. If KTLS transmit is enabled, then sendfile(2) on a loopback connection will always use crypto via OCF and will allocate anonymous pages to hold the encrypted data. However, if sendfile(2) is used to send file-backed data directly over a loopback connection where KTLS is not enabled on the sender side, the KTLS receive path can modify the file-backed pages in place overwriting the file's data. One potential fix would be to replace non-anonymous mbufs in a received TLS record with anonymous mbufs (e.g. via m_dup()) before passing the record to OCF. However, there is no legitimate use case for using sendfile(2) over a loopback TLS connection without using KTLS on the sender side, so instead simply fail decryption requests and close the connection if non-anonymous mbufs are encountered in the RX decryption path. Add a test for this that verifies that the original data backing the file descriptor used as the source for sendfile() is unchanged after being processed. Approved by: so Security: FreeBSD-SA-26:26.ktls Security: CVE-2026-45257 Co-authored-by: Drew Gallatin Sponsored by: Chelsio Communications Sponsored by: Netflix --- sys/kern/uipc_ktls.c | 17 +++++++-- sys/sys/ktls.h | 1 + tests/sys/kern/ktls_test.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 108 insertions(+), 3 deletions(-) diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c index 64150086658a..dc370d033a7a 100644 --- a/sys/kern/uipc_ktls.c +++ b/sys/kern/uipc_ktls.c @@ -2337,8 +2337,10 @@ tls13_find_record_type(struct ktls_session *tls, struct mbuf *m, int tls_len, * Check if a mbuf chain is fully decrypted at the given offset and * length. Returns KTLS_MBUF_CRYPTO_ST_DECRYPTED if all data is * decrypted. KTLS_MBUF_CRYPTO_ST_MIXED if there is a mix of encrypted - * and decrypted data. Else KTLS_MBUF_CRYPTO_ST_ENCRYPTED if all data - * is encrypted. + * and decrypted data. KTLS_MBUF_CRYPTO_ST_ENCRYPTED if all data is + * encrypted. KTLS_MBUF_CRYPTO_ST_SHAREDMBUF if any mbuf points at + * shared data that must not be modified in place (non-anonymous + * M_EXTPG or sendfile M_EXT buffers). */ ktls_mbuf_crypto_st_t ktls_mbuf_crypto_state(struct mbuf *mb, int offset, int len) @@ -2354,6 +2356,13 @@ ktls_mbuf_crypto_state(struct mbuf *mb, int offset, int len) offset += len; for (; mb != NULL; mb = mb->m_next) { + if ((mb->m_flags & M_EXTPG) != 0 && + (mb->m_epg_flags & EPG_FLAG_ANON) == 0) + return (KTLS_MBUF_CRYPTO_ST_SHAREDMBUF); + if ((mb->m_flags & M_EXT) != 0 && + mb->m_ext.ext_type == EXT_SFBUF) + return (KTLS_MBUF_CRYPTO_ST_SHAREDMBUF); + m_flags_ored |= mb->m_flags; m_flags_anded &= mb->m_flags; @@ -2554,9 +2563,11 @@ ktls_decrypt(struct socket *so) record_type = hdr->tls_type; } break; - default: + case KTLS_MBUF_CRYPTO_ST_SHAREDMBUF: error = EINVAL; break; + default: + __assert_unreachable(); } if (error) { counter_u64_add(ktls_offload_failed_crypto, 1); diff --git a/sys/sys/ktls.h b/sys/sys/ktls.h index 693864394ffe..0fdf4c4ceac7 100644 --- a/sys/sys/ktls.h +++ b/sys/sys/ktls.h @@ -210,6 +210,7 @@ typedef enum { KTLS_MBUF_CRYPTO_ST_MIXED = 0, KTLS_MBUF_CRYPTO_ST_ENCRYPTED = 1, KTLS_MBUF_CRYPTO_ST_DECRYPTED = -1, + KTLS_MBUF_CRYPTO_ST_SHAREDMBUF = -2, } ktls_mbuf_crypto_st_t; void ktls_check_rx(struct sockbuf *sb); diff --git a/tests/sys/kern/ktls_test.c b/tests/sys/kern/ktls_test.c index 72497196b945..3970083e7f72 100644 --- a/tests/sys/kern/ktls_test.c +++ b/tests/sys/kern/ktls_test.c @@ -30,6 +30,7 @@ #include #include #include +#include #include #include #include @@ -2817,6 +2818,97 @@ ATF_TC_BODY(ktls_listening_socket, tc) ATF_REQUIRE(close(s) == 0); } +/* + * Verify that the KTLS receive path does not overwrite data belonging + * to a file whose payload is transmitted over a loopback connection + * via plain sendfile. + */ +ATF_TC_WITHOUT_HEAD(ktls_receive_loopback_sendfile); +ATF_TC_BODY(ktls_receive_loopback_sendfile, tc) +{ + struct tls_enable en; + struct msghdr msg; + struct sf_hdtr hdtr; + struct iovec iov[2]; + uint64_t seqno; + off_t sbytes; + char cbuf[CMSG_SPACE(sizeof(struct tls_get_record))]; + char *plaintext, *ciphertext, *outbuf; + void *p; + const size_t payload_len = PAGE_SIZE; + ssize_t rv; + size_t len; + int mode, shm, sockets[2]; + socklen_t slen; + + ATF_REQUIRE_KTLS(); + seqno = random(); + build_tls_enable(tc, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, + TLS_MINOR_VER_TWO, seqno, &en); + + len = tls_header_len(&en) + payload_len + tls_trailer_len(&en); + plaintext = alloc_buffer(payload_len); + ciphertext = malloc(len); + ATF_REQUIRE_INTEQ(len, encrypt_tls_record(tc, &en, TLS_RLTYPE_APP, + seqno, plaintext, payload_len, ciphertext, len, 0)); + + ATF_REQUIRE((shm = shm_open(SHM_ANON, O_RDWR, 0600)) > 0); + ATF_REQUIRE_INTEQ(0, ftruncate(shm, payload_len)); + ATF_REQUIRE((p = mmap(NULL, payload_len, PROT_READ | PROT_WRITE, + MAP_SHARED, shm, 0)) != MAP_FAILED); + memcpy(p, ciphertext + tls_header_len(&en), payload_len); + + ATF_REQUIRE_MSG(socketpair_tcp(sockets), "failed to create sockets"); + ATF_REQUIRE(setsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_ENABLE, &en, + sizeof(en)) == 0); + slen = sizeof(mode); + ATF_REQUIRE_INTEQ(0, getsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_MODE, + &mode, &slen)); + ATF_REQUIRE_INTEQ(TCP_TLS_MODE_SW, mode); + + fd_set_blocking(sockets[0]); + fd_set_blocking(sockets[1]); + + iov[0].iov_base = ciphertext; + iov[0].iov_len = tls_header_len(&en); + iov[1].iov_base = ciphertext + tls_header_len(&en) + payload_len; + iov[1].iov_len = tls_trailer_len(&en); + hdtr.headers = iov; + hdtr.hdr_cnt = 1; + hdtr.trailers = iov + 1; + hdtr.trl_cnt = 1; + debug_hexdump(tc, p, payload_len, "shm buffer before"); + ATF_REQUIRE_INTEQ(0, sendfile(shm, sockets[1], 0, payload_len, &hdtr, + &sbytes, 0)); + ATF_REQUIRE_INTEQ(sbytes, len); + + outbuf = calloc(payload_len, 1); + + memset(&msg, 0, sizeof(msg)); + + msg.msg_control = cbuf; + msg.msg_controllen = sizeof(cbuf); + + iov[0].iov_base = outbuf; + iov[0].iov_len = payload_len; + msg.msg_iov = iov; + msg.msg_iovlen = 1; + + rv = recvmsg(sockets[0], &msg, 0); + if (rv >= 0) { + ATF_REQUIRE_INTEQ(payload_len, rv); + ATF_REQUIRE_INTEQ(0, memcmp(outbuf, plaintext, payload_len)); + } else + ATF_REQUIRE_ERRNO(EBADMSG, true); + + debug_hexdump(tc, p, payload_len, "shm buffer after"); + ATF_REQUIRE_INTEQ(0, memcmp(p, ciphertext + tls_header_len(&en), + payload_len)); + + close_sockets_ignore_errors(sockets); + (void)close(shm); +} + ATF_TP_ADD_TCS(tp) { /* Transmit tests */ @@ -2843,6 +2935,7 @@ ATF_TP_ADD_TCS(tp) /* Miscellaneous */ ATF_TP_ADD_TC(tp, ktls_sendto_baddst); ATF_TP_ADD_TC(tp, ktls_listening_socket); + ATF_TP_ADD_TC(tp, ktls_receive_loopback_sendfile); return (atf_no_error()); } From nobody Tue Jun 9 19:17:45 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdw941fRz6gTy1 for ; Tue, 09 Jun 2026 19:17:45 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdw92mcZz3Lny for ; Tue, 09 Jun 2026 19:17:45 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032665; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=mE+RgwWB2s8veGrz+2gAV+scjjq9PJOyER3LG2SJiPI=; b=bxvfzsEl00St9yTDNNq0fba79FUiqMqaKvbYlQ+1sXsSaqc+qmMxex1JrUAtTo1JHXhN1w WLMCL3fOTFrpNtfsf/dCpr8gmjolCnMJWaHCQ8It6FegyFOFF3rVDniLKuJOVSBy2HAMby vYgtjBA/Y/lo4lLg1ipUhoYXFCZzqzraQIbhWKW2HH0WD+l6dzjh5E4hc7TXKuSeO6TFIj tR9DovzzruMbZsf/Pq06EWf1+dXH495FfeJ+RxeccsqqFymhXZ7nviJYeOEIrY7DJpioty zhWA54HGGbZOImmDN0Y0oXNIP9LZuOiW8sL0ZGLJVAjd37BntfkoL1wZ/qd3wQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032665; a=rsa-sha256; cv=none; b=wARYr3iAdFZLLeIDqDz7GANJe9LqnGBBA/omHWC4TXW6JwQQLlu76cBVXVqNkQsydv8hx1 qujdfwLoO59TqX2ZVfad4LXjpxUHe4K1LDVqxM3DyofGX10+1FjvuzhyVauyJdvxZtpElb BYWFIMSc8hHgzuDylF23Du1bSo1MRgi3NYBDxSDHlXR2J85FBaKsgcOqgfb76SPVp78HX7 KyyWZioRSJ3aFCxdfDkIWGyqLz7u+g0lsqcj7+haIpUXNgLugLHK7et9/aqVdTVtw34xcH rLnV62TnDycjPX1dkGGESeIc16u32UwAXrIGKxc8G54sr+CTUepZTqrqBlc6tQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032665; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=mE+RgwWB2s8veGrz+2gAV+scjjq9PJOyER3LG2SJiPI=; b=DKSG7Kb4RQo9BaCP8yMIIWuQZaWAD6PGWI1WO3FC8jtVRsN4YQIg/JM9X2Wnh0oCSsaRBH AerLRD1ALE8xrinvO1nmqIlk01DNvu79MZFusf+9Gowur09EynVjzSKiAeDceetf9GatWS +Jy7PHyjknTRb2V8cNRyy9wVkgdLCL5bvAc4QejLmgdqcX5/Bd5oul5E8mdrMwTngccyfM FfHFq9de/IzjcqBDK52sKlIYZuRTfl0mb/iiloflOLMuJRyzZAWyy6SfSJZO4GU2CWX/nS Bt86Ioxz9xyCUgEV3/nosaKy8SBzo6qaRpze97BXIJB8sxeor40NJ328OOwnow== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdw92BzNzn9Y for ; Tue, 09 Jun 2026 19:17:45 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e832 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:17:45 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 72ad7baa99c7 - stable/14 - thr_kill2: Respect p_cansignal() List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 72ad7baa99c774916b04a086f4a404c62b52e852 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:17:45 +0000 Message-Id: <6a2866d9.3e832.1087b012@gitrepo.freebsd.org> The branch stable/14 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=72ad7baa99c774916b04a086f4a404c62b52e852 commit 72ad7baa99c774916b04a086f4a404c62b52e852 Author: Mark Johnston AuthorDate: 2026-05-25 15:12:57 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 19:15:21 +0000 thr_kill2: Respect p_cansignal() Approved by: so Security: FreeBSD-SA-26:25.thr Security: CVE-2026-45256 Reported by: Igor Gabriel Sousa e Souza Reported by: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai Reviewed by: emaste, kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57237 --- sys/kern/kern_thr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/kern/kern_thr.c b/sys/kern/kern_thr.c index 1b5f0b1a33ad..11ceea58e849 100644 --- a/sys/kern/kern_thr.c +++ b/sys/kern/kern_thr.c @@ -499,7 +499,7 @@ sys_thr_kill2(struct thread *td, struct thr_kill2_args *uap) p = ttd->td_proc; AUDIT_ARG_PROCESS(p); error = p_cansignal(td, p, uap->sig); - if (uap->sig == 0) + if (error != 0 || uap->sig == 0) ; else if (!_SIG_VALID(uap->sig)) error = EINVAL; From nobody Tue Jun 9 19:17:48 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdwF40fGz6gTsQ for ; Tue, 09 Jun 2026 19:17:49 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdwD58z9z3M0X for ; Tue, 09 Jun 2026 19:17:48 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032668; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=aoX8i6YtZQIB1QNrANSpc2JFo3iSDXSOxjBJyCAe+YE=; b=pc5fVB3XqPLdtw2a1NwysghdpQj0+RVcxWE9ob+u1SIaqz3c3U0sKxj2jPWuMS2qUgSlic c78q5c/JpaIcHsVhMkwGytzLQKraWn/IIAA1PRivC/LojWHDwXfId0pfUWO3pItOz5sVoA 7VZBmQnmcxhej8GWV/aYklpSut9mK26cb4hvgLGIZPTsMLdc0zOftMOTibdPxT2QRwHXow keqQBcEbZoeylOyYtpjEAUTGjNeQITZpNh1dHB8+BK613SeE/1KrwFDGi3X0jMtIYUmRx5 UTM9ITbUmolHbnqx3GSuI5emyG8cXr3vwekc2dzTJhpTAXf6d8JUy5ukrbSMOg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032668; a=rsa-sha256; cv=none; b=tN4oKYhqvJqB8xynBiGDkTvlgKAMaIve3lL19UsFDkA2TcM9aClvlkzPylc4bnEoBIeO/l b4LIfQR/hUlxP3r913BCTVOg5thYHVpp2otxI/NZB4ERpIpqciu1inarQSeOSzNyGEFbpS 6s7fnSYaeyUe5xvQMfyt2KtwGqSWi63TeW64ld2bPJ7UrUWG1V5WlpyZ7tLHcIaxY9ZnOc O3SDFqddmmoQlTTUUsD1PSDmdTa6H/X/ZoBPT1bwSEth/wDyOSaRMUQzjJm0eOsIaYri1l jFSV9Cv6GK1DyWw11mJzyWk/dRLJR1b5YpzA0//VPn574hmJ8wm2ln4G5zQihw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032668; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=aoX8i6YtZQIB1QNrANSpc2JFo3iSDXSOxjBJyCAe+YE=; b=bOKca1JybconPMMQ7lzGTWwu2xB/NMonDwrOd2WB0S/EeXPk1Bxz2G97akPHLVWTPtcT3B i2jEag4FietAEopavddMhn56lemhSaSb2YL09QJjZV/jR+e5CpDlwtnS/VE+dUBkTo7Nwd yUGCG4+72dktJMPdCUA13+tD6ZLAlwOir/c8A1GLIiygF9jXBM2xm9rVmcbKiKMCK2ZzQ7 N4r0ni6WnWABe+occqQjLv2uqW2QfESC9y6rJGRikvTzWYMtnjycqxvOV6yEFQ1OebAqfj Jgmkg9BDqFPkAksDtv22CEpXEVZPRhMURDwivldmsopf1PYYRVFldTk9BrI8Cg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdwD4ZZfznrH for ; Tue, 09 Jun 2026 19:17:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e526 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:17:48 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: f8f9050d61dd - stable/14 - sound: Fix software buffer lifetime issues List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: f8f9050d61dd0687be17165d044e91d9c02eb101 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:17:48 +0000 Message-Id: <6a2866dc.3e526.2c8d7dac@gitrepo.freebsd.org> The branch stable/14 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=f8f9050d61dd0687be17165d044e91d9c02eb101 commit f8f9050d61dd0687be17165d044e91d9c02eb101 Author: Mark Johnston AuthorDate: 2026-06-01 21:57:40 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 19:15:21 +0000 sound: Fix software buffer lifetime issues The channel buffer mapped by dsp_mmap_single() may be freed when the device handle is closed, but the mapping persists beyond that, allowing userspace to read or write memory owned by a different consumer. Fix the problem by adding a reference counter to the sound buffer. Define pager ops for the VM object returned by dsp_mmap_single() and use them to manage the extra reference. Add a regression test. Approved by: so Security: FreeBSD-SA-26:27.sound Security: CVE-2026-49417 Reported by: Lexpl0it, 75Acol, Liyw979, Rob1n Reviewed by kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57393 --- sys/dev/sound/pcm/buffer.c | 38 ++++++++++++++++++++-- sys/dev/sound/pcm/buffer.h | 4 +++ sys/dev/sound/pcm/dsp.c | 80 ++++++++++++++++++++++++++++++++++++++-------- tests/sys/sound/mmap.c | 60 ++++++++++++++++++++++++++++++++++ 4 files changed, 166 insertions(+), 16 deletions(-) diff --git a/sys/dev/sound/pcm/buffer.c b/sys/dev/sound/pcm/buffer.c index de535ec2dcba..ddcf14fbc1c2 100644 --- a/sys/dev/sound/pcm/buffer.c +++ b/sys/dev/sound/pcm/buffer.c @@ -32,6 +32,7 @@ #include "opt_snd.h" #endif +#include #include #include "feeder_if.h" @@ -46,6 +47,7 @@ sndbuf_create(device_t dev, char *drv, char *desc, struct pcm_channel *channel) struct snd_dbuf *b; b = malloc(sizeof(*b), M_DEVBUF, M_WAITOK | M_ZERO); + refcount_init(&b->refcount, 1); snprintf(b->name, SNDBUF_NAMELEN, "%s:%s", drv, desc); b->dev = dev; b->channel = channel; @@ -56,8 +58,30 @@ sndbuf_create(device_t dev, char *drv, char *desc, struct pcm_channel *channel) void sndbuf_destroy(struct snd_dbuf *b) { - sndbuf_free(b); - free(b, M_DEVBUF); + b->flags |= SNDBUF_F_DETACHED; + sndbuf_rele(b); +} + +void +sndbuf_ref(struct snd_dbuf *b) +{ + unsigned int count __diagused; + + CHN_LOCK(b->channel); + count = refcount_acquire(&b->refcount); + KASSERT(count > 0, ("sndbuf %p refcount 0", b)); + CHN_UNLOCK(b->channel); +} + +void +sndbuf_rele(struct snd_dbuf *b) +{ + if (refcount_release(&b->refcount)) { + sndbuf_free(b); + KASSERT(refcount_load(&b->refcount) == 0, + ("sndbuf %p still referenced", b)); + free(b, M_DEVBUF); + } } bus_addr_t @@ -183,6 +207,11 @@ sndbuf_resize(struct snd_dbuf *b, unsigned int blkcnt, unsigned int blksz) if (bufsize > b->allocsize || bufsize < (b->allocsize >> SNDBUF_CACHE_SHIFT)) { + if (refcount_load(&b->refcount) > 1 || + (b->flags & SNDBUF_F_DETACHED) != 0) { + CHN_UNLOCK(b->channel); + return (EBUSY); + } allocsize = round_page(bufsize); CHN_UNLOCK(b->channel); tmpbuf = malloc(allocsize, M_DEVBUF, M_WAITOK); @@ -218,10 +247,15 @@ sndbuf_remalloc(struct snd_dbuf *b, unsigned int blkcnt, unsigned int blksz) if (blkcnt < 2 || blksz < 16) return EINVAL; + CHN_LOCKASSERT(b->channel); + bufsize = blksz * blkcnt; if (bufsize > b->allocsize || bufsize < (b->allocsize >> SNDBUF_CACHE_SHIFT)) { + if (refcount_load(&b->refcount) > 1 || + (b->flags & SNDBUF_F_DETACHED) != 0) + return (EBUSY); allocsize = round_page(bufsize); CHN_UNLOCK(b->channel); buf = malloc(allocsize, M_DEVBUF, M_WAITOK); diff --git a/sys/dev/sound/pcm/buffer.h b/sys/dev/sound/pcm/buffer.h index ddf4083ec19f..99bc6c0611d2 100644 --- a/sys/dev/sound/pcm/buffer.h +++ b/sys/dev/sound/pcm/buffer.h @@ -27,6 +27,7 @@ */ #define SNDBUF_F_MANAGED 0x00000008 +#define SNDBUF_F_DETACHED 0x00000010 #define SNDBUF_NAMELEN 48 @@ -50,6 +51,7 @@ struct snd_dbuf { bus_dma_tag_t dmatag; bus_addr_t buf_addr; int dmaflags; + unsigned int refcount; struct selinfo sel; struct pcm_channel *channel; char name[SNDBUF_NAMELEN]; @@ -57,6 +59,8 @@ struct snd_dbuf { struct snd_dbuf *sndbuf_create(device_t dev, char *drv, char *desc, struct pcm_channel *channel); void sndbuf_destroy(struct snd_dbuf *b); +void sndbuf_ref(struct snd_dbuf *b); +void sndbuf_rele(struct snd_dbuf *b); void sndbuf_dump(struct snd_dbuf *b, char *s, u_int32_t what); diff --git a/sys/dev/sound/pcm/dsp.c b/sys/dev/sound/pcm/dsp.c index 75293ae9bd8a..4d69f176225c 100644 --- a/sys/dev/sound/pcm/dsp.c +++ b/sys/dev/sound/pcm/dsp.c @@ -79,7 +79,6 @@ static d_read_t dsp_read; static d_write_t dsp_write; static d_ioctl_t dsp_ioctl; static d_poll_t dsp_poll; -static d_mmap_t dsp_mmap; static d_mmap_single_t dsp_mmap_single; struct cdevsw dsp_cdevsw = { @@ -89,7 +88,6 @@ struct cdevsw dsp_cdevsw = { .d_write = dsp_write, .d_ioctl = dsp_ioctl, .d_poll = dsp_poll, - .d_mmap = dsp_mmap, .d_mmap_single = dsp_mmap_single, .d_name = "dsp", }; @@ -1932,23 +1930,72 @@ dsp_poll(struct cdev *i_dev, int events, struct thread *td) return (ret); } +struct dsp_mmap_handle { + struct cdev *cdev; + struct snd_dbuf *buf; +}; + static int -dsp_mmap(struct cdev *i_dev, vm_ooffset_t offset, vm_paddr_t *paddr, - int nprot, vm_memattr_t *memattr) +dsp_dev_pager_ctor(void *handle, vm_ooffset_t size, vm_prot_t prot, + vm_ooffset_t foff, struct ucred *cred, u_short *color) { + struct dsp_mmap_handle *h = handle; - /* - * offset is in range due to checks in dsp_mmap_single(). - * XXX memattr is not honored. - */ - *paddr = vtophys(offset); + dev_ref(h->cdev); + sndbuf_ref(h->buf); return (0); } +static void +dsp_dev_pager_dtor(void *handle) +{ + struct dsp_mmap_handle *h = handle; + + sndbuf_rele(h->buf); + dev_rel(h->cdev); + free(h, M_DEVBUF); +} + static int -dsp_mmap_single(struct cdev *i_dev, vm_ooffset_t *offset, +dsp_dev_pager_fault(vm_object_t object, vm_ooffset_t offset, int prot, + vm_page_t *mres) +{ + struct dsp_mmap_handle *h = object->handle; + vm_page_t m; + uintptr_t addr; + vm_paddr_t paddr; + + addr = (uintptr_t)offset; + if (addr < (uintptr_t)h->buf->buf || + addr >= (uintptr_t)h->buf->buf + h->buf->allocsize) + return (VM_PAGER_ERROR); + paddr = vtophys((void *)addr); + + if (((*mres)->flags & PG_FICTITIOUS) != 0) { + m = *mres; + vm_page_updatefake(m, paddr, object->memattr); + } else { + VM_OBJECT_WUNLOCK(object); + m = vm_page_getfake(paddr, object->memattr); + VM_OBJECT_WLOCK(object); + vm_page_replace(m, object, (*mres)->pindex, *mres); + *mres = m; + } + m->valid = VM_PAGE_BITS_ALL; + return (VM_PAGER_OK); +} + +static const struct cdev_pager_ops dsp_dev_pager_ops = { + .cdev_pg_ctor = dsp_dev_pager_ctor, + .cdev_pg_dtor = dsp_dev_pager_dtor, + .cdev_pg_fault = dsp_dev_pager_fault, +}; + +static int +dsp_mmap_single(struct cdev *cdev, vm_ooffset_t *offset, vm_size_t size, struct vm_object **object, int nprot) { + struct dsp_mmap_handle *handle; struct dsp_cdevpriv *priv; struct snddev_info *d; struct pcm_channel *wrch, *rdch, *c; @@ -2011,13 +2058,18 @@ dsp_mmap_single(struct cdev *i_dev, vm_ooffset_t *offset, *offset = (uintptr_t)sndbuf_getbufofs(c->bufsoft, *offset); dsp_unlock_chans(priv, FREAD | FWRITE); - *object = vm_pager_allocate(OBJT_DEVICE, i_dev, - size, nprot, *offset, curthread->td_ucred); + handle = malloc(sizeof(*handle), M_DEVBUF, M_WAITOK); + handle->cdev = cdev; + handle->buf = c->bufsoft; + *object = cdev_pager_allocate(handle, OBJT_DEVICE, &dsp_dev_pager_ops, + size, nprot, *offset, curthread->td_ucred); PCM_GIANT_LEAVE(d); + if (*object == NULL) { + free(handle, M_DEVBUF); + return (EINVAL); + } - if (*object == NULL) - return (EINVAL); return (0); } diff --git a/tests/sys/sound/mmap.c b/tests/sys/sound/mmap.c index ab203a39194c..f775c0f8da8a 100644 --- a/tests/sys/sound/mmap.c +++ b/tests/sys/sound/mmap.c @@ -4,12 +4,14 @@ * Copyright (c) 2026 The FreeBSD Foundation */ +#include #include #include #include #include #include +#include #include #define FMT_ERR(s) s ": %s", strerror(errno) @@ -43,9 +45,67 @@ ATF_TC_BODY(mmap_offset_overflow, tc) close(fd); } +/* + * Verify that a MAP_SHARED mapping of a DSP device's software buffer remains + * valid after the file descriptor is closed. + */ +ATF_TC(mmap_buffer_lifetime); +ATF_TC_HEAD(mmap_buffer_lifetime, tc) +{ + atf_tc_set_md_var(tc, "descr", "mmap data survives close()"); + atf_tc_set_md_var(tc, "require.kmods", "snd_dummy"); +} +ATF_TC_BODY(mmap_buffer_lifetime, tc) +{ + audio_buf_info abi; + uint8_t *buf; + size_t len; + int fd, arg; + + fd = open("/dev/dsp0", O_RDWR); + ATF_REQUIRE_MSG(fd >= 0, FMT_ERR("open")); + + arg = (2 << 16) | 14; /* 2*16KB */ + ATF_REQUIRE_MSG(ioctl(fd, SNDCTL_DSP_SETFRAGMENT, &arg) == 0, + FMT_ERR("SNDCTL_DSP_SETFRAGMENT")); + ATF_REQUIRE_MSG(ioctl(fd, SNDCTL_DSP_GETOSPACE, &abi) == 0, + FMT_ERR("SNDCTL_DSP_GETOSPACE")); + + len = abi.bytes; + ATF_REQUIRE_MSG(len >= PAGE_SIZE, "buffer too small: %zu", len); + + buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); + ATF_REQUIRE_MSG(buf != MAP_FAILED, FMT_ERR("mmap")); + + for (size_t i = 0; i < len; i++) { + ATF_REQUIRE_MSG(buf[i] == 0, + "mmap data corrupted at offset %zu: want 0 got 0x%02x", + i, buf[i]); + } + + memset(buf, 0xa5, len); + for (size_t i = 0; i < len; i++) { + ATF_REQUIRE_MSG(buf[i] == 0xa5, + "mmap data corrupted at offset %zu: want 0xa5 got 0x%02x", + i, buf[i]); + } + + ATF_REQUIRE(close(fd) == 0); + + /* Closing the device causes the buffer to be reset. */ + for (size_t i = 0; i < len; i++) { + ATF_REQUIRE_MSG(buf[i] == 0 || buf[i] == 0xa5, + "mmap data corrupted at offset %zu: got 0x%02x", i, buf[i]); + } + memset(buf, 0xa5, len); + + ATF_REQUIRE(munmap(buf, len) == 0); +} + ATF_TP_ADD_TCS(tp) { ATF_TP_ADD_TC(tp, mmap_offset_overflow); + ATF_TP_ADD_TC(tp, mmap_buffer_lifetime); return (atf_no_error()); } From nobody Tue Jun 9 19:17:49 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdwG1XZBz6gTmd for ; Tue, 09 Jun 2026 19:17:50 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdwF5qxvz3M0l for ; Tue, 09 Jun 2026 19:17:49 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032669; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Q9WTZ/UT3xOh+W5gityrZKUdjESZ/rKXuh+FoPQJ39Q=; b=wI5CwVvUSOrTDNSRnet1aooEYsleyPLh/QIk+EuZsFXqsIjw1tUxb4+Ie0haeqpEsX5VtK CUCNQhNR03SZmRhcwdvnVAszKqI3LBmvijEwXdgCzqSkspy4NcNsEMVt4jwzFd9Bd32v/H 1N7XK6eUmfI04nAIvqarpWKRzwnROtBKzKWAcWSYzbbQm1zQaZaWLcpu4hHJ5dHKrS7NwT d8ZjYZAZn34jIlFwdXVQkyQYSr96ji7S0KkPptLcrFRLgT1T8LCBmhL5FzJ5iZvSDNsk1q nSax0xbEEhcfx/9M+6bD9NZQKMnop9NmUUekcXijCrbBpsexbAy1SmqWz8OWiw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032669; a=rsa-sha256; cv=none; b=YrpXjFRi7s+nMxKEiGoOwoNkMgH9c1ILZ1s/q/q3eWYD6YvPtgwsPzumUvCaJB2XjpH9wE ro/kg37Xd2Q7LlkOcQwIrYaAL85p6zqyK8JlSAldi2JKT207IR5e5/S8m3w3PgrcUH5by4 nzIZaB76ZzZQi8/QxLuZjqMjh1HpWiHxtbo3wulcxQj8FZMbo5iFnscpuyXMpN2jreHJhp fVCDcwHaKVL1H+DwA8V0+lWDWod6kXzVXiRprPAB/92UA0MFuUP0Q3QrEog2Qn6XRPSO+M 1rdtrAc/eBkyfmFM0PmTW9qAqGZbwHhVPoKXH4k8CrHm0f4R8ZuQYtFyG7lYNA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032669; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Q9WTZ/UT3xOh+W5gityrZKUdjESZ/rKXuh+FoPQJ39Q=; b=N9hLNKqLQ4KItR2LhNtDxNbDRoc6GM+qGtguxx7ZUqg39xAIAm2qWcO1SlWTSbdt6Nx1bQ EUMprhBaIeyPrkCSa8YPoT0m20W3ib4xeSFxS9L64E6DDfkH6Bs/a7egb+iCnwIvKuhphn /f+T5JzFui7/e//a/5eazCZgVowuneJFta6BdxRnl654RC/vJWna1GxxRkDa0ClCqCPtwU pqkWZE9BuTtCh/HNdeGPnEOQbufKo38PA7mI9zm+xS6Zy+pPCFpHhPtOQKqsI8Ggn4Fo7W 23so5rew5vVn6KQ6PUUNjI9FQ/UHlbW0/KhaoIwaRblQh8VeNuoYT2G5BWObew== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdwF5MKVznrJ for ; Tue, 09 Jun 2026 19:17:49 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3ebbb by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:17:49 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 522182827ea1 - stable/14 - in6_mcast: Fix a race in in6p_set_source_filter() List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 522182827ea173e07668b1ac40a8173c620bb99e Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:17:49 +0000 Message-Id: <6a2866dd.3ebbb.42687757@gitrepo.freebsd.org> The branch stable/14 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=522182827ea173e07668b1ac40a8173c620bb99e commit 522182827ea173e07668b1ac40a8173c620bb99e Author: Mark Johnston AuthorDate: 2026-05-29 20:12:24 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 19:15:21 +0000 in6_mcast: Fix a race in in6p_set_source_filter() We drop the inpcb lock in order to copy in the source list, but this leaves a window where the multicast filter structure might be freed. This can be exploited to obtain root privileges. In the v4 code this race is mitigated by holding the global multicast lock across the gap. Restructure the code to copy in filters before doing anything else, so that there's no need to drop the inpcb lock and reason about the correctness of doing so. Do the same in the v4 code for consistency. Approved by: so Security: FreeBSD-SA-26:29.ip6_multicast Security: CVE-2026-49412 Reported by: Andrew Griffiths Reported by: Maik Münch Reviewed by: glebius Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57347 --- sys/netinet/in_mcast.c | 40 +++++++++++++++++----------------------- sys/netinet6/in6_mcast.c | 41 +++++++++++++++++++---------------------- 2 files changed, 36 insertions(+), 45 deletions(-) diff --git a/sys/netinet/in_mcast.c b/sys/netinet/in_mcast.c index b0be48b65437..4fd00bac3ae4 100644 --- a/sys/netinet/in_mcast.c +++ b/sys/netinet/in_mcast.c @@ -2524,6 +2524,7 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) { struct epoch_tracker et; struct __msfilterreq msfr; + struct sockaddr_storage *kss; sockunion_t *gsa; struct ifnet *ifp; struct in_mfilter *imf; @@ -2536,9 +2537,6 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (error) return (error); - if (msfr.msfr_nsrcs > in_mcast_maxsocksrc) - return (ENOBUFS); - if ((msfr.msfr_fmode != MCAST_EXCLUDE && msfr.msfr_fmode != MCAST_INCLUDE)) return (EINVAL); @@ -2551,13 +2549,24 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (!IN_MULTICAST(ntohl(gsa->sin.sin_addr.s_addr))) return (EINVAL); + if (msfr.msfr_nsrcs > in_mcast_maxsocksrc) + return (ENOBUFS); + kss = mallocarray(msfr.msfr_nsrcs, sizeof(struct sockaddr_storage), + M_TEMP, M_WAITOK); + error = copyin(msfr.msfr_srcs, kss, + sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs); + if (error) + goto out_inp_unlocked; + gsa->sin.sin_port = 0; /* ignore port */ NET_EPOCH_ENTER(et); ifp = ifnet_byindex(msfr.msfr_ifindex); NET_EPOCH_EXIT(et); /* XXXGL: unsafe ifp */ - if (ifp == NULL) - return (EADDRNOTAVAIL); + if (ifp == NULL) { + error = EADDRNOTAVAIL; + goto out_inp_unlocked; + } IN_MULTI_LOCK(); @@ -2589,25 +2598,9 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (msfr.msfr_nsrcs > 0) { struct in_msource *lims; struct sockaddr_in *psin; - struct sockaddr_storage *kss, *pkss; + struct sockaddr_storage *pkss; int i; - INP_WUNLOCK(inp); - - CTR2(KTR_IGMPV3, "%s: loading %lu source list entries", - __func__, (unsigned long)msfr.msfr_nsrcs); - kss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, - M_TEMP, M_WAITOK); - error = copyin(msfr.msfr_srcs, kss, - sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs); - if (error) { - IN_MULTI_UNLOCK(); - free(kss, M_TEMP); - return (error); - } - - INP_WLOCK(inp); - /* * Mark all source filters as UNDEFINED at t1. * Restore new group filter mode, as imf_leave() @@ -2642,7 +2635,6 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) break; lims->imsl_st[1] = imf->imf_st[1]; } - free(kss, M_TEMP); } if (error) @@ -2679,6 +2671,8 @@ out_imf_rollback: out_inp_locked: INP_WUNLOCK(inp); IN_MULTI_UNLOCK(); +out_inp_unlocked: + free(kss, M_TEMP); return (error); } diff --git a/sys/netinet6/in6_mcast.c b/sys/netinet6/in6_mcast.c index a6186568ecb2..4ec9f36cd9ac 100644 --- a/sys/netinet6/in6_mcast.c +++ b/sys/netinet6/in6_mcast.c @@ -2489,6 +2489,7 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) { struct __msfilterreq msfr; struct epoch_tracker et; + struct sockaddr_storage *kss; sockunion_t *gsa; struct ifnet *ifp; struct in6_mfilter *imf; @@ -2501,9 +2502,6 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (error) return (error); - if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc) - return (ENOBUFS); - if (msfr.msfr_fmode != MCAST_EXCLUDE && msfr.msfr_fmode != MCAST_INCLUDE) return (EINVAL); @@ -2516,19 +2514,31 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (!IN6_IS_ADDR_MULTICAST(&gsa->sin6.sin6_addr)) return (EINVAL); + if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc) + return (ENOBUFS); + kss = mallocarray(msfr.msfr_nsrcs, sizeof(struct sockaddr_storage), + M_TEMP, M_WAITOK); + error = copyin(msfr.msfr_srcs, kss, + sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs); + if (error) + goto out_in6p_unlocked; + gsa->sin6.sin6_port = 0; /* ignore port */ NET_EPOCH_ENTER(et); ifp = ifnet_byindex(msfr.msfr_ifindex); NET_EPOCH_EXIT(et); - if (ifp == NULL) - return (EADDRNOTAVAIL); + if (ifp == NULL) { + error = EADDRNOTAVAIL; + goto out_in6p_unlocked; + } (void)in6_setscope(&gsa->sin6.sin6_addr, ifp, NULL); /* * Take the INP write lock. * Check if this socket is a member of this group. */ + IN6_MULTI_LOCK(); imo = in6p_findmoptions(inp); imf = im6o_match_group(imo, ifp, &gsa->sa); if (imf == NULL) { @@ -2553,24 +2563,9 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (msfr.msfr_nsrcs > 0) { struct in6_msource *lims; struct sockaddr_in6 *psin; - struct sockaddr_storage *kss, *pkss; + struct sockaddr_storage *pkss; int i; - INP_WUNLOCK(inp); - - CTR2(KTR_MLD, "%s: loading %lu source list entries", - __func__, (unsigned long)msfr.msfr_nsrcs); - kss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, - M_TEMP, M_WAITOK); - error = copyin(msfr.msfr_srcs, kss, - sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs); - if (error) { - free(kss, M_TEMP); - return (error); - } - - INP_WLOCK(inp); - /* * Mark all source filters as UNDEFINED at t1. * Restore new group filter mode, as im6f_leave() @@ -2615,7 +2610,6 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) break; lims->im6sl_st[1] = imf->im6f_st[1]; } - free(kss, M_TEMP); } if (error) @@ -2650,6 +2644,9 @@ out_im6f_rollback: out_in6p_locked: INP_WUNLOCK(inp); + IN6_MULTI_UNLOCK(); +out_in6p_unlocked: + free(kss, M_TEMP); return (error); } From nobody Tue Jun 9 19:17:47 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdwD2G6Nz6gV3W for ; Tue, 09 Jun 2026 19:17:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdwC4GZQz3M2M for ; Tue, 09 Jun 2026 19:17:47 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032667; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=bFstC+NCWfTnSLp3D4iv44Nnjz4QdALuSuLhgi8odzQ=; b=xF+5eCwcjBg5tUcLWtSQ0DdHONXG5mZp+KG3TCSCFmfB7EHIT/cvIxmsHAIKXmU0ci7I/l qjzlwzsBh47npObN+NzaeuhBJTmCdhKnIJL9Ze6ioDGGUZqtEL0VlVmLt8P+5iwyYhkcJj qB+u/cOJ3x3g9a8S6tXqjd2LbyXHlQ5/c3Lld8sCQAqgMM8ZoZ2y0SBec5/9lf343wc3gM L4PltVN3AdJNKMcx4EztGBAkhuS4zBTwdD0I6ZVaDSObu5mX7aufyScDBXyXgVW4nCboUs g4dS8TJhTv1457s19nuceYsl4UwaH4g52p7RrUi0YKiquHUYwaUkTkbw9iCYFQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032667; a=rsa-sha256; cv=none; b=yj668zneE23lclk0GFS6HW5YGOi23PXb+zMgQUwizWVMoeX1xDiAKqIZqC2KNCjqsn+HuD moOOV1Jo1v6CZP0ugXq8+EbwU4kBtXe4P14D5SW7zD3SVZ5543/+8kQTl+u1QtOytT7ztZ SWmlcg4AFKRIGK1G7oM3bwxC9NOWniEDPwKn98fIb6HPM/JHdfTLXhmJvtvSBfcXF2JJwB oCdof9i0+Zy2PfYELlGA2vjsOHFeisBOP+YGvhaU07bZ/mUTeL61gpl2zWge3NbUlKMup4 /4IQuH+O+ksOuRAwRcBxLbnAMJc8G4NKDyrXX+YvbI9plToJKK1vLzNmF7svMA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032667; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=bFstC+NCWfTnSLp3D4iv44Nnjz4QdALuSuLhgi8odzQ=; b=H6KM7v5LzwkVNtY1YZQvq58PfjFSmvFVoMNy5f6HVV1RkccbJtHlkKDa65EfcChR/5GBQW MMU9RK2b16Y+TV0qRFCvg4hYZgO5mvmaL9DHtIo+1IfCjL0wmEUkmX61yYkIHEMn3soS5C 54iuFDeC1fwODZWYzBgtvYSkY4mM7EXtzIvBHtdISfE8M08f3VsDmm5wAkRjWA9DLadMvi mRvE385oRU7XC9FggxC6CVYgeaj0/wlYiSAOBGFsZ8QfPvFD04U/4dFdLiGQDqui44HviS PdPQaDv3Yl1BqC8DPYj8EkrPDU0I4yh2ynVX/u0uYrPUl73gAvSoc0pxFyDs3Q== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdwC3pvJznrG for ; Tue, 09 Jun 2026 19:17:47 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e521 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:17:47 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Christos Margiolis From: Mark Johnston Subject: git: 144f59e06f9b - stable/14 - sound: Check for offset overflow in dsp_mmap_single() List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 144f59e06f9bff4afb56370a9d03965ab158058f Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:17:47 +0000 Message-Id: <6a2866db.3e521.5867a12d@gitrepo.freebsd.org> The branch stable/14 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=144f59e06f9bff4afb56370a9d03965ab158058f commit 144f59e06f9bff4afb56370a9d03965ab158058f Author: Christos Margiolis AuthorDate: 2026-05-27 15:50:33 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 19:15:21 +0000 sound: Check for offset overflow in dsp_mmap_single() Approved by: so Security: FreeBSD-SA-26:27.sound Security: CVE-2026-45258 Reviewed by: markj Sponsored by: The FreeBSD Foundation --- sys/dev/sound/pcm/dsp.c | 3 +++ tests/sys/sound/Makefile | 1 + tests/sys/sound/mmap.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 55 insertions(+) diff --git a/sys/dev/sound/pcm/dsp.c b/sys/dev/sound/pcm/dsp.c index 1856a348ac12..75293ae9bd8a 100644 --- a/sys/dev/sound/pcm/dsp.c +++ b/sys/dev/sound/pcm/dsp.c @@ -1954,6 +1954,9 @@ dsp_mmap_single(struct cdev *i_dev, vm_ooffset_t *offset, struct pcm_channel *wrch, *rdch, *c; int err; + if (*offset >= *offset + size) + return (EINVAL); + /* * Reject PROT_EXEC by default. It just doesn't makes sense. * Unfortunately, we have to give up this one due to linux_mmap diff --git a/tests/sys/sound/Makefile b/tests/sys/sound/Makefile index 74a0765a0540..ce156ae8c4cf 100644 --- a/tests/sys/sound/Makefile +++ b/tests/sys/sound/Makefile @@ -2,6 +2,7 @@ PACKAGE= tests TESTSDIR= ${TESTSBASE}/sys/sound +ATF_TESTS_C+= mmap ATF_TESTS_C+= pcm_read_write ATF_TESTS_C+= sndstat diff --git a/tests/sys/sound/mmap.c b/tests/sys/sound/mmap.c new file mode 100644 index 000000000000..ab203a39194c --- /dev/null +++ b/tests/sys/sound/mmap.c @@ -0,0 +1,51 @@ +/*- + * SPDX-License-Identifier: BSD-2-Clause + * + * Copyright (c) 2026 The FreeBSD Foundation + */ + +#include +#include + +#include +#include +#include +#include + +#define FMT_ERR(s) s ": %s", strerror(errno) + +ATF_TC(mmap_offset_overflow); +ATF_TC_HEAD(mmap_offset_overflow, tc) +{ + atf_tc_set_md_var(tc, "descr", "mmap offset overflow test"); + atf_tc_set_md_var(tc, "require.kmods", "snd_dummy"); +} + +ATF_TC_BODY(mmap_offset_overflow, tc) +{ + uint8_t *buf; + off_t off; + size_t len; + int fd; + + fd = open("/dev/dsp0", O_RDWR); + ATF_REQUIRE_MSG(fd >= 0, FMT_ERR("open")); + + /* off + len will overflow and wrap back to 0. */ + off = 0xfffffffffffff000; + len = 0x1000; + + buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, off); + ATF_REQUIRE_MSG(buf == MAP_FAILED, FMT_ERR("mmap")); + + munmap(buf, len); + + close(fd); +} + +ATF_TP_ADD_TCS(tp) +{ + ATF_TP_ADD_TC(tp, mmap_offset_overflow); + + return (atf_no_error()); +} From nobody Tue Jun 9 19:17:54 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdwL4G46z6gTyV for ; Tue, 09 Jun 2026 19:17:54 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdwL1hWcz3LyH for ; Tue, 09 Jun 2026 19:17:54 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032674; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Y9fXkiGYScb6EJYTur9kyzRngpFcy6OOMIXUsUi30NE=; b=qFvIHEi9K6zvTjCfP/aen5s8ARUTv4JRM8QgOyiyt4gOkIBSoMEhZm/CL3nCPjF96miKtz 2b5Sy8HMfiu+px06Powu70mHMV9igSiVuShXv3IQJDY12lRK/d3bukUjuSQi5W4R5O9s8c 0HLsq7dBH69FdhRu2XHN+T06bPLkp8YO2NkiKLKU93YnDas3L9J0zPvkZby+JUR7nik5dy Eb+0vfcQOi0bWfRGF7Omjd7if92r1glA+18LYkQa3f20rDxgKdHxYAjmyCTUbqruxEpH4L zTrSASdMSGw9rk/9lGc+pTak68V6sm/j+SMLnuB1wPfl0idEvGCZKui1d8ZppQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032674; a=rsa-sha256; cv=none; b=iQtw8AbqKjTjq/2K+EFPYKVyHXHRaOKic7cCpH+MtH8tEc0vtMEkALosuprCmQSZClKKPD FxarM8EN0FbRBP1ZbArgYocutGB4QHjKc4lJ9OUZ0SxopXfOyRGETLY6WQvcRrI+cD8srN MPDyw6hyrhEz+uOKPlSTJd2VI4KKHLLsb8htrC5drms7g1C0xu8XSV2YqVvMcH3NqqjJWO 4kXCAe3WdVfk+Ho5mgrZv6KuwB57s9Zxu8Pele/rIJt78Q3LRR/DsQG7hImuAIrA5UxdiO Mzbtgw8PBEjObcTzO8BzjI6ZKpWA4LTygjPQHzB0Vw33B/BzMfHtof+mxrrKOA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032674; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Y9fXkiGYScb6EJYTur9kyzRngpFcy6OOMIXUsUi30NE=; b=Lo3zacPuldPBTWX98iDvetVke84WiirBRXic+3x1Sd7lLSq1g9Rx36S6jQ3RdCElBZ3BMD Ch2b3RD6+XeJLw2F7nX9Nj7pgdu9+pVZ8SBu2t9KePA4XtDb7fqL1VSabxWJMwkZP/kGq9 5awE4Kk8JsdNv7khIHrgIpCTLbNk+Dqk4Jf2FJkzGuPuaPCqAVE9dchoOZPpRxCjKiTNvQ I1si0tbMTdTD5DHzoxtCdTbvVdLWbwBxHn3v2bMkXkCtbhxOuHXZ7O0parretU3SmaBg7T 33AlFdaovZQx4D81ktwOHDVLuW4pi+YcNDPNtVcmFjrklQMx7LqnAeAYFSs1hQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdwL1FfpznFq for ; Tue, 09 Jun 2026 19:17:54 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e5ae by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:17:54 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Gordon Tetlow From: Mark Johnston Subject: git: ec6bfa889b83 - stable/14 - openssl: Fix multiple vulnerabilities List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: ec6bfa889b839645961113344186b85ed8477f48 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:17:54 +0000 Message-Id: <6a2866e2.3e5ae.3e394f0d@gitrepo.freebsd.org> The branch stable/14 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=ec6bfa889b839645961113344186b85ed8477f48 commit ec6bfa889b839645961113344186b85ed8477f48 Author: Gordon Tetlow AuthorDate: 2026-06-07 03:24:17 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 19:15:22 +0000 openssl: Fix multiple vulnerabilities This is a rollup commit from upstream to fix: Reject oversized inputs in ASN1_mbstring_ncopy() cms: kek_unwrap_key: Fix out-of-bounds read in check-byte validation cms: kek_unwrap_key: test for fix out-of-bounds read in check-byte validation Avoid length truncation in ASN1_STRING_set Reject potentially forged encrypted CMS AuthEnvelopedData messages Fix potential NULL dereference processing CMS PasswordRecipientInfo Match the local q DHX parameter against the peer's q Apply the buffered IV on the AES-OCB EVP_Cipher() path Fix handling of empty-ciphertext messages in AES-GCM-SIV and AES-SIV Fix possible use-after-free in OpenSSL PKCS7_verify() Approved by: so Obtained from: OpenSSL Security: FreeBSD-SA-26:35.openssl Security: CVE-2026-7383 Security: CVE-2026-9076 Security: CVE-2026-34180 Security: CVE-2026-34182 Security: CVE-2026-42766 Security: CVE-2026-42770 Security: CVE-2026-45445 Security: CVE-2026-45446 Security: CVE-2026-45447 --- crypto/openssl/crypto/asn1/a_mbstr.c | 31 ++++++++++- crypto/openssl/crypto/asn1/tasn_dec.c | 24 +++++--- crypto/openssl/crypto/cms/cms_enc.c | 18 ++++-- crypto/openssl/crypto/cms/cms_env.c | 6 +- crypto/openssl/crypto/cms/cms_err.c | 4 +- crypto/openssl/crypto/cms/cms_local.h | 2 +- crypto/openssl/crypto/cms/cms_pwri.c | 15 ++++- crypto/openssl/crypto/err/openssl.txt | 3 +- crypto/openssl/crypto/pkcs7/pk7_smime.c | 9 +-- crypto/openssl/include/crypto/cmserr.h | 2 +- crypto/openssl/include/openssl/cmserr.h | 4 +- .../implementations/ciphers/cipher_aes_ocb.c | 13 +++++ .../implementations/ciphers/cipher_aes_siv.c | 3 + .../providers/implementations/exchange/dh_exch.c | 5 +- .../cms-msg/enveloped-content-type-for-aes-gcm.pem | 7 +++ crypto/openssl/test/cmsapitest.c | 54 +++++++++++++++++- crypto/openssl/test/evp_extra_test.c | 61 +++++++++++++++++++++ crypto/openssl/test/recipes/80-test_cms.t | 12 +++- crypto/openssl/test/recipes/80-test_cmsapi.t | 3 +- .../80-test_cmsapi_data/cms_pwri_kek_oob.der | Bin 0 -> 193 bytes 20 files changed, 239 insertions(+), 37 deletions(-) diff --git a/crypto/openssl/crypto/asn1/a_mbstr.c b/crypto/openssl/crypto/asn1/a_mbstr.c index 531e01d33257..9329e5795a9e 100644 --- a/crypto/openssl/crypto/asn1/a_mbstr.c +++ b/crypto/openssl/crypto/asn1/a_mbstr.c @@ -174,11 +174,27 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, break; case MBSTRING_BMP: + if (nchar > INT_MAX / 2) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_STRING_TOO_LONG); + if (free_out) { + ASN1_STRING_free(dest); + *out = NULL; + } + return -1; + } outlen = nchar << 1; cpyfunc = cpy_bmp; break; case MBSTRING_UNIV: + if (nchar > INT_MAX / 4) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_STRING_TOO_LONG); + if (free_out) { + ASN1_STRING_free(dest); + *out = NULL; + } + return -1; + } outlen = nchar << 2; cpyfunc = cpy_univ; break; @@ -186,8 +202,11 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, case MBSTRING_UTF8: outlen = 0; ret = traverse_string(in, len, inform, out_utf8, &outlen); - if (ret < 0) { - ERR_raise(ERR_LIB_ASN1, ASN1_R_INVALID_UTF8STRING); + if (ret < 0) { /* error already raised in out_utf8() */ + if (free_out) { + ASN1_STRING_free(dest); + *out = NULL; + } return -1; } cpyfunc = cpy_utf8; @@ -271,9 +290,15 @@ static int out_utf8(unsigned long value, void *arg) int *outlen, len; len = UTF8_putc(NULL, -1, value); - if (len <= 0) + if (len <= 0) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_INVALID_UTF8STRING); return len; + } outlen = arg; + if (*outlen > INT_MAX - len) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_STRING_TOO_LONG); + return -1; + } *outlen += len; return 1; } diff --git a/crypto/openssl/crypto/asn1/tasn_dec.c b/crypto/openssl/crypto/asn1/tasn_dec.c index 9138ad381f7d..4cbc6275cc35 100644 --- a/crypto/openssl/crypto/asn1/tasn_dec.c +++ b/crypto/openssl/crypto/asn1/tasn_dec.c @@ -54,7 +54,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx); -static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, +static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len, int utype, char *free_cont, const ASN1_ITEM *it); /* Table to convert tags to bit values, used for MSTRING type */ @@ -855,19 +855,24 @@ err: /* Translate ASN1 content octets into a structure */ -static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, +static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len, int utype, char *free_cont, const ASN1_ITEM *it) { ASN1_VALUE **opval = NULL; ASN1_STRING *stmp; ASN1_TYPE *typ = NULL; int ret = 0; + int ilen = (int)len; const ASN1_PRIMITIVE_FUNCS *pf; ASN1_INTEGER **tint; pf = it->funcs; - if (pf && pf->prim_c2i) - return pf->prim_c2i(pval, cont, len, utype, free_cont, it); + if (pf && pf->prim_c2i) { + if (len == (long)ilen) + return pf->prim_c2i(pval, cont, ilen, utype, free_cont, it); + ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG); + return 0; + } /* If ANY type clear type and set pointer to internal value */ if (it->utype == V_ASN1_ANY) { if (*pval == NULL) { @@ -885,7 +890,8 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, } switch (utype) { case V_ASN1_OBJECT: - if (!ossl_c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len)) + if (len != (long)ilen + || !ossl_c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, ilen)) goto err; break; @@ -940,6 +946,10 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, case V_ASN1_SET: case V_ASN1_SEQUENCE: default: + if (len != (long)ilen) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG); + goto err; + } if (utype == V_ASN1_BMPSTRING && (len & 1)) { ERR_raise(ERR_LIB_ASN1, ASN1_R_BMPSTRING_IS_WRONG_LENGTH); goto err; @@ -964,10 +974,10 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, if (*free_cont) { OPENSSL_free(stmp->data); stmp->data = (unsigned char *)cont; /* UGLY CAST! RL */ - stmp->length = len; + stmp->length = ilen; *free_cont = 0; } else { - if (!ASN1_STRING_set(stmp, cont, len)) { + if (!ASN1_STRING_set(stmp, cont, ilen)) { ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); ASN1_STRING_free(stmp); *pval = NULL; diff --git a/crypto/openssl/crypto/cms/cms_enc.c b/crypto/openssl/crypto/cms/cms_enc.c index 8c1a15aeda71..367617576175 100644 --- a/crypto/openssl/crypto/cms/cms_enc.c +++ b/crypto/openssl/crypto/cms/cms_enc.c @@ -23,7 +23,7 @@ /* Return BIO based on EncryptedContentInfo and key */ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, - const CMS_CTX *cms_ctx) + const CMS_CTX *cms_ctx, int auth) { BIO *b; EVP_CIPHER_CTX *ctx; @@ -104,14 +104,20 @@ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, goto err; } if ((EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)) { + if (!auth) { + ERR_raise(ERR_LIB_CMS, CMS_R_CIPHER_AEAD_IN_ENVELOPED_DATA); + goto err; + } piv = aparams.iv; - if (ec->taglen > 0 - && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, - ec->taglen, ec->tag) - <= 0) { + + if (ec->taglen < 4 || ec->taglen > 16 + || EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, (int)ec->taglen, ec->tag) <= 0) { ERR_raise(ERR_LIB_CMS, CMS_R_CIPHER_AEAD_SET_TAG_ERROR); goto err; } + } else if (auth) { + ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM); + goto err; } } len = EVP_CIPHER_CTX_get_key_length(ctx); @@ -263,5 +269,5 @@ BIO *ossl_cms_EncryptedData_init_bio(const CMS_ContentInfo *cms) if (enc->encryptedContentInfo->cipher && enc->unprotectedAttrs) enc->version = 2; return ossl_cms_EncryptedContent_init_bio(enc->encryptedContentInfo, - ossl_cms_get0_cmsctx(cms)); + ossl_cms_get0_cmsctx(cms), 0); } diff --git a/crypto/openssl/crypto/cms/cms_env.c b/crypto/openssl/crypto/cms/cms_env.c index 2326253b6743..d2eace4fef5d 100644 --- a/crypto/openssl/crypto/cms/cms_env.c +++ b/crypto/openssl/crypto/cms/cms_env.c @@ -1099,7 +1099,7 @@ static BIO *cms_EnvelopedData_Decryption_init_bio(CMS_ContentInfo *cms) { CMS_EncryptedContentInfo *ec = cms->d.envelopedData->encryptedContentInfo; BIO *contentBio = ossl_cms_EncryptedContent_init_bio(ec, - ossl_cms_get0_cmsctx(cms)); + ossl_cms_get0_cmsctx(cms), 0); EVP_CIPHER_CTX *ctx = NULL; if (contentBio == NULL) @@ -1137,7 +1137,7 @@ static BIO *cms_EnvelopedData_Encryption_init_bio(CMS_ContentInfo *cms) /* Get BIO first to set up key */ ec = env->encryptedContentInfo; - ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms)); + ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms), 0); /* If error end of processing */ if (!ret) @@ -1189,7 +1189,7 @@ BIO *ossl_cms_AuthEnvelopedData_init_bio(CMS_ContentInfo *cms) ec->tag = aenv->mac->data; ec->taglen = aenv->mac->length; } - ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms)); + ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms), 1); /* If error or no cipher end of processing */ if (ret == NULL || ec->cipher == NULL) diff --git a/crypto/openssl/crypto/cms/cms_err.c b/crypto/openssl/crypto/cms/cms_err.c index 37e52963e16d..bc922d0ee03d 100644 --- a/crypto/openssl/crypto/cms/cms_err.c +++ b/crypto/openssl/crypto/cms/cms_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2026 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -25,6 +25,8 @@ static const ERR_STRING_DATA CMS_str_reasons[] = { "certificate has no keyid" }, { ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CERTIFICATE_VERIFY_ERROR), "certificate verify error" }, + { ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CIPHER_AEAD_IN_ENVELOPED_DATA), + "cipher aead in enveloped data" }, { ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CIPHER_AEAD_SET_TAG_ERROR), "cipher aead set tag error" }, { ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CIPHER_GET_TAG), "cipher get tag" }, diff --git a/crypto/openssl/crypto/cms/cms_local.h b/crypto/openssl/crypto/cms/cms_local.h index a92a67fa8b24..d80689f64d68 100644 --- a/crypto/openssl/crypto/cms/cms_local.h +++ b/crypto/openssl/crypto/cms/cms_local.h @@ -429,7 +429,7 @@ int ossl_cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert); int ossl_cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert); BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, - const CMS_CTX *ctx); + const CMS_CTX *ctx, int auth); BIO *ossl_cms_EncryptedData_init_bio(const CMS_ContentInfo *cms); int ossl_cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec, const EVP_CIPHER *cipher, diff --git a/crypto/openssl/crypto/cms/cms_pwri.c b/crypto/openssl/crypto/cms/cms_pwri.c index 46313f2bfe2c..8b0ea233fd6d 100644 --- a/crypto/openssl/crypto/cms/cms_pwri.c +++ b/crypto/openssl/crypto/cms/cms_pwri.c @@ -189,14 +189,18 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen, const unsigned char *in, size_t inlen, EVP_CIPHER_CTX *ctx) { - size_t blocklen = EVP_CIPHER_CTX_get_block_size(ctx); + int blocklen = EVP_CIPHER_CTX_get_block_size(ctx); unsigned char *tmp; int outl, rv = 0; - if (inlen < 2 * blocklen) { + + if (blocklen < 4) + return 0; + + if (inlen < 2 * (size_t)blocklen) { /* too small */ return 0; } - if (inlen % blocklen) { + if (inlen > INT_MAX || inlen % blocklen) { /* Invalid size */ return 0; } @@ -350,6 +354,11 @@ int ossl_cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms, /* Finish password based key derivation to setup key in "ctx" */ + if (algtmp == NULL) { + ERR_raise_data(ERR_LIB_CMS, CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER, + "Missing KeyDerivationAlgorithm"); + goto err; + } if (!EVP_PBE_CipherInit_ex(algtmp->algorithm, (char *)pwri->pass, (int)pwri->passlen, algtmp->parameter, kekctx, en_de, diff --git a/crypto/openssl/crypto/err/openssl.txt b/crypto/openssl/crypto/err/openssl.txt index 756fafdfa24a..dc4e3f310f08 100644 --- a/crypto/openssl/crypto/err/openssl.txt +++ b/crypto/openssl/crypto/err/openssl.txt @@ -1,4 +1,4 @@ -# Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2026 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -284,6 +284,7 @@ CMS_R_ATTRIBUTE_ERROR:161:attribute error CMS_R_CERTIFICATE_ALREADY_PRESENT:175:certificate already present CMS_R_CERTIFICATE_HAS_NO_KEYID:160:certificate has no keyid CMS_R_CERTIFICATE_VERIFY_ERROR:100:certificate verify error +CMS_R_CIPHER_AEAD_IN_ENVELOPED_DATA:182:cipher aead in enveloped data CMS_R_CIPHER_AEAD_SET_TAG_ERROR:184:cipher aead set tag error CMS_R_CIPHER_GET_TAG:185:cipher get tag CMS_R_CIPHER_INITIALISATION_ERROR:101:cipher initialisation error diff --git a/crypto/openssl/crypto/pkcs7/pk7_smime.c b/crypto/openssl/crypto/pkcs7/pk7_smime.c index 001b96d31183..fadf543e9db7 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_smime.c +++ b/crypto/openssl/crypto/pkcs7/pk7_smime.c @@ -218,6 +218,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, int i, j = 0, k, ret = 0; BIO *p7bio = NULL; BIO *tmpin = NULL, *tmpout = NULL; + BIO *next = NULL; const PKCS7_CTX *p7_ctx; if (p7 == NULL) { @@ -366,11 +367,11 @@ err: BIO_free(tmpout); X509_STORE_CTX_free(cert_ctx); OPENSSL_free(buf); - if (tmpin == indata) { - if (indata) - BIO_pop(p7bio); + while (p7bio != NULL && p7bio != indata) { + next = BIO_pop(p7bio); + BIO_free(p7bio); + p7bio = next; } - BIO_free_all(p7bio); sk_X509_free(signers); return ret; } diff --git a/crypto/openssl/include/crypto/cmserr.h b/crypto/openssl/include/crypto/cmserr.h index f9fd933682e5..8b896822d091 100644 --- a/crypto/openssl/include/crypto/cmserr.h +++ b/crypto/openssl/include/crypto/cmserr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2026 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/include/openssl/cmserr.h b/crypto/openssl/include/openssl/cmserr.h index c584b90574e2..6c0baf2362fc 100644 --- a/crypto/openssl/include/openssl/cmserr.h +++ b/crypto/openssl/include/openssl/cmserr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2026 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -17,7 +17,6 @@ #include #ifndef OPENSSL_NO_CMS - /* * CMS reason codes. */ @@ -26,6 +25,7 @@ #define CMS_R_CERTIFICATE_ALREADY_PRESENT 175 #define CMS_R_CERTIFICATE_HAS_NO_KEYID 160 #define CMS_R_CERTIFICATE_VERIFY_ERROR 100 +#define CMS_R_CIPHER_AEAD_IN_ENVELOPED_DATA 182 #define CMS_R_CIPHER_AEAD_SET_TAG_ERROR 184 #define CMS_R_CIPHER_GET_TAG 185 #define CMS_R_CIPHER_INITIALISATION_ERROR 101 diff --git a/crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c b/crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c index 8a8eddf36eec..70c0703ddb7c 100644 --- a/crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c +++ b/crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c @@ -516,6 +516,19 @@ static int aes_ocb_cipher(void *vctx, unsigned char *out, size_t *outl, return 0; } + /* + * Mirror the streaming handler: refuse if the key has not been set, + * and push the buffered IV into the OCB context before any data is + * processed. Without this, CRYPTO_ocb128_encrypt/decrypt runs with + * Offset_0 = 0 regardless of the caller's IV -- catastrophic + * (key, nonce) reuse, and a subsequent EVP_*Final_ex() emits a tag + * that is a function of (key, iv) only. + */ + if (!ctx->key_set || !update_iv(ctx)) { + ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED); + return 0; + } + if (!aes_generic_ocb_cipher(ctx, in, out, inl)) { ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED); return 0; diff --git a/crypto/openssl/providers/implementations/ciphers/cipher_aes_siv.c b/crypto/openssl/providers/implementations/ciphers/cipher_aes_siv.c index 510c1581b593..c3facacfbcf4 100644 --- a/crypto/openssl/providers/implementations/ciphers/cipher_aes_siv.c +++ b/crypto/openssl/providers/implementations/ciphers/cipher_aes_siv.c @@ -203,6 +203,7 @@ static int aes_siv_set_ctx_params(void *vctx, const OSSL_PARAM params[]) PROV_AES_SIV_CTX *ctx = (PROV_AES_SIV_CTX *)vctx; const OSSL_PARAM *p; unsigned int speed = 0; + SIV128_CONTEXT *sctx = &ctx->siv; if (params == NULL) return 1; @@ -237,6 +238,8 @@ static int aes_siv_set_ctx_params(void *vctx, const OSSL_PARAM params[]) if (keylen != ctx->keylen) return 0; } + sctx->final_ret = -1; + return 1; } diff --git a/crypto/openssl/providers/implementations/exchange/dh_exch.c b/crypto/openssl/providers/implementations/exchange/dh_exch.c index bb2d355c8143..668602a5e523 100644 --- a/crypto/openssl/providers/implementations/exchange/dh_exch.c +++ b/crypto/openssl/providers/implementations/exchange/dh_exch.c @@ -113,12 +113,15 @@ static int dh_init(void *vpdhctx, void *vdh, const OSSL_PARAM params[]) static int dh_match_params(DH *priv, DH *peer) { int ret; + int ignore_q = 1; FFC_PARAMS *dhparams_priv = ossl_dh_get0_params(priv); FFC_PARAMS *dhparams_peer = ossl_dh_get0_params(peer); + if (dhparams_priv != NULL && dhparams_priv->q != NULL) + ignore_q = 0; ret = dhparams_priv != NULL && dhparams_peer != NULL - && ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, 1); + && ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, ignore_q); if (!ret) ERR_raise(ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS); return ret; diff --git a/crypto/openssl/test/cms-msg/enveloped-content-type-for-aes-gcm.pem b/crypto/openssl/test/cms-msg/enveloped-content-type-for-aes-gcm.pem new file mode 100644 index 000000000000..b0610a7ec8a2 --- /dev/null +++ b/crypto/openssl/test/cms-msg/enveloped-content-type-for-aes-gcm.pem @@ -0,0 +1,7 @@ +-----BEGIN PKCS7----- +MIAGCSqGSIb3DQEHA6CAMIACAQIxNqI0AgEEMAgEBkMwRkVFMDALBglghkgBZQME +AQUEGPN0q9rM3neSiY7HIADpnqWym33mRZC4JDCABgkqhkiG9w0BBwEwHgYJYIZI +AWUDBAEGMBEEDIExQGiHZFSYa0ZBqQIBEKCABGNap+JL1B21Mq7ojKPzVuxtRkg3 +LWt8khnK1EzfmV7e64l5KnTdjq9+gfbwOfbuhTavfBI7VK/ZtpH3HII4fCOe37kV +mju8/YnYeRq2KcxESmJBySV/veMwxqmHGAw71JyHpg4AAAAAAAAAAAAA +-----END PKCS7----- diff --git a/crypto/openssl/test/cmsapitest.c b/crypto/openssl/test/cmsapitest.c index 7e74c5daf221..0a7e536bbe75 100644 --- a/crypto/openssl/test/cmsapitest.c +++ b/crypto/openssl/test/cmsapitest.c @@ -20,6 +20,7 @@ static X509 *cert = NULL; static EVP_PKEY *privkey = NULL; static char *derin = NULL; static char *too_long_iv_cms_in = NULL; +static char *pwri_kek_oob_der_in = NULL; static int test_encrypt_decrypt(const EVP_CIPHER *cipher) { @@ -45,6 +46,12 @@ static int test_encrypt_decrypt(const EVP_CIPHER *cipher) CMS_TEXT))) goto end; + if (!(EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) + && !TEST_ptr(contentbio = CMS_EnvelopedData_decrypt(content->d.envelopedData, + NULL, privkey, cert, NULL, + CMS_TEXT, NULL, NULL))) + goto end; + /* Check we got the message we first started with */ if (!TEST_int_eq(BIO_gets(outmsgbio, buf, sizeof(buf)), strlen(msg)) || !TEST_int_eq(strcmp(buf, msg), 0)) @@ -484,7 +491,48 @@ end: return ret; } -OPT_TEST_DECLARE_USAGE("certfile privkeyfile derfile\n") +/* + * CMS EnvelopedData with a single PasswordRecipientInfo using + * id-alg-PWRI-KEK and an AES-128-CFB key encryption cipher + * (1-byte effective block size). The encryptedKey OCTET STRING is + * only two bytes long, so the wrapped key buffer is shorter than + * the seven octets read by the check-byte test in kek_unwrap_key(). + * Prior to CVE-2026-9076 this triggered an out-of-bounds heap read; + * CMS_decrypt() must now fail cleanly. + */ +static int test_pwri_kek_unwrap_short_encrypted_key(void) +{ + BIO *in = NULL; + CMS_ContentInfo *cms = NULL; + unsigned long err = 0; + int ret = 0; + + if (!TEST_ptr(in = BIO_new_file(pwri_kek_oob_der_in, "rb")) + || !TEST_ptr(cms = d2i_CMS_bio(in, NULL))) + goto end; + + /* + * The unwrap is attempted eagerly inside CMS_decrypt_set1_password(). + * It must fail cleanly (no OOB read) and report CMS_R_UNWRAP_FAILURE. + */ + if (!TEST_false(CMS_decrypt_set1_password(cms, + (unsigned char *)"password", -1))) + goto end; + + err = ERR_peek_last_error(); + if (!TEST_int_eq(ERR_GET_LIB(err), ERR_LIB_CMS) + || !TEST_int_eq(ERR_GET_REASON(err), CMS_R_UNWRAP_FAILURE)) + goto end; + + ERR_clear_error(); + ret = 1; +end: + CMS_ContentInfo_free(cms); + BIO_free(in); + return ret; +} + +OPT_TEST_DECLARE_USAGE("certfile privkeyfile derfile tooLongIVpem pwriKekOobDer\n") int setup_tests(void) { @@ -499,7 +547,8 @@ int setup_tests(void) if (!TEST_ptr(certin = test_get_argument(0)) || !TEST_ptr(privkeyin = test_get_argument(1)) || !TEST_ptr(derin = test_get_argument(2)) - || !TEST_ptr(too_long_iv_cms_in = test_get_argument(3))) + || !TEST_ptr(too_long_iv_cms_in = test_get_argument(3)) + || !TEST_ptr(pwri_kek_oob_der_in = test_get_argument(4))) return 0; certbio = BIO_new_file(certin, "r"); @@ -535,6 +584,7 @@ int setup_tests(void) ADD_TEST(test_encrypted_data_aead); ADD_ALL_TESTS(test_d2i_CMS_decode, 2); ADD_TEST(test_cms_aesgcm_iv_too_long); + ADD_TEST(test_pwri_kek_unwrap_short_encrypted_key); return 1; } diff --git a/crypto/openssl/test/evp_extra_test.c b/crypto/openssl/test/evp_extra_test.c index 1b0f0711cb57..7bd41db115ca 100644 --- a/crypto/openssl/test/evp_extra_test.c +++ b/crypto/openssl/test/evp_extra_test.c @@ -5414,6 +5414,64 @@ static int test_aes_rc4_keylen_change_cve_2023_5363(void) } #endif +/* + * AES-SIV reuse-without-rekey: + * msg1: legit non-empty CT, tag verifies, final_ret=0 + * msg2: no reinit (or reinit with key=NULL), set forged tag, + * AAD only, DecryptFinal -> does stale final_ret leak through? + */ +static int test_aes_siv_ctx_reuse(void) +{ + unsigned char key[32] = { 7 }; /* AES-128-SIV => 2*16 */ + unsigned char pt[9] = "payload!"; + unsigned char ct[9], tagbuf[16], out[16], zero16[16] = { 0 }; + unsigned char aad[14] = "forged header"; + int outl, ret = 0; + EVP_CIPHER_CTX *e = NULL, *d = NULL; + EVP_CIPHER *c = EVP_CIPHER_fetch(NULL, "AES-128-SIV", NULL); + + if (c == NULL) { + return TEST_skip("AES-128-SIV cipher is not available"); + } + + /* produce a valid (ct,tag) for msg1 */ + e = EVP_CIPHER_CTX_new(); + if (!TEST_ptr(e) + || !TEST_true(EVP_EncryptInit_ex2(e, c, key, NULL, NULL)) + || !TEST_true(EVP_EncryptUpdate(e, NULL, &outl, (unsigned char *)"hdr1", 4)) + || !TEST_true(EVP_EncryptUpdate(e, ct, &outl, pt, sizeof(pt))) + || !TEST_true(EVP_EncryptFinal_ex(e, out, &outl)) + || !TEST_true(EVP_CIPHER_CTX_ctrl(e, EVP_CTRL_AEAD_GET_TAG, 16, tagbuf))) { + EVP_CIPHER_CTX_free(e); + goto err; + } + EVP_CIPHER_CTX_free(e); + + /* msg1 decrypt */ + d = EVP_CIPHER_CTX_new(); + if (!TEST_ptr(d) + || !TEST_true(EVP_DecryptInit_ex2(d, c, key, NULL, NULL)) + || !TEST_true(EVP_CIPHER_CTX_ctrl(d, EVP_CTRL_AEAD_SET_TAG, 16, tagbuf)) + || !TEST_true(EVP_DecryptUpdate(d, NULL, &outl, (unsigned char *)"hdr1", 4)) + || !TEST_true(EVP_DecryptUpdate(d, out, &outl, ct, sizeof(ct))) + || !TEST_true(EVP_DecryptFinal_ex(d, out, &outl))) + goto err; + + /* msg2 on SAME ctx, reinit with key=NULL => initkey skipped, final_ret should be reset */ + if (!TEST_true(EVP_DecryptInit_ex2(d, NULL, NULL, NULL, NULL)) + || !TEST_true(EVP_CIPHER_CTX_ctrl(d, EVP_CTRL_AEAD_SET_TAG, 16, zero16)) + || !TEST_true(EVP_DecryptUpdate(d, NULL, &outl, aad, sizeof(aad))) /* forged AAD */ + || !TEST_false(EVP_DecryptFinal_ex(d, out, &outl))) + goto err; + + ret = 1; + +err: + EVP_CIPHER_CTX_free(d); + EVP_CIPHER_free(c); + return ret; +} + static int test_invalid_ctx_for_digest(void) { int ret; @@ -5637,6 +5695,9 @@ int setup_tests(void) ADD_TEST(test_aes_rc4_keylen_change_cve_2023_5363); #endif + /* Test case for CVE-2026-45446 */ + ADD_TEST(test_aes_siv_ctx_reuse); + ADD_TEST(test_invalid_ctx_for_digest); ADD_TEST(test_evp_cipher_negative_length); diff --git a/crypto/openssl/test/recipes/80-test_cms.t b/crypto/openssl/test/recipes/80-test_cms.t index b6ee61464409..f573651e26bc 100644 --- a/crypto/openssl/test/recipes/80-test_cms.t +++ b/crypto/openssl/test/recipes/80-test_cms.t @@ -51,7 +51,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) $no_rc2 = 1 if disabled("legacy"); -plan tests => 23; +plan tests => 24; ok(run(test(["pkcs7_test"])), "test pkcs7"); @@ -1054,6 +1054,16 @@ ok(!run(app(['openssl', 'cms', '-verify', ])), "issue#19643"); +# Check that users get error when using incorrect envelope type for AEAD algorithms +ok(!run(app(['openssl', 'cms', '-decrypt', + '-inform', 'PEM', '-stream', + '-secretkey', '000102030405060708090A0B0C0D0E0F', + '-secretkeyid', 'C0FEE0', + '-in', srctop_file("test/cms-msg", + "enveloped-content-type-for-aes-gcm.pem") + ])), + "Error AES-GCM in enveloped content type"); + # Check that kari encryption with originator does not segfault with({ exit_checker => sub { return shift == 3; } }, sub { diff --git a/crypto/openssl/test/recipes/80-test_cmsapi.t b/crypto/openssl/test/recipes/80-test_cmsapi.t index 8d9371e005c0..3d1dae846464 100644 --- a/crypto/openssl/test/recipes/80-test_cmsapi.t +++ b/crypto/openssl/test/recipes/80-test_cmsapi.t @@ -19,5 +19,6 @@ plan tests => 1; ok(run(test(["cmsapitest", srctop_file("test", "certs", "servercert.pem"), srctop_file("test", "certs", "serverkey.pem"), srctop_file("test", "recipes", "80-test_cmsapi_data", "encryptedData.der"), - srctop_file("test", "recipes", "80-test_cmsapi_data", "encDataWithTooLongIV.pem")])), + srctop_file("test", "recipes", "80-test_cmsapi_data", "encDataWithTooLongIV.pem"), + srctop_file("test", "recipes", "80-test_cmsapi_data", "cms_pwri_kek_oob.der")])), "running cmsapitest"); diff --git a/crypto/openssl/test/recipes/80-test_cmsapi_data/cms_pwri_kek_oob.der b/crypto/openssl/test/recipes/80-test_cmsapi_data/cms_pwri_kek_oob.der new file mode 100644 index 000000000000..c3ef3abd10e6 Binary files /dev/null and b/crypto/openssl/test/recipes/80-test_cmsapi_data/cms_pwri_kek_oob.der differ From nobody Tue Jun 9 19:17:51 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdwJ5DCHz6gTsW for ; Tue, 09 Jun 2026 19:17:52 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdwJ0JdJz3M0x for ; Tue, 09 Jun 2026 19:17:52 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032672; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=5DeNZll9V/edpH+3f3Q3UsygWnYvdkuQVC8gI7gPgAs=; b=KAgA5FkrhyX2kh1ulB34+iFg0nouSCWFqZ8PsgQLCNXs9DCdpgzeOMtX/qgY/zBK24p//x lZA3Af7VDYoxZGvEEKV+CnUAK+sKRzIcxZOhJ0VEUQzWYouFXbuM0dkQB9r1ezOkx6SY1R ZJDN7H7xR1uxBx8iyItT2NJ59kdsMGMp2peILrrw67OWhRSMAUNGx1OLTlxA5R9rmUT4pe DM+8Yb9vEPh4mjqIZb0XjpPi9HH5i0dWwRqHBxxTqoFDwG0HNR1MgCBXuAFecHvV+hm6KB nyBF4odXByuEpTDRsmOZyir34ruSKrQS7il6B7TIRmBmj4GncYfVDroMjo7Fwg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032672; a=rsa-sha256; cv=none; b=TI9yudNT1GD3Qc+mnqXlu8kW/YN1xkBp39xX6hFlg/QG/BniENN7Dt/GcDWIJoifZIOfjU R0cNykwdRhldI2EFD7UvifnEq9n7tcyJdC1kcwT6fX4+ImWOJxHdadVB1PYyzYZbCsGbWX N1JiYFE3nl9PmDXJl1IEH8ArrXVuDk3yeEiGRWE4kSS+VNvEINf4GwFD/NFASPgeotiPn8 0cHceQw4TFQMDKehog9MlAqWLZ3BTDgqb/en8/ZRAziDXDUwiMFjlp1nwxnzfBX3+PJV2V 9icBwhR1UqLpNpn/V1H02pMt23DbTLFzhOuKKohI4YmSWTTBOhh89S8Q5RDSDA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032672; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=5DeNZll9V/edpH+3f3Q3UsygWnYvdkuQVC8gI7gPgAs=; b=M2WFQhUgOpxn6eVMbEuMUls8X/s466LplDYtvIdcG62YsFQM4V0zP+qWpKZnu7ILuPcOLI dk8q0JMSBXW3GYAP+/zFPhCSV5UwTFdeq7Zpy7KasdwofFxYYc9F7vpf+KRpN0dGgmMqut KAHj5WlrSxsKkEHBN3Oyp+Bkr2VqSNabkHCiZl+4vfYugFiBIV01cU3Tmk+9XP0G0kHGEM a9vouqQ1cXvRuF/QIOpYlfNLmiKCDdcdX8sKfEjHn9RAycTChM5pFBjgPD1zPRqjBx14yg Jc9Gp9lrlxd9sL71jsrGJezD2Sspyg71M3/Qqf9VZfYUL6T1zg+sIiDKtIRhvw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdwH6x5pznFn for ; Tue, 09 Jun 2026 19:17:51 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e5a9 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:17:51 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Andrew Turner From: Mark Johnston Subject: git: e99aa8682dba - stable/14 - arm64: Workaround the following errata List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: e99aa8682dba0ebd04c50cbe9a57213557ecd130 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:17:51 +0000 Message-Id: <6a2866df.3e5a9.97b4941@gitrepo.freebsd.org> The branch stable/14 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=e99aa8682dba0ebd04c50cbe9a57213557ecd130 commit e99aa8682dba0ebd04c50cbe9a57213557ecd130 Author: Andrew Turner AuthorDate: 2026-05-28 09:25:30 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 19:15:22 +0000 arm64: Workaround the following errata - ARM C1-Premium erratum 4193780 - ARM C1-Ultra erratum 4193780 - ARM Cortex-A76 erratum 4193800 - ARM Cortex-A76AE erratum 4193801 - ARM Cortex-A77 erratum 4193798 - ARM Cortex-A78 erratum 4193791 - ARM Cortex-A78AE erratum 4193793 - ARM Cortex-A78C erratum 4193794 - ARM Cortex-A710 erratum 4193788 - ARM Cortex-X1 erratum 4193791 - ARM Cortex-X1C erratum 4193792 - ARM Cortex-X2 erratum 4193788 - ARM Cortex-X3 erratum 4193786 - ARM Cortex-X4 erratum 4118414 - ARM Cortex-X925 erratum 4193781 - ARM Neoverse-N1 erratum 4193800 - ARM Neoverse-N2 erratum 4193789 - ARM Neoverse-V1 erratum 4193790 - ARM Neoverse-V2 erratum 4193787 - ARM Neoverse-V3 erratum 4193784 - ARM Neoverse-V3AE erratum 4193784 These are all variants on an erratum where TLBI+DSB instructions on one CPU may incorrectly complete early leading to stores to an updated address using an incorrect translation on another CPU. In all cases the workaround is to add a second TLBI+DSB. Approved by: so Security: FreeBSD-SA-26:31.arm64 Security: CVE-2025-10263 Sponsored by: Arm Ltd --- sys/arm64/arm64/pmap.c | 60 ++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 51 insertions(+), 9 deletions(-) diff --git a/sys/arm64/arm64/pmap.c b/sys/arm64/arm64/pmap.c index 7c38ecfe16a2..4d597deb6d67 100644 --- a/sys/arm64/arm64/pmap.c +++ b/sys/arm64/arm64/pmap.c @@ -1547,20 +1547,62 @@ static cpu_feat_en pmap_multiple_tlbi_check(const struct cpu_feat *feat __unused, u_int midr) { /* - * Cortex-A55 erratum 2441007 (Cat B rare) + * ARM C1-Premium erratum 4193780 + * ARM C1-Ultra erratum 4193780 + * ARM Cortex-A76 erratum 4193800 + * ARM Cortex-A76AE erratum 4193801 + * ARM Cortex-A77 erratum 4193798 + * ARM Cortex-A78 erratum 4193791 + * ARM Cortex-A78AE erratum 4193793 + * ARM Cortex-A78C erratum 4193794 + * ARM Cortex-A710 erratum 4193788 + * ARM Cortex-X1 erratum 4193791 + * ARM Cortex-X1C erratum 4193792 + * ARM Cortex-X2 erratum 4193788 + * ARM Cortex-X3 erratum 4193786 + * ARM Cortex-X4 erratum 4118414 + * ARM Cortex-X925 erratum 4193781 + * ARM Neoverse-N1 erratum 4193800 + * ARM Neoverse-N2 erratum 4193789 + * ARM Neoverse-V1 erratum 4193790 + * ARM Neoverse-V2 erratum 4193787 + * ARM Neoverse-V3 erratum 4193784 + * ARM Neoverse-V3AE erratum 4193784 * Present in all revisions */ - if (CPU_IMPL(midr) == CPU_IMPL_ARM && - CPU_PART(midr) == CPU_PART_CORTEX_A55) - return (FEAT_DEFAULT_DISABLE); + if (CPU_IMPL(midr) == CPU_IMPL_ARM) { + switch(CPU_PART(midr)) { + case CPU_PART_C1_PREMIUM: + case CPU_PART_C1_ULTRA: + case CPU_PART_CORTEX_A76: + case CPU_PART_CORTEX_A76AE: + case CPU_PART_CORTEX_A77: + case CPU_PART_CORTEX_A78: + case CPU_PART_CORTEX_A78AE: + case CPU_PART_CORTEX_A78C: + case CPU_PART_CORTEX_A710: + case CPU_PART_CORTEX_X1: + case CPU_PART_CORTEX_X1C: + case CPU_PART_CORTEX_X2: + case CPU_PART_CORTEX_X3: + case CPU_PART_CORTEX_X4: + case CPU_PART_CORTEX_X925: + case CPU_PART_NEOVERSE_N1: + case CPU_PART_NEOVERSE_N2: + case CPU_PART_NEOVERSE_V1: + case CPU_PART_NEOVERSE_V2: + case CPU_PART_NEOVERSE_V3: + case CPU_PART_NEOVERSE_V3AE: + return (FEAT_DEFAULT_ENABLE); + } + } /* - * Cortex-A76 erratum 1286807 (Cat B rare) - * Present in r0p0 - r3p0 - * Fixed in r3p1 + * Cortex-A55 erratum 2441007 (Cat B rare) + * Present in all revisions */ - if (midr_check_var_part_range(midr, CPU_IMPL_ARM, CPU_PART_CORTEX_A76, - 0, 0, 3, 0)) + if (CPU_IMPL(midr) == CPU_IMPL_ARM && + CPU_PART(midr) == CPU_PART_CORTEX_A55) return (FEAT_DEFAULT_DISABLE); /* From nobody Tue Jun 9 19:17:53 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdwK4hSCz6gTq7 for ; Tue, 09 Jun 2026 19:17:53 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdwK1BDDz3MB0 for ; Tue, 09 Jun 2026 19:17:53 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032673; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=hPjykpwUnmlIfngvWuctUqt4qCz7+QnseXLhwZqQlpM=; b=rO1LD2250/2fiAkwqOIQS/WEdgbwoyy5OVKB0c8+jSxK1v43YbEl9pz5m/EtJG+Lj7PLg1 8fSSZp/xWtf7/gf6Dp2g4ImM4/QgWzoo0MwSSKiA091BL73IcHiR9UIWxN4LPUXJgen9zo NaiGis5jhDIxjabzTU7jAr0/ablYtPoKm2Cp7B4emB+myb1eMCcXtqgWrQyiMHZpGsQruE 83PYLTJJPavYiSA5WfrfPYeW9T4DhHANJF8Xmxt2p4mRQkNSFKVDspcRIOjABnewNNfU9M epoa0F8cRLPlOHrt/eahNGpKGxTqjn1A7i3nwN+LM57qXRKH4ZhKDZ7QIDgxYw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032673; a=rsa-sha256; cv=none; b=AYu8IwHh8uW4jkz+WZYiJ5u4PF5htil92ZJONx3YEpVU5ajv6XuEt90lYiBNzRcRV4qZ7k Lstm295VrX2e5Vy8JaAWRdTTKwi34fr2jYiCRgekWnxuEuNS8wHs5JIlCzpTFakBsnTfi5 bUS/WQk+Elzqob85v6KJSq3dE1XbyCBllqG7o/Z+C95zlDwdMEorKd0AIt9jOoj9CQ7zqc LMEMFbpw1g/XbMMLDf0DpPZJtL8xeEB1wdVloO+/2D51N9LR1zRl601Tv+psGAept2DT4F m8yzAAUhqxvmutX2AKplm0lhgnyLnWBx8h4vBDBSIWToy3CperaIa8V2uVH9xA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032673; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=hPjykpwUnmlIfngvWuctUqt4qCz7+QnseXLhwZqQlpM=; b=O1vmD9RrX/gl0Y54StTq0wQiwcmGzlO+Kmk+OsMfJRpd+upWRjjAp/AzpRPSVrMKhcWFnr EGB4xdVJvWns3LDlqWNrBWu2PfF7VkNvuks5XX/Y7URvKzShHXePtCrhAa4Xsn3tWgZVwX 9TLCBeCuXxN/KmB+AC5LgUhlg+mJd9BCC8K2x9xlJE6gKkt0D8PjcRepuxW9ZoL6APUTNi UWs3QfI9PWFV3VLACVjntabN4s0mS3sUFD7VBdIK2eRpq0d2dxMNRXO41NjdNxDVh6kosZ Zog6lKfE8lwwETtMmCq0brCs+xwn/Kw6E+pfThSOCVgIWlgRW+nmsXn8LQUGvQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdwK0NgHznrM for ; Tue, 09 Jun 2026 19:17:53 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3f424 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:17:53 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: e417948e6139 - stable/14 - imgact_elf: Clear no-ASLR and -WXORX flags earlier for setugid images List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: e417948e6139cc69ebff46ecb747695db82cd14a Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:17:53 +0000 Message-Id: <6a2866e1.3f424.4b1ac774@gitrepo.freebsd.org> The branch stable/14 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=e417948e6139cc69ebff46ecb747695db82cd14a commit e417948e6139cc69ebff46ecb747695db82cd14a Author: Mark Johnston AuthorDate: 2026-06-02 20:29:00 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 19:15:22 +0000 imgact_elf: Clear no-ASLR and -WXORX flags earlier for setugid images Otherwise an unprivileged user can disable randomization of the base address for PIEs even if they are setugid. Add a regression test. Approved by: so Security: FreeBSD-SA-26:32.elf Security: CVE-2026-49414 Reported by: David Berard Reviewed by: kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57397 --- sys/kern/imgact_elf.c | 55 ++++++++--------- tests/sys/kern/Makefile | 2 + tests/sys/kern/aslr.c | 157 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 187 insertions(+), 27 deletions(-) diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c index 5261e94846a0..ff482ca5d658 100644 --- a/sys/kern/imgact_elf.c +++ b/sys/kern/imgact_elf.c @@ -1230,11 +1230,39 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) error = ENOEXEC; goto ret; } + + /* + * Avoid a possible deadlock if the current address space is destroyed + * and that address space maps the locked vnode. In the common case, + * the locked vnode's v_usecount is decremented but remains greater + * than zero. Consequently, the vnode lock is not needed by vrele(). + * However, in cases where the vnode lock is external, such as nullfs, + * v_usecount may become zero. + * + * The VV_TEXT flag prevents modifications to the executable while + * the vnode is unlocked. + */ + VOP_UNLOCK(imgp->vp); + + /* + * Decide whether to enable randomization of user mappings. First, + * reset user preferences for the setid binaries. Then, account for the + * support of randomization by the ABI, by user preferences, and make + * special treatment for PIE binaries. + */ + if (imgp->credential_setid) { + PROC_LOCK(imgp->proc); + imgp->proc->p_flag2 &= ~(P2_ASLR_ENABLE | P2_ASLR_DISABLE | + P2_WXORX_DISABLE | P2_WXORX_ENABLE_EXEC); + PROC_UNLOCK(imgp->proc); + } + sv = brand_info->sysvec; if (hdr->e_type == ET_DYN) { if ((brand_info->flags & BI_CAN_EXEC_DYN) == 0) { uprintf("Cannot execute shared object\n"); error = ENOEXEC; + (void)vn_lock(imgp->vp, LK_SHARED | LK_RETRY); goto ret; } /* @@ -1253,33 +1281,6 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) imgp->et_dyn_addr = __elfN(pie_base); } } - - /* - * Avoid a possible deadlock if the current address space is destroyed - * and that address space maps the locked vnode. In the common case, - * the locked vnode's v_usecount is decremented but remains greater - * than zero. Consequently, the vnode lock is not needed by vrele(). - * However, in cases where the vnode lock is external, such as nullfs, - * v_usecount may become zero. - * - * The VV_TEXT flag prevents modifications to the executable while - * the vnode is unlocked. - */ - VOP_UNLOCK(imgp->vp); - - /* - * Decide whether to enable randomization of user mappings. - * First, reset user preferences for the setid binaries. - * Then, account for the support of the randomization by the - * ABI, by user preferences, and make special treatment for - * PIE binaries. - */ - if (imgp->credential_setid) { - PROC_LOCK(imgp->proc); - imgp->proc->p_flag2 &= ~(P2_ASLR_ENABLE | P2_ASLR_DISABLE | - P2_WXORX_DISABLE | P2_WXORX_ENABLE_EXEC); - PROC_UNLOCK(imgp->proc); - } if ((sv->sv_flags & SV_ASLR) == 0 || (imgp->proc->p_flag2 & P2_ASLR_DISABLE) != 0 || (fctl0 & NT_FREEBSD_FCTL_ASLR_DISABLE) != 0) { diff --git a/tests/sys/kern/Makefile b/tests/sys/kern/Makefile index c455b40747e8..9f0c29736257 100644 --- a/tests/sys/kern/Makefile +++ b/tests/sys/kern/Makefile @@ -8,6 +8,7 @@ TESTSRC= ${SRCTOP}/contrib/netbsd-tests/kernel TESTSDIR= ${TESTSBASE}/sys/kern +ATF_TESTS_C+= aslr ATF_TESTS_C+= basic_signal ATF_TESTS_C+= copy_file_range .if ${MACHINE_ARCH} != "i386" && ${MACHINE_ARCH} != "powerpc" && \ @@ -79,6 +80,7 @@ PROGS+= coredump_phnum_helper PROGS+= pdeathsig_helper PROGS+= sendfile_helper +LIBADD.aslr+= util LIBADD.copy_file_range+= md LIBADD.jail_lookup_root+= jail util CFLAGS.sys_getrandom+= -I${SRCTOP}/sys/contrib/zstd/lib diff --git a/tests/sys/kern/aslr.c b/tests/sys/kern/aslr.c new file mode 100644 index 000000000000..13038054603c --- /dev/null +++ b/tests/sys/kern/aslr.c @@ -0,0 +1,157 @@ +/* + * Copyright (c) 2026 The FreeBSD Foundation + * + * This software was developed by Mark Johnston under sponsorship from the + * FreeBSD Foundation. + */ + +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +#include + +/* + * Spawn an unprivileged child with ASLR force-disabled, which then execs + * /sbin/ping (setuid root). + */ +static pid_t +spawn_ping(const atf_tc_t *tc) +{ + const char *user; + struct passwd *passwd; + pid_t child; + int arg, error; + + user = atf_tc_get_config_var(tc, "unprivileged_user"); + passwd = getpwnam(user); + ATF_REQUIRE(passwd != NULL); + + child = fork(); + ATF_REQUIRE(child >= 0); + if (child == 0) { + if (seteuid(passwd->pw_uid) != 0) + _exit(1); + + arg = PROC_ASLR_FORCE_DISABLE; + error = procctl(P_PID, getpid(), PROC_ASLR_CTL, &arg); + if (error != 0) + _exit(2); + + execl("/sbin/ping", "ping", "127.0.0.1", NULL); + _exit(127); + } + usleep(500000); /* XXX-MJ */ + + return (child); +} + +/* + * Return the base address of the first mapping backed by the specified + * executable in the given process, or 0 if not found. + */ +static uint64_t +text_base(pid_t pid, const char *path) +{ + struct kinfo_vmentry *vmmap; + uint64_t base; + int cnt; + + base = 0; + vmmap = kinfo_getvmmap(pid, &cnt); + if (vmmap == NULL) + return (0); + for (int i = 0; i < cnt; i++) { + if (vmmap[i].kve_type == KVME_TYPE_VNODE && + strcmp(vmmap[i].kve_path, path) == 0) { + base = vmmap[i].kve_start; + break; + } + } + free(vmmap); + return (base); +} + +/* + * Make sure that ASLR can't be disabled for a setuid executable by an + * unprivileged user. + */ +ATF_TC(aslr_setuid); +ATF_TC_HEAD(aslr_setuid, tc) +{ + atf_tc_set_md_var(tc, "require.user", "root"); + atf_tc_set_md_var(tc, "require.config", "unprivileged_user"); +} +ATF_TC_BODY(aslr_setuid, tc) +{ + struct stat sb; + uint64_t bases[5]; + pid_t child, pid; + int arg, error, st; + + if (!atf_tc_has_config_var(tc, "unprivileged_user")) + atf_tc_skip("unprivileged_user not set"); + + error = stat("/sbin/ping", &sb); + ATF_REQUIRE(error == 0); + ATF_REQUIRE_MSG(sb.st_uid == 0 && (sb.st_mode & S_ISUID) != 0, + "/sbin/ping is not setuid root"); + + child = spawn_ping(tc); + bases[0] = text_base(child, "/sbin/ping"); + ATF_REQUIRE_MSG(bases[0] != 0, + "failed to find /sbin/ping text segment"); + + arg = 0; + error = procctl(P_PID, child, PROC_ASLR_STATUS, &arg); + ATF_REQUIRE_MSG(error == 0, "procctl ASLR_STATUS failed: %s", + strerror(errno)); + ATF_REQUIRE_MSG((arg & PROC_ASLR_ACTIVE) != 0, + "ASLR is not active for setuid child"); + ATF_REQUIRE_MSG((arg & ~PROC_ASLR_ACTIVE) == PROC_ASLR_NOFORCE, + "expected NOFORCE for setuid child, got %d", + arg & ~PROC_ASLR_ACTIVE); + + error = kill(child, SIGTERM); + ATF_REQUIRE(error == 0); + pid = waitpid(child, &st, 0); + ATF_REQUIRE(pid == child); + ATF_REQUIRE(WIFSIGNALED(st) && WTERMSIG(st) == SIGTERM); + + for (size_t i = 1; i < nitems(bases); i++) { + child = spawn_ping(tc); + bases[i] = text_base(child, "/sbin/ping"); + ATF_REQUIRE_MSG(bases[i] != 0, + "failed to find /sbin/ping text segment"); + error = kill(child, SIGTERM); + ATF_REQUIRE(error == 0); + pid = waitpid(child, &st, 0); + ATF_REQUIRE(pid == child); + ATF_REQUIRE(WIFSIGNALED(st) && WTERMSIG(st) == SIGTERM); + } + + /* Verify that the text base is different across all runs. */ + for (size_t i = 0; i < nitems(bases); i++) { + for (size_t j = i + 1; j < nitems(bases); j++) { + ATF_REQUIRE_MSG(bases[i] != bases[j], + "ping text base collision 0x%jx", + (uintmax_t)bases[i]); + } + } +} + +ATF_TP_ADD_TCS(tp) +{ + ATF_TP_ADD_TC(tp, aslr_setuid); + + return (atf_no_error()); +} From nobody Tue Jun 9 19:17:50 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdwJ1cyzz6gV3X for ; Tue, 09 Jun 2026 19:17:52 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdwG6pK7z3Lw0 for ; Tue, 09 Jun 2026 19:17:50 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032671; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=DMuuq5oXY0Q8a4eOwL7uwXqFO5zOZFF3IKxrvuQz1n8=; b=t/IrFdy3wUjaoi9qF3l6TBiUca5NrRykC5X1DYOTqXdpQRMeCb7u0R7FX5ljwZYClF0GLo ZwFdUpvdfPIeMZYl6d8NHy8fdovQ6tMTbS7b4zGVwDqzOIzDfq5MeTWbcKYE6pt7CKb8ZS ZUAUgarpWT3CxXxyuvIXvRjwASQtIVgTe8jTCrDrKS9h8ZANX44cxCihNQUlxMH5vogrdk pFOwmkQiFynrfYNLUTyP5RTKanukOZadlPERIl+5FPwjyu9CZ8dxMzegpK4LuYsPF4rLw1 I7235mF31heQ8AgQZo3NhgXLE1Y3t70+pbcnUStmxU7wtaRsLiU8GwXzd0OSOw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032671; a=rsa-sha256; cv=none; b=xcE8C7ZvkuzAw8hfzq7JVOuZljc6fvxL8pcTQdFsM7mGLae+IgoJdMG/kdgVak4ywLJJdZ i1G1ACzZrbiP8aAsrpdQwjuKkdxJrP81+FMmm08XEzoikX0TM/lE4JJ0Hyymb++nCq43bU P7K2RNH/yj2UsnMW/7bwQjxFlrjsCN9fkyNvt22SFKbV3P4CEVcK2Iu9COki/gJ5LVjPlm KVoxOgH5rXE+8VPM/0TpFYVM61Uh5JBlDopyI82PdaZrn/R26Omc0tYdODBRQ+8aUNUgAc PImycZPT2VptCQLOczmCwUcjCOzzrZ20QD2okALBPTBZL+PbmOVdparx9jDVCw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032671; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=DMuuq5oXY0Q8a4eOwL7uwXqFO5zOZFF3IKxrvuQz1n8=; b=rBbsNEX/8PwTjiRfU0aQLTIBMZ0pmkdBejVgqR3MbXgMaHwVtcw22xFA9YKae37HUs2415 N7qProzhBfe/0Nrzx4cqEkGU9O56AmaKgSKxap2uAc5wNy8nhymgKgA42VDM1IjeE+q2m4 kInji/qTX2J12IVfSHdl4pGnLXNu6JCzKCb201AWjviZE3U9wdPRF9dnmglPNcvLzth5Wk WNMj+Fvlh2WNN4eCHZI1SBV+7hlqWi+uCjOYIvU/kQov/wAZYnqbrtrxpYGRtJd+59pORG 4QbtPvunsNi9AFeCUuEbWxE3LYbzEONAkaIUTz9tL1Ck5A9+dmuuI0Imjkjqeg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdwG67tVznt7 for ; Tue, 09 Jun 2026 19:17:50 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3c4f3 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:17:50 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: ff411cc40cd4 - stable/14 - linux: Correct the issetugid check in copyout_auxargs List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: ff411cc40cd4001b4ce40c83480df527f30c2dfc Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:17:50 +0000 Message-Id: <6a2866de.3c4f3.7adb7dad@gitrepo.freebsd.org> The branch stable/14 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=ff411cc40cd4001b4ce40c83480df527f30c2dfc commit ff411cc40cd4001b4ce40c83480df527f30c2dfc Author: Mark Johnston AuthorDate: 2026-05-29 21:41:35 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 19:15:21 +0000 linux: Correct the issetugid check in copyout_auxargs The runtime linker in glibc relies on the AT_SECURE auxv entry to know whether the executable is set-ugid, if so then various dangerous functionality such as LD_PRELOAD is disabled. The check added in commit 669414e4fb74 failed to take into account the fact that during execve, P_SUGID may not yet be set for a set-ugid process. Correct the test. Approved by: so Security: FreeBSD-SA-26:30.linux Security: CVE-2026-49413 Reported by: Minseong Kim Fixes: 669414e4fb74 ("Implement AT_SECURE properly.") Reviewed by: kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57350 --- sys/compat/linux/linux_elf.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/sys/compat/linux/linux_elf.c b/sys/compat/linux/linux_elf.c index c9eb6aea8373..6c9f785c97e7 100644 --- a/sys/compat/linux/linux_elf.c +++ b/sys/compat/linux/linux_elf.c @@ -492,11 +492,9 @@ __linuxN(copyout_auxargs)(struct image_params *imgp, uintptr_t base) struct thread *td = curthread; Elf_Auxargs *args; Elf_Auxinfo *aarray, *pos; - struct proc *p; int error, issetugid; - p = imgp->proc; - issetugid = p->p_flag & P_SUGID ? 1 : 0; + issetugid = imgp->credential_setid ? 1 : 0; args = imgp->auxargs; aarray = pos = malloc(LINUX_AT_COUNT * sizeof(*pos), M_TEMP, M_WAITOK | M_ZERO); From nobody Tue Jun 9 19:17:55 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdwM5zfHz6gTyc for ; Tue, 09 Jun 2026 19:17:55 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdwM2XT3z3M1V for ; Tue, 09 Jun 2026 19:17:55 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032675; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=W2kjtUYkj9f2Kj2uVZl7NSwR6d0I8JiUo+TdlkscwiQ=; b=NeMHZs4wOUzTd2Z7sf9DrYbshCQPxHNgkZDn2Z88RI6pA+cKys99VYloiiWsU4jINrRuBg F3NOV68Rg6hCI9f95pig7amVjjJ4u4/x1DiVaEBoNRDwmdBi02cgxzyZOae3ymHO0ZkMB1 dhZV0LCkeNPPnI8eXVUmVLOSJENXZ8Rg2rhFMUJV+ETfyQ644eh4EVN940TaxdhPtLBUI+ JK1xGLlXJF1rEenrUy8XAWqySl6o/zJUAt/+3zCOO5juOURiIzPNvQPl3axWoaQrMV6ckv VthKI7J7fr/E9AtHpuN3hhqWGCYL+K04qk/LkL+pL1Q3AMv/vOuXkB2Hrha9ag== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032675; a=rsa-sha256; cv=none; b=eENW2MpexyQHkLsCmzfbhe15koWLgmdv4uSEvSokjEKCD9kx+V9pDzCHGAH78azwsW6MK0 Onm0qYNMPgIhgw30SbBQFPpN4wUBNMjPSHzCXHzXEW5nekhaK8djBfgVU3MJQXRrWM+9gx hROQ9SwJNLKyzNrJOVWUKi63CTD7FAcwZpJ0Rva6xlaff5exy6tJBEGsr2EI/99aT0fRB9 /m87iSBV8YpbeychB4bfw0Hvgv8TKhG+glhJrtxoQiQ+oTDnrdHtcPZ8CIkrsazLW5/wMk vH7X6l5B32C0DsSfqSyaNVUb8RZRs0hCwEqRGn9wK1zc95aIzwBN/43gVBGADg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032675; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=W2kjtUYkj9f2Kj2uVZl7NSwR6d0I8JiUo+TdlkscwiQ=; b=LLsQWsPRvivmjz/skpuXyVmz48Bum5c9BB5e6RDbRl4DMXHBiv+Y72F2Oi1deFxjst8vBV 77rrCSExGdA8WsuMS877Fi8Z9P2dkBJ9ozEc9oFCUAEyCwaYZrgqoI6dj4HsBDVtg4aPdB DQxGDCovQx4gsSdqqEkcld8ji0fvhoMyyCRscXnUxB/o9P+uCkzUhy3Au0M3QzJNgHOe0r EmrafwmH0grl+q/tOMi2PIMarsnRat5QSiz8PsTc8Kso9InsPeztn10hv4hHkOzDzvUoAZ iBEGlhvq+eO0+96wwObo2lRfnx875CG/9DuHudc7s5Hr97JfGwxi44y+yMWfmg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdwM1lbzznkc for ; Tue, 09 Jun 2026 19:17:55 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e3ba by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:17:55 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Gordon Tetlow From: Mark Johnston Subject: git: 5719a342555b - stable/14 - ldns: Fix query response validation List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 5719a342555bc56b552db27b1852193968b86323 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:17:55 +0000 Message-Id: <6a2866e3.3e3ba.e0dcf93@gitrepo.freebsd.org> The branch stable/14 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=5719a342555bc56b552db27b1852193968b86323 commit 5719a342555bc56b552db27b1852193968b86323 Author: Gordon Tetlow AuthorDate: 2026-06-07 15:27:56 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 19:15:22 +0000 ldns: Fix query response validation Approved by: so Security: FreeBSD-SA-26:36.ldns Security: CVE-2026-10846 --- contrib/ldns/error.c | 6 ++++ contrib/ldns/ldns/error.h | 5 ++- contrib/ldns/net.c | 92 +++++++++++++++++++++++++++++++++++++++++++++-- 3 files changed, 100 insertions(+), 3 deletions(-) diff --git a/contrib/ldns/error.c b/contrib/ldns/error.c index 5723aea9b4c2..4fc05d6d0d8f 100644 --- a/contrib/ldns/error.c +++ b/contrib/ldns/error.c @@ -191,6 +191,12 @@ ldns_lookup_table ldns_error_str[] = { "at least 2 bytes of option data" }, { LDNS_STATUS_EQUAL_RR, "An identical RR already existed in the zone" }, + { LDNS_STATUS_ID_DID_NOT_MATCH, + "Response ID did not match the query ID" }, + { LDNS_STATUS_QDCOUNT_MUST_BE_ONE, + "The query section MUST contain exactly one question" }, + { LDNS_STATUS_QUERY_DID_NOT_MATCH, + "The question in the response did not match the query" }, { 0, NULL } }; diff --git a/contrib/ldns/ldns/error.h b/contrib/ldns/ldns/error.h index a76eb2ecab5d..41d64cc0815f 100644 --- a/contrib/ldns/ldns/error.h +++ b/contrib/ldns/ldns/error.h @@ -144,7 +144,10 @@ enum ldns_enum_status { LDNS_STATUS_INVALID_SVCPARAM_VALUE, LDNS_STATUS_NOT_EDE, LDNS_STATUS_EDE_OPTION_MALFORMED, - LDNS_STATUS_EQUAL_RR + LDNS_STATUS_EQUAL_RR, + LDNS_STATUS_ID_DID_NOT_MATCH, + LDNS_STATUS_QDCOUNT_MUST_BE_ONE, + LDNS_STATUS_QUERY_DID_NOT_MATCH }; typedef enum ldns_enum_status ldns_status; diff --git a/contrib/ldns/net.c b/contrib/ldns/net.c index e944d018b357..4c1f405419fb 100644 --- a/contrib/ldns/net.c +++ b/contrib/ldns/net.c @@ -441,6 +441,50 @@ ldns_udp_bgsend2(ldns_buffer *qbin, return ldns_udp_bgsend_from(qbin, to, tolen, NULL, 0, timeout); } +/** helper sockaddr compare function. returns -1, 0 or 1. */ +static int +ldns_sockaddr_cmp(const struct sockaddr_storage* addr1, socklen_t len1, + const struct sockaddr_storage* addr2, socklen_t len2) +{ + struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1; + struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2; + struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1; + struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2; + if(len1 < len2) + return -1; + if(len1 > len2) + return 1; + assert(len1 == len2); + if( p1_in->sin_family < p2_in->sin_family) + return -1; + if( p1_in->sin_family > p2_in->sin_family) + return 1; + assert( p1_in->sin_family == p2_in->sin_family ); + /* compare ip4 */ + if( p1_in->sin_family == AF_INET ) { + /* just order it, ntohs not required */ + if(p1_in->sin_port < p2_in->sin_port) + return -1; + if(p1_in->sin_port > p2_in->sin_port) + return 1; + assert(p1_in->sin_port == p2_in->sin_port); + return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, + sizeof(p1_in->sin_addr)); + } else if (p1_in6->sin6_family == AF_INET6) { + /* just order it, ntohs not required */ + if(p1_in6->sin6_port < p2_in6->sin6_port) + return -1; + if(p1_in6->sin6_port > p2_in6->sin6_port) + return 1; + assert(p1_in6->sin6_port == p2_in6->sin6_port); + return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr, + sizeof(p1_in6->sin6_addr)); + } else { + /* eek unknown type, perform this comparison for sanity. */ + return memcmp(addr1, addr2, len1); + } +} + static ldns_status ldns_udp_send_from(uint8_t **result, ldns_buffer *qbin, const struct sockaddr_storage *to , socklen_t tolen, @@ -449,6 +493,8 @@ ldns_udp_send_from(uint8_t **result, ldns_buffer *qbin, { int sockfd; uint8_t *answer; + struct sockaddr_storage reply_addr; + socklen_t reply_addr_len; sockfd = ldns_udp_bgsend_from(qbin, to, tolen, from, fromlen, timeout); @@ -467,13 +513,21 @@ ldns_udp_send_from(uint8_t **result, ldns_buffer *qbin, * but returns a 'NETWORK_ERROR' much like a timeout. */ ldns_sock_nonblock(sockfd); - answer = ldns_udp_read_wire(sockfd, answer_size, NULL, NULL); + reply_addr_len = sizeof(reply_addr); + memset(&reply_addr, 0, reply_addr_len); + answer = ldns_udp_read_wire(sockfd, answer_size, &reply_addr, + &reply_addr_len); close_socket(sockfd); if (!answer) { /* oops */ return LDNS_STATUS_NETWORK_ERR; } + /* Check that the reply came from the to addr. */ + if(ldns_sockaddr_cmp(to, tolen, &reply_addr, reply_addr_len) != 0) { + free(answer); + return LDNS_STATUS_NETWORK_ERR; + } *result = answer; return LDNS_STATUS_OK; @@ -512,6 +566,10 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf assert(r != NULL); + /* The query should at least have one question */ + if(ldns_buffer_limit(qb) < 6 || ldns_buffer_read_u16_at(qb, 4) != 1) + return LDNS_STATUS_QDCOUNT_MUST_BE_ONE; + status = LDNS_STATUS_OK; rtt = ldns_resolver_rtt(r); ns_array = ldns_resolver_nameservers(r); @@ -599,6 +657,16 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf ldns_resolver_set_nameserver_rtt(r, i, LDNS_RESOLV_RTT_INF); status = send_status; } + if(reply_bytes && ldns_buffer_limit(qb) >= 2) { + uint16_t txid = ldns_buffer_read_u16_at(qb, 0); + if(reply_size < 2 || + ldns_read_uint16(reply_bytes) != txid) { + status = LDNS_STATUS_ID_DID_NOT_MATCH; + LDNS_FREE(reply_bytes); + reply_bytes = NULL; + reply_size = 0; + } + } /* obey the fail directive */ if (!reply_bytes) { @@ -608,7 +676,7 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf LDNS_FREE(src); } LDNS_FREE(ns); - return LDNS_STATUS_ERR; + return status ? status : LDNS_STATUS_ERR; } else { LDNS_FREE(ns); continue; @@ -670,6 +738,26 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf #endif /* HAVE_SSL */ LDNS_FREE(reply_bytes); + if (reply) { + ldns_pkt *query = NULL; + + if(ldns_pkt_qdcount(reply) != 1) { + status = LDNS_STATUS_QDCOUNT_MUST_BE_ONE; + ldns_pkt_free(reply); + reply = NULL; + + } else if(ldns_wire2pkt(&query + , ldns_buffer_begin(qb) + , ldns_buffer_position(qb)) != LDNS_STATUS_OK + || ldns_pkt_qdcount(query) != 1 + || ldns_rr_compare(ldns_rr_list_rr(ldns_pkt_question(query),0) + ,ldns_rr_list_rr(ldns_pkt_question(reply),0))){ + status = LDNS_STATUS_QUERY_DID_NOT_MATCH; + ldns_pkt_free(reply); + reply = NULL; + } + ldns_pkt_free(query); + } if (result) { *result = reply; } From nobody Tue Jun 9 19:18:25 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdx52gHYz6gTsn for ; Tue, 09 Jun 2026 19:18:33 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdx51LQgz3NJc for ; Tue, 09 Jun 2026 19:18:33 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032713; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=PaFrZJevbkljy+ln7F2aN2JKm7t4ITiTZqMZ59+34iA=; b=HDo4zO59WVy4G8miwT/017WH5rvu5Qj3gTvJ64wgt9hcTquR4JhumyB7hiLMKMw8CVsFJA VimVJGMVT2KWIRSMr+ZVUCI47jZzEMIQRyzUSh1Tsa8sJjdsNHRwJXgUELm2sPtnzkzU+E DwIrR8LtFKkAB4YpHz7Y2NY1axrCSdjkJDU0qvbjIe68Kk746h5MfDkvBQSzbx/4hJikI6 HqDQ8ihyi56Fh3bBfPMn6Yv2YJkXG2euSLcU7tLd/dSOONdq7K+e902kyTaD6RUuZvb9xu d152GBfVyoB/W/q8QVOPNa4MUzI1ZM8/m0lUor7FYJkcKAEmF40Dizh7uaIC5A== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032713; a=rsa-sha256; cv=none; b=CgfKmzhyo/uzyzJEPPCT0JQbz0KCqh3ZvQouFo5UCJfSV0Uwx7xkoEQl6TXkSJCyhafcUh U/zAnfOjDwGNpabhiO8LQ084RNoYNKF930uRGhdbacXywtQOdaRzBTPakSlshDRE6VvGnr j+iXTwVxkNbBvraXXdGBoB85rI6fkC654lHDswntvUziqPpLqskekjngZS1N1+0thn7y1d U5XoMUbwI/xY+TdE279liQSvLLDCGHynAsx2w7GLqu6InoHOmcheHBuhj7Q+CRLrixC7mO qjWp8dFioa6mwNE1y+aWqYW2B87C0YHVKcpmlDvDXDh9/ruoQPBDwiQ9nGTd7w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032713; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=PaFrZJevbkljy+ln7F2aN2JKm7t4ITiTZqMZ59+34iA=; b=HHd//dVK+IM4H3CfSLLVABZ8kzarpQJNHcsulxn48frdKLW+nPnywUZ8GC0P3ebEIqjxNI 6vV5/S2wkvq/H+dpBeosIIULKAdVVo4RvkxmuMGY+/R8pg2F6Wj4cYv+zx9f5LTOZtGPUr Rs0PuUQQ5tK50HUFW2z5rftwfXMd29U5mv1O9A3iwMESa3xbhJwrqz4jORDgEIBvkXhDuI ThuaUvaiYajI2sCyXoDFkJH1QU9cN54k1Oa4JsiCtzInfmELgyIfzD73BQ+iEbM+RQVWdV QKd/uU4uvcC7rqtNMCIEUYaIfqlh5XVCXr4eymDroSefdiNgYGQU6mUw5wmFPw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdx50X2yznrQ for ; Tue, 09 Jun 2026 19:18:33 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e986 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:18:25 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Enji Cooper From: Mark Johnston Subject: git: d95a8c20f3bc - releng/14.3 - crypto/openssl: Update to 3.0.20 List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.3 X-Git-Reftype: branch X-Git-Commit: d95a8c20f3bccf1cebfef97328aebd8108c0ae8b Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:18:25 +0000 Message-Id: <6a286701.3e986.40b6f61b@gitrepo.freebsd.org> The branch releng/14.3 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=d95a8c20f3bccf1cebfef97328aebd8108c0ae8b commit d95a8c20f3bccf1cebfef97328aebd8108c0ae8b Author: Enji Cooper AuthorDate: 2025-05-28 02:34:44 +0000 Commit: Mark Johnston CommitDate: 2026-06-07 15:53:08 +0000 crypto/openssl: Update to 3.0.20 This particular change contains all functional and security fixes made between 3.0.16 and 3.0.20. OSSL_HTTP_get(): Reset redirection_url in each iteration (cherry picked from commit 4b286fc6d5f1762a17180ab86b5cf7debf78d020) crypto/openssl: make vendor imports easier/less error prone (cherry picked from commit d03be8cf3346dae1e438ded3aae4453045b77486) crypto/openssl: apply polish to new vendor import process (cherry picked from commit 79f62601c73d875123b9c800e688f3c4b70e0b73) crypto/openssl: fix importing new versions from pristine trees (cherry picked from commit 026e3d12ba24188fbe84207e55195defb31bf81a) crypto/openssl: remove autogenerated files (cherry picked from commit 913d1916e3e265098fdd87d9b9f6c12a930c71bc) OpenSSL: update build artifacts to match 3.0.16 release (cherry picked from commit aed5a47b3a8a105f1452554a176a7d6c0a750854) OpenSSL: install .pc files from the exporters subdir (cherry picked from commit 9a64f277bf5b422d1ebb3d960f8f6a5920dc3131) crypto/openssl: update from 3.0.16 to 3.0.20 (cherry picked from commit 27ac9d336f715b4ce91bf447f73d5c3621d099ce) Approved by: so Security: FreeBSD-EN-26:15.openssl Security: CVE-2026-2673 Security: CVE-2026-28387 Security: CVE-2026-28388 Security: CVE-2026-28389 Security: CVE-2026-31789 Security: CVE-2026-31790 --- crypto/.gitignore | 78 + crypto/openssl/ACKNOWLEDGEMENTS.md | 4 +- crypto/openssl/BSDmakefile | 101 + crypto/openssl/CHANGES.md | 781 +- crypto/openssl/Configurations/10-main.conf | 3 +- crypto/openssl/Configurations/50-nonstop.conf | 2 + crypto/openssl/Configurations/unix-Makefile.tmpl | 17 +- .../openssl/Configurations/windows-makefile.tmpl | 5 +- crypto/openssl/Configure | 7 +- crypto/openssl/INSTALL.md | 4 +- crypto/openssl/NEWS.md | 460 +- crypto/openssl/NOTES-WINDOWS.md | 5 + crypto/openssl/README-ENGINES.md | 2 +- crypto/openssl/README.md | 9 +- crypto/openssl/VERSION.dat | 4 +- crypto/openssl/apps/CA.pl | 383 + crypto/openssl/apps/CA.pl.in | 260 +- crypto/openssl/apps/asn1parse.c | 72 +- crypto/openssl/apps/ca.c | 742 +- crypto/openssl/apps/ciphers.c | 55 +- crypto/openssl/apps/cmp.c | 1163 +- crypto/openssl/apps/cms.c | 491 +- crypto/openssl/apps/crl.c | 124 +- crypto/openssl/apps/crl2pkcs7.c | 36 +- crypto/openssl/apps/dgst.c | 141 +- crypto/openssl/apps/dhparam.c | 152 +- crypto/openssl/apps/dsa.c | 78 +- crypto/openssl/apps/dsaparam.c | 64 +- crypto/openssl/apps/ec.c | 78 +- crypto/openssl/apps/ecparam.c | 127 +- crypto/openssl/apps/enc.c | 180 +- crypto/openssl/apps/engine.c | 112 +- crypto/openssl/apps/errstr.c | 17 +- crypto/openssl/apps/fipsinstall.c | 192 +- crypto/openssl/apps/gendsa.c | 39 +- crypto/openssl/apps/genpkey.c | 67 +- crypto/openssl/apps/genrsa.c | 57 +- crypto/openssl/apps/include/app_libctx.h | 4 +- crypto/openssl/apps/include/app_params.h | 1 - crypto/openssl/apps/include/apps.h | 262 +- crypto/openssl/apps/include/apps_ui.h | 5 +- crypto/openssl/apps/include/cmp_mock_srv.h | 18 +- crypto/openssl/apps/include/engine_loader.h | 8 +- crypto/openssl/apps/include/fmt.h | 32 +- crypto/openssl/apps/include/function.h | 17 +- crypto/openssl/apps/include/http_server.h | 86 +- crypto/openssl/apps/include/names.h | 2 +- crypto/openssl/apps/include/opt.h | 544 +- crypto/openssl/apps/include/platform.h | 12 +- crypto/openssl/apps/include/s_apps.h | 56 +- crypto/openssl/apps/include/vms_term_sock.h | 12 +- crypto/openssl/apps/info.c | 36 +- crypto/openssl/apps/kdf.c | 45 +- crypto/openssl/apps/lib/app_libctx.c | 3 +- crypto/openssl/apps/lib/app_params.c | 7 +- crypto/openssl/apps/lib/app_provider.c | 5 +- crypto/openssl/apps/lib/app_rand.c | 7 +- crypto/openssl/apps/lib/app_x509.c | 54 +- crypto/openssl/apps/lib/apps.c | 825 +- crypto/openssl/apps/lib/apps_ui.c | 39 +- crypto/openssl/apps/lib/cmp_mock_srv.c | 121 +- crypto/openssl/apps/lib/columns.c | 1 - crypto/openssl/apps/lib/engine.c | 15 +- crypto/openssl/apps/lib/engine_loader.c | 38 +- crypto/openssl/apps/lib/http_server.c | 126 +- crypto/openssl/apps/lib/names.c | 2 +- crypto/openssl/apps/lib/opt.c | 271 +- crypto/openssl/apps/lib/s_cb.c | 625 +- crypto/openssl/apps/lib/s_socket.c | 119 +- crypto/openssl/apps/lib/tlssrp_depr.c | 47 +- crypto/openssl/apps/lib/vms_decc_argv.c | 2 +- crypto/openssl/apps/lib/vms_term_sock.c | 517 +- crypto/openssl/apps/lib/win32_init.c | 31 +- crypto/openssl/apps/list.c | 484 +- crypto/openssl/apps/mac.c | 42 +- crypto/openssl/apps/nseq.c | 22 +- crypto/openssl/apps/ocsp.c | 487 +- crypto/openssl/apps/openssl.c | 58 +- crypto/openssl/apps/passwd.c | 253 +- crypto/openssl/apps/pkcs12.c | 342 +- crypto/openssl/apps/pkcs7.c | 39 +- crypto/openssl/apps/pkcs8.c | 88 +- crypto/openssl/apps/pkey.c | 100 +- crypto/openssl/apps/pkeyparam.c | 32 +- crypto/openssl/apps/pkeyutl.c | 244 +- crypto/openssl/apps/prime.c | 39 +- crypto/openssl/apps/progs.c | 2 +- crypto/openssl/apps/progs.h | 2 +- crypto/openssl/apps/progs.pl | 11 +- crypto/openssl/apps/rand.c | 28 +- crypto/openssl/apps/rehash.c | 169 +- crypto/openssl/apps/req.c | 450 +- crypto/openssl/apps/rsa.c | 103 +- crypto/openssl/apps/rsautl.c | 91 +- crypto/openssl/apps/s_client.c | 1742 +- crypto/openssl/apps/s_server.c | 929 +- crypto/openssl/apps/s_time.c | 164 +- crypto/openssl/apps/sess_id.c | 42 +- crypto/openssl/apps/smime.c | 208 +- crypto/openssl/apps/speed.c | 1256 +- crypto/openssl/apps/spkac.c | 56 +- crypto/openssl/apps/srp.c | 196 +- crypto/openssl/apps/storeutl.c | 181 +- crypto/openssl/apps/testdsa.h | 1490 +- crypto/openssl/apps/testrsa.h | 4912 +++- crypto/openssl/apps/timeouts.h | 8 +- crypto/openssl/apps/ts.c | 269 +- crypto/openssl/apps/verify.c | 137 +- crypto/openssl/apps/version.c | 53 +- crypto/openssl/apps/vms_decc_init.c | 73 +- crypto/openssl/apps/x509.c | 389 +- crypto/openssl/configdata.pm.in | 4 +- crypto/openssl/crypto/LPdir_nyi.c | 2 +- crypto/openssl/crypto/LPdir_unix.c | 23 +- crypto/openssl/crypto/LPdir_vms.c | 24 +- crypto/openssl/crypto/LPdir_win.c | 35 +- crypto/openssl/crypto/LPdir_win32.c | 2 + crypto/openssl/crypto/LPdir_wince.c | 2 + crypto/openssl/crypto/aes/aes_cbc.c | 8 +- crypto/openssl/crypto/aes/aes_cfb.c | 18 +- crypto/openssl/crypto/aes/aes_core.c | 3589 ++- crypto/openssl/crypto/aes/aes_ecb.c | 2 +- crypto/openssl/crypto/aes/aes_ige.c | 56 +- crypto/openssl/crypto/aes/aes_local.h | 51 +- crypto/openssl/crypto/aes/aes_misc.c | 6 +- crypto/openssl/crypto/aes/aes_ofb.c | 6 +- crypto/openssl/crypto/aes/aes_wrap.c | 12 +- crypto/openssl/crypto/aes/aes_x86core.c | 594 +- crypto/openssl/crypto/aes/asm/aes-s390x.pl | 5 +- crypto/openssl/crypto/aes/asm/aesv8-armx.pl | 8 +- crypto/openssl/crypto/aria/aria.c | 337 +- crypto/openssl/crypto/arm_arch.h | 165 +- crypto/openssl/crypto/armcap.c | 154 +- crypto/openssl/crypto/asn1/a_bitstr.c | 12 +- crypto/openssl/crypto/asn1/a_d2i_fp.c | 40 +- crypto/openssl/crypto/asn1/a_digest.c | 9 +- crypto/openssl/crypto/asn1/a_dup.c | 6 +- crypto/openssl/crypto/asn1/a_gentm.c | 8 +- crypto/openssl/crypto/asn1/a_i2d_fp.c | 4 +- crypto/openssl/crypto/asn1/a_int.c | 33 +- crypto/openssl/crypto/asn1/a_mbstr.c | 58 +- crypto/openssl/crypto/asn1/a_object.c | 32 +- crypto/openssl/crypto/asn1/a_octet.c | 4 +- crypto/openssl/crypto/asn1/a_print.c | 3 +- crypto/openssl/crypto/asn1/a_sign.c | 43 +- crypto/openssl/crypto/asn1/a_strex.c | 91 +- crypto/openssl/crypto/asn1/a_strnid.c | 16 +- crypto/openssl/crypto/asn1/a_time.c | 53 +- crypto/openssl/crypto/asn1/a_type.c | 12 +- crypto/openssl/crypto/asn1/a_utctm.c | 2 +- crypto/openssl/crypto/asn1/a_utf8.c | 4 +- crypto/openssl/crypto/asn1/a_verify.c | 27 +- crypto/openssl/crypto/asn1/ameth_lib.c | 172 +- crypto/openssl/crypto/asn1/asn1_err.c | 366 +- crypto/openssl/crypto/asn1/asn1_gen.c | 103 +- crypto/openssl/crypto/asn1/asn1_item_list.h | 4 +- crypto/openssl/crypto/asn1/asn1_lib.c | 12 +- crypto/openssl/crypto/asn1/asn1_local.h | 28 +- crypto/openssl/crypto/asn1/asn1_parse.c | 74 +- crypto/openssl/crypto/asn1/asn_mime.c | 123 +- crypto/openssl/crypto/asn1/asn_mstbl.c | 12 +- crypto/openssl/crypto/asn1/asn_pack.c | 4 +- crypto/openssl/crypto/asn1/bio_asn1.c | 44 +- crypto/openssl/crypto/asn1/bio_ndef.c | 17 +- crypto/openssl/crypto/asn1/d2i_param.c | 2 +- crypto/openssl/crypto/asn1/d2i_pr.c | 41 +- crypto/openssl/crypto/asn1/d2i_pu.c | 4 +- crypto/openssl/crypto/asn1/evp_asn1.c | 26 +- crypto/openssl/crypto/asn1/f_int.c | 7 +- crypto/openssl/crypto/asn1/f_string.c | 4 +- crypto/openssl/crypto/asn1/i2d_evp.c | 34 +- crypto/openssl/crypto/asn1/n_pkey.c | 23 +- crypto/openssl/crypto/asn1/nsseq.c | 6 +- crypto/openssl/crypto/asn1/p5_pbe.c | 19 +- crypto/openssl/crypto/asn1/p5_pbev2.c | 55 +- crypto/openssl/crypto/asn1/p5_scrypt.c | 67 +- crypto/openssl/crypto/asn1/p8_pkey.c | 22 +- crypto/openssl/crypto/asn1/standard_methods.h | 1 - crypto/openssl/crypto/asn1/t_bitst.c | 4 +- crypto/openssl/crypto/asn1/t_pkey.c | 19 +- crypto/openssl/crypto/asn1/t_spki.c | 6 +- crypto/openssl/crypto/asn1/tasn_dec.c | 227 +- crypto/openssl/crypto/asn1/tasn_enc.c | 56 +- crypto/openssl/crypto/asn1/tasn_new.c | 30 +- crypto/openssl/crypto/asn1/tasn_prn.c | 92 +- crypto/openssl/crypto/asn1/tasn_scn.c | 2 +- crypto/openssl/crypto/asn1/tasn_typ.c | 26 +- crypto/openssl/crypto/asn1/tasn_utl.c | 22 +- crypto/openssl/crypto/asn1/tbl_standard.h | 85 +- crypto/openssl/crypto/asn1/x_algor.c | 21 +- crypto/openssl/crypto/asn1/x_bignum.c | 29 +- crypto/openssl/crypto/asn1/x_int64.c | 87 +- crypto/openssl/crypto/asn1/x_long.c | 25 +- crypto/openssl/crypto/asn1/x_sig.c | 8 +- crypto/openssl/crypto/asn1/x_spki.c | 10 +- crypto/openssl/crypto/asn1/x_val.c | 4 +- crypto/openssl/crypto/asn1_dsa.c | 61 +- crypto/openssl/crypto/async/arch/async_null.c | 1 - crypto/openssl/crypto/async/arch/async_null.h | 13 +- crypto/openssl/crypto/async/arch/async_posix.c | 6 +- crypto/openssl/crypto/async/arch/async_posix.h | 51 +- crypto/openssl/crypto/async/arch/async_win.c | 10 +- crypto/openssl/crypto/async/arch/async_win.h | 30 +- crypto/openssl/crypto/async/async.c | 29 +- crypto/openssl/crypto/async/async_err.c | 16 +- crypto/openssl/crypto/async/async_local.h | 9 +- crypto/openssl/crypto/async/async_wait.c | 48 +- crypto/openssl/crypto/bf/bf_cfb64.c | 8 +- crypto/openssl/crypto/bf/bf_ecb.c | 2 +- crypto/openssl/crypto/bf/bf_enc.c | 12 +- crypto/openssl/crypto/bf/bf_local.h | 134 +- crypto/openssl/crypto/bf/bf_ofb64.c | 8 +- crypto/openssl/crypto/bf/bf_pi.h | 1548 +- crypto/openssl/crypto/bio/bf_buff.c | 23 +- crypto/openssl/crypto/bio/bf_lbuf.c | 20 +- crypto/openssl/crypto/bio/bf_prefix.c | 14 +- crypto/openssl/crypto/bio/bf_readbuff.c | 64 +- crypto/openssl/crypto/bio/bio_addr.c | 162 +- crypto/openssl/crypto/bio/bio_cb.c | 22 +- crypto/openssl/crypto/bio/bio_dump.c | 26 +- crypto/openssl/crypto/bio/bio_err.c | 114 +- crypto/openssl/crypto/bio/bio_lib.c | 46 +- crypto/openssl/crypto/bio/bio_local.h | 153 +- crypto/openssl/crypto/bio/bio_meth.c | 46 +- crypto/openssl/crypto/bio/bio_print.c | 173 +- crypto/openssl/crypto/bio/bio_sock.c | 213 +- crypto/openssl/crypto/bio/bio_sock2.c | 87 +- crypto/openssl/crypto/bio/bss_acpt.c | 140 +- crypto/openssl/crypto/bio/bss_bio.c | 68 +- crypto/openssl/crypto/bio/bss_conn.c | 192 +- crypto/openssl/crypto/bio/bss_core.c | 8 +- crypto/openssl/crypto/bio/bss_dgram.c | 833 +- crypto/openssl/crypto/bio/bss_fd.c | 46 +- crypto/openssl/crypto/bio/bss_file.c | 88 +- crypto/openssl/crypto/bio/bss_log.c | 206 +- crypto/openssl/crypto/bio/bss_mem.c | 14 +- crypto/openssl/crypto/bio/bss_null.c | 2 +- crypto/openssl/crypto/bio/bss_sock.c | 101 +- crypto/openssl/crypto/bio/ossl_core_bio.c | 4 +- crypto/openssl/crypto/bn/asm/armv4-gf2m.pl | 4 +- crypto/openssl/crypto/bn/asm/rsaz-avx512.pl | 4 +- crypto/openssl/crypto/bn/asm/sparcv9-mont.pl | 4 +- crypto/openssl/crypto/bn/asm/x86_64-gcc.c | 306 +- crypto/openssl/crypto/bn/bn_add.c | 3 +- crypto/openssl/crypto/bn/bn_asm.c | 457 +- crypto/openssl/crypto/bn/bn_blind.c | 35 +- crypto/openssl/crypto/bn/bn_const.c | 253 +- crypto/openssl/crypto/bn/bn_conv.c | 14 +- crypto/openssl/crypto/bn/bn_ctx.c | 37 +- crypto/openssl/crypto/bn/bn_depr.c | 16 +- crypto/openssl/crypto/bn/bn_dh.c | 1135 +- crypto/openssl/crypto/bn/bn_div.c | 160 +- crypto/openssl/crypto/bn/bn_err.c | 54 +- crypto/openssl/crypto/bn/bn_exp.c | 344 +- crypto/openssl/crypto/bn/bn_exp2.c | 29 +- crypto/openssl/crypto/bn/bn_gcd.c | 35 +- crypto/openssl/crypto/bn/bn_gf2m.c | 158 +- crypto/openssl/crypto/bn/bn_intern.c | 14 +- crypto/openssl/crypto/bn/bn_kron.c | 6 +- crypto/openssl/crypto/bn/bn_lib.c | 74 +- crypto/openssl/crypto/bn/bn_local.h | 820 +- crypto/openssl/crypto/bn/bn_mod.c | 20 +- crypto/openssl/crypto/bn/bn_mont.c | 69 +- crypto/openssl/crypto/bn/bn_mpi.c | 3 +- crypto/openssl/crypto/bn/bn_mul.c | 69 +- crypto/openssl/crypto/bn/bn_nist.c | 432 +- crypto/openssl/crypto/bn/bn_ppc.c | 8 +- crypto/openssl/crypto/bn/bn_prime.c | 70 +- crypto/openssl/crypto/bn/bn_print.c | 6 +- crypto/openssl/crypto/bn/bn_rand.c | 78 +- crypto/openssl/crypto/bn/bn_recp.c | 12 +- crypto/openssl/crypto/bn/bn_rsa_fips186_4.c | 45 +- crypto/openssl/crypto/bn/bn_shift.c | 8 +- crypto/openssl/crypto/bn/bn_sparc.c | 65 +- crypto/openssl/crypto/bn/bn_sqr.c | 16 +- crypto/openssl/crypto/bn/bn_sqrt.c | 13 +- crypto/openssl/crypto/bn/bn_srp.c | 26 +- crypto/openssl/crypto/bn/bn_word.c | 3 +- crypto/openssl/crypto/bn/bn_x931p.c | 25 +- crypto/openssl/crypto/bn/rsaz_exp.c | 40 +- crypto/openssl/crypto/bn/rsaz_exp.h | 67 +- crypto/openssl/crypto/bn/rsaz_exp_x2.c | 182 +- crypto/openssl/crypto/bsearch.c | 12 +- crypto/openssl/crypto/buffer/buf_err.c | 2 +- crypto/openssl/crypto/camellia/camellia.c | 426 +- crypto/openssl/crypto/camellia/cmll_cbc.c | 8 +- crypto/openssl/crypto/camellia/cmll_cfb.c | 18 +- crypto/openssl/crypto/camellia/cmll_ctr.c | 10 +- crypto/openssl/crypto/camellia/cmll_ecb.c | 2 +- crypto/openssl/crypto/camellia/cmll_local.h | 18 +- crypto/openssl/crypto/camellia/cmll_misc.c | 6 +- crypto/openssl/crypto/camellia/cmll_ofb.c | 6 +- crypto/openssl/crypto/cast/c_cfb64.c | 8 +- crypto/openssl/crypto/cast/c_ecb.c | 2 +- crypto/openssl/crypto/cast/c_enc.c | 4 +- crypto/openssl/crypto/cast/c_ofb64.c | 8 +- crypto/openssl/crypto/cast/c_skey.c | 15 +- crypto/openssl/crypto/cast/cast_local.h | 321 +- crypto/openssl/crypto/cast/cast_s.h | 2560 +- crypto/openssl/crypto/chacha/chacha_enc.c | 45 +- crypto/openssl/crypto/chacha/chacha_ppc.c | 24 +- crypto/openssl/crypto/cmac/cmac.c | 3 +- crypto/openssl/crypto/cmp/cmp_asn.c | 189 +- crypto/openssl/crypto/cmp/cmp_client.c | 207 +- crypto/openssl/crypto/cmp/cmp_ctx.c | 208 +- crypto/openssl/crypto/cmp/cmp_err.c | 302 +- crypto/openssl/crypto/cmp/cmp_hdr.c | 50 +- crypto/openssl/crypto/cmp/cmp_http.c | 36 +- crypto/openssl/crypto/cmp/cmp_local.h | 212 +- crypto/openssl/crypto/cmp/cmp_msg.c | 275 +- crypto/openssl/crypto/cmp/cmp_protect.c | 48 +- crypto/openssl/crypto/cmp/cmp_server.c | 128 +- crypto/openssl/crypto/cmp/cmp_status.c | 59 +- crypto/openssl/crypto/cmp/cmp_util.c | 76 +- crypto/openssl/crypto/cmp/cmp_vfy.c | 200 +- crypto/openssl/crypto/cms/cms_asn1.c | 301 +- crypto/openssl/crypto/cms/cms_att.c | 88 +- crypto/openssl/crypto/cms/cms_cd.c | 8 +- crypto/openssl/crypto/cms/cms_dd.c | 13 +- crypto/openssl/crypto/cms/cms_dh.c | 43 +- crypto/openssl/crypto/cms/cms_ec.c | 42 +- crypto/openssl/crypto/cms/cms_enc.c | 32 +- crypto/openssl/crypto/cms/cms_env.c | 192 +- crypto/openssl/crypto/cms/cms_err.c | 304 +- crypto/openssl/crypto/cms/cms_ess.c | 59 +- crypto/openssl/crypto/cms/cms_io.c | 30 +- crypto/openssl/crypto/cms/cms_kari.c | 110 +- crypto/openssl/crypto/cms/cms_lib.c | 41 +- crypto/openssl/crypto/cms/cms_local.h | 86 +- crypto/openssl/crypto/cms/cms_pwri.c | 66 +- crypto/openssl/crypto/cms/cms_rsa.c | 43 +- crypto/openssl/crypto/cms/cms_sd.c | 152 +- crypto/openssl/crypto/cms/cms_smime.c | 143 +- crypto/openssl/crypto/comp/c_zlib.c | 174 +- crypto/openssl/crypto/comp/comp_err.c | 22 +- crypto/openssl/crypto/comp/comp_lib.c | 6 +- crypto/openssl/crypto/comp/comp_local.h | 22 +- crypto/openssl/crypto/conf/conf_api.c | 6 +- crypto/openssl/crypto/conf/conf_def.c | 78 +- crypto/openssl/crypto/conf/conf_err.c | 90 +- crypto/openssl/crypto/conf/conf_lib.c | 27 +- crypto/openssl/crypto/conf/conf_mod.c | 67 +- crypto/openssl/crypto/conf/conf_sap.c | 6 +- crypto/openssl/crypto/conf/conf_ssl.c | 13 +- crypto/openssl/crypto/context.c | 38 +- crypto/openssl/crypto/core_algorithm.c | 52 +- crypto/openssl/crypto/core_fetch.c | 34 +- crypto/openssl/crypto/core_namemap.c | 75 +- crypto/openssl/crypto/cpt_err.c | 82 +- crypto/openssl/crypto/cpuid.c | 41 +- crypto/openssl/crypto/crmf/crmf_asn.c | 81 +- crypto/openssl/crypto/crmf/crmf_err.c | 88 +- crypto/openssl/crypto/crmf/crmf_lib.c | 236 +- crypto/openssl/crypto/crmf/crmf_local.h | 25 +- crypto/openssl/crypto/crmf/crmf_pbm.c | 29 +- crypto/openssl/crypto/cryptlib.c | 112 +- crypto/openssl/crypto/ct/ct_b64.c | 16 +- crypto/openssl/crypto/ct/ct_err.c | 62 +- crypto/openssl/crypto/ct/ct_local.h | 97 +- crypto/openssl/crypto/ct/ct_log.c | 27 +- crypto/openssl/crypto/ct/ct_oct.c | 22 +- crypto/openssl/crypto/ct/ct_policy.c | 13 +- crypto/openssl/crypto/ct/ct_prn.c | 16 +- crypto/openssl/crypto/ct/ct_sct.c | 11 +- crypto/openssl/crypto/ct/ct_sct_ctx.c | 13 +- crypto/openssl/crypto/ct/ct_vfy.c | 9 +- crypto/openssl/crypto/ct/ct_x509v3.c | 62 +- crypto/openssl/crypto/ctype.c | 414 +- crypto/openssl/crypto/der_writer.c | 23 +- crypto/openssl/crypto/des/cbc_cksm.c | 4 +- crypto/openssl/crypto/des/cbc_enc.c | 2 + crypto/openssl/crypto/des/cfb64ede.c | 16 +- crypto/openssl/crypto/des/cfb64enc.c | 8 +- crypto/openssl/crypto/des/cfb_enc.c | 13 +- crypto/openssl/crypto/des/des_enc.c | 144 +- crypto/openssl/crypto/des/des_local.h | 381 +- crypto/openssl/crypto/des/ecb3_enc.c | 4 +- crypto/openssl/crypto/des/ecb_enc.c | 3 +- crypto/openssl/crypto/des/fcrypt.c | 154 +- crypto/openssl/crypto/des/fcrypt_b.c | 52 +- crypto/openssl/crypto/des/ncbc_enc.c | 6 +- crypto/openssl/crypto/des/ofb64ede.c | 10 +- crypto/openssl/crypto/des/ofb64enc.c | 8 +- crypto/openssl/crypto/des/ofb_enc.c | 8 +- crypto/openssl/crypto/des/pcbc_enc.c | 4 +- crypto/openssl/crypto/des/qud_cksm.c | 22 +- crypto/openssl/crypto/des/set_key.c | 725 +- crypto/openssl/crypto/des/spr.h | 640 +- crypto/openssl/crypto/des/xcbc_enc.c | 6 +- crypto/openssl/crypto/dh/dh_ameth.c | 48 +- crypto/openssl/crypto/dh/dh_asn1.c | 38 +- crypto/openssl/crypto/dh/dh_backend.c | 21 +- crypto/openssl/crypto/dh/dh_check.c | 8 +- crypto/openssl/crypto/dh/dh_depr.c | 2 +- crypto/openssl/crypto/dh/dh_err.c | 92 +- crypto/openssl/crypto/dh/dh_gen.c | 18 +- crypto/openssl/crypto/dh/dh_group_params.c | 5 +- crypto/openssl/crypto/dh/dh_kdf.c | 26 +- crypto/openssl/crypto/dh/dh_key.c | 59 +- crypto/openssl/crypto/dh/dh_lib.c | 16 +- crypto/openssl/crypto/dh/dh_local.h | 24 +- crypto/openssl/crypto/dh/dh_meth.c | 28 +- crypto/openssl/crypto/dh/dh_pmeth.c | 53 +- crypto/openssl/crypto/dh/dh_rfc5114.c | 34 +- crypto/openssl/crypto/dllmain.c | 7 +- crypto/openssl/crypto/dsa/dsa_ameth.c | 157 +- crypto/openssl/crypto/dsa/dsa_asn1.c | 30 +- crypto/openssl/crypto/dsa/dsa_backend.c | 24 +- crypto/openssl/crypto/dsa/dsa_check.c | 8 +- crypto/openssl/crypto/dsa/dsa_depr.c | 10 +- crypto/openssl/crypto/dsa/dsa_err.c | 50 +- crypto/openssl/crypto/dsa/dsa_gen.c | 24 +- crypto/openssl/crypto/dsa/dsa_key.c | 18 +- crypto/openssl/crypto/dsa/dsa_lib.c | 19 +- crypto/openssl/crypto/dsa/dsa_local.h | 38 +- crypto/openssl/crypto/dsa/dsa_meth.c | 52 +- crypto/openssl/crypto/dsa/dsa_ossl.c | 70 +- crypto/openssl/crypto/dsa/dsa_pmeth.c | 39 +- crypto/openssl/crypto/dsa/dsa_sign.c | 14 +- crypto/openssl/crypto/dsa/dsa_vrf.c | 2 +- crypto/openssl/crypto/dso/dso_dl.c | 59 +- crypto/openssl/crypto/dso/dso_dlfcn.c | 132 +- crypto/openssl/crypto/dso/dso_err.c | 56 +- crypto/openssl/crypto/dso/dso_lib.c | 8 +- crypto/openssl/crypto/dso/dso_local.h | 16 +- crypto/openssl/crypto/dso/dso_vms.c | 162 +- crypto/openssl/crypto/dso/dso_win32.c | 160 +- crypto/openssl/crypto/ebcdic.c | 110 +- crypto/openssl/crypto/ec/curve25519.c | 5131 ++-- .../crypto/ec/curve448/arch_32/arch_intrinsics.h | 8 +- crypto/openssl/crypto/ec/curve448/arch_32/f_impl.h | 18 +- .../openssl/crypto/ec/curve448/arch_32/f_impl32.c | 10 +- .../crypto/ec/curve448/arch_64/arch_intrinsics.h | 12 +- crypto/openssl/crypto/ec/curve448/arch_64/f_impl.h | 15 +- .../openssl/crypto/ec/curve448/arch_64/f_impl64.c | 8 +- crypto/openssl/crypto/ec/curve448/curve448.c | 222 +- crypto/openssl/crypto/ec/curve448/curve448_local.h | 22 +- .../openssl/crypto/ec/curve448/curve448_tables.c | 3028 +-- crypto/openssl/crypto/ec/curve448/curve448utils.h | 44 +- crypto/openssl/crypto/ec/curve448/ed448.h | 102 +- crypto/openssl/crypto/ec/curve448/eddsa.c | 232 +- crypto/openssl/crypto/ec/curve448/f_generic.c | 25 +- crypto/openssl/crypto/ec/curve448/field.h | 87 +- crypto/openssl/crypto/ec/curve448/point_448.h | 101 +- crypto/openssl/crypto/ec/curve448/scalar.c | 82 +- crypto/openssl/crypto/ec/curve448/word.h | 48 +- crypto/openssl/crypto/ec/ec2_oct.c | 34 +- crypto/openssl/crypto/ec/ec2_smpl.c | 122 +- crypto/openssl/crypto/ec/ec_ameth.c | 89 +- crypto/openssl/crypto/ec/ec_asn1.c | 150 +- crypto/openssl/crypto/ec/ec_backend.c | 93 +- crypto/openssl/crypto/ec/ec_check.c | 14 +- crypto/openssl/crypto/ec/ec_curve.c | 1560 +- crypto/openssl/crypto/ec/ec_cvt.c | 4 +- crypto/openssl/crypto/ec/ec_deprecated.c | 8 +- crypto/openssl/crypto/ec/ec_err.c | 212 +- crypto/openssl/crypto/ec/ec_key.c | 44 +- crypto/openssl/crypto/ec/ec_kmeth.c | 147 +- crypto/openssl/crypto/ec/ec_lib.c | 188 +- crypto/openssl/crypto/ec/ec_local.h | 496 +- crypto/openssl/crypto/ec/ec_mult.c | 113 +- crypto/openssl/crypto/ec/ec_oct.c | 34 +- crypto/openssl/crypto/ec/ec_pmeth.c | 29 +- crypto/openssl/crypto/ec/ec_print.c | 6 +- crypto/openssl/crypto/ec/ecdh_kdf.c | 22 +- crypto/openssl/crypto/ec/ecdh_ossl.c | 9 +- crypto/openssl/crypto/ec/ecdsa_ossl.c | 51 +- crypto/openssl/crypto/ec/ecdsa_sign.c | 13 +- crypto/openssl/crypto/ec/ecdsa_vrf.c | 6 +- crypto/openssl/crypto/ec/eck_prn.c | 23 +- crypto/openssl/crypto/ec/ecp_mont.c | 32 +- crypto/openssl/crypto/ec/ecp_nist.c | 28 +- crypto/openssl/crypto/ec/ecp_nistp224.c | 602 +- crypto/openssl/crypto/ec/ecp_nistp256.c | 789 +- crypto/openssl/crypto/ec/ecp_nistp521.c | 940 +- crypto/openssl/crypto/ec/ecp_nistputil.c | 62 +- crypto/openssl/crypto/ec/ecp_nistz256.c | 363 +- crypto/openssl/crypto/ec/ecp_nistz256_table.c | 24407 +++++++++++-------- crypto/openssl/crypto/ec/ecp_oct.c | 31 +- crypto/openssl/crypto/ec/ecp_ppc.c | 8 +- crypto/openssl/crypto/ec/ecp_s390x_nistp.c | 323 +- crypto/openssl/crypto/ec/ecp_smpl.c | 169 +- crypto/openssl/crypto/ec/ecx_backend.c | 32 +- crypto/openssl/crypto/ec/ecx_backend.h | 18 +- crypto/openssl/crypto/ec/ecx_key.c | 2 +- crypto/openssl/crypto/ec/ecx_meth.c | 229 +- crypto/openssl/crypto/ec/ecx_s390x.c | 28 +- crypto/openssl/crypto/encode_decode/decoder_err.c | 14 +- crypto/openssl/crypto/encode_decode/decoder_lib.c | 363 +- crypto/openssl/crypto/encode_decode/decoder_meth.c | 90 +- crypto/openssl/crypto/encode_decode/decoder_pkey.c | 173 +- crypto/openssl/crypto/encode_decode/encoder_err.c | 14 +- crypto/openssl/crypto/encode_decode/encoder_lib.c | 218 +- .../openssl/crypto/encode_decode/encoder_local.h | 12 +- crypto/openssl/crypto/encode_decode/encoder_meth.c | 100 +- crypto/openssl/crypto/encode_decode/encoder_pkey.c | 98 +- crypto/openssl/crypto/engine/eng_all.c | 4 +- crypto/openssl/crypto/engine/eng_cnf.c | 13 +- crypto/openssl/crypto/engine/eng_ctrl.c | 28 +- crypto/openssl/crypto/engine/eng_dyn.c | 116 +- crypto/openssl/crypto/engine/eng_err.c | 128 +- crypto/openssl/crypto/engine/eng_fat.c | 2 +- crypto/openssl/crypto/engine/eng_lib.c | 4 +- crypto/openssl/crypto/engine/eng_list.c | 13 +- crypto/openssl/crypto/engine/eng_local.h | 48 +- crypto/openssl/crypto/engine/eng_openssl.c | 126 +- crypto/openssl/crypto/engine/eng_pkey.c | 20 +- crypto/openssl/crypto/engine/eng_rdrand.c | 30 +- crypto/openssl/crypto/engine/eng_table.c | 46 +- crypto/openssl/crypto/engine/tb_asnmth.c | 22 +- crypto/openssl/crypto/engine/tb_cipher.c | 10 +- crypto/openssl/crypto/engine/tb_dh.c | 10 +- crypto/openssl/crypto/engine/tb_digest.c | 10 +- crypto/openssl/crypto/engine/tb_dsa.c | 10 +- crypto/openssl/crypto/engine/tb_eckey.c | 10 +- crypto/openssl/crypto/engine/tb_pkmeth.c | 10 +- crypto/openssl/crypto/engine/tb_rand.c | 10 +- crypto/openssl/crypto/engine/tb_rsa.c | 10 +- crypto/openssl/crypto/err/err.c | 238 +- crypto/openssl/crypto/err/err_all.c | 48 +- crypto/openssl/crypto/err/err_all_legacy.c | 112 +- crypto/openssl/crypto/err/err_local.h | 15 +- crypto/openssl/crypto/err/err_prn.c | 12 +- crypto/openssl/crypto/ess/ess_asn1.c | 24 +- crypto/openssl/crypto/ess/ess_err.c | 38 +- crypto/openssl/crypto/ess/ess_lib.c | 51 +- crypto/openssl/crypto/evp/asymcipher.c | 93 +- crypto/openssl/crypto/evp/bio_b64.c | 69 +- crypto/openssl/crypto/evp/bio_enc.c | 56 +- crypto/openssl/crypto/evp/bio_md.c | 8 +- crypto/openssl/crypto/evp/bio_ok.c | 72 +- crypto/openssl/crypto/evp/c_allc.c | 8 +- crypto/openssl/crypto/evp/cmeth_lib.c | 57 +- crypto/openssl/crypto/evp/ctrl_params_translate.c | 1357 +- crypto/openssl/crypto/evp/dh_ctrl.c | 46 +- crypto/openssl/crypto/evp/dh_support.c | 15 +- crypto/openssl/crypto/evp/digest.c | 161 +- crypto/openssl/crypto/evp/dsa_ctrl.c | 18 +- crypto/openssl/crypto/evp/e_aes.c | 1624 +- crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c | 447 +- crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha256.c | 440 +- crypto/openssl/crypto/evp/e_aria.c | 358 +- crypto/openssl/crypto/evp/e_bf.c | 20 +- crypto/openssl/crypto/evp/e_camellia.c | 240 +- crypto/openssl/crypto/evp/e_cast.c | 22 +- crypto/openssl/crypto/evp/e_chacha20_poly1305.c | 268 +- crypto/openssl/crypto/evp/e_des.c | 128 +- crypto/openssl/crypto/evp/e_des3.c | 192 +- crypto/openssl/crypto/evp/e_idea.c | 34 +- crypto/openssl/crypto/evp/e_null.c | 8 +- crypto/openssl/crypto/evp/e_old.c | 16 +- crypto/openssl/crypto/evp/e_rc2.c | 53 +- crypto/openssl/crypto/evp/e_rc4.c | 22 +- crypto/openssl/crypto/evp/e_rc4_hmac_md5.c | 161 +- crypto/openssl/crypto/evp/e_rc5.c | 26 +- crypto/openssl/crypto/evp/e_seed.c | 10 +- crypto/openssl/crypto/evp/e_sm4.c | 44 +- crypto/openssl/crypto/evp/e_xcbc_d.c | 34 +- crypto/openssl/crypto/evp/ec_ctrl.c | 39 +- crypto/openssl/crypto/evp/ec_support.c | 194 +- crypto/openssl/crypto/evp/encode.c | 342 +- crypto/openssl/crypto/evp/evp_cnf.c | 7 +- crypto/openssl/crypto/evp/evp_enc.c | 265 +- crypto/openssl/crypto/evp/evp_err.c | 358 +- crypto/openssl/crypto/evp/evp_fetch.c | 175 +- crypto/openssl/crypto/evp/evp_key.c | 22 +- crypto/openssl/crypto/evp/evp_lib.c | 174 +- crypto/openssl/crypto/evp/evp_local.h | 183 +- crypto/openssl/crypto/evp/evp_pbe.c | 124 +- crypto/openssl/crypto/evp/evp_pkey.c | 40 +- crypto/openssl/crypto/evp/evp_rand.c | 115 +- crypto/openssl/crypto/evp/evp_utils.c | 70 +- crypto/openssl/crypto/evp/exchange.c | 115 +- crypto/openssl/crypto/evp/kdf_lib.c | 10 +- crypto/openssl/crypto/evp/kdf_meth.c | 27 +- crypto/openssl/crypto/evp/kem.c | 67 +- crypto/openssl/crypto/evp/keymgmt_lib.c | 72 +- crypto/openssl/crypto/evp/keymgmt_meth.c | 102 +- crypto/openssl/crypto/evp/legacy_blake2.c | 6 +- crypto/openssl/crypto/evp/legacy_md5_sha1.c | 6 +- crypto/openssl/crypto/evp/legacy_mdc2.c | 2 +- crypto/openssl/crypto/evp/legacy_meth.h | 55 +- crypto/openssl/crypto/evp/legacy_ripemd.c | 2 +- crypto/openssl/crypto/evp/legacy_sha.c | 130 +- crypto/openssl/crypto/evp/legacy_wp.c | 2 +- crypto/openssl/crypto/evp/m_sigver.c | 164 +- crypto/openssl/crypto/evp/mac_lib.c | 37 +- crypto/openssl/crypto/evp/mac_meth.c | 27 +- crypto/openssl/crypto/evp/names.c | 50 +- crypto/openssl/crypto/evp/p5_crpt.c | 24 +- crypto/openssl/crypto/evp/p5_crpt2.c | 69 +- crypto/openssl/crypto/evp/p_dec.c | 7 +- crypto/openssl/crypto/evp/p_enc.c | 7 +- crypto/openssl/crypto/evp/p_lib.c | 569 +- crypto/openssl/crypto/evp/p_open.c | 6 +- crypto/openssl/crypto/evp/p_seal.c | 13 +- crypto/openssl/crypto/evp/p_sign.c | 8 +- crypto/openssl/crypto/evp/p_verify.c | 8 +- crypto/openssl/crypto/evp/pbe_scrypt.c | 32 +- crypto/openssl/crypto/evp/pmeth_check.c | 25 +- crypto/openssl/crypto/evp/pmeth_gn.c | 61 +- crypto/openssl/crypto/evp/pmeth_lib.c | 726 +- crypto/openssl/crypto/evp/signature.c | 127 +- crypto/openssl/crypto/ex_data.c | 45 +- crypto/openssl/crypto/ffc/ffc_backend.c | 16 +- crypto/openssl/crypto/ffc/ffc_dh.c | 64 +- crypto/openssl/crypto/ffc/ffc_key_generate.c | 2 +- crypto/openssl/crypto/ffc/ffc_key_validate.c | 10 +- crypto/openssl/crypto/ffc/ffc_params.c | 62 +- crypto/openssl/crypto/ffc/ffc_params_generate.c | 186 +- crypto/openssl/crypto/ffc/ffc_params_validate.c | 46 +- crypto/openssl/crypto/getenv.c | 18 +- crypto/openssl/crypto/hmac/hmac.c | 32 +- crypto/openssl/crypto/hmac/hmac_local.h | 4 +- crypto/openssl/crypto/http/http_client.c | 344 +- crypto/openssl/crypto/http/http_err.c | 106 +- crypto/openssl/crypto/http/http_lib.c | 46 +- crypto/openssl/crypto/idea/i_cbc.c | 4 +- crypto/openssl/crypto/idea/i_cfb64.c | 7 +- crypto/openssl/crypto/idea/i_ecb.c | 2 +- crypto/openssl/crypto/idea/i_ofb64.c | 7 +- crypto/openssl/crypto/idea/idea_local.h | 179 +- crypto/openssl/crypto/info.c | 169 +- crypto/openssl/crypto/init.c | 162 +- crypto/openssl/crypto/initthread.c | 19 +- crypto/openssl/crypto/lhash/lh_stats.c | 14 +- crypto/openssl/crypto/lhash/lhash.c | 23 +- crypto/openssl/crypto/lhash/lhash_local.h | 4 +- crypto/openssl/crypto/md2/md2_dgst.c | 296 +- crypto/openssl/crypto/md4/md4_dgst.c | 16 +- crypto/openssl/crypto/md4/md4_local.h | 63 +- crypto/openssl/crypto/md4/md4_one.c | 2 +- crypto/openssl/crypto/md5/md5_dgst.c | 16 +- crypto/openssl/crypto/md5/md5_local.h | 96 +- crypto/openssl/crypto/md5/md5_one.c | 2 +- crypto/openssl/crypto/mdc2/mdc2dgst.c | 16 +- crypto/openssl/crypto/mem.c | 95 +- crypto/openssl/crypto/mem_sec.c | 131 +- crypto/openssl/crypto/mips_arch.h | 48 +- crypto/openssl/crypto/modes/asm/ghash-armv4.pl | 4 +- crypto/openssl/crypto/modes/cbc128.c | 38 +- crypto/openssl/crypto/modes/ccm128.c | 108 +- crypto/openssl/crypto/modes/cfb128.c | 64 +- crypto/openssl/crypto/modes/ctr128.c | 38 +- crypto/openssl/crypto/modes/cts128.c | 86 +- crypto/openssl/crypto/modes/gcm128.c | 638 +- crypto/openssl/crypto/modes/ocb128.c | 67 +- crypto/openssl/crypto/modes/ofb128.c | 20 +- crypto/openssl/crypto/modes/siv128.c | 61 +- crypto/openssl/crypto/modes/wrap128.c | 49 +- crypto/openssl/crypto/modes/xts128.c | 22 +- crypto/openssl/crypto/o_dir.c | 2 + crypto/openssl/crypto/o_fopen.c | 46 +- crypto/openssl/crypto/o_str.c | 90 +- crypto/openssl/crypto/o_time.c | 20 +- crypto/openssl/crypto/objects/o_names.c | 44 +- crypto/openssl/crypto/objects/obj_compat.h | 62 +- crypto/openssl/crypto/objects/obj_dat.c | 38 +- crypto/openssl/crypto/objects/obj_dat.h | 2 +- crypto/openssl/crypto/objects/obj_err.c | 10 +- crypto/openssl/crypto/objects/obj_lib.c | 6 +- crypto/openssl/crypto/ocsp/ocsp_asn.c | 90 +- crypto/openssl/crypto/ocsp/ocsp_cl.c | 42 +- crypto/openssl/crypto/ocsp/ocsp_err.c | 90 +- crypto/openssl/crypto/ocsp/ocsp_ext.c | 77 +- crypto/openssl/crypto/ocsp/ocsp_http.c | 16 +- crypto/openssl/crypto/ocsp/ocsp_lib.c | 12 +- crypto/openssl/crypto/ocsp/ocsp_local.h | 94 +- crypto/openssl/crypto/ocsp/ocsp_prn.c | 61 +- crypto/openssl/crypto/ocsp/ocsp_srv.c | 61 +- crypto/openssl/crypto/ocsp/ocsp_vfy.c | 50 +- crypto/openssl/crypto/ocsp/v3_ocsp.c | 60 +- crypto/openssl/crypto/packet.c | 48 +- crypto/openssl/crypto/param_build.c | 162 +- crypto/openssl/crypto/param_build_set.c | 20 +- crypto/openssl/crypto/params.c | 153 +- crypto/openssl/crypto/params_dup.c | 39 +- crypto/openssl/crypto/params_from_text.c | 24 +- crypto/openssl/crypto/passphrase.c | 73 +- crypto/openssl/crypto/pem/pem_all.c | 35 +- crypto/openssl/crypto/pem/pem_err.c | 90 +- crypto/openssl/crypto/pem/pem_info.c | 61 +- crypto/openssl/crypto/pem/pem_lib.c | 122 +- crypto/openssl/crypto/pem/pem_local.h | 145 +- crypto/openssl/crypto/pem/pem_oth.c | 2 +- crypto/openssl/crypto/pem/pem_pk8.c | 74 +- crypto/openssl/crypto/pem/pem_pkey.c | 115 +- crypto/openssl/crypto/pem/pem_sign.c | 6 +- crypto/openssl/crypto/pem/pvkfmt.c | 112 +- crypto/openssl/crypto/perlasm/sparcv9_modes.pl | 10 +- crypto/openssl/crypto/perlasm/x86_64-xlate.pl | 5 +- crypto/openssl/crypto/pkcs12/p12_add.c | 45 +- crypto/openssl/crypto/pkcs12/p12_asn.c | 46 +- crypto/openssl/crypto/pkcs12/p12_attr.c | 33 +- crypto/openssl/crypto/pkcs12/p12_crpt.c | 25 +- crypto/openssl/crypto/pkcs12/p12_crt.c | 86 +- crypto/openssl/crypto/pkcs12/p12_decr.c | 81 +- crypto/openssl/crypto/pkcs12/p12_init.c | 3 +- crypto/openssl/crypto/pkcs12/p12_key.c | 58 +- crypto/openssl/crypto/pkcs12/p12_kiss.c | 31 +- crypto/openssl/crypto/pkcs12/p12_local.h | 6 +- crypto/openssl/crypto/pkcs12/p12_mutl.c | 59 +- crypto/openssl/crypto/pkcs12/p12_npas.c | 20 +- crypto/openssl/crypto/pkcs12/p12_p8d.c | 11 +- crypto/openssl/crypto/pkcs12/p12_p8e.c | 31 +- crypto/openssl/crypto/pkcs12/p12_sbag.c | 97 +- crypto/openssl/crypto/pkcs12/p12_utl.c | 83 +- crypto/openssl/crypto/pkcs12/pk12err.c | 64 +- crypto/openssl/crypto/pkcs7/bio_pk7.c | 2 +- crypto/openssl/crypto/pkcs7/pk7_asn1.c | 125 +- crypto/openssl/crypto/pkcs7/pk7_attr.c | 16 +- crypto/openssl/crypto/pkcs7/pk7_doit.c | 121 +- crypto/openssl/crypto/pkcs7/pk7_lib.c | 60 +- crypto/openssl/crypto/pkcs7/pk7_mime.c | 12 +- crypto/openssl/crypto/pkcs7/pk7_smime.c | 59 +- crypto/openssl/crypto/pkcs7/pkcs7err.c | 138 +- crypto/openssl/crypto/poly1305/poly1305.c | 102 +- crypto/openssl/crypto/poly1305/poly1305_base2_44.c | 29 +- crypto/openssl/crypto/poly1305/poly1305_ieee754.c | 279 +- crypto/openssl/crypto/poly1305/poly1305_ppc.c | 24 +- crypto/openssl/crypto/ppccap.c | 110 +- crypto/openssl/crypto/property/defn_cache.c | 19 +- crypto/openssl/crypto/property/property.c | 80 +- crypto/openssl/crypto/property/property_err.c | 36 +- crypto/openssl/crypto/property/property_local.h | 18 +- crypto/openssl/crypto/property/property_parse.c | 139 +- crypto/openssl/crypto/property/property_query.c | 22 +- crypto/openssl/crypto/property/property_string.c | 37 +- crypto/openssl/crypto/provider.c | 24 +- crypto/openssl/crypto/provider_child.c | 55 +- crypto/openssl/crypto/provider_conf.c | 56 +- crypto/openssl/crypto/provider_core.c | 267 +- crypto/openssl/crypto/provider_local.h | 8 +- crypto/openssl/crypto/provider_predefined.c | 4 +- crypto/openssl/crypto/punycode.c | 27 +- crypto/openssl/crypto/rand/prov_seed.c | 18 +- crypto/openssl/crypto/rand/rand_deprecated.c | 8 +- crypto/openssl/crypto/rand/rand_egd.c | 103 +- crypto/openssl/crypto/rand/rand_err.c | 156 +- crypto/openssl/crypto/rand/rand_lib.c | 182 +- crypto/openssl/crypto/rand/rand_local.h | 30 +- crypto/openssl/crypto/rand/rand_meth.c | 2 +- crypto/openssl/crypto/rand/rand_pool.c | 15 +- crypto/openssl/crypto/rand/randfile.c | 97 +- crypto/openssl/crypto/rc2/rc2_cbc.c | 30 +- crypto/openssl/crypto/rc2/rc2_ecb.c | 2 +- crypto/openssl/crypto/rc2/rc2_local.h | 250 +- crypto/openssl/crypto/rc2/rc2_skey.c | 284 +- crypto/openssl/crypto/rc2/rc2cfb64.c | 8 +- crypto/openssl/crypto/rc2/rc2ofb64.c | 8 +- crypto/openssl/crypto/rc4/rc4_enc.c | 16 +- crypto/openssl/crypto/rc4/rc4_local.h | 6 +- crypto/openssl/crypto/rc4/rc4_skey.c | 15 +- crypto/openssl/crypto/rc5/rc5_ecb.c | 2 +- crypto/openssl/crypto/rc5/rc5_enc.c | 4 +- crypto/openssl/crypto/rc5/rc5_local.h | 330 +- crypto/openssl/crypto/rc5/rc5_skey.c | 5 +- crypto/openssl/crypto/rc5/rc5cfb64.c | 8 +- crypto/openssl/crypto/rc5/rc5ofb64.c | 8 +- crypto/openssl/crypto/ripemd/rmd_dgst.c | 19 +- crypto/openssl/crypto/ripemd/rmd_local.h | 112 +- crypto/openssl/crypto/ripemd/rmdconst.h | 360 +- crypto/openssl/crypto/rsa/rsa_acvp_test_params.c | 29 +- crypto/openssl/crypto/rsa/rsa_ameth.c | 274 +- crypto/openssl/crypto/rsa/rsa_asn1.c | 51 +- crypto/openssl/crypto/rsa/rsa_backend.c | 119 +- crypto/openssl/crypto/rsa/rsa_chk.c | 12 +- crypto/openssl/crypto/rsa/rsa_crpt.c | 18 +- crypto/openssl/crypto/rsa/rsa_depr.c | 4 +- crypto/openssl/crypto/rsa/rsa_err.c | 274 +- crypto/openssl/crypto/rsa/rsa_gen.c | 45 +- crypto/openssl/crypto/rsa/rsa_lib.c | 159 +- crypto/openssl/crypto/rsa/rsa_local.h | 72 +- crypto/openssl/crypto/rsa/rsa_meth.c | 132 +- crypto/openssl/crypto/rsa/rsa_mp.c | 4 +- crypto/openssl/crypto/rsa/rsa_none.c | 4 +- crypto/openssl/crypto/rsa/rsa_oaep.c | 52 +- crypto/openssl/crypto/rsa/rsa_ossl.c | 126 +- crypto/openssl/crypto/rsa/rsa_pk1.c | 72 +- crypto/openssl/crypto/rsa/rsa_pmeth.c | 104 +- crypto/openssl/crypto/rsa/rsa_pss.c | 64 +- crypto/openssl/crypto/rsa/rsa_saos.c | 17 +- crypto/openssl/crypto/rsa/rsa_schemes.c | 22 +- crypto/openssl/crypto/rsa/rsa_sign.c | 243 +- crypto/openssl/crypto/rsa/rsa_sp800_56b_check.c | 121 +- crypto/openssl/crypto/rsa/rsa_sp800_56b_gen.c | 24 +- crypto/openssl/crypto/rsa/rsa_x931.c | 5 +- crypto/openssl/crypto/rsa/rsa_x931g.c | 32 +- crypto/openssl/crypto/s390x_arch.h | 178 +- crypto/openssl/crypto/s390xcap.c | 704 +- crypto/openssl/crypto/s390xcpuid.pl | 8 +- crypto/openssl/crypto/seed/seed.c | 752 +- crypto/openssl/crypto/seed/seed_cbc.c | 8 +- crypto/openssl/crypto/seed/seed_cfb.c | 8 +- crypto/openssl/crypto/seed/seed_ecb.c | 2 +- crypto/openssl/crypto/seed/seed_local.h | 123 +- crypto/openssl/crypto/seed/seed_ofb.c | 6 +- crypto/openssl/crypto/self_test_core.c | 32 +- crypto/openssl/crypto/sha/asm/keccak1600-s390x.pl | 3 +- crypto/openssl/crypto/sha/keccak1600.c | 271 +- crypto/openssl/crypto/sha/sha256.c | 120 +- crypto/openssl/crypto/sha/sha3.c | 2 +- crypto/openssl/crypto/sha/sha512.c | 219 +- crypto/openssl/crypto/sha/sha_local.h | 251 +- crypto/openssl/crypto/sha/sha_ppc.c | 6 +- crypto/openssl/crypto/siphash/siphash.c | 61 +- crypto/openssl/crypto/sm2/sm2_crypt.c | 80 +- crypto/openssl/crypto/sm2/sm2_err.c | 42 +- crypto/openssl/crypto/sm2/sm2_key.c | 8 +- crypto/openssl/crypto/sm2/sm2_sign.c | 142 +- crypto/openssl/crypto/sm3/legacy_sm3.c | 3 +- crypto/openssl/crypto/sm3/sm3.c | 6 +- crypto/openssl/crypto/sm3/sm3_local.h | 90 +- crypto/openssl/crypto/sm4/sm4.c | 42 +- crypto/openssl/crypto/sparcv9cap.c | 85 +- crypto/openssl/crypto/sparse_array.c | 28 +- crypto/openssl/crypto/srp/srp_lib.c | 71 +- crypto/openssl/crypto/srp/srp_vfy.c | 117 +- crypto/openssl/crypto/stack/stack.c | 25 +- crypto/openssl/crypto/store/store_err.c | 92 +- crypto/openssl/crypto/store/store_lib.c | 217 +- crypto/openssl/crypto/store/store_local.h | 24 +- crypto/openssl/crypto/store/store_meth.c | 74 +- crypto/openssl/crypto/store/store_register.c | 52 +- crypto/openssl/crypto/store/store_result.c | 114 +- crypto/openssl/crypto/store/store_strings.c | 12 +- crypto/openssl/crypto/threads_none.c | 25 +- crypto/openssl/crypto/threads_pthread.c | 94 +- crypto/openssl/crypto/threads_win.c | 56 +- crypto/openssl/crypto/trace.c | 131 +- crypto/openssl/crypto/ts/ts_asn1.c | 64 +- crypto/openssl/crypto/ts/ts_conf.c | 108 +- crypto/openssl/crypto/ts/ts_err.c | 122 +- crypto/openssl/crypto/ts/ts_lib.c | 4 +- crypto/openssl/crypto/ts/ts_local.h | 18 +- crypto/openssl/crypto/ts/ts_req_print.c | 2 +- crypto/openssl/crypto/ts/ts_rsp_print.c | 41 +- crypto/openssl/crypto/ts/ts_rsp_sign.c | 172 +- crypto/openssl/crypto/ts/ts_rsp_verify.c | 104 +- crypto/openssl/crypto/ts/ts_verify_ctx.c | 6 +- crypto/openssl/crypto/txt_db/txt_db.c | 22 +- crypto/openssl/crypto/ui/ui_err.c | 36 +- crypto/openssl/crypto/ui/ui_lib.c | 260 +- crypto/openssl/crypto/ui/ui_local.h | 56 +- crypto/openssl/crypto/ui/ui_null.c | 10 +- crypto/openssl/crypto/ui/ui_openssl.c | 536 +- crypto/openssl/crypto/ui/ui_util.c | 65 +- crypto/openssl/crypto/uid.c | 34 +- crypto/openssl/crypto/vms_rms.h | 86 +- crypto/openssl/crypto/whrlpool/wp_block.c | 811 +- crypto/openssl/crypto/whrlpool/wp_dgst.c | 20 +- crypto/openssl/crypto/x509/by_dir.c | 76 +- crypto/openssl/crypto/x509/by_file.c | 66 +- crypto/openssl/crypto/x509/by_store.c | 175 +- crypto/openssl/crypto/x509/pcy_cache.c | 24 +- crypto/openssl/crypto/x509/pcy_data.c | 2 +- crypto/openssl/crypto/x509/pcy_lib.c | 19 +- crypto/openssl/crypto/x509/pcy_local.h | 34 +- crypto/openssl/crypto/x509/pcy_map.c | 10 +- crypto/openssl/crypto/x509/pcy_node.c | 28 +- crypto/openssl/crypto/x509/pcy_tree.c | 107 +- crypto/openssl/crypto/x509/standard_exts.h | 5 - crypto/openssl/crypto/x509/t_crl.c | 7 +- crypto/openssl/crypto/x509/t_req.c | 24 +- crypto/openssl/crypto/x509/t_x509.c | 75 +- crypto/openssl/crypto/x509/v3_addr.c | 306 +- crypto/openssl/crypto/x509/v3_admis.c | 52 +- crypto/openssl/crypto/x509/v3_admis.h | 28 +- crypto/openssl/crypto/x509/v3_akeya.c | 6 +- crypto/openssl/crypto/x509/v3_akid.c | 30 +- crypto/openssl/crypto/x509/v3_asid.c | 213 +- crypto/openssl/crypto/x509/v3_bcons.c | 28 +- crypto/openssl/crypto/x509/v3_bitst.c | 54 +- crypto/openssl/crypto/x509/v3_conf.c | 77 +- crypto/openssl/crypto/x509/v3_cpols.c | 93 +- crypto/openssl/crypto/x509/v3_crld.c | 135 +- crypto/openssl/crypto/x509/v3_enum.c | 30 +- crypto/openssl/crypto/x509/v3_extku.c | 23 +- crypto/openssl/crypto/x509/v3_genn.c | 45 +- crypto/openssl/crypto/x509/v3_ia5.c | 6 +- crypto/openssl/crypto/x509/v3_info.c | 47 +- crypto/openssl/crypto/x509/v3_int.c | 2 +- crypto/openssl/crypto/x509/v3_ist.c | 37 +- crypto/openssl/crypto/x509/v3_lib.c | 29 +- crypto/openssl/crypto/x509/v3_ncons.c | 98 +- crypto/openssl/crypto/x509/v3_pci.c | 65 +- crypto/openssl/crypto/x509/v3_pcia.c | 14 +- crypto/openssl/crypto/x509/v3_pcons.c | 30 +- crypto/openssl/crypto/x509/v3_pku.c | 12 +- crypto/openssl/crypto/x509/v3_pmaps.c | 27 +- crypto/openssl/crypto/x509/v3_prn.c | 29 +- crypto/openssl/crypto/x509/v3_purp.c | 136 +- crypto/openssl/crypto/x509/v3_san.c | 229 +- crypto/openssl/crypto/x509/v3_skid.c | 15 +- crypto/openssl/crypto/x509/v3_sxnet.c | 28 +- crypto/openssl/crypto/x509/v3_tlsf.c | 29 +- crypto/openssl/crypto/x509/v3_utf8.c | 11 +- crypto/openssl/crypto/x509/v3_utl.c | 166 +- crypto/openssl/crypto/x509/v3err.c | 236 +- crypto/openssl/crypto/x509/x509_att.c | 93 +- crypto/openssl/crypto/x509/x509_cmp.c | 48 +- crypto/openssl/crypto/x509/x509_d2.c | 15 +- crypto/openssl/crypto/x509/x509_err.c | 134 +- crypto/openssl/crypto/x509/x509_ext.c | 35 +- crypto/openssl/crypto/x509/x509_local.h | 118 +- crypto/openssl/crypto/x509/x509_lu.c | 98 +- crypto/openssl/crypto/x509/x509_meth.c | 27 +- crypto/openssl/crypto/x509/x509_obj.c | 19 +- crypto/openssl/crypto/x509/x509_r2x.c | 9 +- crypto/openssl/crypto/x509/x509_req.c | 32 +- crypto/openssl/crypto/x509/x509_set.c | 14 +- crypto/openssl/crypto/x509/x509_trust.c | 56 +- crypto/openssl/crypto/x509/x509_txt.c | 3 +- crypto/openssl/crypto/x509/x509_v3.c | 22 +- crypto/openssl/crypto/x509/x509_vfy.c | 355 +- crypto/openssl/crypto/x509/x509_vpm.c | 157 +- crypto/openssl/crypto/x509/x509cset.c | 2 +- crypto/openssl/crypto/x509/x509name.c | 54 +- crypto/openssl/crypto/x509/x509type.c | 2 +- crypto/openssl/crypto/x509/x_all.c | 144 +- crypto/openssl/crypto/x509/x_attrib.c | 6 +- crypto/openssl/crypto/x509/x_crl.c | 109 +- crypto/openssl/crypto/x509/x_exten.c | 9 +- crypto/openssl/crypto/x509/x_name.c | 127 +- crypto/openssl/crypto/x509/x_pubkey.c | 147 +- crypto/openssl/crypto/x509/x_req.c | 84 +- crypto/openssl/crypto/x509/x_x509.c | 64 +- crypto/openssl/crypto/x509/x_x509a.c | 14 +- crypto/openssl/demos/bio/client-arg.c | 2 +- crypto/openssl/demos/bio/client-conf.c | 4 +- crypto/openssl/demos/bio/saccept.c | 13 +- crypto/openssl/demos/bio/sconnect.c | 11 +- crypto/openssl/demos/bio/server-arg.c | 13 +- crypto/openssl/demos/bio/server-cmod.c | 11 +- crypto/openssl/demos/bio/server-conf.c | 13 +- crypto/openssl/demos/cipher/aesccm.c | 13 +- crypto/openssl/demos/cipher/aesgcm.c | 10 +- crypto/openssl/demos/cipher/aeskeywrap.c | 99 +- *** 688302 LINES SKIPPED *** From nobody Tue Jun 9 19:18:34 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdx65mZ0z6gV7P for ; Tue, 09 Jun 2026 19:18:34 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdx61vPMz3N3d for ; Tue, 09 Jun 2026 19:18:34 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032714; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=31dIqwq5DLkFKDGLKyIjlnjpqZHbLGS9PdTXBtiU8ms=; b=T4kPhNAokx5FK9LRFt2z4a/qUEujVm4vde2jEcnkpsbvTPFDJ5SIZrmUK7AC/+1dLiyKOc zyzePrsBBNXWAll/o+H6BLxldMq/PKcv9pP4a8/SgboSsmHT7KG4b+tAzuzjo1SxRQHjLt CGsDSsetYymI3owcCmpQSaXzCtiPTqXhNSrQNMEKMg8ZNS3IK75piZyVMvGkxOjOOa6KOz /Lz3ITpUaSxaGS3zxWld2ZA5A9/mbS87Mz/b2DOoisJWkTtetZ8N1aEWXVUDTWqae9XZia SwLRuxEMPvBiCnP0LQmvo0GWQ5ewUtRNCSDAgHvi13cVbNYoNa7DTyQLGpmS7Q== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032714; a=rsa-sha256; cv=none; b=NCrcgaw88VjkU2q7M2KKeoj7O3uhy0fsuvmy3p4EMXC7NvuNMEY+XTuWwKN/9QgmV8QD9u lp4ikLsfl8MiCrd+mXFJ5AO3mC2xbfpNc43F6f98qFilvdwidtdl6KLS9T12lrh0+5YTk0 1VDXtQkgLnePKRlop1ZuMQYmnLHGdOg0YZWw811TLODhVKG7v93E8l5rFaYdtNoCWdQ8r7 bg61kja3NhHeKK18Xosp1VnVKgvk6h9B38nG3wVfRjjXsHJGoCmjH6eIcHfNIftNTIptHg Tgajw+qocD3yA9437b/eafMx+ICkzcZ47aLICP2iF8Yek/TaYR/ADug4F14H0g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032714; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=31dIqwq5DLkFKDGLKyIjlnjpqZHbLGS9PdTXBtiU8ms=; b=FNGLETdrbaPBqrnPQy04+pwA23e+nx/Fp0EQEvu54gwiKStjmj8yVGhYZY9+Z8p+abhmyw +0I6nLRuZpLPabKjka0s38dJhs1dudmpemhvhVqmBiP+R6aZfjN6Jidq3mNTyIdLhI+Xh4 5pnweanpRp17fw1evswfBah2Jw/OX065AE1mOPVHsIPmVCechcZRKNoa6gMoqzoxZg3p+v vMwPacZzlLEeS579aKp9JoTQIdnw/4fxIvmTjotyYFUTFqH5iURXHe14QAY8aB2Yu80KDq WA3zHyxhwfSZlV1n85HL2juVSXVcek9ACafpKPU4GYh2GeREnqUVDjF1En7YXA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdx61FcPzntB for ; Tue, 09 Jun 2026 19:18:34 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3cd7f by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:18:34 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: fa5581c379fe - releng/14.3 - thr_kill2: Respect p_cansignal() List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.3 X-Git-Reftype: branch X-Git-Commit: fa5581c379fec9855e88df49534a973752bbec3f Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:18:34 +0000 Message-Id: <6a28670a.3cd7f.6c4f2f81@gitrepo.freebsd.org> The branch releng/14.3 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=fa5581c379fec9855e88df49534a973752bbec3f commit fa5581c379fec9855e88df49534a973752bbec3f Author: Mark Johnston AuthorDate: 2026-05-25 15:12:57 +0000 Commit: Mark Johnston CommitDate: 2026-06-07 15:53:09 +0000 thr_kill2: Respect p_cansignal() Approved by: so Security: FreeBSD-SA-26:25.thr Security: CVE-2026-45256 Reported by: Igor Gabriel Sousa e Souza Reported by: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai Reviewed by: emaste, kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57237 --- sys/kern/kern_thr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/kern/kern_thr.c b/sys/kern/kern_thr.c index 0ab4cb5f7970..de6b141a918b 100644 --- a/sys/kern/kern_thr.c +++ b/sys/kern/kern_thr.c @@ -477,7 +477,7 @@ sys_thr_kill2(struct thread *td, struct thr_kill2_args *uap) p = ttd->td_proc; AUDIT_ARG_PROCESS(p); error = p_cansignal(td, p, uap->sig); - if (uap->sig == 0) + if (error != 0 || uap->sig == 0) ; else if (!_SIG_VALID(uap->sig)) error = EINVAL; From nobody Tue Jun 9 19:18:35 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdx75RvCz6gV42 for ; Tue, 09 Jun 2026 19:18:35 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdx72vRjz3NY8 for ; Tue, 09 Jun 2026 19:18:35 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032715; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=WO/7ucM/N+hHn1OOihc5IvrzY+sbUZBLMNvZ+aFk2MA=; b=VM1z+u2VS3+3qaJwt1x3wc8H/rfeY/AR1LFeovwqRmTNEq8tq+1TV61/fvWRWbZJfN8KP8 5Vrr/5+q1++r3AKZAAKr+YtCEx6855ywh1VqLMMh4Mvsk59bQ7PPsc6uuEvtfSpBIU6ozM PH2IgmGyko5V+avaqBC025ySTZM/D/2y2NpoGO+iwBLUN8txPVpPmVVOsJ8gfxVLRznBHW NQZixPKsQaRY9nqwFWfPbGkDD3lKxVywzbGjmEWPaIs5JmLWCkzKw236UxzE2isFLVYJFk DUTn/ZlGQrB+0+svY9GWcBG9T6Sgt4ip0C0q+2o7FrT23fjcqxyw1ZIUbeuRRA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032715; a=rsa-sha256; cv=none; b=OABOJEibyQrLYpiklRHOMKJ13cleRGNZdxHdSVErfphFvfCoNiNmXBX37N0w43TsgGYL/I OdixdFgI4z3cYbfjHAqInsgH2AirhfXg5sn3niJfbg6BEOWTHEn/Fc6LyWFFkgSBVoKa0a r+Wfx7SdNjbXbX4ipLBFYJTg8IH6dPuc5id7le0XsBCE505a9KVsVHspgCCjvpXhnvjm0c Jl3/ngb7lwRnkmyj80jOHTUfRBg/PCKIoWh/zQChx+cMYa+FD19n1+7SoFK1J/d7p83qJE lD+9eYIVq8YNYgYyUvmfxbaNqEZiRvCCsYj9i0/ozd89nMCIqYpT3Cnz+1nRkA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032715; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=WO/7ucM/N+hHn1OOihc5IvrzY+sbUZBLMNvZ+aFk2MA=; b=lVfuJXL2nOVgLx/hwiO8SL3PmqeoK57M3jWPpArwmA0RosvEPUF2WsSDg7Y9rBP7GUiw0M K51FY9svo4pdJNbJ2VXHs/0phdmWQYP3ysH9S6vSdWKOZiiHGzYuAHyqN/tBAB48735SUe dwkOfnqK+DmHs8hlV6ZLGz/Di2HnDlg7cSirCR/YDwQXr8loySfkp0X3ru8PuSkzl6t7Qa pLfSx/9RozGFE7IBeIeD/zF2GCjHpqOE35+35wtStQf88MMJVj76yJxPKTz9hr+jBC+M8V HNl+sB0l2nrveICpouOIAfiAq9A+uRV3ZOq+IA79nxSe+1HNwiDEs2GG2qsv6Q== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdx724BHzntC for ; Tue, 09 Jun 2026 19:18:35 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e78d by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:18:35 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: John Baldwin From: Mark Johnston Subject: git: af3398862ac0 - releng/14.3 - ktls: Don't attempt to modify non-anonymous mbufs on the receive path List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.3 X-Git-Reftype: branch X-Git-Commit: af3398862ac05421ec07eb134da394755c565356 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:18:35 +0000 Message-Id: <6a28670b.3e78d.438a569f@gitrepo.freebsd.org> The branch releng/14.3 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=af3398862ac05421ec07eb134da394755c565356 commit af3398862ac05421ec07eb134da394755c565356 Author: John Baldwin AuthorDate: 2026-06-03 23:22:00 +0000 Commit: Mark Johnston CommitDate: 2026-06-07 15:53:09 +0000 ktls: Don't attempt to modify non-anonymous mbufs on the receive path Normally, data processed on the KTLS receive path is contained in anonymous mbufs that can be modified in place. Either the data originates in receive buffers from a NIC driver, or for loopback connections the data is anonymous-backed mbufs created when writing to a socket. One potential source of non-anonymous mbufs are mbufs created by sendfile(2) which borrow the pages of the underlying file, either via M_EXTPG or EXT_SFBUF that are sent over a loopback connection. For a well-formed loopback TLS session, the sender should only use sendfile(2) if KTLS is enabled. If TLS is fully handled in userspace, the sender must use write(2) or send(2) which allocate anonymous mbufs. If KTLS transmit is enabled, then sendfile(2) on a loopback connection will always use crypto via OCF and will allocate anonymous pages to hold the encrypted data. However, if sendfile(2) is used to send file-backed data directly over a loopback connection where KTLS is not enabled on the sender side, the KTLS receive path can modify the file-backed pages in place overwriting the file's data. One potential fix would be to replace non-anonymous mbufs in a received TLS record with anonymous mbufs (e.g. via m_dup()) before passing the record to OCF. However, there is no legitimate use case for using sendfile(2) over a loopback TLS connection without using KTLS on the sender side, so instead simply fail decryption requests and close the connection if non-anonymous mbufs are encountered in the RX decryption path. Add a test for this that verifies that the original data backing the file descriptor used as the source for sendfile() is unchanged after being processed. Approved by: so Security: FreeBSD-SA-26:26.ktls Security: CVE-2026-45257 Co-authored-by: Drew Gallatin Sponsored by: Chelsio Communications Sponsored by: Netflix --- sys/kern/uipc_ktls.c | 17 +++++++-- sys/sys/ktls.h | 1 + tests/sys/kern/ktls_test.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 108 insertions(+), 3 deletions(-) diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c index 294a196db60d..ff1a94c57673 100644 --- a/sys/kern/uipc_ktls.c +++ b/sys/kern/uipc_ktls.c @@ -2329,8 +2329,10 @@ tls13_find_record_type(struct ktls_session *tls, struct mbuf *m, int tls_len, * Check if a mbuf chain is fully decrypted at the given offset and * length. Returns KTLS_MBUF_CRYPTO_ST_DECRYPTED if all data is * decrypted. KTLS_MBUF_CRYPTO_ST_MIXED if there is a mix of encrypted - * and decrypted data. Else KTLS_MBUF_CRYPTO_ST_ENCRYPTED if all data - * is encrypted. + * and decrypted data. KTLS_MBUF_CRYPTO_ST_ENCRYPTED if all data is + * encrypted. KTLS_MBUF_CRYPTO_ST_SHAREDMBUF if any mbuf points at + * shared data that must not be modified in place (non-anonymous + * M_EXTPG or sendfile M_EXT buffers). */ ktls_mbuf_crypto_st_t ktls_mbuf_crypto_state(struct mbuf *mb, int offset, int len) @@ -2346,6 +2348,13 @@ ktls_mbuf_crypto_state(struct mbuf *mb, int offset, int len) offset += len; for (; mb != NULL; mb = mb->m_next) { + if ((mb->m_flags & M_EXTPG) != 0 && + (mb->m_epg_flags & EPG_FLAG_ANON) == 0) + return (KTLS_MBUF_CRYPTO_ST_SHAREDMBUF); + if ((mb->m_flags & M_EXT) != 0 && + mb->m_ext.ext_type == EXT_SFBUF) + return (KTLS_MBUF_CRYPTO_ST_SHAREDMBUF); + m_flags_ored |= mb->m_flags; m_flags_anded &= mb->m_flags; @@ -2546,9 +2555,11 @@ ktls_decrypt(struct socket *so) record_type = hdr->tls_type; } break; - default: + case KTLS_MBUF_CRYPTO_ST_SHAREDMBUF: error = EINVAL; break; + default: + __assert_unreachable(); } if (error) { counter_u64_add(ktls_offload_failed_crypto, 1); diff --git a/sys/sys/ktls.h b/sys/sys/ktls.h index 693864394ffe..0fdf4c4ceac7 100644 --- a/sys/sys/ktls.h +++ b/sys/sys/ktls.h @@ -210,6 +210,7 @@ typedef enum { KTLS_MBUF_CRYPTO_ST_MIXED = 0, KTLS_MBUF_CRYPTO_ST_ENCRYPTED = 1, KTLS_MBUF_CRYPTO_ST_DECRYPTED = -1, + KTLS_MBUF_CRYPTO_ST_SHAREDMBUF = -2, } ktls_mbuf_crypto_st_t; void ktls_check_rx(struct sockbuf *sb); diff --git a/tests/sys/kern/ktls_test.c b/tests/sys/kern/ktls_test.c index 72497196b945..3970083e7f72 100644 --- a/tests/sys/kern/ktls_test.c +++ b/tests/sys/kern/ktls_test.c @@ -30,6 +30,7 @@ #include #include #include +#include #include #include #include @@ -2817,6 +2818,97 @@ ATF_TC_BODY(ktls_listening_socket, tc) ATF_REQUIRE(close(s) == 0); } +/* + * Verify that the KTLS receive path does not overwrite data belonging + * to a file whose payload is transmitted over a loopback connection + * via plain sendfile. + */ +ATF_TC_WITHOUT_HEAD(ktls_receive_loopback_sendfile); +ATF_TC_BODY(ktls_receive_loopback_sendfile, tc) +{ + struct tls_enable en; + struct msghdr msg; + struct sf_hdtr hdtr; + struct iovec iov[2]; + uint64_t seqno; + off_t sbytes; + char cbuf[CMSG_SPACE(sizeof(struct tls_get_record))]; + char *plaintext, *ciphertext, *outbuf; + void *p; + const size_t payload_len = PAGE_SIZE; + ssize_t rv; + size_t len; + int mode, shm, sockets[2]; + socklen_t slen; + + ATF_REQUIRE_KTLS(); + seqno = random(); + build_tls_enable(tc, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, + TLS_MINOR_VER_TWO, seqno, &en); + + len = tls_header_len(&en) + payload_len + tls_trailer_len(&en); + plaintext = alloc_buffer(payload_len); + ciphertext = malloc(len); + ATF_REQUIRE_INTEQ(len, encrypt_tls_record(tc, &en, TLS_RLTYPE_APP, + seqno, plaintext, payload_len, ciphertext, len, 0)); + + ATF_REQUIRE((shm = shm_open(SHM_ANON, O_RDWR, 0600)) > 0); + ATF_REQUIRE_INTEQ(0, ftruncate(shm, payload_len)); + ATF_REQUIRE((p = mmap(NULL, payload_len, PROT_READ | PROT_WRITE, + MAP_SHARED, shm, 0)) != MAP_FAILED); + memcpy(p, ciphertext + tls_header_len(&en), payload_len); + + ATF_REQUIRE_MSG(socketpair_tcp(sockets), "failed to create sockets"); + ATF_REQUIRE(setsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_ENABLE, &en, + sizeof(en)) == 0); + slen = sizeof(mode); + ATF_REQUIRE_INTEQ(0, getsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_MODE, + &mode, &slen)); + ATF_REQUIRE_INTEQ(TCP_TLS_MODE_SW, mode); + + fd_set_blocking(sockets[0]); + fd_set_blocking(sockets[1]); + + iov[0].iov_base = ciphertext; + iov[0].iov_len = tls_header_len(&en); + iov[1].iov_base = ciphertext + tls_header_len(&en) + payload_len; + iov[1].iov_len = tls_trailer_len(&en); + hdtr.headers = iov; + hdtr.hdr_cnt = 1; + hdtr.trailers = iov + 1; + hdtr.trl_cnt = 1; + debug_hexdump(tc, p, payload_len, "shm buffer before"); + ATF_REQUIRE_INTEQ(0, sendfile(shm, sockets[1], 0, payload_len, &hdtr, + &sbytes, 0)); + ATF_REQUIRE_INTEQ(sbytes, len); + + outbuf = calloc(payload_len, 1); + + memset(&msg, 0, sizeof(msg)); + + msg.msg_control = cbuf; + msg.msg_controllen = sizeof(cbuf); + + iov[0].iov_base = outbuf; + iov[0].iov_len = payload_len; + msg.msg_iov = iov; + msg.msg_iovlen = 1; + + rv = recvmsg(sockets[0], &msg, 0); + if (rv >= 0) { + ATF_REQUIRE_INTEQ(payload_len, rv); + ATF_REQUIRE_INTEQ(0, memcmp(outbuf, plaintext, payload_len)); + } else + ATF_REQUIRE_ERRNO(EBADMSG, true); + + debug_hexdump(tc, p, payload_len, "shm buffer after"); + ATF_REQUIRE_INTEQ(0, memcmp(p, ciphertext + tls_header_len(&en), + payload_len)); + + close_sockets_ignore_errors(sockets); + (void)close(shm); +} + ATF_TP_ADD_TCS(tp) { /* Transmit tests */ @@ -2843,6 +2935,7 @@ ATF_TP_ADD_TCS(tp) /* Miscellaneous */ ATF_TP_ADD_TC(tp, ktls_sendto_baddst); ATF_TP_ADD_TC(tp, ktls_listening_socket); + ATF_TP_ADD_TC(tp, ktls_receive_loopback_sendfile); return (atf_no_error()); } From nobody Tue Jun 9 19:18:36 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdx86FNsz6gV2X for ; Tue, 09 Jun 2026 19:18:36 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdx83YQ9z3NK4 for ; Tue, 09 Jun 2026 19:18:36 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032716; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=++E2IW/9ovZSy7BAZlUUgCg4/Zdz9UNSs26ogQEkqCw=; b=cQAv4MUqQk/OaVB+pKPsrkq7oBbzjRgVhVAT5YiPNDUioyjSeQrRabwVC39pnltnmxg/Q9 QJYuLVnUG/ZEEXDtcUzDsDDa9hpW/ngsvfwruDaN5b7QR2VdCkHEm2xLsnHxbiJGuI1Aix hqXpvVgJ5l3pXnIRzm+k67jLdJiV06I5SJ/2CDMpizOmi2crfBYdbxswPjK4/CqKNLYd71 kexQRQic5nLN7VtW+Nxpr/Fw8Ib4bkYJeCI7y/n2c2hpNBME9zxslqoTCMj9zBVPh4PXxg v5LIHsDQR+Q/GYjHhY4kGwV0noxa5f+7brOMUTDhJiVkYuRbYvo89nynE3dAUA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032716; a=rsa-sha256; cv=none; b=M7a9S7ZZxwLt2ahGnJwNuRpZuv99KTuhp2ZB9DEzxmrpZ3bw3VAEaS4tJNEp8xIXbaHhNs VW3z/oL4c9zcvX5X6ADhAJZ/pQ1td0C471+Usr20u/xBKjrXOoQM/O5WuDcfP7QoNou/Re Fo5Ahq9GZOkoHyC1CbDDE8akgC7hhACK6edeYhmPaNorPx52bkdNJNqPTdNS+Xf6j2/LhK hmpcp2z9dOH2P7/kBUwtLREQCg09CxEVRFlUU+w8wjzS2Eajj8ycnnhKkS6GbdhYD7TAjB ZKZcLSXykdTXhnLEkGgEodR8S20HvMgLBTrm5W6q6e1cO8dpeayu9lGygsJV8w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032716; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=++E2IW/9ovZSy7BAZlUUgCg4/Zdz9UNSs26ogQEkqCw=; b=K1G2C9WzSywk/vPjHDeOfZgxn3Tmps5qDsIzev/sjEzogAdix49TZbzlbrq6vE7NRcofcm yGRiuCOZLJLOFlzfF9u6wj+kUlnVZ9aU+LzP8lq3AL5dFmgm1t1FNYgRbJOUKhQAHjaK6z RjWdimYwaxPKw6pfFHBMDSU9i9uDhtKp3IV1CF1ZrTjDTdLA7v6saNZuPg5oOWmOT3jN7I MCx4SfOcVMBnmRKd+WwLhwr09Igrt6ngQoTcudu+Xh/E7wbCTLiJ01CIARxkzBth/9UExr Ul6zeOP99Dl2JXNI5vKcpSIucRM3Q8oLrt/02YCAFbVwocnIY1iePD9wGpWEFQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdx82rs9zntF for ; Tue, 09 Jun 2026 19:18:36 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e836 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:18:36 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Christos Margiolis From: Mark Johnston Subject: git: 644ce0e7dffa - releng/14.3 - sound: Check for offset overflow in dsp_mmap_single() List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.3 X-Git-Reftype: branch X-Git-Commit: 644ce0e7dffa22503afee6b3d5b830b31947bada Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:18:36 +0000 Message-Id: <6a28670c.3e836.15b71248@gitrepo.freebsd.org> The branch releng/14.3 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=644ce0e7dffa22503afee6b3d5b830b31947bada commit 644ce0e7dffa22503afee6b3d5b830b31947bada Author: Christos Margiolis AuthorDate: 2026-05-27 15:50:33 +0000 Commit: Mark Johnston CommitDate: 2026-06-07 17:23:12 +0000 sound: Check for offset overflow in dsp_mmap_single() Approved by: so Security: FreeBSD-SA-26:27.sound Security: CVE-2026-45258 Reviewed by: markj Sponsored by: The FreeBSD Foundation --- sys/dev/sound/pcm/dsp.c | 3 +++ tests/sys/sound/Makefile | 1 + tests/sys/sound/mmap.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 54 insertions(+) diff --git a/sys/dev/sound/pcm/dsp.c b/sys/dev/sound/pcm/dsp.c index 8ee3d1d3f2a8..f2254f925940 100644 --- a/sys/dev/sound/pcm/dsp.c +++ b/sys/dev/sound/pcm/dsp.c @@ -1843,6 +1843,9 @@ dsp_mmap_single(struct cdev *i_dev, vm_ooffset_t *offset, struct pcm_channel *wrch, *rdch, *c; int err; + if (*offset >= *offset + size) + return (EINVAL); + /* * Reject PROT_EXEC by default. It just doesn't makes sense. * Unfortunately, we have to give up this one due to linux_mmap diff --git a/tests/sys/sound/Makefile b/tests/sys/sound/Makefile index 74a0765a0540..ce156ae8c4cf 100644 --- a/tests/sys/sound/Makefile +++ b/tests/sys/sound/Makefile @@ -2,6 +2,7 @@ PACKAGE= tests TESTSDIR= ${TESTSBASE}/sys/sound +ATF_TESTS_C+= mmap ATF_TESTS_C+= pcm_read_write ATF_TESTS_C+= sndstat diff --git a/tests/sys/sound/mmap.c b/tests/sys/sound/mmap.c new file mode 100644 index 000000000000..33440529eb10 --- /dev/null +++ b/tests/sys/sound/mmap.c @@ -0,0 +1,50 @@ +/*- + * SPDX-License-Identifier: BSD-2-Clause + * + * Copyright (c) 2026 The FreeBSD Foundation + */ + +#include +#include + +#include +#include +#include +#include + +#define FMT_ERR(s) s ": %s", strerror(errno) + +ATF_TC(mmap_offset_overflow); +ATF_TC_HEAD(mmap_offset_overflow, tc) +{ + atf_tc_set_md_var(tc, "descr", "mmap offset overflow test"); +} + +ATF_TC_BODY(mmap_offset_overflow, tc) +{ + uint8_t *buf; + off_t off; + size_t len; + int fd; + + fd = open("/dev/dsp0", O_RDWR); + ATF_REQUIRE_MSG(fd >= 0, FMT_ERR("open")); + + /* off + len will overflow and wrap back to 0. */ + off = 0xfffffffffffff000; + len = 0x1000; + + buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, off); + ATF_REQUIRE_MSG(buf == MAP_FAILED, FMT_ERR("mmap")); + + munmap(buf, len); + + close(fd); +} + +ATF_TP_ADD_TCS(tp) +{ + ATF_TP_ADD_TC(tp, mmap_offset_overflow); + + return (atf_no_error()); +} From nobody Tue Jun 9 19:18:38 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxB6XmDz6gV8J for ; Tue, 09 Jun 2026 19:18:38 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxB5FPhz3NW7 for ; Tue, 09 Jun 2026 19:18:38 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032718; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Iwk0uXqvAtWcKGSiPIo/1qA6X5kTiHpUeKsUGAR4IOQ=; b=lBO0btCYGPbydO/tXbkDnJrATMaXdQ5JTgc12lDZZ3nL4rYVSeWUEpqQ3yRzg2guVXDSba TmxKgULvf1aBnpPB5TC5duhvcpxaZDF32c0ay3IeJv3AxH0FKh6MwVrKajnfkD3MuaNI01 fLo8deEiRRIHvBsexlaLCkt88jcu4dzsT3fXDLIaX6VDNrhlEiWK4YHtinebvfUg/Oot/O JMNSElpuRKeLnalchcAMpfQGUCTI5wbTUqFzJ9zxcQ11B/NG1/9t34xdjFP8W5uEpUPIPy uRxczGxUwow4vpPgUD0mRBi9TPK1Ug6oIKiVg0HvoQ8lBigIRUCt5FBbhGsPoQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032718; a=rsa-sha256; cv=none; b=RFqN2E/IuqCr/8enHTiuKBoQo9gxSI4w3VRlE91Et1QaC3z+P7rMUZi4f769h0Y6pnFlq1 xW8B3F2rmBJ2N9f+zIki5deZW/VT8u4hPfABNNiQdibUq1RlFrofcxiarb2kTZ8vrj6c8l 6M/8QTZ5773WlQwRTUdP9Pz4Mo0M6Xc9UjswkfXpmEh98+7dp/pLLLY/DX8up6+L2VcY8N E4IbewFCzzAMiAw1C/uvHLUNjkjn0xJ/H9pWD802s4ZOx1qvqfFYEswPYPgwCBWyLwp6fv ebU+WagDBJR281BEzOr0MG6w46Ihahkz/tSoK6+/55q5zNRZ0LnrRK6IMxUIDA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032718; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Iwk0uXqvAtWcKGSiPIo/1qA6X5kTiHpUeKsUGAR4IOQ=; b=LBB3PtqgQPYSkCkaN/JEPenIHfos7jvM4bvsAzYzwSp9nxkIsluM1fyz30e9JhdaMcOtEd yPwnztqM5LyfyumOPn+wNDyZH3botdhiGRM+DRKY9suV9gxBs07WAZljmdFWLNaWf+tpY6 8uEs2DqL5ylFEsdkWC6xS4mo6qtc6ZeSeZacHYBQJB7VgDRcixPYjnNfTXPA4tL6HS0BkW VTYTdAGVsN5ENkN0Iz+8jqGV6Tl9X6my2GcHbXInQAUKXJmLvKnQs6zi0JyaUXS0GlENJG AIfdwDQK/9lwMz1KhFdkAgAJd+RwhnbuUgyY/RSjOH++BI1pGQorwP860d8zmQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxB4Qzgznvx for ; Tue, 09 Jun 2026 19:18:38 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3ef34 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:18:38 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Ed Maste From: Mark Johnston Subject: git: f56e8cb94df6 - releng/14.3 - sigqueue: In capability mode, only allow signalling self List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.3 X-Git-Reftype: branch X-Git-Commit: f56e8cb94df666e548c8e1e4e5bd74c8040817f3 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:18:38 +0000 Message-Id: <6a28670e.3ef34.6a513e51@gitrepo.freebsd.org> The branch releng/14.3 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=f56e8cb94df666e548c8e1e4e5bd74c8040817f3 commit f56e8cb94df666e548c8e1e4e5bd74c8040817f3 Author: Ed Maste AuthorDate: 2026-05-26 13:24:36 +0000 Commit: Mark Johnston CommitDate: 2026-06-07 17:48:17 +0000 sigqueue: In capability mode, only allow signalling self This is copied from the check in kern_kill. Approved by: so Security: FreeBSD-SA-26:28.capsicum Security: CVE-2026-45259 Reviewed by: markj, oshogbo Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57244 (cherry picked from commit b9d16b7fd2fa6bc4b3e8364804cbdc1b76ebe8a5) (cherry picked from commit defd9b86ef995ce70363eae9b323d616bda865be) (cherry picked from commit d11ff01b3aec336128e6babbff7a421fbce82015) --- contrib/capsicum-test/capmode.cc | 12 +++++++++--- sys/kern/kern_sig.c | 10 ++++++++++ 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/contrib/capsicum-test/capmode.cc b/contrib/capsicum-test/capmode.cc index f32d9e038744..12921bb53c72 100644 --- a/contrib/capsicum-test/capmode.cc +++ b/contrib/capsicum-test/capmode.cc @@ -747,8 +747,8 @@ FORK_TEST(Capmode, NewThread) { close(thread_pipe[1]); } -static volatile sig_atomic_t had_signal = 0; -static void handle_signal(int) { had_signal = 1; } +static volatile sig_atomic_t signal_cnt = 0; +static void handle_signal(int) { signal_cnt++; } FORK_TEST(Capmode, SelfKill) { pid_t me = getpid(); @@ -766,7 +766,13 @@ FORK_TEST(Capmode, SelfKill) { // Can only kill(2) to own pid. EXPECT_CAPMODE(kill(child, SIGUSR1)); EXPECT_OK(kill(me, SIGUSR1)); - EXPECT_EQ(1, had_signal); + EXPECT_EQ(1, signal_cnt); + + union sigval sv; + sv.sival_int = 0x1234; + EXPECT_CAPMODE(sigqueue(child, SIGUSR1, sv)); + EXPECT_OK(sigqueue(me, SIGUSR1, sv)); + EXPECT_EQ(2, signal_cnt); signal(SIGUSR1, original); } diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c index 3ef9d093b29e..eda533d73522 100644 --- a/sys/kern/kern_sig.c +++ b/sys/kern/kern_sig.c @@ -2041,6 +2041,16 @@ kern_sigqueue(struct thread *td, pid_t pid, int signumf, union sigval *value) if (pid <= 0) return (EINVAL); + /* + * A process in capability mode can send signals only to itself. + */ + if (pid != td->td_proc->p_pid) { + if (CAP_TRACING(td)) + ktrcapfail(CAPFAIL_SIGNAL, &signum); + if (IN_CAPABILITY_MODE(td)) + return (ECAPMODE); + } + if ((signumf & __SIGQUEUE_TID) == 0) { if ((p = pfind_any(pid)) == NULL) return (ESRCH); From nobody Tue Jun 9 19:18:37 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxB2Tc2z6gV7W for ; Tue, 09 Jun 2026 19:18:38 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdx94swdz3NVy for ; Tue, 09 Jun 2026 19:18:37 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032717; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=stff5ZzCRZslNDHRqBGkx1H9UcEPueWQU1wDE9Xcw4U=; b=es/MNKwnDqBVVj0hDEDQOYYyW6rBamoKvxGv2Y9sjgoPf1WdN3Vi5e8EGfKVLp3GD1kN58 OXAlcK0UQXczbMTe2TGTMe692PU1bRgOuwIgNmzOkjGDz+pPxHXeWfSn9oABK8PMnfCfky 7PcT1iItKiJXO/jgPLmY/MDUoyeVxwpBZJl5Ggs2RQlcAeJ8isPRMNQs5yGpZ0wTjJwoTb SPwv/fGZaGs/Ju5j4vrKkaH9iC1SRfXwd0unaQeNMJm4JEeQ64rv84ueQ/+ogK+RhO3sCc HJmbljIRENRtPkZI/5A4h4eR9tlfM3u130s/kF2WHm9c6qWefr0BDHBZc2IF0w== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032717; a=rsa-sha256; cv=none; b=foExhC13iVvFmhNTDPglXHcac1P7YWc5VTH6/DHk+08Q9nfXQZQBw6evVEiEadxBKX/wdh xM0sUrnwUd+6LfCT7+LxEOQkX8WKt+MnfiiS+sn28m1i51eG5BvIcDqUZtNS3fPftDJYqS /RxNd3StyaHJhJYG4qosj/h4TcwHb4x2aoA/AhRdEnYFGvRgdm8ygQ15RJrLKWIvST5C8h wQNJBjm5FqtmINg46a49QEErfN1i95zkG6PIZpjxyR2wxJGlBiKxQhBHAljuGI7piNZWWe 121dhfVXkAe2njaEzleA8Hi/5wo/Gzt3vV0gul0B8fAXtooyVf00eMizg6JrfA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032717; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=stff5ZzCRZslNDHRqBGkx1H9UcEPueWQU1wDE9Xcw4U=; b=VjV7ZjZQuwHnKn18XD5QEx0GuxSyQQxNjvrlLg+Ja/yiyjZoCchuAU3JFaaNCovSFGdA5b oMMaUPpqLYvRvu2njksUkKq3QeazxeiKQZb5yhDunA7pehW5ppoOPvUiRS2BuD9dmZXS/5 320krA0ha/4ORY3r7g8AtgUeoJjNuebgd0Lo8EYLtIOumvl/Fu3uRQR5Qdov43u21M9XGW 4B3llRkckoVXMDXPSgZy3DaaZnXly7Adyj2BMgNDpVH2cEA+r+NmgxVYSkwpQZ98VxW+Do Gw011HSpBb0//a1uwzuVfm+uFxsfmqUOZq3HWvzoKx7CFZYhrtyd4a51r9wuOA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdx93cvnznkf for ; Tue, 09 Jun 2026 19:18:37 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3d649 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:18:37 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: de5fd56985c3 - releng/14.3 - sound: Fix software buffer lifetime issues List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.3 X-Git-Reftype: branch X-Git-Commit: de5fd56985c380ec617a10e480a27eb192b1b074 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:18:37 +0000 Message-Id: <6a28670d.3d649.7725752d@gitrepo.freebsd.org> The branch releng/14.3 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=de5fd56985c380ec617a10e480a27eb192b1b074 commit de5fd56985c380ec617a10e480a27eb192b1b074 Author: Mark Johnston AuthorDate: 2026-06-01 21:57:40 +0000 Commit: Mark Johnston CommitDate: 2026-06-07 17:48:04 +0000 sound: Fix software buffer lifetime issues The channel buffer mapped by dsp_mmap_single() may be freed when the device handle is closed, but the mapping persists beyond that, allowing userspace to read or write memory owned by a different consumer. Fix the problem by adding a reference counter to the sound buffer. Define pager ops for the VM object returned by dsp_mmap_single() and use them to manage the extra reference. Add a regression test. Approved by: so Security: FreeBSD-SA-26:27.sound Security: CVE-2026-49417 Reported by: Lexpl0it, 75Acol, Liyw979, Rob1n Reviewed by kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57393 --- sys/dev/sound/pcm/buffer.c | 38 ++++++++++++++++++++-- sys/dev/sound/pcm/buffer.h | 4 +++ sys/dev/sound/pcm/dsp.c | 80 ++++++++++++++++++++++++++++++++++++++-------- tests/sys/sound/mmap.c | 59 ++++++++++++++++++++++++++++++++++ 4 files changed, 165 insertions(+), 16 deletions(-) diff --git a/sys/dev/sound/pcm/buffer.c b/sys/dev/sound/pcm/buffer.c index de535ec2dcba..ddcf14fbc1c2 100644 --- a/sys/dev/sound/pcm/buffer.c +++ b/sys/dev/sound/pcm/buffer.c @@ -32,6 +32,7 @@ #include "opt_snd.h" #endif +#include #include #include "feeder_if.h" @@ -46,6 +47,7 @@ sndbuf_create(device_t dev, char *drv, char *desc, struct pcm_channel *channel) struct snd_dbuf *b; b = malloc(sizeof(*b), M_DEVBUF, M_WAITOK | M_ZERO); + refcount_init(&b->refcount, 1); snprintf(b->name, SNDBUF_NAMELEN, "%s:%s", drv, desc); b->dev = dev; b->channel = channel; @@ -56,8 +58,30 @@ sndbuf_create(device_t dev, char *drv, char *desc, struct pcm_channel *channel) void sndbuf_destroy(struct snd_dbuf *b) { - sndbuf_free(b); - free(b, M_DEVBUF); + b->flags |= SNDBUF_F_DETACHED; + sndbuf_rele(b); +} + +void +sndbuf_ref(struct snd_dbuf *b) +{ + unsigned int count __diagused; + + CHN_LOCK(b->channel); + count = refcount_acquire(&b->refcount); + KASSERT(count > 0, ("sndbuf %p refcount 0", b)); + CHN_UNLOCK(b->channel); +} + +void +sndbuf_rele(struct snd_dbuf *b) +{ + if (refcount_release(&b->refcount)) { + sndbuf_free(b); + KASSERT(refcount_load(&b->refcount) == 0, + ("sndbuf %p still referenced", b)); + free(b, M_DEVBUF); + } } bus_addr_t @@ -183,6 +207,11 @@ sndbuf_resize(struct snd_dbuf *b, unsigned int blkcnt, unsigned int blksz) if (bufsize > b->allocsize || bufsize < (b->allocsize >> SNDBUF_CACHE_SHIFT)) { + if (refcount_load(&b->refcount) > 1 || + (b->flags & SNDBUF_F_DETACHED) != 0) { + CHN_UNLOCK(b->channel); + return (EBUSY); + } allocsize = round_page(bufsize); CHN_UNLOCK(b->channel); tmpbuf = malloc(allocsize, M_DEVBUF, M_WAITOK); @@ -218,10 +247,15 @@ sndbuf_remalloc(struct snd_dbuf *b, unsigned int blkcnt, unsigned int blksz) if (blkcnt < 2 || blksz < 16) return EINVAL; + CHN_LOCKASSERT(b->channel); + bufsize = blksz * blkcnt; if (bufsize > b->allocsize || bufsize < (b->allocsize >> SNDBUF_CACHE_SHIFT)) { + if (refcount_load(&b->refcount) > 1 || + (b->flags & SNDBUF_F_DETACHED) != 0) + return (EBUSY); allocsize = round_page(bufsize); CHN_UNLOCK(b->channel); buf = malloc(allocsize, M_DEVBUF, M_WAITOK); diff --git a/sys/dev/sound/pcm/buffer.h b/sys/dev/sound/pcm/buffer.h index ddf4083ec19f..99bc6c0611d2 100644 --- a/sys/dev/sound/pcm/buffer.h +++ b/sys/dev/sound/pcm/buffer.h @@ -27,6 +27,7 @@ */ #define SNDBUF_F_MANAGED 0x00000008 +#define SNDBUF_F_DETACHED 0x00000010 #define SNDBUF_NAMELEN 48 @@ -50,6 +51,7 @@ struct snd_dbuf { bus_dma_tag_t dmatag; bus_addr_t buf_addr; int dmaflags; + unsigned int refcount; struct selinfo sel; struct pcm_channel *channel; char name[SNDBUF_NAMELEN]; @@ -57,6 +59,8 @@ struct snd_dbuf { struct snd_dbuf *sndbuf_create(device_t dev, char *drv, char *desc, struct pcm_channel *channel); void sndbuf_destroy(struct snd_dbuf *b); +void sndbuf_ref(struct snd_dbuf *b); +void sndbuf_rele(struct snd_dbuf *b); void sndbuf_dump(struct snd_dbuf *b, char *s, u_int32_t what); diff --git a/sys/dev/sound/pcm/dsp.c b/sys/dev/sound/pcm/dsp.c index f2254f925940..21d1407ac882 100644 --- a/sys/dev/sound/pcm/dsp.c +++ b/sys/dev/sound/pcm/dsp.c @@ -74,7 +74,6 @@ static d_read_t dsp_read; static d_write_t dsp_write; static d_ioctl_t dsp_ioctl; static d_poll_t dsp_poll; -static d_mmap_t dsp_mmap; static d_mmap_single_t dsp_mmap_single; struct cdevsw dsp_cdevsw = { @@ -84,7 +83,6 @@ struct cdevsw dsp_cdevsw = { .d_write = dsp_write, .d_ioctl = dsp_ioctl, .d_poll = dsp_poll, - .d_mmap = dsp_mmap, .d_mmap_single = dsp_mmap_single, .d_name = "dsp", }; @@ -1821,23 +1819,72 @@ dsp_poll(struct cdev *i_dev, int events, struct thread *td) return (ret); } +struct dsp_mmap_handle { + struct cdev *cdev; + struct snd_dbuf *buf; +}; + static int -dsp_mmap(struct cdev *i_dev, vm_ooffset_t offset, vm_paddr_t *paddr, - int nprot, vm_memattr_t *memattr) +dsp_dev_pager_ctor(void *handle, vm_ooffset_t size, vm_prot_t prot, + vm_ooffset_t foff, struct ucred *cred, u_short *color) { + struct dsp_mmap_handle *h = handle; - /* - * offset is in range due to checks in dsp_mmap_single(). - * XXX memattr is not honored. - */ - *paddr = vtophys(offset); + dev_ref(h->cdev); + sndbuf_ref(h->buf); return (0); } +static void +dsp_dev_pager_dtor(void *handle) +{ + struct dsp_mmap_handle *h = handle; + + sndbuf_rele(h->buf); + dev_rel(h->cdev); + free(h, M_DEVBUF); +} + static int -dsp_mmap_single(struct cdev *i_dev, vm_ooffset_t *offset, +dsp_dev_pager_fault(vm_object_t object, vm_ooffset_t offset, int prot, + vm_page_t *mres) +{ + struct dsp_mmap_handle *h = object->handle; + vm_page_t m; + uintptr_t addr; + vm_paddr_t paddr; + + addr = (uintptr_t)offset; + if (addr < (uintptr_t)h->buf->buf || + addr >= (uintptr_t)h->buf->buf + h->buf->allocsize) + return (VM_PAGER_ERROR); + paddr = vtophys((void *)addr); + + if (((*mres)->flags & PG_FICTITIOUS) != 0) { + m = *mres; + vm_page_updatefake(m, paddr, object->memattr); + } else { + VM_OBJECT_WUNLOCK(object); + m = vm_page_getfake(paddr, object->memattr); + VM_OBJECT_WLOCK(object); + vm_page_replace(m, object, (*mres)->pindex, *mres); + *mres = m; + } + m->valid = VM_PAGE_BITS_ALL; + return (VM_PAGER_OK); +} + +static const struct cdev_pager_ops dsp_dev_pager_ops = { + .cdev_pg_ctor = dsp_dev_pager_ctor, + .cdev_pg_dtor = dsp_dev_pager_dtor, + .cdev_pg_fault = dsp_dev_pager_fault, +}; + +static int +dsp_mmap_single(struct cdev *cdev, vm_ooffset_t *offset, vm_size_t size, struct vm_object **object, int nprot) { + struct dsp_mmap_handle *handle; struct dsp_cdevpriv *priv; struct snddev_info *d; struct pcm_channel *wrch, *rdch, *c; @@ -1900,13 +1947,18 @@ dsp_mmap_single(struct cdev *i_dev, vm_ooffset_t *offset, *offset = (uintptr_t)sndbuf_getbufofs(c->bufsoft, *offset); dsp_unlock_chans(priv, SD_F_PRIO_RD | SD_F_PRIO_WR); - *object = vm_pager_allocate(OBJT_DEVICE, i_dev, - size, nprot, *offset, curthread->td_ucred); + handle = malloc(sizeof(*handle), M_DEVBUF, M_WAITOK); + handle->cdev = cdev; + handle->buf = c->bufsoft; + *object = cdev_pager_allocate(handle, OBJT_DEVICE, &dsp_dev_pager_ops, + size, nprot, *offset, curthread->td_ucred); PCM_GIANT_LEAVE(d); + if (*object == NULL) { + free(handle, M_DEVBUF); + return (EINVAL); + } - if (*object == NULL) - return (EINVAL); return (0); } diff --git a/tests/sys/sound/mmap.c b/tests/sys/sound/mmap.c index 33440529eb10..ee35986831c2 100644 --- a/tests/sys/sound/mmap.c +++ b/tests/sys/sound/mmap.c @@ -4,12 +4,14 @@ * Copyright (c) 2026 The FreeBSD Foundation */ +#include #include #include #include #include #include +#include #include #define FMT_ERR(s) s ": %s", strerror(errno) @@ -42,9 +44,66 @@ ATF_TC_BODY(mmap_offset_overflow, tc) close(fd); } +/* + * Verify that a MAP_SHARED mapping of a DSP device's software buffer remains + * valid after the file descriptor is closed. + */ +ATF_TC(mmap_buffer_lifetime); +ATF_TC_HEAD(mmap_buffer_lifetime, tc) +{ + atf_tc_set_md_var(tc, "descr", "mmap data survives close()"); +} +ATF_TC_BODY(mmap_buffer_lifetime, tc) +{ + audio_buf_info abi; + uint8_t *buf; + size_t len; + int fd, arg; + + fd = open("/dev/dsp0", O_RDWR); + ATF_REQUIRE_MSG(fd >= 0, FMT_ERR("open")); + + arg = (2 << 16) | 14; /* 2*16KB */ + ATF_REQUIRE_MSG(ioctl(fd, SNDCTL_DSP_SETFRAGMENT, &arg) == 0, + FMT_ERR("SNDCTL_DSP_SETFRAGMENT")); + ATF_REQUIRE_MSG(ioctl(fd, SNDCTL_DSP_GETOSPACE, &abi) == 0, + FMT_ERR("SNDCTL_DSP_GETOSPACE")); + + len = abi.bytes; + ATF_REQUIRE_MSG(len >= PAGE_SIZE, "buffer too small: %zu", len); + + buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); + ATF_REQUIRE_MSG(buf != MAP_FAILED, FMT_ERR("mmap")); + + for (size_t i = 0; i < len; i++) { + ATF_REQUIRE_MSG(buf[i] == 0, + "mmap data corrupted at offset %zu: want 0 got 0x%02x", + i, buf[i]); + } + + memset(buf, 0xa5, len); + for (size_t i = 0; i < len; i++) { + ATF_REQUIRE_MSG(buf[i] == 0xa5, + "mmap data corrupted at offset %zu: want 0xa5 got 0x%02x", + i, buf[i]); + } + + ATF_REQUIRE(close(fd) == 0); + + /* Closing the device causes the buffer to be reset. */ + for (size_t i = 0; i < len; i++) { + ATF_REQUIRE_MSG(buf[i] == 0 || buf[i] == 0xa5, + "mmap data corrupted at offset %zu: got 0x%02x", i, buf[i]); + } + memset(buf, 0xa5, len); + + ATF_REQUIRE(munmap(buf, len) == 0); +} + ATF_TP_ADD_TCS(tp) { ATF_TP_ADD_TC(tp, mmap_offset_overflow); + ATF_TP_ADD_TC(tp, mmap_buffer_lifetime); return (atf_no_error()); } From nobody Tue Jun 9 19:18:39 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxD1b5xz6gV4B for ; Tue, 09 Jun 2026 19:18:40 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxC5Gltz3NQP for ; Tue, 09 Jun 2026 19:18:39 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032719; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=6Et6GRrtMVwZr7qEsduNlaOxmVkcpytz/DDz0h8DFRI=; b=YJR/hCJ84u4DKbMFbvGpv/Zin99w3R/AxF4OXvOL0GjldAKOpQaI5dvMxejTqwy+imagH4 o0P/DGsXh11YPOyZNE0n6BPW2WHpS7Z/b3/pd8j9eeJ58cKUv5AxWRm6Tfj4cF+L2fNho8 osN2ZUjD1Qny8JG7pLdNGzVojc/v/66hYfy6oP6u8BmmWZdDoCtIk8zrEZNScH2ALBR3TY hsSf2Kh9yIOHn0ntxGUyJCiC8H5wSWcHDTTAzRJT41fwXaQXrCtGq0HaUwm8XNbu475RzJ ROXtnVhtQL/AFf6B6rF/MwtUMtqDOS+eRP60xvcZ7RoE86SuzjyWetk4j87c1Q== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032719; a=rsa-sha256; cv=none; b=X9600dsfzVGsBpMuI1gy5zUg6nJUMF4Ow6kLVt05Sw9app7H5KpiYOWA/KQER/oTPHkAJj XppvJYivWMpy8+XpEMCObecSVuA+TeKVaCy++MNUOyZ8WTlWlQivGQluvNU5L3pv+P8jH5 EVWQPqAju//LpaKsmZrlTtxcPj/d19oq+H0DGLCrMHAE5YpQI01Po13WDVEc20Y9EdIUDX U5zp3Z+mkUvgnzaJpuC16R9rDPFDI+QQbzgxo1PX08mbaRv1PaSm5lYAwdv/CBwFTtQ54x fQd6je7YpZrMFMnPRLOFWdKz85iAkvjbS3CWX1PboVaEBQqf+hIP2N/K/geD2g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032719; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=6Et6GRrtMVwZr7qEsduNlaOxmVkcpytz/DDz0h8DFRI=; b=d+4RZS7GJdEMo6DcPVsi210mXj90DEFek5hGhAVvHMsQZODX6senq0NreHC0ocnuzpZFLS 0j10I36y9WDUkUthYkAcshasWdRNrxizd+ppuDaQEbqUojtnEj+yQTF01Msl6NijRvSRcL fvYHCPaoxAHpAlXwRXpo8aE2iMMKnIesuJHc6tQyF3N71CmcL5sIsyXFAujMuvZHY2Y/qc QAIkvlHCY/HiZjePTp7uTnGho1D/sfwYFJ+RT5hn1fG8k3LKc/A6zG6IIKaYtir7Otva/o OxZEtJeZ8z/EiKLqNSgPJR9CalANuKS+jSR806inf8RpWFE7O6T8xLQcZGrTAw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxC4pK8znvy for ; Tue, 09 Jun 2026 19:18:39 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e52a by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:18:39 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: e6859453de61 - releng/14.3 - in6_mcast: Fix a race in in6p_set_source_filter() List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.3 X-Git-Reftype: branch X-Git-Commit: e6859453de61e683b77b0172e98e06181d82a930 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:18:39 +0000 Message-Id: <6a28670f.3e52a.437f5186@gitrepo.freebsd.org> The branch releng/14.3 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=e6859453de61e683b77b0172e98e06181d82a930 commit e6859453de61e683b77b0172e98e06181d82a930 Author: Mark Johnston AuthorDate: 2026-05-29 20:12:24 +0000 Commit: Mark Johnston CommitDate: 2026-06-07 17:48:17 +0000 in6_mcast: Fix a race in in6p_set_source_filter() We drop the inpcb lock in order to copy in the source list, but this leaves a window where the multicast filter structure might be freed. This can be exploited to obtain root privileges. In the v4 code this race is mitigated by holding the global multicast lock across the gap. Restructure the code to copy in filters before doing anything else, so that there's no need to drop the inpcb lock and reason about the correctness of doing so. Do the same in the v4 code for consistency. Approved by: so Security: FreeBSD-SA-26:29.ip6_multicast Security: CVE-2026-49412 Reported by: Andrew Griffiths Reported by: Maik Münch Reviewed by: glebius Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57347 --- sys/netinet/in_mcast.c | 39 +++++++++++++++++---------------------- sys/netinet6/in6_mcast.c | 41 +++++++++++++++++++---------------------- 2 files changed, 36 insertions(+), 44 deletions(-) diff --git a/sys/netinet/in_mcast.c b/sys/netinet/in_mcast.c index 3dc4fa271683..4fd00bac3ae4 100644 --- a/sys/netinet/in_mcast.c +++ b/sys/netinet/in_mcast.c @@ -2524,6 +2524,7 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) { struct epoch_tracker et; struct __msfilterreq msfr; + struct sockaddr_storage *kss; sockunion_t *gsa; struct ifnet *ifp; struct in_mfilter *imf; @@ -2536,9 +2537,6 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (error) return (error); - if (msfr.msfr_nsrcs > in_mcast_maxsocksrc) - return (ENOBUFS); - if ((msfr.msfr_fmode != MCAST_EXCLUDE && msfr.msfr_fmode != MCAST_INCLUDE)) return (EINVAL); @@ -2551,13 +2549,24 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (!IN_MULTICAST(ntohl(gsa->sin.sin_addr.s_addr))) return (EINVAL); + if (msfr.msfr_nsrcs > in_mcast_maxsocksrc) + return (ENOBUFS); + kss = mallocarray(msfr.msfr_nsrcs, sizeof(struct sockaddr_storage), + M_TEMP, M_WAITOK); + error = copyin(msfr.msfr_srcs, kss, + sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs); + if (error) + goto out_inp_unlocked; + gsa->sin.sin_port = 0; /* ignore port */ NET_EPOCH_ENTER(et); ifp = ifnet_byindex(msfr.msfr_ifindex); NET_EPOCH_EXIT(et); /* XXXGL: unsafe ifp */ - if (ifp == NULL) - return (EADDRNOTAVAIL); + if (ifp == NULL) { + error = EADDRNOTAVAIL; + goto out_inp_unlocked; + } IN_MULTI_LOCK(); @@ -2589,24 +2598,9 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (msfr.msfr_nsrcs > 0) { struct in_msource *lims; struct sockaddr_in *psin; - struct sockaddr_storage *kss, *pkss; + struct sockaddr_storage *pkss; int i; - INP_WUNLOCK(inp); - - CTR2(KTR_IGMPV3, "%s: loading %lu source list entries", - __func__, (unsigned long)msfr.msfr_nsrcs); - kss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, - M_TEMP, M_WAITOK); - error = copyin(msfr.msfr_srcs, kss, - sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs); - if (error) { - free(kss, M_TEMP); - return (error); - } - - INP_WLOCK(inp); - /* * Mark all source filters as UNDEFINED at t1. * Restore new group filter mode, as imf_leave() @@ -2641,7 +2635,6 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) break; lims->imsl_st[1] = imf->imf_st[1]; } - free(kss, M_TEMP); } if (error) @@ -2678,6 +2671,8 @@ out_imf_rollback: out_inp_locked: INP_WUNLOCK(inp); IN_MULTI_UNLOCK(); +out_inp_unlocked: + free(kss, M_TEMP); return (error); } diff --git a/sys/netinet6/in6_mcast.c b/sys/netinet6/in6_mcast.c index a6186568ecb2..4ec9f36cd9ac 100644 --- a/sys/netinet6/in6_mcast.c +++ b/sys/netinet6/in6_mcast.c @@ -2489,6 +2489,7 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) { struct __msfilterreq msfr; struct epoch_tracker et; + struct sockaddr_storage *kss; sockunion_t *gsa; struct ifnet *ifp; struct in6_mfilter *imf; @@ -2501,9 +2502,6 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (error) return (error); - if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc) - return (ENOBUFS); - if (msfr.msfr_fmode != MCAST_EXCLUDE && msfr.msfr_fmode != MCAST_INCLUDE) return (EINVAL); @@ -2516,19 +2514,31 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (!IN6_IS_ADDR_MULTICAST(&gsa->sin6.sin6_addr)) return (EINVAL); + if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc) + return (ENOBUFS); + kss = mallocarray(msfr.msfr_nsrcs, sizeof(struct sockaddr_storage), + M_TEMP, M_WAITOK); + error = copyin(msfr.msfr_srcs, kss, + sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs); + if (error) + goto out_in6p_unlocked; + gsa->sin6.sin6_port = 0; /* ignore port */ NET_EPOCH_ENTER(et); ifp = ifnet_byindex(msfr.msfr_ifindex); NET_EPOCH_EXIT(et); - if (ifp == NULL) - return (EADDRNOTAVAIL); + if (ifp == NULL) { + error = EADDRNOTAVAIL; + goto out_in6p_unlocked; + } (void)in6_setscope(&gsa->sin6.sin6_addr, ifp, NULL); /* * Take the INP write lock. * Check if this socket is a member of this group. */ + IN6_MULTI_LOCK(); imo = in6p_findmoptions(inp); imf = im6o_match_group(imo, ifp, &gsa->sa); if (imf == NULL) { @@ -2553,24 +2563,9 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (msfr.msfr_nsrcs > 0) { struct in6_msource *lims; struct sockaddr_in6 *psin; - struct sockaddr_storage *kss, *pkss; + struct sockaddr_storage *pkss; int i; - INP_WUNLOCK(inp); - - CTR2(KTR_MLD, "%s: loading %lu source list entries", - __func__, (unsigned long)msfr.msfr_nsrcs); - kss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, - M_TEMP, M_WAITOK); - error = copyin(msfr.msfr_srcs, kss, - sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs); - if (error) { - free(kss, M_TEMP); - return (error); - } - - INP_WLOCK(inp); - /* * Mark all source filters as UNDEFINED at t1. * Restore new group filter mode, as im6f_leave() @@ -2615,7 +2610,6 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) break; lims->im6sl_st[1] = imf->im6f_st[1]; } - free(kss, M_TEMP); } if (error) @@ -2650,6 +2644,9 @@ out_im6f_rollback: out_in6p_locked: INP_WUNLOCK(inp); + IN6_MULTI_UNLOCK(); +out_in6p_unlocked: + free(kss, M_TEMP); return (error); } From nobody Tue Jun 9 19:18:40 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxF1rKwz6gVBX for ; Tue, 09 Jun 2026 19:18:41 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxD6C0sz3NNX for ; Tue, 09 Jun 2026 19:18:40 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032720; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=M/+kbOepM/mfvAXmK+IvMTvDQlQKLImFA8ZtGWWGPmA=; b=yf6/98yFqJ8AyFIxRUyXHPcOuETGLlU5SE0shkBdtyQiRZHf1m5vntyQzERhBYTmfNd99L Ol4ojpkUOgpyanHHlprMidvAecG0A039qf0nfu7n+r63f5d06Mir6HsTlO1DhJcgyS3IS8 t0eFlcIftr05j9g5mpAX/KI4eKAdCxpodfB+9siw8vle4oIZ7Q54/+pR6lZ05MetEsXxVL z8v7TjpRoTX+fuUfzk6OmNlSsgXl+UCkvXZDpSSbbH9mzDkHMA7Hi6mgEy79iy/Wo4g3ep KefWlufeywI1hWQd0ixXbiaFZ33i/OtD6nPz6CtPiO8pg6EpuNJMWMGbjnO6Bg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032720; a=rsa-sha256; cv=none; b=B+jEF7UY6zp6G9kgGOiB1cGjuA+K5gqmrXjy0qYq4G4hMP2BjH7w03oAk666qAr/wnZUi/ /c+G7H1K7N0E47osr7efiIi0M4xQS11P9AlTkfF+6TFDAuoZ0Fwwd91AN+loMFsFfrIvRB 1JlOofybJFw3rhCMk/DWyENlrNRxl7fY8NTU3iBznLzyIDlLQl7oQzNfh5y5DOZ7iXU0Bg 1RC+NHydkxkQkssYeUbW/6qJjzpFcKfcTMxSh6/2BWB0ibFy1fo23sMHnmZsUazLA1esOv 3BmYy9F03FVZ1Ta/J94TajfyR/dmlUz3XFdRa3StnZFMFqLXWxSkZ9hYujI+OQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032720; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=M/+kbOepM/mfvAXmK+IvMTvDQlQKLImFA8ZtGWWGPmA=; b=leMyxgBjrzkipCFa3pCM7kE0M1+C4cqSClyuakySn2N3INX/+2I3zDaNZ+rntqNeqYk5Nb y5WaG6DEc4Nthi7V1cO5AMxpSgDVFERTScr8U4BL5uFinO4FZXjgjRxD8pAfmpYsGM4EJk 1W5l/N3weOXMABhpDVpk5anhWjBV9cAKtyEdcchmQVN2Fyp4ai27bfcwUZezNys4F3STT7 fV6mE5gHjcEpDjlNcxHvOUc8gVqjwrr0RseJL70GJRrN8jO68EBOk9jGNo4cNFXXEG3sdD SUTlMRfjybfgu8erSdH0lsdoQMFu82foeOijA1dbB2OwoDPGWPZFhvv6bpWSww== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxD5ZtPznxx for ; Tue, 09 Jun 2026 19:18:40 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e421 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:18:40 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 0dcf9bba4b9f - releng/14.3 - linux: Correct the issetugid check in copyout_auxargs List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.3 X-Git-Reftype: branch X-Git-Commit: 0dcf9bba4b9fe7f2f0356095f21b2cb86be02e1d Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:18:40 +0000 Message-Id: <6a286710.3e421.50d410a@gitrepo.freebsd.org> The branch releng/14.3 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=0dcf9bba4b9fe7f2f0356095f21b2cb86be02e1d commit 0dcf9bba4b9fe7f2f0356095f21b2cb86be02e1d Author: Mark Johnston AuthorDate: 2026-05-29 21:41:35 +0000 Commit: Mark Johnston CommitDate: 2026-06-07 17:48:17 +0000 linux: Correct the issetugid check in copyout_auxargs The runtime linker in glibc relies on the AT_SECURE auxv entry to know whether the executable is set-ugid, if so then various dangerous functionality such as LD_PRELOAD is disabled. The check added in commit 669414e4fb74 failed to take into account the fact that during execve, P_SUGID may not yet be set for a set-ugid process. Correct the test. Approved by: so Security: FreeBSD-SA-26:30.linux Security: CVE-2026-49413 Reported by: Minseong Kim Fixes: 669414e4fb74 ("Implement AT_SECURE properly.") Reviewed by: kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57350 --- sys/compat/linux/linux_elf.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/sys/compat/linux/linux_elf.c b/sys/compat/linux/linux_elf.c index c9eb6aea8373..6c9f785c97e7 100644 --- a/sys/compat/linux/linux_elf.c +++ b/sys/compat/linux/linux_elf.c @@ -492,11 +492,9 @@ __linuxN(copyout_auxargs)(struct image_params *imgp, uintptr_t base) struct thread *td = curthread; Elf_Auxargs *args; Elf_Auxinfo *aarray, *pos; - struct proc *p; int error, issetugid; - p = imgp->proc; - issetugid = p->p_flag & P_SUGID ? 1 : 0; + issetugid = imgp->credential_setid ? 1 : 0; args = imgp->auxargs; aarray = pos = malloc(LINUX_AT_COUNT * sizeof(*pos), M_TEMP, M_WAITOK | M_ZERO); From nobody Tue Jun 9 19:18:41 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxG3FFqz6gV8M for ; Tue, 09 Jun 2026 19:18:42 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxF6qvZz3NX7 for ; Tue, 09 Jun 2026 19:18:41 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032722; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=UdYHrbgIEhyENyND0buDUUW93oJVie+LngaRFRBJDCM=; b=xg4Xw6AgYi3xieTRsTBG0y3Ah1Knj0qY9WcWy0UqhhtM3wKJQwlErEs36/YdtTEy5/kKxy aEJOKqYa1T/0xoXHLBmaQx3N6WDCi+yhJgCbXK4ip1iQykJvxsBWVTeMt+0yIKap4evloj mIM+PHYjRwaoJGo5D5rxAcmA2kc41ve4vdTAbcglMDulqGES/vHB/U1HDC7X2QquEgkrum euRLyx0sxON7etJ1DoZEZdyBUVBFq1GVly/erYHBG2CnFzNqW4Fo8s4J01tqUNdcKmESQK dO0OKcOObItSS8Z0hZZCWdMEypLq4LOCxX6jVD+9QJXgcFoQQXC17GUlvCWJGQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032722; a=rsa-sha256; cv=none; b=PmdVekRTe0zW9j3UmQS1Oq0LqF9+uRsMJMzCWAcydY/Yj1C22XXCYgE4/4DJyjKM2j8tce iIBJgjk0kWO83uG29Eq5IkvBROXtzMxQIzJ90YhOap5xgOv8v69rgUtW52I0t/jZOBu7rN NtSpEoCdulDfcn1qPkcUwV7y/tM4WgPCuafkKiTq12TdC+VTx05FPwHA/zgMGbwlze5tk9 Xq7z+vroFPyF9HGI2qZM/UnBsJpLlRSEnqZ1b3QordcqE5cQknfJR4KoOLMLq9Qx4LwCQ8 B07I8DU0YcAjvhcuerqaW9TOo5oI3I0J20j6zRQdL+4vHSR8esOWal04UHP9vw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032722; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=UdYHrbgIEhyENyND0buDUUW93oJVie+LngaRFRBJDCM=; b=B0UmWRVTUKiXQOo30B3z4aEXZ1LeTagmEREtKa93ZOClkI02ot0rVa8P27PLGpWX1/5nld UVf9CguxlBbMjDPd2OUfzM9Hyb8tZgQL4EN1TEeF7pjit0bxRL9R7zwZViDFnNik2HBNnf 5yzSS+7qiILuxwGAcvD1bKuLzFRtGh4lLKYVGRvrp8tZLDH2nvV1jOUoGIbilo8foWmxtF iplc26+dNSHLpXJi5MdZsELrXSQr9FiA1GW4yIU6548AocYuW9sEhper8MSILkqnp8pWMS dGLn55Z04pVABskxvlk4tutFtdOuvnqx5KUGz6ZMO8xR+ujiPeI1tf9WCckUjA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxF6MZ9znrS for ; Tue, 09 Jun 2026 19:18:41 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3c5f2 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:18:41 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Andrew Turner From: Mark Johnston Subject: git: 61d0cea4c00f - releng/14.3 - arm64: Workaround the following errata List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.3 X-Git-Reftype: branch X-Git-Commit: 61d0cea4c00fd48ca9cedfd788a58105948aff78 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:18:41 +0000 Message-Id: <6a286711.3c5f2.51d4f2ed@gitrepo.freebsd.org> The branch releng/14.3 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=61d0cea4c00fd48ca9cedfd788a58105948aff78 commit 61d0cea4c00fd48ca9cedfd788a58105948aff78 Author: Andrew Turner AuthorDate: 2026-05-29 08:31:10 +0000 Commit: Mark Johnston CommitDate: 2026-06-07 17:48:17 +0000 arm64: Workaround the following errata - ARM C1-Premium erratum 4193780 - ARM C1-Ultra erratum 4193780 - ARM Cortex-A76 erratum 4193800 - ARM Cortex-A76AE erratum 4193801 - ARM Cortex-A77 erratum 4193798 - ARM Cortex-A78 erratum 4193791 - ARM Cortex-A78AE erratum 4193793 - ARM Cortex-A78C erratum 4193794 - ARM Cortex-A710 erratum 4193788 - ARM Cortex-X1 erratum 4193791 - ARM Cortex-X1C erratum 4193792 - ARM Cortex-X2 erratum 4193788 - ARM Cortex-X3 erratum 4193786 - ARM Cortex-X4 erratum 4118414 - ARM Cortex-X925 erratum 4193781 - ARM Neoverse-N1 erratum 4193800 - ARM Neoverse-N2 erratum 4193789 - ARM Neoverse-V1 erratum 4193790 - ARM Neoverse-V2 erratum 4193787 - ARM Neoverse-V3 erratum 4193784 - ARM Neoverse-V3AE erratum 4193784 These are all variants on an erratum where TLBI+DSB instructions on one CPU may incorrectly complete early leading to stores to an updated address using an incorrect translation on another CPU. In all cases the workaround is to add a second TLBI+DSB. Sponsored by: Arm Ltd arm64: Add more CPU MIDR values Found in Linux and https://github.com/arm-software/data Sponsored by: Arm Ltd Differential Revision: https://reviews.freebsd.org/D50726 (cherry picked from commit 124b5dbf5c09a17251b75f6b96c9ab7b218eee7f) (cherry picked from commit 935f00c4ddf6c0e90752e7017e1d8d165e0796a1) arm64: Add the new C1 CPU IDs Add the Arm C1-Nano, C1-Pro, C1-Premium, and C1-Ultra CPUs from their Technical Reference Manuals. Sponsored by: Arm Ltd (cherry picked from commit 8fee6b9ecc84d3602a461f1cd33df91e50849cdf) (cherry picked from commit 25ff471f0bbcf5b489678e9f94877386366dc521) Approved by: so Security: FreeBSD-SA-26:31.arm64 Security: CVE-2025-10263 --- sys/arm64/arm64/pmap.c | 79 +++++++++++++++++++++++++++++++++++++++++++++++++ sys/arm64/include/cpu.h | 24 ++++++++++++++- 2 files changed, 102 insertions(+), 1 deletion(-) diff --git a/sys/arm64/arm64/pmap.c b/sys/arm64/arm64/pmap.c index a5d037d7b71c..91b4942b4345 100644 --- a/sys/arm64/arm64/pmap.c +++ b/sys/arm64/arm64/pmap.c @@ -183,6 +183,8 @@ #define PMAP_SAN_PTE_BITS (ATTR_DEFAULT | ATTR_S1_XN | \ ATTR_S1_IDX(VM_MEMATTR_WRITE_BACK) | ATTR_S1_AP(ATTR_S1_AP_RW)) +static bool __read_mostly pmap_multiple_tlbi = false; + struct pmap_large_md_page { struct rwlock pv_lock; struct md_page pv_page; @@ -1534,6 +1536,71 @@ pmap_init_pv_table(void) } } + +static void +pmap_init_multiple_tlbi(void *dummy __unused) +{ + u_int cpu, midr; + + CPU_FOREACH(cpu) { + midr = pcpu_find(cpu)->pc_midr; + + /* + * ARM C1-Premium erratum 4193780 + * ARM C1-Ultra erratum 4193780 + * ARM Cortex-A76 erratum 4193800 + * ARM Cortex-A76AE erratum 4193801 + * ARM Cortex-A77 erratum 4193798 + * ARM Cortex-A78 erratum 4193791 + * ARM Cortex-A78AE erratum 4193793 + * ARM Cortex-A78C erratum 4193794 + * ARM Cortex-A710 erratum 4193788 + * ARM Cortex-X1 erratum 4193791 + * ARM Cortex-X1C erratum 4193792 + * ARM Cortex-X2 erratum 4193788 + * ARM Cortex-X3 erratum 4193786 + * ARM Cortex-X4 erratum 4118414 + * ARM Cortex-X925 erratum 4193781 + * ARM Neoverse-N1 erratum 4193800 + * ARM Neoverse-N2 erratum 4193789 + * ARM Neoverse-V1 erratum 4193790 + * ARM Neoverse-V2 erratum 4193787 + * ARM Neoverse-V3 erratum 4193784 + * ARM Neoverse-V3AE erratum 4193784 + * Present in all revisions + */ + if (CPU_IMPL(midr) == CPU_IMPL_ARM) { + switch(CPU_PART(midr)) { + case CPU_PART_C1_PREMIUM: + case CPU_PART_C1_ULTRA: + case CPU_PART_CORTEX_A76: + case CPU_PART_CORTEX_A76AE: + case CPU_PART_CORTEX_A77: + case CPU_PART_CORTEX_A78: + case CPU_PART_CORTEX_A78AE: + case CPU_PART_CORTEX_A78C: + case CPU_PART_CORTEX_A710: + case CPU_PART_CORTEX_X1: + case CPU_PART_CORTEX_X1C: + case CPU_PART_CORTEX_X2: + case CPU_PART_CORTEX_X3: + case CPU_PART_CORTEX_X4: + case CPU_PART_CORTEX_X925: + case CPU_PART_NEOVERSE_N1: + case CPU_PART_NEOVERSE_N2: + case CPU_PART_NEOVERSE_V1: + case CPU_PART_NEOVERSE_V2: + case CPU_PART_NEOVERSE_V3: + case CPU_PART_NEOVERSE_V3AE: + pmap_multiple_tlbi = true; + return; + } + } + } +} +SYSINIT(pmap_init_multiple_tlbi, SI_SUB_CPU, SI_ORDER_ANY, + pmap_init_multiple_tlbi, NULL); + /* * Initialize the pmap module. * @@ -1652,6 +1719,10 @@ pmap_s1_invalidate_page(pmap_t pmap, vm_offset_t va, bool final_only) r |= ASID_TO_OPERAND(COOKIE_TO_ASID(pmap->pm_cookie)); pmap_s1_invalidate_user(r, final_only); } + if (pmap_multiple_tlbi) { + dsb(ish); + __asm __volatile("tlbi vale1is, xzr" ::: "memory"); + } dsb(ish); isb(); } @@ -1699,6 +1770,10 @@ pmap_s1_invalidate_range(pmap_t pmap, vm_offset_t sva, vm_offset_t eva, for (r = start; r < end; r += TLBI_VA_L3_INCR) pmap_s1_invalidate_user(r, final_only); } + if (pmap_multiple_tlbi) { + dsb(ish); + __asm __volatile("tlbi vale1is, xzr" ::: "memory"); + } dsb(ish); isb(); } @@ -1740,6 +1815,10 @@ pmap_s1_invalidate_all(pmap_t pmap) r = ASID_TO_OPERAND(COOKIE_TO_ASID(pmap->pm_cookie)); __asm __volatile("tlbi aside1is, %0" : : "r" (r)); } + if (pmap_multiple_tlbi) { + dsb(ish); + __asm __volatile("tlbi vale1is, xzr" ::: "memory"); + } dsb(ish); isb(); } diff --git a/sys/arm64/include/cpu.h b/sys/arm64/include/cpu.h index 0701a75d17f7..dbb92d75dd85 100644 --- a/sys/arm64/include/cpu.h +++ b/sys/arm64/include/cpu.h @@ -77,6 +77,7 @@ #define CPU_IMPL_CAVIUM 0x43 #define CPU_IMPL_DEC 0x44 #define CPU_IMPL_FUJITSU 0x46 +#define CPU_IMPL_HISILICON 0x48 #define CPU_IMPL_INFINEON 0x49 #define CPU_IMPL_FREESCALE 0x4D #define CPU_IMPL_NVIDIA 0x4E @@ -86,6 +87,7 @@ #define CPU_IMPL_APPLE 0x61 #define CPU_IMPL_INTEL 0x69 #define CPU_IMPL_AMPERE 0xC0 +#define CPU_IMPL_MICROSOFT 0x6D /* ARM Part numbers */ #define CPU_PART_FOUNDATION 0xD00 @@ -105,6 +107,7 @@ #define CPU_PART_AEM_V8 0xD0F #define CPU_PART_NEOVERSE_V1 0xD40 #define CPU_PART_CORTEX_A78 0xD41 +#define CPU_PART_CORTEX_A78AE 0xD42 #define CPU_PART_CORTEX_A65AE 0xD43 #define CPU_PART_CORTEX_X1 0xD44 #define CPU_PART_CORTEX_A510 0xD46 @@ -117,6 +120,18 @@ #define CPU_PART_CORTEX_A715 0xD4D #define CPU_PART_CORTEX_X3 0xD4E #define CPU_PART_NEOVERSE_V2 0xD4F +#define CPU_PART_CORTEX_A520 0xD80 +#define CPU_PART_CORTEX_A720 0xD81 +#define CPU_PART_CORTEX_X4 0xD82 +#define CPU_PART_NEOVERSE_V3AE 0xD83 +#define CPU_PART_NEOVERSE_V3 0xD84 +#define CPU_PART_CORTEX_X925 0xD85 +#define CPU_PART_CORTEX_A725 0xD87 +#define CPU_PART_C1_NANO 0xD8A +#define CPU_PART_C1_PRO 0xD8B +#define CPU_PART_C1_ULTRA 0xD8C +#define CPU_PART_NEOVERSE_N3 0xD8E +#define CPU_PART_C1_PREMIUM 0xD90 /* Cavium Part numbers */ #define CPU_PART_THUNDERX 0x0A1 @@ -129,9 +144,16 @@ #define CPU_REV_THUNDERX2_0 0x00 -/* APM / Ampere Part Number */ +/* APM (now Ampere) Part number */ #define CPU_PART_EMAG8180 0x000 +/* Ampere Part numbers */ +#define CPU_PART_AMPERE1 0xAC3 +#define CPU_PART_AMPERE1A 0xAC4 + +/* Microsoft Part numbers */ +#define CPU_PART_AZURE_COBALT_100 0xD49 + /* Qualcomm */ #define CPU_PART_KRYO400_GOLD 0x804 #define CPU_PART_KRYO400_SILVER 0x805 From nobody Tue Jun 9 19:18:44 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxJ2pBLz6gVBd for ; Tue, 09 Jun 2026 19:18:44 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxJ1QkJz3NPD for ; Tue, 09 Jun 2026 19:18:44 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032724; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=4sK3XWSRFQ8gjXFbYQt74mwM/vFV86RviLpTYqFQwdM=; b=TjOP891gK7eD7LhcOMYhLgUiIQbnRW3JgGApXxDbZBCxULEvi8Dzc7CauIjD2dFqrnAHQB vBjOrvSqwRofC/p2zii+vQeyXau4dC23k7SAZMnEUHjF0/F8Huu0EU7uavA6Jh9Xy3IQYy 0Qs6iQsBd2GTBxn9zDyaCLpk+MGfIhDFzbLtxNs7qHeYr3dFRXhPYx8YQfeP3iUCmGL1eQ yzSaUQ5ohb8BDJfYP3yObybDXqhVQqjOKEdOdkAm3CYpz5SBJIc7VX9d4t2umnFfDWDTZr coOydOcnpsKBX0/AoqIxVhJPqRP5OMF5bPpZKvs3qFnHSOcDVg21cKVucaDFQQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032724; a=rsa-sha256; cv=none; b=clJjEo6yxOs5+yERlN/aKoB21iyzmF9GAnjvr9ld3nuD4wE4H4fq0b8rp8qYpQ3Ex4xbcM 7fhHaV7Ox2E27Z2lGPwx7gutWtxqePLuG8PIEeWG+W3rS0ROGqbuTU6cQDDRKeOqLT1Cve SrnTl2tAyv2JuNJ34ZltepIIcMYeS9ypmsA1Fcs9PYbK//bp9S54NitErnyDBWZjTBcD/O b6lonXRGoqvM6QKJwFIQs8fQ3svwhBr0xJLybDU4crgdvK2k86wkhaf/TimhrB5UfghXM3 e3JIkjpKGYZoXuf7+ND2LpoLh0nr9LUgHBF8xPLG9vNt8vpcKxQO1nxJa2Q8TQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032724; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=4sK3XWSRFQ8gjXFbYQt74mwM/vFV86RviLpTYqFQwdM=; b=it+W+PBJ6XCYiun2T8n1nFvkaEGNA3+YiKKAMo2x9DtJoNf7bEXBT1MWflomzBY4yttdmg +AdhWUiWKBPo9hchSgNJayqVFqwFOOuA23b7QI4Btm9J+sOcwPty0z8t7oPx5sb84ZaQF4 qPx9DtaR1iI6igO+L/vgWtcUl50esXCAkClhjnByAWrOaGSJgNTL4Xot53UCaWUo770u8e RIgoJN59rb8xgWVp7J5nD28QWjNhlXKk6xoxK9rRazzYR6JsE5ziwFgG2TMYLYee0msWpE tGJ2yLYgK4JtORU/rA7BZ6ez0kXvO8qjGHRdXVwPnPYY3uY8uxkqUbf22Zmg4Q== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxJ0ytvznw1 for ; Tue, 09 Jun 2026 19:18:44 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3ecbe by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:18:44 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Dag-Erling=?utf-8?Q? Sm=C3=B8rg?=rav From: Mark Johnston Subject: git: a68c183e0ad2 - releng/14.3 - unbound: Apply upstream patches List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.3 X-Git-Reftype: branch X-Git-Commit: a68c183e0ad2ceefa2a1ea8f8c8d1d1937c36c0d Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:18:44 +0000 Message-Id: <6a286714.3ecbe.66468ba6@gitrepo.freebsd.org> The branch releng/14.3 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=a68c183e0ad2ceefa2a1ea8f8c8d1d1937c36c0d commit a68c183e0ad2ceefa2a1ea8f8c8d1d1937c36c0d Author: Dag-Erling Smørgrav AuthorDate: 2026-05-29 22:21:50 +0000 Commit: Mark Johnston CommitDate: 2026-06-07 17:48:17 +0000 unbound: Apply upstream patches - Use the same EDE removal logic when encoding errors as when encoding replies. - Fix CVE-2026-33278, Possible remote code execution during DNSSEC validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report. - Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto Networks, for the report. - Fix CVE-2026-42959, Crash during DNSSEC validation of malicious content. Thanks to Qifan Zhang, Palo Alto Networks, for the report. - Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew Griffiths from 'calif.io' for the report. - Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan Zhang, Palo Alto Networks, for the report. - Fix CVE-2026-41292, Parsing a long list of incoming EDNS options degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan Zhang from Palo Alto Networks, for the report. - Fix CVE-2026-42534, Jostle logic bypass degrades resolution performance. Thanks to Qifan Zhang, Palo Alto Networks, for the report. - Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for the report. - Fix CVE-2026-42960, Possible cache poisoning attack while following delegation. Thanks to TaoFei Guo from Peking University, Yang Luo and JianJun Chen, Tsinghua University, for the report. - Fix CVE-2026-44390, Unbounded name compression in certain cases causes degradation of service. Thanks to Qifan Zhang, Palo Alto Networks, for the report. - Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks to Qifan Zhang, Palo Alto Networks, for the report. Approved by: so Security: FreeBSD-SA-26:33.unbound Security: CVE-2026-33278 Security: CVE-2026-42944 Security: CVE-2026-42959 Security: CVE-2026-32792 Security: CVE-2026-40622 Security: CVE-2026-41292 Security: CVE-2026-42534 Security: CVE-2026-42923 Security: CVE-2026-42960 Security: CVE-2026-44390 Security: CVE-2026-44608 --- contrib/unbound/dnscrypt/dnscrypt.c | 2 +- contrib/unbound/iterator/iter_scrub.c | 8 +++- contrib/unbound/services/cache/dns.c | 8 +++- contrib/unbound/services/cache/rrset.c | 10 +++++ contrib/unbound/services/mesh.c | 14 +++++-- contrib/unbound/services/mesh.h | 6 +++ contrib/unbound/services/rpz.c | 10 +++-- contrib/unbound/util/data/msgencode.c | 54 ++++++++++++++++-------- contrib/unbound/util/data/msgencode.h | 4 +- contrib/unbound/util/data/msgparse.c | 19 ++++++--- contrib/unbound/util/data/msgparse.h | 4 ++ contrib/unbound/validator/val_neg.c | 28 ++++++++++++- contrib/unbound/validator/val_nsec3.c | 76 +++++++++++++++++++++++++++++++--- contrib/unbound/validator/val_nsec3.h | 6 +++ contrib/unbound/validator/val_utils.c | 4 +- 15 files changed, 209 insertions(+), 44 deletions(-) diff --git a/contrib/unbound/dnscrypt/dnscrypt.c b/contrib/unbound/dnscrypt/dnscrypt.c index 4902447fda01..173484cdf0b1 100644 --- a/contrib/unbound/dnscrypt/dnscrypt.c +++ b/contrib/unbound/dnscrypt/dnscrypt.c @@ -361,7 +361,7 @@ dnscrypt_server_uncurve(struct dnsc_env* env, len -= DNSCRYPT_QUERY_HEADER_SIZE; - while (*sldns_buffer_at(buffer, --len) == 0) + while (len>0 && *sldns_buffer_at(buffer, --len) == 0) ; if (*sldns_buffer_at(buffer, len) != 0x80) { diff --git a/contrib/unbound/iterator/iter_scrub.c b/contrib/unbound/iterator/iter_scrub.c index b02b4dc484bf..0d2c82524ce0 100644 --- a/contrib/unbound/iterator/iter_scrub.c +++ b/contrib/unbound/iterator/iter_scrub.c @@ -725,7 +725,13 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, rrset->rrset_all_next = NULL; return 1; } - mark_additional_rrset(pkt, msg, rrset); + /* Only mark glue as allowed for type NS in the authority + * section. Other RR types do not get glue for them, it + * is allowed from the answer section, but not authority + * so that a message can not have address records cached + * as a side effect to the query. */ + if(rrset->type==LDNS_RR_TYPE_NS) + mark_additional_rrset(pkt, msg, rrset); prev = rrset; rrset = rrset->rrset_all_next; } diff --git a/contrib/unbound/services/cache/dns.c b/contrib/unbound/services/cache/dns.c index 7ab63bacf492..0e748c8addc4 100644 --- a/contrib/unbound/services/cache/dns.c +++ b/contrib/unbound/services/cache/dns.c @@ -675,10 +675,16 @@ struct dns_msg* dns_msg_deepcopy_region(struct dns_msg* origin, struct regional* region) { size_t i; + struct ub_packed_rrset_key** saved_rrsets; struct dns_msg* res = NULL; + size_t rep_alloc_size = sizeof(struct reply_info) + - sizeof(struct rrset_ref); /* this is the size of res->rep + allocated in gen_dns_msg() */ res = gen_dns_msg(region, &origin->qinfo, origin->rep->rrset_count); if(!res) return NULL; - *res->rep = *origin->rep; + saved_rrsets = res->rep->rrsets; /* save rrsets alloc by gen_dns_msg */ + memcpy(res->rep, origin->rep, rep_alloc_size); + res->rep->rrsets = saved_rrsets; if(origin->rep->reason_bogus_str) { res->rep->reason_bogus_str = regional_strdup(region, origin->rep->reason_bogus_str); diff --git a/contrib/unbound/services/cache/rrset.c b/contrib/unbound/services/cache/rrset.c index a05ae5a56b78..d807a2440e37 100644 --- a/contrib/unbound/services/cache/rrset.c +++ b/contrib/unbound/services/cache/rrset.c @@ -147,6 +147,16 @@ need_to_update_rrset(void* nd, void* cd, time_t timenow, int equal, int ns) if(equal && cached->ttl >= timenow && cached->security == sec_status_bogus) return 0; + /* ghost-domain: never let an NS overwrite extend lifetime + * past the entry it replaces, regardless of trust. */ + if(ns && !TTL_IS_EXPIRED(cached->ttl, timenow) && + newd->ttl > cached->ttl) { + size_t i; + newd->ttl = cached->ttl; + for(i=0; i<(newd->count+newd->rrsig_count); i++) + if(newd->rr_ttl[i] > newd->ttl) + newd->rr_ttl[i] = newd->ttl; + } return 1; } /* o item in cache has expired */ diff --git a/contrib/unbound/services/mesh.c b/contrib/unbound/services/mesh.c index d512ab3d32d4..498ebaf87cdf 100644 --- a/contrib/unbound/services/mesh.c +++ b/contrib/unbound/services/mesh.c @@ -277,12 +277,14 @@ int mesh_make_new_space(struct mesh_area* mesh, sldns_buffer* qbuf) if(mesh->num_reply_states < mesh->max_reply_states) return 1; /* try to kick out a jostle-list item */ - if(m && m->reply_list && m->list_select == mesh_jostle_list) { + if(m && m->list_select == mesh_jostle_list) { /* how old is it? */ struct timeval age; - timeval_subtract(&age, mesh->env->now_tv, - &m->reply_list->start_time); - if(timeval_smaller(&mesh->jostle_max, &age)) { + if(m->has_first_reply_time) + timeval_subtract(&age, mesh->env->now_tv, + &m->first_reply_time); + if(!m->has_first_reply_time || + timeval_smaller(&mesh->jostle_max, &age)) { /* its a goner */ log_nametypeclass(VERB_ALGO, "query jostled out to " "make space for a new one", @@ -1734,6 +1736,10 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns, r->qid = qid; r->qflags = qflags; r->start_time = *s->s.env->now_tv; + if(s->reply_list == NULL && !s->has_first_reply_time) { + s->first_reply_time = r->start_time; + s->has_first_reply_time = 1; + } r->next = s->reply_list; r->qname = regional_alloc_init(s->s.region, qinfo->qname, s->s.qinfo.qname_len); diff --git a/contrib/unbound/services/mesh.h b/contrib/unbound/services/mesh.h index 26ececbe6210..569b3ef7c9d1 100644 --- a/contrib/unbound/services/mesh.h +++ b/contrib/unbound/services/mesh.h @@ -176,6 +176,12 @@ struct mesh_state { struct module_qstate s; /** the list of replies to clients for the results */ struct mesh_reply* reply_list; + /** if it has a first reply time */ + int has_first_reply_time; + /** wall-clock time the first client reply was attached; + * used by mesh_make_new_space() so duplicate retransmits + * cannot reset jostle aging. */ + struct timeval first_reply_time; /** the list of callbacks for the results */ struct mesh_cb* cb_list; /** set of superstates (that want this state's result) diff --git a/contrib/unbound/services/rpz.c b/contrib/unbound/services/rpz.c index 3b92ee53837e..e7f21a8cbf17 100644 --- a/contrib/unbound/services/rpz.c +++ b/contrib/unbound/services/rpz.c @@ -2449,6 +2449,7 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate* { struct auth_zones* az; struct auth_zone* a; + struct dns_msg* ret = NULL; struct clientip_synthesized_rr* raddr = NULL; struct rpz* r = NULL; struct local_zone* z = NULL; @@ -2492,13 +2493,11 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate* z = rpz_delegation_point_zone_lookup(is->dp, r->nsdname_zones, is->qchase.qclass, &match); if(z != NULL) { - lock_rw_unlock(&a->lock); break; } raddr = rpz_delegation_point_ipbased_trigger_lookup(r, is); if(raddr != NULL) { - lock_rw_unlock(&a->lock); break; } lock_rw_unlock(&a->lock); @@ -2513,9 +2512,12 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate* if(z) { lock_rw_unlock(&z->lock); } - return rpz_apply_nsip_trigger(ms, &is->qchase, r, raddr, a); + ret = rpz_apply_nsip_trigger(ms, &is->qchase, r, raddr, a); + } else { + ret = rpz_apply_nsdname_trigger(ms, &is->qchase, r, z, &match, a); } - return rpz_apply_nsdname_trigger(ms, &is->qchase, r, z, &match, a); + lock_rw_unlock(&a->lock); + return ret; } struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms, diff --git a/contrib/unbound/util/data/msgencode.c b/contrib/unbound/util/data/msgencode.c index 6d116fb52d6d..812df8ed4026 100644 --- a/contrib/unbound/util/data/msgencode.c +++ b/contrib/unbound/util/data/msgencode.c @@ -352,7 +352,6 @@ compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs, (p = compress_tree_lookup(tree, dname, labs, &insertpt))) { if(!write_compressed_dname(pkt, dname, labs, p)) return RETVAL_TRUNC; - (*compress_count)++; } else { if(!dname_buffer_write(pkt, dname)) return RETVAL_TRUNC; @@ -360,6 +359,7 @@ compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs, if(*compress_count < MAX_COMPRESSION_PER_MESSAGE && !compress_tree_store(dname, labs, pos, region, p, insertpt)) return RETVAL_OUTMEM; + (*compress_count)++; return RETVAL_OK; } @@ -804,7 +804,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep, return 1; } -uint16_t +size_t calc_edns_field_size(struct edns_data* edns) { size_t rdatalen = 0; @@ -840,7 +840,7 @@ calc_edns_option_size(struct edns_data* edns, uint16_t code) } uint16_t -calc_ede_option_size(struct edns_data* edns, uint16_t* txt_size) +calc_ede_option_size(struct edns_data* edns, size_t* txt_size) { size_t rdatalen = 0; struct edns_option* opt; @@ -942,6 +942,10 @@ attach_edns_record_max_msg_sz(sldns_buffer* pkt, struct edns_data* edns, padding_option = opt; continue; } + if(sldns_buffer_position(pkt) + opt->opt_len + 4 > max_msg_sz) + break; /* no space for it */ + if(!sldns_buffer_available(pkt, 4 + opt->opt_len)) + break; sldns_buffer_write_u16(pkt, opt->opt_code); sldns_buffer_write_u16(pkt, opt->opt_len); if(opt->opt_len != 0) @@ -952,12 +956,18 @@ attach_edns_record_max_msg_sz(sldns_buffer* pkt, struct edns_data* edns, padding_option = opt; continue; } + if(sldns_buffer_position(pkt) + opt->opt_len + 4 > max_msg_sz) + break; /* no space for it */ + if(!sldns_buffer_available(pkt, 4 + opt->opt_len)) + break; sldns_buffer_write_u16(pkt, opt->opt_code); sldns_buffer_write_u16(pkt, opt->opt_len); if(opt->opt_len != 0) sldns_buffer_write(pkt, opt->opt_data, opt->opt_len); } - if (padding_option && edns->padding_block_size ) { + if (padding_option && edns->padding_block_size && + sldns_buffer_position(pkt)+4 <= max_msg_sz && + sldns_buffer_available(pkt, 4) /* if there is space for it */) { size_t pad_pos = sldns_buffer_position(pkt); size_t msg_sz = ((pad_pos + 3) / edns->padding_block_size + 1) * edns->padding_block_size; @@ -1001,7 +1011,7 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep, { uint16_t flags; unsigned int attach_edns = 0; - uint16_t edns_field_size, ede_size, ede_txt_size; + size_t edns_field_size, ede_size, ede_txt_size; if(!cached || rep->authoritative) { /* original flags, copy RD and CD bits from query. */ @@ -1028,12 +1038,12 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep, * calculate sizes once here */ edns_field_size = calc_edns_field_size(edns); ede_size = calc_ede_option_size(edns, &ede_txt_size); - if(sldns_buffer_capacity(pkt) < udpsize) + if(sldns_buffer_capacity(pkt) < (size_t)udpsize) udpsize = sldns_buffer_capacity(pkt); if(!edns || !edns->edns_present) { attach_edns = 0; /* EDEs are optional, try to fit anything else before them */ - } else if(udpsize < LDNS_HEADER_SIZE + edns_field_size - ede_size) { + } else if((size_t)udpsize < (size_t)LDNS_HEADER_SIZE + edns_field_size - ede_size) { /* packet too small to contain edns, omit it. */ attach_edns = 0; } else { @@ -1047,13 +1057,13 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep, return 0; } if(attach_edns) { - if(udpsize >= sldns_buffer_limit(pkt) + edns_field_size) + if((size_t)udpsize >= sldns_buffer_limit(pkt) + edns_field_size) attach_edns_record_max_msg_sz(pkt, edns, udpsize); - else if(udpsize >= sldns_buffer_limit(pkt) + edns_field_size - ede_txt_size) { + else if((size_t)udpsize >= sldns_buffer_limit(pkt) + edns_field_size - ede_txt_size) { ede_trim_text(&edns->opt_list_inplace_cb_out); ede_trim_text(&edns->opt_list_out); attach_edns_record_max_msg_sz(pkt, edns, udpsize); - } else if(udpsize >= sldns_buffer_limit(pkt) + edns_field_size - ede_size) { + } else if((size_t)udpsize >= sldns_buffer_limit(pkt) + edns_field_size - ede_size) { edns_opt_list_remove(&edns->opt_list_inplace_cb_out, LDNS_EDNS_EDE); edns_opt_list_remove(&edns->opt_list_out, LDNS_EDNS_EDE); attach_edns_record_max_msg_sz(pkt, edns, udpsize); @@ -1115,22 +1125,30 @@ extended_error_encode(sldns_buffer* buf, uint16_t rcode, sldns_buffer_write_u16(buf, qinfo->qclass); } sldns_buffer_flip(buf); - if(edns) { + if(edns && edns->edns_present) { + size_t edns_field_size, ede_size, ede_txt_size; struct edns_data es = *edns; es.edns_version = EDNS_ADVERTISED_VERSION; es.udp_size = EDNS_ADVERTISED_SIZE; es.ext_rcode = (uint8_t)(rcode >> 4); es.bits &= EDNS_DO; - if(sldns_buffer_limit(buf) + calc_edns_field_size(&es) > - edns->udp_size) { + /* EDEs are optional. If space is a concern try in order: + * - removing any EXTRA-TEXT fields from explicit EDEs, or + * - removing all EDEs, + * to see if EDNS can fit. */ + edns_field_size = calc_edns_field_size(&es); + ede_size = calc_ede_option_size(&es, &ede_txt_size); + if((size_t)edns->udp_size >= sldns_buffer_limit(buf) + edns_field_size) + attach_edns_record_max_msg_sz(buf, &es, edns->udp_size); + else if((size_t)edns->udp_size >= sldns_buffer_limit(buf) + edns_field_size - ede_txt_size) { + ede_trim_text(&es.opt_list_inplace_cb_out); + ede_trim_text(&es.opt_list_out); + attach_edns_record_max_msg_sz(buf, &es, edns->udp_size); + } else if((size_t)edns->udp_size >= sldns_buffer_limit(buf) + edns_field_size - ede_size) { edns_opt_list_remove(&es.opt_list_inplace_cb_out, LDNS_EDNS_EDE); edns_opt_list_remove(&es.opt_list_out, LDNS_EDNS_EDE); - if(sldns_buffer_limit(buf) + calc_edns_field_size(&es) > - edns->udp_size) { - return; - } + attach_edns_record_max_msg_sz(buf, &es, edns->udp_size); } - attach_edns_record(buf, &es); } } diff --git a/contrib/unbound/util/data/msgencode.h b/contrib/unbound/util/data/msgencode.h index 6aff06099ee9..f6297b78e419 100644 --- a/contrib/unbound/util/data/msgencode.h +++ b/contrib/unbound/util/data/msgencode.h @@ -106,7 +106,7 @@ void qinfo_query_encode(struct sldns_buffer* pkt, struct query_info* qinfo); * @param edns: edns data or NULL. * @return octets to reserve for EDNS. */ -uint16_t calc_edns_field_size(struct edns_data* edns); +size_t calc_edns_field_size(struct edns_data* edns); /** * Calculate the size of a specific EDNS option in packet. @@ -127,7 +127,7 @@ uint16_t calc_edns_option_size(struct edns_data* edns, uint16_t code); * extra text. * @return octets the option will take up. */ -uint16_t calc_ede_option_size(struct edns_data* edns, uint16_t* txt_size); +uint16_t calc_ede_option_size(struct edns_data* edns, size_t* txt_size); /** * Attach EDNS record to buffer. Buffer has complete packet. There must diff --git a/contrib/unbound/util/data/msgparse.c b/contrib/unbound/util/data/msgparse.c index 6963d850171e..169709b7e3c0 100644 --- a/contrib/unbound/util/data/msgparse.c +++ b/contrib/unbound/util/data/msgparse.c @@ -53,6 +53,8 @@ #include "sldns/parseutil.h" #include "sldns/wire2str.h" +#define MAX_PARSED_EDNS_OPTIONS 100 + /** smart comparison of (compressed, valid) dnames from packet */ static int smart_compare(sldns_buffer* pkt, uint8_t* dnow, @@ -950,6 +952,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len, struct comm_reply* repinfo, uint32_t now, struct regional* region, struct cookie_secrets* cookie_secrets) { + int i = 0, nsid_seen = 0, cookie_seen = 0, padding_seen = 0; /* To respond with a Keepalive option, the client connection must have * received one message with a TCP Keepalive EDNS option, and that * option must have 0 length data. Subsequent messages sent on that @@ -969,7 +972,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len, /* while still more options, and have code+len to read */ /* ignores partial content (i.e. rdata len 3) */ - while(rdata_len >= 4) { + while(rdata_len >= 4 && i < MAX_PARSED_EDNS_OPTIONS) { uint16_t opt_code = sldns_read_uint16(rdata_ptr); uint16_t opt_len = sldns_read_uint16(rdata_ptr+2); uint8_t server_cookie[40]; @@ -984,8 +987,9 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len, /* handle parse time edns options here */ switch(opt_code) { case LDNS_EDNS_NSID: - if (!cfg || !cfg->nsid) + if (!cfg || !cfg->nsid || nsid_seen) break; + nsid_seen = 1; if(!edns_opt_list_append(&edns->opt_list_out, LDNS_EDNS_NSID, cfg->nsid_len, cfg->nsid, region)) { @@ -1027,8 +1031,9 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len, case LDNS_EDNS_PADDING: if(!cfg || !cfg->pad_responses || - !c || c->type != comm_tcp ||!c->ssl) + !c || c->type != comm_tcp ||!c->ssl || padding_seen) break; + padding_seen = 1; if(!edns_opt_list_append(&edns->opt_list_out, LDNS_EDNS_PADDING, 0, NULL, region)) { @@ -1039,8 +1044,9 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len, break; case LDNS_EDNS_COOKIE: - if(!cfg || !cfg->do_answer_cookie || !repinfo) + if(!cfg || !cfg->do_answer_cookie || !repinfo || cookie_seen) break; + cookie_seen = 1; if(opt_len != 8 && (opt_len < 16 || opt_len > 40)) { verbose(VERB_ALGO, "worker request: " "badly formatted cookie"); @@ -1146,6 +1152,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len, } rdata_ptr += opt_len; rdata_len -= opt_len; + i++; } return LDNS_RCODE_NOERROR; } @@ -1160,6 +1167,7 @@ parse_extract_edns_from_response_msg(struct msg_parse* msg, struct rrset_parse* found_prev = 0; size_t rdata_len; uint8_t* rdata_ptr; + int i = 0; /* since the class encodes the UDP size, we cannot use hash table to * find the EDNS OPT record. Scan the packet. */ while(rrset) { @@ -1219,7 +1227,7 @@ parse_extract_edns_from_response_msg(struct msg_parse* msg, /* while still more options, and have code+len to read */ /* ignores partial content (i.e. rdata len 3) */ - while(rdata_len >= 4) { + while(rdata_len >= 4 && i < MAX_PARSED_EDNS_OPTIONS) { uint16_t opt_code = sldns_read_uint16(rdata_ptr); uint16_t opt_len = sldns_read_uint16(rdata_ptr+2); rdata_ptr += 4; @@ -1234,6 +1242,7 @@ parse_extract_edns_from_response_msg(struct msg_parse* msg, } rdata_ptr += opt_len; rdata_len -= opt_len; + i++; } /* ignore rrsigs */ return LDNS_RCODE_NOERROR; diff --git a/contrib/unbound/util/data/msgparse.h b/contrib/unbound/util/data/msgparse.h index 62f0d5aacd80..55d8229b8d40 100644 --- a/contrib/unbound/util/data/msgparse.h +++ b/contrib/unbound/util/data/msgparse.h @@ -98,6 +98,10 @@ extern time_t SERVE_EXPIRED_REPLY_TTL; /** If we serve the original TTL or decrementing TTLs */ extern int SERVE_ORIGINAL_TTL; +/** Check if TTL is expired. 0 TTL is considered expired. + * Used mainly to identify parts of the code that do this comparison. */ +#define TTL_IS_EXPIRED(ttl, now) ((ttl) <= (now)) + /** * Data stored in scratch pad memory during parsing. * Stores the data that will enter into the msgreply and packet result. diff --git a/contrib/unbound/validator/val_neg.c b/contrib/unbound/validator/val_neg.c index b5b678fdea68..3998b12010fe 100644 --- a/contrib/unbound/validator/val_neg.c +++ b/contrib/unbound/validator/val_neg.c @@ -62,6 +62,13 @@ #include "sldns/rrdef.h" #include "sldns/sbuffer.h" +/** + * The maximum salt length that the negative cache is willing to use. + * Larger salt increases the computation time, while recommendations are + * for zero salt length for zones. + */ +#define MAX_SALT_LENGTH 64 + int val_neg_data_compare(const void* a, const void* b) { struct val_neg_data* x = (struct val_neg_data*)a; @@ -826,7 +833,11 @@ void neg_insert_data(struct val_neg_cache* neg, (slen != 0 && zone->nsec3_salt && s && memcmp(zone->nsec3_salt, s, slen) != 0))) { - if(slen > 0) { + if(slen > MAX_SALT_LENGTH) { + /* RFC 9276 s3.1: operators SHOULD NOT use a salt; large + * salts inflate per-hash block count. Decline to cache. */ + return; + } else if(slen > 0) { uint8_t* sa = memdup(s, slen); if(sa) { free(zone->nsec3_salt); @@ -1169,6 +1180,15 @@ neg_find_nsec3_ce(struct val_neg_zone* zone, uint8_t* qname, size_t qname_len, uint8_t hashce[NSEC3_SHA_LEN]; uint8_t b32[257]; size_t celen, b32len; + int hashmax = MAX_NSEC3_CALCULATIONS; + if(qlabs > hashmax) { + /* strip leading labels so the walk costs at most + * MAX_NSEC3_CALCULATIONS hashes, mirroring val_nsec3.c */ + while(qlabs > hashmax) { + dname_remove_label(&qname, &qname_len); + qlabs--; + } + } *nclen = 0; while(qlabs > 0) { @@ -1269,6 +1289,12 @@ neg_nsec3_proof_ds(struct val_neg_zone* zone, uint8_t* qname, size_t qname_len, if(!zone->nsec3_hash) return NULL; /* not nsec3 zone */ + if(!topname && qlabs > zone->labs + 1) + return NULL; /* iterator caller; opt-out proof would be discarded + * at the !topname check below anyway. + * The qlabs check allows the exact-match for + * the one-label-below-zone case. */ + if(!(data=neg_find_nsec3_ce(zone, qname, qname_len, qlabs, buf, hashnc, &nclen))) { return NULL; diff --git a/contrib/unbound/validator/val_nsec3.c b/contrib/unbound/validator/val_nsec3.c index 998fcc4e38ee..62effde2093f 100644 --- a/contrib/unbound/validator/val_nsec3.c +++ b/contrib/unbound/validator/val_nsec3.c @@ -59,11 +59,6 @@ #include "sldns/sbuffer.h" #include "util/config_file.h" -/** - * Max number of NSEC3 calculations at once, suspend query for later. - * 8 is low enough and allows for cases where multiple proofs are needed. - */ -#define MAX_NSEC3_CALCULATIONS 8 /** * When all allowed NSEC3 calculations at once resulted in error treat as * bogus. NSEC3 hash errors are not cached and this helps breaks loops with @@ -456,6 +451,67 @@ filter_init(struct nsec3_filter* filter, struct ub_packed_rrset_key** list, } } +/** Check if the NSEC3s have the same parameter set. */ +static int +param_set_same(struct nsec3_filter* flt, char** reason) +{ + size_t rrsetnum; + int rrnum; + struct ub_packed_rrset_key* rrset; + int have_params = 0; + int first_algo = 0; + size_t first_iter = 0; + uint8_t* first_salt = NULL; + size_t first_saltlen = 0; + + /* If the NSEC3 parameter sets have distinct values, then they are + * from different NSEC3 chains, and we do not want that. */ + for(rrset=filter_first(flt, &rrsetnum, &rrnum); rrset; + rrset=filter_next(flt, &rrsetnum, &rrnum)) { + if(!have_params) { + first_algo = nsec3_get_algo(rrset, rrnum); + first_iter = nsec3_get_iter(rrset, rrnum); + if(!nsec3_get_salt(rrset, rrnum, &first_salt, + &first_saltlen)) { + verbose(VERB_ALGO, "NSEC3 salt malformed"); + if(reason) + *reason = "NSEC3 salt malformed"; + return 0; + } + have_params = 1; + } else { + uint8_t* salt = NULL; + size_t saltlen = 0; + if(nsec3_get_algo(rrset, rrnum) != first_algo) { + verbose(VERB_ALGO, "NSEC3 algorithm mismatch"); + if(reason) + *reason = "NSEC3 algorithm mismatch"; + return 0; + } + if(nsec3_get_iter(rrset, rrnum) != first_iter) { + verbose(VERB_ALGO, "NSEC3 iterations mismatch"); + if(reason) + *reason = "NSEC3 iterations mismatch"; + return 0; + } + if(!nsec3_get_salt(rrset, rrnum, &salt, &saltlen)) { + verbose(VERB_ALGO, "NSEC3 salt malformed"); + if(reason) + *reason = "NSEC3 salt malformed"; + return 0; + } + if(saltlen != first_saltlen || + memcmp(salt, first_salt, saltlen) != 0) { + verbose(VERB_ALGO, "NSEC3 salt mismatch"); + if(reason) + *reason = "NSEC3 salt mismatch"; + return 0; + } + } + } + return 1; +} + /** * Find max iteration count using config settings and key size * @param ve: validator environment with iteration count config settings. @@ -1192,6 +1248,8 @@ nsec3_prove_nameerror(struct module_env* env, struct val_env* ve, filter_init(&flt, list, num, qinfo); /* init RR iterator */ if(!flt.zone) return sec_status_bogus; /* no RRs */ + if(!param_set_same(&flt, NULL)) + return sec_status_bogus; /* nsec3 params from distinct chains*/ if(nsec3_iteration_count_high(ve, &flt, kkey)) return sec_status_insecure; /* iteration count too high */ log_nametypeclass(VERB_ALGO, "start nsec3 nameerror proof, zone", @@ -1378,6 +1436,8 @@ nsec3_prove_nodata(struct module_env* env, struct val_env* ve, filter_init(&flt, list, num, qinfo); /* init RR iterator */ if(!flt.zone) return sec_status_bogus; /* no RRs */ + if(!param_set_same(&flt, NULL)) + return sec_status_bogus; /* nsec3 params from distinct chains*/ if(nsec3_iteration_count_high(ve, &flt, kkey)) return sec_status_insecure; /* iteration count too high */ return nsec3_do_prove_nodata(env, &flt, ct, qinfo, calc); @@ -1401,6 +1461,8 @@ nsec3_prove_wildcard(struct module_env* env, struct val_env* ve, filter_init(&flt, list, num, qinfo); /* init RR iterator */ if(!flt.zone) return sec_status_bogus; /* no RRs */ + if(!param_set_same(&flt, NULL)) + return sec_status_bogus; /* nsec3 params from distinct chains*/ if(nsec3_iteration_count_high(ve, &flt, kkey)) return sec_status_insecure; /* iteration count too high */ @@ -1503,6 +1565,8 @@ nsec3_prove_nods(struct module_env* env, struct val_env* ve, *reason = "no NSEC3 records"; return sec_status_bogus; /* no RRs */ } + if(!param_set_same(&flt, reason)) + return sec_status_bogus; /* nsec3 params from distinct chains*/ if(nsec3_iteration_count_high(ve, &flt, kkey)) return sec_status_insecure; /* iteration count too high */ @@ -1596,6 +1660,8 @@ nsec3_prove_nxornodata(struct module_env* env, struct val_env* ve, filter_init(&flt, list, num, qinfo); /* init RR iterator */ if(!flt.zone) return sec_status_bogus; /* no RRs */ + if(!param_set_same(&flt, NULL)) + return sec_status_bogus; /* nsec3 params from distinct chains*/ if(nsec3_iteration_count_high(ve, &flt, kkey)) return sec_status_insecure; /* iteration count too high */ diff --git a/contrib/unbound/validator/val_nsec3.h b/contrib/unbound/validator/val_nsec3.h index f668a270ff12..a13e92991106 100644 --- a/contrib/unbound/validator/val_nsec3.h +++ b/contrib/unbound/validator/val_nsec3.h @@ -98,6 +98,12 @@ struct sldns_buffer; /** The SHA1 hash algorithm for NSEC3 */ #define NSEC3_HASH_SHA1 0x01 +/** + * Max number of NSEC3 calculations at once, suspend query for later. + * 8 is low enough and allows for cases where multiple proofs are needed. + */ +#define MAX_NSEC3_CALCULATIONS 8 + /** * Cache table for NSEC3 hashes. * It keeps a *pointer* to the region its items are allocated. diff --git a/contrib/unbound/validator/val_utils.c b/contrib/unbound/validator/val_utils.c index 549264d76a1f..4495695ac853 100644 --- a/contrib/unbound/validator/val_utils.c +++ b/contrib/unbound/validator/val_utils.c @@ -1066,10 +1066,10 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig, if(query_dname_compare(name, orig->rrsets[i]->rk.dname) == 0) chase->rrsets[chase->an_numrrsets - +orig->ns_numrrsets+chase->ar_numrrsets++] + +chase->ns_numrrsets+chase->ar_numrrsets++] = orig->rrsets[i]; } else if(rrset_has_signer(orig->rrsets[i], name, len)) { - chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+ + chase->rrsets[chase->an_numrrsets+chase->ns_numrrsets+ chase->ar_numrrsets++] = orig->rrsets[i]; } } From nobody Tue Jun 9 19:18:43 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxH2bWZz6gVHM for ; Tue, 09 Jun 2026 19:18:43 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxH0g66z3NP1 for ; Tue, 09 Jun 2026 19:18:43 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032723; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=YhpEGzp54tdNlmb1iTT10dfrTrulswQ57odUcqjDUEM=; b=f0cxb6ZdMQZYln+P3fsQTG5BFH8MYmDMDhg/WUgVs8vITcRvIbJjK9iVmnLsUP/nFu63mH /bLRaAXOT5BeRY5U0L+zG0id5s84n9wg6xQVzKaOrNkJRIVbnm0CXpZFdAorrRwde3XuWc u33qK8SJ0OA1kYcqk75sQWYGhIQgHeX4cWL0OM2azEAEeZkqwtlmnMzZRL4aaaW7OiSwYY jpN9bykQsqLxlMVLy2P9flhtggAGZe7/Qj5lh6noQDEoR0p6bqnVfkvlZLAk4k5/CNVOUL Yd1KMn4F4bvgftFvPo+gDB5eIMj/h7VKFdhYOH5Ep11S1n9u3aHDgJuFbt16JQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032723; a=rsa-sha256; cv=none; b=UioQwpe9fN1l0j4PBARo501c0ziEN8bZmqiUzoq5kmc1PzgTV7MWmtSjR0jwOwOhNOcAwp AAy28c3wmWiAtx/moHuFippIopPURx4BCYOg3r3RyXJnXUkkA/3NbTZc+ht8TtULZDwmEZ ply6YEgMzplo76V7FNJjTUkUvTSIdz5fSSXfaXSx8otz2AuVqs6erPRqjAhUeXLlX0HJvX B0xO295ECxUS1xfStHOT3Ut+1MuZLSQ+vRwpVrjJb+WmM4X43rLHBTn+3ZZCzx+01E8wHp nOnp5IahpDR+eTU+ta8F/bHb6DQQ/GUyyA+XFanBYTskWeuyicUgBTXJuKrqWQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032723; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=YhpEGzp54tdNlmb1iTT10dfrTrulswQ57odUcqjDUEM=; b=gw7j1lF4cN+wHYAGODr3Ctpq8VrcothbjMAmV7zpUTp3EUBkjIHr2FJ3ALvFd1ITdb51gt ag9SNTCM9lW5BOQ63kb6vmD7VJIBvl9PWDBds/jALmqy8JFDxMTxM1vRfrOrBTrt3m6tze Rd6fZLojYv2vHSUhXBeXyMUBSDIOkhGXTmRkFd2EKcs/VU2C4yk437cdK7NB5O4pHkTfwo Hzv4ghBJPRywuuZwPTI40xc2STRVx7DrjUSSqgD75BAJGVk6chRwtkyW8/rOL0vcYXylEC Pw62Fq6rU5tOPQyHXqg5kZmAsxyKNHQXbc6EfDL7Ade1fKWz32LPgwZYM+lVSQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxH04GcznrW for ; Tue, 09 Jun 2026 19:18:43 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3d4d5 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:18:43 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 744f62ccbf82 - releng/14.3 - imgact_elf: Clear no-ASLR and -WXORX flags earlier for setugid images List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.3 X-Git-Reftype: branch X-Git-Commit: 744f62ccbf823fc8d9dfdb2ffb91723c9e9fe7da Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:18:43 +0000 Message-Id: <6a286713.3d4d5.717e4e@gitrepo.freebsd.org> The branch releng/14.3 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=744f62ccbf823fc8d9dfdb2ffb91723c9e9fe7da commit 744f62ccbf823fc8d9dfdb2ffb91723c9e9fe7da Author: Mark Johnston AuthorDate: 2026-06-02 20:29:00 +0000 Commit: Mark Johnston CommitDate: 2026-06-07 17:48:17 +0000 imgact_elf: Clear no-ASLR and -WXORX flags earlier for setugid images Otherwise an unprivileged user can disable randomization of the base address for PIEs even if they are setugid. Add a regression test. Approved by: so Security: FreeBSD-SA-26:32.elf Security: CVE-2026-49414 Reported by: David Berard Reviewed by: kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57397 --- sys/kern/imgact_elf.c | 55 ++++++++--------- tests/sys/kern/Makefile | 2 + tests/sys/kern/aslr.c | 157 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 187 insertions(+), 27 deletions(-) diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c index 0a09bb9e3891..e419a2894689 100644 --- a/sys/kern/imgact_elf.c +++ b/sys/kern/imgact_elf.c @@ -1230,11 +1230,39 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) error = ENOEXEC; goto ret; } + + /* + * Avoid a possible deadlock if the current address space is destroyed + * and that address space maps the locked vnode. In the common case, + * the locked vnode's v_usecount is decremented but remains greater + * than zero. Consequently, the vnode lock is not needed by vrele(). + * However, in cases where the vnode lock is external, such as nullfs, + * v_usecount may become zero. + * + * The VV_TEXT flag prevents modifications to the executable while + * the vnode is unlocked. + */ + VOP_UNLOCK(imgp->vp); + + /* + * Decide whether to enable randomization of user mappings. First, + * reset user preferences for the setid binaries. Then, account for the + * support of randomization by the ABI, by user preferences, and make + * special treatment for PIE binaries. + */ + if (imgp->credential_setid) { + PROC_LOCK(imgp->proc); + imgp->proc->p_flag2 &= ~(P2_ASLR_ENABLE | P2_ASLR_DISABLE | + P2_WXORX_DISABLE | P2_WXORX_ENABLE_EXEC); + PROC_UNLOCK(imgp->proc); + } + sv = brand_info->sysvec; if (hdr->e_type == ET_DYN) { if ((brand_info->flags & BI_CAN_EXEC_DYN) == 0) { uprintf("Cannot execute shared object\n"); error = ENOEXEC; + (void)vn_lock(imgp->vp, LK_SHARED | LK_RETRY); goto ret; } /* @@ -1253,33 +1281,6 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) imgp->et_dyn_addr = __elfN(pie_base); } } - - /* - * Avoid a possible deadlock if the current address space is destroyed - * and that address space maps the locked vnode. In the common case, - * the locked vnode's v_usecount is decremented but remains greater - * than zero. Consequently, the vnode lock is not needed by vrele(). - * However, in cases where the vnode lock is external, such as nullfs, - * v_usecount may become zero. - * - * The VV_TEXT flag prevents modifications to the executable while - * the vnode is unlocked. - */ - VOP_UNLOCK(imgp->vp); - - /* - * Decide whether to enable randomization of user mappings. - * First, reset user preferences for the setid binaries. - * Then, account for the support of the randomization by the - * ABI, by user preferences, and make special treatment for - * PIE binaries. - */ - if (imgp->credential_setid) { - PROC_LOCK(imgp->proc); - imgp->proc->p_flag2 &= ~(P2_ASLR_ENABLE | P2_ASLR_DISABLE | - P2_WXORX_DISABLE | P2_WXORX_ENABLE_EXEC); - PROC_UNLOCK(imgp->proc); - } if ((sv->sv_flags & SV_ASLR) == 0 || (imgp->proc->p_flag2 & P2_ASLR_DISABLE) != 0 || (fctl0 & NT_FREEBSD_FCTL_ASLR_DISABLE) != 0) { diff --git a/tests/sys/kern/Makefile b/tests/sys/kern/Makefile index f06f58f1eae6..82bac2aa8b80 100644 --- a/tests/sys/kern/Makefile +++ b/tests/sys/kern/Makefile @@ -8,6 +8,7 @@ TESTSRC= ${SRCTOP}/contrib/netbsd-tests/kernel TESTSDIR= ${TESTSBASE}/sys/kern +ATF_TESTS_C+= aslr ATF_TESTS_C+= basic_signal .if ${MACHINE_ARCH} != "i386" && ${MACHINE_ARCH} != "powerpc" && \ ${MACHINE_ARCH} != "powerpcspe" @@ -72,6 +73,7 @@ PROGS+= coredump_phnum_helper PROGS+= pdeathsig_helper PROGS+= sendfile_helper +LIBADD.aslr+= util LIBADD.jail_lookup_root+= jail util CFLAGS.sys_getrandom+= -I${SRCTOP}/sys/contrib/zstd/lib LIBADD.sys_getrandom+= zstd diff --git a/tests/sys/kern/aslr.c b/tests/sys/kern/aslr.c new file mode 100644 index 000000000000..13038054603c --- /dev/null +++ b/tests/sys/kern/aslr.c @@ -0,0 +1,157 @@ +/* + * Copyright (c) 2026 The FreeBSD Foundation + * + * This software was developed by Mark Johnston under sponsorship from the + * FreeBSD Foundation. + */ + +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +#include + +/* + * Spawn an unprivileged child with ASLR force-disabled, which then execs + * /sbin/ping (setuid root). + */ +static pid_t +spawn_ping(const atf_tc_t *tc) +{ + const char *user; + struct passwd *passwd; + pid_t child; + int arg, error; + + user = atf_tc_get_config_var(tc, "unprivileged_user"); + passwd = getpwnam(user); + ATF_REQUIRE(passwd != NULL); + + child = fork(); + ATF_REQUIRE(child >= 0); + if (child == 0) { + if (seteuid(passwd->pw_uid) != 0) + _exit(1); + + arg = PROC_ASLR_FORCE_DISABLE; + error = procctl(P_PID, getpid(), PROC_ASLR_CTL, &arg); + if (error != 0) + _exit(2); + + execl("/sbin/ping", "ping", "127.0.0.1", NULL); + _exit(127); + } + usleep(500000); /* XXX-MJ */ + + return (child); +} + +/* + * Return the base address of the first mapping backed by the specified + * executable in the given process, or 0 if not found. + */ +static uint64_t +text_base(pid_t pid, const char *path) +{ + struct kinfo_vmentry *vmmap; + uint64_t base; + int cnt; + + base = 0; + vmmap = kinfo_getvmmap(pid, &cnt); + if (vmmap == NULL) + return (0); + for (int i = 0; i < cnt; i++) { + if (vmmap[i].kve_type == KVME_TYPE_VNODE && + strcmp(vmmap[i].kve_path, path) == 0) { + base = vmmap[i].kve_start; + break; + } + } + free(vmmap); + return (base); +} + +/* + * Make sure that ASLR can't be disabled for a setuid executable by an + * unprivileged user. + */ +ATF_TC(aslr_setuid); +ATF_TC_HEAD(aslr_setuid, tc) +{ + atf_tc_set_md_var(tc, "require.user", "root"); + atf_tc_set_md_var(tc, "require.config", "unprivileged_user"); +} +ATF_TC_BODY(aslr_setuid, tc) +{ + struct stat sb; + uint64_t bases[5]; + pid_t child, pid; + int arg, error, st; + + if (!atf_tc_has_config_var(tc, "unprivileged_user")) + atf_tc_skip("unprivileged_user not set"); + + error = stat("/sbin/ping", &sb); + ATF_REQUIRE(error == 0); + ATF_REQUIRE_MSG(sb.st_uid == 0 && (sb.st_mode & S_ISUID) != 0, + "/sbin/ping is not setuid root"); + + child = spawn_ping(tc); + bases[0] = text_base(child, "/sbin/ping"); + ATF_REQUIRE_MSG(bases[0] != 0, + "failed to find /sbin/ping text segment"); + + arg = 0; + error = procctl(P_PID, child, PROC_ASLR_STATUS, &arg); + ATF_REQUIRE_MSG(error == 0, "procctl ASLR_STATUS failed: %s", + strerror(errno)); + ATF_REQUIRE_MSG((arg & PROC_ASLR_ACTIVE) != 0, + "ASLR is not active for setuid child"); + ATF_REQUIRE_MSG((arg & ~PROC_ASLR_ACTIVE) == PROC_ASLR_NOFORCE, + "expected NOFORCE for setuid child, got %d", + arg & ~PROC_ASLR_ACTIVE); + + error = kill(child, SIGTERM); + ATF_REQUIRE(error == 0); + pid = waitpid(child, &st, 0); + ATF_REQUIRE(pid == child); + ATF_REQUIRE(WIFSIGNALED(st) && WTERMSIG(st) == SIGTERM); + + for (size_t i = 1; i < nitems(bases); i++) { + child = spawn_ping(tc); + bases[i] = text_base(child, "/sbin/ping"); + ATF_REQUIRE_MSG(bases[i] != 0, + "failed to find /sbin/ping text segment"); + error = kill(child, SIGTERM); + ATF_REQUIRE(error == 0); + pid = waitpid(child, &st, 0); + ATF_REQUIRE(pid == child); + ATF_REQUIRE(WIFSIGNALED(st) && WTERMSIG(st) == SIGTERM); + } + + /* Verify that the text base is different across all runs. */ + for (size_t i = 0; i < nitems(bases); i++) { + for (size_t j = i + 1; j < nitems(bases); j++) { + ATF_REQUIRE_MSG(bases[i] != bases[j], + "ping text base collision 0x%jx", + (uintmax_t)bases[i]); + } + } +} + +ATF_TP_ADD_TCS(tp) +{ + ATF_TP_ADD_TC(tp, aslr_setuid); + + return (atf_no_error()); +} From nobody Tue Jun 9 19:18:45 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxK6g86z6gVKy for ; Tue, 09 Jun 2026 19:18:45 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxK4jnHz3NXh for ; Tue, 09 Jun 2026 19:18:45 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032725; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=8T64V+cVozIuVIbsYw8Y/dylPScn7H7MORmdJcqxDvU=; b=almRP8BPchRWMEfVYQMVnKGSbI/79WniYzMcVPDFtPw6SWS+AMaZ9gSgMOhgi62ZD5hs11 Niqyf/wAYaMQqXeAVlsLiFSpXEeq4WhVyP7vZZxYlFFOWpnpXZW6i+TaQZP66VURSARLD1 KZW4S81934ZXxmVkIfY0AnXK1zscuROslgK5YbwFd1CvgeueM4Uo8sizkXM0hyI3tLaT4V nKlhqP+Sgqjo5NCiutzZQj9LRcDM2Gawk1bFuBnXb48nrzTFkF4rqZYlDd9yRS29D8ESgP uVHkEXDOLw8YwAIvyHWQF/ntOehZvwHyKFPHxoHJ+q36ASn66HoI+ovghLJNiQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032725; a=rsa-sha256; cv=none; b=SPTxmhPFYILrDeTuWswWk/3VPF0bbnpKYX5GjGuMyvU/oTY1Yn2ldRBFGCbNNzUr8Pn2gl pdwYt6FgNhH2mx0pR40T8UZparWi9XhqyHVD8dwat9NEFEfNJb7iFhk4nvPrg+pu8xlcRx pzkZ5v8LFwTp5Vtkc5LISp/xwxbWmfjbxMcmeyssSv66ALat7FIhhH9Fp+UfB/imEpihNm ISsNBnUu44N3d+hSUs/4WvR8dNpvB+kEsaZifpX06JS7SF6LVKwGZPGdlKRDBJnF8H6G85 /pnTAR4ICB+cZTyDBLEjCByp6AeDxR2hBL01+LUdeNo8myVpzK+HR9ESjNB3Fw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032725; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=8T64V+cVozIuVIbsYw8Y/dylPScn7H7MORmdJcqxDvU=; b=L9Px3MKDEriianU2+Bz5ns8yVItyv5zPohfXKBRr/pkTK224hQUnia9BABOfS40+cY2kl0 81vRdOZ8Ut7P5FLowAUrrRiK6se5ynGg57vvjgw8oos8tipzyRKtycgeJ+KymBLgYhftyp 0A26dykLlftpbpSqYbMe0eGutyEj2bvhp25V6mT+2ZtuXkQ0yRpFmmquELHCBBE4J0kIHF O2itH+8TaGSSPpQGKTiUgeeclWPYDV7e40oEiXCX+OtS6xZediJ/sa5xoYk5rNBrK9DGT9 aCpgS3wLGP679cHWYSmaQbTQAybj6TtzOgH/VeJ2JbhdUUncvTid3+WmRQZ24g== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxK1lkHznFv for ; Tue, 09 Jun 2026 19:18:45 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3d972 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:18:45 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Ed Maste From: Mark Johnston Subject: git: 9cba21c2de16 - releng/14.3 - vt: Avoid integer overflow in CONS_HISTORY ioctl List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.3 X-Git-Reftype: branch X-Git-Commit: 9cba21c2de1668717a77833ad1533416babe131a Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:18:45 +0000 Message-Id: <6a286715.3d972.2875afcb@gitrepo.freebsd.org> The branch releng/14.3 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=9cba21c2de1668717a77833ad1533416babe131a commit 9cba21c2de1668717a77833ad1533416babe131a Author: Ed Maste AuthorDate: 2026-05-26 16:19:47 +0000 Commit: Mark Johnston CommitDate: 2026-06-07 17:48:17 +0000 vt: Avoid integer overflow in CONS_HISTORY ioctl Approved by: so Security: FreeBSD-SA-26:34.vt Security: CVE-2026-49416 Reviewed by: markj, vexeduxr Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57250 (cherry picked from commit 0ae946e7223df5ef3f7980af1d774d7f593f6421) (cherry picked from commit deaaddf1d3c4283649945553ad7e3208c8424308) (cherry picked from commit b5a4f4bfbc95d5d5361da708728f7f4a6db2ee60) --- sys/dev/vt/vt_buf.c | 9 ++++----- sys/dev/vt/vt_core.c | 6 ++++-- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/sys/dev/vt/vt_buf.c b/sys/dev/vt/vt_buf.c index ea27ea8a5ebf..0fd301bb662a 100644 --- a/sys/dev/vt/vt_buf.c +++ b/sys/dev/vt/vt_buf.c @@ -500,7 +500,6 @@ vtbuf_grow(struct vt_buf *vb, const term_pos_t *p, unsigned int history_size) { term_char_t *old, *new, **rows, **oldrows, **copyrows, *row, *oldrow; unsigned int w, h, c, r, old_history_size; - size_t bufsize, rowssize; int history_full; const teken_attr_t *a; term_char_t ch; @@ -511,10 +510,10 @@ vtbuf_grow(struct vt_buf *vb, const term_pos_t *p, unsigned int history_size) history_size = MAX(history_size, p->tp_row); /* Allocate new buffer. */ - bufsize = history_size * p->tp_col * sizeof(term_char_t); - new = malloc(bufsize, M_VTBUF, M_WAITOK | M_ZERO); - rowssize = history_size * sizeof(term_pos_t *); - rows = malloc(rowssize, M_VTBUF, M_WAITOK | M_ZERO); + new = mallocarray(history_size, p->tp_col * sizeof(term_char_t), + M_VTBUF, M_WAITOK | M_ZERO); + rows = mallocarray(history_size, sizeof(term_pos_t *), M_VTBUF, + M_WAITOK | M_ZERO); /* Toggle it. */ VTBUF_LOCK(vb); diff --git a/sys/dev/vt/vt_core.c b/sys/dev/vt/vt_core.c index 50f12512a81c..547bee8be86a 100644 --- a/sys/dev/vt/vt_core.c +++ b/sys/dev/vt/vt_core.c @@ -41,6 +41,7 @@ #include #include #include +#include #include #include #include @@ -2771,8 +2772,9 @@ skip_thunk: /* XXX */ return (0); case CONS_HISTORY: - if (*(int *)data < 0) - return EINVAL; + if (*(int *)data < 0 || + *(int *)data > UINT_MAX / USHRT_MAX / sizeof(term_char_t)) + return (EINVAL); if (*(int *)data != vw->vw_buf.vb_history_size) vtbuf_sethistory_size(&vw->vw_buf, *(int *)data); return (0); From nobody Tue Jun 9 19:18:46 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxL5Cqbz6gVBl for ; Tue, 09 Jun 2026 19:18:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxL2yN6z3NRJ for ; Tue, 09 Jun 2026 19:18:46 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032726; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=xRnnQj9cFGpJzvDGRYPt0fN6suV5rwn5mmfdxu667DM=; b=gubU8GalxuXmVpeBCju4xcZJpYquH0L7SaAdd6g8e8rnuKeoBEODVkZnpuBqyTcdIkAr0A 4sxhuL3Xj9164sh1LQQ8crfzocaAVrPEg0Mo4oBCLwfXAEm1cL/o19Isgwb+a5NvYOp+xp RUDTKGARhm7rGgmsiRQ6ucBaIGJTi+WJUtRD6MnI05tJBcFmzRK5jjxzoKLiw7y3fiNfTK BW9LObeAAQ47c4sOPHwTXgiZ/RZJhxxze2OisDvwk3XfHdFCSIdLAtmX0XhISfGfyCVXy3 GP5WNupTfW+B4zdMa6WinvWe0uO+EmOY4/ZoEf0oc6Vh3VOFtftHnq0/W6F8lA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032726; a=rsa-sha256; cv=none; b=c++SdFJm/hM4rFbGA9zgTYWgFjbvbVwH/EvUb9KOZQmSAfwnd+KGiJU2deKu4+/e0J0gs0 D0yNImcg6XPVqmWNi/1EIzit4MXc3WslyjtsOwRS3JEamYxGIeNxr9Bk7SK4xfd/j7CxQ4 Uu4rLtt7jlpfbPS590sVbjFruRlCCI1rtPn+QT+g69E7wyAbZHEVheLftMobjWNmOhuBNv oKSiAqAugxWxtHoLragiCiLjTBaOei8rzGcYmCyV6D/FCvo0DeoCxZa//fCbcx1C4NYd2c t4S0VOVauIZ3rs6zJ0nys6bY2hNIACmp9pzDd8It7LXEaqxdQbjrB22Hfc4syg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032726; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=xRnnQj9cFGpJzvDGRYPt0fN6suV5rwn5mmfdxu667DM=; b=p+BllcD3b7kI9+c9tF92UKgIfYqo43dBNbdil0Xj+RBHyLMpYqluglziyhRq7hRfNTIH3Q KEt9MzuhhHoSZJWJzh9PmVOckqFgCTj9pu+jyzN9ErUgMW7N1/W7/G3Lh7R3RccSEgDoH7 HmD8UbB/H9nzF3D8Z0tj4dhUBoR6LQrsIc1Nico0CgGyGNur5KmJorZNfkK85z2ZY8Px1E PVcVa1VQMrEB3gwykjB34dG+2heUl1WYLma2A1t041Xskz+lxwnN4fmdOfB4LfMRGw7Lw6 xqvHpy2PG1v8Cdf/SfgO3ZrT3evSVHHqSteEzUE5hBf/nE89CZYyHNHvRGlR9g== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxL2R72znFx for ; Tue, 09 Jun 2026 19:18:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3eb21 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:18:46 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Gordon Tetlow From: Mark Johnston Subject: git: dd3096b4efe6 - releng/14.3 - openssl: Fix multiple vulnerabilities List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.3 X-Git-Reftype: branch X-Git-Commit: dd3096b4efe6e6b821624ede869a182e7936fc80 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:18:46 +0000 Message-Id: <6a286716.3eb21.365af0c4@gitrepo.freebsd.org> The branch releng/14.3 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=dd3096b4efe6e6b821624ede869a182e7936fc80 commit dd3096b4efe6e6b821624ede869a182e7936fc80 Author: Gordon Tetlow AuthorDate: 2026-06-07 03:24:17 +0000 Commit: Mark Johnston CommitDate: 2026-06-07 17:48:17 +0000 openssl: Fix multiple vulnerabilities This is a rollup commit from upstream to fix: Reject oversized inputs in ASN1_mbstring_ncopy() cms: kek_unwrap_key: Fix out-of-bounds read in check-byte validation cms: kek_unwrap_key: test for fix out-of-bounds read in check-byte validation Avoid length truncation in ASN1_STRING_set Reject potentially forged encrypted CMS AuthEnvelopedData messages Fix potential NULL dereference processing CMS PasswordRecipientInfo Match the local q DHX parameter against the peer's q Apply the buffered IV on the AES-OCB EVP_Cipher() path Fix handling of empty-ciphertext messages in AES-GCM-SIV and AES-SIV Fix possible use-after-free in OpenSSL PKCS7_verify() Approved by: so Obtained from: OpenSSL Security: FreeBSD-SA-26:35.openssl Security: CVE-2026-7383 Security: CVE-2026-9076 Security: CVE-2026-34180 Security: CVE-2026-34182 Security: CVE-2026-42766 Security: CVE-2026-42770 Security: CVE-2026-45445 Security: CVE-2026-45446 Security: CVE-2026-45447 --- crypto/openssl/crypto/asn1/a_mbstr.c | 31 ++++++++++- crypto/openssl/crypto/asn1/tasn_dec.c | 24 +++++--- crypto/openssl/crypto/cms/cms_enc.c | 18 ++++-- crypto/openssl/crypto/cms/cms_env.c | 6 +- crypto/openssl/crypto/cms/cms_err.c | 4 +- crypto/openssl/crypto/cms/cms_local.h | 2 +- crypto/openssl/crypto/cms/cms_pwri.c | 15 ++++- crypto/openssl/crypto/err/openssl.txt | 3 +- crypto/openssl/crypto/pkcs7/pk7_smime.c | 9 +-- crypto/openssl/include/crypto/cmserr.h | 2 +- crypto/openssl/include/openssl/cmserr.h | 4 +- .../implementations/ciphers/cipher_aes_ocb.c | 13 +++++ .../implementations/ciphers/cipher_aes_siv.c | 3 + .../providers/implementations/exchange/dh_exch.c | 5 +- .../cms-msg/enveloped-content-type-for-aes-gcm.pem | 7 +++ crypto/openssl/test/cmsapitest.c | 54 +++++++++++++++++- crypto/openssl/test/evp_extra_test.c | 61 +++++++++++++++++++++ crypto/openssl/test/recipes/80-test_cms.t | 12 +++- crypto/openssl/test/recipes/80-test_cmsapi.t | 3 +- .../80-test_cmsapi_data/cms_pwri_kek_oob.der | Bin 0 -> 193 bytes 20 files changed, 239 insertions(+), 37 deletions(-) diff --git a/crypto/openssl/crypto/asn1/a_mbstr.c b/crypto/openssl/crypto/asn1/a_mbstr.c index 531e01d33257..9329e5795a9e 100644 --- a/crypto/openssl/crypto/asn1/a_mbstr.c +++ b/crypto/openssl/crypto/asn1/a_mbstr.c @@ -174,11 +174,27 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, break; case MBSTRING_BMP: + if (nchar > INT_MAX / 2) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_STRING_TOO_LONG); + if (free_out) { + ASN1_STRING_free(dest); + *out = NULL; + } + return -1; + } outlen = nchar << 1; cpyfunc = cpy_bmp; break; case MBSTRING_UNIV: + if (nchar > INT_MAX / 4) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_STRING_TOO_LONG); + if (free_out) { + ASN1_STRING_free(dest); + *out = NULL; + } + return -1; + } outlen = nchar << 2; cpyfunc = cpy_univ; break; @@ -186,8 +202,11 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, case MBSTRING_UTF8: outlen = 0; ret = traverse_string(in, len, inform, out_utf8, &outlen); - if (ret < 0) { - ERR_raise(ERR_LIB_ASN1, ASN1_R_INVALID_UTF8STRING); + if (ret < 0) { /* error already raised in out_utf8() */ + if (free_out) { + ASN1_STRING_free(dest); + *out = NULL; + } return -1; } cpyfunc = cpy_utf8; @@ -271,9 +290,15 @@ static int out_utf8(unsigned long value, void *arg) int *outlen, len; len = UTF8_putc(NULL, -1, value); - if (len <= 0) + if (len <= 0) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_INVALID_UTF8STRING); return len; + } outlen = arg; + if (*outlen > INT_MAX - len) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_STRING_TOO_LONG); + return -1; + } *outlen += len; return 1; } diff --git a/crypto/openssl/crypto/asn1/tasn_dec.c b/crypto/openssl/crypto/asn1/tasn_dec.c index 9138ad381f7d..4cbc6275cc35 100644 --- a/crypto/openssl/crypto/asn1/tasn_dec.c +++ b/crypto/openssl/crypto/asn1/tasn_dec.c @@ -54,7 +54,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx); -static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, +static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len, int utype, char *free_cont, const ASN1_ITEM *it); /* Table to convert tags to bit values, used for MSTRING type */ @@ -855,19 +855,24 @@ err: /* Translate ASN1 content octets into a structure */ -static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, +static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len, int utype, char *free_cont, const ASN1_ITEM *it) { ASN1_VALUE **opval = NULL; ASN1_STRING *stmp; ASN1_TYPE *typ = NULL; int ret = 0; + int ilen = (int)len; const ASN1_PRIMITIVE_FUNCS *pf; ASN1_INTEGER **tint; pf = it->funcs; - if (pf && pf->prim_c2i) - return pf->prim_c2i(pval, cont, len, utype, free_cont, it); + if (pf && pf->prim_c2i) { + if (len == (long)ilen) + return pf->prim_c2i(pval, cont, ilen, utype, free_cont, it); + ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG); + return 0; + } /* If ANY type clear type and set pointer to internal value */ if (it->utype == V_ASN1_ANY) { if (*pval == NULL) { @@ -885,7 +890,8 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, } switch (utype) { case V_ASN1_OBJECT: - if (!ossl_c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len)) + if (len != (long)ilen + || !ossl_c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, ilen)) goto err; break; @@ -940,6 +946,10 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, case V_ASN1_SET: case V_ASN1_SEQUENCE: default: + if (len != (long)ilen) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG); + goto err; + } if (utype == V_ASN1_BMPSTRING && (len & 1)) { ERR_raise(ERR_LIB_ASN1, ASN1_R_BMPSTRING_IS_WRONG_LENGTH); goto err; @@ -964,10 +974,10 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, if (*free_cont) { OPENSSL_free(stmp->data); stmp->data = (unsigned char *)cont; /* UGLY CAST! RL */ - stmp->length = len; + stmp->length = ilen; *free_cont = 0; } else { - if (!ASN1_STRING_set(stmp, cont, len)) { + if (!ASN1_STRING_set(stmp, cont, ilen)) { ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); ASN1_STRING_free(stmp); *pval = NULL; diff --git a/crypto/openssl/crypto/cms/cms_enc.c b/crypto/openssl/crypto/cms/cms_enc.c index 8c1a15aeda71..367617576175 100644 --- a/crypto/openssl/crypto/cms/cms_enc.c +++ b/crypto/openssl/crypto/cms/cms_enc.c @@ -23,7 +23,7 @@ /* Return BIO based on EncryptedContentInfo and key */ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, - const CMS_CTX *cms_ctx) + const CMS_CTX *cms_ctx, int auth) { BIO *b; EVP_CIPHER_CTX *ctx; @@ -104,14 +104,20 @@ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, goto err; } if ((EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)) { + if (!auth) { + ERR_raise(ERR_LIB_CMS, CMS_R_CIPHER_AEAD_IN_ENVELOPED_DATA); + goto err; + } piv = aparams.iv; - if (ec->taglen > 0 - && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, - ec->taglen, ec->tag) - <= 0) { + + if (ec->taglen < 4 || ec->taglen > 16 + || EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, (int)ec->taglen, ec->tag) <= 0) { ERR_raise(ERR_LIB_CMS, CMS_R_CIPHER_AEAD_SET_TAG_ERROR); goto err; } + } else if (auth) { + ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM); + goto err; } } len = EVP_CIPHER_CTX_get_key_length(ctx); @@ -263,5 +269,5 @@ BIO *ossl_cms_EncryptedData_init_bio(const CMS_ContentInfo *cms) if (enc->encryptedContentInfo->cipher && enc->unprotectedAttrs) enc->version = 2; return ossl_cms_EncryptedContent_init_bio(enc->encryptedContentInfo, - ossl_cms_get0_cmsctx(cms)); + ossl_cms_get0_cmsctx(cms), 0); } diff --git a/crypto/openssl/crypto/cms/cms_env.c b/crypto/openssl/crypto/cms/cms_env.c index 2326253b6743..d2eace4fef5d 100644 --- a/crypto/openssl/crypto/cms/cms_env.c +++ b/crypto/openssl/crypto/cms/cms_env.c @@ -1099,7 +1099,7 @@ static BIO *cms_EnvelopedData_Decryption_init_bio(CMS_ContentInfo *cms) { CMS_EncryptedContentInfo *ec = cms->d.envelopedData->encryptedContentInfo; BIO *contentBio = ossl_cms_EncryptedContent_init_bio(ec, - ossl_cms_get0_cmsctx(cms)); + ossl_cms_get0_cmsctx(cms), 0); EVP_CIPHER_CTX *ctx = NULL; if (contentBio == NULL) @@ -1137,7 +1137,7 @@ static BIO *cms_EnvelopedData_Encryption_init_bio(CMS_ContentInfo *cms) /* Get BIO first to set up key */ ec = env->encryptedContentInfo; - ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms)); + ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms), 0); /* If error end of processing */ if (!ret) @@ -1189,7 +1189,7 @@ BIO *ossl_cms_AuthEnvelopedData_init_bio(CMS_ContentInfo *cms) ec->tag = aenv->mac->data; ec->taglen = aenv->mac->length; } - ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms)); + ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms), 1); /* If error or no cipher end of processing */ if (ret == NULL || ec->cipher == NULL) diff --git a/crypto/openssl/crypto/cms/cms_err.c b/crypto/openssl/crypto/cms/cms_err.c index 37e52963e16d..bc922d0ee03d 100644 --- a/crypto/openssl/crypto/cms/cms_err.c +++ b/crypto/openssl/crypto/cms/cms_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2026 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -25,6 +25,8 @@ static const ERR_STRING_DATA CMS_str_reasons[] = { "certificate has no keyid" }, { ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CERTIFICATE_VERIFY_ERROR), "certificate verify error" }, + { ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CIPHER_AEAD_IN_ENVELOPED_DATA), + "cipher aead in enveloped data" }, { ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CIPHER_AEAD_SET_TAG_ERROR), "cipher aead set tag error" }, { ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CIPHER_GET_TAG), "cipher get tag" }, diff --git a/crypto/openssl/crypto/cms/cms_local.h b/crypto/openssl/crypto/cms/cms_local.h index a92a67fa8b24..d80689f64d68 100644 --- a/crypto/openssl/crypto/cms/cms_local.h +++ b/crypto/openssl/crypto/cms/cms_local.h @@ -429,7 +429,7 @@ int ossl_cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert); int ossl_cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert); BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, - const CMS_CTX *ctx); + const CMS_CTX *ctx, int auth); BIO *ossl_cms_EncryptedData_init_bio(const CMS_ContentInfo *cms); int ossl_cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec, const EVP_CIPHER *cipher, diff --git a/crypto/openssl/crypto/cms/cms_pwri.c b/crypto/openssl/crypto/cms/cms_pwri.c index 46313f2bfe2c..8b0ea233fd6d 100644 --- a/crypto/openssl/crypto/cms/cms_pwri.c +++ b/crypto/openssl/crypto/cms/cms_pwri.c @@ -189,14 +189,18 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen, const unsigned char *in, size_t inlen, EVP_CIPHER_CTX *ctx) { - size_t blocklen = EVP_CIPHER_CTX_get_block_size(ctx); + int blocklen = EVP_CIPHER_CTX_get_block_size(ctx); unsigned char *tmp; int outl, rv = 0; - if (inlen < 2 * blocklen) { + + if (blocklen < 4) + return 0; + + if (inlen < 2 * (size_t)blocklen) { /* too small */ return 0; } - if (inlen % blocklen) { + if (inlen > INT_MAX || inlen % blocklen) { /* Invalid size */ return 0; } @@ -350,6 +354,11 @@ int ossl_cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms, /* Finish password based key derivation to setup key in "ctx" */ + if (algtmp == NULL) { + ERR_raise_data(ERR_LIB_CMS, CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER, + "Missing KeyDerivationAlgorithm"); + goto err; + } if (!EVP_PBE_CipherInit_ex(algtmp->algorithm, (char *)pwri->pass, (int)pwri->passlen, algtmp->parameter, kekctx, en_de, diff --git a/crypto/openssl/crypto/err/openssl.txt b/crypto/openssl/crypto/err/openssl.txt index 756fafdfa24a..dc4e3f310f08 100644 --- a/crypto/openssl/crypto/err/openssl.txt +++ b/crypto/openssl/crypto/err/openssl.txt @@ -1,4 +1,4 @@ -# Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2026 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -284,6 +284,7 @@ CMS_R_ATTRIBUTE_ERROR:161:attribute error CMS_R_CERTIFICATE_ALREADY_PRESENT:175:certificate already present CMS_R_CERTIFICATE_HAS_NO_KEYID:160:certificate has no keyid CMS_R_CERTIFICATE_VERIFY_ERROR:100:certificate verify error +CMS_R_CIPHER_AEAD_IN_ENVELOPED_DATA:182:cipher aead in enveloped data CMS_R_CIPHER_AEAD_SET_TAG_ERROR:184:cipher aead set tag error CMS_R_CIPHER_GET_TAG:185:cipher get tag CMS_R_CIPHER_INITIALISATION_ERROR:101:cipher initialisation error diff --git a/crypto/openssl/crypto/pkcs7/pk7_smime.c b/crypto/openssl/crypto/pkcs7/pk7_smime.c index 001b96d31183..fadf543e9db7 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_smime.c +++ b/crypto/openssl/crypto/pkcs7/pk7_smime.c @@ -218,6 +218,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, int i, j = 0, k, ret = 0; BIO *p7bio = NULL; BIO *tmpin = NULL, *tmpout = NULL; + BIO *next = NULL; const PKCS7_CTX *p7_ctx; if (p7 == NULL) { @@ -366,11 +367,11 @@ err: BIO_free(tmpout); X509_STORE_CTX_free(cert_ctx); OPENSSL_free(buf); - if (tmpin == indata) { - if (indata) - BIO_pop(p7bio); + while (p7bio != NULL && p7bio != indata) { + next = BIO_pop(p7bio); + BIO_free(p7bio); + p7bio = next; } - BIO_free_all(p7bio); sk_X509_free(signers); return ret; } diff --git a/crypto/openssl/include/crypto/cmserr.h b/crypto/openssl/include/crypto/cmserr.h index f9fd933682e5..8b896822d091 100644 --- a/crypto/openssl/include/crypto/cmserr.h +++ b/crypto/openssl/include/crypto/cmserr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2026 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/include/openssl/cmserr.h b/crypto/openssl/include/openssl/cmserr.h index c584b90574e2..6c0baf2362fc 100644 --- a/crypto/openssl/include/openssl/cmserr.h +++ b/crypto/openssl/include/openssl/cmserr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2026 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -17,7 +17,6 @@ #include #ifndef OPENSSL_NO_CMS - /* * CMS reason codes. */ @@ -26,6 +25,7 @@ #define CMS_R_CERTIFICATE_ALREADY_PRESENT 175 #define CMS_R_CERTIFICATE_HAS_NO_KEYID 160 #define CMS_R_CERTIFICATE_VERIFY_ERROR 100 +#define CMS_R_CIPHER_AEAD_IN_ENVELOPED_DATA 182 #define CMS_R_CIPHER_AEAD_SET_TAG_ERROR 184 #define CMS_R_CIPHER_GET_TAG 185 #define CMS_R_CIPHER_INITIALISATION_ERROR 101 diff --git a/crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c b/crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c index 8a8eddf36eec..70c0703ddb7c 100644 --- a/crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c +++ b/crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c @@ -516,6 +516,19 @@ static int aes_ocb_cipher(void *vctx, unsigned char *out, size_t *outl, return 0; } + /* + * Mirror the streaming handler: refuse if the key has not been set, + * and push the buffered IV into the OCB context before any data is + * processed. Without this, CRYPTO_ocb128_encrypt/decrypt runs with + * Offset_0 = 0 regardless of the caller's IV -- catastrophic + * (key, nonce) reuse, and a subsequent EVP_*Final_ex() emits a tag + * that is a function of (key, iv) only. + */ + if (!ctx->key_set || !update_iv(ctx)) { + ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED); + return 0; + } + if (!aes_generic_ocb_cipher(ctx, in, out, inl)) { ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED); return 0; diff --git a/crypto/openssl/providers/implementations/ciphers/cipher_aes_siv.c b/crypto/openssl/providers/implementations/ciphers/cipher_aes_siv.c index 510c1581b593..c3facacfbcf4 100644 --- a/crypto/openssl/providers/implementations/ciphers/cipher_aes_siv.c +++ b/crypto/openssl/providers/implementations/ciphers/cipher_aes_siv.c @@ -203,6 +203,7 @@ static int aes_siv_set_ctx_params(void *vctx, const OSSL_PARAM params[]) PROV_AES_SIV_CTX *ctx = (PROV_AES_SIV_CTX *)vctx; const OSSL_PARAM *p; unsigned int speed = 0; + SIV128_CONTEXT *sctx = &ctx->siv; if (params == NULL) return 1; @@ -237,6 +238,8 @@ static int aes_siv_set_ctx_params(void *vctx, const OSSL_PARAM params[]) if (keylen != ctx->keylen) return 0; } + sctx->final_ret = -1; + return 1; } diff --git a/crypto/openssl/providers/implementations/exchange/dh_exch.c b/crypto/openssl/providers/implementations/exchange/dh_exch.c index bb2d355c8143..668602a5e523 100644 --- a/crypto/openssl/providers/implementations/exchange/dh_exch.c +++ b/crypto/openssl/providers/implementations/exchange/dh_exch.c @@ -113,12 +113,15 @@ static int dh_init(void *vpdhctx, void *vdh, const OSSL_PARAM params[]) static int dh_match_params(DH *priv, DH *peer) { int ret; + int ignore_q = 1; FFC_PARAMS *dhparams_priv = ossl_dh_get0_params(priv); FFC_PARAMS *dhparams_peer = ossl_dh_get0_params(peer); + if (dhparams_priv != NULL && dhparams_priv->q != NULL) + ignore_q = 0; ret = dhparams_priv != NULL && dhparams_peer != NULL - && ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, 1); + && ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, ignore_q); if (!ret) ERR_raise(ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS); return ret; diff --git a/crypto/openssl/test/cms-msg/enveloped-content-type-for-aes-gcm.pem b/crypto/openssl/test/cms-msg/enveloped-content-type-for-aes-gcm.pem new file mode 100644 index 000000000000..b0610a7ec8a2 --- /dev/null +++ b/crypto/openssl/test/cms-msg/enveloped-content-type-for-aes-gcm.pem @@ -0,0 +1,7 @@ +-----BEGIN PKCS7----- +MIAGCSqGSIb3DQEHA6CAMIACAQIxNqI0AgEEMAgEBkMwRkVFMDALBglghkgBZQME +AQUEGPN0q9rM3neSiY7HIADpnqWym33mRZC4JDCABgkqhkiG9w0BBwEwHgYJYIZI +AWUDBAEGMBEEDIExQGiHZFSYa0ZBqQIBEKCABGNap+JL1B21Mq7ojKPzVuxtRkg3 +LWt8khnK1EzfmV7e64l5KnTdjq9+gfbwOfbuhTavfBI7VK/ZtpH3HII4fCOe37kV +mju8/YnYeRq2KcxESmJBySV/veMwxqmHGAw71JyHpg4AAAAAAAAAAAAA +-----END PKCS7----- diff --git a/crypto/openssl/test/cmsapitest.c b/crypto/openssl/test/cmsapitest.c index 7e74c5daf221..0a7e536bbe75 100644 --- a/crypto/openssl/test/cmsapitest.c +++ b/crypto/openssl/test/cmsapitest.c @@ -20,6 +20,7 @@ static X509 *cert = NULL; static EVP_PKEY *privkey = NULL; static char *derin = NULL; static char *too_long_iv_cms_in = NULL; +static char *pwri_kek_oob_der_in = NULL; static int test_encrypt_decrypt(const EVP_CIPHER *cipher) { @@ -45,6 +46,12 @@ static int test_encrypt_decrypt(const EVP_CIPHER *cipher) CMS_TEXT))) goto end; + if (!(EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) + && !TEST_ptr(contentbio = CMS_EnvelopedData_decrypt(content->d.envelopedData, + NULL, privkey, cert, NULL, + CMS_TEXT, NULL, NULL))) + goto end; + /* Check we got the message we first started with */ if (!TEST_int_eq(BIO_gets(outmsgbio, buf, sizeof(buf)), strlen(msg)) || !TEST_int_eq(strcmp(buf, msg), 0)) @@ -484,7 +491,48 @@ end: return ret; } -OPT_TEST_DECLARE_USAGE("certfile privkeyfile derfile\n") +/* + * CMS EnvelopedData with a single PasswordRecipientInfo using + * id-alg-PWRI-KEK and an AES-128-CFB key encryption cipher + * (1-byte effective block size). The encryptedKey OCTET STRING is + * only two bytes long, so the wrapped key buffer is shorter than + * the seven octets read by the check-byte test in kek_unwrap_key(). + * Prior to CVE-2026-9076 this triggered an out-of-bounds heap read; + * CMS_decrypt() must now fail cleanly. + */ +static int test_pwri_kek_unwrap_short_encrypted_key(void) +{ + BIO *in = NULL; + CMS_ContentInfo *cms = NULL; + unsigned long err = 0; + int ret = 0; + + if (!TEST_ptr(in = BIO_new_file(pwri_kek_oob_der_in, "rb")) + || !TEST_ptr(cms = d2i_CMS_bio(in, NULL))) + goto end; + + /* + * The unwrap is attempted eagerly inside CMS_decrypt_set1_password(). + * It must fail cleanly (no OOB read) and report CMS_R_UNWRAP_FAILURE. + */ + if (!TEST_false(CMS_decrypt_set1_password(cms, + (unsigned char *)"password", -1))) + goto end; + + err = ERR_peek_last_error(); + if (!TEST_int_eq(ERR_GET_LIB(err), ERR_LIB_CMS) + || !TEST_int_eq(ERR_GET_REASON(err), CMS_R_UNWRAP_FAILURE)) + goto end; + + ERR_clear_error(); + ret = 1; +end: + CMS_ContentInfo_free(cms); + BIO_free(in); + return ret; +} + +OPT_TEST_DECLARE_USAGE("certfile privkeyfile derfile tooLongIVpem pwriKekOobDer\n") int setup_tests(void) { @@ -499,7 +547,8 @@ int setup_tests(void) if (!TEST_ptr(certin = test_get_argument(0)) || !TEST_ptr(privkeyin = test_get_argument(1)) || !TEST_ptr(derin = test_get_argument(2)) - || !TEST_ptr(too_long_iv_cms_in = test_get_argument(3))) + || !TEST_ptr(too_long_iv_cms_in = test_get_argument(3)) + || !TEST_ptr(pwri_kek_oob_der_in = test_get_argument(4))) return 0; certbio = BIO_new_file(certin, "r"); @@ -535,6 +584,7 @@ int setup_tests(void) ADD_TEST(test_encrypted_data_aead); ADD_ALL_TESTS(test_d2i_CMS_decode, 2); ADD_TEST(test_cms_aesgcm_iv_too_long); + ADD_TEST(test_pwri_kek_unwrap_short_encrypted_key); return 1; } diff --git a/crypto/openssl/test/evp_extra_test.c b/crypto/openssl/test/evp_extra_test.c index 1b0f0711cb57..7bd41db115ca 100644 --- a/crypto/openssl/test/evp_extra_test.c +++ b/crypto/openssl/test/evp_extra_test.c @@ -5414,6 +5414,64 @@ static int test_aes_rc4_keylen_change_cve_2023_5363(void) } #endif +/* + * AES-SIV reuse-without-rekey: + * msg1: legit non-empty CT, tag verifies, final_ret=0 + * msg2: no reinit (or reinit with key=NULL), set forged tag, + * AAD only, DecryptFinal -> does stale final_ret leak through? + */ +static int test_aes_siv_ctx_reuse(void) +{ + unsigned char key[32] = { 7 }; /* AES-128-SIV => 2*16 */ + unsigned char pt[9] = "payload!"; + unsigned char ct[9], tagbuf[16], out[16], zero16[16] = { 0 }; + unsigned char aad[14] = "forged header"; + int outl, ret = 0; + EVP_CIPHER_CTX *e = NULL, *d = NULL; + EVP_CIPHER *c = EVP_CIPHER_fetch(NULL, "AES-128-SIV", NULL); + + if (c == NULL) { + return TEST_skip("AES-128-SIV cipher is not available"); + } + + /* produce a valid (ct,tag) for msg1 */ + e = EVP_CIPHER_CTX_new(); + if (!TEST_ptr(e) + || !TEST_true(EVP_EncryptInit_ex2(e, c, key, NULL, NULL)) + || !TEST_true(EVP_EncryptUpdate(e, NULL, &outl, (unsigned char *)"hdr1", 4)) + || !TEST_true(EVP_EncryptUpdate(e, ct, &outl, pt, sizeof(pt))) + || !TEST_true(EVP_EncryptFinal_ex(e, out, &outl)) + || !TEST_true(EVP_CIPHER_CTX_ctrl(e, EVP_CTRL_AEAD_GET_TAG, 16, tagbuf))) { + EVP_CIPHER_CTX_free(e); + goto err; + } + EVP_CIPHER_CTX_free(e); + + /* msg1 decrypt */ + d = EVP_CIPHER_CTX_new(); + if (!TEST_ptr(d) + || !TEST_true(EVP_DecryptInit_ex2(d, c, key, NULL, NULL)) + || !TEST_true(EVP_CIPHER_CTX_ctrl(d, EVP_CTRL_AEAD_SET_TAG, 16, tagbuf)) + || !TEST_true(EVP_DecryptUpdate(d, NULL, &outl, (unsigned char *)"hdr1", 4)) + || !TEST_true(EVP_DecryptUpdate(d, out, &outl, ct, sizeof(ct))) + || !TEST_true(EVP_DecryptFinal_ex(d, out, &outl))) + goto err; + + /* msg2 on SAME ctx, reinit with key=NULL => initkey skipped, final_ret should be reset */ + if (!TEST_true(EVP_DecryptInit_ex2(d, NULL, NULL, NULL, NULL)) + || !TEST_true(EVP_CIPHER_CTX_ctrl(d, EVP_CTRL_AEAD_SET_TAG, 16, zero16)) + || !TEST_true(EVP_DecryptUpdate(d, NULL, &outl, aad, sizeof(aad))) /* forged AAD */ + || !TEST_false(EVP_DecryptFinal_ex(d, out, &outl))) + goto err; + + ret = 1; + +err: + EVP_CIPHER_CTX_free(d); + EVP_CIPHER_free(c); + return ret; +} + static int test_invalid_ctx_for_digest(void) { int ret; @@ -5637,6 +5695,9 @@ int setup_tests(void) ADD_TEST(test_aes_rc4_keylen_change_cve_2023_5363); #endif + /* Test case for CVE-2026-45446 */ + ADD_TEST(test_aes_siv_ctx_reuse); + ADD_TEST(test_invalid_ctx_for_digest); ADD_TEST(test_evp_cipher_negative_length); diff --git a/crypto/openssl/test/recipes/80-test_cms.t b/crypto/openssl/test/recipes/80-test_cms.t index b6ee61464409..f573651e26bc 100644 --- a/crypto/openssl/test/recipes/80-test_cms.t +++ b/crypto/openssl/test/recipes/80-test_cms.t @@ -51,7 +51,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) $no_rc2 = 1 if disabled("legacy"); -plan tests => 23; +plan tests => 24; ok(run(test(["pkcs7_test"])), "test pkcs7"); @@ -1054,6 +1054,16 @@ ok(!run(app(['openssl', 'cms', '-verify', ])), "issue#19643"); +# Check that users get error when using incorrect envelope type for AEAD algorithms +ok(!run(app(['openssl', 'cms', '-decrypt', + '-inform', 'PEM', '-stream', + '-secretkey', '000102030405060708090A0B0C0D0E0F', + '-secretkeyid', 'C0FEE0', + '-in', srctop_file("test/cms-msg", + "enveloped-content-type-for-aes-gcm.pem") + ])), + "Error AES-GCM in enveloped content type"); + # Check that kari encryption with originator does not segfault with({ exit_checker => sub { return shift == 3; } }, sub { diff --git a/crypto/openssl/test/recipes/80-test_cmsapi.t b/crypto/openssl/test/recipes/80-test_cmsapi.t index 8d9371e005c0..3d1dae846464 100644 --- a/crypto/openssl/test/recipes/80-test_cmsapi.t +++ b/crypto/openssl/test/recipes/80-test_cmsapi.t @@ -19,5 +19,6 @@ plan tests => 1; ok(run(test(["cmsapitest", srctop_file("test", "certs", "servercert.pem"), srctop_file("test", "certs", "serverkey.pem"), srctop_file("test", "recipes", "80-test_cmsapi_data", "encryptedData.der"), - srctop_file("test", "recipes", "80-test_cmsapi_data", "encDataWithTooLongIV.pem")])), + srctop_file("test", "recipes", "80-test_cmsapi_data", "encDataWithTooLongIV.pem"), + srctop_file("test", "recipes", "80-test_cmsapi_data", "cms_pwri_kek_oob.der")])), "running cmsapitest"); diff --git a/crypto/openssl/test/recipes/80-test_cmsapi_data/cms_pwri_kek_oob.der b/crypto/openssl/test/recipes/80-test_cmsapi_data/cms_pwri_kek_oob.der new file mode 100644 index 000000000000..c3ef3abd10e6 Binary files /dev/null and b/crypto/openssl/test/recipes/80-test_cmsapi_data/cms_pwri_kek_oob.der differ From nobody Tue Jun 9 19:18:47 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxN1TWcz6gV7m for ; Tue, 09 Jun 2026 19:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxM3fMtz3NfY for ; Tue, 09 Jun 2026 19:18:47 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032727; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=cUjpku+uswLgiLA5gpUDWiRzR/iyliW1k17zKPepWkU=; b=pKu6bml2Eg0Vk5jMnu9zbNJND73/y5GD7dbV0TKEcM6ZahzIhDX96okUJQ2cmNNfj5NpmD ay4h6z+VmGFSHeeFUH170yJXSsOOTjGBHj5WugOyQSVe4Pt0mmRzCTrLycJWHK2FckbTv2 kzqF52a0XghhIY3x2F8HJM5Xr0b2dFHgt5K8g4Gyjbx4QkauHqZIhOqpsqeVlX6XiS9ppl 9gjhdESDZIavN4/aTHUVi8mKmyhCdZnyk40WU1WsRuODn60VWO5qXpwp9X6l/k+ykITSkf rsHs/q7ruKpWBrmzvLZvnXKDel+gi/8TJ/NLpSHMAefvAsOaXTV9lZTl48Pzxw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032727; a=rsa-sha256; cv=none; b=vU1N15xAo+Emu5K/pJwZ8YbDlckPFY1AY/rdye7Ng/tUkPNgvRuNDfea0HM5YtfphbDafX lPiagUgjczOBgX+DP1tYwMpzyyBnN8QtAO3L/IpMoIecOAlka27/fS0u+tfXn++7HLCDnT oJi/ybOvwRN0rQ6jKPdJgPUpJiByyN7qHUC3qzEOZ35Tsj+yg2cD/sjtCJfOGibEITy3ol 95jvZxr+a7R4xDPUxP8cpyVRsrsDdaIoj0aZ9jLnIr0QfA+U2ch4O4HKVNnS5TafT3jmo9 CjDjwqTjHHHye+tc4lyDImphb6+CnFrTcF2v0GmbVboIrdWZK3DobYajeFnDFg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032727; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=cUjpku+uswLgiLA5gpUDWiRzR/iyliW1k17zKPepWkU=; b=Q3+wfZ5ne8GnE/F3n1+SVX5QDVv8eJQxUhON+kEj4YrqaR+FxBOd8xaUmwCbmUgtu0pUGK AFE+J+hNZGjZqaSw1WkL/AWGWFTfem22Xr29hzYdYnStP0obgGhB5dqHcwvUxFzbEoSfk+ dCGjEstjwIojMcYEM+NOyujFOXCU/wGGJzh/3CZefS9NKGC9pEevcuA918DNd3UIAvYtH6 hYf/GcDWkEC9PiIaGWDbLiGIVTq6+aHNce44D/9yd5VqHGAVttk7malByAK1GtdcHKrSz6 BAOle8gavOUPVU21cB0Uks5r/3ZAleiDkO4b6FYTc78xDBUQQceiFiQ6Wimq7g== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxM3CNvznkk for ; Tue, 09 Jun 2026 19:18:47 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e83b by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:18:47 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Gordon Tetlow From: Mark Johnston Subject: git: f61d7fc2ba85 - releng/14.3 - ldns: Fix query response validation List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.3 X-Git-Reftype: branch X-Git-Commit: f61d7fc2ba857cdce154a7c3964d8ee3f400e838 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:18:47 +0000 Message-Id: <6a286717.3e83b.ad3fac6@gitrepo.freebsd.org> The branch releng/14.3 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=f61d7fc2ba857cdce154a7c3964d8ee3f400e838 commit f61d7fc2ba857cdce154a7c3964d8ee3f400e838 Author: Gordon Tetlow AuthorDate: 2026-06-07 15:49:47 +0000 Commit: Mark Johnston CommitDate: 2026-06-07 17:48:17 +0000 ldns: Fix query response validation Approved by: so Security: FreeBSD-SA-26:36.ldns Security: CVE-2026-10846 --- contrib/ldns/error.c | 13 +++++++ contrib/ldns/ldns/error.h | 8 ++++- contrib/ldns/net.c | 92 +++++++++++++++++++++++++++++++++++++++++++++-- 3 files changed, 110 insertions(+), 3 deletions(-) diff --git a/contrib/ldns/error.c b/contrib/ldns/error.c index e3fd12112789..4fc05d6d0d8f 100644 --- a/contrib/ldns/error.c +++ b/contrib/ldns/error.c @@ -184,6 +184,19 @@ ldns_lookup_table ldns_error_str[] = { { LDNS_STATUS_INVALID_SVCPARAM_VALUE, "Invalid wireformat of a value " "in the ServiceParam rdata field of SVCB or HTTPS RR" }, + { LDNS_STATUS_NOT_EDE, + "The EDNS option is not an extended error code" }, + { LDNS_STATUS_EDE_OPTION_MALFORMED, + "The extended error code option is malformed, expected " + "at least 2 bytes of option data" }, + { LDNS_STATUS_EQUAL_RR, + "An identical RR already existed in the zone" }, + { LDNS_STATUS_ID_DID_NOT_MATCH, + "Response ID did not match the query ID" }, + { LDNS_STATUS_QDCOUNT_MUST_BE_ONE, + "The query section MUST contain exactly one question" }, + { LDNS_STATUS_QUERY_DID_NOT_MATCH, + "The question in the response did not match the query" }, { 0, NULL } }; diff --git a/contrib/ldns/ldns/error.h b/contrib/ldns/ldns/error.h index 2429b7703dfa..41d64cc0815f 100644 --- a/contrib/ldns/ldns/error.h +++ b/contrib/ldns/ldns/error.h @@ -141,7 +141,13 @@ enum ldns_enum_status { LDNS_STATUS_RESERVED_SVCPARAM_KEY, LDNS_STATUS_NO_SVCPARAM_VALUE_EXPECTED, LDNS_STATUS_SVCPARAM_KEY_MORE_THAN_ONCE, - LDNS_STATUS_INVALID_SVCPARAM_VALUE + LDNS_STATUS_INVALID_SVCPARAM_VALUE, + LDNS_STATUS_NOT_EDE, + LDNS_STATUS_EDE_OPTION_MALFORMED, + LDNS_STATUS_EQUAL_RR, + LDNS_STATUS_ID_DID_NOT_MATCH, + LDNS_STATUS_QDCOUNT_MUST_BE_ONE, + LDNS_STATUS_QUERY_DID_NOT_MATCH }; typedef enum ldns_enum_status ldns_status; diff --git a/contrib/ldns/net.c b/contrib/ldns/net.c index 57d4dff24dbe..215c0cac891c 100644 --- a/contrib/ldns/net.c +++ b/contrib/ldns/net.c @@ -441,6 +441,50 @@ ldns_udp_bgsend2(ldns_buffer *qbin, return ldns_udp_bgsend_from(qbin, to, tolen, NULL, 0, timeout); } +/** helper sockaddr compare function. returns -1, 0 or 1. */ +static int +ldns_sockaddr_cmp(const struct sockaddr_storage* addr1, socklen_t len1, + const struct sockaddr_storage* addr2, socklen_t len2) +{ + struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1; + struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2; + struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1; + struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2; + if(len1 < len2) + return -1; + if(len1 > len2) + return 1; + assert(len1 == len2); + if( p1_in->sin_family < p2_in->sin_family) + return -1; + if( p1_in->sin_family > p2_in->sin_family) + return 1; + assert( p1_in->sin_family == p2_in->sin_family ); + /* compare ip4 */ + if( p1_in->sin_family == AF_INET ) { + /* just order it, ntohs not required */ + if(p1_in->sin_port < p2_in->sin_port) + return -1; + if(p1_in->sin_port > p2_in->sin_port) + return 1; + assert(p1_in->sin_port == p2_in->sin_port); + return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, + sizeof(p1_in->sin_addr)); + } else if (p1_in6->sin6_family == AF_INET6) { + /* just order it, ntohs not required */ + if(p1_in6->sin6_port < p2_in6->sin6_port) + return -1; + if(p1_in6->sin6_port > p2_in6->sin6_port) + return 1; + assert(p1_in6->sin6_port == p2_in6->sin6_port); + return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr, + sizeof(p1_in6->sin6_addr)); + } else { + /* eek unknown type, perform this comparison for sanity. */ + return memcmp(addr1, addr2, len1); + } +} + static ldns_status ldns_udp_send_from(uint8_t **result, ldns_buffer *qbin, const struct sockaddr_storage *to , socklen_t tolen, @@ -449,6 +493,8 @@ ldns_udp_send_from(uint8_t **result, ldns_buffer *qbin, { int sockfd; uint8_t *answer; + struct sockaddr_storage reply_addr; + socklen_t reply_addr_len; sockfd = ldns_udp_bgsend_from(qbin, to, tolen, from, fromlen, timeout); @@ -467,13 +513,21 @@ ldns_udp_send_from(uint8_t **result, ldns_buffer *qbin, * but returns a 'NETWORK_ERROR' much like a timeout. */ ldns_sock_nonblock(sockfd); - answer = ldns_udp_read_wire(sockfd, answer_size, NULL, NULL); + reply_addr_len = sizeof(reply_addr); + memset(&reply_addr, 0, reply_addr_len); + answer = ldns_udp_read_wire(sockfd, answer_size, &reply_addr, + &reply_addr_len); close_socket(sockfd); if (!answer) { /* oops */ return LDNS_STATUS_NETWORK_ERR; } + /* Check that the reply came from the to addr. */ + if(ldns_sockaddr_cmp(to, tolen, &reply_addr, reply_addr_len) != 0) { + free(answer); + return LDNS_STATUS_NETWORK_ERR; + } *result = answer; return LDNS_STATUS_OK; @@ -512,6 +566,10 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf assert(r != NULL); + /* The query should at least have one question */ + if(ldns_buffer_limit(qb) < 6 || ldns_buffer_read_u16_at(qb, 4) != 1) + return LDNS_STATUS_QDCOUNT_MUST_BE_ONE; + status = LDNS_STATUS_OK; rtt = ldns_resolver_rtt(r); ns_array = ldns_resolver_nameservers(r); @@ -599,6 +657,16 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf ldns_resolver_set_nameserver_rtt(r, i, LDNS_RESOLV_RTT_INF); status = send_status; } + if(reply_bytes && ldns_buffer_limit(qb) >= 2) { + uint16_t txid = ldns_buffer_read_u16_at(qb, 0); + if(reply_size < 2 || + ldns_read_uint16(reply_bytes) != txid) { + status = LDNS_STATUS_ID_DID_NOT_MATCH; + LDNS_FREE(reply_bytes); + reply_bytes = NULL; + reply_size = 0; + } + } /* obey the fail directive */ if (!reply_bytes) { @@ -608,7 +676,7 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf LDNS_FREE(src); } LDNS_FREE(ns); - return LDNS_STATUS_ERR; + return status ? status : LDNS_STATUS_ERR; } else { LDNS_FREE(ns); continue; @@ -670,6 +738,26 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf #endif /* HAVE_SSL */ LDNS_FREE(reply_bytes); + if (reply) { + ldns_pkt *query = NULL; + + if(ldns_pkt_qdcount(reply) != 1) { + status = LDNS_STATUS_QDCOUNT_MUST_BE_ONE; + ldns_pkt_free(reply); + reply = NULL; + + } else if(ldns_wire2pkt(&query + , ldns_buffer_begin(qb) + , ldns_buffer_position(qb)) != LDNS_STATUS_OK + || ldns_pkt_qdcount(query) != 1 + || ldns_rr_compare(ldns_rr_list_rr(ldns_pkt_question(query),0) + ,ldns_rr_list_rr(ldns_pkt_question(reply),0))){ + status = LDNS_STATUS_QUERY_DID_NOT_MATCH; + ldns_pkt_free(reply); + reply = NULL; + } + ldns_pkt_free(query); + } if (result) { *result = reply; } From nobody Tue Jun 9 19:18:48 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxN6MNDz6gVNW for ; Tue, 09 Jun 2026 19:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxN4YhKz3NRp for ; Tue, 09 Jun 2026 19:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032728; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=6aWZWmSr0PoiqSInru6wWOaoVIqHrsyD0nnSabR7ed4=; b=t6/29Sc8h06HtkfOcXdAP3wAd4CAmfS6bZQKk8cZnWe+jUbWIxdZ7PIKXV9rEYMPYFClAK Hz4rwVoBy5W9/kXqnhYqOJKUAazv9REXWfKVqD8GXT7FimpFDBpF+JgmD5L673HA8+oDIA EwpgJQbUP1smBl2SvsQTrwHvN8r8Bong6AJR4s8ZMLIa2xzLKxHSLXTWmqcsvcOHXc6lnU hZKRlm4ZhCrXN0YgSL4hE050mAn+ZTRoIBF6h+Ltv0paqiFcXLExMKDSRo5tnG5KjPb6DG nuuMPYz8RkwyNOfJE+l9IRXM3OnhSCuZ7TjYuyrOVnjs5d4F/1sX3pBUm5khHQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032728; a=rsa-sha256; cv=none; b=s3S1iyUyRi6bSsjQyKDPS1whTUY42csicMrBM3eT7TNY+uQ7uzXQ6eNmxgiNgNJ/PQ/zgv raDbMjY37vnDkvbGMD4yJ1Ps7gNJ4NpN9L6q+i8bgdOK4cJCiQEm4y7fBlaEock0m0Ssoa ZYDmefvZybWVyzX1v8NsrIndYoyzhS8tA/jhaUwl4VwOB46yI1tBsbG5IzblvOf+yZYMLW wEjVOG3yGOP0VziPJ/3rIjGsqBd8/My0fhk8V6bir+h4AZRo9lGLAaHyWrveZGif7LA2vG jMIpxy6iEvIYHQq1Fnx9eTjq2asCpheY5JVRPhDkohr+CIeYehYBX0clkGClIw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032728; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=6aWZWmSr0PoiqSInru6wWOaoVIqHrsyD0nnSabR7ed4=; b=IaQnsat2CPPMCIOYqhsWKdX0qPPTmXuzWhtHbTtGaLzlz2d4t1IJA4ZidU/j9yESOa17LW nfTpVB/JC/wX78cCFsOA/sVvUk/hJQ9BnCNwR502ogynt+UrLXB7GTRKe8MprBvX4LXLzk Vh6nSdUt2iTITR45yd3XLPWuNrc3tXJEbZhGWGw3KD3xeWtDJPqnQzL3gNI9Lq0Sn7+wvV QPqA3z2qXVApjoXOoYClrAAoH31WEKs7178e/+1upwVvDpkMQkneI75Y3Dl0C0QdUnUsd6 D997Ce7fYWyG/lGzdAszF8+cXd/55fM8ZUaJhyOD7BDg30BwN+9qvmxCGWpHhQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxN3yzdznCW for ; Tue, 09 Jun 2026 19:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3c5f7 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:18:48 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 0b1dfc94785e - releng/14.3 - Add UPDATING entries and bump version List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.3 X-Git-Reftype: branch X-Git-Commit: 0b1dfc94785e1ae263e9334a07fbe2a1ef98c0c9 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:18:48 +0000 Message-Id: <6a286718.3c5f7.5414a565@gitrepo.freebsd.org> The branch releng/14.3 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=0b1dfc94785e1ae263e9334a07fbe2a1ef98c0c9 commit 0b1dfc94785e1ae263e9334a07fbe2a1ef98c0c9 Author: Mark Johnston AuthorDate: 2026-06-07 17:34:10 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 15:24:16 +0000 Add UPDATING entries and bump version Approved by: so --- UPDATING | 41 +++++++++++++++++++++++++++++++++++++++++ sys/conf/newvers.sh | 2 +- 2 files changed, 42 insertions(+), 1 deletion(-) diff --git a/UPDATING b/UPDATING index 8abe8c180b1f..54f8fba0e6a2 100644 --- a/UPDATING +++ b/UPDATING @@ -12,6 +12,47 @@ Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before updating system packages and/or ports. +20260609: + 14.3-RELEASE-p15 EN-26:15.openssl + SA-26:25.thr + SA-26:26.ktls + SA-26:27.sound + SA-26:28.capsicum + SA-26:29.ip6_multicast + SA-26:30.linux + SA-26:31.arm64 + SA-26:32.elf + SA-26:33.unbound + SA-26:34.vt + SA-26:35.openssl + SA-26:36.ldns + + Update OpenSSL to 3.0.20 and 3.5.6. [EN-26:15.openssl] + + Missing permission check in thr_kill2(2). [SA-26:25.thr] + + Arbitrary file overwrite via the KTLS receive path. [SA-26:26.ktls] + + Multiple vulnerabilities in the sound(4) mmap path. [SA-26:27.sound] + + sigqueue(2) missing capability mode restriction. [SA-26:28.capsicum] + + Use-after-free bug in the IPV6_MSFILTER socket option handler. [SA-26:29.ip6_multicast] + + Flaw in Linuxulator execution of setugid binaries. [SA-26:30.linux] + + Arm CPU errata may bypass page table permission changes. [SA-26:31.arm64] + + ASLR bypass for setuid executables via procctl(2). [SA-26:32.elf] + + Multiple vulnerabilities in unbound. [SA-26:33.unbound] + + Integer overflow in vt(4) CONS_HISTORY ioctl. [SA-26:34.vt] + + Multiple vulnerabilities in OpenSSL. [SA-26:35.openssl] + + Insufficient response validation in the ldns stub resolver. [SA-26:36.ldns] + 20260520: 14.3-RELEASE-p14 SA-26:18.setcred SA-26:19.file diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 1c3b6a33dd3b..0617bc4d8e1a 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -53,7 +53,7 @@ TYPE="FreeBSD" REVISION="14.3" -BRANCH="RELEASE-p14" +BRANCH="RELEASE-p15" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi From nobody Tue Jun 9 19:18:58 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxg57RRz6gVJK for ; Tue, 09 Jun 2026 19:19:03 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxg3j03z3PJV for ; Tue, 09 Jun 2026 19:19:03 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032743; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=/Ak1aLesszcutpzOqDj1SAizkdo+McbT7FQFhNDo/TY=; b=GTGYdYCzle2oEG7EanVDh6ErHsald4DgNCKd25R6QWyaRbJybinnCTHGfGPOYE9/mTvzD2 LO0TEX/BuwcuCV3La7+Rhqahtj9pjE3K0o6kwjuLd8/ZgZZ5jAvaxSrHnzEhQ4uTEy7oDO Zifp2ED/J2hn9VlY0GilpOz4UE27gTyqN+nFE5uElZlFQuP8khn0ugRVsItyzxbs6CfnZc MlenfsxEsO0fwtEJLp2kImuM94ilXdVDQcjywtnW9m/j1R9gISFTTqw/39JEBk53Qrou1N RlmqrCLdG2eq0CKB2fNvZ9/ena3KbCN9I1oLaCTwRQ/1BW/c3oVUDdkaUBN5+g== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032743; a=rsa-sha256; cv=none; b=J+pbvIVlW1x2h35T5u+gVwa9pFyqp8baqI7ylh6EfKSyX1FW6jFjTzAXMTmhDpuGuMHlvJ m8MZmuIvnXI2RgwHXLTb22mSiK0L012gr9szcPbSgz116i4v0lwTVLWK8E6RgUezDR/z1M Z85SCObHXTRHLQ7I3JxMUosIxAWg2yNg2hSwSY5pME7Hj+or7M7pGjRBtYN9yCV8eY8Isn 811h8D3VO+rIeJ9J2Chkx3L422X14p6uo2pKYrpkBnOCAmmxDiOmaAmgX6xbMRiZWcjpCK G5VMabjeJrcyuJMLSJqAXNCCd42XuI2xy/EbRroZUu9tFtYmujvbVFBU/PVFdQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032743; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=/Ak1aLesszcutpzOqDj1SAizkdo+McbT7FQFhNDo/TY=; b=KhyppaSmgU8yxc4rfbeXXgOvptDjGck0zHJgAOi+dP83OuMkQH0uY6mus+saV26HhzMaNO omux8M7yOdd3coxrilNJDjbyjrwNKXmiyeykcW9LCkMYa7ihqLd46H08uByASnfYmmQqiR TXpfpJkekuMuyiC986/41i6h/11LTSDZOnLGIIrMlkTO7CNH+Ag0GfnQO+XUdLMbDv2mCJ girCKukdikWYuv1pJ8r6D9TR94wT4wydriZxYk0Nt14CZaaCQ8MBAh483kD31QFYitP4AK b1PKSIzJKz/CHGKbuUthbw3urExpdM1NxM2DvJL+Z+6gNFd+iwSKFohCPfVjuw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxg36ppznG0 for ; Tue, 09 Jun 2026 19:19:03 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e840 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:18:58 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Enji Cooper From: Mark Johnston Subject: git: 1bfe60bae8b8 - releng/14.4 - crypto/openssl: Update to 3.0.20 List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.4 X-Git-Reftype: branch X-Git-Commit: 1bfe60bae8b85cc63307d9f6b295c30f1684a2c9 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:18:58 +0000 Message-Id: <6a286722.3e840.7a6fc5da@gitrepo.freebsd.org> The branch releng/14.4 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=1bfe60bae8b85cc63307d9f6b295c30f1684a2c9 commit 1bfe60bae8b85cc63307d9f6b295c30f1684a2c9 Author: Enji Cooper AuthorDate: 2026-04-13 00:10:02 +0000 Commit: Mark Johnston CommitDate: 2026-06-07 15:53:43 +0000 crypto/openssl: Update to 3.0.20 This particular change contains all functional and security fixes made between 3.0.16 and 3.0.20. (cherry picked from commit 27ac9d336f715b4ce91bf447f73d5c3621d099ce) Approved by: so Security: FreeBSD-EN-26:15.openssl Security: CVE-2026-28387 Security: CVE-2026-28388 Security: CVE-2026-28389 Security: CVE-2026-31789 Security: CVE-2026-31790 --- crypto/openssl/ACKNOWLEDGEMENTS.md | 4 +- crypto/openssl/CHANGES.md | 781 +- crypto/openssl/Configurations/10-main.conf | 3 +- crypto/openssl/Configurations/50-nonstop.conf | 2 + crypto/openssl/Configurations/unix-Makefile.tmpl | 17 +- .../openssl/Configurations/windows-makefile.tmpl | 5 +- crypto/openssl/Configure | 7 +- crypto/openssl/INSTALL.md | 4 +- crypto/openssl/NEWS.md | 460 +- crypto/openssl/NOTES-WINDOWS.md | 5 + crypto/openssl/README-ENGINES.md | 2 +- crypto/openssl/README.md | 9 +- crypto/openssl/VERSION.dat | 4 +- crypto/openssl/apps/CA.pl | 383 + crypto/openssl/apps/CA.pl.in | 260 +- crypto/openssl/apps/asn1parse.c | 72 +- crypto/openssl/apps/ca.c | 742 +- crypto/openssl/apps/ciphers.c | 55 +- crypto/openssl/apps/cmp.c | 1163 +- crypto/openssl/apps/cms.c | 491 +- crypto/openssl/apps/crl.c | 124 +- crypto/openssl/apps/crl2pkcs7.c | 36 +- crypto/openssl/apps/dgst.c | 141 +- crypto/openssl/apps/dhparam.c | 152 +- crypto/openssl/apps/dsa.c | 78 +- crypto/openssl/apps/dsaparam.c | 64 +- crypto/openssl/apps/ec.c | 78 +- crypto/openssl/apps/ecparam.c | 127 +- crypto/openssl/apps/enc.c | 180 +- crypto/openssl/apps/engine.c | 112 +- crypto/openssl/apps/errstr.c | 17 +- crypto/openssl/apps/fipsinstall.c | 192 +- crypto/openssl/apps/gendsa.c | 39 +- crypto/openssl/apps/genpkey.c | 67 +- crypto/openssl/apps/genrsa.c | 57 +- crypto/openssl/apps/include/app_libctx.h | 4 +- crypto/openssl/apps/include/app_params.h | 1 - crypto/openssl/apps/include/apps.h | 262 +- crypto/openssl/apps/include/apps_ui.h | 5 +- crypto/openssl/apps/include/cmp_mock_srv.h | 18 +- crypto/openssl/apps/include/engine_loader.h | 8 +- crypto/openssl/apps/include/fmt.h | 32 +- crypto/openssl/apps/include/function.h | 17 +- crypto/openssl/apps/include/http_server.h | 86 +- crypto/openssl/apps/include/names.h | 2 +- crypto/openssl/apps/include/opt.h | 544 +- crypto/openssl/apps/include/platform.h | 12 +- crypto/openssl/apps/include/s_apps.h | 56 +- crypto/openssl/apps/include/vms_term_sock.h | 12 +- crypto/openssl/apps/info.c | 36 +- crypto/openssl/apps/kdf.c | 45 +- crypto/openssl/apps/lib/app_libctx.c | 3 +- crypto/openssl/apps/lib/app_params.c | 7 +- crypto/openssl/apps/lib/app_provider.c | 5 +- crypto/openssl/apps/lib/app_rand.c | 7 +- crypto/openssl/apps/lib/app_x509.c | 54 +- crypto/openssl/apps/lib/apps.c | 825 +- crypto/openssl/apps/lib/apps_ui.c | 39 +- crypto/openssl/apps/lib/cmp_mock_srv.c | 121 +- crypto/openssl/apps/lib/columns.c | 1 - crypto/openssl/apps/lib/engine.c | 15 +- crypto/openssl/apps/lib/engine_loader.c | 38 +- crypto/openssl/apps/lib/http_server.c | 126 +- crypto/openssl/apps/lib/names.c | 2 +- crypto/openssl/apps/lib/opt.c | 271 +- crypto/openssl/apps/lib/s_cb.c | 625 +- crypto/openssl/apps/lib/s_socket.c | 119 +- crypto/openssl/apps/lib/tlssrp_depr.c | 47 +- crypto/openssl/apps/lib/vms_decc_argv.c | 2 +- crypto/openssl/apps/lib/vms_term_sock.c | 517 +- crypto/openssl/apps/lib/win32_init.c | 31 +- crypto/openssl/apps/list.c | 484 +- crypto/openssl/apps/mac.c | 42 +- crypto/openssl/apps/nseq.c | 22 +- crypto/openssl/apps/ocsp.c | 487 +- crypto/openssl/apps/openssl.c | 58 +- crypto/openssl/apps/passwd.c | 253 +- crypto/openssl/apps/pkcs12.c | 342 +- crypto/openssl/apps/pkcs7.c | 39 +- crypto/openssl/apps/pkcs8.c | 88 +- crypto/openssl/apps/pkey.c | 100 +- crypto/openssl/apps/pkeyparam.c | 32 +- crypto/openssl/apps/pkeyutl.c | 244 +- crypto/openssl/apps/prime.c | 39 +- crypto/openssl/apps/progs.pl | 11 +- crypto/openssl/apps/rand.c | 28 +- crypto/openssl/apps/rehash.c | 169 +- crypto/openssl/apps/req.c | 450 +- crypto/openssl/apps/rsa.c | 103 +- crypto/openssl/apps/rsautl.c | 91 +- crypto/openssl/apps/s_client.c | 1742 +- crypto/openssl/apps/s_server.c | 929 +- crypto/openssl/apps/s_time.c | 164 +- crypto/openssl/apps/sess_id.c | 42 +- crypto/openssl/apps/smime.c | 208 +- crypto/openssl/apps/speed.c | 1256 +- crypto/openssl/apps/spkac.c | 56 +- crypto/openssl/apps/srp.c | 196 +- crypto/openssl/apps/storeutl.c | 181 +- crypto/openssl/apps/testdsa.h | 1490 +- crypto/openssl/apps/testrsa.h | 4912 +++- crypto/openssl/apps/timeouts.h | 8 +- crypto/openssl/apps/ts.c | 269 +- crypto/openssl/apps/verify.c | 137 +- crypto/openssl/apps/version.c | 53 +- crypto/openssl/apps/vms_decc_init.c | 73 +- crypto/openssl/apps/x509.c | 389 +- crypto/openssl/configdata.pm.in | 4 +- crypto/openssl/crypto/LPdir_nyi.c | 2 +- crypto/openssl/crypto/LPdir_unix.c | 23 +- crypto/openssl/crypto/LPdir_vms.c | 24 +- crypto/openssl/crypto/LPdir_win.c | 35 +- crypto/openssl/crypto/LPdir_win32.c | 2 + crypto/openssl/crypto/LPdir_wince.c | 2 + crypto/openssl/crypto/aes/aes_cbc.c | 8 +- crypto/openssl/crypto/aes/aes_cfb.c | 18 +- crypto/openssl/crypto/aes/aes_core.c | 3589 ++- crypto/openssl/crypto/aes/aes_ecb.c | 2 +- crypto/openssl/crypto/aes/aes_ige.c | 56 +- crypto/openssl/crypto/aes/aes_local.h | 51 +- crypto/openssl/crypto/aes/aes_misc.c | 6 +- crypto/openssl/crypto/aes/aes_ofb.c | 6 +- crypto/openssl/crypto/aes/aes_wrap.c | 12 +- crypto/openssl/crypto/aes/aes_x86core.c | 594 +- crypto/openssl/crypto/aes/asm/aes-s390x.pl | 5 +- crypto/openssl/crypto/aes/asm/aesv8-armx.pl | 8 +- crypto/openssl/crypto/aria/aria.c | 337 +- crypto/openssl/crypto/arm_arch.h | 165 +- crypto/openssl/crypto/armcap.c | 154 +- crypto/openssl/crypto/asn1/a_bitstr.c | 12 +- crypto/openssl/crypto/asn1/a_d2i_fp.c | 40 +- crypto/openssl/crypto/asn1/a_digest.c | 9 +- crypto/openssl/crypto/asn1/a_dup.c | 6 +- crypto/openssl/crypto/asn1/a_gentm.c | 8 +- crypto/openssl/crypto/asn1/a_i2d_fp.c | 4 +- crypto/openssl/crypto/asn1/a_int.c | 33 +- crypto/openssl/crypto/asn1/a_mbstr.c | 58 +- crypto/openssl/crypto/asn1/a_object.c | 32 +- crypto/openssl/crypto/asn1/a_octet.c | 4 +- crypto/openssl/crypto/asn1/a_print.c | 3 +- crypto/openssl/crypto/asn1/a_sign.c | 43 +- crypto/openssl/crypto/asn1/a_strex.c | 91 +- crypto/openssl/crypto/asn1/a_strnid.c | 16 +- crypto/openssl/crypto/asn1/a_time.c | 53 +- crypto/openssl/crypto/asn1/a_type.c | 12 +- crypto/openssl/crypto/asn1/a_utctm.c | 2 +- crypto/openssl/crypto/asn1/a_utf8.c | 4 +- crypto/openssl/crypto/asn1/a_verify.c | 27 +- crypto/openssl/crypto/asn1/ameth_lib.c | 172 +- crypto/openssl/crypto/asn1/asn1_err.c | 366 +- crypto/openssl/crypto/asn1/asn1_gen.c | 103 +- crypto/openssl/crypto/asn1/asn1_item_list.h | 4 +- crypto/openssl/crypto/asn1/asn1_lib.c | 12 +- crypto/openssl/crypto/asn1/asn1_local.h | 28 +- crypto/openssl/crypto/asn1/asn1_parse.c | 74 +- crypto/openssl/crypto/asn1/asn_mime.c | 123 +- crypto/openssl/crypto/asn1/asn_mstbl.c | 12 +- crypto/openssl/crypto/asn1/asn_pack.c | 4 +- crypto/openssl/crypto/asn1/bio_asn1.c | 44 +- crypto/openssl/crypto/asn1/bio_ndef.c | 17 +- crypto/openssl/crypto/asn1/d2i_param.c | 2 +- crypto/openssl/crypto/asn1/d2i_pr.c | 41 +- crypto/openssl/crypto/asn1/d2i_pu.c | 4 +- crypto/openssl/crypto/asn1/evp_asn1.c | 26 +- crypto/openssl/crypto/asn1/f_int.c | 7 +- crypto/openssl/crypto/asn1/f_string.c | 4 +- crypto/openssl/crypto/asn1/i2d_evp.c | 34 +- crypto/openssl/crypto/asn1/n_pkey.c | 23 +- crypto/openssl/crypto/asn1/nsseq.c | 6 +- crypto/openssl/crypto/asn1/p5_pbe.c | 19 +- crypto/openssl/crypto/asn1/p5_pbev2.c | 55 +- crypto/openssl/crypto/asn1/p5_scrypt.c | 67 +- crypto/openssl/crypto/asn1/p8_pkey.c | 22 +- crypto/openssl/crypto/asn1/standard_methods.h | 1 - crypto/openssl/crypto/asn1/t_bitst.c | 4 +- crypto/openssl/crypto/asn1/t_pkey.c | 19 +- crypto/openssl/crypto/asn1/t_spki.c | 6 +- crypto/openssl/crypto/asn1/tasn_dec.c | 227 +- crypto/openssl/crypto/asn1/tasn_enc.c | 56 +- crypto/openssl/crypto/asn1/tasn_new.c | 30 +- crypto/openssl/crypto/asn1/tasn_prn.c | 92 +- crypto/openssl/crypto/asn1/tasn_scn.c | 2 +- crypto/openssl/crypto/asn1/tasn_typ.c | 26 +- crypto/openssl/crypto/asn1/tasn_utl.c | 22 +- crypto/openssl/crypto/asn1/tbl_standard.h | 85 +- crypto/openssl/crypto/asn1/x_algor.c | 21 +- crypto/openssl/crypto/asn1/x_bignum.c | 29 +- crypto/openssl/crypto/asn1/x_int64.c | 87 +- crypto/openssl/crypto/asn1/x_long.c | 25 +- crypto/openssl/crypto/asn1/x_sig.c | 8 +- crypto/openssl/crypto/asn1/x_spki.c | 10 +- crypto/openssl/crypto/asn1/x_val.c | 4 +- crypto/openssl/crypto/asn1_dsa.c | 61 +- crypto/openssl/crypto/async/arch/async_null.c | 1 - crypto/openssl/crypto/async/arch/async_null.h | 13 +- crypto/openssl/crypto/async/arch/async_posix.c | 6 +- crypto/openssl/crypto/async/arch/async_posix.h | 51 +- crypto/openssl/crypto/async/arch/async_win.c | 10 +- crypto/openssl/crypto/async/arch/async_win.h | 30 +- crypto/openssl/crypto/async/async.c | 29 +- crypto/openssl/crypto/async/async_err.c | 16 +- crypto/openssl/crypto/async/async_local.h | 9 +- crypto/openssl/crypto/async/async_wait.c | 48 +- crypto/openssl/crypto/bf/bf_cfb64.c | 8 +- crypto/openssl/crypto/bf/bf_ecb.c | 2 +- crypto/openssl/crypto/bf/bf_enc.c | 12 +- crypto/openssl/crypto/bf/bf_local.h | 134 +- crypto/openssl/crypto/bf/bf_ofb64.c | 8 +- crypto/openssl/crypto/bf/bf_pi.h | 1548 +- crypto/openssl/crypto/bio/bf_buff.c | 23 +- crypto/openssl/crypto/bio/bf_lbuf.c | 20 +- crypto/openssl/crypto/bio/bf_prefix.c | 14 +- crypto/openssl/crypto/bio/bf_readbuff.c | 64 +- crypto/openssl/crypto/bio/bio_addr.c | 162 +- crypto/openssl/crypto/bio/bio_cb.c | 22 +- crypto/openssl/crypto/bio/bio_dump.c | 26 +- crypto/openssl/crypto/bio/bio_err.c | 114 +- crypto/openssl/crypto/bio/bio_lib.c | 46 +- crypto/openssl/crypto/bio/bio_local.h | 153 +- crypto/openssl/crypto/bio/bio_meth.c | 46 +- crypto/openssl/crypto/bio/bio_print.c | 173 +- crypto/openssl/crypto/bio/bio_sock.c | 213 +- crypto/openssl/crypto/bio/bio_sock2.c | 87 +- crypto/openssl/crypto/bio/bss_acpt.c | 140 +- crypto/openssl/crypto/bio/bss_bio.c | 68 +- crypto/openssl/crypto/bio/bss_conn.c | 192 +- crypto/openssl/crypto/bio/bss_core.c | 8 +- crypto/openssl/crypto/bio/bss_dgram.c | 833 +- crypto/openssl/crypto/bio/bss_fd.c | 46 +- crypto/openssl/crypto/bio/bss_file.c | 88 +- crypto/openssl/crypto/bio/bss_log.c | 206 +- crypto/openssl/crypto/bio/bss_mem.c | 14 +- crypto/openssl/crypto/bio/bss_null.c | 2 +- crypto/openssl/crypto/bio/bss_sock.c | 101 +- crypto/openssl/crypto/bio/ossl_core_bio.c | 4 +- crypto/openssl/crypto/bn/asm/armv4-gf2m.pl | 4 +- crypto/openssl/crypto/bn/asm/rsaz-avx512.pl | 4 +- crypto/openssl/crypto/bn/asm/sparcv9-mont.pl | 4 +- crypto/openssl/crypto/bn/asm/x86_64-gcc.c | 306 +- crypto/openssl/crypto/bn/bn_add.c | 3 +- crypto/openssl/crypto/bn/bn_asm.c | 457 +- crypto/openssl/crypto/bn/bn_blind.c | 35 +- crypto/openssl/crypto/bn/bn_const.c | 253 +- crypto/openssl/crypto/bn/bn_conv.c | 14 +- crypto/openssl/crypto/bn/bn_ctx.c | 37 +- crypto/openssl/crypto/bn/bn_depr.c | 16 +- crypto/openssl/crypto/bn/bn_dh.c | 1135 +- crypto/openssl/crypto/bn/bn_div.c | 160 +- crypto/openssl/crypto/bn/bn_err.c | 54 +- crypto/openssl/crypto/bn/bn_exp.c | 344 +- crypto/openssl/crypto/bn/bn_exp2.c | 29 +- crypto/openssl/crypto/bn/bn_gcd.c | 35 +- crypto/openssl/crypto/bn/bn_gf2m.c | 158 +- crypto/openssl/crypto/bn/bn_intern.c | 14 +- crypto/openssl/crypto/bn/bn_kron.c | 6 +- crypto/openssl/crypto/bn/bn_lib.c | 74 +- crypto/openssl/crypto/bn/bn_local.h | 820 +- crypto/openssl/crypto/bn/bn_mod.c | 20 +- crypto/openssl/crypto/bn/bn_mont.c | 69 +- crypto/openssl/crypto/bn/bn_mpi.c | 3 +- crypto/openssl/crypto/bn/bn_mul.c | 69 +- crypto/openssl/crypto/bn/bn_nist.c | 432 +- crypto/openssl/crypto/bn/bn_ppc.c | 8 +- crypto/openssl/crypto/bn/bn_prime.c | 70 +- crypto/openssl/crypto/bn/bn_print.c | 6 +- crypto/openssl/crypto/bn/bn_rand.c | 78 +- crypto/openssl/crypto/bn/bn_recp.c | 12 +- crypto/openssl/crypto/bn/bn_rsa_fips186_4.c | 45 +- crypto/openssl/crypto/bn/bn_shift.c | 8 +- crypto/openssl/crypto/bn/bn_sparc.c | 65 +- crypto/openssl/crypto/bn/bn_sqr.c | 16 +- crypto/openssl/crypto/bn/bn_sqrt.c | 13 +- crypto/openssl/crypto/bn/bn_srp.c | 26 +- crypto/openssl/crypto/bn/bn_word.c | 3 +- crypto/openssl/crypto/bn/bn_x931p.c | 25 +- crypto/openssl/crypto/bn/rsaz_exp.c | 40 +- crypto/openssl/crypto/bn/rsaz_exp.h | 67 +- crypto/openssl/crypto/bn/rsaz_exp_x2.c | 182 +- crypto/openssl/crypto/bsearch.c | 12 +- crypto/openssl/crypto/buffer/buf_err.c | 2 +- crypto/openssl/crypto/camellia/camellia.c | 426 +- crypto/openssl/crypto/camellia/cmll_cbc.c | 8 +- crypto/openssl/crypto/camellia/cmll_cfb.c | 18 +- crypto/openssl/crypto/camellia/cmll_ctr.c | 10 +- crypto/openssl/crypto/camellia/cmll_ecb.c | 2 +- crypto/openssl/crypto/camellia/cmll_local.h | 18 +- crypto/openssl/crypto/camellia/cmll_misc.c | 6 +- crypto/openssl/crypto/camellia/cmll_ofb.c | 6 +- crypto/openssl/crypto/cast/c_cfb64.c | 8 +- crypto/openssl/crypto/cast/c_ecb.c | 2 +- crypto/openssl/crypto/cast/c_enc.c | 4 +- crypto/openssl/crypto/cast/c_ofb64.c | 8 +- crypto/openssl/crypto/cast/c_skey.c | 15 +- crypto/openssl/crypto/cast/cast_local.h | 321 +- crypto/openssl/crypto/cast/cast_s.h | 2560 +- crypto/openssl/crypto/chacha/chacha_enc.c | 45 +- crypto/openssl/crypto/chacha/chacha_ppc.c | 24 +- crypto/openssl/crypto/cmac/cmac.c | 3 +- crypto/openssl/crypto/cmp/cmp_asn.c | 189 +- crypto/openssl/crypto/cmp/cmp_client.c | 207 +- crypto/openssl/crypto/cmp/cmp_ctx.c | 208 +- crypto/openssl/crypto/cmp/cmp_err.c | 302 +- crypto/openssl/crypto/cmp/cmp_hdr.c | 50 +- crypto/openssl/crypto/cmp/cmp_http.c | 36 +- crypto/openssl/crypto/cmp/cmp_local.h | 212 +- crypto/openssl/crypto/cmp/cmp_msg.c | 275 +- crypto/openssl/crypto/cmp/cmp_protect.c | 48 +- crypto/openssl/crypto/cmp/cmp_server.c | 128 +- crypto/openssl/crypto/cmp/cmp_status.c | 59 +- crypto/openssl/crypto/cmp/cmp_util.c | 76 +- crypto/openssl/crypto/cmp/cmp_vfy.c | 200 +- crypto/openssl/crypto/cms/cms_asn1.c | 301 +- crypto/openssl/crypto/cms/cms_att.c | 88 +- crypto/openssl/crypto/cms/cms_cd.c | 8 +- crypto/openssl/crypto/cms/cms_dd.c | 13 +- crypto/openssl/crypto/cms/cms_dh.c | 43 +- crypto/openssl/crypto/cms/cms_ec.c | 42 +- crypto/openssl/crypto/cms/cms_enc.c | 32 +- crypto/openssl/crypto/cms/cms_env.c | 192 +- crypto/openssl/crypto/cms/cms_err.c | 304 +- crypto/openssl/crypto/cms/cms_ess.c | 59 +- crypto/openssl/crypto/cms/cms_io.c | 30 +- crypto/openssl/crypto/cms/cms_kari.c | 110 +- crypto/openssl/crypto/cms/cms_lib.c | 41 +- crypto/openssl/crypto/cms/cms_local.h | 86 +- crypto/openssl/crypto/cms/cms_pwri.c | 66 +- crypto/openssl/crypto/cms/cms_rsa.c | 43 +- crypto/openssl/crypto/cms/cms_sd.c | 152 +- crypto/openssl/crypto/cms/cms_smime.c | 143 +- crypto/openssl/crypto/comp/c_zlib.c | 174 +- crypto/openssl/crypto/comp/comp_err.c | 22 +- crypto/openssl/crypto/comp/comp_lib.c | 6 +- crypto/openssl/crypto/comp/comp_local.h | 22 +- crypto/openssl/crypto/conf/conf_api.c | 6 +- crypto/openssl/crypto/conf/conf_def.c | 78 +- crypto/openssl/crypto/conf/conf_err.c | 90 +- crypto/openssl/crypto/conf/conf_lib.c | 27 +- crypto/openssl/crypto/conf/conf_mod.c | 67 +- crypto/openssl/crypto/conf/conf_sap.c | 6 +- crypto/openssl/crypto/conf/conf_ssl.c | 13 +- crypto/openssl/crypto/context.c | 38 +- crypto/openssl/crypto/core_algorithm.c | 52 +- crypto/openssl/crypto/core_fetch.c | 34 +- crypto/openssl/crypto/core_namemap.c | 75 +- crypto/openssl/crypto/cpt_err.c | 82 +- crypto/openssl/crypto/cpuid.c | 41 +- crypto/openssl/crypto/crmf/crmf_asn.c | 81 +- crypto/openssl/crypto/crmf/crmf_err.c | 88 +- crypto/openssl/crypto/crmf/crmf_lib.c | 236 +- crypto/openssl/crypto/crmf/crmf_local.h | 25 +- crypto/openssl/crypto/crmf/crmf_pbm.c | 29 +- crypto/openssl/crypto/cryptlib.c | 112 +- crypto/openssl/crypto/ct/ct_b64.c | 16 +- crypto/openssl/crypto/ct/ct_err.c | 62 +- crypto/openssl/crypto/ct/ct_local.h | 97 +- crypto/openssl/crypto/ct/ct_log.c | 27 +- crypto/openssl/crypto/ct/ct_oct.c | 22 +- crypto/openssl/crypto/ct/ct_policy.c | 13 +- crypto/openssl/crypto/ct/ct_prn.c | 16 +- crypto/openssl/crypto/ct/ct_sct.c | 11 +- crypto/openssl/crypto/ct/ct_sct_ctx.c | 13 +- crypto/openssl/crypto/ct/ct_vfy.c | 9 +- crypto/openssl/crypto/ct/ct_x509v3.c | 62 +- crypto/openssl/crypto/ctype.c | 414 +- crypto/openssl/crypto/der_writer.c | 23 +- crypto/openssl/crypto/des/cbc_cksm.c | 4 +- crypto/openssl/crypto/des/cbc_enc.c | 2 + crypto/openssl/crypto/des/cfb64ede.c | 16 +- crypto/openssl/crypto/des/cfb64enc.c | 8 +- crypto/openssl/crypto/des/cfb_enc.c | 13 +- crypto/openssl/crypto/des/des_enc.c | 144 +- crypto/openssl/crypto/des/des_local.h | 381 +- crypto/openssl/crypto/des/ecb3_enc.c | 4 +- crypto/openssl/crypto/des/ecb_enc.c | 3 +- crypto/openssl/crypto/des/fcrypt.c | 154 +- crypto/openssl/crypto/des/fcrypt_b.c | 52 +- crypto/openssl/crypto/des/ncbc_enc.c | 6 +- crypto/openssl/crypto/des/ofb64ede.c | 10 +- crypto/openssl/crypto/des/ofb64enc.c | 8 +- crypto/openssl/crypto/des/ofb_enc.c | 8 +- crypto/openssl/crypto/des/pcbc_enc.c | 4 +- crypto/openssl/crypto/des/qud_cksm.c | 22 +- crypto/openssl/crypto/des/set_key.c | 725 +- crypto/openssl/crypto/des/spr.h | 640 +- crypto/openssl/crypto/des/xcbc_enc.c | 6 +- crypto/openssl/crypto/dh/dh_ameth.c | 48 +- crypto/openssl/crypto/dh/dh_asn1.c | 38 +- crypto/openssl/crypto/dh/dh_backend.c | 21 +- crypto/openssl/crypto/dh/dh_check.c | 8 +- crypto/openssl/crypto/dh/dh_depr.c | 2 +- crypto/openssl/crypto/dh/dh_err.c | 92 +- crypto/openssl/crypto/dh/dh_gen.c | 18 +- crypto/openssl/crypto/dh/dh_group_params.c | 5 +- crypto/openssl/crypto/dh/dh_kdf.c | 26 +- crypto/openssl/crypto/dh/dh_key.c | 59 +- crypto/openssl/crypto/dh/dh_lib.c | 16 +- crypto/openssl/crypto/dh/dh_local.h | 24 +- crypto/openssl/crypto/dh/dh_meth.c | 28 +- crypto/openssl/crypto/dh/dh_pmeth.c | 53 +- crypto/openssl/crypto/dh/dh_rfc5114.c | 34 +- crypto/openssl/crypto/dllmain.c | 7 +- crypto/openssl/crypto/dsa/dsa_ameth.c | 157 +- crypto/openssl/crypto/dsa/dsa_asn1.c | 30 +- crypto/openssl/crypto/dsa/dsa_backend.c | 24 +- crypto/openssl/crypto/dsa/dsa_check.c | 8 +- crypto/openssl/crypto/dsa/dsa_depr.c | 10 +- crypto/openssl/crypto/dsa/dsa_err.c | 50 +- crypto/openssl/crypto/dsa/dsa_gen.c | 24 +- crypto/openssl/crypto/dsa/dsa_key.c | 18 +- crypto/openssl/crypto/dsa/dsa_lib.c | 19 +- crypto/openssl/crypto/dsa/dsa_local.h | 38 +- crypto/openssl/crypto/dsa/dsa_meth.c | 52 +- crypto/openssl/crypto/dsa/dsa_ossl.c | 70 +- crypto/openssl/crypto/dsa/dsa_pmeth.c | 39 +- crypto/openssl/crypto/dsa/dsa_sign.c | 14 +- crypto/openssl/crypto/dsa/dsa_vrf.c | 2 +- crypto/openssl/crypto/dso/dso_dl.c | 59 +- crypto/openssl/crypto/dso/dso_dlfcn.c | 132 +- crypto/openssl/crypto/dso/dso_err.c | 56 +- crypto/openssl/crypto/dso/dso_lib.c | 8 +- crypto/openssl/crypto/dso/dso_local.h | 16 +- crypto/openssl/crypto/dso/dso_vms.c | 162 +- crypto/openssl/crypto/dso/dso_win32.c | 160 +- crypto/openssl/crypto/ebcdic.c | 110 +- crypto/openssl/crypto/ec/curve25519.c | 5131 ++-- .../crypto/ec/curve448/arch_32/arch_intrinsics.h | 8 +- crypto/openssl/crypto/ec/curve448/arch_32/f_impl.h | 18 +- .../openssl/crypto/ec/curve448/arch_32/f_impl32.c | 10 +- .../crypto/ec/curve448/arch_64/arch_intrinsics.h | 12 +- crypto/openssl/crypto/ec/curve448/arch_64/f_impl.h | 15 +- .../openssl/crypto/ec/curve448/arch_64/f_impl64.c | 8 +- crypto/openssl/crypto/ec/curve448/curve448.c | 222 +- crypto/openssl/crypto/ec/curve448/curve448_local.h | 22 +- .../openssl/crypto/ec/curve448/curve448_tables.c | 3028 +-- crypto/openssl/crypto/ec/curve448/curve448utils.h | 44 +- crypto/openssl/crypto/ec/curve448/ed448.h | 102 +- crypto/openssl/crypto/ec/curve448/eddsa.c | 232 +- crypto/openssl/crypto/ec/curve448/f_generic.c | 25 +- crypto/openssl/crypto/ec/curve448/field.h | 87 +- crypto/openssl/crypto/ec/curve448/point_448.h | 101 +- crypto/openssl/crypto/ec/curve448/scalar.c | 82 +- crypto/openssl/crypto/ec/curve448/word.h | 48 +- crypto/openssl/crypto/ec/ec2_oct.c | 34 +- crypto/openssl/crypto/ec/ec2_smpl.c | 122 +- crypto/openssl/crypto/ec/ec_ameth.c | 89 +- crypto/openssl/crypto/ec/ec_asn1.c | 150 +- crypto/openssl/crypto/ec/ec_backend.c | 93 +- crypto/openssl/crypto/ec/ec_check.c | 14 +- crypto/openssl/crypto/ec/ec_curve.c | 1560 +- crypto/openssl/crypto/ec/ec_cvt.c | 4 +- crypto/openssl/crypto/ec/ec_deprecated.c | 8 +- crypto/openssl/crypto/ec/ec_err.c | 212 +- crypto/openssl/crypto/ec/ec_key.c | 44 +- crypto/openssl/crypto/ec/ec_kmeth.c | 147 +- crypto/openssl/crypto/ec/ec_lib.c | 188 +- crypto/openssl/crypto/ec/ec_local.h | 496 +- crypto/openssl/crypto/ec/ec_mult.c | 113 +- crypto/openssl/crypto/ec/ec_oct.c | 34 +- crypto/openssl/crypto/ec/ec_pmeth.c | 29 +- crypto/openssl/crypto/ec/ec_print.c | 6 +- crypto/openssl/crypto/ec/ecdh_kdf.c | 22 +- crypto/openssl/crypto/ec/ecdh_ossl.c | 9 +- crypto/openssl/crypto/ec/ecdsa_ossl.c | 51 +- crypto/openssl/crypto/ec/ecdsa_sign.c | 13 +- crypto/openssl/crypto/ec/ecdsa_vrf.c | 6 +- crypto/openssl/crypto/ec/eck_prn.c | 23 +- crypto/openssl/crypto/ec/ecp_mont.c | 32 +- crypto/openssl/crypto/ec/ecp_nist.c | 28 +- crypto/openssl/crypto/ec/ecp_nistp224.c | 602 +- crypto/openssl/crypto/ec/ecp_nistp256.c | 789 +- crypto/openssl/crypto/ec/ecp_nistp521.c | 940 +- crypto/openssl/crypto/ec/ecp_nistputil.c | 62 +- crypto/openssl/crypto/ec/ecp_nistz256.c | 363 +- crypto/openssl/crypto/ec/ecp_nistz256_table.c | 24407 +++++++++++-------- crypto/openssl/crypto/ec/ecp_oct.c | 31 +- crypto/openssl/crypto/ec/ecp_ppc.c | 8 +- crypto/openssl/crypto/ec/ecp_s390x_nistp.c | 323 +- crypto/openssl/crypto/ec/ecp_smpl.c | 169 +- crypto/openssl/crypto/ec/ecx_backend.c | 32 +- crypto/openssl/crypto/ec/ecx_backend.h | 18 +- crypto/openssl/crypto/ec/ecx_key.c | 2 +- crypto/openssl/crypto/ec/ecx_meth.c | 229 +- crypto/openssl/crypto/ec/ecx_s390x.c | 28 +- crypto/openssl/crypto/encode_decode/decoder_err.c | 14 +- crypto/openssl/crypto/encode_decode/decoder_lib.c | 363 +- crypto/openssl/crypto/encode_decode/decoder_meth.c | 90 +- crypto/openssl/crypto/encode_decode/decoder_pkey.c | 173 +- crypto/openssl/crypto/encode_decode/encoder_err.c | 14 +- crypto/openssl/crypto/encode_decode/encoder_lib.c | 218 +- .../openssl/crypto/encode_decode/encoder_local.h | 12 +- crypto/openssl/crypto/encode_decode/encoder_meth.c | 100 +- crypto/openssl/crypto/encode_decode/encoder_pkey.c | 98 +- crypto/openssl/crypto/engine/eng_all.c | 4 +- crypto/openssl/crypto/engine/eng_cnf.c | 13 +- crypto/openssl/crypto/engine/eng_ctrl.c | 28 +- crypto/openssl/crypto/engine/eng_dyn.c | 116 +- crypto/openssl/crypto/engine/eng_err.c | 128 +- crypto/openssl/crypto/engine/eng_fat.c | 2 +- crypto/openssl/crypto/engine/eng_lib.c | 4 +- crypto/openssl/crypto/engine/eng_list.c | 13 +- crypto/openssl/crypto/engine/eng_local.h | 48 +- crypto/openssl/crypto/engine/eng_openssl.c | 126 +- crypto/openssl/crypto/engine/eng_pkey.c | 20 +- crypto/openssl/crypto/engine/eng_rdrand.c | 30 +- crypto/openssl/crypto/engine/eng_table.c | 46 +- crypto/openssl/crypto/engine/tb_asnmth.c | 22 +- crypto/openssl/crypto/engine/tb_cipher.c | 10 +- crypto/openssl/crypto/engine/tb_dh.c | 10 +- crypto/openssl/crypto/engine/tb_digest.c | 10 +- crypto/openssl/crypto/engine/tb_dsa.c | 10 +- crypto/openssl/crypto/engine/tb_eckey.c | 10 +- crypto/openssl/crypto/engine/tb_pkmeth.c | 10 +- crypto/openssl/crypto/engine/tb_rand.c | 10 +- crypto/openssl/crypto/engine/tb_rsa.c | 10 +- crypto/openssl/crypto/err/err.c | 238 +- crypto/openssl/crypto/err/err_all.c | 48 +- crypto/openssl/crypto/err/err_all_legacy.c | 112 +- crypto/openssl/crypto/err/err_local.h | 15 +- crypto/openssl/crypto/err/err_prn.c | 12 +- crypto/openssl/crypto/ess/ess_asn1.c | 24 +- crypto/openssl/crypto/ess/ess_err.c | 38 +- crypto/openssl/crypto/ess/ess_lib.c | 51 +- crypto/openssl/crypto/evp/asymcipher.c | 93 +- crypto/openssl/crypto/evp/bio_b64.c | 69 +- crypto/openssl/crypto/evp/bio_enc.c | 56 +- crypto/openssl/crypto/evp/bio_md.c | 8 +- crypto/openssl/crypto/evp/bio_ok.c | 72 +- crypto/openssl/crypto/evp/c_allc.c | 8 +- crypto/openssl/crypto/evp/cmeth_lib.c | 57 +- crypto/openssl/crypto/evp/ctrl_params_translate.c | 1357 +- crypto/openssl/crypto/evp/dh_ctrl.c | 46 +- crypto/openssl/crypto/evp/dh_support.c | 15 +- crypto/openssl/crypto/evp/digest.c | 161 +- crypto/openssl/crypto/evp/dsa_ctrl.c | 18 +- crypto/openssl/crypto/evp/e_aes.c | 1624 +- crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c | 447 +- crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha256.c | 440 +- crypto/openssl/crypto/evp/e_aria.c | 358 +- crypto/openssl/crypto/evp/e_bf.c | 20 +- crypto/openssl/crypto/evp/e_camellia.c | 240 +- crypto/openssl/crypto/evp/e_cast.c | 22 +- crypto/openssl/crypto/evp/e_chacha20_poly1305.c | 268 +- crypto/openssl/crypto/evp/e_des.c | 128 +- crypto/openssl/crypto/evp/e_des3.c | 192 +- crypto/openssl/crypto/evp/e_idea.c | 34 +- crypto/openssl/crypto/evp/e_null.c | 8 +- crypto/openssl/crypto/evp/e_old.c | 16 +- crypto/openssl/crypto/evp/e_rc2.c | 53 +- crypto/openssl/crypto/evp/e_rc4.c | 22 +- crypto/openssl/crypto/evp/e_rc4_hmac_md5.c | 161 +- crypto/openssl/crypto/evp/e_rc5.c | 26 +- crypto/openssl/crypto/evp/e_seed.c | 10 +- crypto/openssl/crypto/evp/e_sm4.c | 44 +- crypto/openssl/crypto/evp/e_xcbc_d.c | 34 +- crypto/openssl/crypto/evp/ec_ctrl.c | 39 +- crypto/openssl/crypto/evp/ec_support.c | 194 +- crypto/openssl/crypto/evp/encode.c | 342 +- crypto/openssl/crypto/evp/evp_cnf.c | 7 +- crypto/openssl/crypto/evp/evp_enc.c | 265 +- crypto/openssl/crypto/evp/evp_err.c | 358 +- crypto/openssl/crypto/evp/evp_fetch.c | 175 +- crypto/openssl/crypto/evp/evp_key.c | 22 +- crypto/openssl/crypto/evp/evp_lib.c | 174 +- crypto/openssl/crypto/evp/evp_local.h | 183 +- crypto/openssl/crypto/evp/evp_pbe.c | 124 +- crypto/openssl/crypto/evp/evp_pkey.c | 40 +- crypto/openssl/crypto/evp/evp_rand.c | 115 +- crypto/openssl/crypto/evp/evp_utils.c | 70 +- crypto/openssl/crypto/evp/exchange.c | 115 +- crypto/openssl/crypto/evp/kdf_lib.c | 10 +- crypto/openssl/crypto/evp/kdf_meth.c | 27 +- crypto/openssl/crypto/evp/kem.c | 67 +- crypto/openssl/crypto/evp/keymgmt_lib.c | 72 +- crypto/openssl/crypto/evp/keymgmt_meth.c | 102 +- crypto/openssl/crypto/evp/legacy_blake2.c | 6 +- crypto/openssl/crypto/evp/legacy_md5_sha1.c | 6 +- crypto/openssl/crypto/evp/legacy_mdc2.c | 2 +- crypto/openssl/crypto/evp/legacy_meth.h | 55 +- crypto/openssl/crypto/evp/legacy_ripemd.c | 2 +- crypto/openssl/crypto/evp/legacy_sha.c | 130 +- crypto/openssl/crypto/evp/legacy_wp.c | 2 +- crypto/openssl/crypto/evp/m_sigver.c | 164 +- crypto/openssl/crypto/evp/mac_lib.c | 37 +- crypto/openssl/crypto/evp/mac_meth.c | 27 +- crypto/openssl/crypto/evp/names.c | 50 +- crypto/openssl/crypto/evp/p5_crpt.c | 24 +- crypto/openssl/crypto/evp/p5_crpt2.c | 69 +- crypto/openssl/crypto/evp/p_dec.c | 7 +- crypto/openssl/crypto/evp/p_enc.c | 7 +- crypto/openssl/crypto/evp/p_lib.c | 569 +- crypto/openssl/crypto/evp/p_open.c | 6 +- crypto/openssl/crypto/evp/p_seal.c | 13 +- crypto/openssl/crypto/evp/p_sign.c | 8 +- crypto/openssl/crypto/evp/p_verify.c | 8 +- crypto/openssl/crypto/evp/pbe_scrypt.c | 32 +- crypto/openssl/crypto/evp/pmeth_check.c | 25 +- crypto/openssl/crypto/evp/pmeth_gn.c | 61 +- crypto/openssl/crypto/evp/pmeth_lib.c | 726 +- crypto/openssl/crypto/evp/signature.c | 127 +- crypto/openssl/crypto/ex_data.c | 45 +- crypto/openssl/crypto/ffc/ffc_backend.c | 16 +- crypto/openssl/crypto/ffc/ffc_dh.c | 64 +- crypto/openssl/crypto/ffc/ffc_key_generate.c | 2 +- crypto/openssl/crypto/ffc/ffc_key_validate.c | 10 +- crypto/openssl/crypto/ffc/ffc_params.c | 62 +- crypto/openssl/crypto/ffc/ffc_params_generate.c | 186 +- crypto/openssl/crypto/ffc/ffc_params_validate.c | 46 +- crypto/openssl/crypto/getenv.c | 18 +- crypto/openssl/crypto/hmac/hmac.c | 32 +- crypto/openssl/crypto/hmac/hmac_local.h | 4 +- crypto/openssl/crypto/http/http_client.c | 330 +- crypto/openssl/crypto/http/http_err.c | 106 +- crypto/openssl/crypto/http/http_lib.c | 46 +- crypto/openssl/crypto/idea/i_cbc.c | 4 +- crypto/openssl/crypto/idea/i_cfb64.c | 7 +- crypto/openssl/crypto/idea/i_ecb.c | 2 +- crypto/openssl/crypto/idea/i_ofb64.c | 7 +- crypto/openssl/crypto/idea/idea_local.h | 179 +- crypto/openssl/crypto/info.c | 169 +- crypto/openssl/crypto/init.c | 162 +- crypto/openssl/crypto/initthread.c | 19 +- crypto/openssl/crypto/lhash/lh_stats.c | 14 +- crypto/openssl/crypto/lhash/lhash.c | 23 +- crypto/openssl/crypto/lhash/lhash_local.h | 4 +- crypto/openssl/crypto/md2/md2_dgst.c | 296 +- crypto/openssl/crypto/md4/md4_dgst.c | 16 +- crypto/openssl/crypto/md4/md4_local.h | 63 +- crypto/openssl/crypto/md4/md4_one.c | 2 +- crypto/openssl/crypto/md5/md5_dgst.c | 16 +- crypto/openssl/crypto/md5/md5_local.h | 96 +- crypto/openssl/crypto/md5/md5_one.c | 2 +- crypto/openssl/crypto/mdc2/mdc2dgst.c | 16 +- crypto/openssl/crypto/mem.c | 95 +- crypto/openssl/crypto/mem_sec.c | 131 +- crypto/openssl/crypto/mips_arch.h | 48 +- crypto/openssl/crypto/modes/asm/ghash-armv4.pl | 4 +- crypto/openssl/crypto/modes/cbc128.c | 38 +- crypto/openssl/crypto/modes/ccm128.c | 108 +- crypto/openssl/crypto/modes/cfb128.c | 64 +- crypto/openssl/crypto/modes/ctr128.c | 38 +- crypto/openssl/crypto/modes/cts128.c | 86 +- crypto/openssl/crypto/modes/gcm128.c | 638 +- crypto/openssl/crypto/modes/ocb128.c | 67 +- crypto/openssl/crypto/modes/ofb128.c | 20 +- crypto/openssl/crypto/modes/siv128.c | 61 +- crypto/openssl/crypto/modes/wrap128.c | 49 +- crypto/openssl/crypto/modes/xts128.c | 22 +- crypto/openssl/crypto/o_dir.c | 2 + crypto/openssl/crypto/o_fopen.c | 46 +- crypto/openssl/crypto/o_str.c | 90 +- crypto/openssl/crypto/o_time.c | 20 +- crypto/openssl/crypto/objects/o_names.c | 44 +- crypto/openssl/crypto/objects/obj_compat.h | 62 +- crypto/openssl/crypto/objects/obj_dat.c | 38 +- crypto/openssl/crypto/objects/obj_dat.h | 2 +- crypto/openssl/crypto/objects/obj_err.c | 10 +- crypto/openssl/crypto/objects/obj_lib.c | 6 +- crypto/openssl/crypto/ocsp/ocsp_asn.c | 90 +- crypto/openssl/crypto/ocsp/ocsp_cl.c | 42 +- crypto/openssl/crypto/ocsp/ocsp_err.c | 90 +- crypto/openssl/crypto/ocsp/ocsp_ext.c | 77 +- crypto/openssl/crypto/ocsp/ocsp_http.c | 16 +- crypto/openssl/crypto/ocsp/ocsp_lib.c | 12 +- crypto/openssl/crypto/ocsp/ocsp_local.h | 94 +- crypto/openssl/crypto/ocsp/ocsp_prn.c | 61 +- crypto/openssl/crypto/ocsp/ocsp_srv.c | 61 +- crypto/openssl/crypto/ocsp/ocsp_vfy.c | 50 +- crypto/openssl/crypto/ocsp/v3_ocsp.c | 60 +- crypto/openssl/crypto/packet.c | 48 +- crypto/openssl/crypto/param_build.c | 162 +- crypto/openssl/crypto/param_build_set.c | 20 +- crypto/openssl/crypto/params.c | 153 +- crypto/openssl/crypto/params_dup.c | 39 +- crypto/openssl/crypto/params_from_text.c | 24 +- crypto/openssl/crypto/passphrase.c | 73 +- crypto/openssl/crypto/pem/pem_all.c | 35 +- crypto/openssl/crypto/pem/pem_err.c | 90 +- crypto/openssl/crypto/pem/pem_info.c | 61 +- crypto/openssl/crypto/pem/pem_lib.c | 122 +- crypto/openssl/crypto/pem/pem_local.h | 145 +- crypto/openssl/crypto/pem/pem_oth.c | 2 +- crypto/openssl/crypto/pem/pem_pk8.c | 74 +- crypto/openssl/crypto/pem/pem_pkey.c | 115 +- crypto/openssl/crypto/pem/pem_sign.c | 6 +- crypto/openssl/crypto/pem/pvkfmt.c | 112 +- crypto/openssl/crypto/perlasm/sparcv9_modes.pl | 10 +- crypto/openssl/crypto/perlasm/x86_64-xlate.pl | 5 +- crypto/openssl/crypto/pkcs12/p12_add.c | 45 +- crypto/openssl/crypto/pkcs12/p12_asn.c | 46 +- crypto/openssl/crypto/pkcs12/p12_attr.c | 33 +- crypto/openssl/crypto/pkcs12/p12_crpt.c | 25 +- crypto/openssl/crypto/pkcs12/p12_crt.c | 86 +- crypto/openssl/crypto/pkcs12/p12_decr.c | 81 +- crypto/openssl/crypto/pkcs12/p12_init.c | 3 +- crypto/openssl/crypto/pkcs12/p12_key.c | 58 +- crypto/openssl/crypto/pkcs12/p12_kiss.c | 31 +- crypto/openssl/crypto/pkcs12/p12_local.h | 6 +- crypto/openssl/crypto/pkcs12/p12_mutl.c | 59 +- crypto/openssl/crypto/pkcs12/p12_npas.c | 20 +- crypto/openssl/crypto/pkcs12/p12_p8d.c | 11 +- crypto/openssl/crypto/pkcs12/p12_p8e.c | 31 +- crypto/openssl/crypto/pkcs12/p12_sbag.c | 97 +- crypto/openssl/crypto/pkcs12/p12_utl.c | 83 +- crypto/openssl/crypto/pkcs12/pk12err.c | 64 +- crypto/openssl/crypto/pkcs7/bio_pk7.c | 2 +- crypto/openssl/crypto/pkcs7/pk7_asn1.c | 125 +- crypto/openssl/crypto/pkcs7/pk7_attr.c | 16 +- crypto/openssl/crypto/pkcs7/pk7_doit.c | 121 +- crypto/openssl/crypto/pkcs7/pk7_lib.c | 60 +- crypto/openssl/crypto/pkcs7/pk7_mime.c | 12 +- crypto/openssl/crypto/pkcs7/pk7_smime.c | 59 +- crypto/openssl/crypto/pkcs7/pkcs7err.c | 138 +- crypto/openssl/crypto/poly1305/poly1305.c | 102 +- crypto/openssl/crypto/poly1305/poly1305_base2_44.c | 29 +- crypto/openssl/crypto/poly1305/poly1305_ieee754.c | 279 +- crypto/openssl/crypto/poly1305/poly1305_ppc.c | 24 +- crypto/openssl/crypto/ppccap.c | 110 +- crypto/openssl/crypto/property/defn_cache.c | 19 +- crypto/openssl/crypto/property/property.c | 80 +- crypto/openssl/crypto/property/property_err.c | 36 +- crypto/openssl/crypto/property/property_local.h | 18 +- crypto/openssl/crypto/property/property_parse.c | 139 +- crypto/openssl/crypto/property/property_query.c | 22 +- crypto/openssl/crypto/property/property_string.c | 37 +- crypto/openssl/crypto/provider.c | 24 +- crypto/openssl/crypto/provider_child.c | 55 +- crypto/openssl/crypto/provider_conf.c | 56 +- crypto/openssl/crypto/provider_core.c | 267 +- crypto/openssl/crypto/provider_local.h | 8 +- crypto/openssl/crypto/provider_predefined.c | 4 +- crypto/openssl/crypto/punycode.c | 27 +- crypto/openssl/crypto/rand/prov_seed.c | 18 +- crypto/openssl/crypto/rand/rand_deprecated.c | 8 +- crypto/openssl/crypto/rand/rand_egd.c | 103 +- crypto/openssl/crypto/rand/rand_err.c | 156 +- crypto/openssl/crypto/rand/rand_lib.c | 182 +- crypto/openssl/crypto/rand/rand_local.h | 30 +- crypto/openssl/crypto/rand/rand_meth.c | 2 +- crypto/openssl/crypto/rand/rand_pool.c | 15 +- crypto/openssl/crypto/rand/randfile.c | 97 +- crypto/openssl/crypto/rc2/rc2_cbc.c | 30 +- crypto/openssl/crypto/rc2/rc2_ecb.c | 2 +- crypto/openssl/crypto/rc2/rc2_local.h | 250 +- crypto/openssl/crypto/rc2/rc2_skey.c | 284 +- crypto/openssl/crypto/rc2/rc2cfb64.c | 8 +- crypto/openssl/crypto/rc2/rc2ofb64.c | 8 +- crypto/openssl/crypto/rc4/rc4_enc.c | 16 +- crypto/openssl/crypto/rc4/rc4_local.h | 6 +- crypto/openssl/crypto/rc4/rc4_skey.c | 15 +- crypto/openssl/crypto/rc5/rc5_ecb.c | 2 +- crypto/openssl/crypto/rc5/rc5_enc.c | 4 +- crypto/openssl/crypto/rc5/rc5_local.h | 330 +- crypto/openssl/crypto/rc5/rc5_skey.c | 5 +- crypto/openssl/crypto/rc5/rc5cfb64.c | 8 +- crypto/openssl/crypto/rc5/rc5ofb64.c | 8 +- crypto/openssl/crypto/ripemd/rmd_dgst.c | 19 +- crypto/openssl/crypto/ripemd/rmd_local.h | 112 +- crypto/openssl/crypto/ripemd/rmdconst.h | 360 +- crypto/openssl/crypto/rsa/rsa_acvp_test_params.c | 29 +- crypto/openssl/crypto/rsa/rsa_ameth.c | 274 +- crypto/openssl/crypto/rsa/rsa_asn1.c | 51 +- crypto/openssl/crypto/rsa/rsa_backend.c | 119 +- crypto/openssl/crypto/rsa/rsa_chk.c | 12 +- crypto/openssl/crypto/rsa/rsa_crpt.c | 18 +- crypto/openssl/crypto/rsa/rsa_depr.c | 4 +- crypto/openssl/crypto/rsa/rsa_err.c | 274 +- crypto/openssl/crypto/rsa/rsa_gen.c | 45 +- crypto/openssl/crypto/rsa/rsa_lib.c | 159 +- crypto/openssl/crypto/rsa/rsa_local.h | 72 +- crypto/openssl/crypto/rsa/rsa_meth.c | 132 +- crypto/openssl/crypto/rsa/rsa_mp.c | 4 +- crypto/openssl/crypto/rsa/rsa_none.c | 4 +- crypto/openssl/crypto/rsa/rsa_oaep.c | 52 +- crypto/openssl/crypto/rsa/rsa_ossl.c | 126 +- crypto/openssl/crypto/rsa/rsa_pk1.c | 72 +- crypto/openssl/crypto/rsa/rsa_pmeth.c | 104 +- crypto/openssl/crypto/rsa/rsa_pss.c | 64 +- crypto/openssl/crypto/rsa/rsa_saos.c | 17 +- crypto/openssl/crypto/rsa/rsa_schemes.c | 22 +- crypto/openssl/crypto/rsa/rsa_sign.c | 243 +- crypto/openssl/crypto/rsa/rsa_sp800_56b_check.c | 121 +- crypto/openssl/crypto/rsa/rsa_sp800_56b_gen.c | 24 +- crypto/openssl/crypto/rsa/rsa_x931.c | 5 +- crypto/openssl/crypto/rsa/rsa_x931g.c | 32 +- crypto/openssl/crypto/s390x_arch.h | 178 +- crypto/openssl/crypto/s390xcap.c | 704 +- crypto/openssl/crypto/s390xcpuid.pl | 8 +- crypto/openssl/crypto/seed/seed.c | 752 +- crypto/openssl/crypto/seed/seed_cbc.c | 8 +- crypto/openssl/crypto/seed/seed_cfb.c | 8 +- crypto/openssl/crypto/seed/seed_ecb.c | 2 +- crypto/openssl/crypto/seed/seed_local.h | 123 +- crypto/openssl/crypto/seed/seed_ofb.c | 6 +- crypto/openssl/crypto/self_test_core.c | 32 +- crypto/openssl/crypto/sha/asm/keccak1600-s390x.pl | 3 +- crypto/openssl/crypto/sha/keccak1600.c | 271 +- crypto/openssl/crypto/sha/sha256.c | 120 +- crypto/openssl/crypto/sha/sha3.c | 2 +- crypto/openssl/crypto/sha/sha512.c | 219 +- crypto/openssl/crypto/sha/sha_local.h | 251 +- crypto/openssl/crypto/sha/sha_ppc.c | 6 +- crypto/openssl/crypto/siphash/siphash.c | 61 +- crypto/openssl/crypto/sm2/sm2_crypt.c | 80 +- crypto/openssl/crypto/sm2/sm2_err.c | 42 +- crypto/openssl/crypto/sm2/sm2_key.c | 8 +- crypto/openssl/crypto/sm2/sm2_sign.c | 142 +- crypto/openssl/crypto/sm3/legacy_sm3.c | 3 +- crypto/openssl/crypto/sm3/sm3.c | 6 +- crypto/openssl/crypto/sm3/sm3_local.h | 90 +- crypto/openssl/crypto/sm4/sm4.c | 42 +- crypto/openssl/crypto/sparcv9cap.c | 85 +- crypto/openssl/crypto/sparse_array.c | 28 +- crypto/openssl/crypto/srp/srp_lib.c | 71 +- crypto/openssl/crypto/srp/srp_vfy.c | 117 +- crypto/openssl/crypto/stack/stack.c | 25 +- crypto/openssl/crypto/store/store_err.c | 92 +- crypto/openssl/crypto/store/store_lib.c | 217 +- crypto/openssl/crypto/store/store_local.h | 24 +- crypto/openssl/crypto/store/store_meth.c | 74 +- crypto/openssl/crypto/store/store_register.c | 52 +- crypto/openssl/crypto/store/store_result.c | 114 +- crypto/openssl/crypto/store/store_strings.c | 12 +- crypto/openssl/crypto/threads_none.c | 25 +- crypto/openssl/crypto/threads_pthread.c | 94 +- crypto/openssl/crypto/threads_win.c | 56 +- crypto/openssl/crypto/trace.c | 131 +- crypto/openssl/crypto/ts/ts_asn1.c | 64 +- crypto/openssl/crypto/ts/ts_conf.c | 108 +- crypto/openssl/crypto/ts/ts_err.c | 122 +- crypto/openssl/crypto/ts/ts_lib.c | 4 +- crypto/openssl/crypto/ts/ts_local.h | 18 +- crypto/openssl/crypto/ts/ts_req_print.c | 2 +- crypto/openssl/crypto/ts/ts_rsp_print.c | 41 +- crypto/openssl/crypto/ts/ts_rsp_sign.c | 172 +- crypto/openssl/crypto/ts/ts_rsp_verify.c | 104 +- crypto/openssl/crypto/ts/ts_verify_ctx.c | 6 +- crypto/openssl/crypto/txt_db/txt_db.c | 22 +- crypto/openssl/crypto/ui/ui_err.c | 36 +- crypto/openssl/crypto/ui/ui_lib.c | 260 +- crypto/openssl/crypto/ui/ui_local.h | 56 +- crypto/openssl/crypto/ui/ui_null.c | 10 +- crypto/openssl/crypto/ui/ui_openssl.c | 536 +- crypto/openssl/crypto/ui/ui_util.c | 65 +- crypto/openssl/crypto/uid.c | 34 +- crypto/openssl/crypto/vms_rms.h | 86 +- crypto/openssl/crypto/whrlpool/wp_block.c | 811 +- crypto/openssl/crypto/whrlpool/wp_dgst.c | 20 +- crypto/openssl/crypto/x509/by_dir.c | 76 +- crypto/openssl/crypto/x509/by_file.c | 66 +- crypto/openssl/crypto/x509/by_store.c | 175 +- crypto/openssl/crypto/x509/pcy_cache.c | 24 +- crypto/openssl/crypto/x509/pcy_data.c | 2 +- crypto/openssl/crypto/x509/pcy_lib.c | 19 +- crypto/openssl/crypto/x509/pcy_local.h | 34 +- crypto/openssl/crypto/x509/pcy_map.c | 10 +- crypto/openssl/crypto/x509/pcy_node.c | 28 +- crypto/openssl/crypto/x509/pcy_tree.c | 107 +- crypto/openssl/crypto/x509/standard_exts.h | 5 - crypto/openssl/crypto/x509/t_crl.c | 7 +- crypto/openssl/crypto/x509/t_req.c | 24 +- crypto/openssl/crypto/x509/t_x509.c | 75 +- crypto/openssl/crypto/x509/v3_addr.c | 306 +- crypto/openssl/crypto/x509/v3_admis.c | 52 +- crypto/openssl/crypto/x509/v3_admis.h | 28 +- crypto/openssl/crypto/x509/v3_akeya.c | 6 +- crypto/openssl/crypto/x509/v3_akid.c | 30 +- crypto/openssl/crypto/x509/v3_asid.c | 213 +- crypto/openssl/crypto/x509/v3_bcons.c | 28 +- crypto/openssl/crypto/x509/v3_bitst.c | 54 +- crypto/openssl/crypto/x509/v3_conf.c | 77 +- crypto/openssl/crypto/x509/v3_cpols.c | 93 +- crypto/openssl/crypto/x509/v3_crld.c | 135 +- crypto/openssl/crypto/x509/v3_enum.c | 30 +- crypto/openssl/crypto/x509/v3_extku.c | 23 +- crypto/openssl/crypto/x509/v3_genn.c | 45 +- crypto/openssl/crypto/x509/v3_ia5.c | 6 +- crypto/openssl/crypto/x509/v3_info.c | 47 +- crypto/openssl/crypto/x509/v3_int.c | 2 +- crypto/openssl/crypto/x509/v3_ist.c | 37 +- crypto/openssl/crypto/x509/v3_lib.c | 29 +- crypto/openssl/crypto/x509/v3_ncons.c | 98 +- crypto/openssl/crypto/x509/v3_pci.c | 65 +- crypto/openssl/crypto/x509/v3_pcia.c | 14 +- crypto/openssl/crypto/x509/v3_pcons.c | 30 +- crypto/openssl/crypto/x509/v3_pku.c | 12 +- crypto/openssl/crypto/x509/v3_pmaps.c | 27 +- crypto/openssl/crypto/x509/v3_prn.c | 29 +- crypto/openssl/crypto/x509/v3_purp.c | 136 +- crypto/openssl/crypto/x509/v3_san.c | 229 +- crypto/openssl/crypto/x509/v3_skid.c | 15 +- crypto/openssl/crypto/x509/v3_sxnet.c | 28 +- crypto/openssl/crypto/x509/v3_tlsf.c | 29 +- crypto/openssl/crypto/x509/v3_utf8.c | 11 +- crypto/openssl/crypto/x509/v3_utl.c | 166 +- crypto/openssl/crypto/x509/v3err.c | 236 +- crypto/openssl/crypto/x509/x509_att.c | 93 +- crypto/openssl/crypto/x509/x509_cmp.c | 48 +- crypto/openssl/crypto/x509/x509_d2.c | 15 +- crypto/openssl/crypto/x509/x509_err.c | 134 +- crypto/openssl/crypto/x509/x509_ext.c | 35 +- crypto/openssl/crypto/x509/x509_local.h | 118 +- crypto/openssl/crypto/x509/x509_lu.c | 98 +- crypto/openssl/crypto/x509/x509_meth.c | 27 +- crypto/openssl/crypto/x509/x509_obj.c | 19 +- crypto/openssl/crypto/x509/x509_r2x.c | 9 +- crypto/openssl/crypto/x509/x509_req.c | 32 +- crypto/openssl/crypto/x509/x509_set.c | 14 +- crypto/openssl/crypto/x509/x509_trust.c | 56 +- crypto/openssl/crypto/x509/x509_txt.c | 3 +- crypto/openssl/crypto/x509/x509_v3.c | 22 +- crypto/openssl/crypto/x509/x509_vfy.c | 355 +- crypto/openssl/crypto/x509/x509_vpm.c | 157 +- crypto/openssl/crypto/x509/x509cset.c | 2 +- crypto/openssl/crypto/x509/x509name.c | 54 +- crypto/openssl/crypto/x509/x509type.c | 2 +- crypto/openssl/crypto/x509/x_all.c | 144 +- crypto/openssl/crypto/x509/x_attrib.c | 6 +- crypto/openssl/crypto/x509/x_crl.c | 109 +- crypto/openssl/crypto/x509/x_exten.c | 9 +- crypto/openssl/crypto/x509/x_name.c | 127 +- crypto/openssl/crypto/x509/x_pubkey.c | 147 +- crypto/openssl/crypto/x509/x_req.c | 84 +- crypto/openssl/crypto/x509/x_x509.c | 64 +- crypto/openssl/crypto/x509/x_x509a.c | 14 +- crypto/openssl/demos/bio/client-arg.c | 2 +- crypto/openssl/demos/bio/client-conf.c | 4 +- crypto/openssl/demos/bio/saccept.c | 13 +- crypto/openssl/demos/bio/sconnect.c | 11 +- crypto/openssl/demos/bio/server-arg.c | 13 +- crypto/openssl/demos/bio/server-cmod.c | 11 +- crypto/openssl/demos/bio/server-conf.c | 13 +- crypto/openssl/demos/cipher/aesccm.c | 13 +- crypto/openssl/demos/cipher/aesgcm.c | 10 +- crypto/openssl/demos/cipher/aeskeywrap.c | 99 +- crypto/openssl/demos/cipher/ariacbc.c | 20 +- crypto/openssl/demos/cms/cms_comp.c | 2 +- crypto/openssl/demos/cms/cms_ddec.c | 6 +- crypto/openssl/demos/cms/cms_dec.c | 2 +- crypto/openssl/demos/cms/cms_denc.c | 6 +- crypto/openssl/demos/cms/cms_enc.c | 2 +- crypto/openssl/demos/cms/cms_sign.c | 2 +- crypto/openssl/demos/cms/cms_sign2.c | 2 +- crypto/openssl/demos/cms/cms_uncomp.c | 2 +- crypto/openssl/demos/cms/cms_ver.c | 2 +- crypto/openssl/demos/digest/BIO_f_md.c | 28 +- crypto/openssl/demos/digest/EVP_MD_demo.c | 159 +- crypto/openssl/demos/digest/EVP_MD_stdin.c | 12 +- crypto/openssl/demos/digest/EVP_MD_xof.c | 6 +- crypto/openssl/demos/encode/ec_encode.c | 14 +- crypto/openssl/demos/encode/rsa_encode.c | 14 +- crypto/openssl/demos/kdf/hkdf.c | 8 +- crypto/openssl/demos/kdf/pbkdf2.c | 8 +- crypto/openssl/demos/kdf/scrypt.c | 4 +- crypto/openssl/demos/keyexch/x25519.c | 45 +- crypto/openssl/demos/mac/cmac-aes256.c | 92 +- crypto/openssl/demos/mac/gmac.c | 10 +- crypto/openssl/demos/mac/hmac-sha512.c | 182 +- crypto/openssl/demos/mac/poly1305.c | 2 +- crypto/openssl/demos/pkcs12/pkread.c | 4 +- crypto/openssl/demos/pkey/EVP_PKEY_DSA_keygen.c | 4 +- .../demos/pkey/EVP_PKEY_DSA_paramfromdata.c | 6 +- *** 497064 LINES SKIPPED *** From nobody Tue Jun 9 19:19:04 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxj0M0Kz6gVGk for ; Tue, 09 Jun 2026 19:19:05 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxh41bpz3PJl for ; Tue, 09 Jun 2026 19:19:04 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032744; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Lpx9yt/yENKhQKZvxDrYdQzHoEJT3z9SNZmLUb1IN0A=; b=BbDrcsgoPujB7LkVB6zIdTNzSAJ3XxdmkiMFDjM5f/ANt7eXfrPPc6qIgxdKwJyXM/Viv0 SHp0C+pHw66/7srS7ZF41NT2gkjchuuRpU7T7ySzPFfuE/TVr3m24P3tDkadCYpbSJjmLB cXt334cenxacA+TbWLeOtfmNPUsBLiEyBEbmSSOFkRkIukZG8bprlnPdjb6fRLs+A8lPnO zaI9eoC2BTgmN9yEgdhMrRGL8MAnQj7jrDtQE7smb1UTn4I/b+AhmxlOpmtw5a001h3HBp SU4pyckrMm5lnH7xoq6F0acS0rv3IW7ogMLJkas0gWsdnJIGbzK+A3TT2QIIRA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032744; a=rsa-sha256; cv=none; b=udNAhi/XtZG7R73MKe1d4NQOlO5OEinLvMfne7mnv6pvlLBQ/RXGrE8xHSc5vd6Kth0NFs HGnvsesVnOpXsc0Se5LLNmhJCk7ooIGivisaq2VFMVf40evV769qmNj5GHWZR6SQKfaea0 DfejPtk8obFFhKmqftReAyGV/zFIL9dvqlxqGh0QxaIoEwAmOL8Gqr8sLl+fr7H/PsJ5Kb yBEzUnhW2PRB3TuLKUAezIe0ohZd6HOVAG959xAGMvnG593aZFX3bd0J5WDm/BZUZtKWUa vTToIzwf2B9SBBFxuFbopOvMhSEMzSNoHTvGF3quB7oeNI3M7FNymzaa8kFHWg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032744; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Lpx9yt/yENKhQKZvxDrYdQzHoEJT3z9SNZmLUb1IN0A=; b=CQHennTDY/ZbIiuTygVaQh9FOUS5w0u8o4Fx/TsvpNBIFgGXMi+XxozMAy/ACORftmytQQ W8UVyaxjmhyy27B6PkTPde1xGmNfJNFujrB2/HS2CfTnmusI66/saVtZMOVfsf7VVf9tK/ wi7xXg05E6zp+JbXTlVqIZZEDrbUOJLFadZM8q1Vs4w6WwU6WCArCXBWz5IVr4ZvVKDUB2 1KAEIkA7IgYB0DK67N86ib7DkIyHpmJrHA3xNvvkMcIPs2BF/Ellkq5UAmElLqpRIq6iqO vfb/jJaEC1DsyngcO5mrXA2jOxgjaeVTrUAUQDyMK8gJVFbP0dI1ON/rBw7GJw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxh3Pbzznw3 for ; Tue, 09 Jun 2026 19:19:04 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3eb22 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:04 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 31f6086db8fe - releng/14.4 - thr_kill2: Respect p_cansignal() List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.4 X-Git-Reftype: branch X-Git-Commit: 31f6086db8fe92e7c7a079a648c08960aed2916c Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:04 +0000 Message-Id: <6a286728.3eb22.27b66355@gitrepo.freebsd.org> The branch releng/14.4 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=31f6086db8fe92e7c7a079a648c08960aed2916c commit 31f6086db8fe92e7c7a079a648c08960aed2916c Author: Mark Johnston AuthorDate: 2026-05-25 15:12:57 +0000 Commit: Mark Johnston CommitDate: 2026-06-07 15:53:43 +0000 thr_kill2: Respect p_cansignal() Approved by: so Security: FreeBSD-SA-26:25.thr Security: CVE-2026-45256 Reported by: Igor Gabriel Sousa e Souza Reported by: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai Reviewed by: emaste, kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57237 --- sys/kern/kern_thr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/kern/kern_thr.c b/sys/kern/kern_thr.c index 1b5f0b1a33ad..11ceea58e849 100644 --- a/sys/kern/kern_thr.c +++ b/sys/kern/kern_thr.c @@ -499,7 +499,7 @@ sys_thr_kill2(struct thread *td, struct thr_kill2_args *uap) p = ttd->td_proc; AUDIT_ARG_PROCESS(p); error = p_cansignal(td, p, uap->sig); - if (uap->sig == 0) + if (error != 0 || uap->sig == 0) ; else if (!_SIG_VALID(uap->sig)) error = EINVAL; From nobody Tue Jun 9 19:19:05 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxk2n83z6gVCJ for ; Tue, 09 Jun 2026 19:19:06 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxj4gh6z3PV0 for ; Tue, 09 Jun 2026 19:19:05 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032745; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=f5lqb6jPM051GfPfmV1878UQsFCuXbTvJgaHLDVFvKU=; b=u0uDh1Kxcd65UtbV7aU+Uo6fIDsDL/3TbKhSojDPAepuvxOA5bOZea7HK94GEzOUTrhmjJ fnuOm3ODwB3+6EL4f6t2dBIwJB/UhZD1adtEWWb8FGSLuJYPR8QNZF5Vc/EFxt/0x+Jrqi 80VBxw+x68+adFw+cCTwXSlDrOxhicTiI01oPJJhlcjWgJr8RkEJV69GHzlQBVY0cw7MTP tpEtbxEBznfMh4b+jO9Vom9AGiiwQDmz3bWs0ZyPoMtaivd/nyBmPOTs5vJEepy1Uj4Hot uGfoxmEMs7aKv2rbA9x5suyemsJ/1fHkbssysdaH99hJVm9KkonXB5kdc8PU0g== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032745; a=rsa-sha256; cv=none; b=ZpfQnFzpOjLvdMNaw3Y0qLtG8fPpUb9Js/26yKAqVJWGjnvMOfYU9pSg+RtxeMKhMGAEpC l/EhAvQdm0dZvdd5Fg9UJCx9DNm7JSpBuC7aD+U5pYd+zXglhyvmkX8pUcxtHJ+UEQvfby YpLl+j91f44d1d0NWyXMqPiZUiEMT0VAFPAJkHpPTYNbA21hILCFCR6rLL4hZeYFiCen63 o892WYkZSs3sIBYhV8PeDv7GS3yzKs1kaYhBXZUxqMgta/Jl7V6kDj2Z9VWg1sYezaKnhq rnCfadQzh0bOMHqoTGtgmOx3+38ojL+tbSdE+ISGE+cqGtxS440WZ4iZ9bXOgQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032745; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=f5lqb6jPM051GfPfmV1878UQsFCuXbTvJgaHLDVFvKU=; b=TGsfuzOLwkSGZs2vGoSRAgPUekQRJ/QWOvpMhSEfGsbvTpLPkSe/0LSjOBXD0vLDLh3alu MugR13RpABTiCTsCbg6ekaKDa68kY7g+GZ2w5iks+B9+j6HVlSy7fxDNZ4v2S9u53UekHq UdeWwZTHVXGyDSywOf3d8Yv/vyErVgdpC+Q4A8/0LqLeJAD9tdBLrzSi1GsqQJu2D/et/+ jplStsIx2RtyxyTEzGIK5ue2pjBXJwwoKE7WSbtBUgtsq/uHKgISwgrAiEzr7mCauO3DaA ACw2ctnOl8ydsJTqBTUjMHuJn0CYYguNEZKQEmksZ6UMg6ePMPxsko/0P3u3Vg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxj4FL3znkl for ; Tue, 09 Jun 2026 19:19:05 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3ebbf by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:05 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: John Baldwin From: Mark Johnston Subject: git: d43259dd66b3 - releng/14.4 - ktls: Don't attempt to modify non-anonymous mbufs on the receive path List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.4 X-Git-Reftype: branch X-Git-Commit: d43259dd66b3b88cde5a833fe2b11b5a353abca0 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:05 +0000 Message-Id: <6a286729.3ebbf.7f7c59b2@gitrepo.freebsd.org> The branch releng/14.4 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=d43259dd66b3b88cde5a833fe2b11b5a353abca0 commit d43259dd66b3b88cde5a833fe2b11b5a353abca0 Author: John Baldwin AuthorDate: 2026-06-03 23:22:00 +0000 Commit: Mark Johnston CommitDate: 2026-06-07 15:53:44 +0000 ktls: Don't attempt to modify non-anonymous mbufs on the receive path Normally, data processed on the KTLS receive path is contained in anonymous mbufs that can be modified in place. Either the data originates in receive buffers from a NIC driver, or for loopback connections the data is anonymous-backed mbufs created when writing to a socket. One potential source of non-anonymous mbufs are mbufs created by sendfile(2) which borrow the pages of the underlying file, either via M_EXTPG or EXT_SFBUF that are sent over a loopback connection. For a well-formed loopback TLS session, the sender should only use sendfile(2) if KTLS is enabled. If TLS is fully handled in userspace, the sender must use write(2) or send(2) which allocate anonymous mbufs. If KTLS transmit is enabled, then sendfile(2) on a loopback connection will always use crypto via OCF and will allocate anonymous pages to hold the encrypted data. However, if sendfile(2) is used to send file-backed data directly over a loopback connection where KTLS is not enabled on the sender side, the KTLS receive path can modify the file-backed pages in place overwriting the file's data. One potential fix would be to replace non-anonymous mbufs in a received TLS record with anonymous mbufs (e.g. via m_dup()) before passing the record to OCF. However, there is no legitimate use case for using sendfile(2) over a loopback TLS connection without using KTLS on the sender side, so instead simply fail decryption requests and close the connection if non-anonymous mbufs are encountered in the RX decryption path. Add a test for this that verifies that the original data backing the file descriptor used as the source for sendfile() is unchanged after being processed. Approved by: so Security: FreeBSD-SA-26:26.ktls Security: CVE-2026-45257 Co-authored-by: Drew Gallatin Sponsored by: Chelsio Communications Sponsored by: Netflix --- sys/kern/uipc_ktls.c | 17 +++++++-- sys/sys/ktls.h | 1 + tests/sys/kern/ktls_test.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 108 insertions(+), 3 deletions(-) diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c index 64150086658a..dc370d033a7a 100644 --- a/sys/kern/uipc_ktls.c +++ b/sys/kern/uipc_ktls.c @@ -2337,8 +2337,10 @@ tls13_find_record_type(struct ktls_session *tls, struct mbuf *m, int tls_len, * Check if a mbuf chain is fully decrypted at the given offset and * length. Returns KTLS_MBUF_CRYPTO_ST_DECRYPTED if all data is * decrypted. KTLS_MBUF_CRYPTO_ST_MIXED if there is a mix of encrypted - * and decrypted data. Else KTLS_MBUF_CRYPTO_ST_ENCRYPTED if all data - * is encrypted. + * and decrypted data. KTLS_MBUF_CRYPTO_ST_ENCRYPTED if all data is + * encrypted. KTLS_MBUF_CRYPTO_ST_SHAREDMBUF if any mbuf points at + * shared data that must not be modified in place (non-anonymous + * M_EXTPG or sendfile M_EXT buffers). */ ktls_mbuf_crypto_st_t ktls_mbuf_crypto_state(struct mbuf *mb, int offset, int len) @@ -2354,6 +2356,13 @@ ktls_mbuf_crypto_state(struct mbuf *mb, int offset, int len) offset += len; for (; mb != NULL; mb = mb->m_next) { + if ((mb->m_flags & M_EXTPG) != 0 && + (mb->m_epg_flags & EPG_FLAG_ANON) == 0) + return (KTLS_MBUF_CRYPTO_ST_SHAREDMBUF); + if ((mb->m_flags & M_EXT) != 0 && + mb->m_ext.ext_type == EXT_SFBUF) + return (KTLS_MBUF_CRYPTO_ST_SHAREDMBUF); + m_flags_ored |= mb->m_flags; m_flags_anded &= mb->m_flags; @@ -2554,9 +2563,11 @@ ktls_decrypt(struct socket *so) record_type = hdr->tls_type; } break; - default: + case KTLS_MBUF_CRYPTO_ST_SHAREDMBUF: error = EINVAL; break; + default: + __assert_unreachable(); } if (error) { counter_u64_add(ktls_offload_failed_crypto, 1); diff --git a/sys/sys/ktls.h b/sys/sys/ktls.h index 693864394ffe..0fdf4c4ceac7 100644 --- a/sys/sys/ktls.h +++ b/sys/sys/ktls.h @@ -210,6 +210,7 @@ typedef enum { KTLS_MBUF_CRYPTO_ST_MIXED = 0, KTLS_MBUF_CRYPTO_ST_ENCRYPTED = 1, KTLS_MBUF_CRYPTO_ST_DECRYPTED = -1, + KTLS_MBUF_CRYPTO_ST_SHAREDMBUF = -2, } ktls_mbuf_crypto_st_t; void ktls_check_rx(struct sockbuf *sb); diff --git a/tests/sys/kern/ktls_test.c b/tests/sys/kern/ktls_test.c index 72497196b945..3970083e7f72 100644 --- a/tests/sys/kern/ktls_test.c +++ b/tests/sys/kern/ktls_test.c @@ -30,6 +30,7 @@ #include #include #include +#include #include #include #include @@ -2817,6 +2818,97 @@ ATF_TC_BODY(ktls_listening_socket, tc) ATF_REQUIRE(close(s) == 0); } +/* + * Verify that the KTLS receive path does not overwrite data belonging + * to a file whose payload is transmitted over a loopback connection + * via plain sendfile. + */ +ATF_TC_WITHOUT_HEAD(ktls_receive_loopback_sendfile); +ATF_TC_BODY(ktls_receive_loopback_sendfile, tc) +{ + struct tls_enable en; + struct msghdr msg; + struct sf_hdtr hdtr; + struct iovec iov[2]; + uint64_t seqno; + off_t sbytes; + char cbuf[CMSG_SPACE(sizeof(struct tls_get_record))]; + char *plaintext, *ciphertext, *outbuf; + void *p; + const size_t payload_len = PAGE_SIZE; + ssize_t rv; + size_t len; + int mode, shm, sockets[2]; + socklen_t slen; + + ATF_REQUIRE_KTLS(); + seqno = random(); + build_tls_enable(tc, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, + TLS_MINOR_VER_TWO, seqno, &en); + + len = tls_header_len(&en) + payload_len + tls_trailer_len(&en); + plaintext = alloc_buffer(payload_len); + ciphertext = malloc(len); + ATF_REQUIRE_INTEQ(len, encrypt_tls_record(tc, &en, TLS_RLTYPE_APP, + seqno, plaintext, payload_len, ciphertext, len, 0)); + + ATF_REQUIRE((shm = shm_open(SHM_ANON, O_RDWR, 0600)) > 0); + ATF_REQUIRE_INTEQ(0, ftruncate(shm, payload_len)); + ATF_REQUIRE((p = mmap(NULL, payload_len, PROT_READ | PROT_WRITE, + MAP_SHARED, shm, 0)) != MAP_FAILED); + memcpy(p, ciphertext + tls_header_len(&en), payload_len); + + ATF_REQUIRE_MSG(socketpair_tcp(sockets), "failed to create sockets"); + ATF_REQUIRE(setsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_ENABLE, &en, + sizeof(en)) == 0); + slen = sizeof(mode); + ATF_REQUIRE_INTEQ(0, getsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_MODE, + &mode, &slen)); + ATF_REQUIRE_INTEQ(TCP_TLS_MODE_SW, mode); + + fd_set_blocking(sockets[0]); + fd_set_blocking(sockets[1]); + + iov[0].iov_base = ciphertext; + iov[0].iov_len = tls_header_len(&en); + iov[1].iov_base = ciphertext + tls_header_len(&en) + payload_len; + iov[1].iov_len = tls_trailer_len(&en); + hdtr.headers = iov; + hdtr.hdr_cnt = 1; + hdtr.trailers = iov + 1; + hdtr.trl_cnt = 1; + debug_hexdump(tc, p, payload_len, "shm buffer before"); + ATF_REQUIRE_INTEQ(0, sendfile(shm, sockets[1], 0, payload_len, &hdtr, + &sbytes, 0)); + ATF_REQUIRE_INTEQ(sbytes, len); + + outbuf = calloc(payload_len, 1); + + memset(&msg, 0, sizeof(msg)); + + msg.msg_control = cbuf; + msg.msg_controllen = sizeof(cbuf); + + iov[0].iov_base = outbuf; + iov[0].iov_len = payload_len; + msg.msg_iov = iov; + msg.msg_iovlen = 1; + + rv = recvmsg(sockets[0], &msg, 0); + if (rv >= 0) { + ATF_REQUIRE_INTEQ(payload_len, rv); + ATF_REQUIRE_INTEQ(0, memcmp(outbuf, plaintext, payload_len)); + } else + ATF_REQUIRE_ERRNO(EBADMSG, true); + + debug_hexdump(tc, p, payload_len, "shm buffer after"); + ATF_REQUIRE_INTEQ(0, memcmp(p, ciphertext + tls_header_len(&en), + payload_len)); + + close_sockets_ignore_errors(sockets); + (void)close(shm); +} + ATF_TP_ADD_TCS(tp) { /* Transmit tests */ @@ -2843,6 +2935,7 @@ ATF_TP_ADD_TCS(tp) /* Miscellaneous */ ATF_TP_ADD_TC(tp, ktls_sendto_baddst); ATF_TP_ADD_TC(tp, ktls_listening_socket); + ATF_TP_ADD_TC(tp, ktls_receive_loopback_sendfile); return (atf_no_error()); } From nobody Tue Jun 9 19:19:06 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxl36rfz6gVCK for ; Tue, 09 Jun 2026 19:19:07 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxk5ZbTz3PXp for ; Tue, 09 Jun 2026 19:19:06 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032746; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=CjGzW5K9mgxqm0Zt9EAnE/n1WUawdgtW2qeL1gAw9mc=; b=aTbJgBnrmOXVPSrMPehZaTsVZxV4PlW5xjSP/8n5+JlWHmAniHW8EPT3NUMTGsL4xSzGsa yV+/VzSLIw5Kkn9aAB/WNu7hbTd4TOztVcJXCb5thOJwcifxmSc8CP/qO3Rvdm5PfUuxYY 2kOad7bEYoq1ISnptr6Hij7SRUHb6Nheq5Ln5SZvEspEgsnobP/4jzn58tXfRngQq5lb2r MWAz8mrG6AGUG1v0lI5Qy8j+PAJd3xbt4wNIW3v/rU96CTFA7z8TB4u4XulGSE2Ki+awwk VwndFws5kSG4cMTZ5rIqMSLzam7yTVGoBOlSERHZBVMyCKyFVpKjkbNbd4wZZA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032746; a=rsa-sha256; cv=none; b=drgcqE9BbviZ5umfB3+HDo5FtQDkr7RJTOkFo88kB6IxulzBhV5hetl74dRKUUj8R0hnPb wCStetFyFdbN/hKwhX5S4srCqVHSwPohGCkyM6Q56Ph5dzRfBdXRDiiHTGt5WKpOnZIFzi QJisTQDB4MpGAUcUoiGhIk+3W1Rra3m1tUecegVgM1Y0PgDe2Q00x93AovnwUndH5Vl6Ai Q+BfiHxmYNu3fyjao/KnK1SX1zYHBOdWttoXPm6AbiD0yLl9cbAq1LzthW2/3Tc69RJHbg c8xvMjmS26k/hac8CKmEY+fyAKY/yLtiOoiYOyA9hsOmEKGv3ZS/xrDfltvLZQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032746; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=CjGzW5K9mgxqm0Zt9EAnE/n1WUawdgtW2qeL1gAw9mc=; b=RXsHnlAmAJ8QVITMl39NYSfvRDjes9XZvsUIgebcY2NKrnkofek8J9WpT9Ryp3aMAPdG7M jKYJS3Rd8AaN/1p8uUPh6q7DEkU+a8dgK6uiX5OcytIsPSNe1IxIw9QWs+XNnUAMeemIbi L9OafurG6K69g40VgnNK1wQ2H61b1sGCOGg2j3QgELTuFCj3BG9nIyIp+lLkdSGr/qcJ6m KFFKqatwNbDTAQnnXiqXU+C+FaSgyyfcVR3JGqPFVZUK/yrM5QWgzjut8dBjnE0gK//kCt dH4s//tKIrJEbx//zdpO4UwPtetDGNCK5TEV8F13lVwQi3HbitCUuJJ+cFeBaA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxk52PMznkm for ; Tue, 09 Jun 2026 19:19:06 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3ebc4 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:06 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Christos Margiolis From: Mark Johnston Subject: git: b9128fe1951c - releng/14.4 - sound: Check for offset overflow in dsp_mmap_single() List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.4 X-Git-Reftype: branch X-Git-Commit: b9128fe1951c2af3845411dcfe4e2ea0bbf7384c Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:06 +0000 Message-Id: <6a28672a.3ebc4.43e256ab@gitrepo.freebsd.org> The branch releng/14.4 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=b9128fe1951c2af3845411dcfe4e2ea0bbf7384c commit b9128fe1951c2af3845411dcfe4e2ea0bbf7384c Author: Christos Margiolis AuthorDate: 2026-05-27 15:50:33 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 13:21:14 +0000 sound: Check for offset overflow in dsp_mmap_single() Approved by: so Security: FreeBSD-SA-26:27.sound Security: CVE-2026-45258 Reviewed by: markj Sponsored by: The FreeBSD Foundation --- sys/dev/sound/pcm/dsp.c | 3 +++ tests/sys/sound/Makefile | 1 + tests/sys/sound/mmap.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 55 insertions(+) diff --git a/sys/dev/sound/pcm/dsp.c b/sys/dev/sound/pcm/dsp.c index fe5576baf017..72bde9c1066f 100644 --- a/sys/dev/sound/pcm/dsp.c +++ b/sys/dev/sound/pcm/dsp.c @@ -1953,6 +1953,9 @@ dsp_mmap_single(struct cdev *i_dev, vm_ooffset_t *offset, struct pcm_channel *wrch, *rdch, *c; int err; + if (*offset >= *offset + size) + return (EINVAL); + /* * Reject PROT_EXEC by default. It just doesn't makes sense. * Unfortunately, we have to give up this one due to linux_mmap diff --git a/tests/sys/sound/Makefile b/tests/sys/sound/Makefile index 74a0765a0540..ce156ae8c4cf 100644 --- a/tests/sys/sound/Makefile +++ b/tests/sys/sound/Makefile @@ -2,6 +2,7 @@ PACKAGE= tests TESTSDIR= ${TESTSBASE}/sys/sound +ATF_TESTS_C+= mmap ATF_TESTS_C+= pcm_read_write ATF_TESTS_C+= sndstat diff --git a/tests/sys/sound/mmap.c b/tests/sys/sound/mmap.c new file mode 100644 index 000000000000..ab203a39194c --- /dev/null +++ b/tests/sys/sound/mmap.c @@ -0,0 +1,51 @@ +/*- + * SPDX-License-Identifier: BSD-2-Clause + * + * Copyright (c) 2026 The FreeBSD Foundation + */ + +#include +#include + +#include +#include +#include +#include + +#define FMT_ERR(s) s ": %s", strerror(errno) + +ATF_TC(mmap_offset_overflow); +ATF_TC_HEAD(mmap_offset_overflow, tc) +{ + atf_tc_set_md_var(tc, "descr", "mmap offset overflow test"); + atf_tc_set_md_var(tc, "require.kmods", "snd_dummy"); +} + +ATF_TC_BODY(mmap_offset_overflow, tc) +{ + uint8_t *buf; + off_t off; + size_t len; + int fd; + + fd = open("/dev/dsp0", O_RDWR); + ATF_REQUIRE_MSG(fd >= 0, FMT_ERR("open")); + + /* off + len will overflow and wrap back to 0. */ + off = 0xfffffffffffff000; + len = 0x1000; + + buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, off); + ATF_REQUIRE_MSG(buf == MAP_FAILED, FMT_ERR("mmap")); + + munmap(buf, len); + + close(fd); +} + +ATF_TP_ADD_TCS(tp) +{ + ATF_TP_ADD_TC(tp, mmap_offset_overflow); + + return (atf_no_error()); +} From nobody Tue Jun 9 19:19:07 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxm1Yhyz6gVGn for ; Tue, 09 Jun 2026 19:19:08 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxl64cDz3PDg for ; Tue, 09 Jun 2026 19:19:07 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032747; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=9xrjMpke3SWdY61aKvkSaa3s5X+JTnyPTMGRQchlp6E=; b=baaYyCcLoRF/rFH4/TAQb3bUMAiNcr6VADvhkjNUOXSVQojeeXQKiVlQ0FpBXVnMZz+I1i v48LApXbIMHGqdUAtadu11Vd2K1KeG6Xn3hX8qeuArKlL6kF59cNaHwfmN+bXiSXlHtHBo LvEA4aZEmEtL6rx99/J7hbA7K3QMG7xyPtHbTDnDGqnm38ifuhx1oJ/SjZwp5TNL8WpvFq JNHII6/pGr/F+iOZ2ylFAUPTfodVYP9Ql9xis/3hO4uMGxWBOePe2CUzwQtuD2LaJ2IVzi WmYtc491VVO6ydLQsQ2JxlNlEV5X41dEk11kmu/SIuplQbnwIJrpN3P4myhYHQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032747; a=rsa-sha256; cv=none; b=BZj+t/FTkwBAy+8vdb5aOwpnpPusne58XlBODeKRSfl4ooq24WWTLQyck8Ly4rn451vQ04 c7ZLXmxyUTFEe9zud5z1UfuaJmf6zXmIhUw4vA+JZUhVzRSnMxFILVnSSfu2mdZvs4+t4C 4bUTdUPZTLDv8lnpI+YhSGYrVwUfs1AIpwGkVCRb0AveqzmEFEFAtxRGG4R9xAGFXZSzNl LZHfYFKUSs8KtnbAtXB9ci0G8nIQU9aTt0ooWxMdxlTZPfEBo/x2FKwFZnbwz0kmOmlesD m3Dk/LppOFtLCz7jxnQ2Be4Tje9PmPn6C39xRzEO/hOpfhfqHLK1FMu0UQKqmw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032747; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=9xrjMpke3SWdY61aKvkSaa3s5X+JTnyPTMGRQchlp6E=; b=jBExgbcNcquKDaZ1P/IlOFXikhClA4aEN/lXMgxgxlRT9bNt4lJ4AFDj2z7L5KzbB6Nb6p 1wpKNFiCRYp+IKmdp1LfUE/7GZpj5u+lzM2dQvGPex4XPVVQhUQsZIJz8ZFrMzu5xVBO7A bs1vQbkEGEOO2ftUJy1P4shJk+lNc/pQWiSdIab0+C/HWXRBgtPl4fYtXXRF73AmJjrENV /04s8L5T9DqUttzr+b4rontLHF3Rjcy1Qr6cIuCheinL+Exsj4RZbfMgtHYlvfGeRwWXKO bgFIbHgXaramPcOxhn4cYsvZoB3yDjMxz1BFY06KndFj4v/LlooOn/DKb+mKDA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxl5ghsznrc for ; Tue, 09 Jun 2026 19:19:07 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3c5fb by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:07 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 0e8cc8d8a49f - releng/14.4 - sound: Fix software buffer lifetime issues List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.4 X-Git-Reftype: branch X-Git-Commit: 0e8cc8d8a49f2393fcbc836171f0a85a0e4bd92c Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:07 +0000 Message-Id: <6a28672b.3c5fb.387624f6@gitrepo.freebsd.org> The branch releng/14.4 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=0e8cc8d8a49f2393fcbc836171f0a85a0e4bd92c commit 0e8cc8d8a49f2393fcbc836171f0a85a0e4bd92c Author: Mark Johnston AuthorDate: 2026-06-01 21:57:40 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 13:21:29 +0000 sound: Fix software buffer lifetime issues The channel buffer mapped by dsp_mmap_single() may be freed when the device handle is closed, but the mapping persists beyond that, allowing userspace to read or write memory owned by a different consumer. Fix the problem by adding a reference counter to the sound buffer. Define pager ops for the VM object returned by dsp_mmap_single() and use them to manage the extra reference. Add a regression test. Approved by: so Security: FreeBSD-SA-26:27.sound Security: CVE-2026-49417 Reported by: Lexpl0it, 75Acol, Liyw979, Rob1n Reviewed by kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57393 --- sys/dev/sound/pcm/buffer.c | 38 ++++++++++++++++++++-- sys/dev/sound/pcm/buffer.h | 4 +++ sys/dev/sound/pcm/dsp.c | 80 ++++++++++++++++++++++++++++++++++++++-------- tests/sys/sound/mmap.c | 60 ++++++++++++++++++++++++++++++++++ 4 files changed, 166 insertions(+), 16 deletions(-) diff --git a/sys/dev/sound/pcm/buffer.c b/sys/dev/sound/pcm/buffer.c index de535ec2dcba..ddcf14fbc1c2 100644 --- a/sys/dev/sound/pcm/buffer.c +++ b/sys/dev/sound/pcm/buffer.c @@ -32,6 +32,7 @@ #include "opt_snd.h" #endif +#include #include #include "feeder_if.h" @@ -46,6 +47,7 @@ sndbuf_create(device_t dev, char *drv, char *desc, struct pcm_channel *channel) struct snd_dbuf *b; b = malloc(sizeof(*b), M_DEVBUF, M_WAITOK | M_ZERO); + refcount_init(&b->refcount, 1); snprintf(b->name, SNDBUF_NAMELEN, "%s:%s", drv, desc); b->dev = dev; b->channel = channel; @@ -56,8 +58,30 @@ sndbuf_create(device_t dev, char *drv, char *desc, struct pcm_channel *channel) void sndbuf_destroy(struct snd_dbuf *b) { - sndbuf_free(b); - free(b, M_DEVBUF); + b->flags |= SNDBUF_F_DETACHED; + sndbuf_rele(b); +} + +void +sndbuf_ref(struct snd_dbuf *b) +{ + unsigned int count __diagused; + + CHN_LOCK(b->channel); + count = refcount_acquire(&b->refcount); + KASSERT(count > 0, ("sndbuf %p refcount 0", b)); + CHN_UNLOCK(b->channel); +} + +void +sndbuf_rele(struct snd_dbuf *b) +{ + if (refcount_release(&b->refcount)) { + sndbuf_free(b); + KASSERT(refcount_load(&b->refcount) == 0, + ("sndbuf %p still referenced", b)); + free(b, M_DEVBUF); + } } bus_addr_t @@ -183,6 +207,11 @@ sndbuf_resize(struct snd_dbuf *b, unsigned int blkcnt, unsigned int blksz) if (bufsize > b->allocsize || bufsize < (b->allocsize >> SNDBUF_CACHE_SHIFT)) { + if (refcount_load(&b->refcount) > 1 || + (b->flags & SNDBUF_F_DETACHED) != 0) { + CHN_UNLOCK(b->channel); + return (EBUSY); + } allocsize = round_page(bufsize); CHN_UNLOCK(b->channel); tmpbuf = malloc(allocsize, M_DEVBUF, M_WAITOK); @@ -218,10 +247,15 @@ sndbuf_remalloc(struct snd_dbuf *b, unsigned int blkcnt, unsigned int blksz) if (blkcnt < 2 || blksz < 16) return EINVAL; + CHN_LOCKASSERT(b->channel); + bufsize = blksz * blkcnt; if (bufsize > b->allocsize || bufsize < (b->allocsize >> SNDBUF_CACHE_SHIFT)) { + if (refcount_load(&b->refcount) > 1 || + (b->flags & SNDBUF_F_DETACHED) != 0) + return (EBUSY); allocsize = round_page(bufsize); CHN_UNLOCK(b->channel); buf = malloc(allocsize, M_DEVBUF, M_WAITOK); diff --git a/sys/dev/sound/pcm/buffer.h b/sys/dev/sound/pcm/buffer.h index ddf4083ec19f..99bc6c0611d2 100644 --- a/sys/dev/sound/pcm/buffer.h +++ b/sys/dev/sound/pcm/buffer.h @@ -27,6 +27,7 @@ */ #define SNDBUF_F_MANAGED 0x00000008 +#define SNDBUF_F_DETACHED 0x00000010 #define SNDBUF_NAMELEN 48 @@ -50,6 +51,7 @@ struct snd_dbuf { bus_dma_tag_t dmatag; bus_addr_t buf_addr; int dmaflags; + unsigned int refcount; struct selinfo sel; struct pcm_channel *channel; char name[SNDBUF_NAMELEN]; @@ -57,6 +59,8 @@ struct snd_dbuf { struct snd_dbuf *sndbuf_create(device_t dev, char *drv, char *desc, struct pcm_channel *channel); void sndbuf_destroy(struct snd_dbuf *b); +void sndbuf_ref(struct snd_dbuf *b); +void sndbuf_rele(struct snd_dbuf *b); void sndbuf_dump(struct snd_dbuf *b, char *s, u_int32_t what); diff --git a/sys/dev/sound/pcm/dsp.c b/sys/dev/sound/pcm/dsp.c index 72bde9c1066f..bf76345827f5 100644 --- a/sys/dev/sound/pcm/dsp.c +++ b/sys/dev/sound/pcm/dsp.c @@ -79,7 +79,6 @@ static d_read_t dsp_read; static d_write_t dsp_write; static d_ioctl_t dsp_ioctl; static d_poll_t dsp_poll; -static d_mmap_t dsp_mmap; static d_mmap_single_t dsp_mmap_single; struct cdevsw dsp_cdevsw = { @@ -89,7 +88,6 @@ struct cdevsw dsp_cdevsw = { .d_write = dsp_write, .d_ioctl = dsp_ioctl, .d_poll = dsp_poll, - .d_mmap = dsp_mmap, .d_mmap_single = dsp_mmap_single, .d_name = "dsp", }; @@ -1931,23 +1929,72 @@ dsp_poll(struct cdev *i_dev, int events, struct thread *td) return (ret); } +struct dsp_mmap_handle { + struct cdev *cdev; + struct snd_dbuf *buf; +}; + static int -dsp_mmap(struct cdev *i_dev, vm_ooffset_t offset, vm_paddr_t *paddr, - int nprot, vm_memattr_t *memattr) +dsp_dev_pager_ctor(void *handle, vm_ooffset_t size, vm_prot_t prot, + vm_ooffset_t foff, struct ucred *cred, u_short *color) { + struct dsp_mmap_handle *h = handle; - /* - * offset is in range due to checks in dsp_mmap_single(). - * XXX memattr is not honored. - */ - *paddr = vtophys(offset); + dev_ref(h->cdev); + sndbuf_ref(h->buf); return (0); } +static void +dsp_dev_pager_dtor(void *handle) +{ + struct dsp_mmap_handle *h = handle; + + sndbuf_rele(h->buf); + dev_rel(h->cdev); + free(h, M_DEVBUF); +} + static int -dsp_mmap_single(struct cdev *i_dev, vm_ooffset_t *offset, +dsp_dev_pager_fault(vm_object_t object, vm_ooffset_t offset, int prot, + vm_page_t *mres) +{ + struct dsp_mmap_handle *h = object->handle; + vm_page_t m; + uintptr_t addr; + vm_paddr_t paddr; + + addr = (uintptr_t)offset; + if (addr < (uintptr_t)h->buf->buf || + addr >= (uintptr_t)h->buf->buf + h->buf->allocsize) + return (VM_PAGER_ERROR); + paddr = vtophys((void *)addr); + + if (((*mres)->flags & PG_FICTITIOUS) != 0) { + m = *mres; + vm_page_updatefake(m, paddr, object->memattr); + } else { + VM_OBJECT_WUNLOCK(object); + m = vm_page_getfake(paddr, object->memattr); + VM_OBJECT_WLOCK(object); + vm_page_replace(m, object, (*mres)->pindex, *mres); + *mres = m; + } + m->valid = VM_PAGE_BITS_ALL; + return (VM_PAGER_OK); +} + +static const struct cdev_pager_ops dsp_dev_pager_ops = { + .cdev_pg_ctor = dsp_dev_pager_ctor, + .cdev_pg_dtor = dsp_dev_pager_dtor, + .cdev_pg_fault = dsp_dev_pager_fault, +}; + +static int +dsp_mmap_single(struct cdev *cdev, vm_ooffset_t *offset, vm_size_t size, struct vm_object **object, int nprot) { + struct dsp_mmap_handle *handle; struct dsp_cdevpriv *priv; struct snddev_info *d; struct pcm_channel *wrch, *rdch, *c; @@ -2010,13 +2057,18 @@ dsp_mmap_single(struct cdev *i_dev, vm_ooffset_t *offset, *offset = (uintptr_t)sndbuf_getbufofs(c->bufsoft, *offset); dsp_unlock_chans(priv, FREAD | FWRITE); - *object = vm_pager_allocate(OBJT_DEVICE, i_dev, - size, nprot, *offset, curthread->td_ucred); + handle = malloc(sizeof(*handle), M_DEVBUF, M_WAITOK); + handle->cdev = cdev; + handle->buf = c->bufsoft; + *object = cdev_pager_allocate(handle, OBJT_DEVICE, &dsp_dev_pager_ops, + size, nprot, *offset, curthread->td_ucred); PCM_GIANT_LEAVE(d); + if (*object == NULL) { + free(handle, M_DEVBUF); + return (EINVAL); + } - if (*object == NULL) - return (EINVAL); return (0); } diff --git a/tests/sys/sound/mmap.c b/tests/sys/sound/mmap.c index ab203a39194c..f775c0f8da8a 100644 --- a/tests/sys/sound/mmap.c +++ b/tests/sys/sound/mmap.c @@ -4,12 +4,14 @@ * Copyright (c) 2026 The FreeBSD Foundation */ +#include #include #include #include #include #include +#include #include #define FMT_ERR(s) s ": %s", strerror(errno) @@ -43,9 +45,67 @@ ATF_TC_BODY(mmap_offset_overflow, tc) close(fd); } +/* + * Verify that a MAP_SHARED mapping of a DSP device's software buffer remains + * valid after the file descriptor is closed. + */ +ATF_TC(mmap_buffer_lifetime); +ATF_TC_HEAD(mmap_buffer_lifetime, tc) +{ + atf_tc_set_md_var(tc, "descr", "mmap data survives close()"); + atf_tc_set_md_var(tc, "require.kmods", "snd_dummy"); +} +ATF_TC_BODY(mmap_buffer_lifetime, tc) +{ + audio_buf_info abi; + uint8_t *buf; + size_t len; + int fd, arg; + + fd = open("/dev/dsp0", O_RDWR); + ATF_REQUIRE_MSG(fd >= 0, FMT_ERR("open")); + + arg = (2 << 16) | 14; /* 2*16KB */ + ATF_REQUIRE_MSG(ioctl(fd, SNDCTL_DSP_SETFRAGMENT, &arg) == 0, + FMT_ERR("SNDCTL_DSP_SETFRAGMENT")); + ATF_REQUIRE_MSG(ioctl(fd, SNDCTL_DSP_GETOSPACE, &abi) == 0, + FMT_ERR("SNDCTL_DSP_GETOSPACE")); + + len = abi.bytes; + ATF_REQUIRE_MSG(len >= PAGE_SIZE, "buffer too small: %zu", len); + + buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); + ATF_REQUIRE_MSG(buf != MAP_FAILED, FMT_ERR("mmap")); + + for (size_t i = 0; i < len; i++) { + ATF_REQUIRE_MSG(buf[i] == 0, + "mmap data corrupted at offset %zu: want 0 got 0x%02x", + i, buf[i]); + } + + memset(buf, 0xa5, len); + for (size_t i = 0; i < len; i++) { + ATF_REQUIRE_MSG(buf[i] == 0xa5, + "mmap data corrupted at offset %zu: want 0xa5 got 0x%02x", + i, buf[i]); + } + + ATF_REQUIRE(close(fd) == 0); + + /* Closing the device causes the buffer to be reset. */ + for (size_t i = 0; i < len; i++) { + ATF_REQUIRE_MSG(buf[i] == 0 || buf[i] == 0xa5, + "mmap data corrupted at offset %zu: got 0x%02x", i, buf[i]); + } + memset(buf, 0xa5, len); + + ATF_REQUIRE(munmap(buf, len) == 0); +} + ATF_TP_ADD_TCS(tp) { ATF_TP_ADD_TC(tp, mmap_offset_overflow); + ATF_TP_ADD_TC(tp, mmap_buffer_lifetime); return (atf_no_error()); } From nobody Tue Jun 9 19:19:08 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxn4f0Vz6gVLT for ; Tue, 09 Jun 2026 19:19:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxm6xSsz3PVd for ; Tue, 09 Jun 2026 19:19:08 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032749; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=694/bRj9J13fhbwAdQKh8cJAiYh053/CIwKQnT5oA4U=; b=s6J7MwG9wFWsEEGzVFsHiek1+Q7/7auKJpPLYir1zgm9ZVxdZfHFJ6smGsGVSbq85gk5RF hakWTIOBKcnTtq93ESDG7MDXI3F2ErYdf1K67RI3fF4Bd9RDkyc/lIeNx4af/LA0CSsYVR HhpLizlrouPm6XXx+ecanfPtyZ1Qldq5iO5ABGDLNA32APpD0U5l7PW6riIOuQEVlAP9nb dPyodCyfVx4y9iCjYI3n+/S+P/5y1XtLOZYe3MBprOGJ7bb60TWmhxAB3CQJg92FKMmeeX 1oTjrmAo3uacxSu8c44Z3UgbA0KP8Tkp91MT7JBmSPphbuf2IBXpnCzsVwp67w== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032749; a=rsa-sha256; cv=none; b=Epgp7EJAc75dHVAwGD6S0MbywE8PfnjztP8DnOU17AQ+Ux/OMqqk088Yo88pkqoTZPMJuk w+8Eodbvp2oezB1D7U45+ZC5kgfz7zOemY+DrtumCwSo4pHcefvSdvwCZ1l4bQI9yY2k1S 7BJbZzVjCty61WHp10QjTaXv5ypIv0h72b10oiNVIhJ3YydwisLipnXEuswLfK/R1LVSg7 j4FZzr27XHH+Gf/odtPhFzWRauUYh1gGfx1ureDRZLPLKH6EZ4otLnY0Jo9h6KkmD2byKg HWyJttflsxnFjTB6PxnY2EBjYlciEVTMWASWrnSxRt4oYmIlU3m0vrEy1ANj7A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032749; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=694/bRj9J13fhbwAdQKh8cJAiYh053/CIwKQnT5oA4U=; b=IN8tCf9VwFON9eL7rWnCYl7mY6HGElVmvoWGqDlNd0oNtG0BF9ay9bjnweJ3djn4gCTI1N INYmRmfPA6BTsTVNtfUSY8nVFvAezNLSGtZyeZbwzu4JCe9UqndSOvbjcU6tQi4+pXPUXH YPyls3lYd0keQTGwTLGgu22+0VaMwgt7TSOPDllk4fzfQBzEPM38zOGheSUB7i4KlKYxOx nnq4iZjhN6GCF02k5yxGbnd+3mMhXBkD8dRJ4GWoqigyNuA0O7Vds/RlgMuMmxGGXAoUML pdtEZHMbw/s2m36Pvhs13cmJVx4duMLS08yhFRshB2OwwbVTGowNioxJNigA4g== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxm6TrkzntL for ; Tue, 09 Jun 2026 19:19:08 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3c8e0 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:08 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Ed Maste From: Mark Johnston Subject: git: eab757f954ed - releng/14.4 - sigqueue: In capability mode, only allow signalling self List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.4 X-Git-Reftype: branch X-Git-Commit: eab757f954ed63395aad84624b6b1f96b4195fa0 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:08 +0000 Message-Id: <6a28672c.3c8e0.388291de@gitrepo.freebsd.org> The branch releng/14.4 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=eab757f954ed63395aad84624b6b1f96b4195fa0 commit eab757f954ed63395aad84624b6b1f96b4195fa0 Author: Ed Maste AuthorDate: 2026-05-26 13:24:36 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 13:21:33 +0000 sigqueue: In capability mode, only allow signalling self This is copied from the check in kern_kill. Approved by: so Security: FreeBSD-SA-26:28.capsicum Security: CVE-2026-45259 Reviewed by: markj, oshogbo Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57244 (cherry picked from commit b9d16b7fd2fa6bc4b3e8364804cbdc1b76ebe8a5) (cherry picked from commit defd9b86ef995ce70363eae9b323d616bda865be) (cherry picked from commit d11ff01b3aec336128e6babbff7a421fbce82015) --- contrib/capsicum-test/capmode.cc | 12 +++++++++--- sys/kern/kern_sig.c | 10 ++++++++++ 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/contrib/capsicum-test/capmode.cc b/contrib/capsicum-test/capmode.cc index f32d9e038744..12921bb53c72 100644 --- a/contrib/capsicum-test/capmode.cc +++ b/contrib/capsicum-test/capmode.cc @@ -747,8 +747,8 @@ FORK_TEST(Capmode, NewThread) { close(thread_pipe[1]); } -static volatile sig_atomic_t had_signal = 0; -static void handle_signal(int) { had_signal = 1; } +static volatile sig_atomic_t signal_cnt = 0; +static void handle_signal(int) { signal_cnt++; } FORK_TEST(Capmode, SelfKill) { pid_t me = getpid(); @@ -766,7 +766,13 @@ FORK_TEST(Capmode, SelfKill) { // Can only kill(2) to own pid. EXPECT_CAPMODE(kill(child, SIGUSR1)); EXPECT_OK(kill(me, SIGUSR1)); - EXPECT_EQ(1, had_signal); + EXPECT_EQ(1, signal_cnt); + + union sigval sv; + sv.sival_int = 0x1234; + EXPECT_CAPMODE(sigqueue(child, SIGUSR1, sv)); + EXPECT_OK(sigqueue(me, SIGUSR1, sv)); + EXPECT_EQ(2, signal_cnt); signal(SIGUSR1, original); } diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c index 91361d680809..7f399586f639 100644 --- a/sys/kern/kern_sig.c +++ b/sys/kern/kern_sig.c @@ -2047,6 +2047,16 @@ kern_sigqueue(struct thread *td, pid_t pid, int signumf, union sigval *value) if (pid <= 0) return (EINVAL); + /* + * A process in capability mode can send signals only to itself. + */ + if (pid != td->td_proc->p_pid) { + if (CAP_TRACING(td)) + ktrcapfail(CAPFAIL_SIGNAL, &signum); + if (IN_CAPABILITY_MODE(td)) + return (ECAPMODE); + } + if ((signumf & __SIGQUEUE_TID) == 0) { if ((p = pfind_any(pid)) == NULL) return (ESRCH); From nobody Tue Jun 9 19:19:11 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxq3Yvxz6gVCZ for ; Tue, 09 Jun 2026 19:19:11 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxq0vr9z3PNX for ; Tue, 09 Jun 2026 19:19:11 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032751; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=MsoGbEbdV3M69awUBpLf9z7umoEbASnme461mtCnhBM=; b=HksRGyofy5MaHM8DJxLFFcR6p+gJTHduae/vm+bWgVOlR3NgV1V0TcDR+S/gd0N7exuH8h q/PnL1QkLzkMhQI2Ii3Z3jLiytAv7ry7nuZGXuUQKRjff7jSrzNmL615GzRIxQqKSKMP6V SVmW+bNwlchF/IF6bUERi623t8tiNQpxs6UsDVKzBF1BFN7TTm6fqfbbfPY9FH1F70WTFe tLsYEhoBOWFGuGme7tya0cT5vBg93wfEo48Wq1tJPy1o0hB6wrjhErloo0Ly+Cv1sp5tY9 HL3NuR62naojiTQstreReyj7MKQ0Picza3RCaJxT34wXMebHExrTsjRb86yhWw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032751; a=rsa-sha256; cv=none; b=YFw/PG3ARVA7a+RH/uNdbsPThnskXUqY0JHSoLhXgnXmltOn/+3QFm6emt5VAqNkAW9Y32 +zJNxf3TFODPt76rL0jC5ODgqRcAYZCs94ZVVaDZhjvrVhwIk2QwOGhD6UfdQ4DT2iLZgS i6ydTOnUVOkEjgH7B9waSbNdwPR12Nvl+Ops1De6QyPU3tyOIgll6D0RuHHMha4R/vxvSQ 0dsPWWZkzKko2D/FRy1xivxp7Alff2CfNSp28aRPhJR1/O5PeFm3QctzSwVITHa9bXySE0 zzC+RANbDcWIqW71SgP8W0DnXu1Yll0xX8sQCWFvMVita8qVdkV6FikI8+4/6g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032751; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=MsoGbEbdV3M69awUBpLf9z7umoEbASnme461mtCnhBM=; b=p+naK7atffYFucPocap/oAcLLcDouskEZ/fOSmH2+h5WJKK41yq3dpZhNldfNLlC1m9Q17 XuXiMJzZFsiwOXlDp6uTa1gKx6adqo9HD/VIBfLPl+RCcrBZwuZB2JcIZ08lgpCKv86VeV 4/PxTWWmdNeOSFtOgW4dJhyPCjvtLfZJkda7keFesnxU0A2IHyYFauekgIXT4t/4XXgupd gm+0qiDa0JIPNbZataA2313emfpSp92Ba0sus0PGjAjQCp8J31FyxWXtDz4YTQ4vEqil4T AQu/JkSK+YitBzBoobzvW87qG/Ds/i9LFxw7rnk1MLp7JtmoCflWyAWcsojjrg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxq0H5jznkp for ; Tue, 09 Jun 2026 19:19:11 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3f483 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:11 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 3fe092282025 - releng/14.4 - linux: Correct the issetugid check in copyout_auxargs List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.4 X-Git-Reftype: branch X-Git-Commit: 3fe092282025d45218605b950f03780f32df6f48 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:11 +0000 Message-Id: <6a28672f.3f483.5b415e09@gitrepo.freebsd.org> The branch releng/14.4 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=3fe092282025d45218605b950f03780f32df6f48 commit 3fe092282025d45218605b950f03780f32df6f48 Author: Mark Johnston AuthorDate: 2026-05-29 21:41:35 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 13:21:34 +0000 linux: Correct the issetugid check in copyout_auxargs The runtime linker in glibc relies on the AT_SECURE auxv entry to know whether the executable is set-ugid, if so then various dangerous functionality such as LD_PRELOAD is disabled. The check added in commit 669414e4fb74 failed to take into account the fact that during execve, P_SUGID may not yet be set for a set-ugid process. Correct the test. Approved by: so Security: FreeBSD-SA-26:30.linux Security: CVE-2026-49413 Reported by: Minseong Kim Fixes: 669414e4fb74 ("Implement AT_SECURE properly.") Reviewed by: kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57350 --- sys/compat/linux/linux_elf.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/sys/compat/linux/linux_elf.c b/sys/compat/linux/linux_elf.c index c9eb6aea8373..6c9f785c97e7 100644 --- a/sys/compat/linux/linux_elf.c +++ b/sys/compat/linux/linux_elf.c @@ -492,11 +492,9 @@ __linuxN(copyout_auxargs)(struct image_params *imgp, uintptr_t base) struct thread *td = curthread; Elf_Auxargs *args; Elf_Auxinfo *aarray, *pos; - struct proc *p; int error, issetugid; - p = imgp->proc; - issetugid = p->p_flag & P_SUGID ? 1 : 0; + issetugid = imgp->credential_setid ? 1 : 0; args = imgp->auxargs; aarray = pos = malloc(LINUX_AT_COUNT * sizeof(*pos), M_TEMP, M_WAITOK | M_ZERO); From nobody Tue Jun 9 19:19:09 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxp1sw1z6gVCY for ; Tue, 09 Jun 2026 19:19:10 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxp0TLlz3PKd for ; Tue, 09 Jun 2026 19:19:10 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032750; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=kqkRC/0Hf3SgismJeCUs6HDfAnb9VSMSGGiqOOBtlao=; b=h2np6CAs3xFDdGfSG9RfTwT+3c839vKNn7r0KET/Dm0C27GtgcvNPdafRU80zgeLcD/iVn HO+dnz+k3THm/POGkHPfQ15JlA8SywWq4e+QlLkhWM+cgyq/eEqM8Nx7HaUY/qxMSaVmBM pdQOD2TmxmFBk0McYdTUTGFprtZeEX934kvkr3pczt3MFBaHiXrC/lnRrYtktZoj2MH0uO iU9dhKwRTn2NUkgYknvxcNewWnJkq3xq3dkgFX16L2J4LzE+7yCulI4KoUM2KFruKOVY3B LQxNu04E+hC5MLKMTdtuva1XWok5qrsU4MZoKyy/cgIvTz/HBtqZoAdQbM0MaA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032750; a=rsa-sha256; cv=none; b=ykd5Ly9xaJdhBhERUR3/JL0bsKsZl1vpvS2IdiEN3tJgSW0oiemAnw6i7+tv1S5zV+cq5X 1kbBdgp3HygtV5HoxHlxMEN31UQr4E2qfYiWnwl3RBSqGFVAExsBie7HlQJkfllXb2Pebk j0rshfVf+Qz5dCb/MbDcMxvvk25VcNp/4HlSdLkgmETyS2uJj9fcqAKSRU9dZk11iSX51b p9C7NmbVj+/N1iMFSYwDKsQUo64t1fsFdvz9p7guvuF3MIBIFug0nzt5JZUC//9tlgXEKo tKXaL2cR0AQgAFF/UxR74PV4S0ZW7tu0f/PakUG7Xud5NvojqVz8Mta51pLdeg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032750; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=kqkRC/0Hf3SgismJeCUs6HDfAnb9VSMSGGiqOOBtlao=; b=cjEzn2QgifH1iuTOwAMNM8ZAl7as16YGyW1X3B8TpR41kfDWRBjNX11FoDjPumnPFGiYYT jAjHUiGBLlp9zCqevkJ/fmolaVjhm3qbpGAxst6wXTB84r8qEXG/aOgpfEn3QwEN+hDkEo b5OOpOp1zCIMyqwoLkxf+7QeJEAzH4ltXtBIadZbt/M19wknYCG0vUlrxSeHLN1kRxSn5C omD8cu43SAY7CJxQh7nAVUhhd8bh/+CfoTgfkfnGOtLzEHO5uZdS8dd/B3lnQzRBmtyAiU sNhTsEBgyHlWUEMFpIYyWENMenL7vigfjPw4iKrhMUWASdS4oF1xErvety43Tw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxn6rbrznG3 for ; Tue, 09 Jun 2026 19:19:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3eb26 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:09 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: a7062a6de005 - releng/14.4 - in6_mcast: Fix a race in in6p_set_source_filter() List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.4 X-Git-Reftype: branch X-Git-Commit: a7062a6de0057e5ee0eb4d858fcd7660276dd130 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:09 +0000 Message-Id: <6a28672d.3eb26.224086a3@gitrepo.freebsd.org> The branch releng/14.4 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=a7062a6de0057e5ee0eb4d858fcd7660276dd130 commit a7062a6de0057e5ee0eb4d858fcd7660276dd130 Author: Mark Johnston AuthorDate: 2026-05-29 20:12:24 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 13:21:33 +0000 in6_mcast: Fix a race in in6p_set_source_filter() We drop the inpcb lock in order to copy in the source list, but this leaves a window where the multicast filter structure might be freed. This can be exploited to obtain root privileges. In the v4 code this race is mitigated by holding the global multicast lock across the gap. Restructure the code to copy in filters before doing anything else, so that there's no need to drop the inpcb lock and reason about the correctness of doing so. Do the same in the v4 code for consistency. Approved by: so Security: FreeBSD-SA-26:29.ip6_multicast Security: CVE-2026-49412 Reported by: Andrew Griffiths Reported by: Maik Münch Reviewed by: glebius Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57347 --- sys/netinet/in_mcast.c | 39 +++++++++++++++++---------------------- sys/netinet6/in6_mcast.c | 41 +++++++++++++++++++---------------------- 2 files changed, 36 insertions(+), 44 deletions(-) diff --git a/sys/netinet/in_mcast.c b/sys/netinet/in_mcast.c index 3dc4fa271683..4fd00bac3ae4 100644 --- a/sys/netinet/in_mcast.c +++ b/sys/netinet/in_mcast.c @@ -2524,6 +2524,7 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) { struct epoch_tracker et; struct __msfilterreq msfr; + struct sockaddr_storage *kss; sockunion_t *gsa; struct ifnet *ifp; struct in_mfilter *imf; @@ -2536,9 +2537,6 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (error) return (error); - if (msfr.msfr_nsrcs > in_mcast_maxsocksrc) - return (ENOBUFS); - if ((msfr.msfr_fmode != MCAST_EXCLUDE && msfr.msfr_fmode != MCAST_INCLUDE)) return (EINVAL); @@ -2551,13 +2549,24 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (!IN_MULTICAST(ntohl(gsa->sin.sin_addr.s_addr))) return (EINVAL); + if (msfr.msfr_nsrcs > in_mcast_maxsocksrc) + return (ENOBUFS); + kss = mallocarray(msfr.msfr_nsrcs, sizeof(struct sockaddr_storage), + M_TEMP, M_WAITOK); + error = copyin(msfr.msfr_srcs, kss, + sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs); + if (error) + goto out_inp_unlocked; + gsa->sin.sin_port = 0; /* ignore port */ NET_EPOCH_ENTER(et); ifp = ifnet_byindex(msfr.msfr_ifindex); NET_EPOCH_EXIT(et); /* XXXGL: unsafe ifp */ - if (ifp == NULL) - return (EADDRNOTAVAIL); + if (ifp == NULL) { + error = EADDRNOTAVAIL; + goto out_inp_unlocked; + } IN_MULTI_LOCK(); @@ -2589,24 +2598,9 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (msfr.msfr_nsrcs > 0) { struct in_msource *lims; struct sockaddr_in *psin; - struct sockaddr_storage *kss, *pkss; + struct sockaddr_storage *pkss; int i; - INP_WUNLOCK(inp); - - CTR2(KTR_IGMPV3, "%s: loading %lu source list entries", - __func__, (unsigned long)msfr.msfr_nsrcs); - kss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, - M_TEMP, M_WAITOK); - error = copyin(msfr.msfr_srcs, kss, - sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs); - if (error) { - free(kss, M_TEMP); - return (error); - } - - INP_WLOCK(inp); - /* * Mark all source filters as UNDEFINED at t1. * Restore new group filter mode, as imf_leave() @@ -2641,7 +2635,6 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) break; lims->imsl_st[1] = imf->imf_st[1]; } - free(kss, M_TEMP); } if (error) @@ -2678,6 +2671,8 @@ out_imf_rollback: out_inp_locked: INP_WUNLOCK(inp); IN_MULTI_UNLOCK(); +out_inp_unlocked: + free(kss, M_TEMP); return (error); } diff --git a/sys/netinet6/in6_mcast.c b/sys/netinet6/in6_mcast.c index a6186568ecb2..4ec9f36cd9ac 100644 --- a/sys/netinet6/in6_mcast.c +++ b/sys/netinet6/in6_mcast.c @@ -2489,6 +2489,7 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) { struct __msfilterreq msfr; struct epoch_tracker et; + struct sockaddr_storage *kss; sockunion_t *gsa; struct ifnet *ifp; struct in6_mfilter *imf; @@ -2501,9 +2502,6 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (error) return (error); - if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc) - return (ENOBUFS); - if (msfr.msfr_fmode != MCAST_EXCLUDE && msfr.msfr_fmode != MCAST_INCLUDE) return (EINVAL); @@ -2516,19 +2514,31 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (!IN6_IS_ADDR_MULTICAST(&gsa->sin6.sin6_addr)) return (EINVAL); + if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc) + return (ENOBUFS); + kss = mallocarray(msfr.msfr_nsrcs, sizeof(struct sockaddr_storage), + M_TEMP, M_WAITOK); + error = copyin(msfr.msfr_srcs, kss, + sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs); + if (error) + goto out_in6p_unlocked; + gsa->sin6.sin6_port = 0; /* ignore port */ NET_EPOCH_ENTER(et); ifp = ifnet_byindex(msfr.msfr_ifindex); NET_EPOCH_EXIT(et); - if (ifp == NULL) - return (EADDRNOTAVAIL); + if (ifp == NULL) { + error = EADDRNOTAVAIL; + goto out_in6p_unlocked; + } (void)in6_setscope(&gsa->sin6.sin6_addr, ifp, NULL); /* * Take the INP write lock. * Check if this socket is a member of this group. */ + IN6_MULTI_LOCK(); imo = in6p_findmoptions(inp); imf = im6o_match_group(imo, ifp, &gsa->sa); if (imf == NULL) { @@ -2553,24 +2563,9 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (msfr.msfr_nsrcs > 0) { struct in6_msource *lims; struct sockaddr_in6 *psin; - struct sockaddr_storage *kss, *pkss; + struct sockaddr_storage *pkss; int i; - INP_WUNLOCK(inp); - - CTR2(KTR_MLD, "%s: loading %lu source list entries", - __func__, (unsigned long)msfr.msfr_nsrcs); - kss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, - M_TEMP, M_WAITOK); - error = copyin(msfr.msfr_srcs, kss, - sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs); - if (error) { - free(kss, M_TEMP); - return (error); - } - - INP_WLOCK(inp); - /* * Mark all source filters as UNDEFINED at t1. * Restore new group filter mode, as im6f_leave() @@ -2615,7 +2610,6 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) break; lims->im6sl_st[1] = imf->im6f_st[1]; } - free(kss, M_TEMP); } if (error) @@ -2650,6 +2644,9 @@ out_im6f_rollback: out_in6p_locked: INP_WUNLOCK(inp); + IN6_MULTI_UNLOCK(); +out_in6p_unlocked: + free(kss, M_TEMP); return (error); } From nobody Tue Jun 9 19:19:12 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxr3zL4z6gVLY for ; Tue, 09 Jun 2026 19:19:12 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxr1pHmz3PWK for ; Tue, 09 Jun 2026 19:19:12 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032752; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=0z5ud3OFk1wjXxw8zbzfM1VxlKpcD0A0LJlpgDwChpI=; b=QTKEbxHVcN0wYZhk1zId2Ys1gmSOU9Adh5sxnYYRtGiiqHwujTgYS/2Sjsqe3g3SFhNALn V+b6PzFJlEENBczCzTTdA+VkEML6ZQ/BNBvF93Xc0ZWqL9UqA+1KA9WoKDROiwVaeNlz/Z g1+9uJrosvrLyE9zIPzpT1k5fnp748/HVh6LHd7jcWa1Gm1JYBGK/YaXSuvJp+925/btvq fLbI0mT7Sb3iZYG8FZsj89dVNlV4623CBFuIY0L6fQgR81uPOsfCKqZuUigkqTXgcwLXrX cPnpOlQ0PwQvKj+HLXd5q36Q0R3UBNIW3LmCYl3flSNiq/VDTxC8VXNx6qtAVg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032752; a=rsa-sha256; cv=none; b=AYwF9plH2pqRrO8ERknoZ8GucJE6g3CyU1ItJbjuRwn30Gqrosj/53FJ8pExYomHxHw0KG OXiNE3AUxg6/G5uksW+noES5Cc8nzLAwGE8GY0a1+6oQtq9KdS4aKq/WIUpHbrfn/uRKCf xfP/KgrQ8N1Z/gER7BWdCzQSHDTiSd2GqLDeQO5TjZg6ugBMF0pQZEX5wEv/wFdQdIazdb pB5B1GuAPIwZdFv9wuHa3IKr42Bt5ND7NcL4WeOd1j5flpOWHxD4P2neANAj2XVr0qugPU uOSe2LjjAVQ0U0ndHIgz5zfHUYLf94FnyuZS6bE4ADJTI1xhwvj5TPqGVO0zOg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032752; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=0z5ud3OFk1wjXxw8zbzfM1VxlKpcD0A0LJlpgDwChpI=; b=XQzt80sooI/n2AWcUBJYgCTZKfuWqMLbECBp3mr6O8XcFj8Mb8r8VEzTFoll7po9am3Sg/ HXMGLs6thxDKVwKtlG6h4E8akE/Bzec58dNJMpfEfkGpGzDK4yQitMIqX+J7m7aTRw4Hdm tBPhLwQHenC+dcduVsY1WXCcbAgJMHE7zamJ674o6Eo0h3zmTHDCfROMwe84jy2Kog5wD7 yA77O2Qqnv9/c8YoRxxke6w1PjBR89n+A2GUs+7uFSVrKNx4yok7bkz3+cbZwZzD4yYk6w 8t1NQdiWYLGRyMLqFQFKyhshwIOX5rRuDiRKkXl2qPMqAZrfGloWuLQf74NdvA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxr12SFznrg for ; Tue, 09 Jun 2026 19:19:12 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e425 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:12 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Andrew Turner From: Mark Johnston Subject: git: 889e306ded21 - releng/14.4 - arm64: Workaround the following errata List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.4 X-Git-Reftype: branch X-Git-Commit: 889e306ded217659e25516c05265591aa17d4544 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:12 +0000 Message-Id: <6a286730.3e425.32446165@gitrepo.freebsd.org> The branch releng/14.4 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=889e306ded217659e25516c05265591aa17d4544 commit 889e306ded217659e25516c05265591aa17d4544 Author: Andrew Turner AuthorDate: 2026-05-28 09:25:30 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 13:21:34 +0000 arm64: Workaround the following errata - ARM C1-Premium erratum 4193780 - ARM C1-Ultra erratum 4193780 - ARM Cortex-A76 erratum 4193800 - ARM Cortex-A76AE erratum 4193801 - ARM Cortex-A77 erratum 4193798 - ARM Cortex-A78 erratum 4193791 - ARM Cortex-A78AE erratum 4193793 - ARM Cortex-A78C erratum 4193794 - ARM Cortex-A710 erratum 4193788 - ARM Cortex-X1 erratum 4193791 - ARM Cortex-X1C erratum 4193792 - ARM Cortex-X2 erratum 4193788 - ARM Cortex-X3 erratum 4193786 - ARM Cortex-X4 erratum 4118414 - ARM Cortex-X925 erratum 4193781 - ARM Neoverse-N1 erratum 4193800 - ARM Neoverse-N2 erratum 4193789 - ARM Neoverse-V1 erratum 4193790 - ARM Neoverse-V2 erratum 4193787 - ARM Neoverse-V3 erratum 4193784 - ARM Neoverse-V3AE erratum 4193784 These are all variants on an erratum where TLBI+DSB instructions on one CPU may incorrectly complete early leading to stores to an updated address using an incorrect translation on another CPU. In all cases the workaround is to add a second TLBI+DSB. Approved by: so Security: FreeBSD-SA-26:31.arm64 Security: CVE-2025-10263 Sponsored by: Arm Ltd --- sys/arm64/arm64/pmap.c | 60 ++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 51 insertions(+), 9 deletions(-) diff --git a/sys/arm64/arm64/pmap.c b/sys/arm64/arm64/pmap.c index 517052419ed4..31c04cf1f00a 100644 --- a/sys/arm64/arm64/pmap.c +++ b/sys/arm64/arm64/pmap.c @@ -1547,20 +1547,62 @@ static cpu_feat_en pmap_multiple_tlbi_check(const struct cpu_feat *feat __unused, u_int midr) { /* - * Cortex-A55 erratum 2441007 (Cat B rare) + * ARM C1-Premium erratum 4193780 + * ARM C1-Ultra erratum 4193780 + * ARM Cortex-A76 erratum 4193800 + * ARM Cortex-A76AE erratum 4193801 + * ARM Cortex-A77 erratum 4193798 + * ARM Cortex-A78 erratum 4193791 + * ARM Cortex-A78AE erratum 4193793 + * ARM Cortex-A78C erratum 4193794 + * ARM Cortex-A710 erratum 4193788 + * ARM Cortex-X1 erratum 4193791 + * ARM Cortex-X1C erratum 4193792 + * ARM Cortex-X2 erratum 4193788 + * ARM Cortex-X3 erratum 4193786 + * ARM Cortex-X4 erratum 4118414 + * ARM Cortex-X925 erratum 4193781 + * ARM Neoverse-N1 erratum 4193800 + * ARM Neoverse-N2 erratum 4193789 + * ARM Neoverse-V1 erratum 4193790 + * ARM Neoverse-V2 erratum 4193787 + * ARM Neoverse-V3 erratum 4193784 + * ARM Neoverse-V3AE erratum 4193784 * Present in all revisions */ - if (CPU_IMPL(midr) == CPU_IMPL_ARM && - CPU_PART(midr) == CPU_PART_CORTEX_A55) - return (FEAT_DEFAULT_DISABLE); + if (CPU_IMPL(midr) == CPU_IMPL_ARM) { + switch(CPU_PART(midr)) { + case CPU_PART_C1_PREMIUM: + case CPU_PART_C1_ULTRA: + case CPU_PART_CORTEX_A76: + case CPU_PART_CORTEX_A76AE: + case CPU_PART_CORTEX_A77: + case CPU_PART_CORTEX_A78: + case CPU_PART_CORTEX_A78AE: + case CPU_PART_CORTEX_A78C: + case CPU_PART_CORTEX_A710: + case CPU_PART_CORTEX_X1: + case CPU_PART_CORTEX_X1C: + case CPU_PART_CORTEX_X2: + case CPU_PART_CORTEX_X3: + case CPU_PART_CORTEX_X4: + case CPU_PART_CORTEX_X925: + case CPU_PART_NEOVERSE_N1: + case CPU_PART_NEOVERSE_N2: + case CPU_PART_NEOVERSE_V1: + case CPU_PART_NEOVERSE_V2: + case CPU_PART_NEOVERSE_V3: + case CPU_PART_NEOVERSE_V3AE: + return (FEAT_DEFAULT_ENABLE); + } + } /* - * Cortex-A76 erratum 1286807 (Cat B rare) - * Present in r0p0 - r3p0 - * Fixed in r3p1 + * Cortex-A55 erratum 2441007 (Cat B rare) + * Present in all revisions */ - if (midr_check_var_part_range(midr, CPU_IMPL_ARM, CPU_PART_CORTEX_A76, - 0, 0, 3, 0)) + if (CPU_IMPL(midr) == CPU_IMPL_ARM && + CPU_PART(midr) == CPU_PART_CORTEX_A55) return (FEAT_DEFAULT_DISABLE); /* From nobody Tue Jun 9 19:19:13 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxs5yPCz6gVCc for ; Tue, 09 Jun 2026 19:19:13 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxs2cwmz3PT6 for ; Tue, 09 Jun 2026 19:19:13 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032753; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=b2yIePPYxtVQ0Kep0B2gc+vSK9b7dzmahxQGSe/qsvc=; b=cV3dwwW64Oh8vVjz//7C7GE5yD96W86pqvSImb6FMvImFgxJJ62YWzUDMEARSxAsDXMYSN /u6tu/IYi2zDi70egeSOmVAveek1rcu3m9ZUe7TbY7ldVVISVCc/r5G/wh6Nuay/TjZpu0 +Cm7qMwnviQhbvW25Uw/lgD0s7sJxU4BWst4e13QEcRe2s9/3RBuP7sOxAbQcbP6v5DOzB N8QIm6LKh7LeVc/ibMPkQ7tq+rNOjsgAhSnw3AZR2iWdAqdBSjVEVUmguBDgjt6IypH7AP OOxnREukN4w8hpd9BLYNl3xMz130Bcv0M1dgEMmLAO+dI/2Ev4eI5jCC3i4EHw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032753; a=rsa-sha256; cv=none; b=yKaQ4w1EFdg/JkpaT7e2+dVtLG39Afh+VfzWAb0FGs4CUXSaQjgucVMWCNGHYJVKH5lcUE udCjDI6CNH3pAXsxM968GgITSjhq2TUEG/MgLuidk6719m12xXHFU1Bibu2pDbJFBY6B5d ZqZsAH9u/7pgdM0AG5K2/krj0Rpj2lBj1/vQRK9EjamOhnicZ3sZB2koxPJwug1/7mjlNq ZvneJiWx5VQAc3YNvGoNiYJAZV7ZHXbQiXrZfFBc9m/ckjGkYG6XtbXZAiuwWV0aHNu8V3 BYcE7Lona8axqDikDWjg2aFTzr0yqi7vbLmM/YK0mFuZmKhCKmpviWbQHON+qw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032753; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=b2yIePPYxtVQ0Kep0B2gc+vSK9b7dzmahxQGSe/qsvc=; b=J6wBoFmpglK68NmHYfSWHm7b4+VXdpIruVISUrYB5wtcHrbkJmoIeUVIZT/DmSQJ8ZbIoC a1+00KRkfssf/vGyJx4AvR/gTEzfPFupH/pEHX8GmJq+PxPQQHXEGoab9/ZuFSXelPIb2b osWljqmr1Qmh3igxTP4kdyNiUbbC0cu8vrCkCAPqaEKRJKWO8jYtRh4rVw/Y1P/Z0HoGwb gmC5Mr91iTTbvx4ELxnsXlYpLBC4HHv8j7o8SeEUpsn4fo19h2kHQfdTsCzCkGy/+wP/wS fYvnwXu8CdqnZ4Gw6DrqrTHlRREk/1PnzBXxSMPuAdMVXt3p6L2MSuIOwYTMng== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxs1v30znG4 for ; Tue, 09 Jun 2026 19:19:13 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3c5ff by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:13 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 547fc2a98a24 - releng/14.4 - imgact_elf: Clear no-ASLR and -WXORX flags earlier for setugid images List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.4 X-Git-Reftype: branch X-Git-Commit: 547fc2a98a24129b12c573531130630f162c1cdd Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:13 +0000 Message-Id: <6a286731.3c5ff.2dc8d33d@gitrepo.freebsd.org> The branch releng/14.4 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=547fc2a98a24129b12c573531130630f162c1cdd commit 547fc2a98a24129b12c573531130630f162c1cdd Author: Mark Johnston AuthorDate: 2026-06-02 20:29:00 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 13:21:34 +0000 imgact_elf: Clear no-ASLR and -WXORX flags earlier for setugid images Otherwise an unprivileged user can disable randomization of the base address for PIEs even if they are setugid. Add a regression test. Approved by: so Security: FreeBSD-SA-26:32.elf Security: CVE-2026-49414 Reported by: David Berard Reviewed by: kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57397 --- sys/kern/imgact_elf.c | 55 ++++++++--------- tests/sys/kern/Makefile | 2 + tests/sys/kern/aslr.c | 157 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 187 insertions(+), 27 deletions(-) diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c index ea74c07cbc48..df9156ad76ca 100644 --- a/sys/kern/imgact_elf.c +++ b/sys/kern/imgact_elf.c @@ -1230,11 +1230,39 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) error = ENOEXEC; goto ret; } + + /* + * Avoid a possible deadlock if the current address space is destroyed + * and that address space maps the locked vnode. In the common case, + * the locked vnode's v_usecount is decremented but remains greater + * than zero. Consequently, the vnode lock is not needed by vrele(). + * However, in cases where the vnode lock is external, such as nullfs, + * v_usecount may become zero. + * + * The VV_TEXT flag prevents modifications to the executable while + * the vnode is unlocked. + */ + VOP_UNLOCK(imgp->vp); + + /* + * Decide whether to enable randomization of user mappings. First, + * reset user preferences for the setid binaries. Then, account for the + * support of randomization by the ABI, by user preferences, and make + * special treatment for PIE binaries. + */ + if (imgp->credential_setid) { + PROC_LOCK(imgp->proc); + imgp->proc->p_flag2 &= ~(P2_ASLR_ENABLE | P2_ASLR_DISABLE | + P2_WXORX_DISABLE | P2_WXORX_ENABLE_EXEC); + PROC_UNLOCK(imgp->proc); + } + sv = brand_info->sysvec; if (hdr->e_type == ET_DYN) { if ((brand_info->flags & BI_CAN_EXEC_DYN) == 0) { uprintf("Cannot execute shared object\n"); error = ENOEXEC; + (void)vn_lock(imgp->vp, LK_SHARED | LK_RETRY); goto ret; } /* @@ -1253,33 +1281,6 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) imgp->et_dyn_addr = __elfN(pie_base); } } - - /* - * Avoid a possible deadlock if the current address space is destroyed - * and that address space maps the locked vnode. In the common case, - * the locked vnode's v_usecount is decremented but remains greater - * than zero. Consequently, the vnode lock is not needed by vrele(). - * However, in cases where the vnode lock is external, such as nullfs, - * v_usecount may become zero. - * - * The VV_TEXT flag prevents modifications to the executable while - * the vnode is unlocked. - */ - VOP_UNLOCK(imgp->vp); - - /* - * Decide whether to enable randomization of user mappings. - * First, reset user preferences for the setid binaries. - * Then, account for the support of the randomization by the - * ABI, by user preferences, and make special treatment for - * PIE binaries. - */ - if (imgp->credential_setid) { - PROC_LOCK(imgp->proc); - imgp->proc->p_flag2 &= ~(P2_ASLR_ENABLE | P2_ASLR_DISABLE | - P2_WXORX_DISABLE | P2_WXORX_ENABLE_EXEC); - PROC_UNLOCK(imgp->proc); - } if ((sv->sv_flags & SV_ASLR) == 0 || (imgp->proc->p_flag2 & P2_ASLR_DISABLE) != 0 || (fctl0 & NT_FREEBSD_FCTL_ASLR_DISABLE) != 0) { diff --git a/tests/sys/kern/Makefile b/tests/sys/kern/Makefile index 3dcfbc71f6e5..67cdf19f6d6e 100644 --- a/tests/sys/kern/Makefile +++ b/tests/sys/kern/Makefile @@ -8,6 +8,7 @@ TESTSRC= ${SRCTOP}/contrib/netbsd-tests/kernel TESTSDIR= ${TESTSBASE}/sys/kern +ATF_TESTS_C+= aslr ATF_TESTS_C+= basic_signal ATF_TESTS_C+= copy_file_range .if ${MACHINE_ARCH} != "i386" && ${MACHINE_ARCH} != "powerpc" && \ @@ -75,6 +76,7 @@ PROGS+= coredump_phnum_helper PROGS+= pdeathsig_helper PROGS+= sendfile_helper +LIBADD.aslr+= util LIBADD.copy_file_range+= md LIBADD.jail_lookup_root+= jail util CFLAGS.sys_getrandom+= -I${SRCTOP}/sys/contrib/zstd/lib diff --git a/tests/sys/kern/aslr.c b/tests/sys/kern/aslr.c new file mode 100644 index 000000000000..13038054603c --- /dev/null +++ b/tests/sys/kern/aslr.c @@ -0,0 +1,157 @@ +/* + * Copyright (c) 2026 The FreeBSD Foundation + * + * This software was developed by Mark Johnston under sponsorship from the + * FreeBSD Foundation. + */ + +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +#include + +/* + * Spawn an unprivileged child with ASLR force-disabled, which then execs + * /sbin/ping (setuid root). + */ +static pid_t +spawn_ping(const atf_tc_t *tc) +{ + const char *user; + struct passwd *passwd; + pid_t child; + int arg, error; + + user = atf_tc_get_config_var(tc, "unprivileged_user"); + passwd = getpwnam(user); + ATF_REQUIRE(passwd != NULL); + + child = fork(); + ATF_REQUIRE(child >= 0); + if (child == 0) { + if (seteuid(passwd->pw_uid) != 0) + _exit(1); + + arg = PROC_ASLR_FORCE_DISABLE; + error = procctl(P_PID, getpid(), PROC_ASLR_CTL, &arg); + if (error != 0) + _exit(2); + + execl("/sbin/ping", "ping", "127.0.0.1", NULL); + _exit(127); + } + usleep(500000); /* XXX-MJ */ + + return (child); +} + +/* + * Return the base address of the first mapping backed by the specified + * executable in the given process, or 0 if not found. + */ +static uint64_t +text_base(pid_t pid, const char *path) +{ + struct kinfo_vmentry *vmmap; + uint64_t base; + int cnt; + + base = 0; + vmmap = kinfo_getvmmap(pid, &cnt); + if (vmmap == NULL) + return (0); + for (int i = 0; i < cnt; i++) { + if (vmmap[i].kve_type == KVME_TYPE_VNODE && + strcmp(vmmap[i].kve_path, path) == 0) { + base = vmmap[i].kve_start; + break; + } + } + free(vmmap); + return (base); +} + +/* + * Make sure that ASLR can't be disabled for a setuid executable by an + * unprivileged user. + */ +ATF_TC(aslr_setuid); +ATF_TC_HEAD(aslr_setuid, tc) +{ + atf_tc_set_md_var(tc, "require.user", "root"); + atf_tc_set_md_var(tc, "require.config", "unprivileged_user"); +} +ATF_TC_BODY(aslr_setuid, tc) +{ + struct stat sb; + uint64_t bases[5]; + pid_t child, pid; + int arg, error, st; + + if (!atf_tc_has_config_var(tc, "unprivileged_user")) + atf_tc_skip("unprivileged_user not set"); + + error = stat("/sbin/ping", &sb); + ATF_REQUIRE(error == 0); + ATF_REQUIRE_MSG(sb.st_uid == 0 && (sb.st_mode & S_ISUID) != 0, + "/sbin/ping is not setuid root"); + + child = spawn_ping(tc); + bases[0] = text_base(child, "/sbin/ping"); + ATF_REQUIRE_MSG(bases[0] != 0, + "failed to find /sbin/ping text segment"); + + arg = 0; + error = procctl(P_PID, child, PROC_ASLR_STATUS, &arg); + ATF_REQUIRE_MSG(error == 0, "procctl ASLR_STATUS failed: %s", + strerror(errno)); + ATF_REQUIRE_MSG((arg & PROC_ASLR_ACTIVE) != 0, + "ASLR is not active for setuid child"); + ATF_REQUIRE_MSG((arg & ~PROC_ASLR_ACTIVE) == PROC_ASLR_NOFORCE, + "expected NOFORCE for setuid child, got %d", + arg & ~PROC_ASLR_ACTIVE); + + error = kill(child, SIGTERM); + ATF_REQUIRE(error == 0); + pid = waitpid(child, &st, 0); + ATF_REQUIRE(pid == child); + ATF_REQUIRE(WIFSIGNALED(st) && WTERMSIG(st) == SIGTERM); + + for (size_t i = 1; i < nitems(bases); i++) { + child = spawn_ping(tc); + bases[i] = text_base(child, "/sbin/ping"); + ATF_REQUIRE_MSG(bases[i] != 0, + "failed to find /sbin/ping text segment"); + error = kill(child, SIGTERM); + ATF_REQUIRE(error == 0); + pid = waitpid(child, &st, 0); + ATF_REQUIRE(pid == child); + ATF_REQUIRE(WIFSIGNALED(st) && WTERMSIG(st) == SIGTERM); + } + + /* Verify that the text base is different across all runs. */ + for (size_t i = 0; i < nitems(bases); i++) { + for (size_t j = i + 1; j < nitems(bases); j++) { + ATF_REQUIRE_MSG(bases[i] != bases[j], + "ping text base collision 0x%jx", + (uintmax_t)bases[i]); + } + } +} + +ATF_TP_ADD_TCS(tp) +{ + ATF_TP_ADD_TC(tp, aslr_setuid); + + return (atf_no_error()); +} From nobody Tue Jun 9 19:19:14 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxt5sNrz6gVR8 for ; Tue, 09 Jun 2026 19:19:14 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxt3jG6z3Pdr for ; Tue, 09 Jun 2026 19:19:14 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032754; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=NAI/gn8QQrYuuJ53Yfm/Zim/Tu4QTeJT0puygfZ6wug=; b=ogfKDaZcNcVVZg1xkuJslm296SM9n2gBKN1wHI/naCZxqxG/8lr68dtCx1+SJw5z7YvXqC YF7sB2mj3pKSv8eAf+3G7PHD+tH54LU25ubEvhtE2QSF99+T/7W9/BdK+jKdtXMC9SIdzx 8T7yNjZYYlKn/+/38c7xrlPSaIR0zJh35V37TKacYVyjrmQzOcS/Ot7crMw3npvrLQ50P3 nBW5zybDx60Z8un6lDvTC7bbJj/vuRaXTIIPD40nZjJ4lp5DoQCIGflgJe2FHeJ2Xzi1W/ zmARQEdUD4zPh+mLBKxMG6NPiit+TxL00By0bML9FrjHwozV5p6xfnwBRJ/aeg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032754; a=rsa-sha256; cv=none; b=OfnzWtJQoZxK07FIoBPFK1COWk6cmlYsCcjxMcOecDvJGX1GNk/jXytFoRgusXdTwmaBmt JcrPTTY7g4CAPFGr3vuwyRS/qXRTQ7KQg90nMG1vHMX59GP6XKLrvhwNTFYtQ5AZEzNkXu 7FUk5LMC0XbS5bqiL8yvGITZFI5vjHO1uXtWabZjyJRn2A0/VZJRKoEHG1k6bKIrOHY5+m 3rFRRs9WGKPRRCVUURaDvD5U5OVlYQnGCo+A9TsOO2a/LLtUbnm8yRabRYewhnz7Vld9Sx zige4m70GpT24hKpvJy33pMcBCK495to790G42XM1cRc+FHq1a5vHwf0vU4jJg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032754; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=NAI/gn8QQrYuuJ53Yfm/Zim/Tu4QTeJT0puygfZ6wug=; b=oFwqZ9H4pHLIH8NE0hzkm3zk2HRhcCNYuXFwv4pZb8LMWVFqZlWzQtnmX6Nk7J6lKwFHB/ lkthXcCc/dK+RFiVstDBznYtSjZ5GQ72t6cLdb/75UcGELIzuPuKk1B/xODmyBQSEtj3HB qmUhfaKz+XBliVuxBMxBVMv7KYKOr4+cpgB2h6zOkDMCV2N9u4J4ByYJYaeQfoTBZs0Mru t8Ffx/MbiTTQdT92QmECplwa2bCKze5LVPmn6PlQhiO2z9lvfIE0M3DqDz6jByhIQ6l+2y fiAz0iT22AvKXFD5vQukNReqVNgkfOqV2yAspXUHt1p+FKBGHFLrz8BBX2ZPDA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxt3DBhznkt for ; Tue, 09 Jun 2026 19:19:14 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3dab0 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:14 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Dag-Erling=?utf-8?Q? Sm=C3=B8rg?=rav From: Mark Johnston Subject: git: 857abc12945a - releng/14.4 - unbound: Apply upstream patches List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.4 X-Git-Reftype: branch X-Git-Commit: 857abc12945a8f31fd445eab92a7c08a7f61479d Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:14 +0000 Message-Id: <6a286732.3dab0.6723e2ba@gitrepo.freebsd.org> The branch releng/14.4 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=857abc12945a8f31fd445eab92a7c08a7f61479d commit 857abc12945a8f31fd445eab92a7c08a7f61479d Author: Dag-Erling Smørgrav AuthorDate: 2026-05-29 22:21:50 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 13:21:34 +0000 unbound: Apply upstream patches - Use the same EDE removal logic when encoding errors as when encoding replies. - Fix CVE-2026-33278, Possible remote code execution during DNSSEC validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report. - Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto Networks, for the report. - Fix CVE-2026-42959, Crash during DNSSEC validation of malicious content. Thanks to Qifan Zhang, Palo Alto Networks, for the report. - Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew Griffiths from 'calif.io' for the report. - Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan Zhang, Palo Alto Networks, for the report. - Fix CVE-2026-41292, Parsing a long list of incoming EDNS options degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan Zhang from Palo Alto Networks, for the report. - Fix CVE-2026-42534, Jostle logic bypass degrades resolution performance. Thanks to Qifan Zhang, Palo Alto Networks, for the report. - Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for the report. - Fix CVE-2026-42960, Possible cache poisoning attack while following delegation. Thanks to TaoFei Guo from Peking University, Yang Luo and JianJun Chen, Tsinghua University, for the report. - Fix CVE-2026-44390, Unbounded name compression in certain cases causes degradation of service. Thanks to Qifan Zhang, Palo Alto Networks, for the report. - Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks to Qifan Zhang, Palo Alto Networks, for the report. Approved by: so Security: FreeBSD-SA-26:33.unbound Security: CVE-2026-33278 Security: CVE-2026-42944 Security: CVE-2026-42959 Security: CVE-2026-32792 Security: CVE-2026-40622 Security: CVE-2026-41292 Security: CVE-2026-42534 Security: CVE-2026-42923 Security: CVE-2026-42960 Security: CVE-2026-44390 Security: CVE-2026-44608 --- contrib/unbound/dnscrypt/dnscrypt.c | 2 +- contrib/unbound/iterator/iter_scrub.c | 8 +++- contrib/unbound/services/cache/dns.c | 8 +++- contrib/unbound/services/cache/rrset.c | 10 +++++ contrib/unbound/services/mesh.c | 14 +++++-- contrib/unbound/services/mesh.h | 6 +++ contrib/unbound/services/rpz.c | 10 +++-- contrib/unbound/util/data/msgencode.c | 54 ++++++++++++++++-------- contrib/unbound/util/data/msgencode.h | 4 +- contrib/unbound/util/data/msgparse.c | 19 ++++++--- contrib/unbound/util/data/msgparse.h | 4 ++ contrib/unbound/validator/val_neg.c | 28 ++++++++++++- contrib/unbound/validator/val_nsec3.c | 76 +++++++++++++++++++++++++++++++--- contrib/unbound/validator/val_nsec3.h | 6 +++ contrib/unbound/validator/val_utils.c | 4 +- 15 files changed, 209 insertions(+), 44 deletions(-) diff --git a/contrib/unbound/dnscrypt/dnscrypt.c b/contrib/unbound/dnscrypt/dnscrypt.c index 4902447fda01..173484cdf0b1 100644 --- a/contrib/unbound/dnscrypt/dnscrypt.c +++ b/contrib/unbound/dnscrypt/dnscrypt.c @@ -361,7 +361,7 @@ dnscrypt_server_uncurve(struct dnsc_env* env, len -= DNSCRYPT_QUERY_HEADER_SIZE; - while (*sldns_buffer_at(buffer, --len) == 0) + while (len>0 && *sldns_buffer_at(buffer, --len) == 0) ; if (*sldns_buffer_at(buffer, len) != 0x80) { diff --git a/contrib/unbound/iterator/iter_scrub.c b/contrib/unbound/iterator/iter_scrub.c index 8507a3fb65ac..852705db3ee9 100644 --- a/contrib/unbound/iterator/iter_scrub.c +++ b/contrib/unbound/iterator/iter_scrub.c @@ -725,7 +725,13 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, rrset->rrset_all_next = NULL; return 1; } - mark_additional_rrset(pkt, msg, rrset); + /* Only mark glue as allowed for type NS in the authority + * section. Other RR types do not get glue for them, it + * is allowed from the answer section, but not authority + * so that a message can not have address records cached + * as a side effect to the query. */ + if(rrset->type==LDNS_RR_TYPE_NS) + mark_additional_rrset(pkt, msg, rrset); prev = rrset; rrset = rrset->rrset_all_next; } diff --git a/contrib/unbound/services/cache/dns.c b/contrib/unbound/services/cache/dns.c index 351b3568c80b..8dae2ffcca90 100644 --- a/contrib/unbound/services/cache/dns.c +++ b/contrib/unbound/services/cache/dns.c @@ -675,10 +675,16 @@ struct dns_msg* dns_msg_deepcopy_region(struct dns_msg* origin, struct regional* region) { size_t i; + struct ub_packed_rrset_key** saved_rrsets; struct dns_msg* res = NULL; + size_t rep_alloc_size = sizeof(struct reply_info) + - sizeof(struct rrset_ref); /* this is the size of res->rep + allocated in gen_dns_msg() */ res = gen_dns_msg(region, &origin->qinfo, origin->rep->rrset_count); if(!res) return NULL; - *res->rep = *origin->rep; + saved_rrsets = res->rep->rrsets; /* save rrsets alloc by gen_dns_msg */ + memcpy(res->rep, origin->rep, rep_alloc_size); + res->rep->rrsets = saved_rrsets; if(origin->rep->reason_bogus_str) { res->rep->reason_bogus_str = regional_strdup(region, origin->rep->reason_bogus_str); diff --git a/contrib/unbound/services/cache/rrset.c b/contrib/unbound/services/cache/rrset.c index 6d5c24f8053e..81f4e2820edd 100644 --- a/contrib/unbound/services/cache/rrset.c +++ b/contrib/unbound/services/cache/rrset.c @@ -149,6 +149,16 @@ need_to_update_rrset(void* nd, void* cd, time_t timenow, int equal, int ns) if(equal && cached->ttl >= timenow && cached->security == sec_status_bogus) return 0; + /* ghost-domain: never let an NS overwrite extend lifetime + * past the entry it replaces, regardless of trust. */ + if(ns && !TTL_IS_EXPIRED(cached->ttl, timenow) && + newd->ttl > cached->ttl) { + size_t i; + newd->ttl = cached->ttl; + for(i=0; i<(newd->count+newd->rrsig_count); i++) + if(newd->rr_ttl[i] > newd->ttl) + newd->rr_ttl[i] = newd->ttl; + } return 1; } /* o item in cache has expired */ diff --git a/contrib/unbound/services/mesh.c b/contrib/unbound/services/mesh.c index 3212a6abf4c6..23499dcef960 100644 --- a/contrib/unbound/services/mesh.c +++ b/contrib/unbound/services/mesh.c @@ -296,12 +296,14 @@ int mesh_make_new_space(struct mesh_area* mesh, sldns_buffer* qbuf) if(mesh->num_reply_states < mesh->max_reply_states) return 1; /* try to kick out a jostle-list item */ - if(m && m->reply_list && m->list_select == mesh_jostle_list) { + if(m && m->list_select == mesh_jostle_list) { /* how old is it? */ struct timeval age; - timeval_subtract(&age, mesh->env->now_tv, - &m->reply_list->start_time); - if(timeval_smaller(&mesh->jostle_max, &age)) { + if(m->has_first_reply_time) + timeval_subtract(&age, mesh->env->now_tv, + &m->first_reply_time); + if(!m->has_first_reply_time || + timeval_smaller(&mesh->jostle_max, &age)) { /* its a goner */ log_nametypeclass(VERB_ALGO, "query jostled out to " "make space for a new one", @@ -1960,6 +1962,10 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns, r->qid = qid; r->qflags = qflags; r->start_time = *s->s.env->now_tv; + if(s->reply_list == NULL && !s->has_first_reply_time) { + s->first_reply_time = r->start_time; + s->has_first_reply_time = 1; + } r->next = s->reply_list; r->qname = regional_alloc_init(s->s.region, qinfo->qname, s->s.qinfo.qname_len); diff --git a/contrib/unbound/services/mesh.h b/contrib/unbound/services/mesh.h index f19f423a8cd3..a61f90993177 100644 --- a/contrib/unbound/services/mesh.h +++ b/contrib/unbound/services/mesh.h @@ -189,6 +189,12 @@ struct mesh_state { struct module_qstate s; /** the list of replies to clients for the results */ struct mesh_reply* reply_list; + /** if it has a first reply time */ + int has_first_reply_time; + /** wall-clock time the first client reply was attached; + * used by mesh_make_new_space() so duplicate retransmits + * cannot reset jostle aging. */ + struct timeval first_reply_time; /** the list of callbacks for the results */ struct mesh_cb* cb_list; /** set of superstates (that want this state's result) diff --git a/contrib/unbound/services/rpz.c b/contrib/unbound/services/rpz.c index f45cf65420d7..27f7de861eac 100644 --- a/contrib/unbound/services/rpz.c +++ b/contrib/unbound/services/rpz.c @@ -2468,6 +2468,7 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate* { struct auth_zones* az; struct auth_zone* a; + struct dns_msg* ret = NULL; struct clientip_synthesized_rr* raddr = NULL; struct rpz* r = NULL; struct local_zone* z = NULL; @@ -2511,13 +2512,11 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate* z = rpz_delegation_point_zone_lookup(is->dp, r->nsdname_zones, is->qchase.qclass, &match); if(z != NULL) { - lock_rw_unlock(&a->lock); break; } raddr = rpz_delegation_point_ipbased_trigger_lookup(r, is); if(raddr != NULL) { - lock_rw_unlock(&a->lock); break; } lock_rw_unlock(&a->lock); @@ -2532,9 +2531,12 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate* if(z) { lock_rw_unlock(&z->lock); } - return rpz_apply_nsip_trigger(ms, &is->qchase, r, raddr, a); + ret = rpz_apply_nsip_trigger(ms, &is->qchase, r, raddr, a); + } else { + ret = rpz_apply_nsdname_trigger(ms, &is->qchase, r, z, &match, a); } - return rpz_apply_nsdname_trigger(ms, &is->qchase, r, z, &match, a); + lock_rw_unlock(&a->lock); + return ret; } struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms, diff --git a/contrib/unbound/util/data/msgencode.c b/contrib/unbound/util/data/msgencode.c index 84aa3b9e75ae..f84c491b1c9f 100644 --- a/contrib/unbound/util/data/msgencode.c +++ b/contrib/unbound/util/data/msgencode.c @@ -352,7 +352,6 @@ compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs, (p = compress_tree_lookup(tree, dname, labs, &insertpt))) { if(!write_compressed_dname(pkt, dname, labs, p)) return RETVAL_TRUNC; - (*compress_count)++; } else { if(!dname_buffer_write(pkt, dname)) return RETVAL_TRUNC; @@ -360,6 +359,7 @@ compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs, if(*compress_count < MAX_COMPRESSION_PER_MESSAGE && !compress_tree_store(dname, labs, pos, region, p, insertpt)) return RETVAL_OUTMEM; + (*compress_count)++; return RETVAL_OK; } @@ -804,7 +804,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep, return 1; } -uint16_t +size_t calc_edns_field_size(struct edns_data* edns) { size_t rdatalen = 0; @@ -840,7 +840,7 @@ calc_edns_option_size(struct edns_data* edns, uint16_t code) } uint16_t -calc_ede_option_size(struct edns_data* edns, uint16_t* txt_size) +calc_ede_option_size(struct edns_data* edns, size_t* txt_size) { size_t rdatalen = 0; struct edns_option* opt; @@ -942,6 +942,10 @@ attach_edns_record_max_msg_sz(sldns_buffer* pkt, struct edns_data* edns, padding_option = opt; continue; } + if(sldns_buffer_position(pkt) + opt->opt_len + 4 > max_msg_sz) + break; /* no space for it */ + if(!sldns_buffer_available(pkt, 4 + opt->opt_len)) + break; sldns_buffer_write_u16(pkt, opt->opt_code); sldns_buffer_write_u16(pkt, opt->opt_len); if(opt->opt_len != 0) @@ -952,12 +956,18 @@ attach_edns_record_max_msg_sz(sldns_buffer* pkt, struct edns_data* edns, padding_option = opt; continue; } + if(sldns_buffer_position(pkt) + opt->opt_len + 4 > max_msg_sz) + break; /* no space for it */ + if(!sldns_buffer_available(pkt, 4 + opt->opt_len)) + break; sldns_buffer_write_u16(pkt, opt->opt_code); sldns_buffer_write_u16(pkt, opt->opt_len); if(opt->opt_len != 0) sldns_buffer_write(pkt, opt->opt_data, opt->opt_len); } - if (padding_option && edns->padding_block_size ) { + if (padding_option && edns->padding_block_size && + sldns_buffer_position(pkt)+4 <= max_msg_sz && + sldns_buffer_available(pkt, 4) /* if there is space for it */) { size_t pad_pos = sldns_buffer_position(pkt); size_t msg_sz = ((pad_pos + 3) / edns->padding_block_size + 1) * edns->padding_block_size; @@ -1001,7 +1011,7 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep, { uint16_t flags; unsigned int attach_edns = 0; - uint16_t edns_field_size, ede_size, ede_txt_size; + size_t edns_field_size, ede_size, ede_txt_size; if(!cached || rep->authoritative) { /* original flags, copy RD and CD bits from query. */ @@ -1028,12 +1038,12 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep, * calculate sizes once here */ edns_field_size = calc_edns_field_size(edns); ede_size = calc_ede_option_size(edns, &ede_txt_size); - if(sldns_buffer_capacity(pkt) < udpsize) + if(sldns_buffer_capacity(pkt) < (size_t)udpsize) udpsize = sldns_buffer_capacity(pkt); if(!edns || !edns->edns_present) { attach_edns = 0; /* EDEs are optional, try to fit anything else before them */ - } else if(udpsize < LDNS_HEADER_SIZE + edns_field_size - ede_size) { + } else if((size_t)udpsize < (size_t)LDNS_HEADER_SIZE + edns_field_size - ede_size) { /* packet too small to contain edns, omit it. */ attach_edns = 0; } else { @@ -1047,13 +1057,13 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep, return 0; } if(attach_edns) { - if(udpsize >= sldns_buffer_limit(pkt) + edns_field_size) + if((size_t)udpsize >= sldns_buffer_limit(pkt) + edns_field_size) attach_edns_record_max_msg_sz(pkt, edns, udpsize); - else if(udpsize >= sldns_buffer_limit(pkt) + edns_field_size - ede_txt_size) { + else if((size_t)udpsize >= sldns_buffer_limit(pkt) + edns_field_size - ede_txt_size) { ede_trim_text(&edns->opt_list_inplace_cb_out); ede_trim_text(&edns->opt_list_out); attach_edns_record_max_msg_sz(pkt, edns, udpsize); - } else if(udpsize >= sldns_buffer_limit(pkt) + edns_field_size - ede_size) { + } else if((size_t)udpsize >= sldns_buffer_limit(pkt) + edns_field_size - ede_size) { edns_opt_list_remove(&edns->opt_list_inplace_cb_out, LDNS_EDNS_EDE); edns_opt_list_remove(&edns->opt_list_out, LDNS_EDNS_EDE); attach_edns_record_max_msg_sz(pkt, edns, udpsize); @@ -1115,22 +1125,30 @@ extended_error_encode(sldns_buffer* buf, uint16_t rcode, sldns_buffer_write_u16(buf, qinfo->qclass); } sldns_buffer_flip(buf); - if(edns) { + if(edns && edns->edns_present) { + size_t edns_field_size, ede_size, ede_txt_size; struct edns_data es = *edns; es.edns_version = EDNS_ADVERTISED_VERSION; es.udp_size = EDNS_ADVERTISED_SIZE; es.ext_rcode = (uint8_t)(rcode >> 4); es.bits &= EDNS_DO; - if(sldns_buffer_limit(buf) + calc_edns_field_size(&es) > - edns->udp_size) { + /* EDEs are optional. If space is a concern try in order: + * - removing any EXTRA-TEXT fields from explicit EDEs, or + * - removing all EDEs, + * to see if EDNS can fit. */ + edns_field_size = calc_edns_field_size(&es); + ede_size = calc_ede_option_size(&es, &ede_txt_size); + if((size_t)edns->udp_size >= sldns_buffer_limit(buf) + edns_field_size) + attach_edns_record_max_msg_sz(buf, &es, edns->udp_size); + else if((size_t)edns->udp_size >= sldns_buffer_limit(buf) + edns_field_size - ede_txt_size) { + ede_trim_text(&es.opt_list_inplace_cb_out); + ede_trim_text(&es.opt_list_out); + attach_edns_record_max_msg_sz(buf, &es, edns->udp_size); + } else if((size_t)edns->udp_size >= sldns_buffer_limit(buf) + edns_field_size - ede_size) { edns_opt_list_remove(&es.opt_list_inplace_cb_out, LDNS_EDNS_EDE); edns_opt_list_remove(&es.opt_list_out, LDNS_EDNS_EDE); - if(sldns_buffer_limit(buf) + calc_edns_field_size(&es) > - edns->udp_size) { - return; - } + attach_edns_record_max_msg_sz(buf, &es, edns->udp_size); } - attach_edns_record(buf, &es); } } diff --git a/contrib/unbound/util/data/msgencode.h b/contrib/unbound/util/data/msgencode.h index 08fcb59b8e36..64569555dc59 100644 --- a/contrib/unbound/util/data/msgencode.h +++ b/contrib/unbound/util/data/msgencode.h @@ -106,7 +106,7 @@ void qinfo_query_encode(struct sldns_buffer* pkt, struct query_info* qinfo); * @param edns: edns data or NULL. * @return octets to reserve for EDNS. */ -uint16_t calc_edns_field_size(struct edns_data* edns); +size_t calc_edns_field_size(struct edns_data* edns); /** * Calculate the size of a specific EDNS option in packet. @@ -127,7 +127,7 @@ uint16_t calc_edns_option_size(struct edns_data* edns, uint16_t code); * extra text. * @return octets the option will take up. */ -uint16_t calc_ede_option_size(struct edns_data* edns, uint16_t* txt_size); +uint16_t calc_ede_option_size(struct edns_data* edns, size_t* txt_size); /** * Attach EDNS record to buffer. Buffer has complete packet. There must diff --git a/contrib/unbound/util/data/msgparse.c b/contrib/unbound/util/data/msgparse.c index 6963d850171e..169709b7e3c0 100644 --- a/contrib/unbound/util/data/msgparse.c +++ b/contrib/unbound/util/data/msgparse.c @@ -53,6 +53,8 @@ #include "sldns/parseutil.h" #include "sldns/wire2str.h" +#define MAX_PARSED_EDNS_OPTIONS 100 + /** smart comparison of (compressed, valid) dnames from packet */ static int smart_compare(sldns_buffer* pkt, uint8_t* dnow, @@ -950,6 +952,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len, struct comm_reply* repinfo, uint32_t now, struct regional* region, struct cookie_secrets* cookie_secrets) { + int i = 0, nsid_seen = 0, cookie_seen = 0, padding_seen = 0; /* To respond with a Keepalive option, the client connection must have * received one message with a TCP Keepalive EDNS option, and that * option must have 0 length data. Subsequent messages sent on that @@ -969,7 +972,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len, /* while still more options, and have code+len to read */ /* ignores partial content (i.e. rdata len 3) */ - while(rdata_len >= 4) { + while(rdata_len >= 4 && i < MAX_PARSED_EDNS_OPTIONS) { uint16_t opt_code = sldns_read_uint16(rdata_ptr); uint16_t opt_len = sldns_read_uint16(rdata_ptr+2); uint8_t server_cookie[40]; @@ -984,8 +987,9 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len, /* handle parse time edns options here */ switch(opt_code) { case LDNS_EDNS_NSID: - if (!cfg || !cfg->nsid) + if (!cfg || !cfg->nsid || nsid_seen) break; + nsid_seen = 1; if(!edns_opt_list_append(&edns->opt_list_out, LDNS_EDNS_NSID, cfg->nsid_len, cfg->nsid, region)) { @@ -1027,8 +1031,9 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len, case LDNS_EDNS_PADDING: if(!cfg || !cfg->pad_responses || - !c || c->type != comm_tcp ||!c->ssl) + !c || c->type != comm_tcp ||!c->ssl || padding_seen) break; + padding_seen = 1; if(!edns_opt_list_append(&edns->opt_list_out, LDNS_EDNS_PADDING, 0, NULL, region)) { @@ -1039,8 +1044,9 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len, break; case LDNS_EDNS_COOKIE: - if(!cfg || !cfg->do_answer_cookie || !repinfo) + if(!cfg || !cfg->do_answer_cookie || !repinfo || cookie_seen) break; + cookie_seen = 1; if(opt_len != 8 && (opt_len < 16 || opt_len > 40)) { verbose(VERB_ALGO, "worker request: " "badly formatted cookie"); @@ -1146,6 +1152,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len, } rdata_ptr += opt_len; rdata_len -= opt_len; + i++; } return LDNS_RCODE_NOERROR; } @@ -1160,6 +1167,7 @@ parse_extract_edns_from_response_msg(struct msg_parse* msg, struct rrset_parse* found_prev = 0; size_t rdata_len; uint8_t* rdata_ptr; + int i = 0; /* since the class encodes the UDP size, we cannot use hash table to * find the EDNS OPT record. Scan the packet. */ while(rrset) { @@ -1219,7 +1227,7 @@ parse_extract_edns_from_response_msg(struct msg_parse* msg, /* while still more options, and have code+len to read */ /* ignores partial content (i.e. rdata len 3) */ - while(rdata_len >= 4) { + while(rdata_len >= 4 && i < MAX_PARSED_EDNS_OPTIONS) { uint16_t opt_code = sldns_read_uint16(rdata_ptr); uint16_t opt_len = sldns_read_uint16(rdata_ptr+2); rdata_ptr += 4; @@ -1234,6 +1242,7 @@ parse_extract_edns_from_response_msg(struct msg_parse* msg, } rdata_ptr += opt_len; rdata_len -= opt_len; + i++; } /* ignore rrsigs */ return LDNS_RCODE_NOERROR; diff --git a/contrib/unbound/util/data/msgparse.h b/contrib/unbound/util/data/msgparse.h index 7de4e394f2ae..d6e459d330ce 100644 --- a/contrib/unbound/util/data/msgparse.h +++ b/contrib/unbound/util/data/msgparse.h @@ -98,6 +98,10 @@ extern time_t SERVE_EXPIRED_REPLY_TTL; /** If we serve the original TTL or decrementing TTLs */ extern int SERVE_ORIGINAL_TTL; +/** Check if TTL is expired. 0 TTL is considered expired. + * Used mainly to identify parts of the code that do this comparison. */ +#define TTL_IS_EXPIRED(ttl, now) ((ttl) <= (now)) + /** * Data stored in scratch pad memory during parsing. * Stores the data that will enter into the msgreply and packet result. diff --git a/contrib/unbound/validator/val_neg.c b/contrib/unbound/validator/val_neg.c index bc3a83aeb4c9..0f2751121326 100644 --- a/contrib/unbound/validator/val_neg.c +++ b/contrib/unbound/validator/val_neg.c @@ -62,6 +62,13 @@ #include "sldns/rrdef.h" #include "sldns/sbuffer.h" +/** + * The maximum salt length that the negative cache is willing to use. + * Larger salt increases the computation time, while recommendations are + * for zero salt length for zones. + */ +#define MAX_SALT_LENGTH 64 + int val_neg_data_compare(const void* a, const void* b) { struct val_neg_data* x = (struct val_neg_data*)a; @@ -826,7 +833,11 @@ void neg_insert_data(struct val_neg_cache* neg, (slen != 0 && zone->nsec3_salt && s && memcmp(zone->nsec3_salt, s, slen) != 0))) { - if(slen > 0) { + if(slen > MAX_SALT_LENGTH) { + /* RFC 9276 s3.1: operators SHOULD NOT use a salt; large + * salts inflate per-hash block count. Decline to cache. */ + return; + } else if(slen > 0) { uint8_t* sa = memdup(s, slen); if(sa) { free(zone->nsec3_salt); @@ -1169,6 +1180,15 @@ neg_find_nsec3_ce(struct val_neg_zone* zone, uint8_t* qname, size_t qname_len, uint8_t hashce[NSEC3_SHA_LEN]; uint8_t b32[257]; size_t celen, b32len; + int hashmax = MAX_NSEC3_CALCULATIONS; + if(qlabs > hashmax) { + /* strip leading labels so the walk costs at most + * MAX_NSEC3_CALCULATIONS hashes, mirroring val_nsec3.c */ + while(qlabs > hashmax) { + dname_remove_label(&qname, &qname_len); + qlabs--; + } + } *nclen = 0; while(qlabs > 0) { @@ -1269,6 +1289,12 @@ neg_nsec3_proof_ds(struct val_neg_zone* zone, uint8_t* qname, size_t qname_len, if(!zone->nsec3_hash) return NULL; /* not nsec3 zone */ + if(!topname && qlabs > zone->labs + 1) + return NULL; /* iterator caller; opt-out proof would be discarded + * at the !topname check below anyway. + * The qlabs check allows the exact-match for + * the one-label-below-zone case. */ + if(!(data=neg_find_nsec3_ce(zone, qname, qname_len, qlabs, buf, hashnc, &nclen))) { return NULL; diff --git a/contrib/unbound/validator/val_nsec3.c b/contrib/unbound/validator/val_nsec3.c index 998fcc4e38ee..62effde2093f 100644 --- a/contrib/unbound/validator/val_nsec3.c +++ b/contrib/unbound/validator/val_nsec3.c @@ -59,11 +59,6 @@ #include "sldns/sbuffer.h" #include "util/config_file.h" -/** - * Max number of NSEC3 calculations at once, suspend query for later. - * 8 is low enough and allows for cases where multiple proofs are needed. - */ -#define MAX_NSEC3_CALCULATIONS 8 /** * When all allowed NSEC3 calculations at once resulted in error treat as * bogus. NSEC3 hash errors are not cached and this helps breaks loops with @@ -456,6 +451,67 @@ filter_init(struct nsec3_filter* filter, struct ub_packed_rrset_key** list, } } +/** Check if the NSEC3s have the same parameter set. */ +static int +param_set_same(struct nsec3_filter* flt, char** reason) +{ + size_t rrsetnum; + int rrnum; + struct ub_packed_rrset_key* rrset; + int have_params = 0; + int first_algo = 0; + size_t first_iter = 0; + uint8_t* first_salt = NULL; + size_t first_saltlen = 0; + + /* If the NSEC3 parameter sets have distinct values, then they are + * from different NSEC3 chains, and we do not want that. */ + for(rrset=filter_first(flt, &rrsetnum, &rrnum); rrset; + rrset=filter_next(flt, &rrsetnum, &rrnum)) { + if(!have_params) { + first_algo = nsec3_get_algo(rrset, rrnum); + first_iter = nsec3_get_iter(rrset, rrnum); + if(!nsec3_get_salt(rrset, rrnum, &first_salt, + &first_saltlen)) { + verbose(VERB_ALGO, "NSEC3 salt malformed"); + if(reason) + *reason = "NSEC3 salt malformed"; + return 0; + } + have_params = 1; + } else { + uint8_t* salt = NULL; + size_t saltlen = 0; + if(nsec3_get_algo(rrset, rrnum) != first_algo) { + verbose(VERB_ALGO, "NSEC3 algorithm mismatch"); + if(reason) + *reason = "NSEC3 algorithm mismatch"; + return 0; + } + if(nsec3_get_iter(rrset, rrnum) != first_iter) { + verbose(VERB_ALGO, "NSEC3 iterations mismatch"); + if(reason) + *reason = "NSEC3 iterations mismatch"; + return 0; + } + if(!nsec3_get_salt(rrset, rrnum, &salt, &saltlen)) { + verbose(VERB_ALGO, "NSEC3 salt malformed"); + if(reason) + *reason = "NSEC3 salt malformed"; + return 0; + } + if(saltlen != first_saltlen || + memcmp(salt, first_salt, saltlen) != 0) { + verbose(VERB_ALGO, "NSEC3 salt mismatch"); + if(reason) + *reason = "NSEC3 salt mismatch"; + return 0; + } + } + } + return 1; +} + /** * Find max iteration count using config settings and key size * @param ve: validator environment with iteration count config settings. @@ -1192,6 +1248,8 @@ nsec3_prove_nameerror(struct module_env* env, struct val_env* ve, filter_init(&flt, list, num, qinfo); /* init RR iterator */ if(!flt.zone) return sec_status_bogus; /* no RRs */ + if(!param_set_same(&flt, NULL)) + return sec_status_bogus; /* nsec3 params from distinct chains*/ if(nsec3_iteration_count_high(ve, &flt, kkey)) return sec_status_insecure; /* iteration count too high */ log_nametypeclass(VERB_ALGO, "start nsec3 nameerror proof, zone", @@ -1378,6 +1436,8 @@ nsec3_prove_nodata(struct module_env* env, struct val_env* ve, filter_init(&flt, list, num, qinfo); /* init RR iterator */ if(!flt.zone) return sec_status_bogus; /* no RRs */ + if(!param_set_same(&flt, NULL)) + return sec_status_bogus; /* nsec3 params from distinct chains*/ if(nsec3_iteration_count_high(ve, &flt, kkey)) return sec_status_insecure; /* iteration count too high */ return nsec3_do_prove_nodata(env, &flt, ct, qinfo, calc); @@ -1401,6 +1461,8 @@ nsec3_prove_wildcard(struct module_env* env, struct val_env* ve, filter_init(&flt, list, num, qinfo); /* init RR iterator */ if(!flt.zone) return sec_status_bogus; /* no RRs */ + if(!param_set_same(&flt, NULL)) + return sec_status_bogus; /* nsec3 params from distinct chains*/ if(nsec3_iteration_count_high(ve, &flt, kkey)) return sec_status_insecure; /* iteration count too high */ @@ -1503,6 +1565,8 @@ nsec3_prove_nods(struct module_env* env, struct val_env* ve, *reason = "no NSEC3 records"; return sec_status_bogus; /* no RRs */ } + if(!param_set_same(&flt, reason)) + return sec_status_bogus; /* nsec3 params from distinct chains*/ if(nsec3_iteration_count_high(ve, &flt, kkey)) return sec_status_insecure; /* iteration count too high */ @@ -1596,6 +1660,8 @@ nsec3_prove_nxornodata(struct module_env* env, struct val_env* ve, filter_init(&flt, list, num, qinfo); /* init RR iterator */ if(!flt.zone) return sec_status_bogus; /* no RRs */ + if(!param_set_same(&flt, NULL)) + return sec_status_bogus; /* nsec3 params from distinct chains*/ if(nsec3_iteration_count_high(ve, &flt, kkey)) return sec_status_insecure; /* iteration count too high */ diff --git a/contrib/unbound/validator/val_nsec3.h b/contrib/unbound/validator/val_nsec3.h index f668a270ff12..a13e92991106 100644 --- a/contrib/unbound/validator/val_nsec3.h +++ b/contrib/unbound/validator/val_nsec3.h @@ -98,6 +98,12 @@ struct sldns_buffer; /** The SHA1 hash algorithm for NSEC3 */ #define NSEC3_HASH_SHA1 0x01 +/** + * Max number of NSEC3 calculations at once, suspend query for later. + * 8 is low enough and allows for cases where multiple proofs are needed. + */ +#define MAX_NSEC3_CALCULATIONS 8 + /** * Cache table for NSEC3 hashes. * It keeps a *pointer* to the region its items are allocated. diff --git a/contrib/unbound/validator/val_utils.c b/contrib/unbound/validator/val_utils.c index 549264d76a1f..4495695ac853 100644 --- a/contrib/unbound/validator/val_utils.c +++ b/contrib/unbound/validator/val_utils.c @@ -1066,10 +1066,10 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig, if(query_dname_compare(name, orig->rrsets[i]->rk.dname) == 0) chase->rrsets[chase->an_numrrsets - +orig->ns_numrrsets+chase->ar_numrrsets++] + +chase->ns_numrrsets+chase->ar_numrrsets++] = orig->rrsets[i]; } else if(rrset_has_signer(orig->rrsets[i], name, len)) { - chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+ + chase->rrsets[chase->an_numrrsets+chase->ns_numrrsets+ chase->ar_numrrsets++] = orig->rrsets[i]; } } From nobody Tue Jun 9 19:19:16 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxw6PyFz6gVJm for ; Tue, 09 Jun 2026 19:19:16 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxw55Fxz3PqL for ; Tue, 09 Jun 2026 19:19:16 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032756; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=7Kd21+qAX/xCriuvVxlO9vjZxntYomfLREv70LCWM4Y=; b=PjTaCZlCoQI9A/YvwUsYL+/E8zy3MDQDi3fKGAaglYIwPXp6/Js0VOLGI6yodvyUd07CXV QFQdRt/OEMcGnm4IhtV8tVTwssZWuGHhUFhk5bbG2gAlfqy8m0my1vUo3+1O2eTdy5fwdg FvzyEfZ6z7MolrcEWFLVc3JQSJxYHmkpw7P31Ny0x5sbvDYe3UpsPtJZCXWdIL2LAkmMqP 0rOeajRPaR79D1c0h6/91L68aF5DJe6x2oIMcwIq+wxD0jKhvqm2MkPh2bnjaiYRoz1KWY 30oQAIHOj39F+vWYNQI3Mfwk4l8YDZVsPR4uUfOqP6Pd/kxo0+4rN6uZiIribw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032756; a=rsa-sha256; cv=none; b=EdZJpmPvi7GxgnUg2vGVcUwe0s604PC/NzwVSOW0VyDBbaDED0ocDkKDwR8OFWugFYNy2b HoJky1UfUbPacP5AhcMCxI23NdH+Sy0ZUuAtefpNeS0m4cFXL1TxhoNLnrqwv0AlK1wStR jPKNf32amriwQjA96Jln1tBc5kReqcAoglA6NVXvtzVzl1uiiwh/zJf10eCrv85MHVugrV f9HJsQmg+LCX4IHFuAl7ntekOo+VpAzrY0UM0OIscSA5c1xH1pXtJP5g931IT1i8Etng2j vJUwKznTLrv6YOUrDvaffGln0pPP3V1GQ4tw3RkxG9D5B0WX5VWKdCslaiKOcA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032756; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=7Kd21+qAX/xCriuvVxlO9vjZxntYomfLREv70LCWM4Y=; b=n5uchtEiKgBjwlJCbcRg53yiXHCflqQ9I3nL3TF8ofJswnNJg7gfWfu9+XL69aRpsPGJUv ZIvc8w4cB7ATVo2bTYoZPK6QyMxsVZNY2csMu1ms4UQm7xZfG2CL4cySz8SEXeJqQESWVl 0Zt7P3J/elKJmuCmJ8Cxxxy/m9OcYq+S+09thHO/JRPf5T1j4pD0cw6gjduybKBL+FjeAu dkmaQZXZt3jcX1BszlHPvM/e1uPfcvu/3r5sGIhlZ3JC0y6tbmZgytvIjCTPhR2XW9MAFe X01rXmVt4JnvQV+XkyVeSJ7YTvv51HxVGS00kToDSiUZT+YnyeEtzt0z6lhfYA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxw43qrzp1W for ; Tue, 09 Jun 2026 19:19:16 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e841 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:16 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Gordon Tetlow From: Mark Johnston Subject: git: 1929d9e173e5 - releng/14.4 - openssl: Fix multiple vulnerabilities List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.4 X-Git-Reftype: branch X-Git-Commit: 1929d9e173e5c959be4343ddc68f75f28ac88e5c Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:16 +0000 Message-Id: <6a286734.3e841.7fa7fda7@gitrepo.freebsd.org> The branch releng/14.4 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=1929d9e173e5c959be4343ddc68f75f28ac88e5c commit 1929d9e173e5c959be4343ddc68f75f28ac88e5c Author: Gordon Tetlow AuthorDate: 2026-06-07 03:24:17 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 13:21:34 +0000 openssl: Fix multiple vulnerabilities This is a rollup commit from upstream to fix: Reject oversized inputs in ASN1_mbstring_ncopy() cms: kek_unwrap_key: Fix out-of-bounds read in check-byte validation cms: kek_unwrap_key: test for fix out-of-bounds read in check-byte validation Avoid length truncation in ASN1_STRING_set Reject potentially forged encrypted CMS AuthEnvelopedData messages Fix potential NULL dereference processing CMS PasswordRecipientInfo Match the local q DHX parameter against the peer's q Apply the buffered IV on the AES-OCB EVP_Cipher() path Fix handling of empty-ciphertext messages in AES-GCM-SIV and AES-SIV Fix possible use-after-free in OpenSSL PKCS7_verify() Approved by: so Obtained from: OpenSSL Security: FreeBSD-SA-26:35.openssl Security: CVE-2026-7383 Security: CVE-2026-9076 Security: CVE-2026-34180 Security: CVE-2026-34182 Security: CVE-2026-42766 Security: CVE-2026-42770 Security: CVE-2026-45445 Security: CVE-2026-45446 Security: CVE-2026-45447 --- crypto/openssl/crypto/asn1/a_mbstr.c | 31 ++++++++++- crypto/openssl/crypto/asn1/tasn_dec.c | 24 +++++--- crypto/openssl/crypto/cms/cms_enc.c | 18 ++++-- crypto/openssl/crypto/cms/cms_env.c | 6 +- crypto/openssl/crypto/cms/cms_err.c | 4 +- crypto/openssl/crypto/cms/cms_local.h | 2 +- crypto/openssl/crypto/cms/cms_pwri.c | 15 ++++- crypto/openssl/crypto/err/openssl.txt | 3 +- crypto/openssl/crypto/pkcs7/pk7_smime.c | 9 +-- crypto/openssl/include/crypto/cmserr.h | 2 +- crypto/openssl/include/openssl/cmserr.h | 4 +- .../implementations/ciphers/cipher_aes_ocb.c | 13 +++++ .../implementations/ciphers/cipher_aes_siv.c | 3 + .../providers/implementations/exchange/dh_exch.c | 5 +- .../cms-msg/enveloped-content-type-for-aes-gcm.pem | 7 +++ crypto/openssl/test/cmsapitest.c | 54 +++++++++++++++++- crypto/openssl/test/evp_extra_test.c | 61 +++++++++++++++++++++ crypto/openssl/test/recipes/80-test_cms.t | 12 +++- crypto/openssl/test/recipes/80-test_cmsapi.t | 3 +- .../80-test_cmsapi_data/cms_pwri_kek_oob.der | Bin 0 -> 193 bytes 20 files changed, 239 insertions(+), 37 deletions(-) diff --git a/crypto/openssl/crypto/asn1/a_mbstr.c b/crypto/openssl/crypto/asn1/a_mbstr.c index 531e01d33257..9329e5795a9e 100644 --- a/crypto/openssl/crypto/asn1/a_mbstr.c +++ b/crypto/openssl/crypto/asn1/a_mbstr.c @@ -174,11 +174,27 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, break; case MBSTRING_BMP: + if (nchar > INT_MAX / 2) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_STRING_TOO_LONG); + if (free_out) { + ASN1_STRING_free(dest); + *out = NULL; + } + return -1; + } outlen = nchar << 1; cpyfunc = cpy_bmp; break; case MBSTRING_UNIV: + if (nchar > INT_MAX / 4) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_STRING_TOO_LONG); + if (free_out) { + ASN1_STRING_free(dest); + *out = NULL; + } + return -1; + } outlen = nchar << 2; cpyfunc = cpy_univ; break; @@ -186,8 +202,11 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, case MBSTRING_UTF8: outlen = 0; ret = traverse_string(in, len, inform, out_utf8, &outlen); - if (ret < 0) { - ERR_raise(ERR_LIB_ASN1, ASN1_R_INVALID_UTF8STRING); + if (ret < 0) { /* error already raised in out_utf8() */ + if (free_out) { + ASN1_STRING_free(dest); + *out = NULL; + } return -1; } cpyfunc = cpy_utf8; @@ -271,9 +290,15 @@ static int out_utf8(unsigned long value, void *arg) int *outlen, len; len = UTF8_putc(NULL, -1, value); - if (len <= 0) + if (len <= 0) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_INVALID_UTF8STRING); return len; + } outlen = arg; + if (*outlen > INT_MAX - len) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_STRING_TOO_LONG); + return -1; + } *outlen += len; return 1; } diff --git a/crypto/openssl/crypto/asn1/tasn_dec.c b/crypto/openssl/crypto/asn1/tasn_dec.c index 9138ad381f7d..4cbc6275cc35 100644 --- a/crypto/openssl/crypto/asn1/tasn_dec.c +++ b/crypto/openssl/crypto/asn1/tasn_dec.c @@ -54,7 +54,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx); -static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, +static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len, int utype, char *free_cont, const ASN1_ITEM *it); /* Table to convert tags to bit values, used for MSTRING type */ @@ -855,19 +855,24 @@ err: /* Translate ASN1 content octets into a structure */ -static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, +static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len, int utype, char *free_cont, const ASN1_ITEM *it) { ASN1_VALUE **opval = NULL; ASN1_STRING *stmp; ASN1_TYPE *typ = NULL; int ret = 0; + int ilen = (int)len; const ASN1_PRIMITIVE_FUNCS *pf; ASN1_INTEGER **tint; pf = it->funcs; - if (pf && pf->prim_c2i) - return pf->prim_c2i(pval, cont, len, utype, free_cont, it); + if (pf && pf->prim_c2i) { + if (len == (long)ilen) + return pf->prim_c2i(pval, cont, ilen, utype, free_cont, it); + ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG); + return 0; + } /* If ANY type clear type and set pointer to internal value */ if (it->utype == V_ASN1_ANY) { if (*pval == NULL) { @@ -885,7 +890,8 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, } switch (utype) { case V_ASN1_OBJECT: - if (!ossl_c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len)) + if (len != (long)ilen + || !ossl_c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, ilen)) goto err; break; @@ -940,6 +946,10 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, case V_ASN1_SET: case V_ASN1_SEQUENCE: default: + if (len != (long)ilen) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG); + goto err; + } if (utype == V_ASN1_BMPSTRING && (len & 1)) { ERR_raise(ERR_LIB_ASN1, ASN1_R_BMPSTRING_IS_WRONG_LENGTH); goto err; @@ -964,10 +974,10 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, if (*free_cont) { OPENSSL_free(stmp->data); stmp->data = (unsigned char *)cont; /* UGLY CAST! RL */ - stmp->length = len; + stmp->length = ilen; *free_cont = 0; } else { - if (!ASN1_STRING_set(stmp, cont, len)) { + if (!ASN1_STRING_set(stmp, cont, ilen)) { ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); ASN1_STRING_free(stmp); *pval = NULL; diff --git a/crypto/openssl/crypto/cms/cms_enc.c b/crypto/openssl/crypto/cms/cms_enc.c index 8c1a15aeda71..367617576175 100644 --- a/crypto/openssl/crypto/cms/cms_enc.c +++ b/crypto/openssl/crypto/cms/cms_enc.c @@ -23,7 +23,7 @@ /* Return BIO based on EncryptedContentInfo and key */ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, - const CMS_CTX *cms_ctx) + const CMS_CTX *cms_ctx, int auth) { BIO *b; EVP_CIPHER_CTX *ctx; @@ -104,14 +104,20 @@ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, goto err; } if ((EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)) { + if (!auth) { + ERR_raise(ERR_LIB_CMS, CMS_R_CIPHER_AEAD_IN_ENVELOPED_DATA); + goto err; + } piv = aparams.iv; - if (ec->taglen > 0 - && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, - ec->taglen, ec->tag) - <= 0) { + + if (ec->taglen < 4 || ec->taglen > 16 + || EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, (int)ec->taglen, ec->tag) <= 0) { ERR_raise(ERR_LIB_CMS, CMS_R_CIPHER_AEAD_SET_TAG_ERROR); goto err; } + } else if (auth) { + ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM); + goto err; } } len = EVP_CIPHER_CTX_get_key_length(ctx); @@ -263,5 +269,5 @@ BIO *ossl_cms_EncryptedData_init_bio(const CMS_ContentInfo *cms) if (enc->encryptedContentInfo->cipher && enc->unprotectedAttrs) enc->version = 2; return ossl_cms_EncryptedContent_init_bio(enc->encryptedContentInfo, - ossl_cms_get0_cmsctx(cms)); + ossl_cms_get0_cmsctx(cms), 0); } diff --git a/crypto/openssl/crypto/cms/cms_env.c b/crypto/openssl/crypto/cms/cms_env.c index 2326253b6743..d2eace4fef5d 100644 --- a/crypto/openssl/crypto/cms/cms_env.c +++ b/crypto/openssl/crypto/cms/cms_env.c @@ -1099,7 +1099,7 @@ static BIO *cms_EnvelopedData_Decryption_init_bio(CMS_ContentInfo *cms) { CMS_EncryptedContentInfo *ec = cms->d.envelopedData->encryptedContentInfo; BIO *contentBio = ossl_cms_EncryptedContent_init_bio(ec, - ossl_cms_get0_cmsctx(cms)); + ossl_cms_get0_cmsctx(cms), 0); EVP_CIPHER_CTX *ctx = NULL; if (contentBio == NULL) @@ -1137,7 +1137,7 @@ static BIO *cms_EnvelopedData_Encryption_init_bio(CMS_ContentInfo *cms) /* Get BIO first to set up key */ ec = env->encryptedContentInfo; - ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms)); + ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms), 0); /* If error end of processing */ if (!ret) @@ -1189,7 +1189,7 @@ BIO *ossl_cms_AuthEnvelopedData_init_bio(CMS_ContentInfo *cms) ec->tag = aenv->mac->data; ec->taglen = aenv->mac->length; } - ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms)); + ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms), 1); /* If error or no cipher end of processing */ if (ret == NULL || ec->cipher == NULL) diff --git a/crypto/openssl/crypto/cms/cms_err.c b/crypto/openssl/crypto/cms/cms_err.c index 37e52963e16d..bc922d0ee03d 100644 --- a/crypto/openssl/crypto/cms/cms_err.c +++ b/crypto/openssl/crypto/cms/cms_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2026 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -25,6 +25,8 @@ static const ERR_STRING_DATA CMS_str_reasons[] = { "certificate has no keyid" }, { ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CERTIFICATE_VERIFY_ERROR), "certificate verify error" }, + { ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CIPHER_AEAD_IN_ENVELOPED_DATA), + "cipher aead in enveloped data" }, { ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CIPHER_AEAD_SET_TAG_ERROR), "cipher aead set tag error" }, { ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CIPHER_GET_TAG), "cipher get tag" }, diff --git a/crypto/openssl/crypto/cms/cms_local.h b/crypto/openssl/crypto/cms/cms_local.h index a92a67fa8b24..d80689f64d68 100644 --- a/crypto/openssl/crypto/cms/cms_local.h +++ b/crypto/openssl/crypto/cms/cms_local.h @@ -429,7 +429,7 @@ int ossl_cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert); int ossl_cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert); BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, - const CMS_CTX *ctx); + const CMS_CTX *ctx, int auth); BIO *ossl_cms_EncryptedData_init_bio(const CMS_ContentInfo *cms); int ossl_cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec, const EVP_CIPHER *cipher, diff --git a/crypto/openssl/crypto/cms/cms_pwri.c b/crypto/openssl/crypto/cms/cms_pwri.c index 46313f2bfe2c..8b0ea233fd6d 100644 --- a/crypto/openssl/crypto/cms/cms_pwri.c +++ b/crypto/openssl/crypto/cms/cms_pwri.c @@ -189,14 +189,18 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen, const unsigned char *in, size_t inlen, EVP_CIPHER_CTX *ctx) { - size_t blocklen = EVP_CIPHER_CTX_get_block_size(ctx); + int blocklen = EVP_CIPHER_CTX_get_block_size(ctx); unsigned char *tmp; int outl, rv = 0; - if (inlen < 2 * blocklen) { + + if (blocklen < 4) + return 0; + + if (inlen < 2 * (size_t)blocklen) { /* too small */ return 0; } - if (inlen % blocklen) { + if (inlen > INT_MAX || inlen % blocklen) { /* Invalid size */ return 0; } @@ -350,6 +354,11 @@ int ossl_cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms, /* Finish password based key derivation to setup key in "ctx" */ + if (algtmp == NULL) { + ERR_raise_data(ERR_LIB_CMS, CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER, + "Missing KeyDerivationAlgorithm"); + goto err; + } if (!EVP_PBE_CipherInit_ex(algtmp->algorithm, (char *)pwri->pass, (int)pwri->passlen, algtmp->parameter, kekctx, en_de, diff --git a/crypto/openssl/crypto/err/openssl.txt b/crypto/openssl/crypto/err/openssl.txt index 756fafdfa24a..dc4e3f310f08 100644 --- a/crypto/openssl/crypto/err/openssl.txt +++ b/crypto/openssl/crypto/err/openssl.txt @@ -1,4 +1,4 @@ -# Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2026 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -284,6 +284,7 @@ CMS_R_ATTRIBUTE_ERROR:161:attribute error CMS_R_CERTIFICATE_ALREADY_PRESENT:175:certificate already present CMS_R_CERTIFICATE_HAS_NO_KEYID:160:certificate has no keyid CMS_R_CERTIFICATE_VERIFY_ERROR:100:certificate verify error +CMS_R_CIPHER_AEAD_IN_ENVELOPED_DATA:182:cipher aead in enveloped data CMS_R_CIPHER_AEAD_SET_TAG_ERROR:184:cipher aead set tag error CMS_R_CIPHER_GET_TAG:185:cipher get tag CMS_R_CIPHER_INITIALISATION_ERROR:101:cipher initialisation error diff --git a/crypto/openssl/crypto/pkcs7/pk7_smime.c b/crypto/openssl/crypto/pkcs7/pk7_smime.c index 001b96d31183..fadf543e9db7 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_smime.c +++ b/crypto/openssl/crypto/pkcs7/pk7_smime.c @@ -218,6 +218,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, int i, j = 0, k, ret = 0; BIO *p7bio = NULL; BIO *tmpin = NULL, *tmpout = NULL; + BIO *next = NULL; const PKCS7_CTX *p7_ctx; if (p7 == NULL) { @@ -366,11 +367,11 @@ err: BIO_free(tmpout); X509_STORE_CTX_free(cert_ctx); OPENSSL_free(buf); - if (tmpin == indata) { - if (indata) - BIO_pop(p7bio); + while (p7bio != NULL && p7bio != indata) { + next = BIO_pop(p7bio); + BIO_free(p7bio); + p7bio = next; } - BIO_free_all(p7bio); sk_X509_free(signers); return ret; } diff --git a/crypto/openssl/include/crypto/cmserr.h b/crypto/openssl/include/crypto/cmserr.h index f9fd933682e5..8b896822d091 100644 --- a/crypto/openssl/include/crypto/cmserr.h +++ b/crypto/openssl/include/crypto/cmserr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2026 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/include/openssl/cmserr.h b/crypto/openssl/include/openssl/cmserr.h index c584b90574e2..6c0baf2362fc 100644 --- a/crypto/openssl/include/openssl/cmserr.h +++ b/crypto/openssl/include/openssl/cmserr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2026 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -17,7 +17,6 @@ #include #ifndef OPENSSL_NO_CMS - /* * CMS reason codes. */ @@ -26,6 +25,7 @@ #define CMS_R_CERTIFICATE_ALREADY_PRESENT 175 #define CMS_R_CERTIFICATE_HAS_NO_KEYID 160 #define CMS_R_CERTIFICATE_VERIFY_ERROR 100 +#define CMS_R_CIPHER_AEAD_IN_ENVELOPED_DATA 182 #define CMS_R_CIPHER_AEAD_SET_TAG_ERROR 184 #define CMS_R_CIPHER_GET_TAG 185 #define CMS_R_CIPHER_INITIALISATION_ERROR 101 diff --git a/crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c b/crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c index 8a8eddf36eec..70c0703ddb7c 100644 --- a/crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c +++ b/crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c @@ -516,6 +516,19 @@ static int aes_ocb_cipher(void *vctx, unsigned char *out, size_t *outl, return 0; } + /* + * Mirror the streaming handler: refuse if the key has not been set, + * and push the buffered IV into the OCB context before any data is + * processed. Without this, CRYPTO_ocb128_encrypt/decrypt runs with + * Offset_0 = 0 regardless of the caller's IV -- catastrophic + * (key, nonce) reuse, and a subsequent EVP_*Final_ex() emits a tag + * that is a function of (key, iv) only. + */ + if (!ctx->key_set || !update_iv(ctx)) { + ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED); + return 0; + } + if (!aes_generic_ocb_cipher(ctx, in, out, inl)) { ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED); return 0; diff --git a/crypto/openssl/providers/implementations/ciphers/cipher_aes_siv.c b/crypto/openssl/providers/implementations/ciphers/cipher_aes_siv.c index 510c1581b593..c3facacfbcf4 100644 --- a/crypto/openssl/providers/implementations/ciphers/cipher_aes_siv.c +++ b/crypto/openssl/providers/implementations/ciphers/cipher_aes_siv.c @@ -203,6 +203,7 @@ static int aes_siv_set_ctx_params(void *vctx, const OSSL_PARAM params[]) PROV_AES_SIV_CTX *ctx = (PROV_AES_SIV_CTX *)vctx; const OSSL_PARAM *p; unsigned int speed = 0; + SIV128_CONTEXT *sctx = &ctx->siv; if (params == NULL) return 1; @@ -237,6 +238,8 @@ static int aes_siv_set_ctx_params(void *vctx, const OSSL_PARAM params[]) if (keylen != ctx->keylen) return 0; } + sctx->final_ret = -1; + return 1; } diff --git a/crypto/openssl/providers/implementations/exchange/dh_exch.c b/crypto/openssl/providers/implementations/exchange/dh_exch.c index bb2d355c8143..668602a5e523 100644 --- a/crypto/openssl/providers/implementations/exchange/dh_exch.c +++ b/crypto/openssl/providers/implementations/exchange/dh_exch.c @@ -113,12 +113,15 @@ static int dh_init(void *vpdhctx, void *vdh, const OSSL_PARAM params[]) static int dh_match_params(DH *priv, DH *peer) { int ret; + int ignore_q = 1; FFC_PARAMS *dhparams_priv = ossl_dh_get0_params(priv); FFC_PARAMS *dhparams_peer = ossl_dh_get0_params(peer); + if (dhparams_priv != NULL && dhparams_priv->q != NULL) + ignore_q = 0; ret = dhparams_priv != NULL && dhparams_peer != NULL - && ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, 1); + && ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, ignore_q); if (!ret) ERR_raise(ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS); return ret; diff --git a/crypto/openssl/test/cms-msg/enveloped-content-type-for-aes-gcm.pem b/crypto/openssl/test/cms-msg/enveloped-content-type-for-aes-gcm.pem new file mode 100644 index 000000000000..b0610a7ec8a2 --- /dev/null +++ b/crypto/openssl/test/cms-msg/enveloped-content-type-for-aes-gcm.pem @@ -0,0 +1,7 @@ +-----BEGIN PKCS7----- +MIAGCSqGSIb3DQEHA6CAMIACAQIxNqI0AgEEMAgEBkMwRkVFMDALBglghkgBZQME +AQUEGPN0q9rM3neSiY7HIADpnqWym33mRZC4JDCABgkqhkiG9w0BBwEwHgYJYIZI +AWUDBAEGMBEEDIExQGiHZFSYa0ZBqQIBEKCABGNap+JL1B21Mq7ojKPzVuxtRkg3 +LWt8khnK1EzfmV7e64l5KnTdjq9+gfbwOfbuhTavfBI7VK/ZtpH3HII4fCOe37kV +mju8/YnYeRq2KcxESmJBySV/veMwxqmHGAw71JyHpg4AAAAAAAAAAAAA +-----END PKCS7----- diff --git a/crypto/openssl/test/cmsapitest.c b/crypto/openssl/test/cmsapitest.c index 7e74c5daf221..0a7e536bbe75 100644 --- a/crypto/openssl/test/cmsapitest.c +++ b/crypto/openssl/test/cmsapitest.c @@ -20,6 +20,7 @@ static X509 *cert = NULL; static EVP_PKEY *privkey = NULL; static char *derin = NULL; static char *too_long_iv_cms_in = NULL; +static char *pwri_kek_oob_der_in = NULL; static int test_encrypt_decrypt(const EVP_CIPHER *cipher) { @@ -45,6 +46,12 @@ static int test_encrypt_decrypt(const EVP_CIPHER *cipher) CMS_TEXT))) goto end; + if (!(EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) + && !TEST_ptr(contentbio = CMS_EnvelopedData_decrypt(content->d.envelopedData, + NULL, privkey, cert, NULL, + CMS_TEXT, NULL, NULL))) + goto end; + /* Check we got the message we first started with */ if (!TEST_int_eq(BIO_gets(outmsgbio, buf, sizeof(buf)), strlen(msg)) || !TEST_int_eq(strcmp(buf, msg), 0)) @@ -484,7 +491,48 @@ end: return ret; } -OPT_TEST_DECLARE_USAGE("certfile privkeyfile derfile\n") +/* + * CMS EnvelopedData with a single PasswordRecipientInfo using + * id-alg-PWRI-KEK and an AES-128-CFB key encryption cipher + * (1-byte effective block size). The encryptedKey OCTET STRING is + * only two bytes long, so the wrapped key buffer is shorter than + * the seven octets read by the check-byte test in kek_unwrap_key(). + * Prior to CVE-2026-9076 this triggered an out-of-bounds heap read; + * CMS_decrypt() must now fail cleanly. + */ +static int test_pwri_kek_unwrap_short_encrypted_key(void) +{ + BIO *in = NULL; + CMS_ContentInfo *cms = NULL; + unsigned long err = 0; + int ret = 0; + + if (!TEST_ptr(in = BIO_new_file(pwri_kek_oob_der_in, "rb")) + || !TEST_ptr(cms = d2i_CMS_bio(in, NULL))) + goto end; + + /* + * The unwrap is attempted eagerly inside CMS_decrypt_set1_password(). + * It must fail cleanly (no OOB read) and report CMS_R_UNWRAP_FAILURE. + */ + if (!TEST_false(CMS_decrypt_set1_password(cms, + (unsigned char *)"password", -1))) + goto end; + + err = ERR_peek_last_error(); + if (!TEST_int_eq(ERR_GET_LIB(err), ERR_LIB_CMS) + || !TEST_int_eq(ERR_GET_REASON(err), CMS_R_UNWRAP_FAILURE)) + goto end; + + ERR_clear_error(); + ret = 1; +end: + CMS_ContentInfo_free(cms); + BIO_free(in); + return ret; +} + +OPT_TEST_DECLARE_USAGE("certfile privkeyfile derfile tooLongIVpem pwriKekOobDer\n") int setup_tests(void) { @@ -499,7 +547,8 @@ int setup_tests(void) if (!TEST_ptr(certin = test_get_argument(0)) || !TEST_ptr(privkeyin = test_get_argument(1)) || !TEST_ptr(derin = test_get_argument(2)) - || !TEST_ptr(too_long_iv_cms_in = test_get_argument(3))) + || !TEST_ptr(too_long_iv_cms_in = test_get_argument(3)) + || !TEST_ptr(pwri_kek_oob_der_in = test_get_argument(4))) return 0; certbio = BIO_new_file(certin, "r"); @@ -535,6 +584,7 @@ int setup_tests(void) ADD_TEST(test_encrypted_data_aead); ADD_ALL_TESTS(test_d2i_CMS_decode, 2); ADD_TEST(test_cms_aesgcm_iv_too_long); + ADD_TEST(test_pwri_kek_unwrap_short_encrypted_key); return 1; } diff --git a/crypto/openssl/test/evp_extra_test.c b/crypto/openssl/test/evp_extra_test.c index 1b0f0711cb57..7bd41db115ca 100644 --- a/crypto/openssl/test/evp_extra_test.c +++ b/crypto/openssl/test/evp_extra_test.c @@ -5414,6 +5414,64 @@ static int test_aes_rc4_keylen_change_cve_2023_5363(void) } #endif +/* + * AES-SIV reuse-without-rekey: + * msg1: legit non-empty CT, tag verifies, final_ret=0 + * msg2: no reinit (or reinit with key=NULL), set forged tag, + * AAD only, DecryptFinal -> does stale final_ret leak through? + */ +static int test_aes_siv_ctx_reuse(void) +{ + unsigned char key[32] = { 7 }; /* AES-128-SIV => 2*16 */ + unsigned char pt[9] = "payload!"; + unsigned char ct[9], tagbuf[16], out[16], zero16[16] = { 0 }; + unsigned char aad[14] = "forged header"; + int outl, ret = 0; + EVP_CIPHER_CTX *e = NULL, *d = NULL; + EVP_CIPHER *c = EVP_CIPHER_fetch(NULL, "AES-128-SIV", NULL); + + if (c == NULL) { + return TEST_skip("AES-128-SIV cipher is not available"); + } + + /* produce a valid (ct,tag) for msg1 */ + e = EVP_CIPHER_CTX_new(); + if (!TEST_ptr(e) + || !TEST_true(EVP_EncryptInit_ex2(e, c, key, NULL, NULL)) + || !TEST_true(EVP_EncryptUpdate(e, NULL, &outl, (unsigned char *)"hdr1", 4)) + || !TEST_true(EVP_EncryptUpdate(e, ct, &outl, pt, sizeof(pt))) + || !TEST_true(EVP_EncryptFinal_ex(e, out, &outl)) + || !TEST_true(EVP_CIPHER_CTX_ctrl(e, EVP_CTRL_AEAD_GET_TAG, 16, tagbuf))) { + EVP_CIPHER_CTX_free(e); + goto err; + } + EVP_CIPHER_CTX_free(e); + + /* msg1 decrypt */ + d = EVP_CIPHER_CTX_new(); + if (!TEST_ptr(d) + || !TEST_true(EVP_DecryptInit_ex2(d, c, key, NULL, NULL)) + || !TEST_true(EVP_CIPHER_CTX_ctrl(d, EVP_CTRL_AEAD_SET_TAG, 16, tagbuf)) + || !TEST_true(EVP_DecryptUpdate(d, NULL, &outl, (unsigned char *)"hdr1", 4)) + || !TEST_true(EVP_DecryptUpdate(d, out, &outl, ct, sizeof(ct))) + || !TEST_true(EVP_DecryptFinal_ex(d, out, &outl))) + goto err; + + /* msg2 on SAME ctx, reinit with key=NULL => initkey skipped, final_ret should be reset */ + if (!TEST_true(EVP_DecryptInit_ex2(d, NULL, NULL, NULL, NULL)) + || !TEST_true(EVP_CIPHER_CTX_ctrl(d, EVP_CTRL_AEAD_SET_TAG, 16, zero16)) + || !TEST_true(EVP_DecryptUpdate(d, NULL, &outl, aad, sizeof(aad))) /* forged AAD */ + || !TEST_false(EVP_DecryptFinal_ex(d, out, &outl))) + goto err; + + ret = 1; + +err: + EVP_CIPHER_CTX_free(d); + EVP_CIPHER_free(c); + return ret; +} + static int test_invalid_ctx_for_digest(void) { int ret; @@ -5637,6 +5695,9 @@ int setup_tests(void) ADD_TEST(test_aes_rc4_keylen_change_cve_2023_5363); #endif + /* Test case for CVE-2026-45446 */ + ADD_TEST(test_aes_siv_ctx_reuse); + ADD_TEST(test_invalid_ctx_for_digest); ADD_TEST(test_evp_cipher_negative_length); diff --git a/crypto/openssl/test/recipes/80-test_cms.t b/crypto/openssl/test/recipes/80-test_cms.t index b6ee61464409..f573651e26bc 100644 --- a/crypto/openssl/test/recipes/80-test_cms.t +++ b/crypto/openssl/test/recipes/80-test_cms.t @@ -51,7 +51,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) $no_rc2 = 1 if disabled("legacy"); -plan tests => 23; +plan tests => 24; ok(run(test(["pkcs7_test"])), "test pkcs7"); @@ -1054,6 +1054,16 @@ ok(!run(app(['openssl', 'cms', '-verify', ])), "issue#19643"); +# Check that users get error when using incorrect envelope type for AEAD algorithms +ok(!run(app(['openssl', 'cms', '-decrypt', + '-inform', 'PEM', '-stream', + '-secretkey', '000102030405060708090A0B0C0D0E0F', + '-secretkeyid', 'C0FEE0', + '-in', srctop_file("test/cms-msg", + "enveloped-content-type-for-aes-gcm.pem") + ])), + "Error AES-GCM in enveloped content type"); + # Check that kari encryption with originator does not segfault with({ exit_checker => sub { return shift == 3; } }, sub { diff --git a/crypto/openssl/test/recipes/80-test_cmsapi.t b/crypto/openssl/test/recipes/80-test_cmsapi.t index 8d9371e005c0..3d1dae846464 100644 --- a/crypto/openssl/test/recipes/80-test_cmsapi.t +++ b/crypto/openssl/test/recipes/80-test_cmsapi.t @@ -19,5 +19,6 @@ plan tests => 1; ok(run(test(["cmsapitest", srctop_file("test", "certs", "servercert.pem"), srctop_file("test", "certs", "serverkey.pem"), srctop_file("test", "recipes", "80-test_cmsapi_data", "encryptedData.der"), - srctop_file("test", "recipes", "80-test_cmsapi_data", "encDataWithTooLongIV.pem")])), + srctop_file("test", "recipes", "80-test_cmsapi_data", "encDataWithTooLongIV.pem"), + srctop_file("test", "recipes", "80-test_cmsapi_data", "cms_pwri_kek_oob.der")])), "running cmsapitest"); diff --git a/crypto/openssl/test/recipes/80-test_cmsapi_data/cms_pwri_kek_oob.der b/crypto/openssl/test/recipes/80-test_cmsapi_data/cms_pwri_kek_oob.der new file mode 100644 index 000000000000..c3ef3abd10e6 Binary files /dev/null and b/crypto/openssl/test/recipes/80-test_cmsapi_data/cms_pwri_kek_oob.der differ From nobody Tue Jun 9 19:19:15 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxw0LZBz6gVJj for ; Tue, 09 Jun 2026 19:19:16 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxv4BPTz3PhQ for ; Tue, 09 Jun 2026 19:19:15 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032755; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=m1OQF+EYw1w9aMARbC2Q1hz0culhU7RAr2fgk5Ntzo4=; b=De1nWlU9J4r9Krniz5wGsqNh/145rYvCRPMtT+H+R3AxL9u8pHb85Gd9MCYBn5X4GME2bT kVFo5jfTYkhmqcJR8vTjZbdpPJ/+NJVqnlq+C74qfSRhNr1Ph3swhxF9M1HwfL3vPRdpDX CfI5XXecyG1Kqx64jFnHuhWdRFbh9eXBcwxR4uwX2o3P4e9keNn9xBdLezcsGOimJaqYA7 gxYd9baWsuDsMQ52W/x5OImwf9MkQ9CPo9zt4s+/MYjY+6Ls0Cg6Fl1b24eDwDZL/e0v1V Ez/gXooOmQBM8ie/MEQeqaTO8WUvcp91SkBSSa/6rjtnCG7luhYK27qQxNNrjw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032755; a=rsa-sha256; cv=none; b=MPMXe0Dc4wlizsKc1eMsJaVwNGhd2TL6a1BWMfCea81Fw5yh6+NQcu3RKy+dHzJY8zne/z rFYEsKSKZjEePPOrJIbSViXqCLMxxO10a5/Yj7K45sJDuPZeJZaWNRF44USpcYlNg/FuSS kvL22ilMw+XU1nCdOmvSUuE+eVLFoSe3ZANAUVCHCdmjfIf3PYh5gcCs0n6D5f8adrbfLw nlQZQhiE0FtWFfdeBzIbLRQ9NUdAGh34+T07yB863DhDFVWGznY++/fxjQn9mSI0qZkfdZ rfcV9sGvPB9b5ir+dulNTmLL/SfMdXbIZ1Xbl86A9yBoDaiJUDGVoQOYSR9ZOg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032755; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=m1OQF+EYw1w9aMARbC2Q1hz0culhU7RAr2fgk5Ntzo4=; b=QNc27Z3Ik+oSxhouU2FK6gK2a6EFCidvUZg7kTGly3pqluXmtRIPwkABO0leafwR0fFnzR f0IJiDo2nIkDubHAZS0LvnGyaPLfNIcXM69pRD0Fft8grW5O9gHhNBgTSm0zT3rGysWWPX R8+EDBUqTRhzN2MRzlO3WbFzKe+tIS13ZunqTafiEQ0YXdoskhY0WcgLNgCj9yCc1tGii0 sso109UU8x81WCujGu9RZ59NPFPVQqaxBfDL36nP0zI+4VYZJ+b7P0+Uirv7iK+f60H9gl 6sPlySBdWSNbF6ZjTwTNHGGuTH4EAjSx07mx9uBLKJQkyAoSqlxFu+9+MbOZ6g== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxv3XxQzp1T for ; Tue, 09 Jun 2026 19:19:15 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3ea6e by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:15 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Ed Maste From: Mark Johnston Subject: git: 799e830134d5 - releng/14.4 - vt: Avoid integer overflow in CONS_HISTORY ioctl List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.4 X-Git-Reftype: branch X-Git-Commit: 799e830134d51209defe76c0298080a86c62b996 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:15 +0000 Message-Id: <6a286733.3ea6e.15883dfc@gitrepo.freebsd.org> The branch releng/14.4 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=799e830134d51209defe76c0298080a86c62b996 commit 799e830134d51209defe76c0298080a86c62b996 Author: Ed Maste AuthorDate: 2026-05-26 16:19:47 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 13:21:34 +0000 vt: Avoid integer overflow in CONS_HISTORY ioctl Approved by: so Security: FreeBSD-SA-26:34.vt Security: CVE-2026-49416 Reviewed by: markj, vexeduxr Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57250 (cherry picked from commit 0ae946e7223df5ef3f7980af1d774d7f593f6421) (cherry picked from commit deaaddf1d3c4283649945553ad7e3208c8424308) (cherry picked from commit b5a4f4bfbc95d5d5361da708728f7f4a6db2ee60) --- sys/dev/vt/vt_buf.c | 9 ++++----- sys/dev/vt/vt_core.c | 6 ++++-- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/sys/dev/vt/vt_buf.c b/sys/dev/vt/vt_buf.c index ea27ea8a5ebf..0fd301bb662a 100644 --- a/sys/dev/vt/vt_buf.c +++ b/sys/dev/vt/vt_buf.c @@ -500,7 +500,6 @@ vtbuf_grow(struct vt_buf *vb, const term_pos_t *p, unsigned int history_size) { term_char_t *old, *new, **rows, **oldrows, **copyrows, *row, *oldrow; unsigned int w, h, c, r, old_history_size; - size_t bufsize, rowssize; int history_full; const teken_attr_t *a; term_char_t ch; @@ -511,10 +510,10 @@ vtbuf_grow(struct vt_buf *vb, const term_pos_t *p, unsigned int history_size) history_size = MAX(history_size, p->tp_row); /* Allocate new buffer. */ - bufsize = history_size * p->tp_col * sizeof(term_char_t); - new = malloc(bufsize, M_VTBUF, M_WAITOK | M_ZERO); - rowssize = history_size * sizeof(term_pos_t *); - rows = malloc(rowssize, M_VTBUF, M_WAITOK | M_ZERO); + new = mallocarray(history_size, p->tp_col * sizeof(term_char_t), + M_VTBUF, M_WAITOK | M_ZERO); + rows = mallocarray(history_size, sizeof(term_pos_t *), M_VTBUF, + M_WAITOK | M_ZERO); /* Toggle it. */ VTBUF_LOCK(vb); diff --git a/sys/dev/vt/vt_core.c b/sys/dev/vt/vt_core.c index 5cf45a7c61b2..6e6f58d9e215 100644 --- a/sys/dev/vt/vt_core.c +++ b/sys/dev/vt/vt_core.c @@ -41,6 +41,7 @@ #include #include #include +#include #include #include #include @@ -2771,8 +2772,9 @@ skip_thunk: /* XXX */ return (0); case CONS_HISTORY: - if (*(int *)data < 0) - return EINVAL; + if (*(int *)data < 0 || + *(int *)data > UINT_MAX / USHRT_MAX / sizeof(term_char_t)) + return (EINVAL); if (*(int *)data != vw->vw_buf.vb_history_size) vtbuf_sethistory_size(&vw->vw_buf, *(int *)data); return (0); From nobody Tue Jun 9 19:19:17 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxy1RnNz6gV9N for ; Tue, 09 Jun 2026 19:19:18 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxx50XSz3PnH for ; Tue, 09 Jun 2026 19:19:17 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032757; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=HcSfaJZ/fGTUf3s3MeI/oApJjJPSCCrFtXTb+H1bjVM=; b=rPiP6605h1bfYkb1LwwHa1kikAgp+eFZgWz3DBsSKa5ycnGatVZBlNp4xHy5lA06WrhxW3 wzAzJI4wEe3NMn4l5sCHHv4UEmP6tL/a47LKT0GknHRVCBOaO5ZHr/saaADcivA+f44WAV ye2y8rlIw3VCueX//+vnCgk5JEU2E1sx2zFbuZCEtcXBt+fnJVmu+2DlvCDoDg8udPMs1i n7NOWCC8v8oMOJMEPnY/54RbVsIBsioC12Jg+OqpWaRfReY3KJ8cC+0qsewZ6VowAvgQon sk1AoYS+nw6YL14oZFzc9vGebsEftUjbB2WhLfPz7sFFLu/EF+aybxJyUPPDNg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032757; a=rsa-sha256; cv=none; b=ForwelqOY93TW69txdiQk4KP4qC2QyABR60w57U/dIwP/5EFc3PWntvgq0bn/wOpfCaI8O 0dbf1BSZnsMinsaaP31YzYqfDm9ke6R9rz3Wx2j5RdgZ5Gh962WwXEkGyfsNLxpXH5+SAg IBkpALanPL0I4y5hPEhi4i3btxe31PDZuOUoByrcI43qsOd94pL1bMXEEZ9/lNGQh4u4N/ 5csm03vzAc1Q5+yJeK9Du0+ASNTY4vcKOCAepDuo1Blrcw3xMhz4e+MF8DxamhOIH8gBzs DqIJ3/O6BRO+8kK3QEmLJKjhs3gQT9NtHzNJ1iHT7mCt0Zv2ImTXvgfVzigmNw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032757; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=HcSfaJZ/fGTUf3s3MeI/oApJjJPSCCrFtXTb+H1bjVM=; b=fJMweeaNpwar/HgeQNexhRhSMvFjpHI2O+VuQYbgmRdXAsPL4nrOsD0MRSsn8QSumnSv// WRAWJyuRJxLKVVXtJXaIUhDNS5oyMOqaYmpQZGXKxOdwdZ3u+RYhh8HVCwqGbabbiFMhqO zBw3cOg6hxaUu6WY5OmCCAQOe4NwmRIEXq5Tp0bWNWYCUGoh9ehy/FEeoV2tm/xh7kcrUI HNPTnZ0ZM+ACEgBPdnstK+EyupFldAeu7miyCjGmBI0SQfoFW/OZNPNB9nryx1+dONfZnN XB+rbJ5cXOW4JUlV9re9HQ26hTol4XKGqnPqKQySZRs50Cxmguuk+ZRtSmN9mg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxx4Y0nznG7 for ; Tue, 09 Jun 2026 19:19:17 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e52e by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:17 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Gordon Tetlow From: Mark Johnston Subject: git: 410ab2bff36f - releng/14.4 - ldns: Fix query response validation List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.4 X-Git-Reftype: branch X-Git-Commit: 410ab2bff36fa31666d310e6e49b3775d63342c6 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:17 +0000 Message-Id: <6a286735.3e52e.189ad7af@gitrepo.freebsd.org> The branch releng/14.4 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=410ab2bff36fa31666d310e6e49b3775d63342c6 commit 410ab2bff36fa31666d310e6e49b3775d63342c6 Author: Gordon Tetlow AuthorDate: 2026-06-07 15:40:46 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 13:21:34 +0000 ldns: Fix query response validation Approved by: so Security: FreeBSD-SA-26:36.ldns Security: CVE-2026-10846 --- contrib/ldns/error.c | 13 +++++++ contrib/ldns/ldns/error.h | 8 ++++- contrib/ldns/net.c | 92 +++++++++++++++++++++++++++++++++++++++++++++-- 3 files changed, 110 insertions(+), 3 deletions(-) diff --git a/contrib/ldns/error.c b/contrib/ldns/error.c index e3fd12112789..4fc05d6d0d8f 100644 --- a/contrib/ldns/error.c +++ b/contrib/ldns/error.c @@ -184,6 +184,19 @@ ldns_lookup_table ldns_error_str[] = { { LDNS_STATUS_INVALID_SVCPARAM_VALUE, "Invalid wireformat of a value " "in the ServiceParam rdata field of SVCB or HTTPS RR" }, + { LDNS_STATUS_NOT_EDE, + "The EDNS option is not an extended error code" }, + { LDNS_STATUS_EDE_OPTION_MALFORMED, + "The extended error code option is malformed, expected " + "at least 2 bytes of option data" }, + { LDNS_STATUS_EQUAL_RR, + "An identical RR already existed in the zone" }, + { LDNS_STATUS_ID_DID_NOT_MATCH, + "Response ID did not match the query ID" }, + { LDNS_STATUS_QDCOUNT_MUST_BE_ONE, + "The query section MUST contain exactly one question" }, + { LDNS_STATUS_QUERY_DID_NOT_MATCH, + "The question in the response did not match the query" }, { 0, NULL } }; diff --git a/contrib/ldns/ldns/error.h b/contrib/ldns/ldns/error.h index 2429b7703dfa..41d64cc0815f 100644 --- a/contrib/ldns/ldns/error.h +++ b/contrib/ldns/ldns/error.h @@ -141,7 +141,13 @@ enum ldns_enum_status { LDNS_STATUS_RESERVED_SVCPARAM_KEY, LDNS_STATUS_NO_SVCPARAM_VALUE_EXPECTED, LDNS_STATUS_SVCPARAM_KEY_MORE_THAN_ONCE, - LDNS_STATUS_INVALID_SVCPARAM_VALUE + LDNS_STATUS_INVALID_SVCPARAM_VALUE, + LDNS_STATUS_NOT_EDE, + LDNS_STATUS_EDE_OPTION_MALFORMED, + LDNS_STATUS_EQUAL_RR, + LDNS_STATUS_ID_DID_NOT_MATCH, + LDNS_STATUS_QDCOUNT_MUST_BE_ONE, + LDNS_STATUS_QUERY_DID_NOT_MATCH }; typedef enum ldns_enum_status ldns_status; diff --git a/contrib/ldns/net.c b/contrib/ldns/net.c index 57d4dff24dbe..215c0cac891c 100644 --- a/contrib/ldns/net.c +++ b/contrib/ldns/net.c @@ -441,6 +441,50 @@ ldns_udp_bgsend2(ldns_buffer *qbin, return ldns_udp_bgsend_from(qbin, to, tolen, NULL, 0, timeout); } +/** helper sockaddr compare function. returns -1, 0 or 1. */ +static int +ldns_sockaddr_cmp(const struct sockaddr_storage* addr1, socklen_t len1, + const struct sockaddr_storage* addr2, socklen_t len2) +{ + struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1; + struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2; + struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1; + struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2; + if(len1 < len2) + return -1; + if(len1 > len2) + return 1; + assert(len1 == len2); + if( p1_in->sin_family < p2_in->sin_family) + return -1; + if( p1_in->sin_family > p2_in->sin_family) + return 1; + assert( p1_in->sin_family == p2_in->sin_family ); + /* compare ip4 */ + if( p1_in->sin_family == AF_INET ) { + /* just order it, ntohs not required */ + if(p1_in->sin_port < p2_in->sin_port) + return -1; + if(p1_in->sin_port > p2_in->sin_port) + return 1; + assert(p1_in->sin_port == p2_in->sin_port); + return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, + sizeof(p1_in->sin_addr)); + } else if (p1_in6->sin6_family == AF_INET6) { + /* just order it, ntohs not required */ + if(p1_in6->sin6_port < p2_in6->sin6_port) + return -1; + if(p1_in6->sin6_port > p2_in6->sin6_port) + return 1; + assert(p1_in6->sin6_port == p2_in6->sin6_port); + return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr, + sizeof(p1_in6->sin6_addr)); + } else { + /* eek unknown type, perform this comparison for sanity. */ + return memcmp(addr1, addr2, len1); + } +} + static ldns_status ldns_udp_send_from(uint8_t **result, ldns_buffer *qbin, const struct sockaddr_storage *to , socklen_t tolen, @@ -449,6 +493,8 @@ ldns_udp_send_from(uint8_t **result, ldns_buffer *qbin, { int sockfd; uint8_t *answer; + struct sockaddr_storage reply_addr; + socklen_t reply_addr_len; sockfd = ldns_udp_bgsend_from(qbin, to, tolen, from, fromlen, timeout); @@ -467,13 +513,21 @@ ldns_udp_send_from(uint8_t **result, ldns_buffer *qbin, * but returns a 'NETWORK_ERROR' much like a timeout. */ ldns_sock_nonblock(sockfd); - answer = ldns_udp_read_wire(sockfd, answer_size, NULL, NULL); + reply_addr_len = sizeof(reply_addr); + memset(&reply_addr, 0, reply_addr_len); + answer = ldns_udp_read_wire(sockfd, answer_size, &reply_addr, + &reply_addr_len); close_socket(sockfd); if (!answer) { /* oops */ return LDNS_STATUS_NETWORK_ERR; } + /* Check that the reply came from the to addr. */ + if(ldns_sockaddr_cmp(to, tolen, &reply_addr, reply_addr_len) != 0) { + free(answer); + return LDNS_STATUS_NETWORK_ERR; + } *result = answer; return LDNS_STATUS_OK; @@ -512,6 +566,10 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf assert(r != NULL); + /* The query should at least have one question */ + if(ldns_buffer_limit(qb) < 6 || ldns_buffer_read_u16_at(qb, 4) != 1) + return LDNS_STATUS_QDCOUNT_MUST_BE_ONE; + status = LDNS_STATUS_OK; rtt = ldns_resolver_rtt(r); ns_array = ldns_resolver_nameservers(r); @@ -599,6 +657,16 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf ldns_resolver_set_nameserver_rtt(r, i, LDNS_RESOLV_RTT_INF); status = send_status; } + if(reply_bytes && ldns_buffer_limit(qb) >= 2) { + uint16_t txid = ldns_buffer_read_u16_at(qb, 0); + if(reply_size < 2 || + ldns_read_uint16(reply_bytes) != txid) { + status = LDNS_STATUS_ID_DID_NOT_MATCH; + LDNS_FREE(reply_bytes); + reply_bytes = NULL; + reply_size = 0; + } + } /* obey the fail directive */ if (!reply_bytes) { @@ -608,7 +676,7 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf LDNS_FREE(src); } LDNS_FREE(ns); - return LDNS_STATUS_ERR; + return status ? status : LDNS_STATUS_ERR; } else { LDNS_FREE(ns); continue; @@ -670,6 +738,26 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf #endif /* HAVE_SSL */ LDNS_FREE(reply_bytes); + if (reply) { + ldns_pkt *query = NULL; + + if(ldns_pkt_qdcount(reply) != 1) { + status = LDNS_STATUS_QDCOUNT_MUST_BE_ONE; + ldns_pkt_free(reply); + reply = NULL; + + } else if(ldns_wire2pkt(&query + , ldns_buffer_begin(qb) + , ldns_buffer_position(qb)) != LDNS_STATUS_OK + || ldns_pkt_qdcount(query) != 1 + || ldns_rr_compare(ldns_rr_list_rr(ldns_pkt_question(query),0) + ,ldns_rr_list_rr(ldns_pkt_question(reply),0))){ + status = LDNS_STATUS_QUERY_DID_NOT_MATCH; + ldns_pkt_free(reply); + reply = NULL; + } + ldns_pkt_free(query); + } if (result) { *result = reply; } From nobody Tue Jun 9 19:19:18 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxz11Bmz6gVH4 for ; Tue, 09 Jun 2026 19:19:19 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdxy5pbtz3PqY for ; Tue, 09 Jun 2026 19:19:18 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032758; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Q5hpzY+9lpN7SF+a6qoh6Ms8suI3L+EIeRk1O2VwzDc=; b=PmCeCJkZtHN+s2VWRcLluXpd0GnyJEAfbpgfC60FPQCIg5b9sK16YcOeikqx9LPwWIWrj5 p7KDLNO39jjEJfjo/+oCRcZbxQdXWh6XTAGYEkey7sFM2wKqd1Zy7Fw5NBoJCkuvDoDrWG w0kOTCiP0Dk9cZorVDblFCDSiqTvPjy4Guvlaiy29yTYbguYq3lTJawmuWdEZXrdnss6D2 Sd7C5jj7fPDbdOEDBE/SVh7D0i5C8pa087jmJSecrsf40OJta4ULhgBLLwBLnEKoaJCP3/ PD+emFUbhTYt2EYk+EMWKMMnscr8dxg1cYubEJTRBueEiWT5ar+SHdddvCSFFg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032758; a=rsa-sha256; cv=none; b=jOEBXyAOGScSX224b0my0ZhvyO0X+bsQKr7yDhYKV/WxqHmuwkpvG0wJfiGHTDjnugdhjE bxsNsee8PupuGztrjSOm4ttepyxwQti0kfAwNYF1iWbNwqPRXlcZ68ni5OU75N6PH5/42i 4JRZHj5bnFJE1PmtO14F1xcVnvOz5fBFn1Zf2+woxuLuD49mEgviAylo14X3ge0pLe8G0b HGp+IW8RJV+LiKvm29MQ0IPCHH0DvMOnE3DyuyIKimtmOga0aG3gCSddhFKNUifQu/F7aO QTG2bwqxYJeSWz1kIUhGNsLmIMCfug234tmmqNgYEDt2051M81FszitCaeSh6A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032758; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Q5hpzY+9lpN7SF+a6qoh6Ms8suI3L+EIeRk1O2VwzDc=; b=KO/5OTX1fiF0bBQz9ZRJZyTkJHQ4ysp4/5fcqyEj+4DhO6ryasIK0mmeTYLQyCQtkgRjIx 83/eCEfzo3Eo0e+yqD4ospdYlJEc6W8590ZznyZ20FTBwSNaEwMFMji08hdshMDZFUglNk 8WStIMVULwD5BfPVLKMXd1PQUkpEVkXqJAZhpUMtjGwuE6j4MkALte1Izb/hc48tPQHNk3 x2XhPO4T4UInyUidyuCRmO8cJhwcpxquGbOOZNggGPkdiYQ7a46HFwDhoCvQaPcZK5WnFy R2TzixelGMUKCyU3fKDrwmSigEmh7oz3YZfzBjqhYovUfxGBTqW14mNYTbFS7A== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdxy5HYWznrl for ; Tue, 09 Jun 2026 19:19:18 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3f487 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:18 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 3d95ec875867 - releng/14.4 - Add UPDATING entries and bump version List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.4 X-Git-Reftype: branch X-Git-Commit: 3d95ec87586781c366e6c01c6a40c3e80056d24b Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:18 +0000 Message-Id: <6a286736.3f487.27a5983f@gitrepo.freebsd.org> The branch releng/14.4 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=3d95ec87586781c366e6c01c6a40c3e80056d24b commit 3d95ec87586781c366e6c01c6a40c3e80056d24b Author: Mark Johnston AuthorDate: 2026-06-07 16:55:09 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 15:38:31 +0000 Add UPDATING entries and bump version Approved by: so --- UPDATING | 41 +++++++++++++++++++++++++++++++++++++++++ sys/conf/newvers.sh | 2 +- 2 files changed, 42 insertions(+), 1 deletion(-) diff --git a/UPDATING b/UPDATING index 14e25a3b5cb3..6433576d48b2 100644 --- a/UPDATING +++ b/UPDATING @@ -12,6 +12,47 @@ Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before updating system packages and/or ports. +20260609: + 14.4-RELEASE-p6 EN-26:15.openssl + SA-26:25.thr + SA-26:26.ktls + SA-26:27.sound + SA-26:28.capsicum + SA-26:29.ip6_multicast + SA-26:30.linux + SA-26:31.arm64 + SA-26:32.elf + SA-26:33.unbound + SA-26:34.vt + SA-26:35.openssl + SA-26:36.ldns + + Update OpenSSL to 3.0.20 and 3.5.6. [EN-26:15.openssl] + + Missing permission check in thr_kill2(2). [SA-26:25.thr] + + Arbitrary file overwrite via the KTLS receive path. [SA-26:26.ktls] + + Multiple vulnerabilities in the sound(4) mmap path. [SA-26:27.sound] + + sigqueue(2) missing capability mode restriction. [SA-26:28.capsicum] + + Use-after-free bug in the IPV6_MSFILTER socket option handler. [SA-26:29.ip6_multicast] + + Flaw in Linuxulator execution of setugid binaries. [SA-26:30.linux] + + Arm CPU errata may bypass page table permission changes. [SA-26:31.arm64] + + ASLR bypass for setuid executables via procctl(2). [SA-26:32.elf] + + Multiple vulnerabilities in unbound. [SA-26:33.unbound] + + Integer overflow in vt(4) CONS_HISTORY ioctl. [SA-26:34.vt] + + Multiple vulnerabilities in OpenSSL. [SA-26:35.openssl] + + Insufficient response validation in the ldns stub resolver. [SA-26:36.ldns] + 20260520: 14.4-RELEASE-p5 SA-26:18.setcred SA-26:19.file diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index c71cb6eb9b68..3d7d8d5145a5 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -53,7 +53,7 @@ TYPE="FreeBSD" REVISION="14.4" -BRANCH="RELEASE-p5" +BRANCH="RELEASE-p6" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi From nobody Tue Jun 9 19:19:32 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyF2cBVz6gVD7 for ; Tue, 09 Jun 2026 19:19:33 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdyD66cjz3QDw for ; Tue, 09 Jun 2026 19:19:32 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032772; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=RqZsANotLjglfbfMBbHiXERt1EjKhxLRpwvvpqkuRkI=; b=bp188X2FZ5Z2PNGqcStJPhX7Z7OUnD17G/Vr0+u32LgHFEYSX9ROYQ79hdyepfPAfV07FF oTMGF3VxVjkSJFzDQ4JlTTlsXWyrW+fbXzuPFWKy3J4dZrIWA04ttHFRhUH1ictf7XKLm1 HwVKwC7XAp2/zVmuvlu75/3xUu1WKa82gOomyKHLM94shgy1XmrwHxPIxt6MA37HMdj8fv bIzY3OI2l27q8YITTSGkm5LihCe2lOhA9zbcddtmOP5KCR8UIzenqcxIoaTDcwWq3PS6If v63ZBqS85ZIq8lyupdlyZX0XdOhA1cX0KStwGIcUdZKL8o//D8nvR0JxhTdmDQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032772; a=rsa-sha256; cv=none; b=qckQVqJ0iflnADol26p1plkLp3SaRCf+o9wJvC/2wOyqGPYx0AP05zKo8kWqNC3wb6eHrD ZvmI5ElwO6ayVlnQherfjO17YKwu2AFO+Hg619EaaT7Z8sKL8W8SHlgAqflyuEenv5AcSM w1uOjhQywpuzQGUDTKPXqK0r0j+u2Y34bRPmLXPlqKNC5usrt7D9ju5wPEuHi7w93U7vBZ W/JYxAawejx/cBugwvWXSbj7roMHuUq4Ui7zWTiBh1AEGe30pdRREADpITh24aCEL9JyyZ orNZ1e2SdtZ3ClmZCKIyhUIT5m1rsC9L8hQVklm8yqlYIUoQLwotHXen4HvXyw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032772; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=RqZsANotLjglfbfMBbHiXERt1EjKhxLRpwvvpqkuRkI=; b=h6pjSQIPcks2AxgtrceJVoQfFeHIlKazYviRyBuHsOdibzQtjOPigrk/9anStIvry9lncF GJJiULbGNM+dxVrgYfO4wNXvHmc+PTCSeGN6T0YqjIbVt2/egQ1IozrgFHOq9W5ztfaAiE lM/tiEQqRf/mjatx04M0jGUfi/QBoiakzcJfSjQmOqt3rD/3khdvYWKTWpebqf9D3COjri MjMEaREEMaBj8uv9wAvXFQxNirT/ajcZk5gbhI3VZJTmKs7Ti8OW79XBTWhYWbUAsV0/5c 251JCJ4hFs+geyZU3aBOHlZbcjYdrQF6PpCzyaCwbTXTIBgJz8drg5/1QfC4qg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyD5ZhDznky for ; Tue, 09 Jun 2026 19:19:32 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3ebc9 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:32 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Pat Maddox From: Mark Johnston Subject: git: 998de2d14e25 - releng/15.0 - syslogd: fix memory leak in casper_ttymsg() List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.0 X-Git-Reftype: branch X-Git-Commit: 998de2d14e25c1246b8fe75f85c053e0b9781a8f Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:32 +0000 Message-Id: <6a286744.3ebc9.c30959f@gitrepo.freebsd.org> The branch releng/15.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=998de2d14e25c1246b8fe75f85c053e0b9781a8f commit 998de2d14e25c1246b8fe75f85c053e0b9781a8f Author: Pat Maddox AuthorDate: 2026-05-22 21:45:30 +0000 Commit: Mark Johnston CommitDate: 2026-05-29 19:50:43 +0000 syslogd: fix memory leak in casper_ttymsg() nvlist_take_string_array(9) takes ownership of the array and its strings. casper_ttymsg() freed neither, leaking memory on every F_CONSOLE and F_TTY message. On long-running systems with high error-rate syslog traffic routed to /dev/console, syslogd.casper grew to hundreds of MB. Use nvlist_get_string_array(9) to borrow the array instead. Update casper_wallmsg() similarly. Approved by: so Security: FreeBSD-EN-26:14.syslogd Approved by: src (des) Closes: https://github.com/freebsd/freebsd-src/pull/2222 Fixes: 61a29eca550b ("syslogd: Log messages using libcasper") PR: 295488 Reported by: Pat Maddox Reviewed by: markj Tested by: dch (cherry picked from commit c783d7181d6a71cb2453f06e40c08c892510c2f2) (cherry picked from commit be03b0fb2241260ec94db431cf4f2954161f227e) --- usr.sbin/syslogd/syslogd_cap_log.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/usr.sbin/syslogd/syslogd_cap_log.c b/usr.sbin/syslogd/syslogd_cap_log.c index 0156cc6f6b6c..5e2034abd9eb 100644 --- a/usr.sbin/syslogd/syslogd_cap_log.c +++ b/usr.sbin/syslogd/syslogd_cap_log.c @@ -128,19 +128,19 @@ cap_ttymsg(cap_channel_t *chan, struct iovec *iov, int iovcnt, int casper_ttymsg(nvlist_t *nvlin, nvlist_t *nvlout) { - char **nvlstrs; + const char * const *nvlstrs; struct iovec *iov; size_t iovcnt; int tmout; const char *line; - nvlstrs = nvlist_take_string_array(nvlin, "iov_strs", &iovcnt); + nvlstrs = nvlist_get_string_array(nvlin, "iov_strs", &iovcnt); assert(iovcnt <= TTYMSG_IOV_MAX); iov = calloc(iovcnt, sizeof(*iov)); if (iov == NULL) err(EXIT_FAILURE, "calloc"); for (size_t i = 0; i < iovcnt; ++i) { - iov[i].iov_base = nvlstrs[i]; + iov[i].iov_base = __DECONST(char *, nvlstrs[i]); iov[i].iov_len = strlen(nvlstrs[i]); } line = nvlist_get_string(nvlin, "line"); @@ -187,25 +187,23 @@ int casper_wallmsg(nvlist_t *nvlin) { const struct filed *f; - char **nvlstrs; + const char * const *nvlstrs; struct iovec *iov; size_t sz; f = nvlist_get_binary(nvlin, "filed", &sz); assert(sz == sizeof(*f)); - nvlstrs = nvlist_take_string_array(nvlin, "iov_strs", &sz); + nvlstrs = nvlist_get_string_array(nvlin, "iov_strs", &sz); assert(sz <= TTYMSG_IOV_MAX); iov = calloc(sz, sizeof(*iov)); if (iov == NULL) err(EXIT_FAILURE, "calloc"); for (size_t i = 0; i < sz; ++i) { - iov[i].iov_base = nvlstrs[i]; + iov[i].iov_base = __DECONST(char *, nvlstrs[i]); iov[i].iov_len = strlen(nvlstrs[i]); } wallmsg(f, iov, sz); - for (size_t i = 0; i < sz; ++i) - free(iov[i].iov_base); free(iov); return (0); } From nobody Tue Jun 9 19:19:33 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyP5qk6z6gVDg for ; Tue, 09 Jun 2026 19:19:41 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdyP2bq8z3QGf for ; Tue, 09 Jun 2026 19:19:41 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032781; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=woCQUH9KA7/F3tsCX+pykI2VJK56nWTlX7BChxuK+qk=; b=u8og5pUz6nalKtY5LaBEkwZ3oFhDd/y9qqF23bZ8rsEJMpPR3XGsaM2y0jKqZyBMDm1V5e falbe6Jl3t2MCR8sZeVVE3Z6nWDaZXGgXLtdf8Yzl+BsVFCwYv+jzdcn12jCk6vPVn3Stt O484VZ6SqQjQq4PZOweXJz5q0OQZfyfnz064mxyvev75lGeT1+g4erWjTLqimBw9dhT8vT kJcDYUvFFcAcoVz6/VSZ3/DkQ2l8J58b90ctRrMLgxNjcOrZ++9e4zOjcg71ebhFi6z9Kb gBavkyefRBkKDBCHrFvjbg9aCGoHMAHlqjhCCQ6k77crabPoHR9JMk0119J5vg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032781; a=rsa-sha256; cv=none; b=dWmmcqW3rzMZ8nsqO+ootJKdu4AiuiqlIt46wbuoSY7J+bCV57dDQvfAfce042xAPnOXKr iHKgTnLF8uyRkLezlYL4b0N48noF0Ivy8y2v40GN8Tw2gPddv0Lc7QaJOfXwZIJxJ7+SCX t1w4hS+khtvAdyzzx1ugPtk4lH8PuI1AAcq9RvRczxzqqLugC1OkTOFuQErzPOK53Jhvqi zKM4hscDcvlGc5yRt/sE1NOj+gZMVsXK9zPY0a1iaWguhNhzH6cbbf6GUMRbmHcjo6cZiN 4GapuzQX4TaJ/AxcyXCszykqG/8MbRB02kcUnPuaviqnhzzfN+2zY+LAHSwnJw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032781; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=woCQUH9KA7/F3tsCX+pykI2VJK56nWTlX7BChxuK+qk=; b=wF2QsxDIYSOFnkvtlABkoec0amzHPpqSwmykNQKVxUBo/JzyeeS8wcYWbae3DnaE7XRMQ+ /YhXRZMW4Z+wEdzuNFCiKquSjT99bvGSDHXFIn/GUO70vX42N5eiWIWphr5Pl/8xdXtmyh 5lAOd/jFd2UOaXOXgPvy/+2wizwnDeJQiDRfFaIvgVugEwh/ZkZvWd3czaqZlQMRdix+cL 2MSyVN9lkbwvY4XXPkDIDRwtK7YxbHzPjEeu3legXEpCVJKt9sIJJBBHCQ9gKjVw7g/qez 8ILp91KdS8uXM4Wwy1bEFn2V8zipqGlfQ1OAvzsaKgW48JWw2yjfAGbW2miuhw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyP21HPznl0 for ; Tue, 09 Jun 2026 19:19:41 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3eb2a by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:33 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Enji Cooper From: Mark Johnston Subject: git: 0f6e90c4cc4f - releng/15.0 - openssl: Update to 3.5.6 and associated fixes. List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.0 X-Git-Reftype: branch X-Git-Commit: 0f6e90c4cc4f9bb006de556b46db0dcb3283491a Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:33 +0000 Message-Id: <6a286745.3eb2a.4320db0e@gitrepo.freebsd.org> The branch releng/15.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=0f6e90c4cc4f9bb006de556b46db0dcb3283491a commit 0f6e90c4cc4f9bb006de556b46db0dcb3283491a Author: Enji Cooper AuthorDate: 2025-09-08 03:20:42 +0000 Commit: Mark Johnston CommitDate: 2026-06-07 16:57:09 +0000 openssl: Update to 3.5.6 and associated fixes. Included fixes: OpenSSL: update Makefiles to reflect 3.5.1 release (cherry picked from commit ee6882e6b1287aa910a4f74f5290ae397dbd5054) crypto/openssl: fix importing new versions from pristine trees (cherry picked from commit f43d0ac1b0e29bbd77d6b0b1c87dca075cd7b9bf) openssl: import 3.5.5 (cherry picked from commit f775385affefd7beac0d038d5cd9cbf01bfc4a06) OpenSSL: update vendor sources to match 3.5.5 content (cherry picked from commit 12eecb3bcc0be4d7fd35847252c40998806fc551) OpenSSL: install EVP_CIPHER_CTX_get_app_data.3 once (cherry picked from commit b0476eea5ef4ab2ccf2479652f486af3d4ab9cc0) MFV: crypto/openssl: update to 3.5.6 (cherry picked from commit e2fcde7333a515907316cf1a4ee4858edc90419d) OpenSSL: commit sys/crypto changes for 3.5.5 (cherry picked from commit e6c8997a8958c7aaec8e266d2eeefbfaa137e218) crypto/openssl: update artifacts to match 3.5.6 release artifacts (cherry picked from commit 293c738aa45003423f45eb7f0e37f3047e52c502) crypto/openssl: add new manpage from release 3.5.6 (cherry picked from commit 51a80be04fe63a8d6950a7524b3ca0d511ade131) Approved by: so Security: FreeBSD-EN-26:15.openssl Security: CVE-2026-2673 Security: CVE-2026-28387 Security: CVE-2026-28388 Security: CVE-2026-28389 Security: CVE-2026-31789 Security: CVE-2026-31790 --- crypto/openssl/.ctags.d/exclude.ctags | 3 +- crypto/openssl/BSDmakefile | 7 +- crypto/openssl/CHANGES.md | 820 +- crypto/openssl/CONTRIBUTING.md | 20 + crypto/openssl/Configurations/10-main.conf | 3 +- crypto/openssl/Configurations/50-nonstop.conf | 2 + crypto/openssl/Configurations/unix-Makefile.tmpl | 20 +- .../openssl/Configurations/windows-makefile.tmpl | 5 +- crypto/openssl/NEWS.md | 465 +- crypto/openssl/NOTES-NONSTOP.md | 12 +- crypto/openssl/README.md | 2 +- crypto/openssl/VERSION.dat | 4 +- crypto/openssl/apps/asn1parse.c | 72 +- crypto/openssl/apps/ca.c | 765 +- crypto/openssl/apps/ciphers.c | 55 +- crypto/openssl/apps/cmp.c | 1455 +- crypto/openssl/apps/cms.c | 509 +- crypto/openssl/apps/crl.c | 126 +- crypto/openssl/apps/crl2pkcs7.c | 36 +- crypto/openssl/apps/dgst.c | 163 +- crypto/openssl/apps/dhparam.c | 159 +- crypto/openssl/apps/dsa.c | 78 +- crypto/openssl/apps/dsaparam.c | 71 +- crypto/openssl/apps/ec.c | 78 +- crypto/openssl/apps/ecparam.c | 117 +- crypto/openssl/apps/enc.c | 216 +- crypto/openssl/apps/engine.c | 112 +- crypto/openssl/apps/errstr.c | 17 +- crypto/openssl/apps/fipsinstall.c | 524 +- crypto/openssl/apps/gendsa.c | 42 +- crypto/openssl/apps/genpkey.c | 97 +- crypto/openssl/apps/genrsa.c | 61 +- crypto/openssl/apps/include/app_libctx.h | 4 +- crypto/openssl/apps/include/app_params.h | 1 - crypto/openssl/apps/include/apps.h | 252 +- crypto/openssl/apps/include/apps_ui.h | 5 +- crypto/openssl/apps/include/cmp_mock_srv.h | 23 +- crypto/openssl/apps/include/engine_loader.h | 8 +- crypto/openssl/apps/include/fmt.h | 32 +- crypto/openssl/apps/include/function.h | 17 +- crypto/openssl/apps/include/http_server.h | 64 +- crypto/openssl/apps/include/log.h | 34 +- crypto/openssl/apps/include/names.h | 2 +- crypto/openssl/apps/include/opt.h | 585 +- crypto/openssl/apps/include/platform.h | 12 +- crypto/openssl/apps/include/s_apps.h | 60 +- crypto/openssl/apps/include/vms_term_sock.h | 12 +- crypto/openssl/apps/info.c | 39 +- crypto/openssl/apps/kdf.c | 45 +- crypto/openssl/apps/lib/app_libctx.c | 1 - crypto/openssl/apps/lib/app_params.c | 7 +- crypto/openssl/apps/lib/app_provider.c | 15 +- crypto/openssl/apps/lib/app_rand.c | 5 +- crypto/openssl/apps/lib/app_x509.c | 54 +- crypto/openssl/apps/lib/apps.c | 699 +- crypto/openssl/apps/lib/apps_opt_printf.c | 1 - crypto/openssl/apps/lib/apps_ui.c | 39 +- crypto/openssl/apps/lib/cmp_mock_srv.c | 369 +- crypto/openssl/apps/lib/columns.c | 1 - crypto/openssl/apps/lib/engine.c | 15 +- crypto/openssl/apps/lib/engine_loader.c | 38 +- crypto/openssl/apps/lib/http_server.c | 125 +- crypto/openssl/apps/lib/log.c | 8 +- crypto/openssl/apps/lib/names.c | 2 +- crypto/openssl/apps/lib/opt.c | 202 +- crypto/openssl/apps/lib/s_cb.c | 650 +- crypto/openssl/apps/lib/s_socket.c | 115 +- crypto/openssl/apps/lib/tlssrp_depr.c | 47 +- crypto/openssl/apps/lib/vms_decc_argv.c | 2 +- crypto/openssl/apps/lib/vms_term_sock.c | 501 +- crypto/openssl/apps/lib/win32_init.c | 31 +- crypto/openssl/apps/list.c | 610 +- crypto/openssl/apps/mac.c | 40 +- crypto/openssl/apps/nseq.c | 22 +- crypto/openssl/apps/ocsp.c | 464 +- crypto/openssl/apps/openssl.c | 66 +- crypto/openssl/apps/passwd.c | 250 +- crypto/openssl/apps/pkcs12.c | 369 +- crypto/openssl/apps/pkcs7.c | 46 +- crypto/openssl/apps/pkcs8.c | 92 +- crypto/openssl/apps/pkey.c | 100 +- crypto/openssl/apps/pkeyparam.c | 32 +- crypto/openssl/apps/pkeyutl.c | 257 +- crypto/openssl/apps/prime.c | 45 +- crypto/openssl/apps/progs.c | 2 +- crypto/openssl/apps/progs.h | 2 +- crypto/openssl/apps/progs.pl | 7 +- crypto/openssl/apps/rand.c | 36 +- crypto/openssl/apps/rehash.c | 172 +- crypto/openssl/apps/req.c | 479 +- crypto/openssl/apps/rsa.c | 103 +- crypto/openssl/apps/rsautl.c | 91 +- crypto/openssl/apps/s_client.c | 1869 +- crypto/openssl/apps/s_server.c | 929 +- crypto/openssl/apps/s_time.c | 158 +- crypto/openssl/apps/sess_id.c | 42 +- crypto/openssl/apps/skeyutl.c | 38 +- crypto/openssl/apps/smime.c | 225 +- crypto/openssl/apps/speed.c | 1648 +- crypto/openssl/apps/spkac.c | 56 +- crypto/openssl/apps/srp.c | 196 +- crypto/openssl/apps/storeutl.c | 159 +- crypto/openssl/apps/testdsa.h | 1490 +- crypto/openssl/apps/testrsa.h | 4912 +++- crypto/openssl/apps/timeouts.h | 8 +- crypto/openssl/apps/ts.c | 268 +- crypto/openssl/apps/verify.c | 137 +- crypto/openssl/apps/version.c | 58 +- crypto/openssl/apps/vms_decc_init.c | 73 +- crypto/openssl/apps/x509.c | 417 +- crypto/openssl/build.info | 16 +- crypto/openssl/crypto/LPdir_nyi.c | 2 +- crypto/openssl/crypto/LPdir_unix.c | 23 +- crypto/openssl/crypto/LPdir_vms.c | 24 +- crypto/openssl/crypto/LPdir_win.c | 35 +- crypto/openssl/crypto/LPdir_win32.c | 2 + crypto/openssl/crypto/LPdir_wince.c | 2 + crypto/openssl/crypto/aes/aes_cbc.c | 8 +- crypto/openssl/crypto/aes/aes_cfb.c | 18 +- crypto/openssl/crypto/aes/aes_core.c | 3589 ++- crypto/openssl/crypto/aes/aes_ecb.c | 2 +- crypto/openssl/crypto/aes/aes_ige.c | 56 +- crypto/openssl/crypto/aes/aes_local.h | 51 +- crypto/openssl/crypto/aes/aes_misc.c | 6 +- crypto/openssl/crypto/aes/aes_ofb.c | 6 +- crypto/openssl/crypto/aes/aes_wrap.c | 12 +- crypto/openssl/crypto/aes/aes_x86core.c | 591 +- crypto/openssl/crypto/aes/asm/aes-riscv32-zkn.pl | 7 +- crypto/openssl/crypto/aes/asm/aes-riscv64-zkn.pl | 7 +- .../openssl/crypto/aes/asm/aes-riscv64-zvkned.pl | 13 +- crypto/openssl/crypto/aes/asm/aes-riscv64.pl | 10 +- crypto/openssl/crypto/aes/asm/aesni-xts-avx512.pl | 14 +- crypto/openssl/crypto/aria/aria.c | 335 +- crypto/openssl/crypto/arm_arch.h | 369 +- crypto/openssl/crypto/armcap.c | 241 +- crypto/openssl/crypto/asn1/a_bitstr.c | 12 +- crypto/openssl/crypto/asn1/a_d2i_fp.c | 40 +- crypto/openssl/crypto/asn1/a_digest.c | 9 +- crypto/openssl/crypto/asn1/a_dup.c | 6 +- crypto/openssl/crypto/asn1/a_gentm.c | 8 +- crypto/openssl/crypto/asn1/a_i2d_fp.c | 4 +- crypto/openssl/crypto/asn1/a_int.c | 33 +- crypto/openssl/crypto/asn1/a_mbstr.c | 58 +- crypto/openssl/crypto/asn1/a_object.c | 32 +- crypto/openssl/crypto/asn1/a_octet.c | 4 +- crypto/openssl/crypto/asn1/a_print.c | 3 +- crypto/openssl/crypto/asn1/a_sign.c | 45 +- crypto/openssl/crypto/asn1/a_strex.c | 91 +- crypto/openssl/crypto/asn1/a_strnid.c | 16 +- crypto/openssl/crypto/asn1/a_time.c | 53 +- crypto/openssl/crypto/asn1/a_type.c | 12 +- crypto/openssl/crypto/asn1/a_utctm.c | 2 +- crypto/openssl/crypto/asn1/a_utf8.c | 4 +- crypto/openssl/crypto/asn1/a_verify.c | 29 +- crypto/openssl/crypto/asn1/ameth_lib.c | 172 +- crypto/openssl/crypto/asn1/asn1_err.c | 374 +- crypto/openssl/crypto/asn1/asn1_gen.c | 103 +- crypto/openssl/crypto/asn1/asn1_item_list.h | 4 +- crypto/openssl/crypto/asn1/asn1_lib.c | 12 +- crypto/openssl/crypto/asn1/asn1_local.h | 28 +- crypto/openssl/crypto/asn1/asn1_parse.c | 74 +- crypto/openssl/crypto/asn1/asn_mime.c | 99 +- crypto/openssl/crypto/asn1/asn_mstbl.c | 12 +- crypto/openssl/crypto/asn1/asn_pack.c | 9 +- crypto/openssl/crypto/asn1/bio_asn1.c | 44 +- crypto/openssl/crypto/asn1/bio_ndef.c | 17 +- crypto/openssl/crypto/asn1/d2i_param.c | 2 +- crypto/openssl/crypto/asn1/d2i_pr.c | 43 +- crypto/openssl/crypto/asn1/d2i_pu.c | 4 +- crypto/openssl/crypto/asn1/evp_asn1.c | 26 +- crypto/openssl/crypto/asn1/f_int.c | 4 +- crypto/openssl/crypto/asn1/f_string.c | 4 +- crypto/openssl/crypto/asn1/i2d_evp.c | 34 +- crypto/openssl/crypto/asn1/n_pkey.c | 23 +- crypto/openssl/crypto/asn1/nsseq.c | 6 +- crypto/openssl/crypto/asn1/p5_pbe.c | 19 +- crypto/openssl/crypto/asn1/p5_pbev2.c | 50 +- crypto/openssl/crypto/asn1/p5_scrypt.c | 63 +- crypto/openssl/crypto/asn1/p8_pkey.c | 24 +- crypto/openssl/crypto/asn1/t_bitst.c | 4 +- crypto/openssl/crypto/asn1/t_pkey.c | 19 +- crypto/openssl/crypto/asn1/t_spki.c | 6 +- crypto/openssl/crypto/asn1/tasn_dec.c | 227 +- crypto/openssl/crypto/asn1/tasn_enc.c | 51 +- crypto/openssl/crypto/asn1/tasn_new.c | 30 +- crypto/openssl/crypto/asn1/tasn_prn.c | 92 +- crypto/openssl/crypto/asn1/tasn_scn.c | 2 +- crypto/openssl/crypto/asn1/tasn_typ.c | 26 +- crypto/openssl/crypto/asn1/tasn_utl.c | 22 +- crypto/openssl/crypto/asn1/tbl_standard.h | 85 +- crypto/openssl/crypto/asn1/x_algor.c | 24 +- crypto/openssl/crypto/asn1/x_bignum.c | 29 +- crypto/openssl/crypto/asn1/x_int64.c | 87 +- crypto/openssl/crypto/asn1/x_long.c | 25 +- crypto/openssl/crypto/asn1/x_sig.c | 8 +- crypto/openssl/crypto/asn1/x_spki.c | 10 +- crypto/openssl/crypto/asn1/x_val.c | 4 +- crypto/openssl/crypto/asn1_dsa.c | 61 +- crypto/openssl/crypto/async/arch/async_null.c | 5 +- crypto/openssl/crypto/async/arch/async_null.h | 17 +- crypto/openssl/crypto/async/arch/async_posix.c | 14 +- crypto/openssl/crypto/async/arch/async_posix.h | 53 +- crypto/openssl/crypto/async/arch/async_win.c | 14 +- crypto/openssl/crypto/async/arch/async_win.h | 38 +- crypto/openssl/crypto/async/async.c | 29 +- crypto/openssl/crypto/async/async_err.c | 16 +- crypto/openssl/crypto/async/async_local.h | 9 +- crypto/openssl/crypto/async/async_wait.c | 48 +- crypto/openssl/crypto/bf/bf_cfb64.c | 8 +- crypto/openssl/crypto/bf/bf_ecb.c | 2 +- crypto/openssl/crypto/bf/bf_enc.c | 12 +- crypto/openssl/crypto/bf/bf_local.h | 134 +- crypto/openssl/crypto/bf/bf_ofb64.c | 8 +- crypto/openssl/crypto/bf/bf_pi.h | 1548 +- crypto/openssl/crypto/bio/bf_buff.c | 21 +- crypto/openssl/crypto/bio/bf_lbuf.c | 18 +- crypto/openssl/crypto/bio/bf_prefix.c | 14 +- crypto/openssl/crypto/bio/bf_readbuff.c | 64 +- crypto/openssl/crypto/bio/bio_addr.c | 145 +- crypto/openssl/crypto/bio/bio_cb.c | 26 +- crypto/openssl/crypto/bio/bio_dump.c | 22 +- crypto/openssl/crypto/bio/bio_err.c | 142 +- crypto/openssl/crypto/bio/bio_lib.c | 78 +- crypto/openssl/crypto/bio/bio_local.h | 145 +- crypto/openssl/crypto/bio/bio_meth.c | 56 +- crypto/openssl/crypto/bio/bio_print.c | 148 +- crypto/openssl/crypto/bio/bio_sock.c | 243 +- crypto/openssl/crypto/bio/bio_sock2.c | 140 +- crypto/openssl/crypto/bio/bss_acpt.c | 140 +- crypto/openssl/crypto/bio/bss_bio.c | 68 +- crypto/openssl/crypto/bio/bss_conn.c | 236 +- crypto/openssl/crypto/bio/bss_core.c | 6 +- crypto/openssl/crypto/bio/bss_dgram.c | 1477 +- crypto/openssl/crypto/bio/bss_dgram_pair.c | 110 +- crypto/openssl/crypto/bio/bss_fd.c | 46 +- crypto/openssl/crypto/bio/bss_file.c | 88 +- crypto/openssl/crypto/bio/bss_log.c | 208 +- crypto/openssl/crypto/bio/bss_mem.c | 12 +- crypto/openssl/crypto/bio/bss_null.c | 2 +- crypto/openssl/crypto/bio/bss_sock.c | 135 +- crypto/openssl/crypto/bio/ossl_core_bio.c | 4 +- crypto/openssl/crypto/bn/asm/armv4-gf2m.pl | 4 +- crypto/openssl/crypto/bn/asm/rsaz-2k-avx512.pl | 10 +- crypto/openssl/crypto/bn/asm/rsaz-2k-avxifma.pl | 115 +- crypto/openssl/crypto/bn/asm/rsaz-3k-avx512.pl | 10 +- crypto/openssl/crypto/bn/asm/rsaz-3k-avxifma.pl | 41 +- crypto/openssl/crypto/bn/asm/rsaz-4k-avx512.pl | 10 +- crypto/openssl/crypto/bn/asm/rsaz-4k-avxifma.pl | 41 +- crypto/openssl/crypto/bn/asm/rsaz-x86_64.pl | 10 +- crypto/openssl/crypto/bn/asm/sparcv9-mont.pl | 4 +- crypto/openssl/crypto/bn/asm/x86_64-gcc.c | 306 +- crypto/openssl/crypto/bn/asm/x86_64-mont5.pl | 10 +- crypto/openssl/crypto/bn/bn_add.c | 3 +- crypto/openssl/crypto/bn/bn_asm.c | 445 +- crypto/openssl/crypto/bn/bn_blind.c | 35 +- crypto/openssl/crypto/bn/bn_const.c | 253 +- crypto/openssl/crypto/bn/bn_conv.c | 14 +- crypto/openssl/crypto/bn/bn_ctx.c | 37 +- crypto/openssl/crypto/bn/bn_depr.c | 16 +- crypto/openssl/crypto/bn/bn_dh.c | 1135 +- crypto/openssl/crypto/bn/bn_div.c | 160 +- crypto/openssl/crypto/bn/bn_err.c | 54 +- crypto/openssl/crypto/bn/bn_exp.c | 348 +- crypto/openssl/crypto/bn/bn_exp2.c | 29 +- crypto/openssl/crypto/bn/bn_gcd.c | 37 +- crypto/openssl/crypto/bn/bn_gf2m.c | 158 +- crypto/openssl/crypto/bn/bn_intern.c | 14 +- crypto/openssl/crypto/bn/bn_kron.c | 6 +- crypto/openssl/crypto/bn/bn_lib.c | 71 +- crypto/openssl/crypto/bn/bn_local.h | 826 +- crypto/openssl/crypto/bn/bn_mod.c | 20 +- crypto/openssl/crypto/bn/bn_mont.c | 73 +- crypto/openssl/crypto/bn/bn_mpi.c | 3 +- crypto/openssl/crypto/bn/bn_mul.c | 69 +- crypto/openssl/crypto/bn/bn_nist.c | 422 +- crypto/openssl/crypto/bn/bn_ppc.c | 20 +- crypto/openssl/crypto/bn/bn_prime.c | 72 +- crypto/openssl/crypto/bn/bn_print.c | 6 +- crypto/openssl/crypto/bn/bn_rand.c | 78 +- crypto/openssl/crypto/bn/bn_recp.c | 12 +- crypto/openssl/crypto/bn/bn_rsa_fips186_4.c | 45 +- crypto/openssl/crypto/bn/bn_s390x.c | 28 +- crypto/openssl/crypto/bn/bn_shift.c | 8 +- crypto/openssl/crypto/bn/bn_sparc.c | 65 +- crypto/openssl/crypto/bn/bn_sqr.c | 16 +- crypto/openssl/crypto/bn/bn_sqrt.c | 13 +- crypto/openssl/crypto/bn/bn_srp.c | 26 +- crypto/openssl/crypto/bn/bn_word.c | 3 +- crypto/openssl/crypto/bn/bn_x931p.c | 25 +- crypto/openssl/crypto/bn/rsaz_exp.c | 32 +- crypto/openssl/crypto/bn/rsaz_exp.h | 67 +- crypto/openssl/crypto/bn/rsaz_exp_x2.c | 269 +- crypto/openssl/crypto/bsearch.c | 12 +- crypto/openssl/crypto/buffer/buf_err.c | 2 +- crypto/openssl/crypto/camellia/camellia.c | 426 +- crypto/openssl/crypto/camellia/cmll_cbc.c | 8 +- crypto/openssl/crypto/camellia/cmll_cfb.c | 18 +- crypto/openssl/crypto/camellia/cmll_ctr.c | 10 +- crypto/openssl/crypto/camellia/cmll_ecb.c | 2 +- crypto/openssl/crypto/camellia/cmll_local.h | 18 +- crypto/openssl/crypto/camellia/cmll_misc.c | 6 +- crypto/openssl/crypto/camellia/cmll_ofb.c | 6 +- crypto/openssl/crypto/cast/c_cfb64.c | 8 +- crypto/openssl/crypto/cast/c_ecb.c | 2 +- crypto/openssl/crypto/cast/c_enc.c | 4 +- crypto/openssl/crypto/cast/c_ofb64.c | 8 +- crypto/openssl/crypto/cast/c_skey.c | 15 +- crypto/openssl/crypto/cast/cast_local.h | 233 +- crypto/openssl/crypto/cast/cast_s.h | 2560 +- crypto/openssl/crypto/chacha/asm/chacha-x86.pl | 8 +- crypto/openssl/crypto/chacha/asm/chacha-x86_64.pl | 11 +- crypto/openssl/crypto/chacha/chacha_enc.c | 82 +- crypto/openssl/crypto/chacha/chacha_ppc.c | 35 +- crypto/openssl/crypto/chacha/chacha_riscv.c | 14 +- crypto/openssl/crypto/cmac/cmac.c | 7 +- crypto/openssl/crypto/cmp/cmp_asn.c | 291 +- crypto/openssl/crypto/cmp/cmp_client.c | 264 +- crypto/openssl/crypto/cmp/cmp_ctx.c | 582 +- crypto/openssl/crypto/cmp/cmp_err.c | 356 +- crypto/openssl/crypto/cmp/cmp_genm.c | 124 +- crypto/openssl/crypto/cmp/cmp_hdr.c | 50 +- crypto/openssl/crypto/cmp/cmp_http.c | 46 +- crypto/openssl/crypto/cmp/cmp_local.h | 228 +- crypto/openssl/crypto/cmp/cmp_msg.c | 272 +- crypto/openssl/crypto/cmp/cmp_protect.c | 42 +- crypto/openssl/crypto/cmp/cmp_server.c | 142 +- crypto/openssl/crypto/cmp/cmp_status.c | 59 +- crypto/openssl/crypto/cmp/cmp_util.c | 73 +- crypto/openssl/crypto/cmp/cmp_vfy.c | 242 +- crypto/openssl/crypto/cms/cms_asn1.c | 301 +- crypto/openssl/crypto/cms/cms_att.c | 88 +- crypto/openssl/crypto/cms/cms_cd.c | 10 +- crypto/openssl/crypto/cms/cms_dd.c | 13 +- crypto/openssl/crypto/cms/cms_dh.c | 41 +- crypto/openssl/crypto/cms/cms_ec.c | 42 +- crypto/openssl/crypto/cms/cms_enc.c | 36 +- crypto/openssl/crypto/cms/cms_env.c | 198 +- crypto/openssl/crypto/cms/cms_err.c | 310 +- crypto/openssl/crypto/cms/cms_ess.c | 57 +- crypto/openssl/crypto/cms/cms_io.c | 30 +- crypto/openssl/crypto/cms/cms_kari.c | 110 +- crypto/openssl/crypto/cms/cms_lib.c | 56 +- crypto/openssl/crypto/cms/cms_local.h | 94 +- crypto/openssl/crypto/cms/cms_pwri.c | 60 +- crypto/openssl/crypto/cms/cms_rsa.c | 45 +- crypto/openssl/crypto/cms/cms_sd.c | 181 +- crypto/openssl/crypto/cms/cms_smime.c | 146 +- crypto/openssl/crypto/comp/c_brotli.c | 139 +- crypto/openssl/crypto/comp/c_zlib.c | 190 +- crypto/openssl/crypto/comp/c_zstd.c | 206 +- crypto/openssl/crypto/comp/comp_err.c | 48 +- crypto/openssl/crypto/comp/comp_lib.c | 6 +- crypto/openssl/crypto/comp/comp_local.h | 22 +- crypto/openssl/crypto/comp_methods.c | 6 +- crypto/openssl/crypto/conf/conf_api.c | 6 +- crypto/openssl/crypto/conf/conf_def.c | 72 +- crypto/openssl/crypto/conf/conf_err.c | 90 +- crypto/openssl/crypto/conf/conf_lib.c | 27 +- crypto/openssl/crypto/conf/conf_mod.c | 68 +- crypto/openssl/crypto/conf/conf_sap.c | 6 +- crypto/openssl/crypto/conf/conf_ssl.c | 13 +- crypto/openssl/crypto/context.c | 8 +- crypto/openssl/crypto/core_algorithm.c | 52 +- crypto/openssl/crypto/core_fetch.c | 36 +- crypto/openssl/crypto/core_namemap.c | 54 +- crypto/openssl/crypto/cpt_err.c | 120 +- crypto/openssl/crypto/cpuid.c | 39 +- crypto/openssl/crypto/crmf/crmf_asn.c | 75 +- crypto/openssl/crypto/crmf/crmf_err.c | 114 +- crypto/openssl/crypto/crmf/crmf_lib.c | 269 +- crypto/openssl/crypto/crmf/crmf_local.h | 34 +- crypto/openssl/crypto/crmf/crmf_pbm.c | 28 +- crypto/openssl/crypto/cryptlib.c | 112 +- crypto/openssl/crypto/ct/ct_b64.c | 16 +- crypto/openssl/crypto/ct/ct_err.c | 62 +- crypto/openssl/crypto/ct/ct_local.h | 97 +- crypto/openssl/crypto/ct/ct_log.c | 27 +- crypto/openssl/crypto/ct/ct_oct.c | 22 +- crypto/openssl/crypto/ct/ct_policy.c | 12 +- crypto/openssl/crypto/ct/ct_prn.c | 16 +- crypto/openssl/crypto/ct/ct_sct.c | 11 +- crypto/openssl/crypto/ct/ct_sct_ctx.c | 13 +- crypto/openssl/crypto/ct/ct_vfy.c | 9 +- crypto/openssl/crypto/ct/ct_x509v3.c | 62 +- crypto/openssl/crypto/ctype.c | 410 +- crypto/openssl/crypto/cversion.c | 28 +- crypto/openssl/crypto/defaults.c | 36 +- crypto/openssl/crypto/der_writer.c | 23 +- crypto/openssl/crypto/des/cbc_cksm.c | 4 +- crypto/openssl/crypto/des/cbc_enc.c | 2 + crypto/openssl/crypto/des/cfb64ede.c | 16 +- crypto/openssl/crypto/des/cfb64enc.c | 8 +- crypto/openssl/crypto/des/cfb_enc.c | 13 +- crypto/openssl/crypto/des/des_enc.c | 144 +- crypto/openssl/crypto/des/des_local.h | 379 +- crypto/openssl/crypto/des/ecb3_enc.c | 4 +- crypto/openssl/crypto/des/ecb_enc.c | 3 +- crypto/openssl/crypto/des/fcrypt.c | 154 +- crypto/openssl/crypto/des/fcrypt_b.c | 52 +- crypto/openssl/crypto/des/ncbc_enc.c | 6 +- crypto/openssl/crypto/des/ofb64ede.c | 10 +- crypto/openssl/crypto/des/ofb64enc.c | 8 +- crypto/openssl/crypto/des/ofb_enc.c | 8 +- crypto/openssl/crypto/des/pcbc_enc.c | 4 +- crypto/openssl/crypto/des/qud_cksm.c | 22 +- crypto/openssl/crypto/des/set_key.c | 726 +- crypto/openssl/crypto/des/spr.h | 640 +- crypto/openssl/crypto/des/xcbc_enc.c | 6 +- crypto/openssl/crypto/deterministic_nonce.c | 62 +- crypto/openssl/crypto/dh/dh_ameth.c | 48 +- crypto/openssl/crypto/dh/dh_asn1.c | 38 +- crypto/openssl/crypto/dh/dh_backend.c | 21 +- crypto/openssl/crypto/dh/dh_check.c | 14 +- crypto/openssl/crypto/dh/dh_depr.c | 2 +- crypto/openssl/crypto/dh/dh_err.c | 94 +- crypto/openssl/crypto/dh/dh_gen.c | 21 +- crypto/openssl/crypto/dh/dh_group_params.c | 5 +- crypto/openssl/crypto/dh/dh_kdf.c | 26 +- crypto/openssl/crypto/dh/dh_key.c | 45 +- crypto/openssl/crypto/dh/dh_lib.c | 16 +- crypto/openssl/crypto/dh/dh_local.h | 24 +- crypto/openssl/crypto/dh/dh_meth.c | 28 +- crypto/openssl/crypto/dh/dh_pmeth.c | 47 +- crypto/openssl/crypto/dh/dh_rfc5114.c | 34 +- crypto/openssl/crypto/dllmain.c | 11 +- crypto/openssl/crypto/dsa/dsa_ameth.c | 141 +- crypto/openssl/crypto/dsa/dsa_asn1.c | 30 +- crypto/openssl/crypto/dsa/dsa_backend.c | 24 +- crypto/openssl/crypto/dsa/dsa_check.c | 8 +- crypto/openssl/crypto/dsa/dsa_depr.c | 10 +- crypto/openssl/crypto/dsa/dsa_err.c | 50 +- crypto/openssl/crypto/dsa/dsa_gen.c | 24 +- crypto/openssl/crypto/dsa/dsa_key.c | 26 +- crypto/openssl/crypto/dsa/dsa_lib.c | 19 +- crypto/openssl/crypto/dsa/dsa_local.h | 42 +- crypto/openssl/crypto/dsa/dsa_meth.c | 52 +- crypto/openssl/crypto/dsa/dsa_ossl.c | 96 +- crypto/openssl/crypto/dsa/dsa_pmeth.c | 39 +- crypto/openssl/crypto/dsa/dsa_sign.c | 22 +- crypto/openssl/crypto/dsa/dsa_vrf.c | 2 +- crypto/openssl/crypto/dso/dso_dl.c | 59 +- crypto/openssl/crypto/dso/dso_dlfcn.c | 132 +- crypto/openssl/crypto/dso/dso_err.c | 56 +- crypto/openssl/crypto/dso/dso_lib.c | 8 +- crypto/openssl/crypto/dso/dso_local.h | 16 +- crypto/openssl/crypto/dso/dso_vms.c | 172 +- crypto/openssl/crypto/dso/dso_win32.c | 160 +- crypto/openssl/crypto/ebcdic.c | 110 +- crypto/openssl/crypto/ec/curve25519.c | 5161 ++-- .../crypto/ec/curve448/arch_32/arch_intrinsics.h | 8 +- crypto/openssl/crypto/ec/curve448/arch_32/f_impl.h | 18 +- .../openssl/crypto/ec/curve448/arch_32/f_impl32.c | 10 +- .../crypto/ec/curve448/arch_64/arch_intrinsics.h | 12 +- crypto/openssl/crypto/ec/curve448/arch_64/f_impl.h | 15 +- .../openssl/crypto/ec/curve448/arch_64/f_impl64.c | 8 +- crypto/openssl/crypto/ec/curve448/curve448.c | 217 +- crypto/openssl/crypto/ec/curve448/curve448_local.h | 6 +- .../openssl/crypto/ec/curve448/curve448_tables.c | 3028 +-- crypto/openssl/crypto/ec/curve448/curve448utils.h | 44 +- crypto/openssl/crypto/ec/curve448/ed448.h | 102 +- crypto/openssl/crypto/ec/curve448/eddsa.c | 211 +- crypto/openssl/crypto/ec/curve448/f_generic.c | 25 +- crypto/openssl/crypto/ec/curve448/field.h | 87 +- crypto/openssl/crypto/ec/curve448/point_448.h | 101 +- crypto/openssl/crypto/ec/curve448/scalar.c | 82 +- crypto/openssl/crypto/ec/curve448/word.h | 48 +- crypto/openssl/crypto/ec/ec2_oct.c | 30 +- crypto/openssl/crypto/ec/ec2_smpl.c | 122 +- crypto/openssl/crypto/ec/ec_ameth.c | 87 +- crypto/openssl/crypto/ec/ec_asn1.c | 150 +- crypto/openssl/crypto/ec/ec_backend.c | 88 +- crypto/openssl/crypto/ec/ec_check.c | 14 +- crypto/openssl/crypto/ec/ec_curve.c | 1575 +- crypto/openssl/crypto/ec/ec_cvt.c | 4 +- crypto/openssl/crypto/ec/ec_deprecated.c | 8 +- crypto/openssl/crypto/ec/ec_err.c | 212 +- crypto/openssl/crypto/ec/ec_key.c | 56 +- crypto/openssl/crypto/ec/ec_kmeth.c | 147 +- crypto/openssl/crypto/ec/ec_lib.c | 192 +- crypto/openssl/crypto/ec/ec_local.h | 519 +- crypto/openssl/crypto/ec/ec_mult.c | 113 +- crypto/openssl/crypto/ec/ec_oct.c | 34 +- crypto/openssl/crypto/ec/ec_pmeth.c | 29 +- crypto/openssl/crypto/ec/ec_print.c | 8 +- crypto/openssl/crypto/ec/ecdh_kdf.c | 22 +- crypto/openssl/crypto/ec/ecdh_ossl.c | 6 +- crypto/openssl/crypto/ec/ecdsa_ossl.c | 85 +- crypto/openssl/crypto/ec/ecdsa_sign.c | 13 +- crypto/openssl/crypto/ec/ecdsa_vrf.c | 6 +- crypto/openssl/crypto/ec/eck_prn.c | 23 +- crypto/openssl/crypto/ec/ecp_mont.c | 32 +- crypto/openssl/crypto/ec/ecp_nist.c | 28 +- crypto/openssl/crypto/ec/ecp_nistp224.c | 603 +- crypto/openssl/crypto/ec/ecp_nistp256.c | 783 +- crypto/openssl/crypto/ec/ecp_nistp384.c | 929 +- crypto/openssl/crypto/ec/ecp_nistp521.c | 940 +- crypto/openssl/crypto/ec/ecp_nistputil.c | 62 +- crypto/openssl/crypto/ec/ecp_nistz256.c | 376 +- crypto/openssl/crypto/ec/ecp_nistz256_table.c | 24407 +++++++++++-------- crypto/openssl/crypto/ec/ecp_oct.c | 31 +- crypto/openssl/crypto/ec/ecp_ppc.c | 8 +- crypto/openssl/crypto/ec/ecp_s390x_nistp.c | 323 +- crypto/openssl/crypto/ec/ecp_sm2p256.c | 100 +- crypto/openssl/crypto/ec/ecp_sm2p256_table.c | 2 +- crypto/openssl/crypto/ec/ecp_smpl.c | 169 +- crypto/openssl/crypto/ec/ecx_backend.c | 32 +- crypto/openssl/crypto/ec/ecx_backend.h | 18 +- crypto/openssl/crypto/ec/ecx_key.c | 18 +- crypto/openssl/crypto/ec/ecx_meth.c | 235 +- crypto/openssl/crypto/ec/ecx_s390x.c | 28 +- crypto/openssl/crypto/encode_decode/decoder_err.c | 14 +- crypto/openssl/crypto/encode_decode/decoder_lib.c | 388 +- crypto/openssl/crypto/encode_decode/decoder_meth.c | 85 +- crypto/openssl/crypto/encode_decode/decoder_pkey.c | 226 +- crypto/openssl/crypto/encode_decode/encoder_err.c | 14 +- crypto/openssl/crypto/encode_decode/encoder_lib.c | 254 +- .../openssl/crypto/encode_decode/encoder_local.h | 18 +- crypto/openssl/crypto/encode_decode/encoder_meth.c | 95 +- crypto/openssl/crypto/encode_decode/encoder_pkey.c | 95 +- crypto/openssl/crypto/engine/eng_all.c | 4 +- crypto/openssl/crypto/engine/eng_cnf.c | 13 +- crypto/openssl/crypto/engine/eng_ctrl.c | 28 +- crypto/openssl/crypto/engine/eng_dyn.c | 116 +- crypto/openssl/crypto/engine/eng_err.c | 128 +- crypto/openssl/crypto/engine/eng_fat.c | 2 +- crypto/openssl/crypto/engine/eng_lib.c | 4 +- crypto/openssl/crypto/engine/eng_list.c | 17 +- crypto/openssl/crypto/engine/eng_local.h | 48 +- crypto/openssl/crypto/engine/eng_openssl.c | 132 +- crypto/openssl/crypto/engine/eng_pkey.c | 20 +- crypto/openssl/crypto/engine/eng_rdrand.c | 44 +- crypto/openssl/crypto/engine/eng_table.c | 46 +- crypto/openssl/crypto/engine/tb_asnmth.c | 22 +- crypto/openssl/crypto/engine/tb_cipher.c | 10 +- crypto/openssl/crypto/engine/tb_dh.c | 10 +- crypto/openssl/crypto/engine/tb_digest.c | 10 +- crypto/openssl/crypto/engine/tb_dsa.c | 10 +- crypto/openssl/crypto/engine/tb_eckey.c | 10 +- crypto/openssl/crypto/engine/tb_pkmeth.c | 10 +- crypto/openssl/crypto/engine/tb_rand.c | 10 +- crypto/openssl/crypto/engine/tb_rsa.c | 10 +- crypto/openssl/crypto/err/err.c | 238 +- crypto/openssl/crypto/err/err_all.c | 52 +- crypto/openssl/crypto/err/err_all_legacy.c | 112 +- crypto/openssl/crypto/err/err_local.h | 21 +- crypto/openssl/crypto/err/err_mark.c | 7 +- crypto/openssl/crypto/err/err_prn.c | 12 +- crypto/openssl/crypto/err/err_save.c | 48 +- crypto/openssl/crypto/err/openssl.txt | 4 +- crypto/openssl/crypto/ess/ess_asn1.c | 24 +- crypto/openssl/crypto/ess/ess_err.c | 38 +- crypto/openssl/crypto/ess/ess_lib.c | 51 +- crypto/openssl/crypto/evp/asymcipher.c | 106 +- crypto/openssl/crypto/evp/bio_b64.c | 42 +- crypto/openssl/crypto/evp/bio_enc.c | 53 +- crypto/openssl/crypto/evp/bio_md.c | 8 +- crypto/openssl/crypto/evp/bio_ok.c | 51 +- crypto/openssl/crypto/evp/c_allc.c | 8 +- crypto/openssl/crypto/evp/cmeth_lib.c | 57 +- crypto/openssl/crypto/evp/ctrl_params_translate.c | 1365 +- crypto/openssl/crypto/evp/dh_ctrl.c | 46 +- crypto/openssl/crypto/evp/dh_support.c | 10 +- crypto/openssl/crypto/evp/digest.c | 214 +- crypto/openssl/crypto/evp/dsa_ctrl.c | 18 +- crypto/openssl/crypto/evp/e_aes.c | 1545 +- crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c | 439 +- crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha256.c | 440 +- crypto/openssl/crypto/evp/e_aria.c | 334 +- crypto/openssl/crypto/evp/e_bf.c | 20 +- crypto/openssl/crypto/evp/e_camellia.c | 224 +- crypto/openssl/crypto/evp/e_cast.c | 22 +- crypto/openssl/crypto/evp/e_chacha20_poly1305.c | 265 +- crypto/openssl/crypto/evp/e_des.c | 130 +- crypto/openssl/crypto/evp/e_des3.c | 189 +- crypto/openssl/crypto/evp/e_idea.c | 28 +- crypto/openssl/crypto/evp/e_null.c | 8 +- crypto/openssl/crypto/evp/e_old.c | 16 +- crypto/openssl/crypto/evp/e_rc2.c | 53 +- crypto/openssl/crypto/evp/e_rc4.c | 22 +- crypto/openssl/crypto/evp/e_rc4_hmac_md5.c | 161 +- crypto/openssl/crypto/evp/e_rc5.c | 26 +- crypto/openssl/crypto/evp/e_seed.c | 8 +- crypto/openssl/crypto/evp/e_sm4.c | 175 +- crypto/openssl/crypto/evp/e_xcbc_d.c | 34 +- crypto/openssl/crypto/evp/ec_ctrl.c | 39 +- crypto/openssl/crypto/evp/ec_support.c | 194 +- crypto/openssl/crypto/evp/encode.c | 352 +- crypto/openssl/crypto/evp/evp_cnf.c | 7 +- crypto/openssl/crypto/evp/evp_enc.c | 378 +- crypto/openssl/crypto/evp/evp_err.c | 408 +- crypto/openssl/crypto/evp/evp_fetch.c | 164 +- crypto/openssl/crypto/evp/evp_key.c | 22 +- crypto/openssl/crypto/evp/evp_lib.c | 187 +- crypto/openssl/crypto/evp/evp_local.h | 183 +- crypto/openssl/crypto/evp/evp_pbe.c | 133 +- crypto/openssl/crypto/evp/evp_pkey.c | 46 +- crypto/openssl/crypto/evp/evp_rand.c | 143 +- crypto/openssl/crypto/evp/evp_utils.c | 70 +- crypto/openssl/crypto/evp/exchange.c | 107 +- crypto/openssl/crypto/evp/kdf_lib.c | 10 +- crypto/openssl/crypto/evp/kdf_meth.c | 27 +- crypto/openssl/crypto/evp/kem.c | 83 +- crypto/openssl/crypto/evp/keymgmt_lib.c | 72 +- crypto/openssl/crypto/evp/keymgmt_meth.c | 108 +- crypto/openssl/crypto/evp/legacy_blake2.c | 6 +- crypto/openssl/crypto/evp/legacy_md5_sha1.c | 6 +- crypto/openssl/crypto/evp/legacy_mdc2.c | 2 +- crypto/openssl/crypto/evp/legacy_meth.h | 55 +- crypto/openssl/crypto/evp/legacy_ripemd.c | 2 +- crypto/openssl/crypto/evp/legacy_sha.c | 130 +- crypto/openssl/crypto/evp/legacy_wp.c | 2 +- crypto/openssl/crypto/evp/m_sigver.c | 164 +- crypto/openssl/crypto/evp/mac_lib.c | 37 +- crypto/openssl/crypto/evp/mac_meth.c | 39 +- crypto/openssl/crypto/evp/names.c | 50 +- crypto/openssl/crypto/evp/p5_crpt.c | 24 +- crypto/openssl/crypto/evp/p5_crpt2.c | 69 +- crypto/openssl/crypto/evp/p_dec.c | 7 +- crypto/openssl/crypto/evp/p_enc.c | 7 +- crypto/openssl/crypto/evp/p_lib.c | 589 +- crypto/openssl/crypto/evp/p_open.c | 6 +- crypto/openssl/crypto/evp/p_seal.c | 6 +- crypto/openssl/crypto/evp/p_sign.c | 8 +- crypto/openssl/crypto/evp/p_verify.c | 8 +- crypto/openssl/crypto/evp/pbe_scrypt.c | 32 +- crypto/openssl/crypto/evp/pmeth_check.c | 25 +- crypto/openssl/crypto/evp/pmeth_gn.c | 57 +- crypto/openssl/crypto/evp/pmeth_lib.c | 692 +- crypto/openssl/crypto/evp/s_lib.c | 39 +- crypto/openssl/crypto/evp/signature.c | 286 +- crypto/openssl/crypto/evp/skeymgmt_meth.c | 44 +- crypto/openssl/crypto/ex_data.c | 47 +- crypto/openssl/crypto/ffc/ffc_backend.c | 16 +- crypto/openssl/crypto/ffc/ffc_dh.c | 64 +- crypto/openssl/crypto/ffc/ffc_key_generate.c | 2 +- crypto/openssl/crypto/ffc/ffc_key_validate.c | 10 +- crypto/openssl/crypto/ffc/ffc_params.c | 62 +- crypto/openssl/crypto/ffc/ffc_params_generate.c | 174 +- crypto/openssl/crypto/ffc/ffc_params_validate.c | 46 +- crypto/openssl/crypto/getenv.c | 18 +- crypto/openssl/crypto/hashtable/hashtable.c | 81 +- crypto/openssl/crypto/hmac/hmac.c | 32 +- crypto/openssl/crypto/hmac/hmac_local.h | 20 +- crypto/openssl/crypto/hmac/hmac_s390x.c | 33 +- crypto/openssl/crypto/hpke/hpke.c | 241 +- crypto/openssl/crypto/hpke/hpke_util.c | 185 +- crypto/openssl/crypto/http/http_client.c | 381 +- crypto/openssl/crypto/http/http_err.c | 122 +- crypto/openssl/crypto/http/http_lib.c | 46 +- crypto/openssl/crypto/idea/i_cbc.c | 4 +- crypto/openssl/crypto/idea/i_cfb64.c | 7 +- crypto/openssl/crypto/idea/i_ecb.c | 2 +- crypto/openssl/crypto/idea/i_ofb64.c | 7 +- crypto/openssl/crypto/idea/idea_local.h | 179 +- crypto/openssl/crypto/indicator_core.c | 7 +- crypto/openssl/crypto/info.c | 251 +- crypto/openssl/crypto/init.c | 166 +- crypto/openssl/crypto/initthread.c | 46 +- crypto/openssl/crypto/lhash/lh_stats.c | 22 +- crypto/openssl/crypto/lhash/lhash.c | 47 +- crypto/openssl/crypto/lhash/lhash_local.h | 4 +- crypto/openssl/crypto/loongarch_arch.h | 10 +- crypto/openssl/crypto/loongarchcap.c | 2 +- crypto/openssl/crypto/md2/md2_dgst.c | 296 +- crypto/openssl/crypto/md4/md4_dgst.c | 16 +- crypto/openssl/crypto/md4/md4_local.h | 63 +- crypto/openssl/crypto/md4/md4_one.c | 2 +- crypto/openssl/crypto/md5/md5_dgst.c | 16 +- crypto/openssl/crypto/md5/md5_local.h | 98 +- crypto/openssl/crypto/md5/md5_one.c | 2 +- crypto/openssl/crypto/mdc2/mdc2dgst.c | 16 +- crypto/openssl/crypto/mem.c | 99 +- crypto/openssl/crypto/mem_sec.c | 141 +- crypto/openssl/crypto/mips_arch.h | 48 +- crypto/openssl/crypto/ml_dsa/ml_dsa_encoders.c | 76 +- crypto/openssl/crypto/ml_dsa/ml_dsa_hash.h | 12 +- crypto/openssl/crypto/ml_dsa/ml_dsa_key.c | 52 +- crypto/openssl/crypto/ml_dsa/ml_dsa_key.h | 6 +- crypto/openssl/crypto/ml_dsa/ml_dsa_key_compress.c | 12 +- crypto/openssl/crypto/ml_dsa/ml_dsa_local.h | 86 +- crypto/openssl/crypto/ml_dsa/ml_dsa_matrix.c | 2 +- crypto/openssl/crypto/ml_dsa/ml_dsa_matrix.h | 2 +- crypto/openssl/crypto/ml_dsa/ml_dsa_ntt.c | 49 +- crypto/openssl/crypto/ml_dsa/ml_dsa_params.c | 89 +- crypto/openssl/crypto/ml_dsa/ml_dsa_poly.h | 14 +- crypto/openssl/crypto/ml_dsa/ml_dsa_sample.c | 34 +- crypto/openssl/crypto/ml_dsa/ml_dsa_sign.c | 72 +- crypto/openssl/crypto/ml_dsa/ml_dsa_vector.h | 24 +- crypto/openssl/crypto/ml_kem/ml_kem.c | 807 +- crypto/openssl/crypto/modes/asm/aes-gcm-avx512.pl | 4 +- crypto/openssl/crypto/modes/asm/aes-gcm-ppc.pl | 2056 +- .../openssl/crypto/modes/asm/aesni-gcm-x86_64.pl | 10 +- crypto/openssl/crypto/modes/asm/ghash-armv4.pl | 4 +- crypto/openssl/crypto/modes/build.info | 2 +- crypto/openssl/crypto/modes/cbc128.c | 38 +- crypto/openssl/crypto/modes/ccm128.c | 108 +- crypto/openssl/crypto/modes/cfb128.c | 64 +- crypto/openssl/crypto/modes/ctr128.c | 38 +- crypto/openssl/crypto/modes/cts128.c | 86 +- crypto/openssl/crypto/modes/gcm128.c | 500 +- crypto/openssl/crypto/modes/ocb128.c | 67 +- crypto/openssl/crypto/modes/ofb128.c | 20 +- crypto/openssl/crypto/modes/siv128.c | 56 +- crypto/openssl/crypto/modes/wrap128.c | 49 +- crypto/openssl/crypto/modes/xts128.c | 22 +- crypto/openssl/crypto/modes/xts128gb.c | 22 +- crypto/openssl/crypto/o_dir.c | 2 + crypto/openssl/crypto/o_fopen.c | 50 +- crypto/openssl/crypto/o_str.c | 94 +- crypto/openssl/crypto/o_time.c | 20 +- crypto/openssl/crypto/objects/o_names.c | 44 +- crypto/openssl/crypto/objects/obj_compat.h | 62 +- crypto/openssl/crypto/objects/obj_dat.c | 49 +- crypto/openssl/crypto/objects/obj_err.c | 10 +- crypto/openssl/crypto/objects/obj_lib.c | 6 +- crypto/openssl/crypto/objects/obj_xref.c | 6 +- crypto/openssl/crypto/ocsp/ocsp_asn.c | 90 +- crypto/openssl/crypto/ocsp/ocsp_cl.c | 42 +- crypto/openssl/crypto/ocsp/ocsp_err.c | 90 +- crypto/openssl/crypto/ocsp/ocsp_ext.c | 77 +- crypto/openssl/crypto/ocsp/ocsp_http.c | 16 +- crypto/openssl/crypto/ocsp/ocsp_lib.c | 12 +- crypto/openssl/crypto/ocsp/ocsp_local.h | 94 +- crypto/openssl/crypto/ocsp/ocsp_prn.c | 65 +- crypto/openssl/crypto/ocsp/ocsp_srv.c | 61 +- crypto/openssl/crypto/ocsp/ocsp_vfy.c | 50 +- crypto/openssl/crypto/ocsp/v3_ocsp.c | 60 +- crypto/openssl/crypto/packet.c | 49 +- crypto/openssl/crypto/param_build.c | 178 +- crypto/openssl/crypto/param_build_set.c | 20 +- crypto/openssl/crypto/params.c | 162 +- crypto/openssl/crypto/params_dup.c | 26 +- crypto/openssl/crypto/params_from_text.c | 28 +- crypto/openssl/crypto/params_idx.c | 4 + crypto/openssl/crypto/params_idx.c.in | 4 + crypto/openssl/crypto/passphrase.c | 73 +- crypto/openssl/crypto/pem/pem_all.c | 35 +- crypto/openssl/crypto/pem/pem_err.c | 94 +- crypto/openssl/crypto/pem/pem_info.c | 61 +- crypto/openssl/crypto/pem/pem_lib.c | 130 +- crypto/openssl/crypto/pem/pem_local.h | 145 +- crypto/openssl/crypto/pem/pem_oth.c | 2 +- crypto/openssl/crypto/pem/pem_pk8.c | 74 +- crypto/openssl/crypto/pem/pem_pkey.c | 113 +- crypto/openssl/crypto/pem/pem_sign.c | 6 +- crypto/openssl/crypto/pem/pvkfmt.c | 123 +- crypto/openssl/crypto/perlasm/x86_64-xlate.pl | 5 +- crypto/openssl/crypto/pkcs12/p12_add.c | 53 +- crypto/openssl/crypto/pkcs12/p12_asn.c | 46 +- crypto/openssl/crypto/pkcs12/p12_attr.c | 35 +- crypto/openssl/crypto/pkcs12/p12_crpt.c | 25 +- crypto/openssl/crypto/pkcs12/p12_crt.c | 107 +- crypto/openssl/crypto/pkcs12/p12_decr.c | 83 +- crypto/openssl/crypto/pkcs12/p12_init.c | 2 +- crypto/openssl/crypto/pkcs12/p12_key.c | 58 +- crypto/openssl/crypto/pkcs12/p12_kiss.c | 48 +- crypto/openssl/crypto/pkcs12/p12_local.h | 6 +- crypto/openssl/crypto/pkcs12/p12_mutl.c | 115 +- crypto/openssl/crypto/pkcs12/p12_npas.c | 37 +- crypto/openssl/crypto/pkcs12/p12_p8d.c | 11 +- crypto/openssl/crypto/pkcs12/p12_p8e.c | 31 +- crypto/openssl/crypto/pkcs12/p12_sbag.c | 101 +- crypto/openssl/crypto/pkcs12/p12_utl.c | 83 +- crypto/openssl/crypto/pkcs12/pk12err.c | 66 +- crypto/openssl/crypto/pkcs7/pk7_asn1.c | 125 +- crypto/openssl/crypto/pkcs7/pk7_attr.c | 16 +- crypto/openssl/crypto/pkcs7/pk7_doit.c | 112 +- crypto/openssl/crypto/pkcs7/pk7_lib.c | 62 +- crypto/openssl/crypto/pkcs7/pk7_mime.c | 12 +- crypto/openssl/crypto/pkcs7/pk7_smime.c | 52 +- crypto/openssl/crypto/pkcs7/pkcs7err.c | 138 +- crypto/openssl/crypto/poly1305/poly1305.c | 102 +- crypto/openssl/crypto/poly1305/poly1305_base2_44.c | 29 +- crypto/openssl/crypto/poly1305/poly1305_ieee754.c | 279 +- crypto/openssl/crypto/poly1305/poly1305_ppc.c | 24 +- crypto/openssl/crypto/ppccap.c | 103 +- crypto/openssl/crypto/property/defn_cache.c | 15 +- crypto/openssl/crypto/property/property.c | 111 +- crypto/openssl/crypto/property/property_err.c | 36 +- crypto/openssl/crypto/property/property_local.h | 18 +- crypto/openssl/crypto/property/property_parse.c | 135 +- crypto/openssl/crypto/property/property_query.c | 22 +- crypto/openssl/crypto/property/property_string.c | 30 +- crypto/openssl/crypto/provider.c | 26 +- crypto/openssl/crypto/provider_child.c | 41 +- crypto/openssl/crypto/provider_conf.c | 86 +- crypto/openssl/crypto/provider_core.c | 454 +- crypto/openssl/crypto/provider_local.h | 8 +- crypto/openssl/crypto/provider_predefined.c | 4 +- crypto/openssl/crypto/punycode.c | 17 +- crypto/openssl/crypto/quic_vlint.c | 26 +- crypto/openssl/crypto/rand/prov_seed.c | 36 +- crypto/openssl/crypto/rand/rand_deprecated.c | 8 +- crypto/openssl/crypto/rand/rand_egd.c | 97 +- crypto/openssl/crypto/rand/rand_err.c | 164 +- crypto/openssl/crypto/rand/rand_lib.c | 228 +- crypto/openssl/crypto/rand/rand_local.h | 30 +- crypto/openssl/crypto/rand/rand_meth.c | 2 +- crypto/openssl/crypto/rand/rand_pool.c | 25 +- crypto/openssl/crypto/rand/rand_uniform.c | 10 +- crypto/openssl/crypto/rand/randfile.c | 87 +- crypto/openssl/crypto/rc2/rc2_cbc.c | 30 +- crypto/openssl/crypto/rc2/rc2_ecb.c | 2 +- crypto/openssl/crypto/rc2/rc2_local.h | 117 +- crypto/openssl/crypto/rc2/rc2_skey.c | 284 +- crypto/openssl/crypto/rc2/rc2cfb64.c | 8 +- crypto/openssl/crypto/rc2/rc2ofb64.c | 8 +- crypto/openssl/crypto/rc4/rc4_enc.c | 19 +- crypto/openssl/crypto/rc4/rc4_local.h | 6 +- crypto/openssl/crypto/rc4/rc4_skey.c | 15 +- crypto/openssl/crypto/rc5/rc5_ecb.c | 2 +- crypto/openssl/crypto/rc5/rc5_enc.c | 4 +- crypto/openssl/crypto/rc5/rc5_local.h | 206 +- crypto/openssl/crypto/rc5/rc5_skey.c | 5 +- crypto/openssl/crypto/rc5/rc5cfb64.c | 8 +- crypto/openssl/crypto/rc5/rc5ofb64.c | 8 +- crypto/openssl/crypto/rcu_internal.h | 4 +- crypto/openssl/crypto/ripemd/rmd_dgst.c | 19 +- crypto/openssl/crypto/ripemd/rmd_local.h | 112 +- crypto/openssl/crypto/ripemd/rmdconst.h | 360 +- crypto/openssl/crypto/riscvcap.c | 63 +- crypto/openssl/crypto/rsa/rsa_acvp_test_params.c | 29 +- crypto/openssl/crypto/rsa/rsa_ameth.c | 272 +- crypto/openssl/crypto/rsa/rsa_asn1.c | 51 +- crypto/openssl/crypto/rsa/rsa_backend.c | 138 +- crypto/openssl/crypto/rsa/rsa_chk.c | 12 +- crypto/openssl/crypto/rsa/rsa_crpt.c | 18 +- crypto/openssl/crypto/rsa/rsa_depr.c | 4 +- crypto/openssl/crypto/rsa/rsa_err.c | 274 +- crypto/openssl/crypto/rsa/rsa_gen.c | 64 +- crypto/openssl/crypto/rsa/rsa_lib.c | 157 +- crypto/openssl/crypto/rsa/rsa_local.h | 78 +- crypto/openssl/crypto/rsa/rsa_meth.c | 132 +- crypto/openssl/crypto/rsa/rsa_mp.c | 4 +- crypto/openssl/crypto/rsa/rsa_none.c | 4 +- crypto/openssl/crypto/rsa/rsa_oaep.c | 52 +- crypto/openssl/crypto/rsa/rsa_ossl.c | 160 +- crypto/openssl/crypto/rsa/rsa_pk1.c | 97 +- crypto/openssl/crypto/rsa/rsa_pmeth.c | 105 +- crypto/openssl/crypto/rsa/rsa_pss.c | 78 +- crypto/openssl/crypto/rsa/rsa_saos.c | 17 +- crypto/openssl/crypto/rsa/rsa_schemes.c | 20 +- crypto/openssl/crypto/rsa/rsa_sign.c | 267 +- crypto/openssl/crypto/rsa/rsa_sp800_56b_check.c | 121 +- crypto/openssl/crypto/rsa/rsa_sp800_56b_gen.c | 22 +- crypto/openssl/crypto/rsa/rsa_x931.c | 5 +- crypto/openssl/crypto/rsa/rsa_x931g.c | 31 +- crypto/openssl/crypto/s390x_arch.h | 228 +- crypto/openssl/crypto/s390xcap.c | 720 +- crypto/openssl/crypto/s390xcpuid.pl | 8 +- crypto/openssl/crypto/seed/seed.c | 752 +- crypto/openssl/crypto/seed/seed_cbc.c | 8 +- crypto/openssl/crypto/seed/seed_cfb.c | 8 +- crypto/openssl/crypto/seed/seed_ecb.c | 2 +- crypto/openssl/crypto/seed/seed_local.h | 123 +- crypto/openssl/crypto/seed/seed_ofb.c | 6 +- crypto/openssl/crypto/self_test_core.c | 24 +- crypto/openssl/crypto/sha/asm/keccak1600-s390x.pl | 3 +- crypto/openssl/crypto/sha/keccak1600.c | 267 +- crypto/openssl/crypto/sha/sha256.c | 197 +- crypto/openssl/crypto/sha/sha3.c | 4 +- crypto/openssl/crypto/sha/sha512.c | 319 +- crypto/openssl/crypto/sha/sha_local.h | 251 +- crypto/openssl/crypto/sha/sha_ppc.c | 6 +- crypto/openssl/crypto/sha/sha_riscv.c | 5 +- crypto/openssl/crypto/siphash/siphash.c | 61 +- crypto/openssl/crypto/sleep.c | 26 +- crypto/openssl/crypto/slh_dsa/slh_adrs.c | 42 +- crypto/openssl/crypto/slh_dsa/slh_adrs.h | 38 +- crypto/openssl/crypto/slh_dsa/slh_dsa.c | 99 +- crypto/openssl/crypto/slh_dsa/slh_dsa_hash_ctx.c | 8 +- crypto/openssl/crypto/slh_dsa/slh_dsa_key.c | 45 +- crypto/openssl/crypto/slh_dsa/slh_dsa_key.h | 2 +- crypto/openssl/crypto/slh_dsa/slh_dsa_local.h | 60 +- crypto/openssl/crypto/slh_dsa/slh_fors.c | 44 +- crypto/openssl/crypto/slh_dsa/slh_hash.c | 126 +- crypto/openssl/crypto/slh_dsa/slh_hash.h | 62 +- crypto/openssl/crypto/slh_dsa/slh_hypertree.c | 18 +- crypto/openssl/crypto/slh_dsa/slh_params.c | 49 +- crypto/openssl/crypto/slh_dsa/slh_params.h | 12 +- crypto/openssl/crypto/slh_dsa/slh_wots.c | 38 +- crypto/openssl/crypto/slh_dsa/slh_xmss.c | 30 +- crypto/openssl/crypto/sm2/sm2_crypt.c | 74 +- crypto/openssl/crypto/sm2/sm2_err.c | 42 +- crypto/openssl/crypto/sm2/sm2_key.c | 8 +- crypto/openssl/crypto/sm2/sm2_sign.c | 136 +- crypto/openssl/crypto/sm3/legacy_sm3.c | 3 +- crypto/openssl/crypto/sm3/sm3.c | 6 +- crypto/openssl/crypto/sm3/sm3_local.h | 141 +- crypto/openssl/crypto/sm4/asm/vpsm4_ex-armv8.pl | 27 +- crypto/openssl/crypto/sm4/sm4.c | 50 +- crypto/openssl/crypto/sparcv9cap.c | 85 +- crypto/openssl/crypto/sparse_array.c | 28 +- crypto/openssl/crypto/srp/srp_lib.c | 71 +- crypto/openssl/crypto/srp/srp_vfy.c | 115 +- crypto/openssl/crypto/ssl_err.c | 1212 +- crypto/openssl/crypto/sslerr.h | 16 +- crypto/openssl/crypto/stack/stack.c | 25 +- crypto/openssl/crypto/store/store_err.c | 92 +- crypto/openssl/crypto/store/store_lib.c | 214 +- crypto/openssl/crypto/store/store_local.h | 20 +- crypto/openssl/crypto/store/store_meth.c | 67 +- crypto/openssl/crypto/store/store_register.c | 52 +- crypto/openssl/crypto/store/store_result.c | 118 +- crypto/openssl/crypto/store/store_strings.c | 12 +- crypto/openssl/crypto/thread/arch.c | 2 +- crypto/openssl/crypto/thread/arch/thread_none.c | 2 +- crypto/openssl/crypto/thread/arch/thread_posix.c | 14 +- crypto/openssl/crypto/thread/arch/thread_win.c | 48 +- crypto/openssl/crypto/thread/internal.c | 8 +- crypto/openssl/crypto/threads_lib.c | 4 +- crypto/openssl/crypto/threads_none.c | 47 +- crypto/openssl/crypto/threads_pthread.c | 323 +- crypto/openssl/crypto/threads_win.c | 148 +- crypto/openssl/crypto/time.c | 12 +- crypto/openssl/crypto/trace.c | 142 +- crypto/openssl/crypto/ts/ts_asn1.c | 64 +- crypto/openssl/crypto/ts/ts_conf.c | 108 +- crypto/openssl/crypto/ts/ts_err.c | 122 +- crypto/openssl/crypto/ts/ts_lib.c | 4 +- crypto/openssl/crypto/ts/ts_local.h | 18 +- crypto/openssl/crypto/ts/ts_req_print.c | 2 +- crypto/openssl/crypto/ts/ts_rsp_print.c | 41 +- crypto/openssl/crypto/ts/ts_rsp_sign.c | 154 +- crypto/openssl/crypto/ts/ts_rsp_verify.c | 104 +- crypto/openssl/crypto/ts/ts_verify_ctx.c | 8 +- crypto/openssl/crypto/txt_db/txt_db.c | 22 +- crypto/openssl/crypto/ui/ui_err.c | 36 +- crypto/openssl/crypto/ui/ui_lib.c | 224 +- crypto/openssl/crypto/ui/ui_local.h | 56 +- crypto/openssl/crypto/ui/ui_null.c | 10 +- crypto/openssl/crypto/ui/ui_openssl.c | 536 +- crypto/openssl/crypto/ui/ui_util.c | 65 +- crypto/openssl/crypto/uid.c | 34 +- crypto/openssl/crypto/vms_rms.h | 86 +- crypto/openssl/crypto/whrlpool/wp_block.c | 811 +- crypto/openssl/crypto/whrlpool/wp_dgst.c | 20 +- *** 688720 LINES SKIPPED *** From nobody Tue Jun 9 19:19:42 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyR0mB5z6gVPp for ; Tue, 09 Jun 2026 19:19:43 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdyQ3nyYz3QWS for ; Tue, 09 Jun 2026 19:19:42 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032782; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=dL470eS6Dkr/1uxhDpZEQBqNSSbt9pIo3h9aS79Uro0=; b=qVSLUGWYaw/yI49oWfEHJ29svvs3oYL0jenM5/8o+lHaXBGdnLkm9re7/phYq4cODHbTwk a0B0xlrm5x8WBuiNsr/yailUQs9zkK4w9qQk1GFEm7VzAX18rLQ/Nl9bocwvnrFeHXep8v 5pzJMiK7qIuYfVFlAxbB0Q7e2IJ2xPfw0nsbYSNFuFtiLuVYYmuTrAAI5TTiupYN4kSb9p K11i6VkFjvQwdKh0NyLcQ1tdC+pUxVxWWk9vZhozzRd3yKvLbptk1ZZd+oPuPYWCaEQAbX /O3LIxCoc870qvgLFHeWSlX0SjBwjH6L2+C28UyfGBeVxZYn/RbjP4QaMxYdFg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032782; a=rsa-sha256; cv=none; b=wTuohLcHtpvxWztQ3B4jCTGOhiA8NBh7yzAsE2PMgkI+O0LDpOHiFT2DENRO2lyt02FMSQ qmLe7YX/xx0yzdAUWoPXuJqOvc2XTt8GA05wDwBu+25ULqxAvPPisCuzScsOh2B1d9dudg L1xasd7jvtaii2BDcKNzQXEdlIlYBLtJb+VrH9kPq3pJyrLQ590U7D7t/KblMoZNKZFhcF o9q3GZvZRE2Aap6pNN6hDY1SzD1vOHNxyVTL5hmBYpj9M3mWHi79yiG0QMfZZiDYv5X766 Gr8ygBsLHGUGh2vi90T4y2UpRiiF9z/UHwgIqdmbfL2uP6KRnyy/ngcpcA0xWA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032782; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=dL470eS6Dkr/1uxhDpZEQBqNSSbt9pIo3h9aS79Uro0=; b=RurYjwCSYBBlhSs3beVx4ygQdlZx6TQIuaGqKisTmkbe/iCeBPzblPt2ikvkBIfd1pbA1s SYIoiSqrc6ym/BMTDA+uRhC7oNrC2vmB5XbPkSEj9USGSfNdM9Zey65WqNxtd96C/u+pLi 1Enikl1dRYT1aKddkERFtg2DyI06Y/ezQQS7ZZiTJP49zAhB7tJr+rHFZDVtNRIgQpXAVV a4j9kGrsJrDMG9p1u9VbCZAeyJukB88GUrBdydhGUEOsAxyaxWxVq/Zt/m0nYAFq//8WRM 12xatSzDp0pdQl1PsTf2FyCc06ifGQWUkRhLpbXeH/A+O5HMD8eA1PNbPuPG2w== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyQ2m0mzp1Y for ; Tue, 09 Jun 2026 19:19:42 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3ea73 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:42 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 6f6c7b996719 - releng/15.0 - thr_kill2: Respect p_cansignal() List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.0 X-Git-Reftype: branch X-Git-Commit: 6f6c7b99671987f2531e7dff8edb92bbc19d7eba Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:42 +0000 Message-Id: <6a28674e.3ea73.1c3af55b@gitrepo.freebsd.org> The branch releng/15.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=6f6c7b99671987f2531e7dff8edb92bbc19d7eba commit 6f6c7b99671987f2531e7dff8edb92bbc19d7eba Author: Mark Johnston AuthorDate: 2026-05-25 15:12:57 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 15:39:32 +0000 thr_kill2: Respect p_cansignal() Approved by: so Security: FreeBSD-SA-26:25.thr Security: CVE-2026-45256 Reported by: Igor Gabriel Sousa e Souza Reported by: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai Reviewed by: emaste, kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57237 --- sys/kern/kern_thr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/kern/kern_thr.c b/sys/kern/kern_thr.c index 4329959a2ef4..4a439eee0210 100644 --- a/sys/kern/kern_thr.c +++ b/sys/kern/kern_thr.c @@ -506,7 +506,7 @@ sys_thr_kill2(struct thread *td, struct thr_kill2_args *uap) p = ttd->td_proc; AUDIT_ARG_PROCESS(p); error = p_cansignal(td, p, uap->sig); - if (uap->sig == 0) + if (error != 0 || uap->sig == 0) ; else if (!_SIG_VALID(uap->sig)) error = EINVAL; From nobody Tue Jun 9 19:19:44 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyT2tpbz6gVKH for ; Tue, 09 Jun 2026 19:19:45 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdyS4vDHz3QZ4 for ; Tue, 09 Jun 2026 19:19:44 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032784; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=tTIVAs8/HSxVV74l+EootG+FHdmXnvDFiyHOD5vDrMY=; b=xoX+sw0ZSaXwRxc4WKQkT4wV1mIhCfyB1x+sLv7AOtc16yRg7dVxEx2Z44+FdrOSS6PGqH VWAMLTSrhWHwRtbo6YlgeuWWE1yOlEFQpJWMd7c1cl5DN6Tl3bKPQu/PHVRANq+6y/dzZR rgSc6vO7hBTnPIjSMsezRSBivKNTN9bS+sIetOA96Lg2uGQTfwqBvFsFBUkrY96BYlscfo kGfaD71CnAiUcVujn6VpeMmLwM8GgOeKDeKkXvrQ/TOYm8jUh9IDtKkS/dN3TXX7RoDsd7 B4knUozuZjF7n8FoVw87/XjjS5fmhmyTqLoTWOVdm9AxI+dX9kXIWSy5FPN6zg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032784; a=rsa-sha256; cv=none; b=vfi628AUwR16kGtj4VP783Pchy6JrkK0dcbJ47nGLgxF23+DmkVTzQILYnyRMDvIpLvXL9 8zhdpz/Leo0w/EzV5d5bz6MDYhRCeP3nItVKRSr+qr6srSFbcw6E0/m9MQ2RS4WxrscYFS XGKMfuLispPez11XLEllcuK1x8fm9rdXHbhaJLKjFbKKO+NMbWYcxhva8QTcNdXeWFko1M y6Jo8tAhEjnvvU6t19yWiyaHpk/xJhKICaSfiCy8mo8+9dr+RG9zV7RZ95D2QWmkFcRg94 o+nBLgMM1qpH0D5Z1Pb+Oo8ewY6isMRSn8C3iZcKEMRy+mSbKbGCmTiimX3Qyg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032784; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=tTIVAs8/HSxVV74l+EootG+FHdmXnvDFiyHOD5vDrMY=; b=BIUM44NT7+30AWio82+ZgTE5CSqobrBEvx246vFgjCZ8TNBvNcDLPj/4RGqNIvQlANrL9g VplHV7i4UXkQNjEbEPurps+u8E4Ct0zw3rLnpnZMzwIbzuiKsOQVSeXchPhnxr0UA1sZaM +NFEn6DcWet4rhCltQ1xT71eSmwv7gu+vBmAKuqImK7tujp/Rh8ZVl7rwc/P5T3DxknKNK c6v+98l7Hkxq4iNoWIksDRKFreWm3Z/BK3lVsYMu9nVeowAOn0zkMpayIj+ByCAVvR3h2h 0j9DT1zT9W/Pkt9lOyBPyOIXXo9CemH2crmlsdqAL2fn08Icg2nhPJZgBvaASg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyS4RMyznrp for ; Tue, 09 Jun 2026 19:19:44 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3ecc3 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:44 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Christos Margiolis From: Mark Johnston Subject: git: c42ee04c521e - releng/15.0 - sound: Check for offset overflow in dsp_mmap_single() List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.0 X-Git-Reftype: branch X-Git-Commit: c42ee04c521ed8268421173f961859233a321b17 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:44 +0000 Message-Id: <6a286750.3ecc3.5176f660@gitrepo.freebsd.org> The branch releng/15.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=c42ee04c521ed8268421173f961859233a321b17 commit c42ee04c521ed8268421173f961859233a321b17 Author: Christos Margiolis AuthorDate: 2026-05-27 15:50:33 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 15:39:32 +0000 sound: Check for offset overflow in dsp_mmap_single() Approved by: so Security: FreeBSD-SA-26:27.sound Security: CVE-2026-45258 Reviewed by: markj Sponsored by: The FreeBSD Foundation --- sys/dev/sound/pcm/dsp.c | 3 +++ tests/sys/sound/Makefile | 1 + tests/sys/sound/mmap.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 55 insertions(+) diff --git a/sys/dev/sound/pcm/dsp.c b/sys/dev/sound/pcm/dsp.c index fe5576baf017..72bde9c1066f 100644 --- a/sys/dev/sound/pcm/dsp.c +++ b/sys/dev/sound/pcm/dsp.c @@ -1953,6 +1953,9 @@ dsp_mmap_single(struct cdev *i_dev, vm_ooffset_t *offset, struct pcm_channel *wrch, *rdch, *c; int err; + if (*offset >= *offset + size) + return (EINVAL); + /* * Reject PROT_EXEC by default. It just doesn't makes sense. * Unfortunately, we have to give up this one due to linux_mmap diff --git a/tests/sys/sound/Makefile b/tests/sys/sound/Makefile index 74a0765a0540..ce156ae8c4cf 100644 --- a/tests/sys/sound/Makefile +++ b/tests/sys/sound/Makefile @@ -2,6 +2,7 @@ PACKAGE= tests TESTSDIR= ${TESTSBASE}/sys/sound +ATF_TESTS_C+= mmap ATF_TESTS_C+= pcm_read_write ATF_TESTS_C+= sndstat diff --git a/tests/sys/sound/mmap.c b/tests/sys/sound/mmap.c new file mode 100644 index 000000000000..ab203a39194c --- /dev/null +++ b/tests/sys/sound/mmap.c @@ -0,0 +1,51 @@ +/*- + * SPDX-License-Identifier: BSD-2-Clause + * + * Copyright (c) 2026 The FreeBSD Foundation + */ + +#include +#include + +#include +#include +#include +#include + +#define FMT_ERR(s) s ": %s", strerror(errno) + +ATF_TC(mmap_offset_overflow); +ATF_TC_HEAD(mmap_offset_overflow, tc) +{ + atf_tc_set_md_var(tc, "descr", "mmap offset overflow test"); + atf_tc_set_md_var(tc, "require.kmods", "snd_dummy"); +} + +ATF_TC_BODY(mmap_offset_overflow, tc) +{ + uint8_t *buf; + off_t off; + size_t len; + int fd; + + fd = open("/dev/dsp0", O_RDWR); + ATF_REQUIRE_MSG(fd >= 0, FMT_ERR("open")); + + /* off + len will overflow and wrap back to 0. */ + off = 0xfffffffffffff000; + len = 0x1000; + + buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, off); + ATF_REQUIRE_MSG(buf == MAP_FAILED, FMT_ERR("mmap")); + + munmap(buf, len); + + close(fd); +} + +ATF_TP_ADD_TCS(tp) +{ + ATF_TP_ADD_TC(tp, mmap_offset_overflow); + + return (atf_no_error()); +} From nobody Tue Jun 9 19:19:43 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyS512Fz6gVDh for ; Tue, 09 Jun 2026 19:19:44 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdyR42spz3QTB for ; Tue, 09 Jun 2026 19:19:43 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032783; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Qf6piFB4Y+sW89fjkl9fywA4ksKsB3uiW+7NmEA9ISA=; b=KSOh1L4qKMXriRH9nAJ7QaBj1D+U+g9xKKRy5MZxIBX0OlY2lwRydkGA2I42uky57oYg4s jReCpQkzX3yDnuoCC3GGFzyupkt6vx1YDIQlvcDtIpqmxBYHD1DX7pCAHsQLo/H9H75iVQ JPUnrfKYDanUE9Sm4P1nycwL3Ze0yV493JnbvWS+EWjD2VyD8ijVz0cNZ0RP6Ki5phjYC+ YydbraXk6yTLdVesZze7yYp4oLy8DOiaj/m4cohKG018Wqbkbn/6Pe7cPYhv92r0N2bleR 2AGT2a0s1t+6FCead8zj1jy4GAV6XN2/nx9ZLwNgpOdDjor1UGpIFAy7wnQsCg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032783; a=rsa-sha256; cv=none; b=xiNROumfcLF4HB1QkT+dGnrNEX/AuvJrH37KtLbNHknnwmxUfhyGYWnK0F+XEKrCf3kdqQ G2CNb5ufq/4vFCePigI6oUjUnVNZbTODqm/0nTQ18NxtDhbb3q1+TpIjZXduNajF/s2Jnr ETFTsDuD/PzauxzrEeS8Doet2IW/DT3Kt+mDin59Bhhp8nz+Kh6PS1oi09gyWgZB6nnRPa h60fHhGCLDnBJJpi4G39b8ZpSBFCZXQXgj9xGJnJCkNGqC/YY0EaWSOUnvlL7ntBzMm2sZ 5sijDFvv8sqTKgubfE9ZjGH1O7KxljkdiJbSAIjK5rPLNOwcoZXh9MexfHN2Ng== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032783; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Qf6piFB4Y+sW89fjkl9fywA4ksKsB3uiW+7NmEA9ISA=; b=OpWWpdEL3/zXElN1DQcq3iGGLg6BvJloVBeXLGyzTs2Y5S0ZEMRqBX0WB+5Z3TlGD+t8LF k/L08+CSFYiwDFFB/hAGV1Y7B01RmxTFFCiOo3I8xffU5XIN8+ZvlTKEkaCigrd2ouwxt6 mDlj4Ptni4rESgR/Mc72tJpBQ8Bxw3sMdIIzL1451g0XXuvNvjBtRhSU5zgq6AChfLPe56 L3K1DopDSsquFOFHe+Z64OH09wkdPwso7CPZa7/zF015DDu/RvOSO9IPk2FvFYlJer1xax HwMAK1RG2yOFh9FnCNOoGKeJMd/nyRIAu+rDvlYj9dyOmo/T5hJMZJK3ihfXgA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyR3f3gzp1b for ; Tue, 09 Jun 2026 19:19:43 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3d544 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:43 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: John Baldwin From: Mark Johnston Subject: git: 540a315cdb46 - releng/15.0 - ktls: Don't attempt to modify non-anonymous mbufs on the receive path List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.0 X-Git-Reftype: branch X-Git-Commit: 540a315cdb46d6aa3cdbb3797710db652b3c4f4a Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:43 +0000 Message-Id: <6a28674f.3d544.633ffb3c@gitrepo.freebsd.org> The branch releng/15.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=540a315cdb46d6aa3cdbb3797710db652b3c4f4a commit 540a315cdb46d6aa3cdbb3797710db652b3c4f4a Author: John Baldwin AuthorDate: 2026-06-03 23:22:00 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 15:39:32 +0000 ktls: Don't attempt to modify non-anonymous mbufs on the receive path Normally, data processed on the KTLS receive path is contained in anonymous mbufs that can be modified in place. Either the data originates in receive buffers from a NIC driver, or for loopback connections the data is anonymous-backed mbufs created when writing to a socket. One potential source of non-anonymous mbufs are mbufs created by sendfile(2) which borrow the pages of the underlying file, either via M_EXTPG or EXT_SFBUF that are sent over a loopback connection. For a well-formed loopback TLS session, the sender should only use sendfile(2) if KTLS is enabled. If TLS is fully handled in userspace, the sender must use write(2) or send(2) which allocate anonymous mbufs. If KTLS transmit is enabled, then sendfile(2) on a loopback connection will always use crypto via OCF and will allocate anonymous pages to hold the encrypted data. However, if sendfile(2) is used to send file-backed data directly over a loopback connection where KTLS is not enabled on the sender side, the KTLS receive path can modify the file-backed pages in place overwriting the file's data. One potential fix would be to replace non-anonymous mbufs in a received TLS record with anonymous mbufs (e.g. via m_dup()) before passing the record to OCF. However, there is no legitimate use case for using sendfile(2) over a loopback TLS connection without using KTLS on the sender side, so instead simply fail decryption requests and close the connection if non-anonymous mbufs are encountered in the RX decryption path. Add a test for this that verifies that the original data backing the file descriptor used as the source for sendfile() is unchanged after being processed. Approved by: so Security: FreeBSD-SA-26:26.ktls Security: CVE-2026-45257 Co-authored-by: Drew Gallatin Sponsored by: Chelsio Communications Sponsored by: Netflix --- sys/kern/uipc_ktls.c | 17 +++++++-- sys/sys/ktls.h | 1 + tests/sys/kern/ktls_test.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 108 insertions(+), 3 deletions(-) diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c index 66ce1b5a081d..2bc56d166a18 100644 --- a/sys/kern/uipc_ktls.c +++ b/sys/kern/uipc_ktls.c @@ -2416,8 +2416,10 @@ tls13_find_record_type(struct ktls_session *tls, struct mbuf *m, int tls_len, * Check if a mbuf chain is fully decrypted at the given offset and * length. Returns KTLS_MBUF_CRYPTO_ST_DECRYPTED if all data is * decrypted. KTLS_MBUF_CRYPTO_ST_MIXED if there is a mix of encrypted - * and decrypted data. Else KTLS_MBUF_CRYPTO_ST_ENCRYPTED if all data - * is encrypted. + * and decrypted data. KTLS_MBUF_CRYPTO_ST_ENCRYPTED if all data is + * encrypted. KTLS_MBUF_CRYPTO_ST_SHAREDMBUF if any mbuf points at + * shared data that must not be modified in place (non-anonymous + * M_EXTPG or sendfile M_EXT buffers). */ ktls_mbuf_crypto_st_t ktls_mbuf_crypto_state(struct mbuf *mb, int offset, int len) @@ -2433,6 +2435,13 @@ ktls_mbuf_crypto_state(struct mbuf *mb, int offset, int len) offset += len; for (; mb != NULL; mb = mb->m_next) { + if ((mb->m_flags & M_EXTPG) != 0 && + (mb->m_epg_flags & EPG_FLAG_ANON) == 0) + return (KTLS_MBUF_CRYPTO_ST_SHAREDMBUF); + if ((mb->m_flags & M_EXT) != 0 && + mb->m_ext.ext_type == EXT_SFBUF) + return (KTLS_MBUF_CRYPTO_ST_SHAREDMBUF); + m_flags_ored |= mb->m_flags; m_flags_anded &= mb->m_flags; @@ -2633,9 +2642,11 @@ ktls_decrypt(struct socket *so) record_type = hdr->tls_type; } break; - default: + case KTLS_MBUF_CRYPTO_ST_SHAREDMBUF: error = EINVAL; break; + default: + __assert_unreachable(); } if (error) { counter_u64_add(ktls_offload_failed_crypto, 1); diff --git a/sys/sys/ktls.h b/sys/sys/ktls.h index a940bcfaba25..b856dbe8acae 100644 --- a/sys/sys/ktls.h +++ b/sys/sys/ktls.h @@ -238,6 +238,7 @@ typedef enum { KTLS_MBUF_CRYPTO_ST_MIXED = 0, KTLS_MBUF_CRYPTO_ST_ENCRYPTED = 1, KTLS_MBUF_CRYPTO_ST_DECRYPTED = -1, + KTLS_MBUF_CRYPTO_ST_SHAREDMBUF = -2, } ktls_mbuf_crypto_st_t; void ktls_check_rx(struct sockbuf *sb); diff --git a/tests/sys/kern/ktls_test.c b/tests/sys/kern/ktls_test.c index 72497196b945..3970083e7f72 100644 --- a/tests/sys/kern/ktls_test.c +++ b/tests/sys/kern/ktls_test.c @@ -30,6 +30,7 @@ #include #include #include +#include #include #include #include @@ -2817,6 +2818,97 @@ ATF_TC_BODY(ktls_listening_socket, tc) ATF_REQUIRE(close(s) == 0); } +/* + * Verify that the KTLS receive path does not overwrite data belonging + * to a file whose payload is transmitted over a loopback connection + * via plain sendfile. + */ +ATF_TC_WITHOUT_HEAD(ktls_receive_loopback_sendfile); +ATF_TC_BODY(ktls_receive_loopback_sendfile, tc) +{ + struct tls_enable en; + struct msghdr msg; + struct sf_hdtr hdtr; + struct iovec iov[2]; + uint64_t seqno; + off_t sbytes; + char cbuf[CMSG_SPACE(sizeof(struct tls_get_record))]; + char *plaintext, *ciphertext, *outbuf; + void *p; + const size_t payload_len = PAGE_SIZE; + ssize_t rv; + size_t len; + int mode, shm, sockets[2]; + socklen_t slen; + + ATF_REQUIRE_KTLS(); + seqno = random(); + build_tls_enable(tc, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, + TLS_MINOR_VER_TWO, seqno, &en); + + len = tls_header_len(&en) + payload_len + tls_trailer_len(&en); + plaintext = alloc_buffer(payload_len); + ciphertext = malloc(len); + ATF_REQUIRE_INTEQ(len, encrypt_tls_record(tc, &en, TLS_RLTYPE_APP, + seqno, plaintext, payload_len, ciphertext, len, 0)); + + ATF_REQUIRE((shm = shm_open(SHM_ANON, O_RDWR, 0600)) > 0); + ATF_REQUIRE_INTEQ(0, ftruncate(shm, payload_len)); + ATF_REQUIRE((p = mmap(NULL, payload_len, PROT_READ | PROT_WRITE, + MAP_SHARED, shm, 0)) != MAP_FAILED); + memcpy(p, ciphertext + tls_header_len(&en), payload_len); + + ATF_REQUIRE_MSG(socketpair_tcp(sockets), "failed to create sockets"); + ATF_REQUIRE(setsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_ENABLE, &en, + sizeof(en)) == 0); + slen = sizeof(mode); + ATF_REQUIRE_INTEQ(0, getsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_MODE, + &mode, &slen)); + ATF_REQUIRE_INTEQ(TCP_TLS_MODE_SW, mode); + + fd_set_blocking(sockets[0]); + fd_set_blocking(sockets[1]); + + iov[0].iov_base = ciphertext; + iov[0].iov_len = tls_header_len(&en); + iov[1].iov_base = ciphertext + tls_header_len(&en) + payload_len; + iov[1].iov_len = tls_trailer_len(&en); + hdtr.headers = iov; + hdtr.hdr_cnt = 1; + hdtr.trailers = iov + 1; + hdtr.trl_cnt = 1; + debug_hexdump(tc, p, payload_len, "shm buffer before"); + ATF_REQUIRE_INTEQ(0, sendfile(shm, sockets[1], 0, payload_len, &hdtr, + &sbytes, 0)); + ATF_REQUIRE_INTEQ(sbytes, len); + + outbuf = calloc(payload_len, 1); + + memset(&msg, 0, sizeof(msg)); + + msg.msg_control = cbuf; + msg.msg_controllen = sizeof(cbuf); + + iov[0].iov_base = outbuf; + iov[0].iov_len = payload_len; + msg.msg_iov = iov; + msg.msg_iovlen = 1; + + rv = recvmsg(sockets[0], &msg, 0); + if (rv >= 0) { + ATF_REQUIRE_INTEQ(payload_len, rv); + ATF_REQUIRE_INTEQ(0, memcmp(outbuf, plaintext, payload_len)); + } else + ATF_REQUIRE_ERRNO(EBADMSG, true); + + debug_hexdump(tc, p, payload_len, "shm buffer after"); + ATF_REQUIRE_INTEQ(0, memcmp(p, ciphertext + tls_header_len(&en), + payload_len)); + + close_sockets_ignore_errors(sockets); + (void)close(shm); +} + ATF_TP_ADD_TCS(tp) { /* Transmit tests */ @@ -2843,6 +2935,7 @@ ATF_TP_ADD_TCS(tp) /* Miscellaneous */ ATF_TP_ADD_TC(tp, ktls_sendto_baddst); ATF_TP_ADD_TC(tp, ktls_listening_socket); + ATF_TP_ADD_TC(tp, ktls_receive_loopback_sendfile); return (atf_no_error()); } From nobody Tue Jun 9 19:19:45 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyV1ct7z6gVVR for ; Tue, 09 Jun 2026 19:19:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdyT5pHlz3QZG for ; Tue, 09 Jun 2026 19:19:45 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032785; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=1Yb0fo3qclfaVdsJz2vmSYydVX2rYppdVLb/AO7+GfY=; b=aifbaS2GHZDW0d+XUBfk3E6voj46WsQJ/Wo6EQ7K0jTnktdxX1RhDgeiOES9qkwFjlCzID Qkfq1kuqjNEDwuD0o2mvb3/a5PTBkS526qkHbBw2954yEZVSrMA/vKfxuub7utzCWxE1An QmEJVIWjstXXIxW/fevYDsN5IV+5BYpIJndoms5vSnNHgHe/f+1gSsntUkH2Zb9MqzjjkR 5gaApJFE8rH9R86mhYOdcTJ7rVFweBBRJFlYmLv3Hjsw2SnSuS+Ue+lQmmD/PRrpRl7BwY zcITYA+vDYsplQzVxYAgMgfxwbfcMEkexnXusGsI1QBx17sYFINiJUTLiMq7qw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032785; a=rsa-sha256; cv=none; b=brSirAnjTZDOHu4HoycHQICB0wt0FcFS+Wf+hDWyy+tMu89Nfs0hR6AGfKC+MnV1PJSl7B 5NpfQ7lPLiMQiDc3mYFt/Go9iJ0mfORHh3M8yNIGuY5OnxDO4DII22Ts69NKGWFRGcFGew U/haHmB/j5tCzZrxwwkXR16lHr+9t6GNgBmakqt2oGpr+gWD8P2hxl/vZrJgc51fUcnZWE OJmq0QTBnvnJapOOv+xCbSvkJrOlJL30ILCTPY1SeyjYglwl1Oa5lLfixdUuYwx7VLMmg4 4ZHuU+bObyrlHLwIKvQXjXoUK8pLlHU2SKlSSk/nGtLE1I5vQyTqIk3++ruA9A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032785; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=1Yb0fo3qclfaVdsJz2vmSYydVX2rYppdVLb/AO7+GfY=; b=bYGcY1fc9RIVUzLPWbwefT3QczlKJIgxJvFXEhkSujUu2rGBFcrz9jZzHptg71m+QAbvQW YgkyDX4iNlKiMWYOKqbyC4wyRgEyUv25XDtg7/hRItsXDlrcAu9CWMqhQIhUZWSrCXLeJ9 XvENxCoGfZo0ZqMROO2jBJ6Obcw1E+uAf8g1yOSD26BmC27TMF83ow9wL3ob6Nbg0ObRY+ kfoHHbWQ6+1lApLs390ClpmkYAw/WJAGuWuaQd66dhPJaZlTBcq02m80svehN6vdk8rf3D sbWreRytKFqwF9g50hgKfR9tiogtQ5Rv4P7hb4QSEUvmpJj++SCQFCrpcuopcw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyT5DxYznl2 for ; Tue, 09 Jun 2026 19:19:45 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e5b3 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:45 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: bda153dc04b4 - releng/15.0 - sound: Fix software buffer lifetime issues List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.0 X-Git-Reftype: branch X-Git-Commit: bda153dc04b4ddb667856874c083bd117fc0b9a1 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:45 +0000 Message-Id: <6a286751.3e5b3.538be532@gitrepo.freebsd.org> The branch releng/15.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=bda153dc04b4ddb667856874c083bd117fc0b9a1 commit bda153dc04b4ddb667856874c083bd117fc0b9a1 Author: Mark Johnston AuthorDate: 2026-06-01 21:57:40 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 15:39:32 +0000 sound: Fix software buffer lifetime issues The channel buffer mapped by dsp_mmap_single() may be freed when the device handle is closed, but the mapping persists beyond that, allowing userspace to read or write memory owned by a different consumer. Fix the problem by adding a reference counter to the sound buffer. Define pager ops for the VM object returned by dsp_mmap_single() and use them to manage the extra reference. Add a regression test. Approved by: so Security: FreeBSD-SA-26:27.sound Security: CVE-2026-49417 Reported by: Lexpl0it, 75Acol, Liyw979, Rob1n Reviewed by kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57393 --- sys/dev/sound/pcm/buffer.c | 38 ++++++++++++++++++-- sys/dev/sound/pcm/buffer.h | 4 +++ sys/dev/sound/pcm/dsp.c | 89 ++++++++++++++++++++++++++++++++++++++-------- tests/sys/sound/mmap.c | 60 +++++++++++++++++++++++++++++++ 4 files changed, 175 insertions(+), 16 deletions(-) diff --git a/sys/dev/sound/pcm/buffer.c b/sys/dev/sound/pcm/buffer.c index de535ec2dcba..ddcf14fbc1c2 100644 --- a/sys/dev/sound/pcm/buffer.c +++ b/sys/dev/sound/pcm/buffer.c @@ -32,6 +32,7 @@ #include "opt_snd.h" #endif +#include #include #include "feeder_if.h" @@ -46,6 +47,7 @@ sndbuf_create(device_t dev, char *drv, char *desc, struct pcm_channel *channel) struct snd_dbuf *b; b = malloc(sizeof(*b), M_DEVBUF, M_WAITOK | M_ZERO); + refcount_init(&b->refcount, 1); snprintf(b->name, SNDBUF_NAMELEN, "%s:%s", drv, desc); b->dev = dev; b->channel = channel; @@ -56,8 +58,30 @@ sndbuf_create(device_t dev, char *drv, char *desc, struct pcm_channel *channel) void sndbuf_destroy(struct snd_dbuf *b) { - sndbuf_free(b); - free(b, M_DEVBUF); + b->flags |= SNDBUF_F_DETACHED; + sndbuf_rele(b); +} + +void +sndbuf_ref(struct snd_dbuf *b) +{ + unsigned int count __diagused; + + CHN_LOCK(b->channel); + count = refcount_acquire(&b->refcount); + KASSERT(count > 0, ("sndbuf %p refcount 0", b)); + CHN_UNLOCK(b->channel); +} + +void +sndbuf_rele(struct snd_dbuf *b) +{ + if (refcount_release(&b->refcount)) { + sndbuf_free(b); + KASSERT(refcount_load(&b->refcount) == 0, + ("sndbuf %p still referenced", b)); + free(b, M_DEVBUF); + } } bus_addr_t @@ -183,6 +207,11 @@ sndbuf_resize(struct snd_dbuf *b, unsigned int blkcnt, unsigned int blksz) if (bufsize > b->allocsize || bufsize < (b->allocsize >> SNDBUF_CACHE_SHIFT)) { + if (refcount_load(&b->refcount) > 1 || + (b->flags & SNDBUF_F_DETACHED) != 0) { + CHN_UNLOCK(b->channel); + return (EBUSY); + } allocsize = round_page(bufsize); CHN_UNLOCK(b->channel); tmpbuf = malloc(allocsize, M_DEVBUF, M_WAITOK); @@ -218,10 +247,15 @@ sndbuf_remalloc(struct snd_dbuf *b, unsigned int blkcnt, unsigned int blksz) if (blkcnt < 2 || blksz < 16) return EINVAL; + CHN_LOCKASSERT(b->channel); + bufsize = blksz * blkcnt; if (bufsize > b->allocsize || bufsize < (b->allocsize >> SNDBUF_CACHE_SHIFT)) { + if (refcount_load(&b->refcount) > 1 || + (b->flags & SNDBUF_F_DETACHED) != 0) + return (EBUSY); allocsize = round_page(bufsize); CHN_UNLOCK(b->channel); buf = malloc(allocsize, M_DEVBUF, M_WAITOK); diff --git a/sys/dev/sound/pcm/buffer.h b/sys/dev/sound/pcm/buffer.h index ddf4083ec19f..99bc6c0611d2 100644 --- a/sys/dev/sound/pcm/buffer.h +++ b/sys/dev/sound/pcm/buffer.h @@ -27,6 +27,7 @@ */ #define SNDBUF_F_MANAGED 0x00000008 +#define SNDBUF_F_DETACHED 0x00000010 #define SNDBUF_NAMELEN 48 @@ -50,6 +51,7 @@ struct snd_dbuf { bus_dma_tag_t dmatag; bus_addr_t buf_addr; int dmaflags; + unsigned int refcount; struct selinfo sel; struct pcm_channel *channel; char name[SNDBUF_NAMELEN]; @@ -57,6 +59,8 @@ struct snd_dbuf { struct snd_dbuf *sndbuf_create(device_t dev, char *drv, char *desc, struct pcm_channel *channel); void sndbuf_destroy(struct snd_dbuf *b); +void sndbuf_ref(struct snd_dbuf *b); +void sndbuf_rele(struct snd_dbuf *b); void sndbuf_dump(struct snd_dbuf *b, char *s, u_int32_t what); diff --git a/sys/dev/sound/pcm/dsp.c b/sys/dev/sound/pcm/dsp.c index 72bde9c1066f..01d848180eec 100644 --- a/sys/dev/sound/pcm/dsp.c +++ b/sys/dev/sound/pcm/dsp.c @@ -79,7 +79,6 @@ static d_read_t dsp_read; static d_write_t dsp_write; static d_ioctl_t dsp_ioctl; static d_poll_t dsp_poll; -static d_mmap_t dsp_mmap; static d_mmap_single_t dsp_mmap_single; struct cdevsw dsp_cdevsw = { @@ -89,7 +88,6 @@ struct cdevsw dsp_cdevsw = { .d_write = dsp_write, .d_ioctl = dsp_ioctl, .d_poll = dsp_poll, - .d_mmap = dsp_mmap, .d_mmap_single = dsp_mmap_single, .d_name = "dsp", }; @@ -1931,23 +1929,81 @@ dsp_poll(struct cdev *i_dev, int events, struct thread *td) return (ret); } +struct dsp_mmap_handle { + struct cdev *cdev; + struct snd_dbuf *buf; +}; + static int -dsp_mmap(struct cdev *i_dev, vm_ooffset_t offset, vm_paddr_t *paddr, - int nprot, vm_memattr_t *memattr) +dsp_dev_pager_ctor(void *handle, vm_ooffset_t size, vm_prot_t prot, + vm_ooffset_t foff, struct ucred *cred, u_short *color) { + struct dsp_mmap_handle *h = handle; - /* - * offset is in range due to checks in dsp_mmap_single(). - * XXX memattr is not honored. - */ - *paddr = vtophys(offset); + dev_ref(h->cdev); + sndbuf_ref(h->buf); return (0); } +static void +dsp_dev_pager_dtor(void *handle) +{ + struct dsp_mmap_handle *h = handle; + + sndbuf_rele(h->buf); + dev_rel(h->cdev); + free(h, M_DEVBUF); +} + +static int +dsp_dev_pager_fault(vm_object_t object, vm_ooffset_t offset, int prot, + vm_page_t *mres) +{ + struct dsp_mmap_handle *h = object->handle; + vm_page_t m; + uintptr_t addr; + vm_paddr_t paddr; + + addr = (uintptr_t)offset; + if (addr < (uintptr_t)h->buf->buf || + addr >= (uintptr_t)h->buf->buf + h->buf->allocsize) + return (VM_PAGER_ERROR); + paddr = vtophys((void *)addr); + + if (((*mres)->flags & PG_FICTITIOUS) != 0) { + m = *mres; + vm_page_updatefake(m, paddr, object->memattr); + } else { + VM_OBJECT_WUNLOCK(object); + m = vm_page_getfake(paddr, object->memattr); + VM_OBJECT_WLOCK(object); + vm_page_replace(m, object, (*mres)->pindex, *mres); + *mres = m; + } + m->valid = VM_PAGE_BITS_ALL; + return (VM_PAGER_OK); +} + +static void +dsp_dev_pager_path(void *handle, char *path, size_t len) +{ + struct dsp_mmap_handle *h = handle; + + dev_copyname(h->cdev, path, len); +} + +static const struct cdev_pager_ops dsp_dev_pager_ops = { + .cdev_pg_ctor = dsp_dev_pager_ctor, + .cdev_pg_dtor = dsp_dev_pager_dtor, + .cdev_pg_fault = dsp_dev_pager_fault, + .cdev_pg_path = dsp_dev_pager_path, +}; + static int -dsp_mmap_single(struct cdev *i_dev, vm_ooffset_t *offset, +dsp_mmap_single(struct cdev *cdev, vm_ooffset_t *offset, vm_size_t size, struct vm_object **object, int nprot) { + struct dsp_mmap_handle *handle; struct dsp_cdevpriv *priv; struct snddev_info *d; struct pcm_channel *wrch, *rdch, *c; @@ -2010,13 +2066,18 @@ dsp_mmap_single(struct cdev *i_dev, vm_ooffset_t *offset, *offset = (uintptr_t)sndbuf_getbufofs(c->bufsoft, *offset); dsp_unlock_chans(priv, FREAD | FWRITE); - *object = vm_pager_allocate(OBJT_DEVICE, i_dev, - size, nprot, *offset, curthread->td_ucred); + handle = malloc(sizeof(*handle), M_DEVBUF, M_WAITOK); + handle->cdev = cdev; + handle->buf = c->bufsoft; + *object = cdev_pager_allocate(handle, OBJT_DEVICE, &dsp_dev_pager_ops, + size, nprot, *offset, curthread->td_ucred); PCM_GIANT_LEAVE(d); + if (*object == NULL) { + free(handle, M_DEVBUF); + return (EINVAL); + } - if (*object == NULL) - return (EINVAL); return (0); } diff --git a/tests/sys/sound/mmap.c b/tests/sys/sound/mmap.c index ab203a39194c..f775c0f8da8a 100644 --- a/tests/sys/sound/mmap.c +++ b/tests/sys/sound/mmap.c @@ -4,12 +4,14 @@ * Copyright (c) 2026 The FreeBSD Foundation */ +#include #include #include #include #include #include +#include #include #define FMT_ERR(s) s ": %s", strerror(errno) @@ -43,9 +45,67 @@ ATF_TC_BODY(mmap_offset_overflow, tc) close(fd); } +/* + * Verify that a MAP_SHARED mapping of a DSP device's software buffer remains + * valid after the file descriptor is closed. + */ +ATF_TC(mmap_buffer_lifetime); +ATF_TC_HEAD(mmap_buffer_lifetime, tc) +{ + atf_tc_set_md_var(tc, "descr", "mmap data survives close()"); + atf_tc_set_md_var(tc, "require.kmods", "snd_dummy"); +} +ATF_TC_BODY(mmap_buffer_lifetime, tc) +{ + audio_buf_info abi; + uint8_t *buf; + size_t len; + int fd, arg; + + fd = open("/dev/dsp0", O_RDWR); + ATF_REQUIRE_MSG(fd >= 0, FMT_ERR("open")); + + arg = (2 << 16) | 14; /* 2*16KB */ + ATF_REQUIRE_MSG(ioctl(fd, SNDCTL_DSP_SETFRAGMENT, &arg) == 0, + FMT_ERR("SNDCTL_DSP_SETFRAGMENT")); + ATF_REQUIRE_MSG(ioctl(fd, SNDCTL_DSP_GETOSPACE, &abi) == 0, + FMT_ERR("SNDCTL_DSP_GETOSPACE")); + + len = abi.bytes; + ATF_REQUIRE_MSG(len >= PAGE_SIZE, "buffer too small: %zu", len); + + buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); + ATF_REQUIRE_MSG(buf != MAP_FAILED, FMT_ERR("mmap")); + + for (size_t i = 0; i < len; i++) { + ATF_REQUIRE_MSG(buf[i] == 0, + "mmap data corrupted at offset %zu: want 0 got 0x%02x", + i, buf[i]); + } + + memset(buf, 0xa5, len); + for (size_t i = 0; i < len; i++) { + ATF_REQUIRE_MSG(buf[i] == 0xa5, + "mmap data corrupted at offset %zu: want 0xa5 got 0x%02x", + i, buf[i]); + } + + ATF_REQUIRE(close(fd) == 0); + + /* Closing the device causes the buffer to be reset. */ + for (size_t i = 0; i < len; i++) { + ATF_REQUIRE_MSG(buf[i] == 0 || buf[i] == 0xa5, + "mmap data corrupted at offset %zu: got 0x%02x", i, buf[i]); + } + memset(buf, 0xa5, len); + + ATF_REQUIRE(munmap(buf, len) == 0); +} + ATF_TP_ADD_TCS(tp) { ATF_TP_ADD_TC(tp, mmap_offset_overflow); + ATF_TP_ADD_TC(tp, mmap_buffer_lifetime); return (atf_no_error()); } From nobody Tue Jun 9 19:19:47 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyX39Gsz6gVDp for ; Tue, 09 Jun 2026 19:19:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdyW6zVXz3QV3 for ; Tue, 09 Jun 2026 19:19:47 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032788; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Nadpof7yXtJPB3wF198n1IVGg4EAYZAfIvWtqfOajfw=; b=qh4yOXWIu1XKe0EDKBMpwcil175Pbb1rINdQ9XdioZTyvZHBdGuqfwTS2H0gSFM79hA4gt EmeclXf4yxjg+W1yotjgYSB01qcnOAl8/DdbuN8atYh4MYz+ZlPRUmjsigLnKDobNSvJOe byraBej6/mxkzS90ev4DGtqQWvC+iL8sMrtecKjx+rarcbbj0vprI+RbMimSQs586g0PU5 oK4xpRRqpbgwIGOVtY6BQEsmYUxq7vd6p0BJb52mLi9nxCcLUualQCHN0+IGGhbITce3uR 7lsj99e98Br67zwRq9PFRmZCvO9fmZym8bvYztyV17mJSsNOmFudoeu5MGK+Yw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032788; a=rsa-sha256; cv=none; b=lTIGmChJ+AVEKZlE0IHwruXxCVJkiwDdYbMx8N83BasEJp1NnWCuZ7IedGKDD19/aDMqYn iHXwmxgYyqWI24dDGt4MqdIARTxkKEBlTdQrfyWI93if9sSDcz2g7YuSWq03BRrYEmzwtc nccSqwQOge8yVkmfreD4CG+ErC8quEdIUHGnFnVENX5uIhL+wuLtQbpQr8WwFm5cMPsEhG IJqoKaeGEpngpPojMfBMVCMoupRwh5ev8ZbvAj8BfbyWHV4sASo6CxGv+Rdcixtufh42Jo w/HSHIRJAwXpfvrRQKQlS19Y8Fw0ywHdfvtRH0u2UwjX3NokEx4l35tMRKUzTQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032788; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Nadpof7yXtJPB3wF198n1IVGg4EAYZAfIvWtqfOajfw=; b=EBf3TwR9qm0wwYEA0g76sINMMPbOpySeN/oI8sHpRE2VhbO8JIQ5KZJGgK4pnM+asZA44D og9p6iOoNMmYfejGsONhNBoYhvL+LC7mhJdZ2abCu38pz1yhrkBKQ4G5lqulKJrNTlZn7N 5UUX9xIeqQoMjzW0oSFJFJQFU6kmAg2M3VQEcGp6Vp+cOZDIbF+aW6PUZyy8J/XPLGGzYu aFJlR980HXvnOquL8LFtrR6i8sqi7lwaJThQDb1qR80VzAeKEvFgVfDle6QtNaeTrcmy/2 AiifCOLB6sXckp/a4iOKWC7yUZgo7VE1FXCqdlKxf7s9bj/Ehc/waXCtUjtLcg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyW6XjkzntS for ; Tue, 09 Jun 2026 19:19:47 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e792 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:47 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: ed4692b8226e - releng/15.0 - in6_mcast: Fix a race in in6p_set_source_filter() List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.0 X-Git-Reftype: branch X-Git-Commit: ed4692b8226e81e03d1cf43ed4fa8ee311c9b851 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:47 +0000 Message-Id: <6a286753.3e792.6cfd3013@gitrepo.freebsd.org> The branch releng/15.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=ed4692b8226e81e03d1cf43ed4fa8ee311c9b851 commit ed4692b8226e81e03d1cf43ed4fa8ee311c9b851 Author: Mark Johnston AuthorDate: 2026-05-29 20:12:24 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 15:39:32 +0000 in6_mcast: Fix a race in in6p_set_source_filter() We drop the inpcb lock in order to copy in the source list, but this leaves a window where the multicast filter structure might be freed. This can be exploited to obtain root privileges. In the v4 code this race is mitigated by holding the global multicast lock across the gap. Restructure the code to copy in filters before doing anything else, so that there's no need to drop the inpcb lock and reason about the correctness of doing so. Do the same in the v4 code for consistency. Approved by: so Security: FreeBSD-SA-26:29.ip6_multicast Security: CVE-2026-49412 Reported by: Andrew Griffiths Reported by: Maik Münch Reviewed by: glebius Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57347 --- sys/netinet/in_mcast.c | 39 +++++++++++++++++---------------------- sys/netinet6/in6_mcast.c | 41 +++++++++++++++++++---------------------- 2 files changed, 36 insertions(+), 44 deletions(-) diff --git a/sys/netinet/in_mcast.c b/sys/netinet/in_mcast.c index f5b20c49ffd2..43fa96616c70 100644 --- a/sys/netinet/in_mcast.c +++ b/sys/netinet/in_mcast.c @@ -2523,6 +2523,7 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) { struct epoch_tracker et; struct __msfilterreq msfr; + struct sockaddr_storage *kss; sockunion_t *gsa; struct ifnet *ifp; struct in_mfilter *imf; @@ -2535,9 +2536,6 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (error) return (error); - if (msfr.msfr_nsrcs > in_mcast_maxsocksrc) - return (ENOBUFS); - if ((msfr.msfr_fmode != MCAST_EXCLUDE && msfr.msfr_fmode != MCAST_INCLUDE)) return (EINVAL); @@ -2550,13 +2548,24 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (!IN_MULTICAST(ntohl(gsa->sin.sin_addr.s_addr))) return (EINVAL); + if (msfr.msfr_nsrcs > in_mcast_maxsocksrc) + return (ENOBUFS); + kss = mallocarray(msfr.msfr_nsrcs, sizeof(struct sockaddr_storage), + M_TEMP, M_WAITOK); + error = copyin(msfr.msfr_srcs, kss, + sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs); + if (error) + goto out_inp_unlocked; + gsa->sin.sin_port = 0; /* ignore port */ NET_EPOCH_ENTER(et); ifp = ifnet_byindex(msfr.msfr_ifindex); NET_EPOCH_EXIT(et); /* XXXGL: unsafe ifp */ - if (ifp == NULL) - return (EADDRNOTAVAIL); + if (ifp == NULL) { + error = EADDRNOTAVAIL; + goto out_inp_unlocked; + } IN_MULTI_LOCK(); @@ -2588,24 +2597,9 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (msfr.msfr_nsrcs > 0) { struct in_msource *lims; struct sockaddr_in *psin; - struct sockaddr_storage *kss, *pkss; + struct sockaddr_storage *pkss; int i; - INP_WUNLOCK(inp); - - CTR2(KTR_IGMPV3, "%s: loading %lu source list entries", - __func__, (unsigned long)msfr.msfr_nsrcs); - kss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, - M_TEMP, M_WAITOK); - error = copyin(msfr.msfr_srcs, kss, - sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs); - if (error) { - free(kss, M_TEMP); - return (error); - } - - INP_WLOCK(inp); - /* * Mark all source filters as UNDEFINED at t1. * Restore new group filter mode, as imf_leave() @@ -2640,7 +2634,6 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) break; lims->imsl_st[1] = imf->imf_st[1]; } - free(kss, M_TEMP); } if (error) @@ -2677,6 +2670,8 @@ out_imf_rollback: out_inp_locked: INP_WUNLOCK(inp); IN_MULTI_UNLOCK(); +out_inp_unlocked: + free(kss, M_TEMP); return (error); } diff --git a/sys/netinet6/in6_mcast.c b/sys/netinet6/in6_mcast.c index a6186568ecb2..4ec9f36cd9ac 100644 --- a/sys/netinet6/in6_mcast.c +++ b/sys/netinet6/in6_mcast.c @@ -2489,6 +2489,7 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) { struct __msfilterreq msfr; struct epoch_tracker et; + struct sockaddr_storage *kss; sockunion_t *gsa; struct ifnet *ifp; struct in6_mfilter *imf; @@ -2501,9 +2502,6 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (error) return (error); - if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc) - return (ENOBUFS); - if (msfr.msfr_fmode != MCAST_EXCLUDE && msfr.msfr_fmode != MCAST_INCLUDE) return (EINVAL); @@ -2516,19 +2514,31 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (!IN6_IS_ADDR_MULTICAST(&gsa->sin6.sin6_addr)) return (EINVAL); + if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc) + return (ENOBUFS); + kss = mallocarray(msfr.msfr_nsrcs, sizeof(struct sockaddr_storage), + M_TEMP, M_WAITOK); + error = copyin(msfr.msfr_srcs, kss, + sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs); + if (error) + goto out_in6p_unlocked; + gsa->sin6.sin6_port = 0; /* ignore port */ NET_EPOCH_ENTER(et); ifp = ifnet_byindex(msfr.msfr_ifindex); NET_EPOCH_EXIT(et); - if (ifp == NULL) - return (EADDRNOTAVAIL); + if (ifp == NULL) { + error = EADDRNOTAVAIL; + goto out_in6p_unlocked; + } (void)in6_setscope(&gsa->sin6.sin6_addr, ifp, NULL); /* * Take the INP write lock. * Check if this socket is a member of this group. */ + IN6_MULTI_LOCK(); imo = in6p_findmoptions(inp); imf = im6o_match_group(imo, ifp, &gsa->sa); if (imf == NULL) { @@ -2553,24 +2563,9 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (msfr.msfr_nsrcs > 0) { struct in6_msource *lims; struct sockaddr_in6 *psin; - struct sockaddr_storage *kss, *pkss; + struct sockaddr_storage *pkss; int i; - INP_WUNLOCK(inp); - - CTR2(KTR_MLD, "%s: loading %lu source list entries", - __func__, (unsigned long)msfr.msfr_nsrcs); - kss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, - M_TEMP, M_WAITOK); - error = copyin(msfr.msfr_srcs, kss, - sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs); - if (error) { - free(kss, M_TEMP); - return (error); - } - - INP_WLOCK(inp); - /* * Mark all source filters as UNDEFINED at t1. * Restore new group filter mode, as im6f_leave() @@ -2615,7 +2610,6 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) break; lims->im6sl_st[1] = imf->im6f_st[1]; } - free(kss, M_TEMP); } if (error) @@ -2650,6 +2644,9 @@ out_im6f_rollback: out_in6p_locked: INP_WUNLOCK(inp); + IN6_MULTI_UNLOCK(); +out_in6p_unlocked: + free(kss, M_TEMP); return (error); } From nobody Tue Jun 9 19:19:46 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyW5sHVz6gVM4 for ; Tue, 09 Jun 2026 19:19:47 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdyW0GxZz3QRQ for ; Tue, 09 Jun 2026 19:19:47 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032787; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=s9RTQwBJ6FsaW2fr6jvOlm6xuyZ+0iZPP8FrcwdTnio=; b=D8itYSdyWX2MBCzbNcI0i0ilmp7dIutOxSpqSj3xFvHgBRh+OoeQdbslx9uvp76ywrS3Xr CFbItL6AcpYH1bT+WOWTs1BnJanIZdNVtG/YSLtnoJdnz78GWyaAYJ3DKU5iMJBpLb+GwS 7HqQy+4SQ3NjvI7i0ua69HQyxdGVpD/5fZXvkY8GUHMKdcdiwzg9wAGRhktBJ/SzxbEagK MBlrwBn7yIGYlEvGqBW6YiPj++Zjz1nJkp+twHPNEu4MWxIthYYyHWSuMXzzzhxZdMM44F xvlohAlT6rLPgNdZYuYOK0pWMUZoBV+XjqTspJwZ0C2Yj4immAgxAqNm2QqLfw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032787; a=rsa-sha256; cv=none; b=G8UgulaarshDGBe5pNgkwF8wnuzx2MUrzQMDa+z2anO12wJe+C2U37DlEgIdsuw/TlZ3tP /+LCWvfblewzg/zZQ/Ls5vfVlizwOMD9+xwvh9CgA0Z65he9FENh13FVNzxUdm/Ctyp1cd zHocXKA/MaOYvY/j0nKNK1Gl4g7EkF/taaXuJkDoeFDh0jlNmsvGV9U45QO82EbgqThnXU h4nuA4/LkzVvsfIVhrdceCatoA/SbDvYtnddR0YMXVi6IttxjBVi92t1IzOAmltH4KL+8Q Us/gseP7rxNLA6mCmvAdVIwKlRWDB67hcgoy4VUd0nvH90vtoAVjQnDspfdU7Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032787; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=s9RTQwBJ6FsaW2fr6jvOlm6xuyZ+0iZPP8FrcwdTnio=; b=yPJw7gLisd5hAJkkvqcQalx6P5T13C9pD4ovpBkSEIdmHAQLoeGm3Ke1H4WUDTyHqMcY+X 6yaMCTMFBYum0K/fSZoHDKHdZ1xaearwvIVy2ciuC+38gV48+17+Wrcq6y4x43yTJCH0Ar Hklrsn1oFRgUAspjrTDREHU3OWGg8N7u05Ddzb9EDwUGVjXpe8LrSv/CBNLX6itgwQYAwZ ujCiw7uPjtpnSTppzpApeQPsQ27uo0weBWedIhwh96UdGjT0RLvIHcz9uQ3uIoge0PiQRw JMqqfPXglnnSz8UvPIoTQYEfndjATFGe+lXiflqQEINMZt09WzLlh3N/4ZRgkg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyV63xlznwC for ; Tue, 09 Jun 2026 19:19:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3dab5 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:46 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Ed Maste From: Mark Johnston Subject: git: 77ee83d12625 - releng/15.0 - sigqueue: In capability mode, only allow signalling self List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.0 X-Git-Reftype: branch X-Git-Commit: 77ee83d12625fea81a278d53cc621c610c353955 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:46 +0000 Message-Id: <6a286752.3dab5.18213e15@gitrepo.freebsd.org> The branch releng/15.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=77ee83d12625fea81a278d53cc621c610c353955 commit 77ee83d12625fea81a278d53cc621c610c353955 Author: Ed Maste AuthorDate: 2026-05-26 13:24:36 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 15:39:32 +0000 sigqueue: In capability mode, only allow signalling self This is copied from the check in kern_kill. Approved by: so Security: FreeBSD-SA-26:28.capsicum Security: CVE-2026-45259 Reviewed by: markj, oshogbo Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57244 (cherry picked from commit b9d16b7fd2fa6bc4b3e8364804cbdc1b76ebe8a5) (cherry picked from commit defd9b86ef995ce70363eae9b323d616bda865be) --- contrib/capsicum-test/capmode.cc | 12 +++++++++--- sys/kern/kern_sig.c | 10 ++++++++++ 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/contrib/capsicum-test/capmode.cc b/contrib/capsicum-test/capmode.cc index 5ff025290211..d2eb1e8633a8 100644 --- a/contrib/capsicum-test/capmode.cc +++ b/contrib/capsicum-test/capmode.cc @@ -746,8 +746,8 @@ FORK_TEST(Capmode, NewThread) { close(thread_pipe[1]); } -static volatile sig_atomic_t had_signal = 0; -static void handle_signal(int) { had_signal = 1; } +static volatile sig_atomic_t signal_cnt = 0; +static void handle_signal(int) { signal_cnt++; } FORK_TEST(Capmode, SelfKill) { pid_t me = getpid(); @@ -765,7 +765,13 @@ FORK_TEST(Capmode, SelfKill) { // Can only kill(2) to own pid. EXPECT_CAPMODE(kill(child, SIGUSR1)); EXPECT_OK(kill(me, SIGUSR1)); - EXPECT_EQ(1, had_signal); + EXPECT_EQ(1, signal_cnt); + + union sigval sv; + sv.sival_int = 0x1234; + EXPECT_CAPMODE(sigqueue(child, SIGUSR1, sv)); + EXPECT_OK(sigqueue(me, SIGUSR1, sv)); + EXPECT_EQ(2, signal_cnt); signal(SIGUSR1, original); } diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c index 1eac5cc2993f..40da0a79b810 100644 --- a/sys/kern/kern_sig.c +++ b/sys/kern/kern_sig.c @@ -2037,6 +2037,16 @@ kern_sigqueue(struct thread *td, pid_t pid, int signumf, union sigval *value) if (pid <= 0) return (EINVAL); + /* + * A process in capability mode can send signals only to itself. + */ + if (pid != td->td_proc->p_pid) { + if (CAP_TRACING(td)) + ktrcapfail(CAPFAIL_SIGNAL, &signum); + if (IN_CAPABILITY_MODE(td)) + return (ECAPMODE); + } + if ((signumf & __SIGQUEUE_TID) == 0) { if ((p = pfind_any(pid)) == NULL) return (ESRCH); From nobody Tue Jun 9 19:19:50 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyZ5rlwz6gVRv for ; Tue, 09 Jun 2026 19:19:50 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdyZ1JN2z3QgV for ; Tue, 09 Jun 2026 19:19:50 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032790; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=UYcX+tp0kc+wwhsVP28q+KjaT5OtZzBHlfoDHxfoFGQ=; b=NPNgkPK3fDLQVcJYoGd+azQlZybMyK3rEvEBgKOd0nReHofv4NgRhWBV6m0vfmITtFFx/q tEcQPDeeFMuE9cJYiINC5l2RW9ZVkOu0w8bMTIj55f8mihRrfL259C3BdC0xo8Q1LPKaHf XTVm1F2HdjXisnf9i9QlsENTPj9po3q/nmQIPx9l4WPgiLiFQeYSLAQm8IYVJRvBnqERig zdTIDdhjxeR4aLOzPx9+kkFzWI49jj8YRFiVncgYZMMe4dO/QN99kUqrR+y0woHHiCRSa+ D16IlDNuezxZlkxSzwnNcN0C0LFPM4HhxGVI0/vIutO9J6O5fD7vgD4TQujGyQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032790; a=rsa-sha256; cv=none; b=vh2EfAduqA+bOx3n7nCMrLH2jBl4jm98Et8G/KeIEtCU6/edb1UF4X9wpTNcP61DSUd1gz B+yy5o4XwfuWfm9dUf9iSz3LDpG4ggB+NVXXVx7ge4a7CeWJpguRH4yZOpoEVeH2N9wtzP 7JHLKjImjo5ULBZd9m+2j1EYxMxCH4VmR5TZ4/yd/Av2lL4uLwHRmlfamraxTQJCAarTxD 4WgTU77qp+uRt6mJ2h+BV4LcGJ/DelLYeUCD8K6nw0oOO9cVTfFgJfy23pj9lNI6n5HP3P nYvMNtD6hOP1JlTSK5Qt3XijMheb0R2TEz20gFUVwq8yoY8EabK9ucXX69fM6g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032790; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=UYcX+tp0kc+wwhsVP28q+KjaT5OtZzBHlfoDHxfoFGQ=; b=nczaFCjKIU1Hvhs4BNWIbqaIjXZvz5BnPiuuCPzevV8X3gzXc+kv6iCIOmZqDD1PCbutAv NB59md/HxheWXV0mbD5eq120mYE0IxmpMMNnaQy/Weq8HITlk83hR6i5DuQ+y7cznD3gz/ jGgVyOTQLfEeIuax02VxOI2gg3QQFLOuKPCn2nTkmYH0czAFWOGM2Gq8/ZStles5nkkAQ3 JFimJT/whhDIe76hwUYY82mRutpuAQd5A1wYvxEotyvqbpfIgyTzIFUM/xdpXtz61kIrpJ 58AcAFoRUat8oXdYzOtfZoJ+24jlJiGiKYvxuOsol548DcEHCA4AX/QFI+2y+g== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyZ0npXzny7 for ; Tue, 09 Jun 2026 19:19:50 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3d549 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:50 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Andrew Turner From: Mark Johnston Subject: git: a53619675cdc - releng/15.0 - arm64: Workaround the following errata List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.0 X-Git-Reftype: branch X-Git-Commit: a53619675cdcdf495baf6c0f9932bb71ee7a733f Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:50 +0000 Message-Id: <6a286756.3d549.bd6792@gitrepo.freebsd.org> The branch releng/15.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=a53619675cdcdf495baf6c0f9932bb71ee7a733f commit a53619675cdcdf495baf6c0f9932bb71ee7a733f Author: Andrew Turner AuthorDate: 2026-05-28 09:25:30 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 15:39:32 +0000 arm64: Workaround the following errata - ARM C1-Premium erratum 4193780 - ARM C1-Ultra erratum 4193780 - ARM Cortex-A76 erratum 4193800 - ARM Cortex-A76AE erratum 4193801 - ARM Cortex-A77 erratum 4193798 - ARM Cortex-A78 erratum 4193791 - ARM Cortex-A78AE erratum 4193793 - ARM Cortex-A78C erratum 4193794 - ARM Cortex-A710 erratum 4193788 - ARM Cortex-X1 erratum 4193791 - ARM Cortex-X1C erratum 4193792 - ARM Cortex-X2 erratum 4193788 - ARM Cortex-X3 erratum 4193786 - ARM Cortex-X4 erratum 4118414 - ARM Cortex-X925 erratum 4193781 - ARM Neoverse-N1 erratum 4193800 - ARM Neoverse-N2 erratum 4193789 - ARM Neoverse-V1 erratum 4193790 - ARM Neoverse-V2 erratum 4193787 - ARM Neoverse-V3 erratum 4193784 - ARM Neoverse-V3AE erratum 4193784 These are all variants on an erratum where TLBI+DSB instructions on one CPU may incorrectly complete early leading to stores to an updated address using an incorrect translation on another CPU. In all cases the workaround is to add a second TLBI+DSB. Approved by: so Security: FreeBSD-SA-26:31.arm64 Security: CVE-2025-10263 Sponsored by: Arm Ltd --- sys/arm64/arm64/pmap.c | 60 ++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 51 insertions(+), 9 deletions(-) diff --git a/sys/arm64/arm64/pmap.c b/sys/arm64/arm64/pmap.c index dbf5c820d20b..7465c4193854 100644 --- a/sys/arm64/arm64/pmap.c +++ b/sys/arm64/arm64/pmap.c @@ -1729,20 +1729,62 @@ static cpu_feat_en pmap_multiple_tlbi_check(const struct cpu_feat *feat __unused, u_int midr) { /* - * Cortex-A55 erratum 2441007 (Cat B rare) + * ARM C1-Premium erratum 4193780 + * ARM C1-Ultra erratum 4193780 + * ARM Cortex-A76 erratum 4193800 + * ARM Cortex-A76AE erratum 4193801 + * ARM Cortex-A77 erratum 4193798 + * ARM Cortex-A78 erratum 4193791 + * ARM Cortex-A78AE erratum 4193793 + * ARM Cortex-A78C erratum 4193794 + * ARM Cortex-A710 erratum 4193788 + * ARM Cortex-X1 erratum 4193791 + * ARM Cortex-X1C erratum 4193792 + * ARM Cortex-X2 erratum 4193788 + * ARM Cortex-X3 erratum 4193786 + * ARM Cortex-X4 erratum 4118414 + * ARM Cortex-X925 erratum 4193781 + * ARM Neoverse-N1 erratum 4193800 + * ARM Neoverse-N2 erratum 4193789 + * ARM Neoverse-V1 erratum 4193790 + * ARM Neoverse-V2 erratum 4193787 + * ARM Neoverse-V3 erratum 4193784 + * ARM Neoverse-V3AE erratum 4193784 * Present in all revisions */ - if (CPU_IMPL(midr) == CPU_IMPL_ARM && - CPU_PART(midr) == CPU_PART_CORTEX_A55) - return (FEAT_DEFAULT_DISABLE); + if (CPU_IMPL(midr) == CPU_IMPL_ARM) { + switch(CPU_PART(midr)) { + case CPU_PART_C1_PREMIUM: + case CPU_PART_C1_ULTRA: + case CPU_PART_CORTEX_A76: + case CPU_PART_CORTEX_A76AE: + case CPU_PART_CORTEX_A77: + case CPU_PART_CORTEX_A78: + case CPU_PART_CORTEX_A78AE: + case CPU_PART_CORTEX_A78C: + case CPU_PART_CORTEX_A710: + case CPU_PART_CORTEX_X1: + case CPU_PART_CORTEX_X1C: + case CPU_PART_CORTEX_X2: + case CPU_PART_CORTEX_X3: + case CPU_PART_CORTEX_X4: + case CPU_PART_CORTEX_X925: + case CPU_PART_NEOVERSE_N1: + case CPU_PART_NEOVERSE_N2: + case CPU_PART_NEOVERSE_V1: + case CPU_PART_NEOVERSE_V2: + case CPU_PART_NEOVERSE_V3: + case CPU_PART_NEOVERSE_V3AE: + return (FEAT_DEFAULT_ENABLE); + } + } /* - * Cortex-A76 erratum 1286807 (Cat B rare) - * Present in r0p0 - r3p0 - * Fixed in r3p1 + * Cortex-A55 erratum 2441007 (Cat B rare) + * Present in all revisions */ - if (midr_check_var_part_range(midr, CPU_IMPL_ARM, CPU_PART_CORTEX_A76, - 0, 0, 3, 0)) + if (CPU_IMPL(midr) == CPU_IMPL_ARM && + CPU_PART(midr) == CPU_PART_CORTEX_A55) return (FEAT_DEFAULT_DISABLE); /* From nobody Tue Jun 9 19:19:48 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyY3sQVz6gVKY for ; Tue, 09 Jun 2026 19:19:49 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdyY0Wkfz3QgS for ; Tue, 09 Jun 2026 19:19:49 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032789; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=K1GvGY4pc3c6MoctBvXO6tK13LShIugISATqv1qvEyY=; b=OoyGa92pfuJCP0/z0zY8uvjIXjtRpsB6rJnac2X02C1jmn4btsKmJL5dxEqbH37cu0M+bB ZfYqh9qCMJLcMC7GFYGWr8a3k/SJzilwg0KM4fuUfvzAx4BgU1aWSRcemFccNQp9W0QDMX kxVZQt5b5yhYUu7vjhgR9EUZU6KweQOB624tKb25AdV13NYye8rMdiLXzYsTXKnuXha54k tcZ5nc5psvHS5KnUw6JsvIloFS9fkIYnSqt+yGmQ+GA3G+bU0XvqJq4UWqgHPjZbDxSR4E XKCh11+9F1b1uaMTAnxdeFAYzdqaNSsIvG3wSUjsbm1gMptK+lIcd9AGDDKvAw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032789; a=rsa-sha256; cv=none; b=WlYmGjCywwHPv6+osEcvSb2/hAmYBVaLcTnaqmGLK8LR2NfB9heucPcfWxr7DoP1nbAgC1 fC1fdZ66wY9us37JYIlxsfwZ5+7mmonLIjNYlr9Pm38uLa163AqW8zb2IYhFlB9C3s3OcM Dl6eOz8Q71o+rrXWxs+DOd7HipXEwxh0605XsM3HNj4nebEyNjRpdAe2ztIIHX+H2MyoLd 0iqE3AMwTelpwEDlFC1t2GbBfKBzC/ifZREU26eLjQnCrNprnVtz16DjsJCTiICKtQPimm cGYa5A51yteIFHaqWd8ESgdkH9eYluI9b8ctD/RTs3JfzZ4CEAGS7SPmZZiG4w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032789; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=K1GvGY4pc3c6MoctBvXO6tK13LShIugISATqv1qvEyY=; b=IoygGGd4Py5PstS40IaShkFgS4iLSWUOrd2NnSKhhqC6dtIyBXIkQI1vW9xwMo2BWaivHy MCsFy/+zbTl27+byZmzE6x2MvTMLitkpV1KBH+9j4sXom/CWxyYInQleAptkVyQbD4+16s BkHrWfy3WrlluaHofPaZaVyXAnWFCP2GRxXuCp8Kgv5P5bExvOoqQzZ0vqhUDQJsylg+68 KcKwtlmmr6H2I78ARO7o81DAeNKqrPz/QGw29j0FKMXZyPngair9+JtFVhyh0HkpyW5zgH QZzMHZTjKcfWYGAhXrYHgbsk8Ltkl6VnVUo1Odd7zRC0074znJ53mO/pEPyXcw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyX71CpznwF for ; Tue, 09 Jun 2026 19:19:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3f428 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:48 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 0b18ec59972b - releng/15.0 - linux: Correct the issetugid check in copyout_auxargs List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.0 X-Git-Reftype: branch X-Git-Commit: 0b18ec59972b1c378e1a092f5abc6bc03f614123 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:48 +0000 Message-Id: <6a286754.3f428.18db784a@gitrepo.freebsd.org> The branch releng/15.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=0b18ec59972b1c378e1a092f5abc6bc03f614123 commit 0b18ec59972b1c378e1a092f5abc6bc03f614123 Author: Mark Johnston AuthorDate: 2026-05-29 21:41:35 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 15:39:32 +0000 linux: Correct the issetugid check in copyout_auxargs The runtime linker in glibc relies on the AT_SECURE auxv entry to know whether the executable is set-ugid, if so then various dangerous functionality such as LD_PRELOAD is disabled. The check added in commit 669414e4fb74 failed to take into account the fact that during execve, P_SUGID may not yet be set for a set-ugid process. Correct the test. Approved by: so Security: FreeBSD-SA-26:30.linux Security: CVE-2026-49413 Reported by: Minseong Kim Fixes: 669414e4fb74 ("Implement AT_SECURE properly.") Reviewed by: kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57350 --- sys/compat/linux/linux_elf.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/sys/compat/linux/linux_elf.c b/sys/compat/linux/linux_elf.c index c9eb6aea8373..6c9f785c97e7 100644 --- a/sys/compat/linux/linux_elf.c +++ b/sys/compat/linux/linux_elf.c @@ -492,11 +492,9 @@ __linuxN(copyout_auxargs)(struct image_params *imgp, uintptr_t base) struct thread *td = curthread; Elf_Auxargs *args; Elf_Auxinfo *aarray, *pos; - struct proc *p; int error, issetugid; - p = imgp->proc; - issetugid = p->p_flag & P_SUGID ? 1 : 0; + issetugid = imgp->credential_setid ? 1 : 0; args = imgp->auxargs; aarray = pos = malloc(LINUX_AT_COUNT * sizeof(*pos), M_TEMP, M_WAITOK | M_ZERO); From nobody Tue Jun 9 19:19:51 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyb4xQFz6gVXD for ; Tue, 09 Jun 2026 19:19:51 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdyb2DBbz3QbG for ; Tue, 09 Jun 2026 19:19:51 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032791; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=zFBfl2p6tMgJCJdr/ogrQ3A4+DICKXUhTk3r9nQkAbE=; b=MuZKQra8eHMCJ0igDb/74itPbSfH5L5I/fV9jmiFPA8CPFeiSRQi7B4IrnSA+49LZ0xf/l JuEmv8NERRHtxEFHcAIqlgaz3Ex4BROyVPfWRS7f3BPSabVeJbEu10DUVB9L/x9Z4dl3U3 7ac3i5wfhbfSPvUoBGSfQuJE+bzlyAfmTGnqMh4uemCgsr9ZcCUhQg2G+6sIvUhdiuCoG1 dwKKJJ6riQIBB3EkrmNjDTzh5cg+gpc9bOGkhENNyDlwfheHqELeixrnRJj6O1jUqq4rZ0 Lwq/WgKQOe95jlXceMbKf83eg+huLg1n2vuVzrTF2nuOfK42rpRlX8+m9JXe2Q== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032791; a=rsa-sha256; cv=none; b=UODAxjuuMulWi3iyTO0PIlzcUDYKqRRCW6R9g75v8xasRvZuCyWlFJFXYHv5esWQjJTnwB D1WJPc/viS6iKeLrIaYWlQEC8ek3h7lzXRnXGt0UFcCzUZQi/U8WBDFCnyGQ5ZOydl2AXv kZpUbPKs/CSrxn+NKWVr6Vtus9tN1lHbnDs8x6pHwWa5NCcGrL5OyooqK18Ya0jGu6laqJ jtlbkbxuWwx0QpJckT9Bk1+PlqeREyZC8D/BxNCLa+A/DJMC3EwNg4Ue7Uh87P7xQsfBur sx/NjhQUmqarGdBYwxnJ84Yc1BI2qXnMel8xAi/ypybeyBonm74ggsJ1Iw00OQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032791; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=zFBfl2p6tMgJCJdr/ogrQ3A4+DICKXUhTk3r9nQkAbE=; b=TymgkzA+Mk34/5vG7ItQ/32QqQjd632uawvRL90Fmv6yJsaUzgexcLxAVaeH6Bp7Meoieb oDvuJP09K+VuzXrSJIyyfTlPhQGBf0a8CxT7x7ZNeWsYxXgKJzlNZM0fvTdTJ+ONfu7W5p +zs5YKTzVTia7C5C/AQXOcP2ZeIiRErpaN68IpvYthXsHBHp/P1ii6wbMqcFQwsX2jCVlw XBc9FHotvXLxt5WX/Jjmzc0iNTgPAOE5RWKsP9f1uS715BSha5iUO4vLu2a6sSA+qQ3pdt gH9rzmTKcbdNeLR/SferR3qfpml9h35DBWo4pJAWrfhU2wU7Sgi0murYerMjqw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyb1lyzznl4 for ; Tue, 09 Jun 2026 19:19:51 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3c8e5 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:51 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 6e51dfc401e7 - releng/15.0 - imgact_elf: Clear no-ASLR and -WXORX flags earlier for setugid images List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.0 X-Git-Reftype: branch X-Git-Commit: 6e51dfc401e73efbdfab14885317fde8ff8f21ce Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:51 +0000 Message-Id: <6a286757.3c8e5.7aac7f0a@gitrepo.freebsd.org> The branch releng/15.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=6e51dfc401e73efbdfab14885317fde8ff8f21ce commit 6e51dfc401e73efbdfab14885317fde8ff8f21ce Author: Mark Johnston AuthorDate: 2026-06-02 20:29:00 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 15:39:32 +0000 imgact_elf: Clear no-ASLR and -WXORX flags earlier for setugid images Otherwise an unprivileged user can disable randomization of the base address for PIEs even if they are setugid. Add a regression test. Approved by: so Security: FreeBSD-SA-26:32.elf Security: CVE-2026-49414 Reported by: David Berard Reviewed by: kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57397 --- sys/kern/imgact_elf.c | 55 ++++++++--------- tests/sys/kern/Makefile | 2 + tests/sys/kern/aslr.c | 157 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 187 insertions(+), 27 deletions(-) diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c index bc4fcad6c61b..ca5066c634f8 100644 --- a/sys/kern/imgact_elf.c +++ b/sys/kern/imgact_elf.c @@ -1241,11 +1241,39 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) error = ENOEXEC; goto ret; } + + /* + * Avoid a possible deadlock if the current address space is destroyed + * and that address space maps the locked vnode. In the common case, + * the locked vnode's v_usecount is decremented but remains greater + * than zero. Consequently, the vnode lock is not needed by vrele(). + * However, in cases where the vnode lock is external, such as nullfs, + * v_usecount may become zero. + * + * The VV_TEXT flag prevents modifications to the executable while + * the vnode is unlocked. + */ + VOP_UNLOCK(imgp->vp); + + /* + * Decide whether to enable randomization of user mappings. First, + * reset user preferences for the setid binaries. Then, account for the + * support of randomization by the ABI, by user preferences, and make + * special treatment for PIE binaries. + */ + if (imgp->credential_setid) { + PROC_LOCK(imgp->proc); + imgp->proc->p_flag2 &= ~(P2_ASLR_ENABLE | P2_ASLR_DISABLE | + P2_WXORX_DISABLE | P2_WXORX_ENABLE_EXEC); + PROC_UNLOCK(imgp->proc); + } + sv = brand_info->sysvec; if (hdr->e_type == ET_DYN) { if ((brand_info->flags & BI_CAN_EXEC_DYN) == 0) { uprintf("Cannot execute shared object\n"); error = ENOEXEC; + (void)vn_lock(imgp->vp, LK_SHARED | LK_RETRY); goto ret; } /* @@ -1264,33 +1292,6 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) imgp->et_dyn_addr = __elfN(pie_base); } } - - /* - * Avoid a possible deadlock if the current address space is destroyed - * and that address space maps the locked vnode. In the common case, - * the locked vnode's v_usecount is decremented but remains greater - * than zero. Consequently, the vnode lock is not needed by vrele(). - * However, in cases where the vnode lock is external, such as nullfs, - * v_usecount may become zero. - * - * The VV_TEXT flag prevents modifications to the executable while - * the vnode is unlocked. - */ - VOP_UNLOCK(imgp->vp); - - /* - * Decide whether to enable randomization of user mappings. - * First, reset user preferences for the setid binaries. - * Then, account for the support of the randomization by the - * ABI, by user preferences, and make special treatment for - * PIE binaries. - */ - if (imgp->credential_setid) { - PROC_LOCK(imgp->proc); - imgp->proc->p_flag2 &= ~(P2_ASLR_ENABLE | P2_ASLR_DISABLE | - P2_WXORX_DISABLE | P2_WXORX_ENABLE_EXEC); - PROC_UNLOCK(imgp->proc); - } if ((sv->sv_flags & SV_ASLR) == 0 || (imgp->proc->p_flag2 & P2_ASLR_DISABLE) != 0 || (fctl0 & NT_FREEBSD_FCTL_ASLR_DISABLE) != 0) { diff --git a/tests/sys/kern/Makefile b/tests/sys/kern/Makefile index 8a2788470a8d..0384529a5a97 100644 --- a/tests/sys/kern/Makefile +++ b/tests/sys/kern/Makefile @@ -7,6 +7,7 @@ TESTSRC= ${SRCTOP}/contrib/netbsd-tests/kernel TESTSDIR= ${TESTSBASE}/sys/kern +ATF_TESTS_C+= aslr ATF_TESTS_C+= basic_signal ATF_TESTS_C+= copy_file_range .if ${MACHINE_ARCH} != "i386" && ${MACHINE_ARCH} != "powerpc" && \ @@ -84,6 +85,7 @@ PROGS+= coredump_phnum_helper PROGS+= pdeathsig_helper PROGS+= sendfile_helper +LIBADD.aslr+= util LIBADD.copy_file_range+= md LIBADD.jail_lookup_root+= jail util LIBADD.jaildesc+= pthread diff --git a/tests/sys/kern/aslr.c b/tests/sys/kern/aslr.c new file mode 100644 index 000000000000..13038054603c --- /dev/null +++ b/tests/sys/kern/aslr.c @@ -0,0 +1,157 @@ +/* + * Copyright (c) 2026 The FreeBSD Foundation + * + * This software was developed by Mark Johnston under sponsorship from the + * FreeBSD Foundation. + */ + +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +#include + +/* + * Spawn an unprivileged child with ASLR force-disabled, which then execs + * /sbin/ping (setuid root). + */ +static pid_t +spawn_ping(const atf_tc_t *tc) +{ + const char *user; + struct passwd *passwd; + pid_t child; + int arg, error; + + user = atf_tc_get_config_var(tc, "unprivileged_user"); + passwd = getpwnam(user); + ATF_REQUIRE(passwd != NULL); + + child = fork(); + ATF_REQUIRE(child >= 0); + if (child == 0) { + if (seteuid(passwd->pw_uid) != 0) + _exit(1); + + arg = PROC_ASLR_FORCE_DISABLE; + error = procctl(P_PID, getpid(), PROC_ASLR_CTL, &arg); + if (error != 0) + _exit(2); + + execl("/sbin/ping", "ping", "127.0.0.1", NULL); + _exit(127); + } + usleep(500000); /* XXX-MJ */ + + return (child); +} + +/* + * Return the base address of the first mapping backed by the specified + * executable in the given process, or 0 if not found. + */ +static uint64_t +text_base(pid_t pid, const char *path) +{ + struct kinfo_vmentry *vmmap; + uint64_t base; + int cnt; + + base = 0; + vmmap = kinfo_getvmmap(pid, &cnt); + if (vmmap == NULL) + return (0); + for (int i = 0; i < cnt; i++) { + if (vmmap[i].kve_type == KVME_TYPE_VNODE && + strcmp(vmmap[i].kve_path, path) == 0) { + base = vmmap[i].kve_start; + break; + } + } + free(vmmap); + return (base); +} + +/* + * Make sure that ASLR can't be disabled for a setuid executable by an + * unprivileged user. + */ +ATF_TC(aslr_setuid); +ATF_TC_HEAD(aslr_setuid, tc) +{ + atf_tc_set_md_var(tc, "require.user", "root"); + atf_tc_set_md_var(tc, "require.config", "unprivileged_user"); +} +ATF_TC_BODY(aslr_setuid, tc) +{ + struct stat sb; + uint64_t bases[5]; + pid_t child, pid; + int arg, error, st; + + if (!atf_tc_has_config_var(tc, "unprivileged_user")) + atf_tc_skip("unprivileged_user not set"); + + error = stat("/sbin/ping", &sb); + ATF_REQUIRE(error == 0); + ATF_REQUIRE_MSG(sb.st_uid == 0 && (sb.st_mode & S_ISUID) != 0, + "/sbin/ping is not setuid root"); + + child = spawn_ping(tc); + bases[0] = text_base(child, "/sbin/ping"); + ATF_REQUIRE_MSG(bases[0] != 0, + "failed to find /sbin/ping text segment"); + + arg = 0; + error = procctl(P_PID, child, PROC_ASLR_STATUS, &arg); + ATF_REQUIRE_MSG(error == 0, "procctl ASLR_STATUS failed: %s", + strerror(errno)); + ATF_REQUIRE_MSG((arg & PROC_ASLR_ACTIVE) != 0, + "ASLR is not active for setuid child"); + ATF_REQUIRE_MSG((arg & ~PROC_ASLR_ACTIVE) == PROC_ASLR_NOFORCE, + "expected NOFORCE for setuid child, got %d", + arg & ~PROC_ASLR_ACTIVE); + + error = kill(child, SIGTERM); + ATF_REQUIRE(error == 0); + pid = waitpid(child, &st, 0); + ATF_REQUIRE(pid == child); + ATF_REQUIRE(WIFSIGNALED(st) && WTERMSIG(st) == SIGTERM); + + for (size_t i = 1; i < nitems(bases); i++) { + child = spawn_ping(tc); + bases[i] = text_base(child, "/sbin/ping"); + ATF_REQUIRE_MSG(bases[i] != 0, + "failed to find /sbin/ping text segment"); + error = kill(child, SIGTERM); + ATF_REQUIRE(error == 0); + pid = waitpid(child, &st, 0); + ATF_REQUIRE(pid == child); + ATF_REQUIRE(WIFSIGNALED(st) && WTERMSIG(st) == SIGTERM); + } + + /* Verify that the text base is different across all runs. */ + for (size_t i = 0; i < nitems(bases); i++) { + for (size_t j = i + 1; j < nitems(bases); j++) { + ATF_REQUIRE_MSG(bases[i] != bases[j], + "ping text base collision 0x%jx", + (uintmax_t)bases[i]); + } + } +} + +ATF_TP_ADD_TCS(tp) +{ + ATF_TP_ADD_TC(tp, aslr_setuid); + + return (atf_no_error()); +} From nobody Tue Jun 9 19:19:55 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyh0pj9z6gVWB for ; Tue, 09 Jun 2026 19:19:56 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdyg5cCLz3Qh9 for ; Tue, 09 Jun 2026 19:19:55 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032795; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Gka9XfiKBibwn4fpLSuXhEGLZvh5kXDyxeS/IUc1wsM=; b=aDIsLKUzk1noBwnMWY5iL9BqWNGKl0HiGxTb9D5+PAavqei9B7DOM+EOL6YmMEo8B8uqpL w8Vy/h3sr4Sif9RQPYkcpWeHGGnjcTNJyKu7EDmYJIFgyQZSTac0RY20STfTE9khm2+4Yp V0xF2QlHUdwJBVm+aF8JBQY3re9t7RdKBvsAGg2higRQ3g00RNLwmRAYRkZSWxpI0nCUEw hromOG6jlevjq2MqKzWr7hqtx2FShCH3uTq3NR+p154PXQIag4FnWbA/jPGJZj/zrNbAgR v3GyKfVowWlc33LJwYGw2Xu8DwF3kJIiO4EdU5uTn1yYok4CF7UxdevhQm4FKg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032795; a=rsa-sha256; cv=none; b=M547Qp2xU11tjiEMAeF3hFqfbODsT8Ar79NPSIpRgVMLzEKur91nCtH0vjwCcgrS7iZ1HL qOBLbFnd+Zv8LV9QwgAsmbQzfuUy4jJiEYuhHi8N5Qasl3RK0BAlr9awsoQELP3E9D/FFG XMpsBN4R5t0WkOZnYl3JaakcGRjT1gVs6MO/45+zfvuMsBZLk+XcSL9zpgQw11WdYHQh6r eywa7dJCuaMhp6vJvikjk6Im73fDzrW/PWhLRelGqHzV6+wvY2RDG3L/0XTut8m4e1DnA0 vJWzCKZFMPe18Eb2iJvcFOyQ8jb7M8/f+wR+OanM9kfiVYHoyR88KUhB0V+XuQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032795; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Gka9XfiKBibwn4fpLSuXhEGLZvh5kXDyxeS/IUc1wsM=; b=v3hoRe5WtjaN4AABeeuSZINPOQtX1JwA1DrqWxRLR9s0NcRxAQHX2Q9HSiEP3Izbr+RpdT WsjI5iUzgULEoZG13R2CUNE7helS6QdQhL6xYxSpz+5xvvR9u8JUBrPfMrr7fRAA2wA7F0 P6O9TMU3mqHu4Rjlxed1ZyL4xlFNKqlrFsv9+rjGIdvgyaVATG98KACje6NCFvuAc4Qvze ok1QARZj1vWBrijr4MB40k8iAksNqt7aTAS8yJZOxrbO328d8cmyveNpd+XRYRTIDzyMaN Qt8d6vBkC4HN3Ic0guQXaB/vfH+WtDFMIWUQ4+ej8fO6mpeuaaZ6kHg/dGVf3g== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyg54q4zp1h for ; Tue, 09 Jun 2026 19:19:55 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3d656 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:55 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Gordon Tetlow From: Mark Johnston Subject: git: fbb19baa29ce - releng/15.0 - ldns: Fix query response validation List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.0 X-Git-Reftype: branch X-Git-Commit: fbb19baa29cea586ee13c173afe64180285d2b90 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:55 +0000 Message-Id: <6a28675b.3d656.4a8e086f@gitrepo.freebsd.org> The branch releng/15.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=fbb19baa29cea586ee13c173afe64180285d2b90 commit fbb19baa29cea586ee13c173afe64180285d2b90 Author: Gordon Tetlow AuthorDate: 2026-06-07 15:17:33 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 15:39:33 +0000 ldns: Fix query response validation Approved by: so Security: FreeBSD-SA-26:36.ldns Security: CVE-2026-10846 --- contrib/ldns/error.c | 13 +++++++ contrib/ldns/ldns/error.h | 8 ++++- contrib/ldns/net.c | 92 +++++++++++++++++++++++++++++++++++++++++++++-- 3 files changed, 110 insertions(+), 3 deletions(-) diff --git a/contrib/ldns/error.c b/contrib/ldns/error.c index e3fd12112789..4fc05d6d0d8f 100644 --- a/contrib/ldns/error.c +++ b/contrib/ldns/error.c @@ -184,6 +184,19 @@ ldns_lookup_table ldns_error_str[] = { { LDNS_STATUS_INVALID_SVCPARAM_VALUE, "Invalid wireformat of a value " "in the ServiceParam rdata field of SVCB or HTTPS RR" }, + { LDNS_STATUS_NOT_EDE, + "The EDNS option is not an extended error code" }, + { LDNS_STATUS_EDE_OPTION_MALFORMED, + "The extended error code option is malformed, expected " + "at least 2 bytes of option data" }, + { LDNS_STATUS_EQUAL_RR, + "An identical RR already existed in the zone" }, + { LDNS_STATUS_ID_DID_NOT_MATCH, + "Response ID did not match the query ID" }, + { LDNS_STATUS_QDCOUNT_MUST_BE_ONE, + "The query section MUST contain exactly one question" }, + { LDNS_STATUS_QUERY_DID_NOT_MATCH, + "The question in the response did not match the query" }, { 0, NULL } }; diff --git a/contrib/ldns/ldns/error.h b/contrib/ldns/ldns/error.h index 2429b7703dfa..41d64cc0815f 100644 --- a/contrib/ldns/ldns/error.h +++ b/contrib/ldns/ldns/error.h @@ -141,7 +141,13 @@ enum ldns_enum_status { LDNS_STATUS_RESERVED_SVCPARAM_KEY, LDNS_STATUS_NO_SVCPARAM_VALUE_EXPECTED, LDNS_STATUS_SVCPARAM_KEY_MORE_THAN_ONCE, - LDNS_STATUS_INVALID_SVCPARAM_VALUE + LDNS_STATUS_INVALID_SVCPARAM_VALUE, + LDNS_STATUS_NOT_EDE, + LDNS_STATUS_EDE_OPTION_MALFORMED, + LDNS_STATUS_EQUAL_RR, + LDNS_STATUS_ID_DID_NOT_MATCH, + LDNS_STATUS_QDCOUNT_MUST_BE_ONE, + LDNS_STATUS_QUERY_DID_NOT_MATCH }; typedef enum ldns_enum_status ldns_status; diff --git a/contrib/ldns/net.c b/contrib/ldns/net.c index 57d4dff24dbe..215c0cac891c 100644 --- a/contrib/ldns/net.c +++ b/contrib/ldns/net.c @@ -441,6 +441,50 @@ ldns_udp_bgsend2(ldns_buffer *qbin, return ldns_udp_bgsend_from(qbin, to, tolen, NULL, 0, timeout); } +/** helper sockaddr compare function. returns -1, 0 or 1. */ +static int +ldns_sockaddr_cmp(const struct sockaddr_storage* addr1, socklen_t len1, + const struct sockaddr_storage* addr2, socklen_t len2) +{ + struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1; + struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2; + struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1; + struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2; + if(len1 < len2) + return -1; + if(len1 > len2) + return 1; + assert(len1 == len2); + if( p1_in->sin_family < p2_in->sin_family) + return -1; + if( p1_in->sin_family > p2_in->sin_family) + return 1; + assert( p1_in->sin_family == p2_in->sin_family ); + /* compare ip4 */ + if( p1_in->sin_family == AF_INET ) { + /* just order it, ntohs not required */ + if(p1_in->sin_port < p2_in->sin_port) + return -1; + if(p1_in->sin_port > p2_in->sin_port) + return 1; + assert(p1_in->sin_port == p2_in->sin_port); + return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, + sizeof(p1_in->sin_addr)); + } else if (p1_in6->sin6_family == AF_INET6) { + /* just order it, ntohs not required */ + if(p1_in6->sin6_port < p2_in6->sin6_port) + return -1; + if(p1_in6->sin6_port > p2_in6->sin6_port) + return 1; + assert(p1_in6->sin6_port == p2_in6->sin6_port); + return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr, + sizeof(p1_in6->sin6_addr)); + } else { + /* eek unknown type, perform this comparison for sanity. */ + return memcmp(addr1, addr2, len1); + } +} + static ldns_status ldns_udp_send_from(uint8_t **result, ldns_buffer *qbin, const struct sockaddr_storage *to , socklen_t tolen, @@ -449,6 +493,8 @@ ldns_udp_send_from(uint8_t **result, ldns_buffer *qbin, { int sockfd; uint8_t *answer; + struct sockaddr_storage reply_addr; + socklen_t reply_addr_len; sockfd = ldns_udp_bgsend_from(qbin, to, tolen, from, fromlen, timeout); @@ -467,13 +513,21 @@ ldns_udp_send_from(uint8_t **result, ldns_buffer *qbin, * but returns a 'NETWORK_ERROR' much like a timeout. */ ldns_sock_nonblock(sockfd); - answer = ldns_udp_read_wire(sockfd, answer_size, NULL, NULL); + reply_addr_len = sizeof(reply_addr); + memset(&reply_addr, 0, reply_addr_len); + answer = ldns_udp_read_wire(sockfd, answer_size, &reply_addr, + &reply_addr_len); close_socket(sockfd); if (!answer) { /* oops */ return LDNS_STATUS_NETWORK_ERR; } + /* Check that the reply came from the to addr. */ + if(ldns_sockaddr_cmp(to, tolen, &reply_addr, reply_addr_len) != 0) { + free(answer); + return LDNS_STATUS_NETWORK_ERR; + } *result = answer; return LDNS_STATUS_OK; @@ -512,6 +566,10 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf assert(r != NULL); + /* The query should at least have one question */ + if(ldns_buffer_limit(qb) < 6 || ldns_buffer_read_u16_at(qb, 4) != 1) + return LDNS_STATUS_QDCOUNT_MUST_BE_ONE; + status = LDNS_STATUS_OK; rtt = ldns_resolver_rtt(r); ns_array = ldns_resolver_nameservers(r); @@ -599,6 +657,16 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf ldns_resolver_set_nameserver_rtt(r, i, LDNS_RESOLV_RTT_INF); status = send_status; } + if(reply_bytes && ldns_buffer_limit(qb) >= 2) { + uint16_t txid = ldns_buffer_read_u16_at(qb, 0); + if(reply_size < 2 || + ldns_read_uint16(reply_bytes) != txid) { + status = LDNS_STATUS_ID_DID_NOT_MATCH; + LDNS_FREE(reply_bytes); + reply_bytes = NULL; + reply_size = 0; + } + } /* obey the fail directive */ if (!reply_bytes) { @@ -608,7 +676,7 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf LDNS_FREE(src); } LDNS_FREE(ns); - return LDNS_STATUS_ERR; + return status ? status : LDNS_STATUS_ERR; } else { LDNS_FREE(ns); continue; @@ -670,6 +738,26 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf #endif /* HAVE_SSL */ LDNS_FREE(reply_bytes); + if (reply) { + ldns_pkt *query = NULL; + + if(ldns_pkt_qdcount(reply) != 1) { + status = LDNS_STATUS_QDCOUNT_MUST_BE_ONE; + ldns_pkt_free(reply); + reply = NULL; + + } else if(ldns_wire2pkt(&query + , ldns_buffer_begin(qb) + , ldns_buffer_position(qb)) != LDNS_STATUS_OK + || ldns_pkt_qdcount(query) != 1 + || ldns_rr_compare(ldns_rr_list_rr(ldns_pkt_question(query),0) + ,ldns_rr_list_rr(ldns_pkt_question(reply),0))){ + status = LDNS_STATUS_QUERY_DID_NOT_MATCH; + ldns_pkt_free(reply); + reply = NULL; + } + ldns_pkt_free(query); + } if (result) { *result = reply; } From nobody Tue Jun 9 19:19:52 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyd24Nhz6gVMG for ; Tue, 09 Jun 2026 19:19:53 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdyc37SLz3QbW for ; Tue, 09 Jun 2026 19:19:52 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032792; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=XfZrvU6sqd8qVMjeBG2KCnG8k6orzaLatLOfVX2/7BI=; b=V69Fm8NU1HpWjNrA2AoqY9HMdBMv1sWx73rz78VgSBmoidfzW66Vm+akWi64IRPfAdKA1k oFlN8jtsR9RH6suUu/EaCEeSojspUm/FrXDHLPhBY9R9ztBUhpC7Kr0wgAZPx6fnBlIho9 KJyEOcpiON+CADucIxy8iwvIWC95kybBVb+zfOBPrkBqQ6xBXFDj2v+tpV4sarEfmx4C/9 VT2diPANAVlJAmGOoayoPsWbczeQYh4Hvc5/A4D0Hrl5vyfx0we26Hif8b4ZJnSkHeMpOp IPacWCEo9/gpV4nBwTYpkW3Nvxwp9ZTSAzn+rQeTsfD0V5BJqVyfrfB8dwgW4g== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032792; a=rsa-sha256; cv=none; b=vJnKvt1LD51WyyUyeJGAQ91/1gwCFrv7SIM+d+K7tTiKaWtwVbUes/Ptnzt9xgnwANSh5i lc+uO+C3jWsKlKrw3dF2U2bbDd3l4dtyU01r5DRj7dQblhBOgi0+TX6thxWcjtfFH/H7u7 ohd5zG9+LwkhrcxBSAlr7qSnhYf563BaL9qBiyoIVMmTGQfn6S/1K2Ed7ZtrcGizgOcOHv t5JcOQvJHmeZwsej7vpcqgBx+VDaNxIYFV91Yc26itGZVimgOLwn+DTtn3yllaRP7gHgsB J2kPC2FjHPywWOWOMPvlkz19Y1a81ZRnFTaBC4vH5LP1eXOHwjmM/6H7tDPVZQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032792; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=XfZrvU6sqd8qVMjeBG2KCnG8k6orzaLatLOfVX2/7BI=; b=hbV02QWdrjdnq7YusR5rB9Z6do6MgVoYBuzpIhqlI37yOUGCsJH20X2ITphdTVW5RXNkdc GwpyM9gbO3F4YN3dkpt+VQyZEruDTKQ08eewvL93gZYRD9h0jqlSxBwWBY8xoGUKJ1b058 eqFqyg83PRuyQQfyY+Yt1C2IEOC5EQGP3mbH3Y9Y2CNG08DDyxS8VRnK5HKqbocd++OLpS EJi3z2Yu7sjeLsDMwRukmQNXwkuvuVN+06Oac1ZUKJ+tsKNPmeqVHPnbyoYfNRbbA+pzvc braOhTc2qJHjHIT1qK54eSUe3qLRPb4QKa8huzfEKcLTFs7LFL3QOdYn6HA1iQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyc2gGhzp3t for ; Tue, 09 Jun 2026 19:19:52 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3d651 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:52 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Dag-Erling=?utf-8?Q? Sm=C3=B8rg?=rav From: Mark Johnston Subject: git: 6160bd311a1b - releng/15.0 - unbound: Apply upstream patches List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.0 X-Git-Reftype: branch X-Git-Commit: 6160bd311a1be94e7c7ad8a0440401bd6f9f8075 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:52 +0000 Message-Id: <6a286758.3d651.1ac68b44@gitrepo.freebsd.org> The branch releng/15.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=6160bd311a1be94e7c7ad8a0440401bd6f9f8075 commit 6160bd311a1be94e7c7ad8a0440401bd6f9f8075 Author: Dag-Erling Smørgrav AuthorDate: 2026-05-29 22:21:50 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 15:39:32 +0000 unbound: Apply upstream patches - Use the same EDE removal logic when encoding errors as when encoding replies. - Fix CVE-2026-33278, Possible remote code execution during DNSSEC validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report. - Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto Networks, for the report. - Fix CVE-2026-42959, Crash during DNSSEC validation of malicious content. Thanks to Qifan Zhang, Palo Alto Networks, for the report. - Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew Griffiths from 'calif.io' for the report. - Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan Zhang, Palo Alto Networks, for the report. - Fix CVE-2026-41292, Parsing a long list of incoming EDNS options degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan Zhang from Palo Alto Networks, for the report. - Fix CVE-2026-42534, Jostle logic bypass degrades resolution performance. Thanks to Qifan Zhang, Palo Alto Networks, for the report. - Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for the report. - Fix CVE-2026-42960, Possible cache poisoning attack while following delegation. Thanks to TaoFei Guo from Peking University, Yang Luo and JianJun Chen, Tsinghua University, for the report. - Fix CVE-2026-44390, Unbounded name compression in certain cases causes degradation of service. Thanks to Qifan Zhang, Palo Alto Networks, for the report. - Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks to Qifan Zhang, Palo Alto Networks, for the report. Approved by: so Security: FreeBSD-SA-26:33.unbound Security: CVE-2026-33278 Security: CVE-2026-42944 Security: CVE-2026-42959 Security: CVE-2026-32792 Security: CVE-2026-40622 Security: CVE-2026-41292 Security: CVE-2026-42534 Security: CVE-2026-42923 Security: CVE-2026-42960 Security: CVE-2026-44390 Security: CVE-2026-44608 --- contrib/unbound/dnscrypt/dnscrypt.c | 2 +- contrib/unbound/iterator/iter_scrub.c | 8 +++- contrib/unbound/services/cache/dns.c | 8 +++- contrib/unbound/services/cache/rrset.c | 10 +++++ contrib/unbound/services/mesh.c | 14 +++++-- contrib/unbound/services/mesh.h | 6 +++ contrib/unbound/services/rpz.c | 10 +++-- contrib/unbound/util/data/msgencode.c | 54 ++++++++++++++++-------- contrib/unbound/util/data/msgencode.h | 4 +- contrib/unbound/util/data/msgparse.c | 19 ++++++--- contrib/unbound/util/data/msgparse.h | 4 ++ contrib/unbound/validator/val_neg.c | 28 ++++++++++++- contrib/unbound/validator/val_nsec3.c | 76 +++++++++++++++++++++++++++++++--- contrib/unbound/validator/val_nsec3.h | 6 +++ contrib/unbound/validator/val_utils.c | 4 +- 15 files changed, 209 insertions(+), 44 deletions(-) diff --git a/contrib/unbound/dnscrypt/dnscrypt.c b/contrib/unbound/dnscrypt/dnscrypt.c index 4902447fda01..173484cdf0b1 100644 --- a/contrib/unbound/dnscrypt/dnscrypt.c +++ b/contrib/unbound/dnscrypt/dnscrypt.c @@ -361,7 +361,7 @@ dnscrypt_server_uncurve(struct dnsc_env* env, len -= DNSCRYPT_QUERY_HEADER_SIZE; - while (*sldns_buffer_at(buffer, --len) == 0) + while (len>0 && *sldns_buffer_at(buffer, --len) == 0) ; if (*sldns_buffer_at(buffer, len) != 0x80) { diff --git a/contrib/unbound/iterator/iter_scrub.c b/contrib/unbound/iterator/iter_scrub.c index 8507a3fb65ac..852705db3ee9 100644 --- a/contrib/unbound/iterator/iter_scrub.c +++ b/contrib/unbound/iterator/iter_scrub.c @@ -725,7 +725,13 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, rrset->rrset_all_next = NULL; return 1; } - mark_additional_rrset(pkt, msg, rrset); + /* Only mark glue as allowed for type NS in the authority + * section. Other RR types do not get glue for them, it + * is allowed from the answer section, but not authority + * so that a message can not have address records cached + * as a side effect to the query. */ + if(rrset->type==LDNS_RR_TYPE_NS) + mark_additional_rrset(pkt, msg, rrset); prev = rrset; rrset = rrset->rrset_all_next; } diff --git a/contrib/unbound/services/cache/dns.c b/contrib/unbound/services/cache/dns.c index 351b3568c80b..8dae2ffcca90 100644 --- a/contrib/unbound/services/cache/dns.c +++ b/contrib/unbound/services/cache/dns.c @@ -675,10 +675,16 @@ struct dns_msg* dns_msg_deepcopy_region(struct dns_msg* origin, struct regional* region) { size_t i; + struct ub_packed_rrset_key** saved_rrsets; struct dns_msg* res = NULL; + size_t rep_alloc_size = sizeof(struct reply_info) + - sizeof(struct rrset_ref); /* this is the size of res->rep + allocated in gen_dns_msg() */ res = gen_dns_msg(region, &origin->qinfo, origin->rep->rrset_count); if(!res) return NULL; - *res->rep = *origin->rep; + saved_rrsets = res->rep->rrsets; /* save rrsets alloc by gen_dns_msg */ + memcpy(res->rep, origin->rep, rep_alloc_size); + res->rep->rrsets = saved_rrsets; if(origin->rep->reason_bogus_str) { res->rep->reason_bogus_str = regional_strdup(region, origin->rep->reason_bogus_str); diff --git a/contrib/unbound/services/cache/rrset.c b/contrib/unbound/services/cache/rrset.c index 6d5c24f8053e..81f4e2820edd 100644 --- a/contrib/unbound/services/cache/rrset.c +++ b/contrib/unbound/services/cache/rrset.c @@ -149,6 +149,16 @@ need_to_update_rrset(void* nd, void* cd, time_t timenow, int equal, int ns) if(equal && cached->ttl >= timenow && cached->security == sec_status_bogus) return 0; + /* ghost-domain: never let an NS overwrite extend lifetime + * past the entry it replaces, regardless of trust. */ + if(ns && !TTL_IS_EXPIRED(cached->ttl, timenow) && + newd->ttl > cached->ttl) { + size_t i; + newd->ttl = cached->ttl; + for(i=0; i<(newd->count+newd->rrsig_count); i++) + if(newd->rr_ttl[i] > newd->ttl) + newd->rr_ttl[i] = newd->ttl; + } return 1; } /* o item in cache has expired */ diff --git a/contrib/unbound/services/mesh.c b/contrib/unbound/services/mesh.c index 3212a6abf4c6..23499dcef960 100644 --- a/contrib/unbound/services/mesh.c +++ b/contrib/unbound/services/mesh.c @@ -296,12 +296,14 @@ int mesh_make_new_space(struct mesh_area* mesh, sldns_buffer* qbuf) if(mesh->num_reply_states < mesh->max_reply_states) return 1; /* try to kick out a jostle-list item */ - if(m && m->reply_list && m->list_select == mesh_jostle_list) { + if(m && m->list_select == mesh_jostle_list) { /* how old is it? */ struct timeval age; - timeval_subtract(&age, mesh->env->now_tv, - &m->reply_list->start_time); - if(timeval_smaller(&mesh->jostle_max, &age)) { + if(m->has_first_reply_time) + timeval_subtract(&age, mesh->env->now_tv, + &m->first_reply_time); + if(!m->has_first_reply_time || + timeval_smaller(&mesh->jostle_max, &age)) { /* its a goner */ log_nametypeclass(VERB_ALGO, "query jostled out to " "make space for a new one", @@ -1960,6 +1962,10 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns, r->qid = qid; r->qflags = qflags; r->start_time = *s->s.env->now_tv; + if(s->reply_list == NULL && !s->has_first_reply_time) { + s->first_reply_time = r->start_time; + s->has_first_reply_time = 1; + } r->next = s->reply_list; r->qname = regional_alloc_init(s->s.region, qinfo->qname, s->s.qinfo.qname_len); diff --git a/contrib/unbound/services/mesh.h b/contrib/unbound/services/mesh.h index f19f423a8cd3..a61f90993177 100644 --- a/contrib/unbound/services/mesh.h +++ b/contrib/unbound/services/mesh.h @@ -189,6 +189,12 @@ struct mesh_state { struct module_qstate s; /** the list of replies to clients for the results */ struct mesh_reply* reply_list; + /** if it has a first reply time */ + int has_first_reply_time; + /** wall-clock time the first client reply was attached; + * used by mesh_make_new_space() so duplicate retransmits + * cannot reset jostle aging. */ + struct timeval first_reply_time; /** the list of callbacks for the results */ struct mesh_cb* cb_list; /** set of superstates (that want this state's result) diff --git a/contrib/unbound/services/rpz.c b/contrib/unbound/services/rpz.c index f45cf65420d7..27f7de861eac 100644 --- a/contrib/unbound/services/rpz.c +++ b/contrib/unbound/services/rpz.c @@ -2468,6 +2468,7 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate* { struct auth_zones* az; struct auth_zone* a; + struct dns_msg* ret = NULL; struct clientip_synthesized_rr* raddr = NULL; struct rpz* r = NULL; struct local_zone* z = NULL; @@ -2511,13 +2512,11 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate* z = rpz_delegation_point_zone_lookup(is->dp, r->nsdname_zones, is->qchase.qclass, &match); if(z != NULL) { - lock_rw_unlock(&a->lock); break; } raddr = rpz_delegation_point_ipbased_trigger_lookup(r, is); if(raddr != NULL) { - lock_rw_unlock(&a->lock); break; } lock_rw_unlock(&a->lock); @@ -2532,9 +2531,12 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate* if(z) { lock_rw_unlock(&z->lock); } - return rpz_apply_nsip_trigger(ms, &is->qchase, r, raddr, a); + ret = rpz_apply_nsip_trigger(ms, &is->qchase, r, raddr, a); + } else { + ret = rpz_apply_nsdname_trigger(ms, &is->qchase, r, z, &match, a); } - return rpz_apply_nsdname_trigger(ms, &is->qchase, r, z, &match, a); + lock_rw_unlock(&a->lock); + return ret; } struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms, diff --git a/contrib/unbound/util/data/msgencode.c b/contrib/unbound/util/data/msgencode.c index 84aa3b9e75ae..f84c491b1c9f 100644 --- a/contrib/unbound/util/data/msgencode.c +++ b/contrib/unbound/util/data/msgencode.c @@ -352,7 +352,6 @@ compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs, (p = compress_tree_lookup(tree, dname, labs, &insertpt))) { if(!write_compressed_dname(pkt, dname, labs, p)) return RETVAL_TRUNC; - (*compress_count)++; } else { if(!dname_buffer_write(pkt, dname)) return RETVAL_TRUNC; @@ -360,6 +359,7 @@ compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs, if(*compress_count < MAX_COMPRESSION_PER_MESSAGE && !compress_tree_store(dname, labs, pos, region, p, insertpt)) return RETVAL_OUTMEM; + (*compress_count)++; return RETVAL_OK; } @@ -804,7 +804,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep, return 1; } -uint16_t +size_t calc_edns_field_size(struct edns_data* edns) { size_t rdatalen = 0; @@ -840,7 +840,7 @@ calc_edns_option_size(struct edns_data* edns, uint16_t code) } uint16_t -calc_ede_option_size(struct edns_data* edns, uint16_t* txt_size) +calc_ede_option_size(struct edns_data* edns, size_t* txt_size) { size_t rdatalen = 0; struct edns_option* opt; @@ -942,6 +942,10 @@ attach_edns_record_max_msg_sz(sldns_buffer* pkt, struct edns_data* edns, padding_option = opt; continue; } + if(sldns_buffer_position(pkt) + opt->opt_len + 4 > max_msg_sz) + break; /* no space for it */ + if(!sldns_buffer_available(pkt, 4 + opt->opt_len)) + break; sldns_buffer_write_u16(pkt, opt->opt_code); sldns_buffer_write_u16(pkt, opt->opt_len); if(opt->opt_len != 0) @@ -952,12 +956,18 @@ attach_edns_record_max_msg_sz(sldns_buffer* pkt, struct edns_data* edns, padding_option = opt; continue; } + if(sldns_buffer_position(pkt) + opt->opt_len + 4 > max_msg_sz) + break; /* no space for it */ + if(!sldns_buffer_available(pkt, 4 + opt->opt_len)) + break; sldns_buffer_write_u16(pkt, opt->opt_code); sldns_buffer_write_u16(pkt, opt->opt_len); if(opt->opt_len != 0) sldns_buffer_write(pkt, opt->opt_data, opt->opt_len); } - if (padding_option && edns->padding_block_size ) { + if (padding_option && edns->padding_block_size && + sldns_buffer_position(pkt)+4 <= max_msg_sz && + sldns_buffer_available(pkt, 4) /* if there is space for it */) { size_t pad_pos = sldns_buffer_position(pkt); size_t msg_sz = ((pad_pos + 3) / edns->padding_block_size + 1) * edns->padding_block_size; @@ -1001,7 +1011,7 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep, { uint16_t flags; unsigned int attach_edns = 0; - uint16_t edns_field_size, ede_size, ede_txt_size; + size_t edns_field_size, ede_size, ede_txt_size; if(!cached || rep->authoritative) { /* original flags, copy RD and CD bits from query. */ @@ -1028,12 +1038,12 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep, * calculate sizes once here */ edns_field_size = calc_edns_field_size(edns); ede_size = calc_ede_option_size(edns, &ede_txt_size); - if(sldns_buffer_capacity(pkt) < udpsize) + if(sldns_buffer_capacity(pkt) < (size_t)udpsize) udpsize = sldns_buffer_capacity(pkt); if(!edns || !edns->edns_present) { attach_edns = 0; /* EDEs are optional, try to fit anything else before them */ - } else if(udpsize < LDNS_HEADER_SIZE + edns_field_size - ede_size) { + } else if((size_t)udpsize < (size_t)LDNS_HEADER_SIZE + edns_field_size - ede_size) { /* packet too small to contain edns, omit it. */ attach_edns = 0; } else { @@ -1047,13 +1057,13 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep, return 0; } if(attach_edns) { - if(udpsize >= sldns_buffer_limit(pkt) + edns_field_size) + if((size_t)udpsize >= sldns_buffer_limit(pkt) + edns_field_size) attach_edns_record_max_msg_sz(pkt, edns, udpsize); - else if(udpsize >= sldns_buffer_limit(pkt) + edns_field_size - ede_txt_size) { + else if((size_t)udpsize >= sldns_buffer_limit(pkt) + edns_field_size - ede_txt_size) { ede_trim_text(&edns->opt_list_inplace_cb_out); ede_trim_text(&edns->opt_list_out); attach_edns_record_max_msg_sz(pkt, edns, udpsize); - } else if(udpsize >= sldns_buffer_limit(pkt) + edns_field_size - ede_size) { + } else if((size_t)udpsize >= sldns_buffer_limit(pkt) + edns_field_size - ede_size) { edns_opt_list_remove(&edns->opt_list_inplace_cb_out, LDNS_EDNS_EDE); edns_opt_list_remove(&edns->opt_list_out, LDNS_EDNS_EDE); attach_edns_record_max_msg_sz(pkt, edns, udpsize); @@ -1115,22 +1125,30 @@ extended_error_encode(sldns_buffer* buf, uint16_t rcode, sldns_buffer_write_u16(buf, qinfo->qclass); } sldns_buffer_flip(buf); - if(edns) { + if(edns && edns->edns_present) { + size_t edns_field_size, ede_size, ede_txt_size; struct edns_data es = *edns; es.edns_version = EDNS_ADVERTISED_VERSION; es.udp_size = EDNS_ADVERTISED_SIZE; es.ext_rcode = (uint8_t)(rcode >> 4); es.bits &= EDNS_DO; - if(sldns_buffer_limit(buf) + calc_edns_field_size(&es) > - edns->udp_size) { + /* EDEs are optional. If space is a concern try in order: + * - removing any EXTRA-TEXT fields from explicit EDEs, or + * - removing all EDEs, + * to see if EDNS can fit. */ + edns_field_size = calc_edns_field_size(&es); + ede_size = calc_ede_option_size(&es, &ede_txt_size); + if((size_t)edns->udp_size >= sldns_buffer_limit(buf) + edns_field_size) + attach_edns_record_max_msg_sz(buf, &es, edns->udp_size); + else if((size_t)edns->udp_size >= sldns_buffer_limit(buf) + edns_field_size - ede_txt_size) { + ede_trim_text(&es.opt_list_inplace_cb_out); + ede_trim_text(&es.opt_list_out); + attach_edns_record_max_msg_sz(buf, &es, edns->udp_size); + } else if((size_t)edns->udp_size >= sldns_buffer_limit(buf) + edns_field_size - ede_size) { edns_opt_list_remove(&es.opt_list_inplace_cb_out, LDNS_EDNS_EDE); edns_opt_list_remove(&es.opt_list_out, LDNS_EDNS_EDE); - if(sldns_buffer_limit(buf) + calc_edns_field_size(&es) > - edns->udp_size) { - return; - } + attach_edns_record_max_msg_sz(buf, &es, edns->udp_size); } - attach_edns_record(buf, &es); } } diff --git a/contrib/unbound/util/data/msgencode.h b/contrib/unbound/util/data/msgencode.h index 08fcb59b8e36..64569555dc59 100644 --- a/contrib/unbound/util/data/msgencode.h +++ b/contrib/unbound/util/data/msgencode.h @@ -106,7 +106,7 @@ void qinfo_query_encode(struct sldns_buffer* pkt, struct query_info* qinfo); * @param edns: edns data or NULL. * @return octets to reserve for EDNS. */ -uint16_t calc_edns_field_size(struct edns_data* edns); +size_t calc_edns_field_size(struct edns_data* edns); /** * Calculate the size of a specific EDNS option in packet. @@ -127,7 +127,7 @@ uint16_t calc_edns_option_size(struct edns_data* edns, uint16_t code); * extra text. * @return octets the option will take up. */ -uint16_t calc_ede_option_size(struct edns_data* edns, uint16_t* txt_size); +uint16_t calc_ede_option_size(struct edns_data* edns, size_t* txt_size); /** * Attach EDNS record to buffer. Buffer has complete packet. There must diff --git a/contrib/unbound/util/data/msgparse.c b/contrib/unbound/util/data/msgparse.c index 6963d850171e..169709b7e3c0 100644 --- a/contrib/unbound/util/data/msgparse.c +++ b/contrib/unbound/util/data/msgparse.c @@ -53,6 +53,8 @@ #include "sldns/parseutil.h" #include "sldns/wire2str.h" +#define MAX_PARSED_EDNS_OPTIONS 100 + /** smart comparison of (compressed, valid) dnames from packet */ static int smart_compare(sldns_buffer* pkt, uint8_t* dnow, @@ -950,6 +952,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len, struct comm_reply* repinfo, uint32_t now, struct regional* region, struct cookie_secrets* cookie_secrets) { + int i = 0, nsid_seen = 0, cookie_seen = 0, padding_seen = 0; /* To respond with a Keepalive option, the client connection must have * received one message with a TCP Keepalive EDNS option, and that * option must have 0 length data. Subsequent messages sent on that @@ -969,7 +972,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len, /* while still more options, and have code+len to read */ /* ignores partial content (i.e. rdata len 3) */ - while(rdata_len >= 4) { + while(rdata_len >= 4 && i < MAX_PARSED_EDNS_OPTIONS) { uint16_t opt_code = sldns_read_uint16(rdata_ptr); uint16_t opt_len = sldns_read_uint16(rdata_ptr+2); uint8_t server_cookie[40]; @@ -984,8 +987,9 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len, /* handle parse time edns options here */ switch(opt_code) { case LDNS_EDNS_NSID: - if (!cfg || !cfg->nsid) + if (!cfg || !cfg->nsid || nsid_seen) break; + nsid_seen = 1; if(!edns_opt_list_append(&edns->opt_list_out, LDNS_EDNS_NSID, cfg->nsid_len, cfg->nsid, region)) { @@ -1027,8 +1031,9 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len, case LDNS_EDNS_PADDING: if(!cfg || !cfg->pad_responses || - !c || c->type != comm_tcp ||!c->ssl) + !c || c->type != comm_tcp ||!c->ssl || padding_seen) break; + padding_seen = 1; if(!edns_opt_list_append(&edns->opt_list_out, LDNS_EDNS_PADDING, 0, NULL, region)) { @@ -1039,8 +1044,9 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len, break; case LDNS_EDNS_COOKIE: - if(!cfg || !cfg->do_answer_cookie || !repinfo) + if(!cfg || !cfg->do_answer_cookie || !repinfo || cookie_seen) break; + cookie_seen = 1; if(opt_len != 8 && (opt_len < 16 || opt_len > 40)) { verbose(VERB_ALGO, "worker request: " "badly formatted cookie"); @@ -1146,6 +1152,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len, } rdata_ptr += opt_len; rdata_len -= opt_len; + i++; } return LDNS_RCODE_NOERROR; } @@ -1160,6 +1167,7 @@ parse_extract_edns_from_response_msg(struct msg_parse* msg, struct rrset_parse* found_prev = 0; size_t rdata_len; uint8_t* rdata_ptr; + int i = 0; /* since the class encodes the UDP size, we cannot use hash table to * find the EDNS OPT record. Scan the packet. */ while(rrset) { @@ -1219,7 +1227,7 @@ parse_extract_edns_from_response_msg(struct msg_parse* msg, /* while still more options, and have code+len to read */ /* ignores partial content (i.e. rdata len 3) */ - while(rdata_len >= 4) { + while(rdata_len >= 4 && i < MAX_PARSED_EDNS_OPTIONS) { uint16_t opt_code = sldns_read_uint16(rdata_ptr); uint16_t opt_len = sldns_read_uint16(rdata_ptr+2); rdata_ptr += 4; @@ -1234,6 +1242,7 @@ parse_extract_edns_from_response_msg(struct msg_parse* msg, } rdata_ptr += opt_len; rdata_len -= opt_len; + i++; } /* ignore rrsigs */ return LDNS_RCODE_NOERROR; diff --git a/contrib/unbound/util/data/msgparse.h b/contrib/unbound/util/data/msgparse.h index 7de4e394f2ae..d6e459d330ce 100644 --- a/contrib/unbound/util/data/msgparse.h +++ b/contrib/unbound/util/data/msgparse.h @@ -98,6 +98,10 @@ extern time_t SERVE_EXPIRED_REPLY_TTL; /** If we serve the original TTL or decrementing TTLs */ extern int SERVE_ORIGINAL_TTL; +/** Check if TTL is expired. 0 TTL is considered expired. + * Used mainly to identify parts of the code that do this comparison. */ +#define TTL_IS_EXPIRED(ttl, now) ((ttl) <= (now)) + /** * Data stored in scratch pad memory during parsing. * Stores the data that will enter into the msgreply and packet result. diff --git a/contrib/unbound/validator/val_neg.c b/contrib/unbound/validator/val_neg.c index bc3a83aeb4c9..0f2751121326 100644 --- a/contrib/unbound/validator/val_neg.c +++ b/contrib/unbound/validator/val_neg.c @@ -62,6 +62,13 @@ #include "sldns/rrdef.h" #include "sldns/sbuffer.h" +/** + * The maximum salt length that the negative cache is willing to use. + * Larger salt increases the computation time, while recommendations are + * for zero salt length for zones. + */ +#define MAX_SALT_LENGTH 64 + int val_neg_data_compare(const void* a, const void* b) { struct val_neg_data* x = (struct val_neg_data*)a; @@ -826,7 +833,11 @@ void neg_insert_data(struct val_neg_cache* neg, (slen != 0 && zone->nsec3_salt && s && memcmp(zone->nsec3_salt, s, slen) != 0))) { - if(slen > 0) { + if(slen > MAX_SALT_LENGTH) { + /* RFC 9276 s3.1: operators SHOULD NOT use a salt; large + * salts inflate per-hash block count. Decline to cache. */ + return; + } else if(slen > 0) { uint8_t* sa = memdup(s, slen); if(sa) { free(zone->nsec3_salt); @@ -1169,6 +1180,15 @@ neg_find_nsec3_ce(struct val_neg_zone* zone, uint8_t* qname, size_t qname_len, uint8_t hashce[NSEC3_SHA_LEN]; uint8_t b32[257]; size_t celen, b32len; + int hashmax = MAX_NSEC3_CALCULATIONS; + if(qlabs > hashmax) { + /* strip leading labels so the walk costs at most + * MAX_NSEC3_CALCULATIONS hashes, mirroring val_nsec3.c */ + while(qlabs > hashmax) { + dname_remove_label(&qname, &qname_len); + qlabs--; + } + } *nclen = 0; while(qlabs > 0) { @@ -1269,6 +1289,12 @@ neg_nsec3_proof_ds(struct val_neg_zone* zone, uint8_t* qname, size_t qname_len, if(!zone->nsec3_hash) return NULL; /* not nsec3 zone */ + if(!topname && qlabs > zone->labs + 1) + return NULL; /* iterator caller; opt-out proof would be discarded + * at the !topname check below anyway. + * The qlabs check allows the exact-match for + * the one-label-below-zone case. */ + if(!(data=neg_find_nsec3_ce(zone, qname, qname_len, qlabs, buf, hashnc, &nclen))) { return NULL; diff --git a/contrib/unbound/validator/val_nsec3.c b/contrib/unbound/validator/val_nsec3.c index 998fcc4e38ee..62effde2093f 100644 --- a/contrib/unbound/validator/val_nsec3.c +++ b/contrib/unbound/validator/val_nsec3.c @@ -59,11 +59,6 @@ #include "sldns/sbuffer.h" #include "util/config_file.h" -/** - * Max number of NSEC3 calculations at once, suspend query for later. - * 8 is low enough and allows for cases where multiple proofs are needed. - */ -#define MAX_NSEC3_CALCULATIONS 8 /** * When all allowed NSEC3 calculations at once resulted in error treat as * bogus. NSEC3 hash errors are not cached and this helps breaks loops with @@ -456,6 +451,67 @@ filter_init(struct nsec3_filter* filter, struct ub_packed_rrset_key** list, } } +/** Check if the NSEC3s have the same parameter set. */ +static int +param_set_same(struct nsec3_filter* flt, char** reason) +{ + size_t rrsetnum; + int rrnum; + struct ub_packed_rrset_key* rrset; + int have_params = 0; + int first_algo = 0; + size_t first_iter = 0; + uint8_t* first_salt = NULL; + size_t first_saltlen = 0; + + /* If the NSEC3 parameter sets have distinct values, then they are + * from different NSEC3 chains, and we do not want that. */ + for(rrset=filter_first(flt, &rrsetnum, &rrnum); rrset; + rrset=filter_next(flt, &rrsetnum, &rrnum)) { + if(!have_params) { + first_algo = nsec3_get_algo(rrset, rrnum); + first_iter = nsec3_get_iter(rrset, rrnum); + if(!nsec3_get_salt(rrset, rrnum, &first_salt, + &first_saltlen)) { + verbose(VERB_ALGO, "NSEC3 salt malformed"); + if(reason) + *reason = "NSEC3 salt malformed"; + return 0; + } + have_params = 1; + } else { + uint8_t* salt = NULL; + size_t saltlen = 0; + if(nsec3_get_algo(rrset, rrnum) != first_algo) { + verbose(VERB_ALGO, "NSEC3 algorithm mismatch"); + if(reason) + *reason = "NSEC3 algorithm mismatch"; + return 0; + } + if(nsec3_get_iter(rrset, rrnum) != first_iter) { + verbose(VERB_ALGO, "NSEC3 iterations mismatch"); + if(reason) + *reason = "NSEC3 iterations mismatch"; + return 0; + } + if(!nsec3_get_salt(rrset, rrnum, &salt, &saltlen)) { + verbose(VERB_ALGO, "NSEC3 salt malformed"); + if(reason) + *reason = "NSEC3 salt malformed"; + return 0; + } + if(saltlen != first_saltlen || + memcmp(salt, first_salt, saltlen) != 0) { + verbose(VERB_ALGO, "NSEC3 salt mismatch"); + if(reason) + *reason = "NSEC3 salt mismatch"; + return 0; + } + } + } + return 1; +} + /** * Find max iteration count using config settings and key size * @param ve: validator environment with iteration count config settings. @@ -1192,6 +1248,8 @@ nsec3_prove_nameerror(struct module_env* env, struct val_env* ve, filter_init(&flt, list, num, qinfo); /* init RR iterator */ if(!flt.zone) return sec_status_bogus; /* no RRs */ + if(!param_set_same(&flt, NULL)) + return sec_status_bogus; /* nsec3 params from distinct chains*/ if(nsec3_iteration_count_high(ve, &flt, kkey)) return sec_status_insecure; /* iteration count too high */ log_nametypeclass(VERB_ALGO, "start nsec3 nameerror proof, zone", @@ -1378,6 +1436,8 @@ nsec3_prove_nodata(struct module_env* env, struct val_env* ve, filter_init(&flt, list, num, qinfo); /* init RR iterator */ if(!flt.zone) return sec_status_bogus; /* no RRs */ + if(!param_set_same(&flt, NULL)) + return sec_status_bogus; /* nsec3 params from distinct chains*/ if(nsec3_iteration_count_high(ve, &flt, kkey)) return sec_status_insecure; /* iteration count too high */ return nsec3_do_prove_nodata(env, &flt, ct, qinfo, calc); @@ -1401,6 +1461,8 @@ nsec3_prove_wildcard(struct module_env* env, struct val_env* ve, filter_init(&flt, list, num, qinfo); /* init RR iterator */ if(!flt.zone) return sec_status_bogus; /* no RRs */ + if(!param_set_same(&flt, NULL)) + return sec_status_bogus; /* nsec3 params from distinct chains*/ if(nsec3_iteration_count_high(ve, &flt, kkey)) return sec_status_insecure; /* iteration count too high */ @@ -1503,6 +1565,8 @@ nsec3_prove_nods(struct module_env* env, struct val_env* ve, *reason = "no NSEC3 records"; return sec_status_bogus; /* no RRs */ } + if(!param_set_same(&flt, reason)) + return sec_status_bogus; /* nsec3 params from distinct chains*/ if(nsec3_iteration_count_high(ve, &flt, kkey)) return sec_status_insecure; /* iteration count too high */ @@ -1596,6 +1660,8 @@ nsec3_prove_nxornodata(struct module_env* env, struct val_env* ve, filter_init(&flt, list, num, qinfo); /* init RR iterator */ if(!flt.zone) return sec_status_bogus; /* no RRs */ + if(!param_set_same(&flt, NULL)) + return sec_status_bogus; /* nsec3 params from distinct chains*/ if(nsec3_iteration_count_high(ve, &flt, kkey)) return sec_status_insecure; /* iteration count too high */ diff --git a/contrib/unbound/validator/val_nsec3.h b/contrib/unbound/validator/val_nsec3.h index f668a270ff12..a13e92991106 100644 --- a/contrib/unbound/validator/val_nsec3.h +++ b/contrib/unbound/validator/val_nsec3.h @@ -98,6 +98,12 @@ struct sldns_buffer; /** The SHA1 hash algorithm for NSEC3 */ #define NSEC3_HASH_SHA1 0x01 +/** + * Max number of NSEC3 calculations at once, suspend query for later. + * 8 is low enough and allows for cases where multiple proofs are needed. + */ +#define MAX_NSEC3_CALCULATIONS 8 + /** * Cache table for NSEC3 hashes. * It keeps a *pointer* to the region its items are allocated. diff --git a/contrib/unbound/validator/val_utils.c b/contrib/unbound/validator/val_utils.c index 549264d76a1f..4495695ac853 100644 --- a/contrib/unbound/validator/val_utils.c +++ b/contrib/unbound/validator/val_utils.c @@ -1066,10 +1066,10 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig, if(query_dname_compare(name, orig->rrsets[i]->rk.dname) == 0) chase->rrsets[chase->an_numrrsets - +orig->ns_numrrsets+chase->ar_numrrsets++] + +chase->ns_numrrsets+chase->ar_numrrsets++] = orig->rrsets[i]; } else if(rrset_has_signer(orig->rrsets[i], name, len)) { - chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+ + chase->rrsets[chase->an_numrrsets+chase->ns_numrrsets+ chase->ar_numrrsets++] = orig->rrsets[i]; } } From nobody Tue Jun 9 19:19:54 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyf71HDz6gVZn for ; Tue, 09 Jun 2026 19:19:54 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdyf4jZvz3QPq for ; Tue, 09 Jun 2026 19:19:54 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032794; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=5ucOXBywgJOVo8mt28m7QHa1ezs9xW646rnm0iKezFE=; b=HQtc/fyJCvianYmm+NvCn56ix5FDp0x74QjvOB3IoA7zXyyDlXBAbDVjnHqkEA7fn1hfJo q3ciueW94yLPSWA4R6fWiY9JzTuJjmNo8aaBxdmyWrlL81WhxMe7AAPh+QordN0zo5kWDF NiRcrhtE8Dzri0UAmJN3xTJB7ruitxQNM95QAFL/fk+Fu5SmQKRtKK7L4jJubsNpi0xBZB imbdAJzbG+yMLay6eMG6bFmOvkhdisUxowgDHpG1c+2cnqinj4CRdKULlZpdKiB0uaOIWc KeAFymD4eFPfYtikTeHgRo6cJAtFu/vuEwhKDw3OgoA0Jgas365EW6flyNdenQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032794; a=rsa-sha256; cv=none; b=Xljaaig+AkMrYNywiXCJS0Q1nezZs9vqZI12BVXLlySnhVsUSM5e1nGs4bdS2PUzh6mVD7 3pn4zWcPAQbBAgBlaGiekVnzFl8ggSWjppJoIxh1aPz0JVyMN2/NzamIDnx8rHojYigOK/ GbQ0KNprsa8GlfSL68a91fcwABYJh731Vna6VlMQp3XMKJFoB6BOSrEN2vSOAZqPYJlalS ouTVhsS5PJWvuDsW4giAAQOW51CMJgXZYTPlDMhfUMs67Dhx8050dbmsujTka1HkkTNdEn xjFjQMsHmJ2gSNQVoKtA9nQWFaYUqWRuwC5pveNAPs723YuBN+gQ8x0TcQhyRw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032794; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=5ucOXBywgJOVo8mt28m7QHa1ezs9xW646rnm0iKezFE=; b=UmtFrgmw7vuUBVutwtDKLYUwDWEHcpUtLWxGccF23/WadjxODlc2yS4aPzOOkiXnRltegZ shF6oSsNh310MAAvvrgyBTkTzE52u81ULUsZhlqeqQ1D/vnhwEpk6z1ugOc8HJZ6ZAb2HA CMsBAslXbUaC3Z9miZ+0qA1KqOamRzP7s1AcDr96VV6sFU/priDWBrOX69Z0juwLhIfjyw BpOX91RiLtLtMESrp6IrQX/FGrZcmCxCpOYa6m7MK4RI6O/co1aJIZvOZw6okERMeGVgX+ wKLZVkDL6/8Yhi2pIYgm4xUXlEkSno/6MS7WVknFmotCPhaGOxup1scHBgMt7Q== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyf4HV4znCm for ; Tue, 09 Jun 2026 19:19:54 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3ecc8 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:54 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Gordon Tetlow From: Mark Johnston Subject: git: 0d6ccbb7524f - releng/15.0 - openssl: Fix multiple vulnerabilities List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.0 X-Git-Reftype: branch X-Git-Commit: 0d6ccbb7524f150422861c96a87de01ab171e1d0 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:54 +0000 Message-Id: <6a28675a.3ecc8.451815f@gitrepo.freebsd.org> The branch releng/15.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=0d6ccbb7524f150422861c96a87de01ab171e1d0 commit 0d6ccbb7524f150422861c96a87de01ab171e1d0 Author: Gordon Tetlow AuthorDate: 2026-04-29 08:23:24 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 15:39:33 +0000 openssl: Fix multiple vulnerabilities This is a rollup commit from upstream to fix: Reject oversized inputs in ASN1_mbstring_ncopy() cms: kek_unwrap_key: Fix out-of-bounds read in check-byte validation cms: kek_unwrap_key: test for fix out-of-bounds read in check-byte validation Avoid length truncation in ASN1_STRING_set pkcs12: verify that the pbmac1 key length is safe Reject potentially forged encrypted CMS AuthEnvelopedData messages QUIC stack must limit the number of PATH_CHALLENGE frames processed in RX Fix NULL dereference in QUIC address validation Fix potential NULL dereference processing CMS PasswordRecipientInfo Fix potential NULL dereference in OSSL_CRMF_ENCRYPTEDVALUE_decrypt() Enforce implicit rejection for CMS/PKCS#7 decryption Use the correct issuer when validating rootCAKeyUpdate Match the local q DHX parameter against the peer's q Apply the buffered IV on the AES-OCB EVP_Cipher() path Fix handling of empty-ciphertext messages in AES-GCM-SIV and AES-SIV Fix possible use-after-free in OpenSSL PKCS7_verify() Approved by: so Obtained from: OpenSSL Security: FreeBSD-SA-26:35.openssl Security: CVE-2026-7383 Security: CVE-2026-9076 Security: CVE-2026-34180 Security: CVE-2026-34181 Security: CVE-2026-34182 Security: CVE-2026-34183 Security: CVE-2026-42764 Security: CVE-2026-42766 Security: CVE-2026-42767 Security: CVE-2026-42768 Security: CVE-2026-42769 Security: CVE-2026-42770 Security: CVE-2026-45445 Security: CVE-2026-45446 Security: CVE-2026-45447 --- crypto/openssl/crypto/asn1/a_mbstr.c | 31 ++++- crypto/openssl/crypto/asn1/tasn_dec.c | 24 ++-- crypto/openssl/crypto/cmp/cmp_genm.c | 6 +- crypto/openssl/crypto/cms/cms_enc.c | 10 +- crypto/openssl/crypto/cms/cms_env.c | 7 -- crypto/openssl/crypto/cms/cms_pwri.c | 13 +- crypto/openssl/crypto/crmf/crmf_lib.c | 10 +- crypto/openssl/crypto/pkcs12/p12_mutl.c | 8 +- crypto/openssl/crypto/pkcs7/pk7_doit.c | 7 -- crypto/openssl/crypto/pkcs7/pk7_smime.c | 9 +- crypto/openssl/doc/man3/CMS_decrypt.pod | 4 +- crypto/openssl/doc/man3/PKCS7_decrypt.pod | 10 +- crypto/openssl/include/internal/quic_cfq.h | 1 + crypto/openssl/include/internal/quic_channel.h | 1 + crypto/openssl/include/internal/quic_fifd.h | 1 + .../ciphers/cipher_aes_gcm_siv_hw.c | 27 ++-- .../implementations/ciphers/cipher_aes_ocb.c | 13 ++ .../implementations/ciphers/cipher_aes_siv.c | 3 + .../providers/implementations/exchange/dh_exch.c | 5 +- crypto/openssl/ssl/quic/quic_cfq.c | 15 +++ crypto/openssl/ssl/quic/quic_channel.c | 6 + crypto/openssl/ssl/quic/quic_channel_local.h | 39 ++++++ crypto/openssl/ssl/quic/quic_fifd.c | 43 +++++++ crypto/openssl/ssl/quic/quic_port.c | 6 +- crypto/openssl/ssl/quic/quic_rx_depack.c | 60 +++++---- crypto/openssl/ssl/quic/quic_txp.c | 2 + crypto/openssl/test/cmsapitest.c | 48 ++++++- crypto/openssl/test/evp_extra_test.c | 140 +++++++++++++++++++++ crypto/openssl/test/recipes/80-test_cmsapi.t | 3 +- .../80-test_cmsapi_data/cms_pwri_kek_oob.der | Bin 0 -> 193 bytes crypto/openssl/test/recipes/80-test_pkcs12.t | 13 +- .../pbmac1_256_256.bad-key-len.p12 | Bin 0 -> 2803 bytes .../pbmac1_256_256.good-shorter-key-len.p12 | Bin 0 -> 2803 bytes 33 files changed, 472 insertions(+), 93 deletions(-) diff --git a/crypto/openssl/crypto/asn1/a_mbstr.c b/crypto/openssl/crypto/asn1/a_mbstr.c index 2270e63d51d4..962e19b2ceaa 100644 --- a/crypto/openssl/crypto/asn1/a_mbstr.c +++ b/crypto/openssl/crypto/asn1/a_mbstr.c @@ -174,11 +174,27 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, break; case MBSTRING_BMP: + if (nchar > INT_MAX / 2) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_STRING_TOO_LONG); + if (free_out) { + ASN1_STRING_free(dest); + *out = NULL; + } + return -1; + } outlen = nchar << 1; cpyfunc = cpy_bmp; break; case MBSTRING_UNIV: + if (nchar > INT_MAX / 4) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_STRING_TOO_LONG); + if (free_out) { + ASN1_STRING_free(dest); + *out = NULL; + } + return -1; + } outlen = nchar << 2; cpyfunc = cpy_univ; break; @@ -186,8 +202,11 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, case MBSTRING_UTF8: outlen = 0; ret = traverse_string(in, len, inform, out_utf8, &outlen); - if (ret < 0) { - ERR_raise(ERR_LIB_ASN1, ASN1_R_INVALID_UTF8STRING); + if (ret < 0) { /* error already raised in out_utf8() */ + if (free_out) { + ASN1_STRING_free(dest); + *out = NULL; + } return -1; } cpyfunc = cpy_utf8; @@ -270,9 +289,15 @@ static int out_utf8(unsigned long value, void *arg) int *outlen, len; len = UTF8_putc(NULL, -1, value); - if (len <= 0) + if (len <= 0) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_INVALID_UTF8STRING); return len; + } outlen = arg; + if (*outlen > INT_MAX - len) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_STRING_TOO_LONG); + return -1; + } *outlen += len; return 1; } diff --git a/crypto/openssl/crypto/asn1/tasn_dec.c b/crypto/openssl/crypto/asn1/tasn_dec.c index 91c2e524f55b..e9532b9f48f7 100644 --- a/crypto/openssl/crypto/asn1/tasn_dec.c +++ b/crypto/openssl/crypto/asn1/tasn_dec.c @@ -54,7 +54,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx); -static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, +static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len, int utype, char *free_cont, const ASN1_ITEM *it); /* Table to convert tags to bit values, used for MSTRING type */ @@ -855,19 +855,24 @@ err: /* Translate ASN1 content octets into a structure */ -static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, +static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len, int utype, char *free_cont, const ASN1_ITEM *it) { ASN1_VALUE **opval = NULL; ASN1_STRING *stmp; ASN1_TYPE *typ = NULL; int ret = 0; + int ilen = (int)len; const ASN1_PRIMITIVE_FUNCS *pf; ASN1_INTEGER **tint; pf = it->funcs; - if (pf && pf->prim_c2i) - return pf->prim_c2i(pval, cont, len, utype, free_cont, it); + if (pf && pf->prim_c2i) { + if (len == (long)ilen) + return pf->prim_c2i(pval, cont, ilen, utype, free_cont, it); + ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG); + return 0; + } /* If ANY type clear type and set pointer to internal value */ if (it->utype == V_ASN1_ANY) { if (*pval == NULL) { @@ -885,7 +890,8 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, } switch (utype) { case V_ASN1_OBJECT: - if (!ossl_c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len)) + if (len != (long)ilen + || !ossl_c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, ilen)) goto err; break; @@ -940,6 +946,10 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, case V_ASN1_SET: case V_ASN1_SEQUENCE: default: + if (len != (long)ilen) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG); + goto err; + } if (utype == V_ASN1_BMPSTRING && (len & 1)) { ERR_raise(ERR_LIB_ASN1, ASN1_R_BMPSTRING_IS_WRONG_LENGTH); goto err; @@ -970,10 +980,10 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, } /* If we've already allocated a buffer use it */ if (*free_cont) { - ASN1_STRING_set0(stmp, (unsigned char *)cont /* UGLY CAST! */, len); + ASN1_STRING_set0(stmp, (unsigned char *)cont /* UGLY CAST! */, ilen); *free_cont = 0; } else { - if (!ASN1_STRING_set(stmp, cont, len)) { + if (!ASN1_STRING_set(stmp, cont, ilen)) { ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB); ASN1_STRING_free(stmp); *pval = NULL; diff --git a/crypto/openssl/crypto/cmp/cmp_genm.c b/crypto/openssl/crypto/cmp/cmp_genm.c index bcc121f14695..ec1f03d20c1a 100644 --- a/crypto/openssl/crypto/cmp/cmp_genm.c +++ b/crypto/openssl/crypto/cmp/cmp_genm.c @@ -202,7 +202,7 @@ static int selfsigned_verify_cb(int ok, X509_STORE_CTX *store_ctx) for (i = 0; i < sk_X509_num(trust); i++) { issuer = sk_X509_value(trust, i); if ((*check_issued)(store_ctx, cert, issuer)) { - if (X509_add_cert(chain, cert, X509_ADD_FLAG_UP_REF)) + if (X509_add_cert(chain, issuer, X509_ADD_FLAG_UP_REF)) ok = 1; break; } @@ -235,6 +235,7 @@ static int verify_ss_cert(OSSL_LIB_CTX *libctx, const char *propq, if ((csc = X509_STORE_CTX_new_ex(libctx, propq)) == NULL || !X509_STORE_CTX_init(csc, ts, target, untrusted)) goto err; + X509_STORE_CTX_set_flags(csc, X509_V_FLAG_CHECK_SS_SIGNATURE); X509_STORE_CTX_set_verify_cb(csc, selfsigned_verify_cb); ok = X509_verify_cert(csc) > 0; @@ -253,7 +254,8 @@ verify_ss_cert_trans(OSSL_CMP_CTX *ctx, X509 *trusted /* may be NULL */, int res = 0; if (trusted != NULL) { - X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts); + X509_VERIFY_PARAM *vpm = (ts == NULL) ? NULL + : X509_STORE_get0_param(ts); if ((ts = X509_STORE_new()) == NULL) return 0; diff --git a/crypto/openssl/crypto/cms/cms_enc.c b/crypto/openssl/crypto/cms/cms_enc.c index 08afb5ab114b..ba7082cebd72 100644 --- a/crypto/openssl/crypto/cms/cms_enc.c +++ b/crypto/openssl/crypto/cms/cms_enc.c @@ -109,13 +109,15 @@ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, goto err; } piv = aparams.iv; - if (ec->taglen > 0 - && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, - ec->taglen, ec->tag) - <= 0) { + + if (ec->taglen < 4 || ec->taglen > 16 + || EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, (int)ec->taglen, ec->tag) <= 0) { ERR_raise(ERR_LIB_CMS, CMS_R_CIPHER_AEAD_SET_TAG_ERROR); goto err; } + } else if (auth) { + ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM); + goto err; } } len = EVP_CIPHER_CTX_get_key_length(ctx); diff --git a/crypto/openssl/crypto/cms/cms_env.c b/crypto/openssl/crypto/cms/cms_env.c index 0828d157fad6..70dd59c06169 100644 --- a/crypto/openssl/crypto/cms/cms_env.c +++ b/crypto/openssl/crypto/cms/cms_env.c @@ -619,13 +619,6 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, if (!ossl_cms_env_asn1_ctrl(ri, 1)) goto err; - if (EVP_PKEY_is_a(pkey, "RSA")) - /* upper layer CMS code incorrectly assumes that a successful RSA - * decryption means that the key matches ciphertext (which never - * was the case, implicit rejection or not), so to make it work - * disable implicit rejection for RSA keys */ - EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_pkcs1_implicit_rejection", "0"); - if (evp_pkey_decrypt_alloc(ktri->pctx, &ek, &eklen, fixlen, ktri->encryptedKey->data, ktri->encryptedKey->length) diff --git a/crypto/openssl/crypto/cms/cms_pwri.c b/crypto/openssl/crypto/cms/cms_pwri.c index d62dbbde881b..faf6a164669b 100644 --- a/crypto/openssl/crypto/cms/cms_pwri.c +++ b/crypto/openssl/crypto/cms/cms_pwri.c @@ -200,18 +200,18 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen, const unsigned char *in, size_t inlen, EVP_CIPHER_CTX *ctx) { - size_t blocklen = EVP_CIPHER_CTX_get_block_size(ctx); + int blocklen = EVP_CIPHER_CTX_get_block_size(ctx); unsigned char *tmp; int outl, rv = 0; - if (blocklen == 0) + if (blocklen < 4) return 0; - if (inlen < 2 * blocklen) { + if (inlen < 2 * (size_t)blocklen) { /* too small */ return 0; } - if (inlen % blocklen) { + if (inlen > INT_MAX || inlen % blocklen) { /* Invalid size */ return 0; } @@ -367,6 +367,11 @@ int ossl_cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms, /* Finish password based key derivation to setup key in "ctx" */ + if (algtmp == NULL) { + ERR_raise_data(ERR_LIB_CMS, CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER, + "Missing KeyDerivationAlgorithm"); + goto err; + } if (!EVP_PBE_CipherInit_ex(algtmp->algorithm, (char *)pwri->pass, (int)pwri->passlen, algtmp->parameter, kekctx, en_de, diff --git a/crypto/openssl/crypto/crmf/crmf_lib.c b/crypto/openssl/crypto/crmf/crmf_lib.c index d5c8983b2fd4..34477d52662d 100644 --- a/crypto/openssl/crypto/crmf/crmf_lib.c +++ b/crypto/openssl/crypto/crmf/crmf_lib.c @@ -766,6 +766,7 @@ unsigned char *OSSL_CRMF_ENCRYPTEDVALUE_decrypt(const OSSL_CRMF_ENCRYPTEDVALUE * EVP_CIPHER *cipher = NULL; /* used cipher */ int cikeysize = 0; /* key size from cipher */ unsigned char *iv = NULL; /* initial vector for symmetric encryption */ + int iv_len; /* iv length */ unsigned char *out = NULL; /* decryption output buffer */ int n, ret = 0; EVP_PKEY_CTX *pkctx = NULL; /* private key context */ @@ -820,11 +821,12 @@ unsigned char *OSSL_CRMF_ENCRYPTEDVALUE_decrypt(const OSSL_CRMF_ENCRYPTEDVALUE * } else { goto end; } - if ((iv = OPENSSL_malloc(EVP_CIPHER_get_iv_length(cipher))) == NULL) + iv_len = EVP_CIPHER_get_iv_length(cipher); + if ((iv = OPENSSL_malloc(iv_len)) == NULL) goto end; - if (ASN1_TYPE_get_octetstring(enc->symmAlg->parameter, iv, - EVP_CIPHER_get_iv_length(cipher)) - != EVP_CIPHER_get_iv_length(cipher)) { + if (enc->symmAlg->parameter == NULL + || ASN1_TYPE_get_octetstring(enc->symmAlg->parameter, iv, iv_len) + != iv_len) { ERR_raise(ERR_LIB_CRMF, CRMF_R_MALFORMED_IV); goto end; } diff --git a/crypto/openssl/crypto/pkcs12/p12_mutl.c b/crypto/openssl/crypto/pkcs12/p12_mutl.c index 01956252df76..15072e12f26b 100644 --- a/crypto/openssl/crypto/pkcs12/p12_mutl.c +++ b/crypto/openssl/crypto/pkcs12/p12_mutl.c @@ -144,11 +144,13 @@ static int PBMAC1_PBKDF2_HMAC(OSSL_LIB_CTX *ctx, const char *propq, } pbkdf2_salt = pbkdf2_param->salt->value.octet_string; - /* RFC 9579 specifies missing key length as invalid */ + /* RFC 9879 specifies missing key length as invalid */ if (pbkdf2_param->keylength != NULL) keylen = ASN1_INTEGER_get(pbkdf2_param->keylength); - if (keylen <= 0 || keylen > EVP_MAX_MD_SIZE) { - ERR_raise(ERR_LIB_PKCS12, PKCS12_R_PARSE_ERROR); + /* RFC 9879 specifies too short key length as untrustworthy too */ + if (keylen < 20 || keylen > EVP_MAX_MD_SIZE) { + ERR_raise_data(ERR_LIB_PKCS12, PKCS12_R_PARSE_ERROR, + "Invalid Key length (%d is not in the range 20..64)", keylen); goto err; } diff --git a/crypto/openssl/crypto/pkcs7/pk7_doit.c b/crypto/openssl/crypto/pkcs7/pk7_doit.c index d6513cf3a379..1ec7895fc197 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_doit.c +++ b/crypto/openssl/crypto/pkcs7/pk7_doit.c @@ -203,13 +203,6 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, if (EVP_PKEY_decrypt_init(pctx) <= 0) goto err; - if (EVP_PKEY_is_a(pkey, "RSA")) - /* upper layer pkcs7 code incorrectly assumes that a successful RSA - * decryption means that the key matches ciphertext (which never - * was the case, implicit rejection or not), so to make it work - * disable implicit rejection for RSA keys */ - EVP_PKEY_CTX_ctrl_str(pctx, "rsa_pkcs1_implicit_rejection", "0"); - ret = evp_pkey_decrypt_alloc(pctx, &ek, &eklen, fixlen, ri->enc_key->data, ri->enc_key->length); if (ret <= 0) diff --git a/crypto/openssl/crypto/pkcs7/pk7_smime.c b/crypto/openssl/crypto/pkcs7/pk7_smime.c index 97f20058979f..dc003ee2affd 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_smime.c +++ b/crypto/openssl/crypto/pkcs7/pk7_smime.c @@ -222,6 +222,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, int i, j = 0, k, ret = 0; BIO *p7bio = NULL; BIO *tmpout = NULL; + BIO *next = NULL; const PKCS7_CTX *p7_ctx; if (p7 == NULL) { @@ -352,9 +353,11 @@ err: BIO_free(tmpout); X509_STORE_CTX_free(cert_ctx); OPENSSL_free(buf); - if (indata != NULL) - BIO_pop(p7bio); - BIO_free_all(p7bio); + while (p7bio != NULL && p7bio != indata) { + next = BIO_pop(p7bio); + BIO_free(p7bio); + p7bio = next; + } sk_X509_free(signers); sk_X509_free(untrusted); return ret; diff --git a/crypto/openssl/doc/man3/CMS_decrypt.pod b/crypto/openssl/doc/man3/CMS_decrypt.pod index 121b74a30a10..66a94287b6f5 100644 --- a/crypto/openssl/doc/man3/CMS_decrypt.pod +++ b/crypto/openssl/doc/man3/CMS_decrypt.pod @@ -68,7 +68,7 @@ then the above behaviour is modified and an error B returned if no recipient encrypted key can be decrypted B generating a random content encryption key. Applications should use this flag with B especially in automated gateways as it can leave them -open to attack. +open to attack. See L for more details. It is possible to determine the correct recipient key by other means (for example looking them up in a database) and setting them in the CMS structure @@ -103,7 +103,7 @@ mentioned in CMS_verify() also applies to CMS_decrypt(). =head1 SEE ALSO -L, L +L, L, L =head1 HISTORY diff --git a/crypto/openssl/doc/man3/PKCS7_decrypt.pod b/crypto/openssl/doc/man3/PKCS7_decrypt.pod index aea15937ab86..cfb5b3f87376 100644 --- a/crypto/openssl/doc/man3/PKCS7_decrypt.pod +++ b/crypto/openssl/doc/man3/PKCS7_decrypt.pod @@ -22,6 +22,14 @@ B is an optional set of flags. Although the recipients certificate is not needed to decrypt the data it is needed to locate the appropriate (of possible several) recipients in the PKCS#7 structure. +When RSA PKCS#1 v1.5 Key Transport is in use, the invoked EVP_PKEY_decrypt() +will use implicit rejection mechanism. It always returns the result of RSA +decryption of the symmetric key to avoid Marvin attack. This result is +deterministic and can happen to match the symmetric cipher used for the content +encryption. In case when the certificate is not provided, the last +RecipientInfo producing the key looking valid will be used. It may cause +getting garbage content on decryption. + The following flags can be passed in the B parameter. If the B flag is set MIME headers for type B are deleted @@ -43,7 +51,7 @@ mentioned in PKCS7_sign() also applies to PKCS7_verify(). =head1 SEE ALSO -L, L +L, L, L =head1 COPYRIGHT diff --git a/crypto/openssl/include/internal/quic_cfq.h b/crypto/openssl/include/internal/quic_cfq.h index 0b2a3a4cb2d6..96c8d89eb600 100644 --- a/crypto/openssl/include/internal/quic_cfq.h +++ b/crypto/openssl/include/internal/quic_cfq.h @@ -149,6 +149,7 @@ QUIC_CFQ_ITEM *ossl_quic_cfq_get_priority_head(const QUIC_CFQ *cfq, QUIC_CFQ_ITEM *ossl_quic_cfq_item_get_priority_next(const QUIC_CFQ_ITEM *item, uint32_t pn_space); +int ossl_quic_cfq_discard_unreliable(QUIC_CFQ *cfq, QUIC_CFQ_ITEM *item); #endif #endif diff --git a/crypto/openssl/include/internal/quic_channel.h b/crypto/openssl/include/internal/quic_channel.h index b917b966abeb..cfaeab728178 100644 --- a/crypto/openssl/include/internal/quic_channel.h +++ b/crypto/openssl/include/internal/quic_channel.h @@ -468,6 +468,7 @@ int ossl_quic_bind_channel(QUIC_CHANNEL *ch, const BIO_ADDR *peer, const QUIC_CONN_ID *scid, const QUIC_CONN_ID *dcid, const QUIC_CONN_ID *odcid); +void ossl_ch_reset_rx_state(QUIC_CHANNEL *ch); #endif #endif diff --git a/crypto/openssl/include/internal/quic_fifd.h b/crypto/openssl/include/internal/quic_fifd.h index 4ea7a2e0d226..afa330cbc4a2 100644 --- a/crypto/openssl/include/internal/quic_fifd.h +++ b/crypto/openssl/include/internal/quic_fifd.h @@ -83,6 +83,7 @@ int ossl_quic_fifd_pkt_commit(QUIC_FIFD *fifd, QUIC_TXPIM_PKT *pkt); void ossl_quic_fifd_set_qlog_cb(QUIC_FIFD *fifd, QLOG *(*get_qlog_cb)(void *arg), void *arg); +void ossl_quic_fifd_pkt_discard_unreliable(QUIC_FIFD *fifd, QUIC_TXPIM_PKT *tpkt); #endif #endif diff --git a/crypto/openssl/providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c b/crypto/openssl/providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c index d0b6ae4b070d..5bdc567b4bb1 100644 --- a/crypto/openssl/providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c +++ b/crypto/openssl/providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c @@ -58,6 +58,9 @@ static int aes_gcm_siv_initkey(void *vctx) memset(&data, 0, sizeof(data)); memcpy(&data.block[sizeof(data.counter)], ctx->nonce, NONCE_SIZE); + ctx->generated_tag = 0; + memset(ctx->tag, 0, TAG_SIZE); + /* msg_auth_key is always 16 bytes in size, regardless of AES128/AES256 */ /* counter is stored little-endian */ for (i = 0; i < BLOCK_SIZE; i += 8) { @@ -134,17 +137,6 @@ static int aes_gcm_siv_aad(PROV_AES_GCM_SIV_CTX *ctx, return 1; } -static int aes_gcm_siv_finish(PROV_AES_GCM_SIV_CTX *ctx) -{ - int ret = 0; - - if (ctx->enc) - return ctx->generated_tag; - ret = !CRYPTO_memcmp(ctx->tag, ctx->user_tag, sizeof(ctx->tag)); - ret &= ctx->have_user_tag; - return ret; -} - static int aes_gcm_siv_encrypt(PROV_AES_GCM_SIV_CTX *ctx, const unsigned char *in, unsigned char *out, size_t len) { @@ -271,6 +263,19 @@ static int aes_gcm_siv_decrypt(PROV_AES_GCM_SIV_CTX *ctx, const unsigned char *i return !error; } +static int aes_gcm_siv_finish(PROV_AES_GCM_SIV_CTX *ctx) +{ + int ret = 0; + + if (ctx->enc) + return ctx->generated_tag; + if (!ctx->generated_tag) + aes_gcm_siv_decrypt(ctx, NULL, NULL, 0); + ret = !CRYPTO_memcmp(ctx->tag, ctx->user_tag, sizeof(ctx->tag)); + ret &= ctx->have_user_tag; + return ret; +} + static int aes_gcm_siv_cipher(void *vctx, unsigned char *out, const unsigned char *in, size_t len) { diff --git a/crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c b/crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c index b724c425e392..99254cb49a88 100644 --- a/crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c +++ b/crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c @@ -514,6 +514,19 @@ static int aes_ocb_cipher(void *vctx, unsigned char *out, size_t *outl, return 0; } + /* + * Mirror the streaming handler: refuse if the key has not been set, + * and push the buffered IV into the OCB context before any data is + * processed. Without this, CRYPTO_ocb128_encrypt/decrypt runs with + * Offset_0 = 0 regardless of the caller's IV -- catastrophic + * (key, nonce) reuse, and a subsequent EVP_*Final_ex() emits a tag + * that is a function of (key, iv) only. + */ + if (!ctx->key_set || !update_iv(ctx)) { + ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED); + return 0; + } + if (!aes_generic_ocb_cipher(ctx, in, out, inl)) { ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED); return 0; diff --git a/crypto/openssl/providers/implementations/ciphers/cipher_aes_siv.c b/crypto/openssl/providers/implementations/ciphers/cipher_aes_siv.c index 96f26757abe2..754e0757cda3 100644 --- a/crypto/openssl/providers/implementations/ciphers/cipher_aes_siv.c +++ b/crypto/openssl/providers/implementations/ciphers/cipher_aes_siv.c @@ -192,6 +192,7 @@ static int aes_siv_set_ctx_params(void *vctx, const OSSL_PARAM params[]) PROV_AES_SIV_CTX *ctx = (PROV_AES_SIV_CTX *)vctx; const OSSL_PARAM *p; unsigned int speed = 0; + SIV128_CONTEXT *sctx = &ctx->siv; if (ossl_param_is_empty(params)) return 1; @@ -226,6 +227,8 @@ static int aes_siv_set_ctx_params(void *vctx, const OSSL_PARAM params[]) if (keylen != ctx->keylen) return 0; } + sctx->final_ret = -1; + return 1; } diff --git a/crypto/openssl/providers/implementations/exchange/dh_exch.c b/crypto/openssl/providers/implementations/exchange/dh_exch.c index 94d4254ed5d2..2bfefc0aedf4 100644 --- a/crypto/openssl/providers/implementations/exchange/dh_exch.c +++ b/crypto/openssl/providers/implementations/exchange/dh_exch.c @@ -146,12 +146,15 @@ static int dh_init(void *vpdhctx, void *vdh, const OSSL_PARAM params[]) static int dh_match_params(DH *priv, DH *peer) { int ret; + int ignore_q = 1; FFC_PARAMS *dhparams_priv = ossl_dh_get0_params(priv); FFC_PARAMS *dhparams_peer = ossl_dh_get0_params(peer); + if (dhparams_priv != NULL && dhparams_priv->q != NULL) + ignore_q = 0; ret = dhparams_priv != NULL && dhparams_peer != NULL - && ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, 1); + && ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, ignore_q); if (!ret) ERR_raise(ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS); return ret; diff --git a/crypto/openssl/ssl/quic/quic_cfq.c b/crypto/openssl/ssl/quic/quic_cfq.c index 3c59234ff0ff..16818e55f57d 100644 --- a/crypto/openssl/ssl/quic/quic_cfq.c +++ b/crypto/openssl/ssl/quic/quic_cfq.c @@ -7,6 +7,7 @@ * https://www.openssl.org/source/license.html */ +#include "internal/quic_channel.h" #include "internal/quic_cfq.h" #include "internal/numbers.h" @@ -307,6 +308,20 @@ void ossl_quic_cfq_mark_lost(QUIC_CFQ *cfq, QUIC_CFQ_ITEM *item, } } +int ossl_quic_cfq_discard_unreliable(QUIC_CFQ *cfq, QUIC_CFQ_ITEM *item) +{ + int discarded; + + if (ossl_quic_cfq_item_is_unreliable(item)) { + ossl_quic_cfq_release(cfq, item); + discarded = 1; + } else { + discarded = 0; + } + + return discarded; +} + /* * Releases a CFQ item. The item may be in either state (NEW or TX) prior to the * call. The QUIC_CFQ_ITEM pointer must not be used following this call. diff --git a/crypto/openssl/ssl/quic/quic_channel.c b/crypto/openssl/ssl/quic/quic_channel.c index 13692e5bd09e..5f81a8560d5f 100644 --- a/crypto/openssl/ssl/quic/quic_channel.c +++ b/crypto/openssl/ssl/quic/quic_channel.c @@ -2213,6 +2213,12 @@ static void ch_rx_check_forged_pkt_limit(QUIC_CHANNEL *ch) "forgery limit"); } +void ossl_ch_reset_rx_state(QUIC_CHANNEL *ch) +{ + ch->did_crypto_frame = 0; + ch->seen_path_challenge = 0; +} + /* Process queued incoming packets and handle frames, if any. */ static int ch_rx(QUIC_CHANNEL *ch, int channel_only, int *notify_other_threads) { diff --git a/crypto/openssl/ssl/quic/quic_channel_local.h b/crypto/openssl/ssl/quic/quic_channel_local.h index ae443fccca1e..e40b4901cbc7 100644 --- a/crypto/openssl/ssl/quic/quic_channel_local.h +++ b/crypto/openssl/ssl/quic/quic_channel_local.h @@ -12,6 +12,28 @@ #include "internal/quic_stream_map.h" #include "internal/quic_tls.h" +/* + * This is a part of PATH_CHALLENGE flood [1] mitigation. This limits the + * number of PATH_CHALLENGE frames QUIC stack is willing to process for + * connection. Local QUIC stack creates PATH_RESPONSE frame for PATH_CHALLENGE + * frame it receives from remote peer. The response frame is put Control Frame + * Queue waiting to be dispatched. The PATH_RESPONSE frame is removed from CFQ + * after it is dispatched. The QUIC_PATH_RESPONSE_QLEN limits the number of + * PATH_RESPONSE frames waiting to be dispatched. No new PATH_RESPONSE frames + * are inserted into CFQ if queue limit is exceeded. + * + * QUIC implementations use different limits for PATH_RESPONSE queue lengths: + * quic-go defines maxPathResponses as 256 + * quiche from cloadflare sets DEFAULT_MAX_PATH_CHALLENGE_RX_QUEUE_LEN to 3 + * t-quic from tencent chooses MAX_PATH_CHALS_RECV to be 8 + * + * OpenSSL here introduces QUIC_PATH_RESPONSE_QLEN as 32. + * + * [1] https://www.ietf.org/archive/id/draft-chen-quic-logical-vuln-mitigations-00.txt + * (section 4.2) + */ +#define QUIC_PATH_RESPONSE_QLEN 32 + /* * QUIC Channel Structure * ====================== @@ -457,6 +479,18 @@ struct quic_channel_st { /* Has qlog been requested? */ unsigned int is_tserver_ch : 1; + /* + * RFC 9000 Section 9.2.1 says: + * However, an endpoint SHOULD NOT send multiple + * PATH_CHALLENGE frames in a single packet. + * The counter here allows us to detect multiple presence + * of PATH_CHALLENGE frame in packet. We process only the + * first PATH_CHALLENGE frame found in packet. Remaining PATH_CHALLENGE + * frames are ignored. + * seen_path_challenge flag is always reset before + * ossl_quic_handle_frames() gets called. + */ + unsigned int seen_path_challenge : 1; /* Saved error stack in case permanent error was encountered */ ERR_STATE *err_state; @@ -467,6 +501,11 @@ struct quic_channel_st { /* Title for qlog purposes. We own this copy. */ char *qlog_title; + /* + * number of path responses waiting to be dispatched + * from control frame queue (CFQ) + */ + unsigned int path_response_limit; }; #endif diff --git a/crypto/openssl/ssl/quic/quic_fifd.c b/crypto/openssl/ssl/quic/quic_fifd.c index 03b8cebd3057..e80483b501d7 100644 --- a/crypto/openssl/ssl/quic/quic_fifd.c +++ b/crypto/openssl/ssl/quic/quic_fifd.c @@ -310,3 +310,46 @@ void ossl_quic_fifd_set_qlog_cb(QUIC_FIFD *fifd, QLOG *(*get_qlog_cb)(void *arg) fifd->get_qlog_cb = get_qlog_cb; fifd->get_qlog_cb_arg = get_qlog_cb_arg; } + +static void txpim_pkt_remove_cfq_item(QUIC_TXPIM_PKT *pkt, QUIC_CFQ_ITEM *cfq_item) +{ + QUIC_CFQ_ITEM *prev = cfq_item->pkt_prev; + + if (prev != NULL) { + prev->pkt_next = cfq_item->pkt_next; + } else { + pkt->retx_head = cfq_item->pkt_next; + } + + if (cfq_item->pkt_next != NULL) + cfq_item->pkt_next->pkt_prev = prev; + + cfq_item->pkt_prev = NULL; + cfq_item->pkt_next = NULL; +} + +void ossl_quic_fifd_pkt_discard_unreliable(QUIC_FIFD *fifd, QUIC_TXPIM_PKT *pkt) +{ + QUIC_CFQ_ITEM *cfq_item, *cfq_next; + + /* + * The packet has been written to network. We can discard frames we don't + * retransmit when loss is detected. + */ + cfq_item = pkt->retx_head; + while (cfq_item != NULL) { + /* + * Discarded items are moved to free list. If item + * got moved to free list we must also remove it from + * cfq list kept in pkt, so ACKM does not find it when + * receives an ACK for pkt. + */ + if (ossl_quic_cfq_discard_unreliable(fifd->cfq, cfq_item)) { + cfq_next = cfq_item->pkt_next; + txpim_pkt_remove_cfq_item(pkt, cfq_item); + cfq_item = cfq_next; + } else { + cfq_item = cfq_item->pkt_next; + } + } +} diff --git a/crypto/openssl/ssl/quic/quic_port.c b/crypto/openssl/ssl/quic/quic_port.c index 1e247e1ec624..dc79485b96a5 100644 --- a/crypto/openssl/ssl/quic/quic_port.c +++ b/crypto/openssl/ssl/quic/quic_port.c @@ -1666,8 +1666,10 @@ static void port_default_packet_handler(QUIC_URXE *e, void *arg, * forget qrx so channel can create a new one * with valid initial encryption level keys. */ - qrx_src = qrx; - qrx = NULL; + if (qrx != NULL) { + qrx_src = qrx; + qrx = NULL; + } } port_bind_channel(port, &e->peer, &scid, &hdr.dst_conn_id, diff --git a/crypto/openssl/ssl/quic/quic_rx_depack.c b/crypto/openssl/ssl/quic/quic_rx_depack.c index 786af9b4c221..1bdb43b7d639 100644 --- a/crypto/openssl/ssl/quic/quic_rx_depack.c +++ b/crypto/openssl/ssl/quic/quic_rx_depack.c @@ -931,6 +931,12 @@ static int depack_do_frame_retire_conn_id(PACKET *pkt, static void free_path_response(unsigned char *buf, size_t buf_len, void *arg) { + QUIC_CHANNEL *ch = (QUIC_CHANNEL *)arg; + + assert(ch->path_response_limit > 0); + + ch->path_response_limit--; + OPENSSL_free(buf); } @@ -951,33 +957,39 @@ static int depack_do_frame_path_challenge(PACKET *pkt, return 0; } - /* - * RFC 9000 s. 8.2.2: On receiving a PATH_CHALLENGE frame, an endpoint MUST - * respond by echoing the data contained in the PATH_CHALLENGE frame in a - * PATH_RESPONSE frame. - * - * TODO(QUIC FUTURE): We should try to avoid allocation here in the future. - */ - encoded_len = sizeof(uint64_t) + 1; - if ((encoded = OPENSSL_malloc(encoded_len)) == NULL) - goto err; + if (ch->seen_path_challenge == 0 + && ch->path_response_limit < QUIC_PATH_RESPONSE_QLEN) { + /* + * RFC 9000 s. 8.2.2: On receiving a PATH_CHALLENGE frame, an endpoint + * MUST respond by echoing the data contained in the PATH_CHALLENGE + * frame in a PATH_RESPONSE frame. + * + * TODO(QUIC FUTURE): We should try to avoid allocation here in the + * future. + */ + encoded_len = sizeof(uint64_t) + 1; + if ((encoded = OPENSSL_malloc(encoded_len)) == NULL) + goto err; - if (!WPACKET_init_static_len(&wpkt, encoded, encoded_len, 0)) - goto err; + if (!WPACKET_init_static_len(&wpkt, encoded, encoded_len, 0)) + goto err; - if (!ossl_quic_wire_encode_frame_path_response(&wpkt, frame_data)) { - WPACKET_cleanup(&wpkt); - goto err; - } + if (!ossl_quic_wire_encode_frame_path_response(&wpkt, frame_data)) { + WPACKET_cleanup(&wpkt); + goto err; + } - WPACKET_finish(&wpkt); + WPACKET_finish(&wpkt); - if (!ossl_quic_cfq_add_frame(ch->cfq, 0, QUIC_PN_SPACE_APP, - OSSL_QUIC_FRAME_TYPE_PATH_RESPONSE, - QUIC_CFQ_ITEM_FLAG_UNRELIABLE, - encoded, encoded_len, - free_path_response, NULL)) - goto err; + if (!ossl_quic_cfq_add_frame(ch->cfq, 0, QUIC_PN_SPACE_APP, + OSSL_QUIC_FRAME_TYPE_PATH_RESPONSE, + QUIC_CFQ_ITEM_FLAG_UNRELIABLE, + encoded, encoded_len, + free_path_response, ch)) + goto err; + ch->seen_path_challenge = 1; + ch->path_response_limit++; + } return 1; @@ -1432,7 +1444,7 @@ int ossl_quic_handle_frames(QUIC_CHANNEL *ch, OSSL_QRX_PKT *qpacket) if (ch == NULL) return 0; - ch->did_crypto_frame = 0; + ossl_ch_reset_rx_state(ch); /* Initialize |ackm_data| (and reinitialize |ok|)*/ memset(&ackm_data, 0, sizeof(ackm_data)); diff --git a/crypto/openssl/ssl/quic/quic_txp.c b/crypto/openssl/ssl/quic/quic_txp.c index 44aaad868d2f..b2565c1a9fee 100644 --- a/crypto/openssl/ssl/quic/quic_txp.c +++ b/crypto/openssl/ssl/quic/quic_txp.c @@ -3133,6 +3133,8 @@ static int txp_pkt_commit(OSSL_QUIC_TX_PACKETISER *txp, --probe_info->pto[pn_space]; } + ossl_quic_fifd_pkt_discard_unreliable(&txp->fifd, tpkt); + return rc; } diff --git a/crypto/openssl/test/cmsapitest.c b/crypto/openssl/test/cmsapitest.c index 0752d14df09c..d908bc6fc4c4 100644 --- a/crypto/openssl/test/cmsapitest.c +++ b/crypto/openssl/test/cmsapitest.c @@ -21,6 +21,7 @@ static X509 *cert = NULL; static EVP_PKEY *privkey = NULL; static char *derin = NULL; static char *too_long_iv_cms_in = NULL; +static char *pwri_kek_oob_der_in = NULL; static int test_encrypt_decrypt(const EVP_CIPHER *cipher) { @@ -512,7 +513,48 @@ end: return ret; } -OPT_TEST_DECLARE_USAGE("certfile privkeyfile derfile\n") +/* + * CMS EnvelopedData with a single PasswordRecipientInfo using + * id-alg-PWRI-KEK and an AES-128-CFB key encryption cipher + * (1-byte effective block size). The encryptedKey OCTET STRING is + * only two bytes long, so the wrapped key buffer is shorter than + * the seven octets read by the check-byte test in kek_unwrap_key(). + * Prior to CVE-2026-9076 this triggered an out-of-bounds heap read; + * CMS_decrypt() must now fail cleanly. + */ +static int test_pwri_kek_unwrap_short_encrypted_key(void) +{ + BIO *in = NULL; + CMS_ContentInfo *cms = NULL; + unsigned long err = 0; + int ret = 0; + + if (!TEST_ptr(in = BIO_new_file(pwri_kek_oob_der_in, "rb")) + || !TEST_ptr(cms = d2i_CMS_bio(in, NULL))) + goto end; + + /* + * The unwrap is attempted eagerly inside CMS_decrypt_set1_password(). + * It must fail cleanly (no OOB read) and report CMS_R_UNWRAP_FAILURE. + */ + if (!TEST_false(CMS_decrypt_set1_password(cms, + (unsigned char *)"password", -1))) + goto end; + + err = ERR_peek_last_error(); + if (!TEST_int_eq(ERR_GET_LIB(err), ERR_LIB_CMS) + || !TEST_int_eq(ERR_GET_REASON(err), CMS_R_UNWRAP_FAILURE)) + goto end; + + ERR_clear_error(); + ret = 1; +end: + CMS_ContentInfo_free(cms); + BIO_free(in); + return ret; +} + +OPT_TEST_DECLARE_USAGE("certfile privkeyfile derfile tooLongIVpem pwriKekOobDer\n") int setup_tests(void) { @@ -527,7 +569,8 @@ int setup_tests(void) if (!TEST_ptr(certin = test_get_argument(0)) || !TEST_ptr(privkeyin = test_get_argument(1)) || !TEST_ptr(derin = test_get_argument(2)) - || !TEST_ptr(too_long_iv_cms_in = test_get_argument(3))) + || !TEST_ptr(too_long_iv_cms_in = test_get_argument(3)) + || !TEST_ptr(pwri_kek_oob_der_in = test_get_argument(4))) *** 235 LINES SKIPPED *** From nobody Tue Jun 9 19:19:53 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyf02Ksz6gVTM for ; Tue, 09 Jun 2026 19:19:53 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdyd3z2Sz3Qbg for ; Tue, 09 Jun 2026 19:19:53 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032793; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=OVLD569+lxtbae578ncr4WDt6z6O8DwVLHoDj7eYAHs=; b=cwRZShZaNdPO5rz/oHYnTg5WGxCdGyVVWbZgEza00WyMc/RcQe6IIT5M2MoNgGPNVNyscc PjkAon4TrfFgsG6f73cZknowbmf5fXeGu5y5UB74rSQVZl5F5SJFjFULK76JYS0kpFwEPQ UMFhDVT1kDKxGI2leH3gkdZ7shaEhGa7rxsdLkpk9octlQzx9DOMpvbG9kLt2xIkRueuKE ryrelkdodj7LfFex0SFGNj7kb1kyOydLE/85XQU/cO9+90I0qU3DyHQrUSTWCDEFFF9zOr uJiu6a/rogXjHB+4+sF7mAXZz9B8UwRKAeTpSo7VBgkVkJKRbMwRJla7jpUvqA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032793; a=rsa-sha256; cv=none; b=dZgRGj2SJzRCi8OgIsl+jEmImyQFYQ5tWxQklgZ6X4r2O5VLSNSoyU0DdxRDl3FrkvcMuX bVq1W/M0Yaw0B/nvonzLUXSxmZ1I1B85lbXokXR0bg7bs3i408SPHbP6Oaq4/TN6YNhsbI 2thbD7J0gwVO+kaRSebwDHIUkyugcsH4lcyGz1jsrudYuUoQJ+SmRYnhudKBcZ+P+cXacA rqsikRjE2ER69TNbnC49/RSxz0hvGQbmiFS0U2IOOASvpFRDVbN4HpgHUcclbnxeHp1+C5 CtRbp+UmU1kYxMxHOTpyV9RrVKWOUI9XbfVOl1Eil/O5N4YY+0y8dUdObCoHww== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032793; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=OVLD569+lxtbae578ncr4WDt6z6O8DwVLHoDj7eYAHs=; b=gG0O75iBnACRYWlDfryvEECX0Flma3fK4Tz2TZVb4qJfTVl/y52+nUY2gBGuL7tKQeCRnl 3tbqdinjQ6pzlA5WHw1w5r29n6m+IRdYNs/n+Pg6/UpdOwvMU72r+nl5rXtvGjXxE7Z/1u ay5T92/1jGZRqNgaiuUlUm7nymmm4k+A0BgFoVi2d34iMkRPgXDhNhqzB6espbaTgmha6J CsZEQ7jN5VH/9TthMltZCMJSRw2humifwd1PkiYWyx7mI7BW4GDvseGJk57WR4KyVWo4rw 8In93Vnop9ld4vyQe/iDXXqKuSKlb1KAkmt9WXD6CUu8xfPOncU/qHnVvP6c+Q== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyd3VvRzny8 for ; Tue, 09 Jun 2026 19:19:53 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3ef39 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:53 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Ed Maste From: Mark Johnston Subject: git: f4cf977dfe92 - releng/15.0 - vt: Avoid integer overflow in CONS_HISTORY ioctl List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.0 X-Git-Reftype: branch X-Git-Commit: f4cf977dfe9295dd0824ac9ecf041d9974c896cf Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:53 +0000 Message-Id: <6a286759.3ef39.5e311cec@gitrepo.freebsd.org> The branch releng/15.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=f4cf977dfe9295dd0824ac9ecf041d9974c896cf commit f4cf977dfe9295dd0824ac9ecf041d9974c896cf Author: Ed Maste AuthorDate: 2026-05-26 16:19:47 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 15:39:32 +0000 vt: Avoid integer overflow in CONS_HISTORY ioctl Approved by: so Security: FreeBSD-SA-26:34.vt Security: CVE-2026-49416 Reviewed by: markj, vexeduxr Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57250 (cherry picked from commit 0ae946e7223df5ef3f7980af1d774d7f593f6421) (cherry picked from commit deaaddf1d3c4283649945553ad7e3208c8424308) --- sys/dev/vt/vt_buf.c | 9 ++++----- sys/dev/vt/vt_core.c | 6 ++++-- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/sys/dev/vt/vt_buf.c b/sys/dev/vt/vt_buf.c index e1e4ebc23491..43657fcecbdc 100644 --- a/sys/dev/vt/vt_buf.c +++ b/sys/dev/vt/vt_buf.c @@ -499,7 +499,6 @@ vtbuf_grow(struct vt_buf *vb, const term_pos_t *p, unsigned int history_size) { term_char_t *old, *new, **rows, **oldrows, **copyrows, *row, *oldrow; unsigned int w, h, c, r, old_history_size; - size_t bufsize, rowssize; int history_full; const teken_attr_t *a; term_char_t ch; @@ -510,10 +509,10 @@ vtbuf_grow(struct vt_buf *vb, const term_pos_t *p, unsigned int history_size) history_size = MAX(history_size, p->tp_row); /* Allocate new buffer. */ - bufsize = history_size * p->tp_col * sizeof(term_char_t); - new = malloc(bufsize, M_VTBUF, M_WAITOK | M_ZERO); - rowssize = history_size * sizeof(term_pos_t *); - rows = malloc(rowssize, M_VTBUF, M_WAITOK | M_ZERO); + new = mallocarray(history_size, p->tp_col * sizeof(term_char_t), + M_VTBUF, M_WAITOK | M_ZERO); + rows = mallocarray(history_size, sizeof(term_pos_t *), M_VTBUF, + M_WAITOK | M_ZERO); /* Toggle it. */ VTBUF_LOCK(vb); diff --git a/sys/dev/vt/vt_core.c b/sys/dev/vt/vt_core.c index b51ef6766de4..7d4a79b4e4a5 100644 --- a/sys/dev/vt/vt_core.c +++ b/sys/dev/vt/vt_core.c @@ -40,6 +40,7 @@ #include #include #include +#include #include #include #include @@ -2766,8 +2767,9 @@ skip_thunk: /* XXX */ return (0); case CONS_HISTORY: - if (*(int *)data < 0) - return EINVAL; + if (*(int *)data < 0 || + *(int *)data > UINT_MAX / USHRT_MAX / sizeof(term_char_t)) + return (EINVAL); if (*(int *)data != vw->vw_buf.vb_history_size) vtbuf_sethistory_size(&vw->vw_buf, *(int *)data); return (0); From nobody Tue Jun 9 19:19:56 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyj18Hkz6gVKj for ; Tue, 09 Jun 2026 19:19:57 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdyh6K4Dz3QYw for ; Tue, 09 Jun 2026 19:19:56 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032796; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=CbZD5YAz1U2bUJR5TF+9L+td/5lvXiG380O+v0PB9dc=; b=sFR5rvNsThYlSIY+mS5vXcG6K8Ba9tetqf94+BMWD81jLV9BT4+yc9ZqBtOygvhWE7qFqZ INKwg5Jc6u1zkSe9IZf5Hg9HmXOzZqHpec7PdBEyuumDFcBFLl6HUQXe6W7RJSs09zs6Ic yHMZuSqPNCooklefnvtm9S+Mbs/iOks7Qw00sY4niLuQlIOkN76zpNwHOe/hmWesfr17Km ZbiG0+KWapabPam4DjhPOm2Nj4YfVBT510ivbsUdjdot3m5tpn0ZVimdYH9FK8zeGDEmAj cm51l3p/FZmg6JXJUfH62U4QfElL3ZCcEmLPGUDnyQBGj11v7c1vhZHqnm2cJA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032796; a=rsa-sha256; cv=none; b=naixL6UkgQqoDORuyzp3LmqpMWxLXjg0gmH4xUDzqAkMLzjo692LRxc3BbTTmuHjICwhyN cu6VoJ46amDpaabvvdYzEiCjZWQCaXR1oFQGGAgMesYiSb+EnCitlSqyA7E34e/dHoYVr0 /YQ8svxO5JFtpgs2r8eub9kC0VoI7WpfYpn8b+7HPDVTRvXvVnDPrebGLpGpFx8s4ijptu yoeYo80mSf9t8nHXtkw+OvSwjGnDzpunmn4nnu+zu8sy/eAA11BAjyjdgVrW41kqw/Bv8d Znc3Z+5Hsfu0Xxi85CeHPqTArLGV59qsPKBbR705sTr0qrux8CCnYO3wp/iILA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032796; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=CbZD5YAz1U2bUJR5TF+9L+td/5lvXiG380O+v0PB9dc=; b=pQA0oqoNCOlShnR9P7QTjA6U+0IgQCZwfE2iPBC+TWe6Lfbg70ofwPWoy36bF+qYgoEFY+ nOt8S9RYmIMwHp+pRETC9HEQHkFFW8yuzH8wV+v/Ihy+RCrSt4nr+psxGfkdiZScycRKda zqmCBHA/cdgNiRnwKANAHZcouMRRs0zpSYmkZ9XQJsGxoOVFp+obP7oJOVpJAuuHtZliN8 Onrbvdc1SiN5o212kzb5L8GXntWkP+E3EnKV0RhyCZIgMNTwvH8fyu9kXJq77O97TDEYWe vEqmQhhT01U9XRa/C0fkbmTtYccNMq7Z0Mu20jbzie3cYNTJebHbG8MuSUftYg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyh5pdHzp3w for ; Tue, 09 Jun 2026 19:19:56 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3ebce by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:19:56 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: fef97a6889f9 - releng/15.0 - Add UPDATING entries and bump version List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.0 X-Git-Reftype: branch X-Git-Commit: fef97a6889f98be4fa9a565577067f20d1f642a9 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:19:56 +0000 Message-Id: <6a28675c.3ebce.4dda5d92@gitrepo.freebsd.org> The branch releng/15.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=fef97a6889f98be4fa9a565577067f20d1f642a9 commit fef97a6889f98be4fa9a565577067f20d1f642a9 Author: Mark Johnston AuthorDate: 2026-06-07 16:36:46 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 19:52:11 +0000 Add UPDATING entries and bump version Approved by: so --- UPDATING | 44 ++++++++++++++++++++++++++++++++++++++++++++ sys/conf/newvers.sh | 2 +- 2 files changed, 45 insertions(+), 1 deletion(-) diff --git a/UPDATING b/UPDATING index abc517696265..fa9cc98d6227 100644 --- a/UPDATING +++ b/UPDATING @@ -12,6 +12,50 @@ Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before updating system packages and/or ports. +20260609: + 15.0-RELEASE-p10 EN-26:14.syslogd + EN-26:15.openssl + SA-26:25.thr + SA-26:26.ktls + SA-26:27.sound + SA-26:28.capsicum + SA-26:29.ip6_multicast + SA-26:30.linux + SA-26:31.arm64 + SA-26:32.elf + SA-26:33.unbound + SA-26:34.vt + SA-26:35.openssl + SA-26:36.ldns + + syslogd(8) memory leak in casper_ttymsg(). [EN-26:14.syslogd] + + Update OpenSSL to 3.0.20 and 3.5.6. [EN-26:15.openssl] + + Missing permission check in thr_kill2(2). [SA-26:25.thr] + + Arbitrary file overwrite via the KTLS receive path. [SA-26:26.ktls] + + Multiple vulnerabilities in the sound(4) mmap path. [SA-26:27.sound] + + sigqueue(2) missing capability mode restriction. [SA-26:28.capsicum] + + Use-after-free bug in the IPV6_MSFILTER socket option handler. [SA-26:29.ip6_multicast] + + Flaw in Linuxulator execution of setugid binaries. [SA-26:30.linux] + + Arm CPU errata may bypass page table permission changes. [SA-26:31.arm64] + + ASLR bypass for setuid executables via procctl(2). [SA-26:32.elf] + + Multiple vulnerabilities in unbound. [SA-26:33.unbound] + + Integer overflow in vt(4) CONS_HISTORY ioctl. [SA-26:34.vt] + + Multiple vulnerabilities in OpenSSL. [SA-26:35.openssl] + + Insufficient response validation in the ldns stub resolver. [SA-26:36.ldns] + 20260520: 15.0-RELEASE-p9 SA-26:18.setcred SA-26:19.file diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 210c5ccf747a..a68e1021ff1b 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -51,7 +51,7 @@ TYPE="FreeBSD" REVISION="15.0" -BRANCH="RELEASE-p9" +BRANCH="RELEASE-p10" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi From nobody Tue Jun 9 19:20:05 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyt1mkhz6gVbM for ; Tue, 09 Jun 2026 19:20:06 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdys2M9Sz3Qqq for ; Tue, 09 Jun 2026 19:20:05 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032805; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=CaMIyFVVo2YkHEcw5OXBHK1ABHTT3H2vI39FV35HjJc=; b=xgeicncgi+upBxB/t4kFOwruRjxNbvAgWdM5z3phXHW9oQ1wRBlQ8G7fRPXtTPFxKzFtR/ zrPTeww68+rslPTr3iH3BQU7AxiFRp/TsIcOPcX21pPq+CMtKN1RF8ctpWqsE5PGIj1coH CTYOAJZM6xeXwnAzLhLz7wh3woDhpF4jKAPZVh9ZFVzwsWq7f/4/jYI6iaTTEGhguWAQ/p DNohzGrukrdMnB7LWp1Q3iRObOW9snoDzHvgNDiOoEeTXeLHj06KZP7rUPrhR/9j/55r+v QcNmbr4G0C4GulWPnpo1zuhFt1Vs1xKV5+b6P4KUXc1lGwc7R63ONcV8V8vAeQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032805; a=rsa-sha256; cv=none; b=ANroyfmbJr2uUj0FlDDmZ8YYpUVCOGLsJ/KrmEuMzOMFm88CC0PgYSAaomLotUFCf1Jxzj 4FKGqAVTTux2YYhkCZNyRsYrUR7S7HfctAuXowUoZQkj9fliSuc4gJ6Jl4br+1PdDCyrhY pSrq9ffX6N9FOKBlyo/ZohgQBd4bzbpMI7nZSE/IGvPc0ALID1Qh94H9P5KGi99bL2rghq soQdq5YI5HYaTZ7MFwn6os06uthkscRWbXA0p8KsFeKvTKdK5YH95L7tz3e93UIylQUrd9 hmd+xxbTwLWTGMjU6hvsAFDfwtP9FNI5a2FSRANIOuFLoGNjWlrvjXLXw0NREw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032805; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=CaMIyFVVo2YkHEcw5OXBHK1ABHTT3H2vI39FV35HjJc=; b=RYOTV/cl/YbGhpJ6wOcTLL1NrRm/6AoUbLMQPvtzm3TsMC5eSwhbCYHvKMiBmk2YKrhwvE Zmhsxorfe3hCM5mleVMgrfqaHy9XYf1+hvZw7DfGWMDtLT4wXSICJZyptKBFDvB/QhQa9Y VISZ+NRvN++8IlGDQRUQIHGtChvp4bBWsnFj72EuODCa9YwjiKmqFvX8FEpP57Wmwv4IT8 6LSgthMmLTqnNlnRnXDuye/DWBXJ1fU4uKWgFZe6TzUXHx1jfMgOdNoYlb1fvyfwxhcn5F VSMPOxFIUfJdltztMGuxETBDO9dutfyEkcLe6Va/a4ag4ZKZ2ItMc9MN66W2Zw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdys1tgXznyC for ; Tue, 09 Jun 2026 19:20:05 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e9ad by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:20:05 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 068168fefd4b - releng/15.1 - thr_kill2: Respect p_cansignal() List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.1 X-Git-Reftype: branch X-Git-Commit: 068168fefd4b6a8a53ab102d064614f82f764d36 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:20:05 +0000 Message-Id: <6a286765.3e9ad.637ed6f3@gitrepo.freebsd.org> The branch releng/15.1 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=068168fefd4b6a8a53ab102d064614f82f764d36 commit 068168fefd4b6a8a53ab102d064614f82f764d36 Author: Mark Johnston AuthorDate: 2026-05-25 15:12:57 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 02:59:10 +0000 thr_kill2: Respect p_cansignal() Approved by: re (cperciva) Approved by: so Security: FreeBSD-SA-26:25.thr Security: CVE-2026-45256 Reported by: Igor Gabriel Sousa e Souza Reported by: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai Reviewed by: emaste, kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57237 --- sys/kern/kern_thr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/kern/kern_thr.c b/sys/kern/kern_thr.c index 4329959a2ef4..4a439eee0210 100644 --- a/sys/kern/kern_thr.c +++ b/sys/kern/kern_thr.c @@ -506,7 +506,7 @@ sys_thr_kill2(struct thread *td, struct thr_kill2_args *uap) p = ttd->td_proc; AUDIT_ARG_PROCESS(p); error = p_cansignal(td, p, uap->sig); - if (uap->sig == 0) + if (error != 0 || uap->sig == 0) ; else if (!_SIG_VALID(uap->sig)) error = EINVAL; From nobody Tue Jun 9 19:20:06 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyv2Dsrz6gVk5 for ; Tue, 09 Jun 2026 19:20:07 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdyt3lypz3QtS for ; Tue, 09 Jun 2026 19:20:06 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032806; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=kimhUAe08MaVnqpfCSOQu9Ki+7FksfIwrGJhYjXML8g=; b=hVf7qDGd1tqXW9lFfwmOYTrRUSDa62BVekRm3QpQhmcr412+TFJIZdpxlNIJgnl6QrqxfK yb79kWS55DwTO8IxpVDyv53Tyer+D8phrWV95DfbvoF74Lm6dLi0rh9I700atkodcIktQd 6SXegX09ZZby8b77QP2fQ1qf3Nag85AKpn0noCFEtdmDoLAAmG3VWidxOL3wVeChKSjMfU zuxMO9D4s20ph5T5IPGPdAu/Ud7UrmI/SxPAhOuMPib4p+vIk64DXkAGICYEUAMRq0SGqZ gVMdyKKrnZ7edu15jz+mK/QaxrSQXjqsT9tb7aTK897BRIuar///Es4b1YbUeQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032806; a=rsa-sha256; cv=none; b=ZRzigjTOtvo13E9wm7oJ1uB2V0dspGgcyY+vd48/CEx++gp9xe6UDnjZR+pLAcOs7k/igP oCiyp+2ElGOQ82wDwgeieEGPUTx81EjhqyrdbIJ+w1SOhlQAPDhqzb74QfyzK2V5inGttq q6SFyamt2cpY/lTU9S/S+A2iF5BoEydfbct7qKENPeC92m3VqS9k/+oCd3HPIH93/smVIE Etubw/DYlDfvaIfo3ov5rS+IeNfvmgdlgA/GM35mezuTI/vOujppEzkwkPJMaRcPodSVQe f6EemT1OD69Rgx0T17ITfsq7bd7M0dBDYMJZLXYsWF6PLFfkigyFnTI3Wfh3sw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032806; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=kimhUAe08MaVnqpfCSOQu9Ki+7FksfIwrGJhYjXML8g=; b=vQD8BLa8V1OVuGDYPzf3I42g1uVjavz9DeJNAUrwuUMsmehYoIbhFFWbP+05z6NqJ+RLFy TRsqwNQjHf9sj7hQRAoR4D67dhO5VKTl00L0NpJg2iyr1WT81g+LfHeQnTjTzCty28ynGb 7pgSTrzpR9UDY2yed8kt36q/hFvDfgg992uQsFAVYkwKXW6rNvSupSX0Ev6DATcI6Qen/I kgLoF11T1k/0U/xgwIMe4i/QTKw2T+5/YVnAjmRVk1MhC35ymO7dasjNjX38b+FoCeDExd jBDWZSz7TvUHxLUMvGYiAyJ8IoQkgwv/VSHjINbPFAYC/CJ0ehHci3TNFcnFKw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyt2HzCznwL for ; Tue, 09 Jun 2026 19:20:06 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3ebed by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:20:06 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: John Baldwin From: Mark Johnston Subject: git: 48c1c5e3c348 - releng/15.1 - ktls: Don't attempt to modify non-anonymous mbufs on the receive path List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.1 X-Git-Reftype: branch X-Git-Commit: 48c1c5e3c348d1953072faf98ecedd0ba96956dc Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:20:06 +0000 Message-Id: <6a286766.3ebed.44864ab7@gitrepo.freebsd.org> The branch releng/15.1 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=48c1c5e3c348d1953072faf98ecedd0ba96956dc commit 48c1c5e3c348d1953072faf98ecedd0ba96956dc Author: John Baldwin AuthorDate: 2026-06-03 23:22:00 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 02:59:19 +0000 ktls: Don't attempt to modify non-anonymous mbufs on the receive path Normally, data processed on the KTLS receive path is contained in anonymous mbufs that can be modified in place. Either the data originates in receive buffers from a NIC driver, or for loopback connections the data is anonymous-backed mbufs created when writing to a socket. One potential source of non-anonymous mbufs are mbufs created by sendfile(2) which borrow the pages of the underlying file, either via M_EXTPG or EXT_SFBUF that are sent over a loopback connection. For a well-formed loopback TLS session, the sender should only use sendfile(2) if KTLS is enabled. If TLS is fully handled in userspace, the sender must use write(2) or send(2) which allocate anonymous mbufs. If KTLS transmit is enabled, then sendfile(2) on a loopback connection will always use crypto via OCF and will allocate anonymous pages to hold the encrypted data. However, if sendfile(2) is used to send file-backed data directly over a loopback connection where KTLS is not enabled on the sender side, the KTLS receive path can modify the file-backed pages in place overwriting the file's data. One potential fix would be to replace non-anonymous mbufs in a received TLS record with anonymous mbufs (e.g. via m_dup()) before passing the record to OCF. However, there is no legitimate use case for using sendfile(2) over a loopback TLS connection without using KTLS on the sender side, so instead simply fail decryption requests and close the connection if non-anonymous mbufs are encountered in the RX decryption path. Add a test for this that verifies that the original data backing the file descriptor used as the source for sendfile() is unchanged after being processed. Approved by: re (cperciva) Approved by: so Security: FreeBSD-SA-26:26.ktls Security: CVE-2026-45257 Co-authored-by: Drew Gallatin Sponsored by: Chelsio Communications Sponsored by: Netflix --- sys/kern/uipc_ktls.c | 17 +++++++-- sys/sys/ktls.h | 1 + tests/sys/kern/ktls_test.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 108 insertions(+), 3 deletions(-) diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c index 35009ad77722..5f7d061bfb55 100644 --- a/sys/kern/uipc_ktls.c +++ b/sys/kern/uipc_ktls.c @@ -2419,8 +2419,10 @@ tls13_find_record_type(struct ktls_session *tls, struct mbuf *m, int tls_len, * Check if a mbuf chain is fully decrypted at the given offset and * length. Returns KTLS_MBUF_CRYPTO_ST_DECRYPTED if all data is * decrypted. KTLS_MBUF_CRYPTO_ST_MIXED if there is a mix of encrypted - * and decrypted data. Else KTLS_MBUF_CRYPTO_ST_ENCRYPTED if all data - * is encrypted. + * and decrypted data. KTLS_MBUF_CRYPTO_ST_ENCRYPTED if all data is + * encrypted. KTLS_MBUF_CRYPTO_ST_SHAREDMBUF if any mbuf points at + * shared data that must not be modified in place (non-anonymous + * M_EXTPG or sendfile M_EXT buffers). */ ktls_mbuf_crypto_st_t ktls_mbuf_crypto_state(struct mbuf *mb, int offset, int len) @@ -2436,6 +2438,13 @@ ktls_mbuf_crypto_state(struct mbuf *mb, int offset, int len) offset += len; for (; mb != NULL; mb = mb->m_next) { + if ((mb->m_flags & M_EXTPG) != 0 && + (mb->m_epg_flags & EPG_FLAG_ANON) == 0) + return (KTLS_MBUF_CRYPTO_ST_SHAREDMBUF); + if ((mb->m_flags & M_EXT) != 0 && + mb->m_ext.ext_type == EXT_SFBUF) + return (KTLS_MBUF_CRYPTO_ST_SHAREDMBUF); + m_flags_ored |= mb->m_flags; m_flags_anded &= mb->m_flags; @@ -2636,9 +2645,11 @@ ktls_decrypt(struct socket *so) record_type = hdr->tls_type; } break; - default: + case KTLS_MBUF_CRYPTO_ST_SHAREDMBUF: error = EINVAL; break; + default: + __assert_unreachable(); } if (error) { counter_u64_add(ktls_offload_failed_crypto, 1); diff --git a/sys/sys/ktls.h b/sys/sys/ktls.h index 6c7e7d3c5ee3..fc9c0316654e 100644 --- a/sys/sys/ktls.h +++ b/sys/sys/ktls.h @@ -241,6 +241,7 @@ typedef enum { KTLS_MBUF_CRYPTO_ST_MIXED = 0, KTLS_MBUF_CRYPTO_ST_ENCRYPTED = 1, KTLS_MBUF_CRYPTO_ST_DECRYPTED = -1, + KTLS_MBUF_CRYPTO_ST_SHAREDMBUF = -2, } ktls_mbuf_crypto_st_t; void ktls_check_rx(struct sockbuf *sb); diff --git a/tests/sys/kern/ktls_test.c b/tests/sys/kern/ktls_test.c index 72497196b945..3970083e7f72 100644 --- a/tests/sys/kern/ktls_test.c +++ b/tests/sys/kern/ktls_test.c @@ -30,6 +30,7 @@ #include #include #include +#include #include #include #include @@ -2817,6 +2818,97 @@ ATF_TC_BODY(ktls_listening_socket, tc) ATF_REQUIRE(close(s) == 0); } +/* + * Verify that the KTLS receive path does not overwrite data belonging + * to a file whose payload is transmitted over a loopback connection + * via plain sendfile. + */ +ATF_TC_WITHOUT_HEAD(ktls_receive_loopback_sendfile); +ATF_TC_BODY(ktls_receive_loopback_sendfile, tc) +{ + struct tls_enable en; + struct msghdr msg; + struct sf_hdtr hdtr; + struct iovec iov[2]; + uint64_t seqno; + off_t sbytes; + char cbuf[CMSG_SPACE(sizeof(struct tls_get_record))]; + char *plaintext, *ciphertext, *outbuf; + void *p; + const size_t payload_len = PAGE_SIZE; + ssize_t rv; + size_t len; + int mode, shm, sockets[2]; + socklen_t slen; + + ATF_REQUIRE_KTLS(); + seqno = random(); + build_tls_enable(tc, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, + TLS_MINOR_VER_TWO, seqno, &en); + + len = tls_header_len(&en) + payload_len + tls_trailer_len(&en); + plaintext = alloc_buffer(payload_len); + ciphertext = malloc(len); + ATF_REQUIRE_INTEQ(len, encrypt_tls_record(tc, &en, TLS_RLTYPE_APP, + seqno, plaintext, payload_len, ciphertext, len, 0)); + + ATF_REQUIRE((shm = shm_open(SHM_ANON, O_RDWR, 0600)) > 0); + ATF_REQUIRE_INTEQ(0, ftruncate(shm, payload_len)); + ATF_REQUIRE((p = mmap(NULL, payload_len, PROT_READ | PROT_WRITE, + MAP_SHARED, shm, 0)) != MAP_FAILED); + memcpy(p, ciphertext + tls_header_len(&en), payload_len); + + ATF_REQUIRE_MSG(socketpair_tcp(sockets), "failed to create sockets"); + ATF_REQUIRE(setsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_ENABLE, &en, + sizeof(en)) == 0); + slen = sizeof(mode); + ATF_REQUIRE_INTEQ(0, getsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_MODE, + &mode, &slen)); + ATF_REQUIRE_INTEQ(TCP_TLS_MODE_SW, mode); + + fd_set_blocking(sockets[0]); + fd_set_blocking(sockets[1]); + + iov[0].iov_base = ciphertext; + iov[0].iov_len = tls_header_len(&en); + iov[1].iov_base = ciphertext + tls_header_len(&en) + payload_len; + iov[1].iov_len = tls_trailer_len(&en); + hdtr.headers = iov; + hdtr.hdr_cnt = 1; + hdtr.trailers = iov + 1; + hdtr.trl_cnt = 1; + debug_hexdump(tc, p, payload_len, "shm buffer before"); + ATF_REQUIRE_INTEQ(0, sendfile(shm, sockets[1], 0, payload_len, &hdtr, + &sbytes, 0)); + ATF_REQUIRE_INTEQ(sbytes, len); + + outbuf = calloc(payload_len, 1); + + memset(&msg, 0, sizeof(msg)); + + msg.msg_control = cbuf; + msg.msg_controllen = sizeof(cbuf); + + iov[0].iov_base = outbuf; + iov[0].iov_len = payload_len; + msg.msg_iov = iov; + msg.msg_iovlen = 1; + + rv = recvmsg(sockets[0], &msg, 0); + if (rv >= 0) { + ATF_REQUIRE_INTEQ(payload_len, rv); + ATF_REQUIRE_INTEQ(0, memcmp(outbuf, plaintext, payload_len)); + } else + ATF_REQUIRE_ERRNO(EBADMSG, true); + + debug_hexdump(tc, p, payload_len, "shm buffer after"); + ATF_REQUIRE_INTEQ(0, memcmp(p, ciphertext + tls_header_len(&en), + payload_len)); + + close_sockets_ignore_errors(sockets); + (void)close(shm); +} + ATF_TP_ADD_TCS(tp) { /* Transmit tests */ @@ -2843,6 +2935,7 @@ ATF_TP_ADD_TCS(tp) /* Miscellaneous */ ATF_TP_ADD_TC(tp, ktls_sendto_baddst); ATF_TP_ADD_TC(tp, ktls_listening_socket); + ATF_TP_ADD_TC(tp, ktls_receive_loopback_sendfile); return (atf_no_error()); } From nobody Tue Jun 9 19:20:08 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyx1PdDz6gVhs for ; Tue, 09 Jun 2026 19:20:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdyw3Mrvz3QrB for ; Tue, 09 Jun 2026 19:20:08 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032808; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=nYEIqERvNLZZWSbs75nF5dUwfGce9hg616HZTewS8Oc=; b=N63j4eOjFwRpAMCO6j8ta+loK6xnohCFgoJmxOo6BrfA4pZfyD1SVvCvDJrtBRM0w5pYpY n1LR6sBYwZumBOTyIxz8xHGKIiBorWQ5ptx0nBLRKP7Ug7lcm1klkWIIeM7x/fBjWKboru aukHQMVapvNTpUMwqI4m+e4yWWWq3boLMjZZx2K4seXSeu1Zy46Bck4ljYnnJSbEJTPhGc Ms/Y4A6YEVbfSSHg5xITdNThTdMndKM8meGtoTlN4rMoLXKOxmRL00CTA2lxQ2Z+bN1d3C BpTU6d61uo46K+X2tlzwNMT+avp5lAktgrY0yu19WCr1OzkPw/uaTdx5phL+Pg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032808; a=rsa-sha256; cv=none; b=cDudqT7n+8YG234CSBAzd2zCERbfT4c6iSW5vcM/R3/jylA5t8ZI79xoRxeliggmn15EHZ hzkyZE+h4Mb7MPlmiPGIG+IUqOh8P+fqfUFOYiY02vxmvrAPxq73LRIdoY/+f51YYvkEfP HnI8g7Flcy+89803lX2ud53zwAfZi1s1A6fX/B+GAUfN3YMg7H80eSWQ8JfV5HyMxCB+Qt tjR1HlmNA/3FihgvlV2k7VtfgjFwReMJykcmlCYZiELQ/jEG0eFmOeK6u1Zc5hGV7OMuOc eMwg2LrDGkX2BISx51jP5/+NlcV2MW7oL43ck4TQcIBZ8pjTo5DK/FAFzFxiGA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032808; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=nYEIqERvNLZZWSbs75nF5dUwfGce9hg616HZTewS8Oc=; b=ZIc6VF4W5BOrpaxh1MOJh/Y/MlnzBMowBjFmXUQTqQhN1O6t5km6A9U/0XRT81yk6pTZ31 aBcKo4mn2plN/daL8l//B9sdO8sMKicWvUlAG90dV293wZOlpvv++J65PPG3/b8W9CXuKg tWZYH8mLyLX+5qEDU+ttgTMVaKuHwzPzlBVSYiFuDr/OCm9ZXlVaQVosO0l83t2vtlyE31 yxbFVvJTtYoWRZwEzh01AThGu+5HEH8jeX+66ZaUFGihE2WD24rLGRSdpr+BLClJX4rkNX Z/4WIVxeHRNTW4v69U8wPGs0E5tEekPvuDGV9B7qnT9YjczsCJ1qPsVdKyV3Yg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyw2zNpzp41 for ; Tue, 09 Jun 2026 19:20:08 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3ebf2 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:20:08 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: abc077216bac - releng/15.1 - sound: Fix software buffer lifetime issues List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.1 X-Git-Reftype: branch X-Git-Commit: abc077216bac75eaa8ab517721e585d7e61e2d4f Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:20:08 +0000 Message-Id: <6a286768.3ebf2.2a11514b@gitrepo.freebsd.org> The branch releng/15.1 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=abc077216bac75eaa8ab517721e585d7e61e2d4f commit abc077216bac75eaa8ab517721e585d7e61e2d4f Author: Mark Johnston AuthorDate: 2026-06-01 21:57:40 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 02:59:34 +0000 sound: Fix software buffer lifetime issues The channel buffer mapped by dsp_mmap_single() may be freed when the device handle is closed, but the mapping persists beyond that, allowing userspace to read or write memory owned by a different consumer. Fix the problem by adding a reference counter to the sound buffer. Define pager ops for the VM object returned by dsp_mmap_single() and use them to manage the extra reference. Add a regression test. Approved by: re (cperciva) Approved by: so Security: FreeBSD-SA-26:27.sound Security: CVE-2026-49417 Reported by: Lexpl0it, 75Acol, Liyw979, Rob1n Reviewed by kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57393 --- sys/dev/sound/pcm/buffer.c | 38 ++++++++++++++++++-- sys/dev/sound/pcm/buffer.h | 4 +++ sys/dev/sound/pcm/dsp.c | 89 ++++++++++++++++++++++++++++++++++++++-------- tests/sys/sound/mmap.c | 60 +++++++++++++++++++++++++++++++ 4 files changed, 175 insertions(+), 16 deletions(-) diff --git a/sys/dev/sound/pcm/buffer.c b/sys/dev/sound/pcm/buffer.c index 0c574ae2908c..86278a46a731 100644 --- a/sys/dev/sound/pcm/buffer.c +++ b/sys/dev/sound/pcm/buffer.c @@ -36,6 +36,7 @@ #include "opt_snd.h" #endif +#include #include #include "feeder_if.h" @@ -50,6 +51,7 @@ sndbuf_create(struct pcm_channel *channel, const char *desc) struct snd_dbuf *b; b = malloc(sizeof(*b), M_DEVBUF, M_WAITOK | M_ZERO); + refcount_init(&b->refcount, 1); snprintf(b->name, SNDBUF_NAMELEN, "%s:%s", channel->name, desc); b->channel = channel; @@ -59,8 +61,30 @@ sndbuf_create(struct pcm_channel *channel, const char *desc) void sndbuf_destroy(struct snd_dbuf *b) { - sndbuf_free(b); - free(b, M_DEVBUF); + b->flags |= SNDBUF_F_DETACHED; + sndbuf_rele(b); +} + +void +sndbuf_ref(struct snd_dbuf *b) +{ + unsigned int count __diagused; + + CHN_LOCK(b->channel); + count = refcount_acquire(&b->refcount); + KASSERT(count > 0, ("sndbuf %p refcount 0", b)); + CHN_UNLOCK(b->channel); +} + +void +sndbuf_rele(struct snd_dbuf *b) +{ + if (refcount_release(&b->refcount)) { + sndbuf_free(b); + KASSERT(refcount_load(&b->refcount) == 0, + ("sndbuf %p still referenced", b)); + free(b, M_DEVBUF); + } } static void @@ -177,6 +201,11 @@ sndbuf_resize(struct snd_dbuf *b, unsigned int blkcnt, unsigned int blksz) if (bufsize > b->allocsize || bufsize < (b->allocsize >> SNDBUF_CACHE_SHIFT)) { + if (refcount_load(&b->refcount) > 1 || + (b->flags & SNDBUF_F_DETACHED) != 0) { + CHN_UNLOCK(b->channel); + return (EBUSY); + } allocsize = round_page(bufsize); CHN_UNLOCK(b->channel); tmpbuf = malloc(allocsize, M_DEVBUF, M_WAITOK); @@ -211,10 +240,15 @@ sndbuf_remalloc(struct snd_dbuf *b, unsigned int blkcnt, unsigned int blksz) if (blkcnt < 2 || blksz < 16) return EINVAL; + CHN_LOCKASSERT(b->channel); + bufsize = blksz * blkcnt; if (bufsize > b->allocsize || bufsize < (b->allocsize >> SNDBUF_CACHE_SHIFT)) { + if (refcount_load(&b->refcount) > 1 || + (b->flags & SNDBUF_F_DETACHED) != 0) + return (EBUSY); allocsize = round_page(bufsize); CHN_UNLOCK(b->channel); buf = malloc(allocsize, M_DEVBUF, M_WAITOK); diff --git a/sys/dev/sound/pcm/buffer.h b/sys/dev/sound/pcm/buffer.h index 371ba2dd94ce..fee41db2ff82 100644 --- a/sys/dev/sound/pcm/buffer.h +++ b/sys/dev/sound/pcm/buffer.h @@ -31,6 +31,7 @@ */ #define SNDBUF_F_MANAGED 0x00000001 +#define SNDBUF_F_DETACHED 0x00000002 #define SNDBUF_NAMELEN 48 @@ -53,6 +54,7 @@ struct snd_dbuf { bus_dma_tag_t dmatag; bus_addr_t buf_addr; int dmaflags; + unsigned int refcount; struct selinfo sel; struct pcm_channel *channel; char name[SNDBUF_NAMELEN]; @@ -60,6 +62,8 @@ struct snd_dbuf { struct snd_dbuf *sndbuf_create(struct pcm_channel *channel, const char *desc); void sndbuf_destroy(struct snd_dbuf *b); +void sndbuf_ref(struct snd_dbuf *b); +void sndbuf_rele(struct snd_dbuf *b); int sndbuf_alloc(struct snd_dbuf *b, bus_dma_tag_t dmatag, int dmaflags, unsigned int size); int sndbuf_setup(struct snd_dbuf *b, void *buf, unsigned int size); diff --git a/sys/dev/sound/pcm/dsp.c b/sys/dev/sound/pcm/dsp.c index 23b76ab4afac..147779ca9d1d 100644 --- a/sys/dev/sound/pcm/dsp.c +++ b/sys/dev/sound/pcm/dsp.c @@ -77,7 +77,6 @@ static d_read_t dsp_read; static d_write_t dsp_write; static d_ioctl_t dsp_ioctl; static d_poll_t dsp_poll; -static d_mmap_t dsp_mmap; static d_mmap_single_t dsp_mmap_single; static d_kqfilter_t dsp_kqfilter; @@ -89,7 +88,6 @@ struct cdevsw dsp_cdevsw = { .d_ioctl = dsp_ioctl, .d_poll = dsp_poll, .d_kqfilter = dsp_kqfilter, - .d_mmap = dsp_mmap, .d_mmap_single = dsp_mmap_single, .d_name = "dsp", }; @@ -1900,23 +1898,81 @@ dsp_poll(struct cdev *i_dev, int events, struct thread *td) return (ret); } +struct dsp_mmap_handle { + struct cdev *cdev; + struct snd_dbuf *buf; +}; + static int -dsp_mmap(struct cdev *i_dev, vm_ooffset_t offset, vm_paddr_t *paddr, - int nprot, vm_memattr_t *memattr) +dsp_dev_pager_ctor(void *handle, vm_ooffset_t size, vm_prot_t prot, + vm_ooffset_t foff, struct ucred *cred, u_short *color) { + struct dsp_mmap_handle *h = handle; - /* - * offset is in range due to checks in dsp_mmap_single(). - * XXX memattr is not honored. - */ - *paddr = vtophys(offset); + dev_ref(h->cdev); + sndbuf_ref(h->buf); return (0); } +static void +dsp_dev_pager_dtor(void *handle) +{ + struct dsp_mmap_handle *h = handle; + + sndbuf_rele(h->buf); + dev_rel(h->cdev); + free(h, M_DEVBUF); +} + +static int +dsp_dev_pager_fault(vm_object_t object, vm_ooffset_t offset, int prot, + vm_page_t *mres) +{ + struct dsp_mmap_handle *h = object->handle; + vm_page_t m; + uintptr_t addr; + vm_paddr_t paddr; + + addr = (uintptr_t)offset; + if (addr < (uintptr_t)h->buf->buf || + addr >= (uintptr_t)h->buf->buf + h->buf->allocsize) + return (VM_PAGER_ERROR); + paddr = vtophys((void *)addr); + + if (((*mres)->flags & PG_FICTITIOUS) != 0) { + m = *mres; + vm_page_updatefake(m, paddr, object->memattr); + } else { + VM_OBJECT_WUNLOCK(object); + m = vm_page_getfake(paddr, object->memattr); + VM_OBJECT_WLOCK(object); + vm_page_replace(m, object, (*mres)->pindex, *mres); + *mres = m; + } + m->valid = VM_PAGE_BITS_ALL; + return (VM_PAGER_OK); +} + +static void +dsp_dev_pager_path(void *handle, char *path, size_t len) +{ + struct dsp_mmap_handle *h = handle; + + dev_copyname(h->cdev, path, len); +} + +static const struct cdev_pager_ops dsp_dev_pager_ops = { + .cdev_pg_ctor = dsp_dev_pager_ctor, + .cdev_pg_dtor = dsp_dev_pager_dtor, + .cdev_pg_fault = dsp_dev_pager_fault, + .cdev_pg_path = dsp_dev_pager_path, +}; + static int -dsp_mmap_single(struct cdev *i_dev, vm_ooffset_t *offset, +dsp_mmap_single(struct cdev *cdev, vm_ooffset_t *offset, vm_size_t size, struct vm_object **object, int nprot) { + struct dsp_mmap_handle *handle; struct dsp_cdevpriv *priv; struct snddev_info *d; struct pcm_channel *wrch, *rdch, *c; @@ -1979,13 +2035,18 @@ dsp_mmap_single(struct cdev *i_dev, vm_ooffset_t *offset, *offset = (uintptr_t)sndbuf_getbufofs(c->bufsoft, *offset); dsp_unlock_chans(priv, FREAD | FWRITE); - *object = vm_pager_allocate(OBJT_DEVICE, i_dev, - size, nprot, *offset, curthread->td_ucred); + handle = malloc(sizeof(*handle), M_DEVBUF, M_WAITOK); + handle->cdev = cdev; + handle->buf = c->bufsoft; + *object = cdev_pager_allocate(handle, OBJT_DEVICE, &dsp_dev_pager_ops, + size, nprot, *offset, curthread->td_ucred); PCM_GIANT_LEAVE(d); + if (*object == NULL) { + free(handle, M_DEVBUF); + return (EINVAL); + } - if (*object == NULL) - return (EINVAL); return (0); } diff --git a/tests/sys/sound/mmap.c b/tests/sys/sound/mmap.c index 53594b7cc962..b44b16e7f312 100644 --- a/tests/sys/sound/mmap.c +++ b/tests/sys/sound/mmap.c @@ -4,12 +4,14 @@ * Copyright (c) 2026 The FreeBSD Foundation */ +#include #include #include #include #include #include +#include #include #define FMT_ERR(s) s ": %s", strerror(errno) @@ -43,9 +45,67 @@ ATF_TC_BODY(mmap_offset_overflow, tc) close(fd); } +/* + * Verify that a MAP_SHARED mapping of a DSP device's software buffer remains + * valid after the file descriptor is closed. + */ +ATF_TC(mmap_buffer_lifetime); +ATF_TC_HEAD(mmap_buffer_lifetime, tc) +{ + atf_tc_set_md_var(tc, "descr", "mmap data survives close()"); + atf_tc_set_md_var(tc, "require.kmods", "snd_dummy"); +} +ATF_TC_BODY(mmap_buffer_lifetime, tc) +{ + audio_buf_info abi; + uint8_t *buf; + size_t len; + int fd, arg; + + fd = open("/dev/dsp.dummy", O_RDWR); + ATF_REQUIRE_MSG(fd >= 0, FMT_ERR("open")); + + arg = (2 << 16) | 14; /* 2*16KB */ + ATF_REQUIRE_MSG(ioctl(fd, SNDCTL_DSP_SETFRAGMENT, &arg) == 0, + FMT_ERR("SNDCTL_DSP_SETFRAGMENT")); + ATF_REQUIRE_MSG(ioctl(fd, SNDCTL_DSP_GETOSPACE, &abi) == 0, + FMT_ERR("SNDCTL_DSP_GETOSPACE")); + + len = abi.bytes; + ATF_REQUIRE_MSG(len >= PAGE_SIZE, "buffer too small: %zu", len); + + buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); + ATF_REQUIRE_MSG(buf != MAP_FAILED, FMT_ERR("mmap")); + + for (size_t i = 0; i < len; i++) { + ATF_REQUIRE_MSG(buf[i] == 0, + "mmap data corrupted at offset %zu: want 0 got 0x%02x", + i, buf[i]); + } + + memset(buf, 0xa5, len); + for (size_t i = 0; i < len; i++) { + ATF_REQUIRE_MSG(buf[i] == 0xa5, + "mmap data corrupted at offset %zu: want 0xa5 got 0x%02x", + i, buf[i]); + } + + ATF_REQUIRE(close(fd) == 0); + + /* Closing the device causes the buffer to be reset. */ + for (size_t i = 0; i < len; i++) { + ATF_REQUIRE_MSG(buf[i] == 0 || buf[i] == 0xa5, + "mmap data corrupted at offset %zu: got 0x%02x", i, buf[i]); + } + memset(buf, 0xa5, len); + + ATF_REQUIRE(munmap(buf, len) == 0); +} + ATF_TP_ADD_TCS(tp) { ATF_TP_ADD_TC(tp, mmap_offset_overflow); + ATF_TP_ADD_TC(tp, mmap_buffer_lifetime); return (atf_no_error()); } From nobody Tue Jun 9 19:20:07 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyw1lHhz6gVdm for ; Tue, 09 Jun 2026 19:20:08 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdyv3MQSz3Qtf for ; Tue, 09 Jun 2026 19:20:07 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032807; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Bk40n8d92/sY2FrT8VY0MndABc4pZqeDr8IwQa78Ag8=; b=aus2T8fT9XGNIZaFh7QCrykFuZcMSgzt53oaOu2rBT3YSO++o0HpdLwFu0lmb5wb54LRpc xsv9M18V6UoeSAtxuCpeooOKWsNl3o/BURETn1QbmW508rO+ZJ9CxAHHiYYKDmDoE9sPt4 YUmy73nrBv5JftyhWBAbWFHanrPceR2YghdcOQyOMQZVo7kC/HHJnHyPsXngYAk7hH08UD m/S7iKW+nsTo9hjDs/KpFV5Oyw8Dsdyq2UasgRo/rYa/enzrP5Wi8M5OHZ51VIhvutFsgi yynNL5gpJHdGcj9U0yilOxV0IRObKnrmupwWXanyMCDaxDEp0t9GPBAJ+kZA4Q== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032807; a=rsa-sha256; cv=none; b=fbZnDwwNXlzWoTgbIOXBRURW1quu8isL7Ij0JaySW2FTGah9Yrst3Zq1XYyIN4BUz5Kwet gf+t4/oYo3NTCuCsWYDr5WT8MZbG20IRm2/EesyErgTe8RdG+VFsWfPpj+L3UOaFjnWK8S qY42Q3nKP7E5kk+r/3WZNG9OM6unB/fss4bFH3pCT8vi++FibZTLY9PtqpowIXF/vixmdx hrNXN4h5PQxC3GOZywP4P2RNpJxg+XaxTmj6NERAou894eHlSOQt6C/NNm7iNjKdAtLrPA V/qllaC8xGeL+h7QywxMwlk32Y84wyFMnH8pxLE69skngE3HtTysYkcsJVCqBA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032807; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Bk40n8d92/sY2FrT8VY0MndABc4pZqeDr8IwQa78Ag8=; b=QJMfiS6+5YdrqY51sQFdF5mXBEeVKul+rdAto5ZgZYXazFy+9i96EXPGA67iIRzQesCxgJ L/+jXFHrSn2hD+H8kvjSqhKOjBQiITXRWfwkQM/uRu9oJ/zIDcYP3PG/yDH85uNyAKM6c+ Muk85jz4lqObveXlrDtOp514bQWYG4e49oNKIaJuxeBP1O1GtZqDSatM5EE/gOcNe94w6L iSe0ZE3e6iQIENnYNMRbro2S/2WZM+jmdkvlYUnh4x1gtU5Duo90PhqffIkvxkk1GvNmYH ayCrlkkFnOgfHinyq0NPmZCg/8xsXMP+6JA82qhh3mGYUqQD/y/iNga7AG2r0w== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyv2fjSznGG for ; Tue, 09 Jun 2026 19:20:07 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e86f by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:20:07 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Christos Margiolis From: Mark Johnston Subject: git: 513db24414f0 - releng/15.1 - sound: Check for offset overflow in dsp_mmap_single() List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.1 X-Git-Reftype: branch X-Git-Commit: 513db24414f0eae90c280b480b4453e9e4f04714 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:20:07 +0000 Message-Id: <6a286767.3e86f.3961bd12@gitrepo.freebsd.org> The branch releng/15.1 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=513db24414f0eae90c280b480b4453e9e4f04714 commit 513db24414f0eae90c280b480b4453e9e4f04714 Author: Christos Margiolis AuthorDate: 2026-05-27 15:50:33 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 02:59:28 +0000 sound: Check for offset overflow in dsp_mmap_single() Approved by: re (cperciva) Approved by: so Security: FreeBSD-SA-26:27.sound Security: CVE-2026-45258 Reviewed by: markj Sponsored by: The FreeBSD Foundation --- sys/dev/sound/pcm/dsp.c | 3 +++ tests/sys/sound/Makefile | 1 + tests/sys/sound/mmap.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 55 insertions(+) diff --git a/sys/dev/sound/pcm/dsp.c b/sys/dev/sound/pcm/dsp.c index 797bfba81023..23b76ab4afac 100644 --- a/sys/dev/sound/pcm/dsp.c +++ b/sys/dev/sound/pcm/dsp.c @@ -1922,6 +1922,9 @@ dsp_mmap_single(struct cdev *i_dev, vm_ooffset_t *offset, struct pcm_channel *wrch, *rdch, *c; int err; + if (*offset >= *offset + size) + return (EINVAL); + /* * Reject PROT_EXEC by default. It just doesn't makes sense. * Unfortunately, we have to give up this one due to linux_mmap diff --git a/tests/sys/sound/Makefile b/tests/sys/sound/Makefile index ab52a7aad386..f534a8cb17e5 100644 --- a/tests/sys/sound/Makefile +++ b/tests/sys/sound/Makefile @@ -2,6 +2,7 @@ PACKAGE= tests TESTSDIR= ${TESTSBASE}/sys/sound +ATF_TESTS_C+= mmap ATF_TESTS_C+= pcm_read_write ATF_TESTS_C+= polling ATF_TESTS_C+= sndstat diff --git a/tests/sys/sound/mmap.c b/tests/sys/sound/mmap.c new file mode 100644 index 000000000000..53594b7cc962 --- /dev/null +++ b/tests/sys/sound/mmap.c @@ -0,0 +1,51 @@ +/*- + * SPDX-License-Identifier: BSD-2-Clause + * + * Copyright (c) 2026 The FreeBSD Foundation + */ + +#include +#include + +#include +#include +#include +#include + +#define FMT_ERR(s) s ": %s", strerror(errno) + +ATF_TC(mmap_offset_overflow); +ATF_TC_HEAD(mmap_offset_overflow, tc) +{ + atf_tc_set_md_var(tc, "descr", "mmap offset overflow test"); + atf_tc_set_md_var(tc, "require.kmods", "snd_dummy"); +} + +ATF_TC_BODY(mmap_offset_overflow, tc) +{ + uint8_t *buf; + off_t off; + size_t len; + int fd; + + fd = open("/dev/dsp.dummy", O_RDWR); + ATF_REQUIRE_MSG(fd >= 0, FMT_ERR("open")); + + /* off + len will overflow and wrap back to 0. */ + off = 0xfffffffffffff000; + len = 0x1000; + + buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, off); + ATF_REQUIRE_MSG(buf == MAP_FAILED, FMT_ERR("mmap")); + + munmap(buf, len); + + close(fd); +} + +ATF_TP_ADD_TCS(tp) +{ + ATF_TP_ADD_TC(tp, mmap_offset_overflow); + + return (atf_no_error()); +} From nobody Tue Jun 9 19:20:11 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyz6yd3z6gVkB for ; Tue, 09 Jun 2026 19:20:11 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdyz4nHrz3QxN for ; Tue, 09 Jun 2026 19:20:11 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032811; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=xMaMPIFG/doTxT3pm07XzmYVtaB83fJMc//s7YX6wF0=; b=bXdf5Xx6qwWLszzWoEQCRjis1J285xr4AAIm9BvT3ZOoj+belgUl/zAc80jdAdTmg7cd+g C7aBRrv6mBrS3Ex1/L03UGVnfgGUYB6quhhD3uItSRkGWhNzWloWAkdkD7CU+V4qd6Hn88 hiJf6VGY+XG4/QzLeHdwlJzMbVkEafUDJf28fGLcj/qlC2CouYZBoRaJ/SvPOuluU8jrgd 3Grtehz7Qs9ctheIWvkFS0jZteTRw9lOyi5wiIffbzVTggmsl+2f1vlO11RLiNoCer5dPk ri3FZwkK7MMswmed3oxEb03KdmlElRjGkAssdn42TpS3Rv/92vqYnsHVePZvTg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032811; a=rsa-sha256; cv=none; b=bV4TqkgPGhuZFyhBXEdxSv03ftdqyYzo1FOeTdrBus9udDZLg4/p+YSlBxg1nk4cict41E 1UkTqwg8Yi56N17yoKBWwdfPZYSRwJS12QOVhjXAKO5og2d18IOVFX2vll7Es+tq1Fqzr+ vgdWxya30nK9gURonSYwNZW3/AbXbIh3essMoT1bAOqAfjWRtfRiXMYKI++lMdieyljKPk vsoTDbanQAr/NEt0DPVznIY6uAE1psBlMnVbsH290Er7ZPVEDmxCPbOzYaoiyVtynzVaOp QRCn61JFdgfSvS1nkIdRV2cBvhMkgl02vnXrvSkZPy/cmi03+s62sDmUHrnfFQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032811; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=xMaMPIFG/doTxT3pm07XzmYVtaB83fJMc//s7YX6wF0=; b=GGgNEXTzuSOmmXF/RZWxA+MvDBPkWa9wqJ2+fEXvhCyM/iUMfwI01SQlZJV0Q5L+lPNG7g rWEKbmr75ieEWFM54mn5mYBse8YQsrW5Zlvk9ySh9qdfnTx86Bm9uInC2q0O6qzPB41+tG 81JjzNRtOt5tVQTXFm4YBVfLNJ5N4GvWamNRb+z7wiyy5g4CTa/2HBSwCaPOplKUesVlUK jFz9AvciKvEQoS05rrxExj0hvW/33wNO0kIfqrf6zhNlC8FDZK1AILO9Cfe8YBwk3i32wt lugtJlSvfyLkPlez8W4dI0RFNA5YTxU4yjQMOL+Mq+tXX8bcoIUagBgE289ENw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyz43fXzp44 for ; Tue, 09 Jun 2026 19:20:11 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3f78c by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:20:11 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: a4d36c975be0 - releng/15.1 - linux: Correct the issetugid check in copyout_auxargs List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.1 X-Git-Reftype: branch X-Git-Commit: a4d36c975be0c066979471e5f8a6c729757ad0b0 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:20:11 +0000 Message-Id: <6a28676b.3f78c.5b52babe@gitrepo.freebsd.org> The branch releng/15.1 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=a4d36c975be0c066979471e5f8a6c729757ad0b0 commit a4d36c975be0c066979471e5f8a6c729757ad0b0 Author: Mark Johnston AuthorDate: 2026-05-29 21:41:35 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 02:59:54 +0000 linux: Correct the issetugid check in copyout_auxargs The runtime linker in glibc relies on the AT_SECURE auxv entry to know whether the executable is set-ugid, if so then various dangerous functionality such as LD_PRELOAD is disabled. The check added in commit 669414e4fb74 failed to take into account the fact that during execve, P_SUGID may not yet be set for a set-ugid process. Correct the test. Approved by: re (cperciva) Approved by: so Security: FreeBSD-SA-26:30.linux Security: CVE-2026-49413 Reported by: Minseong Kim Fixes: 669414e4fb74 ("Implement AT_SECURE properly.") Reviewed by: kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57350 --- sys/compat/linux/linux_elf.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/sys/compat/linux/linux_elf.c b/sys/compat/linux/linux_elf.c index c9eb6aea8373..6c9f785c97e7 100644 --- a/sys/compat/linux/linux_elf.c +++ b/sys/compat/linux/linux_elf.c @@ -492,11 +492,9 @@ __linuxN(copyout_auxargs)(struct image_params *imgp, uintptr_t base) struct thread *td = curthread; Elf_Auxargs *args; Elf_Auxinfo *aarray, *pos; - struct proc *p; int error, issetugid; - p = imgp->proc; - issetugid = p->p_flag & P_SUGID ? 1 : 0; + issetugid = imgp->credential_setid ? 1 : 0; args = imgp->auxargs; aarray = pos = malloc(LINUX_AT_COUNT * sizeof(*pos), M_TEMP, M_WAITOK | M_ZERO); From nobody Tue Jun 9 19:20:10 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyy73CTz6gVWs for ; Tue, 09 Jun 2026 19:20:10 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdyy487Tz3R7H for ; Tue, 09 Jun 2026 19:20:10 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032810; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=tvsRWg3t3HEdPvcELconrVNpOoNRmpZy11R6zCti5/E=; b=w1c0BqkcDnq1D+8+bxg48oAc7r8cXxVqtGAl6EV77bwhL/JdgttI+tgUxysD4JVYQn2lKZ jbctpoVpVcLVbnDiLUFT72bXdFFFObS0NXR2gwvLMlqf924I/VyWiLhNKxAfYys4cu9iWx lD0+xXHDPqN2rzXJnqSseJovUTCxyn6GkPH/VxeFSz+SBEdxC8D0xNt/B4M+DCaeR77oqd bCMgGubbtuR2fWEciD1XUwIQay0PA2ZcycGrzwmciYIi6Ven7OxrS7C/0OPj4AifARs5Mq 03ysy9sCmU/u1+ul4dY8G1jHkaE2WI7OGZVgT3lHHfAikn5Mf64+8WCy4zhWzQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032810; a=rsa-sha256; cv=none; b=Fzf7NHM/5B2mkQ2nD5mGx0XjnlDwAyKbxba+kcq4xyLYch8jEhYmQN230vmAxKyLAbMJVc 8R9fuh581Gg4VGRoqyfdUEZADQYOxXn7JhBYZpnxAOlmNV84lFsydq6DG4dQPax3APQb07 KPqPd1hM5zIt+9ONbqk9nZ1NbhtAcnnyGZFarUFc1B9CaTGvC+ImV2T796qSfof8ejZiLz pjBKnqHFDpIovR2q1TMJ6CbeuP1P5vV3u08pfuIr2xVwX7kHFiZIo6bnrFZ5kmsHLAtWXE wqIXO1stg326hyp8DzU5SOnlrOwhug1FsboeS5jHLdJetSwZx3nZOdyyqmcACw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032810; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=tvsRWg3t3HEdPvcELconrVNpOoNRmpZy11R6zCti5/E=; b=S9Fprw5da0Dmg6QMfjzYapmph95ODSm6pv8kYptlp4d/cQu5tAWx1kVgQpLglTKl41esj6 9p7UYvFoz0idC/1h6kX7RmnLZe7o4B1tGiwuI/Us+Vq5mpDXdsJl7L5Cl8MidVw4KDsfu3 mzlzzS9zYT8a2pJUwKouGSxmMTD8URT3e3U8esW55fB+Atd7yx82EFfvdFJ/tx1rrQuJie cUekui/SyJnOtN2Qbu9FoL+lwPn//TdkW32zMn5pas52KKk+POfxKC7HAz4qxxRSNe0lYe APogPVYb5GVRwjXTMlbqigtrBZYFCHannSywpEpyqABxim1z1pA/IMaaNUaCvQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyy3hqnzp42 for ; Tue, 09 Jun 2026 19:20:10 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3f52e by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:20:10 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 3d80e4aec3c1 - releng/15.1 - in6_mcast: Fix a race in in6p_set_source_filter() List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.1 X-Git-Reftype: branch X-Git-Commit: 3d80e4aec3c1656faace076ae2b1b9d97e4c0e89 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:20:10 +0000 Message-Id: <6a28676a.3f52e.607b0132@gitrepo.freebsd.org> The branch releng/15.1 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=3d80e4aec3c1656faace076ae2b1b9d97e4c0e89 commit 3d80e4aec3c1656faace076ae2b1b9d97e4c0e89 Author: Mark Johnston AuthorDate: 2026-05-29 20:12:24 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 02:59:48 +0000 in6_mcast: Fix a race in in6p_set_source_filter() We drop the inpcb lock in order to copy in the source list, but this leaves a window where the multicast filter structure might be freed. This can be exploited to obtain root privileges. In the v4 code this race is mitigated by holding the global multicast lock across the gap. Restructure the code to copy in filters before doing anything else, so that there's no need to drop the inpcb lock and reason about the correctness of doing so. Do the same in the v4 code for consistency. Approved by: re (cperciva) Approved by: so Security: FreeBSD-SA-26:29.ip6_multicast Security: CVE-2026-49412 Reported by: Andrew Griffiths Reported by: Maik Münch Reviewed by: glebius Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57347 --- sys/netinet/in_mcast.c | 40 +++++++++++++++++----------------------- sys/netinet6/in6_mcast.c | 41 +++++++++++++++++++---------------------- 2 files changed, 36 insertions(+), 45 deletions(-) diff --git a/sys/netinet/in_mcast.c b/sys/netinet/in_mcast.c index 08c536bc71c0..502d41bbbf39 100644 --- a/sys/netinet/in_mcast.c +++ b/sys/netinet/in_mcast.c @@ -2524,6 +2524,7 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) { struct epoch_tracker et; struct __msfilterreq msfr; + struct sockaddr_storage *kss; sockunion_t *gsa; struct ifnet *ifp; struct in_mfilter *imf; @@ -2536,9 +2537,6 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (error) return (error); - if (msfr.msfr_nsrcs > in_mcast_maxsocksrc) - return (ENOBUFS); - if ((msfr.msfr_fmode != MCAST_EXCLUDE && msfr.msfr_fmode != MCAST_INCLUDE)) return (EINVAL); @@ -2551,13 +2549,24 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (!IN_MULTICAST(ntohl(gsa->sin.sin_addr.s_addr))) return (EINVAL); + if (msfr.msfr_nsrcs > in_mcast_maxsocksrc) + return (ENOBUFS); + kss = mallocarray(msfr.msfr_nsrcs, sizeof(struct sockaddr_storage), + M_TEMP, M_WAITOK); + error = copyin(msfr.msfr_srcs, kss, + sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs); + if (error) + goto out_inp_unlocked; + gsa->sin.sin_port = 0; /* ignore port */ NET_EPOCH_ENTER(et); ifp = ifnet_byindex(msfr.msfr_ifindex); NET_EPOCH_EXIT(et); /* XXXGL: unsafe ifp */ - if (ifp == NULL) - return (EADDRNOTAVAIL); + if (ifp == NULL) { + error = EADDRNOTAVAIL; + goto out_inp_unlocked; + } IN_MULTI_LOCK(); @@ -2589,25 +2598,9 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (msfr.msfr_nsrcs > 0) { struct in_msource *lims; struct sockaddr_in *psin; - struct sockaddr_storage *kss, *pkss; + struct sockaddr_storage *pkss; int i; - INP_WUNLOCK(inp); - - CTR2(KTR_IGMPV3, "%s: loading %lu source list entries", - __func__, (unsigned long)msfr.msfr_nsrcs); - kss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, - M_TEMP, M_WAITOK); - error = copyin(msfr.msfr_srcs, kss, - sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs); - if (error) { - IN_MULTI_UNLOCK(); - free(kss, M_TEMP); - return (error); - } - - INP_WLOCK(inp); - /* * Mark all source filters as UNDEFINED at t1. * Restore new group filter mode, as imf_leave() @@ -2642,7 +2635,6 @@ inp_set_source_filters(struct inpcb *inp, struct sockopt *sopt) break; lims->imsl_st[1] = imf->imf_st[1]; } - free(kss, M_TEMP); } if (error) @@ -2679,6 +2671,8 @@ out_imf_rollback: out_inp_locked: INP_WUNLOCK(inp); IN_MULTI_UNLOCK(); +out_inp_unlocked: + free(kss, M_TEMP); return (error); } diff --git a/sys/netinet6/in6_mcast.c b/sys/netinet6/in6_mcast.c index a6186568ecb2..4ec9f36cd9ac 100644 --- a/sys/netinet6/in6_mcast.c +++ b/sys/netinet6/in6_mcast.c @@ -2489,6 +2489,7 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) { struct __msfilterreq msfr; struct epoch_tracker et; + struct sockaddr_storage *kss; sockunion_t *gsa; struct ifnet *ifp; struct in6_mfilter *imf; @@ -2501,9 +2502,6 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (error) return (error); - if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc) - return (ENOBUFS); - if (msfr.msfr_fmode != MCAST_EXCLUDE && msfr.msfr_fmode != MCAST_INCLUDE) return (EINVAL); @@ -2516,19 +2514,31 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (!IN6_IS_ADDR_MULTICAST(&gsa->sin6.sin6_addr)) return (EINVAL); + if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc) + return (ENOBUFS); + kss = mallocarray(msfr.msfr_nsrcs, sizeof(struct sockaddr_storage), + M_TEMP, M_WAITOK); + error = copyin(msfr.msfr_srcs, kss, + sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs); + if (error) + goto out_in6p_unlocked; + gsa->sin6.sin6_port = 0; /* ignore port */ NET_EPOCH_ENTER(et); ifp = ifnet_byindex(msfr.msfr_ifindex); NET_EPOCH_EXIT(et); - if (ifp == NULL) - return (EADDRNOTAVAIL); + if (ifp == NULL) { + error = EADDRNOTAVAIL; + goto out_in6p_unlocked; + } (void)in6_setscope(&gsa->sin6.sin6_addr, ifp, NULL); /* * Take the INP write lock. * Check if this socket is a member of this group. */ + IN6_MULTI_LOCK(); imo = in6p_findmoptions(inp); imf = im6o_match_group(imo, ifp, &gsa->sa); if (imf == NULL) { @@ -2553,24 +2563,9 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) if (msfr.msfr_nsrcs > 0) { struct in6_msource *lims; struct sockaddr_in6 *psin; - struct sockaddr_storage *kss, *pkss; + struct sockaddr_storage *pkss; int i; - INP_WUNLOCK(inp); - - CTR2(KTR_MLD, "%s: loading %lu source list entries", - __func__, (unsigned long)msfr.msfr_nsrcs); - kss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, - M_TEMP, M_WAITOK); - error = copyin(msfr.msfr_srcs, kss, - sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs); - if (error) { - free(kss, M_TEMP); - return (error); - } - - INP_WLOCK(inp); - /* * Mark all source filters as UNDEFINED at t1. * Restore new group filter mode, as im6f_leave() @@ -2615,7 +2610,6 @@ in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt) break; lims->im6sl_st[1] = imf->im6f_st[1]; } - free(kss, M_TEMP); } if (error) @@ -2650,6 +2644,9 @@ out_im6f_rollback: out_in6p_locked: INP_WUNLOCK(inp); + IN6_MULTI_UNLOCK(); +out_in6p_unlocked: + free(kss, M_TEMP); return (error); } From nobody Tue Jun 9 19:20:09 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyy0Xxwz6gVXl for ; Tue, 09 Jun 2026 19:20:10 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdyx3pRDz3R5F for ; Tue, 09 Jun 2026 19:20:09 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032809; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=AKEdBhxi2x0Q3aNYv0jn4TxTq3TIoea+Q0Fb4RzkDaQ=; b=mOVqoQardHVK7Yp9ySwaED0qOuZnLc2NntEJg6Wtkkf3GxiD5+5EPHZv5ozVxL0vzviAqk LfdCOGgDsCLxA2unxNuUmTqmMUgig3/46rAQVLejYOg3V/3WwWYiRQ9CoDxZiG3LOeK8Ab y8YFdGn91aJS9eQ0eAOB2x2iIyoSP9LvyGsFdODT3Kbr4PaSfKSPUTTk6uAwKoDS1kCPCv ks6UYRRRQXmrXaJ3iY8HJdMP0M0s+f6Zm6fdN/5u7g2fSEVcLhlHhcwvuVbtRHPRF1ocU3 Xfi7OxU3Sjr5XourOgekp4d5DUv6EMI4fNUXtV4SSmjNKPseSioVaoe/1wKtKg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032809; a=rsa-sha256; cv=none; b=s+S4n2AHxCwRzjwAP2O+Kmwt/CHEvJPVR9xhRHMv/MoJqD3NYuUqGEaUIYNB/woS0CUjQV FhX2zPC9lNBmIXYJoH0dk+GYnrzUaYYccfzBHIcXHQFKR7afGwVOYMOt69y9crWc2SSvox XwUSFmzVO6KWwaBfgvg5KkE6aZoZI+iwV6+EKwHhw5HWlb0+NaVnGzJZpAVsoFS3/dEfcv DuSy59bIlOWtPaeQamvNXcrFJPIwyGXQgJ11pV/m6oqkEx6Ms+hlO4W9Bh7eHT5E2+mf4g uOduY7ED4G/AHWOLkCuHTutvojeg7F3IY+zrMavN/7LKSD9oQLmjikat3hbSHg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032809; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=AKEdBhxi2x0Q3aNYv0jn4TxTq3TIoea+Q0Fb4RzkDaQ=; b=FA1JlioU9Ax0oroWAhV9SVeqOiJMcqfKGFSADNW+EHK9kS1SDCAr7JI828QO6x3ddQ06Yn cb4XOnoNvus13F3I/tOD67KX1015wij2x3YpN0fL1EQWAfUDMIGU/Sdqd1dFbXDLUdHFNn P1TJTwRgxEB8Iy970oFaWNibE+vMMgH4+rG04J/lECmHlsHFLsoRtiT3/8RojE3+6NFzQr 8jC6+Bq2FMOCsJG+pW71asnLpB3pthxXRCdZ+o9M8cL0LrWkzo/lISTx4AZgNQdYdNqpiE /vDNePskY3Scg6nK7ydqVMu0RWP7LhN1PZ1gQFW3xKMNkm+NdYnXkIBBq2ArQw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdyx3M5pznGH for ; Tue, 09 Jun 2026 19:20:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3eb4f by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:20:09 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Ed Maste From: Mark Johnston Subject: git: 871d33e8a66a - releng/15.1 - sigqueue: In capability mode, only allow signalling self List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.1 X-Git-Reftype: branch X-Git-Commit: 871d33e8a66aec34cf680c016c86a2988e9894ae Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:20:09 +0000 Message-Id: <6a286769.3eb4f.555eba32@gitrepo.freebsd.org> The branch releng/15.1 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=871d33e8a66aec34cf680c016c86a2988e9894ae commit 871d33e8a66aec34cf680c016c86a2988e9894ae Author: Ed Maste AuthorDate: 2026-05-26 13:24:36 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 02:59:42 +0000 sigqueue: In capability mode, only allow signalling self This is copied from the check in kern_kill. Approved by: re (cperciva) Approved by: so Security: FreeBSD-SA-26:28.capsicum Security: CVE-2026-45259 Reviewed by: markj, oshogbo Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57244 (cherry picked from commit b9d16b7fd2fa6bc4b3e8364804cbdc1b76ebe8a5) (cherry picked from commit defd9b86ef995ce70363eae9b323d616bda865be) --- sys/kern/kern_sig.c | 10 ++++++++++ tests/sys/capsicum/capmode.cc | 12 +++++++++--- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c index 9be7c82ee98b..e48997ed966a 100644 --- a/sys/kern/kern_sig.c +++ b/sys/kern/kern_sig.c @@ -2038,6 +2038,16 @@ kern_sigqueue(struct thread *td, pid_t pid, int signumf, union sigval *value) if (pid <= 0) return (EINVAL); + /* + * A process in capability mode can send signals only to itself. + */ + if (pid != td->td_proc->p_pid) { + if (CAP_TRACING(td)) + ktrcapfail(CAPFAIL_SIGNAL, &signum); + if (IN_CAPABILITY_MODE(td)) + return (ECAPMODE); + } + if ((signumf & __SIGQUEUE_TID) == 0) { if ((p = pfind_any(pid)) == NULL) return (ESRCH); diff --git a/tests/sys/capsicum/capmode.cc b/tests/sys/capsicum/capmode.cc index 5ff025290211..d2eb1e8633a8 100644 --- a/tests/sys/capsicum/capmode.cc +++ b/tests/sys/capsicum/capmode.cc @@ -746,8 +746,8 @@ FORK_TEST(Capmode, NewThread) { close(thread_pipe[1]); } -static volatile sig_atomic_t had_signal = 0; -static void handle_signal(int) { had_signal = 1; } +static volatile sig_atomic_t signal_cnt = 0; +static void handle_signal(int) { signal_cnt++; } FORK_TEST(Capmode, SelfKill) { pid_t me = getpid(); @@ -765,7 +765,13 @@ FORK_TEST(Capmode, SelfKill) { // Can only kill(2) to own pid. EXPECT_CAPMODE(kill(child, SIGUSR1)); EXPECT_OK(kill(me, SIGUSR1)); - EXPECT_EQ(1, had_signal); + EXPECT_EQ(1, signal_cnt); + + union sigval sv; + sv.sival_int = 0x1234; + EXPECT_CAPMODE(sigqueue(child, SIGUSR1, sv)); + EXPECT_OK(sigqueue(me, SIGUSR1, sv)); + EXPECT_EQ(2, signal_cnt); signal(SIGUSR1, original); } From nobody Tue Jun 9 19:20:12 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdz12T5Xz6gVXr for ; Tue, 09 Jun 2026 19:20:13 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdz057Cwz3Qrb for ; Tue, 09 Jun 2026 19:20:12 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032812; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=oQDiwBZQ2loEoJJtm8/Kvnt+7vrP8yI1S/TUhNZwRnk=; b=txnF9Gy3kpVa5jl5oscqIsiWi7YGunnR4RVFzsEJQ3aKE7Vi8YQ0fUjVbV2+nT/jCbXEXd 00osuhP5f3QkOjkPABbKZUyst2kyVYJrUzLtxSc6mqKSr/MzIHb4JmbzWW0FdQA7FaJBrk 47UZqBJP/vvqLfrUhYQ6q5bRS9kYZS0Csg8GnC8fHFEH39x4VSmsHzaNbtPIQNdvSel3QU CbtvPNP9LFzxU63SQphqxpmgf4z1Z1Cx5dj2kyo1ZE9mLuhbOixs0uYlNdcf1/uXA+2mCM Cfgd3l2+ULc/Ovdo9ElUc3Ap7j7ZpYweNuPAzSHGGYP/+vDwKL23y6YbQDVcyA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032812; a=rsa-sha256; cv=none; b=e3pvS/AOYf/Jk97ZR6jyu2Am13+uqqVa4DUQQqgSabg8mWBZD3uDwJyrt1l8v6nueHWgJj +P2MkqY0Da6fOtihZ2GeDeqF6iIZ4D0GQW19IK5VzDy1r0RMSr2Xf/I9N2hq/9/Z3ywV5E yeQC5lPi8ys20nWPg+d0weE3OV5xxN8TNwitBcIl07okbtsA79mJqrOmz4EdymJrcB7RTi uKPzeVMu5ct8vkX1JqRqLaYuWtECLtYlZypTplbmhWw7WbrG/msVhdML4ZJsk3E6QaEoPd 0J7321NZbUJ2kHfhTPRKOQ53D9u7VVt9tuhU/rhT/Ly5ZgMOHjQQLnJjAZSohw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032812; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=oQDiwBZQ2loEoJJtm8/Kvnt+7vrP8yI1S/TUhNZwRnk=; b=PwS24o6pgCtvtI8yPMtlIYt61dStwo47iKjGvJfD2oMo9vKa/U5cAuNoxtW3j9gWNvdhCU pH9B4Ayl14kNBlriAvb89mvDUPcjsoWIsU/Kvpo1uGo0f7/3ZB08nBA1XLZn/ItNEPkd5v qw7u9W54mSoJp9vkBmCRabXhj24MXTNYJA9VAUDuwN7VHVo7LOJGo1oUeYn+uDD4nM5BAe 8BVCT3NTslG9pblQteUJYvxSngS5XriL3/67vRz6/Ogdz04f6vIZenf4g7ST7zYxgNrCBP Ibf16cQ2H6YdNAAD9yb+c20snhLFQ6DIsrW8IfKIbt6SLPrPoOWfMDfmU4Ge6A== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdz04QHRznCt for ; Tue, 09 Jun 2026 19:20:12 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e4c2 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:20:12 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Andrew Turner From: Mark Johnston Subject: git: 81435fc0882c - releng/15.1 - arm64: Workaround the following errata List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.1 X-Git-Reftype: branch X-Git-Commit: 81435fc0882c8c336f00d346bae04fdd3d5f65b5 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:20:12 +0000 Message-Id: <6a28676c.3e4c2.3bc8334@gitrepo.freebsd.org> The branch releng/15.1 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=81435fc0882c8c336f00d346bae04fdd3d5f65b5 commit 81435fc0882c8c336f00d346bae04fdd3d5f65b5 Author: Andrew Turner AuthorDate: 2026-05-28 09:25:30 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 03:00:02 +0000 arm64: Workaround the following errata - ARM C1-Premium erratum 4193780 - ARM C1-Ultra erratum 4193780 - ARM Cortex-A76 erratum 4193800 - ARM Cortex-A76AE erratum 4193801 - ARM Cortex-A77 erratum 4193798 - ARM Cortex-A78 erratum 4193791 - ARM Cortex-A78AE erratum 4193793 - ARM Cortex-A78C erratum 4193794 - ARM Cortex-A710 erratum 4193788 - ARM Cortex-X1 erratum 4193791 - ARM Cortex-X1C erratum 4193792 - ARM Cortex-X2 erratum 4193788 - ARM Cortex-X3 erratum 4193786 - ARM Cortex-X4 erratum 4118414 - ARM Cortex-X925 erratum 4193781 - ARM Neoverse-N1 erratum 4193800 - ARM Neoverse-N2 erratum 4193789 - ARM Neoverse-V1 erratum 4193790 - ARM Neoverse-V2 erratum 4193787 - ARM Neoverse-V3 erratum 4193784 - ARM Neoverse-V3AE erratum 4193784 These are all variants on an erratum where TLBI+DSB instructions on one CPU may incorrectly complete early leading to stores to an updated address using an incorrect translation on another CPU. In all cases the workaround is to add a second TLBI+DSB. Approved by: re (cperciva) Approved by: so Security: FreeBSD-SA-26:31.arm64 Security: CVE-2025-10263 Sponsored by: Arm Ltd --- sys/arm64/arm64/pmap.c | 60 ++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 51 insertions(+), 9 deletions(-) diff --git a/sys/arm64/arm64/pmap.c b/sys/arm64/arm64/pmap.c index aa0b0e829f7a..12ab8750c77a 100644 --- a/sys/arm64/arm64/pmap.c +++ b/sys/arm64/arm64/pmap.c @@ -1743,20 +1743,62 @@ static cpu_feat_en pmap_multiple_tlbi_check(const struct cpu_feat *feat __unused, u_int midr) { /* - * Cortex-A55 erratum 2441007 (Cat B rare) + * ARM C1-Premium erratum 4193780 + * ARM C1-Ultra erratum 4193780 + * ARM Cortex-A76 erratum 4193800 + * ARM Cortex-A76AE erratum 4193801 + * ARM Cortex-A77 erratum 4193798 + * ARM Cortex-A78 erratum 4193791 + * ARM Cortex-A78AE erratum 4193793 + * ARM Cortex-A78C erratum 4193794 + * ARM Cortex-A710 erratum 4193788 + * ARM Cortex-X1 erratum 4193791 + * ARM Cortex-X1C erratum 4193792 + * ARM Cortex-X2 erratum 4193788 + * ARM Cortex-X3 erratum 4193786 + * ARM Cortex-X4 erratum 4118414 + * ARM Cortex-X925 erratum 4193781 + * ARM Neoverse-N1 erratum 4193800 + * ARM Neoverse-N2 erratum 4193789 + * ARM Neoverse-V1 erratum 4193790 + * ARM Neoverse-V2 erratum 4193787 + * ARM Neoverse-V3 erratum 4193784 + * ARM Neoverse-V3AE erratum 4193784 * Present in all revisions */ - if (CPU_IMPL(midr) == CPU_IMPL_ARM && - CPU_PART(midr) == CPU_PART_CORTEX_A55) - return (FEAT_DEFAULT_DISABLE); + if (CPU_IMPL(midr) == CPU_IMPL_ARM) { + switch(CPU_PART(midr)) { + case CPU_PART_C1_PREMIUM: + case CPU_PART_C1_ULTRA: + case CPU_PART_CORTEX_A76: + case CPU_PART_CORTEX_A76AE: + case CPU_PART_CORTEX_A77: + case CPU_PART_CORTEX_A78: + case CPU_PART_CORTEX_A78AE: + case CPU_PART_CORTEX_A78C: + case CPU_PART_CORTEX_A710: + case CPU_PART_CORTEX_X1: + case CPU_PART_CORTEX_X1C: + case CPU_PART_CORTEX_X2: + case CPU_PART_CORTEX_X3: + case CPU_PART_CORTEX_X4: + case CPU_PART_CORTEX_X925: + case CPU_PART_NEOVERSE_N1: + case CPU_PART_NEOVERSE_N2: + case CPU_PART_NEOVERSE_V1: + case CPU_PART_NEOVERSE_V2: + case CPU_PART_NEOVERSE_V3: + case CPU_PART_NEOVERSE_V3AE: + return (FEAT_DEFAULT_ENABLE); + } + } /* - * Cortex-A76 erratum 1286807 (Cat B rare) - * Present in r0p0 - r3p0 - * Fixed in r3p1 + * Cortex-A55 erratum 2441007 (Cat B rare) + * Present in all revisions */ - if (midr_check_var_part_range(midr, CPU_IMPL_ARM, CPU_PART_CORTEX_A76, - 0, 0, 3, 0)) + if (CPU_IMPL(midr) == CPU_IMPL_ARM && + CPU_PART(midr) == CPU_PART_CORTEX_A55) return (FEAT_DEFAULT_DISABLE); /* From nobody Tue Jun 9 19:20:13 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdz219C9z6gVjV for ; Tue, 09 Jun 2026 19:20:14 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdz15ZK7z3Qxp for ; Tue, 09 Jun 2026 19:20:13 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032813; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=jYRXdKXwB54N+yxwFC1dcjNrVfvwKqwlGsVI8Ak98rs=; b=UP+aU2N5uV2BsQDiOnmWf/qFtL2SwzJeOwCgY3mUI6t1scuaSBnZzmMFrt0v2v5RHfIjsz 8zasc2uUbaYgFR7pu/qdRSxmPzdj04x/Wp72x+AcRT8sGY5ZF0SoEP9Tc7d6k7NK3BY/C7 CxJM68EMsQJg8Y3j3lmxWdeDdi3JX6mgU3xoZGTybTjOguj6lhqCFiVBc22+JO/7Yd2u8X bomGvKVc1GVcNB5CMNF8PrMV/pb2OSew0kAnUmtU/tMI8n7xe04O2Prj779wB6mHEk6lG7 HE5wRRt9GLzOjFLto7OO7w0baNomqCcCvKpPmkrcKryVT6JBF6b0rAE0vWgqQg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032813; a=rsa-sha256; cv=none; b=b73217G+jbh1L0GdmiyrXpgLC5GTIp2F/ymAbL5zp/dY7GMaqfUIGEQqVwwkrm+Zkr6eLV disQydUZWbcXrl6+crRkcRzZ+SWtsfR2C42CrqAAXEWY+WPXFAf4hcLAlz4n7XIdVUprET DjhGQa2SDQZSf0Q96sZVHtypYIMf7UxRClkoPcodOn1EFOTTVjt7ZdU0htqtquEOUQAgi9 DNU/gp4oaoth///V2O97kq7O1bemYeJXQNm48l4t0xkL1gkN1E/EYv2iPW3tYXPLMGrMiM aIzkvyNWRXN6ZnVaKPjEJUh63+vGTZtcFfUhawSOATyj4TSGR8pY0/vlF6ySHg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032813; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=jYRXdKXwB54N+yxwFC1dcjNrVfvwKqwlGsVI8Ak98rs=; b=WNFt5doe4qqgko8gkqqoQAZcQauyqqEt5TALvN1Wic+cgVT+yp1Envji+/q7CWSjMKjPnM +6UJQFGom2t+LZKbusKZpbPQASQrKScfVX+hjYicrB7UOX9zKVUGrxefn/U31bZDP/0Iv+ u/rVY1BgIuHtSCeRA+zntZ+C/oMyR8DRFKJ4ucNXhxmgVEwN0/hcKIx+6cHV23Hw18SBMG zyMlVekSeTf9wPheIwy6dsWO48vc5Nft7/vNNcsk4wXHx6hJdDPT0BfgDMzU/KxSZN+Nuy WeHTSmTRxUPvtyE272O8KyJVT78fyYefbjhNcmcPDS0Um/cf0XWpMKrToMOWlw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdz14qNZznwS for ; Tue, 09 Jun 2026 19:20:13 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e3e7 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:20:13 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 796579bcfbc4 - releng/15.1 - imgact_elf: Clear no-ASLR and -WXORX flags earlier for setugid images List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.1 X-Git-Reftype: branch X-Git-Commit: 796579bcfbc4451c618a973c52dada15b3f9928b Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:20:13 +0000 Message-Id: <6a28676d.3e3e7.57e4c96a@gitrepo.freebsd.org> The branch releng/15.1 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=796579bcfbc4451c618a973c52dada15b3f9928b commit 796579bcfbc4451c618a973c52dada15b3f9928b Author: Mark Johnston AuthorDate: 2026-06-02 20:29:00 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 03:00:09 +0000 imgact_elf: Clear no-ASLR and -WXORX flags earlier for setugid images Otherwise an unprivileged user can disable randomization of the base address for PIEs even if they are setugid. Add a regression test. Approved by: re (cperciva) Approved by: so Security: FreeBSD-SA-26:32.elf Security: CVE-2026-49414 Reported by: David Berard Reviewed by: kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57397 --- sys/kern/imgact_elf.c | 55 ++++++++--------- tests/sys/kern/Makefile | 2 + tests/sys/kern/aslr.c | 157 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 187 insertions(+), 27 deletions(-) diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c index c91fd8089487..27b7b0da824e 100644 --- a/sys/kern/imgact_elf.c +++ b/sys/kern/imgact_elf.c @@ -1241,11 +1241,39 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) error = ENOEXEC; goto ret; } + + /* + * Avoid a possible deadlock if the current address space is destroyed + * and that address space maps the locked vnode. In the common case, + * the locked vnode's v_usecount is decremented but remains greater + * than zero. Consequently, the vnode lock is not needed by vrele(). + * However, in cases where the vnode lock is external, such as nullfs, + * v_usecount may become zero. + * + * The VV_TEXT flag prevents modifications to the executable while + * the vnode is unlocked. + */ + VOP_UNLOCK(imgp->vp); + + /* + * Decide whether to enable randomization of user mappings. First, + * reset user preferences for the setid binaries. Then, account for the + * support of randomization by the ABI, by user preferences, and make + * special treatment for PIE binaries. + */ + if (imgp->credential_setid) { + PROC_LOCK(imgp->proc); + imgp->proc->p_flag2 &= ~(P2_ASLR_ENABLE | P2_ASLR_DISABLE | + P2_WXORX_DISABLE | P2_WXORX_ENABLE_EXEC); + PROC_UNLOCK(imgp->proc); + } + sv = brand_info->sysvec; if (hdr->e_type == ET_DYN) { if ((brand_info->flags & BI_CAN_EXEC_DYN) == 0) { uprintf("Cannot execute shared object\n"); error = ENOEXEC; + (void)vn_lock(imgp->vp, LK_SHARED | LK_RETRY); goto ret; } /* @@ -1264,33 +1292,6 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) imgp->et_dyn_addr = __elfN(pie_base); } } - - /* - * Avoid a possible deadlock if the current address space is destroyed - * and that address space maps the locked vnode. In the common case, - * the locked vnode's v_usecount is decremented but remains greater - * than zero. Consequently, the vnode lock is not needed by vrele(). - * However, in cases where the vnode lock is external, such as nullfs, - * v_usecount may become zero. - * - * The VV_TEXT flag prevents modifications to the executable while - * the vnode is unlocked. - */ - VOP_UNLOCK(imgp->vp); - - /* - * Decide whether to enable randomization of user mappings. - * First, reset user preferences for the setid binaries. - * Then, account for the support of the randomization by the - * ABI, by user preferences, and make special treatment for - * PIE binaries. - */ - if (imgp->credential_setid) { - PROC_LOCK(imgp->proc); - imgp->proc->p_flag2 &= ~(P2_ASLR_ENABLE | P2_ASLR_DISABLE | - P2_WXORX_DISABLE | P2_WXORX_ENABLE_EXEC); - PROC_UNLOCK(imgp->proc); - } if ((sv->sv_flags & SV_ASLR) == 0 || (imgp->proc->p_flag2 & P2_ASLR_DISABLE) != 0 || (fctl0 & NT_FREEBSD_FCTL_ASLR_DISABLE) != 0) { diff --git a/tests/sys/kern/Makefile b/tests/sys/kern/Makefile index a704581ee449..599ccc6519e6 100644 --- a/tests/sys/kern/Makefile +++ b/tests/sys/kern/Makefile @@ -7,6 +7,7 @@ TESTSRC= ${SRCTOP}/contrib/netbsd-tests/kernel TESTSDIR= ${TESTSBASE}/sys/kern +ATF_TESTS_C+= aslr ATF_TESTS_C+= basic_signal ATF_TESTS_C+= copy_file_range .if ${MACHINE_ARCH} != "i386" && ${MACHINE_ARCH} != "powerpc" && \ @@ -88,6 +89,7 @@ PROGS+= coredump_phnum_helper PROGS+= pdeathsig_helper PROGS+= sendfile_helper +LIBADD.aslr+= util LIBADD.copy_file_range+= md LIBADD.jail_lookup_root+= jail util LIBADD.jaildesc+= pthread diff --git a/tests/sys/kern/aslr.c b/tests/sys/kern/aslr.c new file mode 100644 index 000000000000..13038054603c --- /dev/null +++ b/tests/sys/kern/aslr.c @@ -0,0 +1,157 @@ +/* + * Copyright (c) 2026 The FreeBSD Foundation + * + * This software was developed by Mark Johnston under sponsorship from the + * FreeBSD Foundation. + */ + +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +#include + +/* + * Spawn an unprivileged child with ASLR force-disabled, which then execs + * /sbin/ping (setuid root). + */ +static pid_t +spawn_ping(const atf_tc_t *tc) +{ + const char *user; + struct passwd *passwd; + pid_t child; + int arg, error; + + user = atf_tc_get_config_var(tc, "unprivileged_user"); + passwd = getpwnam(user); + ATF_REQUIRE(passwd != NULL); + + child = fork(); + ATF_REQUIRE(child >= 0); + if (child == 0) { + if (seteuid(passwd->pw_uid) != 0) + _exit(1); + + arg = PROC_ASLR_FORCE_DISABLE; + error = procctl(P_PID, getpid(), PROC_ASLR_CTL, &arg); + if (error != 0) + _exit(2); + + execl("/sbin/ping", "ping", "127.0.0.1", NULL); + _exit(127); + } + usleep(500000); /* XXX-MJ */ + + return (child); +} + +/* + * Return the base address of the first mapping backed by the specified + * executable in the given process, or 0 if not found. + */ +static uint64_t +text_base(pid_t pid, const char *path) +{ + struct kinfo_vmentry *vmmap; + uint64_t base; + int cnt; + + base = 0; + vmmap = kinfo_getvmmap(pid, &cnt); + if (vmmap == NULL) + return (0); + for (int i = 0; i < cnt; i++) { + if (vmmap[i].kve_type == KVME_TYPE_VNODE && + strcmp(vmmap[i].kve_path, path) == 0) { + base = vmmap[i].kve_start; + break; + } + } + free(vmmap); + return (base); +} + +/* + * Make sure that ASLR can't be disabled for a setuid executable by an + * unprivileged user. + */ +ATF_TC(aslr_setuid); +ATF_TC_HEAD(aslr_setuid, tc) +{ + atf_tc_set_md_var(tc, "require.user", "root"); + atf_tc_set_md_var(tc, "require.config", "unprivileged_user"); +} +ATF_TC_BODY(aslr_setuid, tc) +{ + struct stat sb; + uint64_t bases[5]; + pid_t child, pid; + int arg, error, st; + + if (!atf_tc_has_config_var(tc, "unprivileged_user")) + atf_tc_skip("unprivileged_user not set"); + + error = stat("/sbin/ping", &sb); + ATF_REQUIRE(error == 0); + ATF_REQUIRE_MSG(sb.st_uid == 0 && (sb.st_mode & S_ISUID) != 0, + "/sbin/ping is not setuid root"); + + child = spawn_ping(tc); + bases[0] = text_base(child, "/sbin/ping"); + ATF_REQUIRE_MSG(bases[0] != 0, + "failed to find /sbin/ping text segment"); + + arg = 0; + error = procctl(P_PID, child, PROC_ASLR_STATUS, &arg); + ATF_REQUIRE_MSG(error == 0, "procctl ASLR_STATUS failed: %s", + strerror(errno)); + ATF_REQUIRE_MSG((arg & PROC_ASLR_ACTIVE) != 0, + "ASLR is not active for setuid child"); + ATF_REQUIRE_MSG((arg & ~PROC_ASLR_ACTIVE) == PROC_ASLR_NOFORCE, + "expected NOFORCE for setuid child, got %d", + arg & ~PROC_ASLR_ACTIVE); + + error = kill(child, SIGTERM); + ATF_REQUIRE(error == 0); + pid = waitpid(child, &st, 0); + ATF_REQUIRE(pid == child); + ATF_REQUIRE(WIFSIGNALED(st) && WTERMSIG(st) == SIGTERM); + + for (size_t i = 1; i < nitems(bases); i++) { + child = spawn_ping(tc); + bases[i] = text_base(child, "/sbin/ping"); + ATF_REQUIRE_MSG(bases[i] != 0, + "failed to find /sbin/ping text segment"); + error = kill(child, SIGTERM); + ATF_REQUIRE(error == 0); + pid = waitpid(child, &st, 0); + ATF_REQUIRE(pid == child); + ATF_REQUIRE(WIFSIGNALED(st) && WTERMSIG(st) == SIGTERM); + } + + /* Verify that the text base is different across all runs. */ + for (size_t i = 0; i < nitems(bases); i++) { + for (size_t j = i + 1; j < nitems(bases); j++) { + ATF_REQUIRE_MSG(bases[i] != bases[j], + "ping text base collision 0x%jx", + (uintmax_t)bases[i]); + } + } +} + +ATF_TP_ADD_TCS(tp) +{ + ATF_TP_ADD_TC(tp, aslr_setuid); + + return (atf_no_error()); +} From nobody Tue Jun 9 19:20:14 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdz326X8z6gVXy for ; Tue, 09 Jun 2026 19:20:15 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdz25qlDz3R9t for ; Tue, 09 Jun 2026 19:20:14 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032814; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=s3Ab7Myl88cBW+gY4zi+MDlAIg0+en2kGH9A4CeBC10=; b=xbH8OivzpcgRlzmPV0GR6rALcAi1uGmVG7bjGcdb6AR6rfgV33b48e6dd3u6o1hcBnrKY2 kTKOYisme5DiskDxiokDGWHB8euNGUFx2dtOdLB87LPcDRy/vnnHmb4XjcwNmMWLshfboy B/8hEhjZ2PJ29ryXc2nVWY8x/EBY+QOCuwhIQK0j/VGccymFZbvwY7qtGpLMxkZsksLsac NKZd+0ft7t9rtgjC0B9g4aN3eRWmmMhsd7xJ9yYcpz/8+42MOe/UIpdAOWiFhc98P2nh+6 QduFxTUcBdhmN3tcpQf9WcZq0fnNMWm6wZedoSGQLstHc32ogl8586VHOGRZXA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032814; a=rsa-sha256; cv=none; b=jv9TPiYfGp1zcoK/bJMF6nFkVfhVQaAugpVXymn8p7GyM53aMtS5C/kGinVSyXjt42Y0ZE GgHJFHSMdI8YMMKAVmxz4LlRKP5HbPMziBWPff79/ZINvGh43Q36JVDjNoWMir3kAj9XBR OQRAoFkUFWZDlXTuMf9tMoWINFsJ6ECP8vBUbdXqdFfHZol/ZM2okTgJa8CrmP0a5zbQhh w6npkOKnKjlZqc+mpBzBj/eYbxfwhtcjYonCjPA+3E+ecyvLkr9T9/1VzPXUk7TNFtD2Ly sEMkCxjkP4nCJ2tJWfk7VftNr+/Qbi/9sPfGCnDX+mqZeCJI6YTxQ7wy0EBQKQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032814; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=s3Ab7Myl88cBW+gY4zi+MDlAIg0+en2kGH9A4CeBC10=; b=PzNdqxC+DPPBkkdEBMAhDJHRFPI6cpqeRYBLLttzjSjwGVZK8kz8Zwz660EwS/HZmVHIOR xo8P0F3erwCX0JxybQg2+uiCWvf0uhiyTCPpjNPJfCV3e5PmHZ7tVYHDwzS9aUcMrAmoCZ 0BHHX2mLM0Zi6dBLUqU0BIGKWg/weJDJmIuesjra88EUPD7YhnI3WAYcx05oFGfhpt5ihZ 4VztZYfqjiNCuOKSgDBe2jYG8EblXPqh1Lm/R5iwpJRCvbRF0w/qK7iAKEZx1uvujrfxQz cWkwbnuJa1W+clcNkhjuW+2cAewakLJyMT2pazrXPEMn7MpthufEgRq0nbsw/w== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdz25CtvznGK for ; Tue, 09 Jun 2026 19:20:14 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3d6e4 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:20:14 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Ed Maste From: Mark Johnston Subject: git: 8ed11b21e544 - releng/15.1 - vt: Avoid integer overflow in CONS_HISTORY ioctl List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.1 X-Git-Reftype: branch X-Git-Commit: 8ed11b21e54417a450c64914a3898ce75c243c7f Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:20:14 +0000 Message-Id: <6a28676e.3d6e4.7ec97a90@gitrepo.freebsd.org> The branch releng/15.1 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=8ed11b21e54417a450c64914a3898ce75c243c7f commit 8ed11b21e54417a450c64914a3898ce75c243c7f Author: Ed Maste AuthorDate: 2026-05-26 16:19:47 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 03:00:15 +0000 vt: Avoid integer overflow in CONS_HISTORY ioctl Approved by: re (cperciva) Approved by: so Security: FreeBSD-SA-26:34.vt Security: CVE-2026-49416 Reviewed by: markj, vexeduxr Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57250 (cherry picked from commit 0ae946e7223df5ef3f7980af1d774d7f593f6421) (cherry picked from commit deaaddf1d3c4283649945553ad7e3208c8424308) --- sys/dev/vt/vt_buf.c | 9 ++++----- sys/dev/vt/vt_core.c | 6 ++++-- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/sys/dev/vt/vt_buf.c b/sys/dev/vt/vt_buf.c index e1e4ebc23491..43657fcecbdc 100644 --- a/sys/dev/vt/vt_buf.c +++ b/sys/dev/vt/vt_buf.c @@ -499,7 +499,6 @@ vtbuf_grow(struct vt_buf *vb, const term_pos_t *p, unsigned int history_size) { term_char_t *old, *new, **rows, **oldrows, **copyrows, *row, *oldrow; unsigned int w, h, c, r, old_history_size; - size_t bufsize, rowssize; int history_full; const teken_attr_t *a; term_char_t ch; @@ -510,10 +509,10 @@ vtbuf_grow(struct vt_buf *vb, const term_pos_t *p, unsigned int history_size) history_size = MAX(history_size, p->tp_row); /* Allocate new buffer. */ - bufsize = history_size * p->tp_col * sizeof(term_char_t); - new = malloc(bufsize, M_VTBUF, M_WAITOK | M_ZERO); - rowssize = history_size * sizeof(term_pos_t *); - rows = malloc(rowssize, M_VTBUF, M_WAITOK | M_ZERO); + new = mallocarray(history_size, p->tp_col * sizeof(term_char_t), + M_VTBUF, M_WAITOK | M_ZERO); + rows = mallocarray(history_size, sizeof(term_pos_t *), M_VTBUF, + M_WAITOK | M_ZERO); /* Toggle it. */ VTBUF_LOCK(vb); diff --git a/sys/dev/vt/vt_core.c b/sys/dev/vt/vt_core.c index 8360f0b80fb5..922b44028a23 100644 --- a/sys/dev/vt/vt_core.c +++ b/sys/dev/vt/vt_core.c @@ -40,6 +40,7 @@ #include #include #include +#include #include #include #include @@ -2798,8 +2799,9 @@ skip_thunk: /* XXX */ return (0); case CONS_HISTORY: - if (*(int *)data < 0) - return EINVAL; + if (*(int *)data < 0 || + *(int *)data > UINT_MAX / USHRT_MAX / sizeof(term_char_t)) + return (EINVAL); if (*(int *)data != vw->vw_buf.vb_history_size) vtbuf_sethistory_size(&vw->vw_buf, *(int *)data); return (0); From nobody Tue Jun 9 19:20:15 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdz40v6fz6gVbb for ; Tue, 09 Jun 2026 19:20:16 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdz36Yl9z3R6C for ; Tue, 09 Jun 2026 19:20:15 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032815; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=3jm+QYyNktDcvvpoZrCFe0IEviTi8P48ClZ1GCyibKc=; b=LEJJc0KOgiYDKxhgN8/l2jY6c4UrPacGHLjH27IcM37aD9bvbjj4mUrXC6wSlSiE9yqWk1 NGTTpnwBoaIi9HcIW62Kh0769H3+wzmeGokPDGT4VbOXRVun1Oy7YVPZQ6Mll5KJMYQy07 QDtjc5ZMPg0HUYJrJQQHx/vp7h1vaDxi1VqD2GqowdGVlFFJD3KxcfzJ57Vmt5DblZ7ujL jZZRxBeM2QjXq2k0GWfXBBlMKihYN4Lwn8+oZcREd7SD6zOjG5e60dQmGNb/MebDIoxLS2 Vp8tsEpmf7J4gGAnZ721dOfW7S3TgCojhogPY8KSt+gwc6FbI9J0Unb73GrQ8g== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032815; a=rsa-sha256; cv=none; b=QGe9KU7y+HWXo8iLZVm0EoPktNJUKdWJCjm6EswjnoadCnY3HlyJdMu6bNs2LKmRFOvLqt JmX4v1k4A9gj9Ga4Sib6D4yY1CavgzJB8LuvhlGVfTn6gdv7G/nKC0/vpRYJ6t0vYXkRL/ pb+BMm/VhBOfJ51wfySVB7ow4kosUbohhjvqLUxlXvAil7G9Vjl4b9peAphhiQYcy9cT6v 83kEVTCsXQbwieHlsozr67b4IzMxvRCXQa5dz3blICwRb7ZNBnCGzkdhiKe6Pbhylo3+tp blHkTx+p4YfzlJwnuLOSEYe/plz9qjt7jhvGO98hhCnmaP9iNnbU2RHjR5+MEQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032815; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=3jm+QYyNktDcvvpoZrCFe0IEviTi8P48ClZ1GCyibKc=; b=tvu1FSxPIeQosN/YreAU2Ut7x7Tjux40Wmx/ITy3aZT60b5Xmfe7/0grMUfOiY+juKYzSs Lql5DGToKmuFf8986p94+xwhx9fCVEJWX/R1xXBEAs+TUr93IUYR++BCz0qbG2df6o0LMG 04u0BLy2L9cGd15S1rTc+pwnCVWyRCkNmPQewxPwjv9Ovd3tMQBgKTiq3etueTIi1NRcdw 5/B9PCSGNEe8meJakgj9DHP80mfG6qIxr4zOfsWbtSlD9xsD30qwYt6TpCtVBwr0/ua9ju dwNcn9CIw1xZ2oDdX8fhXQsGb2EjmA8n/LiRWK3iU2/mlPivDSK3PsLW4h+HBg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdz35qdtznwT for ; Tue, 09 Jun 2026 19:20:15 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3dae2 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:20:15 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Gordon Tetlow From: Mark Johnston Subject: git: 083bb80a125a - releng/15.1 - openssl: Fix multiple vulnerabilities List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.1 X-Git-Reftype: branch X-Git-Commit: 083bb80a125a5f61c07000e73d0ddb19dd248978 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:20:15 +0000 Message-Id: <6a28676f.3dae2.58a0c7bc@gitrepo.freebsd.org> The branch releng/15.1 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=083bb80a125a5f61c07000e73d0ddb19dd248978 commit 083bb80a125a5f61c07000e73d0ddb19dd248978 Author: Gordon Tetlow AuthorDate: 2026-04-29 08:23:24 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 03:00:23 +0000 openssl: Fix multiple vulnerabilities This is a rollup commit from upstream to fix: Reject oversized inputs in ASN1_mbstring_ncopy() cms: kek_unwrap_key: Fix out-of-bounds read in check-byte validation cms: kek_unwrap_key: test for fix out-of-bounds read in check-byte validation Avoid length truncation in ASN1_STRING_set pkcs12: verify that the pbmac1 key length is safe Reject potentially forged encrypted CMS AuthEnvelopedData messages QUIC stack must limit the number of PATH_CHALLENGE frames processed in RX Fix NULL dereference in QUIC address validation Fix potential NULL dereference processing CMS PasswordRecipientInfo Fix potential NULL dereference in OSSL_CRMF_ENCRYPTEDVALUE_decrypt() Enforce implicit rejection for CMS/PKCS#7 decryption Use the correct issuer when validating rootCAKeyUpdate Match the local q DHX parameter against the peer's q Apply the buffered IV on the AES-OCB EVP_Cipher() path Fix handling of empty-ciphertext messages in AES-GCM-SIV and AES-SIV Fix possible use-after-free in OpenSSL PKCS7_verify() Approved by: re (cperciva) Approved by: so Obtained from: OpenSSL Security: FreeBSD-SA-26:35.openssl Security: CVE-2026-7383 Security: CVE-2026-9076 Security: CVE-2026-34180 Security: CVE-2026-34181 Security: CVE-2026-34182 Security: CVE-2026-34183 Security: CVE-2026-42764 Security: CVE-2026-42766 Security: CVE-2026-42767 Security: CVE-2026-42768 Security: CVE-2026-42769 Security: CVE-2026-42770 Security: CVE-2026-45445 Security: CVE-2026-45446 Security: CVE-2026-45447 --- crypto/openssl/crypto/asn1/a_mbstr.c | 31 ++++- crypto/openssl/crypto/asn1/tasn_dec.c | 24 ++-- crypto/openssl/crypto/cmp/cmp_genm.c | 6 +- crypto/openssl/crypto/cms/cms_enc.c | 10 +- crypto/openssl/crypto/cms/cms_env.c | 7 -- crypto/openssl/crypto/cms/cms_pwri.c | 13 +- crypto/openssl/crypto/crmf/crmf_lib.c | 10 +- crypto/openssl/crypto/pkcs12/p12_mutl.c | 8 +- crypto/openssl/crypto/pkcs7/pk7_doit.c | 7 -- crypto/openssl/crypto/pkcs7/pk7_smime.c | 9 +- crypto/openssl/doc/man3/CMS_decrypt.pod | 4 +- crypto/openssl/doc/man3/PKCS7_decrypt.pod | 10 +- crypto/openssl/include/internal/quic_cfq.h | 1 + crypto/openssl/include/internal/quic_channel.h | 1 + crypto/openssl/include/internal/quic_fifd.h | 1 + .../ciphers/cipher_aes_gcm_siv_hw.c | 27 ++-- .../implementations/ciphers/cipher_aes_ocb.c | 13 ++ .../implementations/ciphers/cipher_aes_siv.c | 3 + .../providers/implementations/exchange/dh_exch.c | 5 +- crypto/openssl/ssl/quic/quic_cfq.c | 15 +++ crypto/openssl/ssl/quic/quic_channel.c | 6 + crypto/openssl/ssl/quic/quic_channel_local.h | 39 ++++++ crypto/openssl/ssl/quic/quic_fifd.c | 43 +++++++ crypto/openssl/ssl/quic/quic_port.c | 6 +- crypto/openssl/ssl/quic/quic_rx_depack.c | 60 +++++---- crypto/openssl/ssl/quic/quic_txp.c | 2 + crypto/openssl/test/cmsapitest.c | 48 ++++++- crypto/openssl/test/evp_extra_test.c | 140 +++++++++++++++++++++ crypto/openssl/test/recipes/80-test_cmsapi.t | 3 +- .../80-test_cmsapi_data/cms_pwri_kek_oob.der | Bin 0 -> 193 bytes crypto/openssl/test/recipes/80-test_pkcs12.t | 13 +- .../pbmac1_256_256.bad-key-len.p12 | Bin 0 -> 2803 bytes .../pbmac1_256_256.good-shorter-key-len.p12 | Bin 0 -> 2803 bytes 33 files changed, 472 insertions(+), 93 deletions(-) diff --git a/crypto/openssl/crypto/asn1/a_mbstr.c b/crypto/openssl/crypto/asn1/a_mbstr.c index 2270e63d51d4..962e19b2ceaa 100644 --- a/crypto/openssl/crypto/asn1/a_mbstr.c +++ b/crypto/openssl/crypto/asn1/a_mbstr.c @@ -174,11 +174,27 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, break; case MBSTRING_BMP: + if (nchar > INT_MAX / 2) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_STRING_TOO_LONG); + if (free_out) { + ASN1_STRING_free(dest); + *out = NULL; + } + return -1; + } outlen = nchar << 1; cpyfunc = cpy_bmp; break; case MBSTRING_UNIV: + if (nchar > INT_MAX / 4) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_STRING_TOO_LONG); + if (free_out) { + ASN1_STRING_free(dest); + *out = NULL; + } + return -1; + } outlen = nchar << 2; cpyfunc = cpy_univ; break; @@ -186,8 +202,11 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, case MBSTRING_UTF8: outlen = 0; ret = traverse_string(in, len, inform, out_utf8, &outlen); - if (ret < 0) { - ERR_raise(ERR_LIB_ASN1, ASN1_R_INVALID_UTF8STRING); + if (ret < 0) { /* error already raised in out_utf8() */ + if (free_out) { + ASN1_STRING_free(dest); + *out = NULL; + } return -1; } cpyfunc = cpy_utf8; @@ -270,9 +289,15 @@ static int out_utf8(unsigned long value, void *arg) int *outlen, len; len = UTF8_putc(NULL, -1, value); - if (len <= 0) + if (len <= 0) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_INVALID_UTF8STRING); return len; + } outlen = arg; + if (*outlen > INT_MAX - len) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_STRING_TOO_LONG); + return -1; + } *outlen += len; return 1; } diff --git a/crypto/openssl/crypto/asn1/tasn_dec.c b/crypto/openssl/crypto/asn1/tasn_dec.c index 91c2e524f55b..e9532b9f48f7 100644 --- a/crypto/openssl/crypto/asn1/tasn_dec.c +++ b/crypto/openssl/crypto/asn1/tasn_dec.c @@ -54,7 +54,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx); -static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, +static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len, int utype, char *free_cont, const ASN1_ITEM *it); /* Table to convert tags to bit values, used for MSTRING type */ @@ -855,19 +855,24 @@ err: /* Translate ASN1 content octets into a structure */ -static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, +static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len, int utype, char *free_cont, const ASN1_ITEM *it) { ASN1_VALUE **opval = NULL; ASN1_STRING *stmp; ASN1_TYPE *typ = NULL; int ret = 0; + int ilen = (int)len; const ASN1_PRIMITIVE_FUNCS *pf; ASN1_INTEGER **tint; pf = it->funcs; - if (pf && pf->prim_c2i) - return pf->prim_c2i(pval, cont, len, utype, free_cont, it); + if (pf && pf->prim_c2i) { + if (len == (long)ilen) + return pf->prim_c2i(pval, cont, ilen, utype, free_cont, it); + ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG); + return 0; + } /* If ANY type clear type and set pointer to internal value */ if (it->utype == V_ASN1_ANY) { if (*pval == NULL) { @@ -885,7 +890,8 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, } switch (utype) { case V_ASN1_OBJECT: - if (!ossl_c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len)) + if (len != (long)ilen + || !ossl_c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, ilen)) goto err; break; @@ -940,6 +946,10 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, case V_ASN1_SET: case V_ASN1_SEQUENCE: default: + if (len != (long)ilen) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG); + goto err; + } if (utype == V_ASN1_BMPSTRING && (len & 1)) { ERR_raise(ERR_LIB_ASN1, ASN1_R_BMPSTRING_IS_WRONG_LENGTH); goto err; @@ -970,10 +980,10 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, } /* If we've already allocated a buffer use it */ if (*free_cont) { - ASN1_STRING_set0(stmp, (unsigned char *)cont /* UGLY CAST! */, len); + ASN1_STRING_set0(stmp, (unsigned char *)cont /* UGLY CAST! */, ilen); *free_cont = 0; } else { - if (!ASN1_STRING_set(stmp, cont, len)) { + if (!ASN1_STRING_set(stmp, cont, ilen)) { ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB); ASN1_STRING_free(stmp); *pval = NULL; diff --git a/crypto/openssl/crypto/cmp/cmp_genm.c b/crypto/openssl/crypto/cmp/cmp_genm.c index bcc121f14695..ec1f03d20c1a 100644 --- a/crypto/openssl/crypto/cmp/cmp_genm.c +++ b/crypto/openssl/crypto/cmp/cmp_genm.c @@ -202,7 +202,7 @@ static int selfsigned_verify_cb(int ok, X509_STORE_CTX *store_ctx) for (i = 0; i < sk_X509_num(trust); i++) { issuer = sk_X509_value(trust, i); if ((*check_issued)(store_ctx, cert, issuer)) { - if (X509_add_cert(chain, cert, X509_ADD_FLAG_UP_REF)) + if (X509_add_cert(chain, issuer, X509_ADD_FLAG_UP_REF)) ok = 1; break; } @@ -235,6 +235,7 @@ static int verify_ss_cert(OSSL_LIB_CTX *libctx, const char *propq, if ((csc = X509_STORE_CTX_new_ex(libctx, propq)) == NULL || !X509_STORE_CTX_init(csc, ts, target, untrusted)) goto err; + X509_STORE_CTX_set_flags(csc, X509_V_FLAG_CHECK_SS_SIGNATURE); X509_STORE_CTX_set_verify_cb(csc, selfsigned_verify_cb); ok = X509_verify_cert(csc) > 0; @@ -253,7 +254,8 @@ verify_ss_cert_trans(OSSL_CMP_CTX *ctx, X509 *trusted /* may be NULL */, int res = 0; if (trusted != NULL) { - X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts); + X509_VERIFY_PARAM *vpm = (ts == NULL) ? NULL + : X509_STORE_get0_param(ts); if ((ts = X509_STORE_new()) == NULL) return 0; diff --git a/crypto/openssl/crypto/cms/cms_enc.c b/crypto/openssl/crypto/cms/cms_enc.c index 08afb5ab114b..ba7082cebd72 100644 --- a/crypto/openssl/crypto/cms/cms_enc.c +++ b/crypto/openssl/crypto/cms/cms_enc.c @@ -109,13 +109,15 @@ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, goto err; } piv = aparams.iv; - if (ec->taglen > 0 - && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, - ec->taglen, ec->tag) - <= 0) { + + if (ec->taglen < 4 || ec->taglen > 16 + || EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, (int)ec->taglen, ec->tag) <= 0) { ERR_raise(ERR_LIB_CMS, CMS_R_CIPHER_AEAD_SET_TAG_ERROR); goto err; } + } else if (auth) { + ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM); + goto err; } } len = EVP_CIPHER_CTX_get_key_length(ctx); diff --git a/crypto/openssl/crypto/cms/cms_env.c b/crypto/openssl/crypto/cms/cms_env.c index 0828d157fad6..70dd59c06169 100644 --- a/crypto/openssl/crypto/cms/cms_env.c +++ b/crypto/openssl/crypto/cms/cms_env.c @@ -619,13 +619,6 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, if (!ossl_cms_env_asn1_ctrl(ri, 1)) goto err; - if (EVP_PKEY_is_a(pkey, "RSA")) - /* upper layer CMS code incorrectly assumes that a successful RSA - * decryption means that the key matches ciphertext (which never - * was the case, implicit rejection or not), so to make it work - * disable implicit rejection for RSA keys */ - EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_pkcs1_implicit_rejection", "0"); - if (evp_pkey_decrypt_alloc(ktri->pctx, &ek, &eklen, fixlen, ktri->encryptedKey->data, ktri->encryptedKey->length) diff --git a/crypto/openssl/crypto/cms/cms_pwri.c b/crypto/openssl/crypto/cms/cms_pwri.c index d62dbbde881b..faf6a164669b 100644 --- a/crypto/openssl/crypto/cms/cms_pwri.c +++ b/crypto/openssl/crypto/cms/cms_pwri.c @@ -200,18 +200,18 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen, const unsigned char *in, size_t inlen, EVP_CIPHER_CTX *ctx) { - size_t blocklen = EVP_CIPHER_CTX_get_block_size(ctx); + int blocklen = EVP_CIPHER_CTX_get_block_size(ctx); unsigned char *tmp; int outl, rv = 0; - if (blocklen == 0) + if (blocklen < 4) return 0; - if (inlen < 2 * blocklen) { + if (inlen < 2 * (size_t)blocklen) { /* too small */ return 0; } - if (inlen % blocklen) { + if (inlen > INT_MAX || inlen % blocklen) { /* Invalid size */ return 0; } @@ -367,6 +367,11 @@ int ossl_cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms, /* Finish password based key derivation to setup key in "ctx" */ + if (algtmp == NULL) { + ERR_raise_data(ERR_LIB_CMS, CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER, + "Missing KeyDerivationAlgorithm"); + goto err; + } if (!EVP_PBE_CipherInit_ex(algtmp->algorithm, (char *)pwri->pass, (int)pwri->passlen, algtmp->parameter, kekctx, en_de, diff --git a/crypto/openssl/crypto/crmf/crmf_lib.c b/crypto/openssl/crypto/crmf/crmf_lib.c index d5c8983b2fd4..34477d52662d 100644 --- a/crypto/openssl/crypto/crmf/crmf_lib.c +++ b/crypto/openssl/crypto/crmf/crmf_lib.c @@ -766,6 +766,7 @@ unsigned char *OSSL_CRMF_ENCRYPTEDVALUE_decrypt(const OSSL_CRMF_ENCRYPTEDVALUE * EVP_CIPHER *cipher = NULL; /* used cipher */ int cikeysize = 0; /* key size from cipher */ unsigned char *iv = NULL; /* initial vector for symmetric encryption */ + int iv_len; /* iv length */ unsigned char *out = NULL; /* decryption output buffer */ int n, ret = 0; EVP_PKEY_CTX *pkctx = NULL; /* private key context */ @@ -820,11 +821,12 @@ unsigned char *OSSL_CRMF_ENCRYPTEDVALUE_decrypt(const OSSL_CRMF_ENCRYPTEDVALUE * } else { goto end; } - if ((iv = OPENSSL_malloc(EVP_CIPHER_get_iv_length(cipher))) == NULL) + iv_len = EVP_CIPHER_get_iv_length(cipher); + if ((iv = OPENSSL_malloc(iv_len)) == NULL) goto end; - if (ASN1_TYPE_get_octetstring(enc->symmAlg->parameter, iv, - EVP_CIPHER_get_iv_length(cipher)) - != EVP_CIPHER_get_iv_length(cipher)) { + if (enc->symmAlg->parameter == NULL + || ASN1_TYPE_get_octetstring(enc->symmAlg->parameter, iv, iv_len) + != iv_len) { ERR_raise(ERR_LIB_CRMF, CRMF_R_MALFORMED_IV); goto end; } diff --git a/crypto/openssl/crypto/pkcs12/p12_mutl.c b/crypto/openssl/crypto/pkcs12/p12_mutl.c index 01956252df76..15072e12f26b 100644 --- a/crypto/openssl/crypto/pkcs12/p12_mutl.c +++ b/crypto/openssl/crypto/pkcs12/p12_mutl.c @@ -144,11 +144,13 @@ static int PBMAC1_PBKDF2_HMAC(OSSL_LIB_CTX *ctx, const char *propq, } pbkdf2_salt = pbkdf2_param->salt->value.octet_string; - /* RFC 9579 specifies missing key length as invalid */ + /* RFC 9879 specifies missing key length as invalid */ if (pbkdf2_param->keylength != NULL) keylen = ASN1_INTEGER_get(pbkdf2_param->keylength); - if (keylen <= 0 || keylen > EVP_MAX_MD_SIZE) { - ERR_raise(ERR_LIB_PKCS12, PKCS12_R_PARSE_ERROR); + /* RFC 9879 specifies too short key length as untrustworthy too */ + if (keylen < 20 || keylen > EVP_MAX_MD_SIZE) { + ERR_raise_data(ERR_LIB_PKCS12, PKCS12_R_PARSE_ERROR, + "Invalid Key length (%d is not in the range 20..64)", keylen); goto err; } diff --git a/crypto/openssl/crypto/pkcs7/pk7_doit.c b/crypto/openssl/crypto/pkcs7/pk7_doit.c index d6513cf3a379..1ec7895fc197 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_doit.c +++ b/crypto/openssl/crypto/pkcs7/pk7_doit.c @@ -203,13 +203,6 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, if (EVP_PKEY_decrypt_init(pctx) <= 0) goto err; - if (EVP_PKEY_is_a(pkey, "RSA")) - /* upper layer pkcs7 code incorrectly assumes that a successful RSA - * decryption means that the key matches ciphertext (which never - * was the case, implicit rejection or not), so to make it work - * disable implicit rejection for RSA keys */ - EVP_PKEY_CTX_ctrl_str(pctx, "rsa_pkcs1_implicit_rejection", "0"); - ret = evp_pkey_decrypt_alloc(pctx, &ek, &eklen, fixlen, ri->enc_key->data, ri->enc_key->length); if (ret <= 0) diff --git a/crypto/openssl/crypto/pkcs7/pk7_smime.c b/crypto/openssl/crypto/pkcs7/pk7_smime.c index 97f20058979f..dc003ee2affd 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_smime.c +++ b/crypto/openssl/crypto/pkcs7/pk7_smime.c @@ -222,6 +222,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, int i, j = 0, k, ret = 0; BIO *p7bio = NULL; BIO *tmpout = NULL; + BIO *next = NULL; const PKCS7_CTX *p7_ctx; if (p7 == NULL) { @@ -352,9 +353,11 @@ err: BIO_free(tmpout); X509_STORE_CTX_free(cert_ctx); OPENSSL_free(buf); - if (indata != NULL) - BIO_pop(p7bio); - BIO_free_all(p7bio); + while (p7bio != NULL && p7bio != indata) { + next = BIO_pop(p7bio); + BIO_free(p7bio); + p7bio = next; + } sk_X509_free(signers); sk_X509_free(untrusted); return ret; diff --git a/crypto/openssl/doc/man3/CMS_decrypt.pod b/crypto/openssl/doc/man3/CMS_decrypt.pod index 121b74a30a10..66a94287b6f5 100644 --- a/crypto/openssl/doc/man3/CMS_decrypt.pod +++ b/crypto/openssl/doc/man3/CMS_decrypt.pod @@ -68,7 +68,7 @@ then the above behaviour is modified and an error B returned if no recipient encrypted key can be decrypted B generating a random content encryption key. Applications should use this flag with B especially in automated gateways as it can leave them -open to attack. +open to attack. See L for more details. It is possible to determine the correct recipient key by other means (for example looking them up in a database) and setting them in the CMS structure @@ -103,7 +103,7 @@ mentioned in CMS_verify() also applies to CMS_decrypt(). =head1 SEE ALSO -L, L +L, L, L =head1 HISTORY diff --git a/crypto/openssl/doc/man3/PKCS7_decrypt.pod b/crypto/openssl/doc/man3/PKCS7_decrypt.pod index aea15937ab86..cfb5b3f87376 100644 --- a/crypto/openssl/doc/man3/PKCS7_decrypt.pod +++ b/crypto/openssl/doc/man3/PKCS7_decrypt.pod @@ -22,6 +22,14 @@ B is an optional set of flags. Although the recipients certificate is not needed to decrypt the data it is needed to locate the appropriate (of possible several) recipients in the PKCS#7 structure. +When RSA PKCS#1 v1.5 Key Transport is in use, the invoked EVP_PKEY_decrypt() +will use implicit rejection mechanism. It always returns the result of RSA +decryption of the symmetric key to avoid Marvin attack. This result is +deterministic and can happen to match the symmetric cipher used for the content +encryption. In case when the certificate is not provided, the last +RecipientInfo producing the key looking valid will be used. It may cause +getting garbage content on decryption. + The following flags can be passed in the B parameter. If the B flag is set MIME headers for type B are deleted @@ -43,7 +51,7 @@ mentioned in PKCS7_sign() also applies to PKCS7_verify(). =head1 SEE ALSO -L, L +L, L, L =head1 COPYRIGHT diff --git a/crypto/openssl/include/internal/quic_cfq.h b/crypto/openssl/include/internal/quic_cfq.h index 0b2a3a4cb2d6..96c8d89eb600 100644 --- a/crypto/openssl/include/internal/quic_cfq.h +++ b/crypto/openssl/include/internal/quic_cfq.h @@ -149,6 +149,7 @@ QUIC_CFQ_ITEM *ossl_quic_cfq_get_priority_head(const QUIC_CFQ *cfq, QUIC_CFQ_ITEM *ossl_quic_cfq_item_get_priority_next(const QUIC_CFQ_ITEM *item, uint32_t pn_space); +int ossl_quic_cfq_discard_unreliable(QUIC_CFQ *cfq, QUIC_CFQ_ITEM *item); #endif #endif diff --git a/crypto/openssl/include/internal/quic_channel.h b/crypto/openssl/include/internal/quic_channel.h index b917b966abeb..cfaeab728178 100644 --- a/crypto/openssl/include/internal/quic_channel.h +++ b/crypto/openssl/include/internal/quic_channel.h @@ -468,6 +468,7 @@ int ossl_quic_bind_channel(QUIC_CHANNEL *ch, const BIO_ADDR *peer, const QUIC_CONN_ID *scid, const QUIC_CONN_ID *dcid, const QUIC_CONN_ID *odcid); +void ossl_ch_reset_rx_state(QUIC_CHANNEL *ch); #endif #endif diff --git a/crypto/openssl/include/internal/quic_fifd.h b/crypto/openssl/include/internal/quic_fifd.h index 4ea7a2e0d226..afa330cbc4a2 100644 --- a/crypto/openssl/include/internal/quic_fifd.h +++ b/crypto/openssl/include/internal/quic_fifd.h @@ -83,6 +83,7 @@ int ossl_quic_fifd_pkt_commit(QUIC_FIFD *fifd, QUIC_TXPIM_PKT *pkt); void ossl_quic_fifd_set_qlog_cb(QUIC_FIFD *fifd, QLOG *(*get_qlog_cb)(void *arg), void *arg); +void ossl_quic_fifd_pkt_discard_unreliable(QUIC_FIFD *fifd, QUIC_TXPIM_PKT *tpkt); #endif #endif diff --git a/crypto/openssl/providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c b/crypto/openssl/providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c index d0b6ae4b070d..5bdc567b4bb1 100644 --- a/crypto/openssl/providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c +++ b/crypto/openssl/providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c @@ -58,6 +58,9 @@ static int aes_gcm_siv_initkey(void *vctx) memset(&data, 0, sizeof(data)); memcpy(&data.block[sizeof(data.counter)], ctx->nonce, NONCE_SIZE); + ctx->generated_tag = 0; + memset(ctx->tag, 0, TAG_SIZE); + /* msg_auth_key is always 16 bytes in size, regardless of AES128/AES256 */ /* counter is stored little-endian */ for (i = 0; i < BLOCK_SIZE; i += 8) { @@ -134,17 +137,6 @@ static int aes_gcm_siv_aad(PROV_AES_GCM_SIV_CTX *ctx, return 1; } -static int aes_gcm_siv_finish(PROV_AES_GCM_SIV_CTX *ctx) -{ - int ret = 0; - - if (ctx->enc) - return ctx->generated_tag; - ret = !CRYPTO_memcmp(ctx->tag, ctx->user_tag, sizeof(ctx->tag)); - ret &= ctx->have_user_tag; - return ret; -} - static int aes_gcm_siv_encrypt(PROV_AES_GCM_SIV_CTX *ctx, const unsigned char *in, unsigned char *out, size_t len) { @@ -271,6 +263,19 @@ static int aes_gcm_siv_decrypt(PROV_AES_GCM_SIV_CTX *ctx, const unsigned char *i return !error; } +static int aes_gcm_siv_finish(PROV_AES_GCM_SIV_CTX *ctx) +{ + int ret = 0; + + if (ctx->enc) + return ctx->generated_tag; + if (!ctx->generated_tag) + aes_gcm_siv_decrypt(ctx, NULL, NULL, 0); + ret = !CRYPTO_memcmp(ctx->tag, ctx->user_tag, sizeof(ctx->tag)); + ret &= ctx->have_user_tag; + return ret; +} + static int aes_gcm_siv_cipher(void *vctx, unsigned char *out, const unsigned char *in, size_t len) { diff --git a/crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c b/crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c index b724c425e392..99254cb49a88 100644 --- a/crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c +++ b/crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c @@ -514,6 +514,19 @@ static int aes_ocb_cipher(void *vctx, unsigned char *out, size_t *outl, return 0; } + /* + * Mirror the streaming handler: refuse if the key has not been set, + * and push the buffered IV into the OCB context before any data is + * processed. Without this, CRYPTO_ocb128_encrypt/decrypt runs with + * Offset_0 = 0 regardless of the caller's IV -- catastrophic + * (key, nonce) reuse, and a subsequent EVP_*Final_ex() emits a tag + * that is a function of (key, iv) only. + */ + if (!ctx->key_set || !update_iv(ctx)) { + ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED); + return 0; + } + if (!aes_generic_ocb_cipher(ctx, in, out, inl)) { ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED); return 0; diff --git a/crypto/openssl/providers/implementations/ciphers/cipher_aes_siv.c b/crypto/openssl/providers/implementations/ciphers/cipher_aes_siv.c index 96f26757abe2..754e0757cda3 100644 --- a/crypto/openssl/providers/implementations/ciphers/cipher_aes_siv.c +++ b/crypto/openssl/providers/implementations/ciphers/cipher_aes_siv.c @@ -192,6 +192,7 @@ static int aes_siv_set_ctx_params(void *vctx, const OSSL_PARAM params[]) PROV_AES_SIV_CTX *ctx = (PROV_AES_SIV_CTX *)vctx; const OSSL_PARAM *p; unsigned int speed = 0; + SIV128_CONTEXT *sctx = &ctx->siv; if (ossl_param_is_empty(params)) return 1; @@ -226,6 +227,8 @@ static int aes_siv_set_ctx_params(void *vctx, const OSSL_PARAM params[]) if (keylen != ctx->keylen) return 0; } + sctx->final_ret = -1; + return 1; } diff --git a/crypto/openssl/providers/implementations/exchange/dh_exch.c b/crypto/openssl/providers/implementations/exchange/dh_exch.c index 94d4254ed5d2..2bfefc0aedf4 100644 --- a/crypto/openssl/providers/implementations/exchange/dh_exch.c +++ b/crypto/openssl/providers/implementations/exchange/dh_exch.c @@ -146,12 +146,15 @@ static int dh_init(void *vpdhctx, void *vdh, const OSSL_PARAM params[]) static int dh_match_params(DH *priv, DH *peer) { int ret; + int ignore_q = 1; FFC_PARAMS *dhparams_priv = ossl_dh_get0_params(priv); FFC_PARAMS *dhparams_peer = ossl_dh_get0_params(peer); + if (dhparams_priv != NULL && dhparams_priv->q != NULL) + ignore_q = 0; ret = dhparams_priv != NULL && dhparams_peer != NULL - && ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, 1); + && ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, ignore_q); if (!ret) ERR_raise(ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS); return ret; diff --git a/crypto/openssl/ssl/quic/quic_cfq.c b/crypto/openssl/ssl/quic/quic_cfq.c index 3c59234ff0ff..16818e55f57d 100644 --- a/crypto/openssl/ssl/quic/quic_cfq.c +++ b/crypto/openssl/ssl/quic/quic_cfq.c @@ -7,6 +7,7 @@ * https://www.openssl.org/source/license.html */ +#include "internal/quic_channel.h" #include "internal/quic_cfq.h" #include "internal/numbers.h" @@ -307,6 +308,20 @@ void ossl_quic_cfq_mark_lost(QUIC_CFQ *cfq, QUIC_CFQ_ITEM *item, } } +int ossl_quic_cfq_discard_unreliable(QUIC_CFQ *cfq, QUIC_CFQ_ITEM *item) +{ + int discarded; + + if (ossl_quic_cfq_item_is_unreliable(item)) { + ossl_quic_cfq_release(cfq, item); + discarded = 1; + } else { + discarded = 0; + } + + return discarded; +} + /* * Releases a CFQ item. The item may be in either state (NEW or TX) prior to the * call. The QUIC_CFQ_ITEM pointer must not be used following this call. diff --git a/crypto/openssl/ssl/quic/quic_channel.c b/crypto/openssl/ssl/quic/quic_channel.c index 13692e5bd09e..5f81a8560d5f 100644 --- a/crypto/openssl/ssl/quic/quic_channel.c +++ b/crypto/openssl/ssl/quic/quic_channel.c @@ -2213,6 +2213,12 @@ static void ch_rx_check_forged_pkt_limit(QUIC_CHANNEL *ch) "forgery limit"); } +void ossl_ch_reset_rx_state(QUIC_CHANNEL *ch) +{ + ch->did_crypto_frame = 0; + ch->seen_path_challenge = 0; +} + /* Process queued incoming packets and handle frames, if any. */ static int ch_rx(QUIC_CHANNEL *ch, int channel_only, int *notify_other_threads) { diff --git a/crypto/openssl/ssl/quic/quic_channel_local.h b/crypto/openssl/ssl/quic/quic_channel_local.h index ae443fccca1e..e40b4901cbc7 100644 --- a/crypto/openssl/ssl/quic/quic_channel_local.h +++ b/crypto/openssl/ssl/quic/quic_channel_local.h @@ -12,6 +12,28 @@ #include "internal/quic_stream_map.h" #include "internal/quic_tls.h" +/* + * This is a part of PATH_CHALLENGE flood [1] mitigation. This limits the + * number of PATH_CHALLENGE frames QUIC stack is willing to process for + * connection. Local QUIC stack creates PATH_RESPONSE frame for PATH_CHALLENGE + * frame it receives from remote peer. The response frame is put Control Frame + * Queue waiting to be dispatched. The PATH_RESPONSE frame is removed from CFQ + * after it is dispatched. The QUIC_PATH_RESPONSE_QLEN limits the number of + * PATH_RESPONSE frames waiting to be dispatched. No new PATH_RESPONSE frames + * are inserted into CFQ if queue limit is exceeded. + * + * QUIC implementations use different limits for PATH_RESPONSE queue lengths: + * quic-go defines maxPathResponses as 256 + * quiche from cloadflare sets DEFAULT_MAX_PATH_CHALLENGE_RX_QUEUE_LEN to 3 + * t-quic from tencent chooses MAX_PATH_CHALS_RECV to be 8 + * + * OpenSSL here introduces QUIC_PATH_RESPONSE_QLEN as 32. + * + * [1] https://www.ietf.org/archive/id/draft-chen-quic-logical-vuln-mitigations-00.txt + * (section 4.2) + */ +#define QUIC_PATH_RESPONSE_QLEN 32 + /* * QUIC Channel Structure * ====================== @@ -457,6 +479,18 @@ struct quic_channel_st { /* Has qlog been requested? */ unsigned int is_tserver_ch : 1; + /* + * RFC 9000 Section 9.2.1 says: + * However, an endpoint SHOULD NOT send multiple + * PATH_CHALLENGE frames in a single packet. + * The counter here allows us to detect multiple presence + * of PATH_CHALLENGE frame in packet. We process only the + * first PATH_CHALLENGE frame found in packet. Remaining PATH_CHALLENGE + * frames are ignored. + * seen_path_challenge flag is always reset before + * ossl_quic_handle_frames() gets called. + */ + unsigned int seen_path_challenge : 1; /* Saved error stack in case permanent error was encountered */ ERR_STATE *err_state; @@ -467,6 +501,11 @@ struct quic_channel_st { /* Title for qlog purposes. We own this copy. */ char *qlog_title; + /* + * number of path responses waiting to be dispatched + * from control frame queue (CFQ) + */ + unsigned int path_response_limit; }; #endif diff --git a/crypto/openssl/ssl/quic/quic_fifd.c b/crypto/openssl/ssl/quic/quic_fifd.c index 03b8cebd3057..e80483b501d7 100644 --- a/crypto/openssl/ssl/quic/quic_fifd.c +++ b/crypto/openssl/ssl/quic/quic_fifd.c @@ -310,3 +310,46 @@ void ossl_quic_fifd_set_qlog_cb(QUIC_FIFD *fifd, QLOG *(*get_qlog_cb)(void *arg) fifd->get_qlog_cb = get_qlog_cb; fifd->get_qlog_cb_arg = get_qlog_cb_arg; } + +static void txpim_pkt_remove_cfq_item(QUIC_TXPIM_PKT *pkt, QUIC_CFQ_ITEM *cfq_item) +{ + QUIC_CFQ_ITEM *prev = cfq_item->pkt_prev; + + if (prev != NULL) { + prev->pkt_next = cfq_item->pkt_next; + } else { + pkt->retx_head = cfq_item->pkt_next; + } + + if (cfq_item->pkt_next != NULL) + cfq_item->pkt_next->pkt_prev = prev; + + cfq_item->pkt_prev = NULL; + cfq_item->pkt_next = NULL; +} + +void ossl_quic_fifd_pkt_discard_unreliable(QUIC_FIFD *fifd, QUIC_TXPIM_PKT *pkt) +{ + QUIC_CFQ_ITEM *cfq_item, *cfq_next; + + /* + * The packet has been written to network. We can discard frames we don't + * retransmit when loss is detected. + */ + cfq_item = pkt->retx_head; + while (cfq_item != NULL) { + /* + * Discarded items are moved to free list. If item + * got moved to free list we must also remove it from + * cfq list kept in pkt, so ACKM does not find it when + * receives an ACK for pkt. + */ + if (ossl_quic_cfq_discard_unreliable(fifd->cfq, cfq_item)) { + cfq_next = cfq_item->pkt_next; + txpim_pkt_remove_cfq_item(pkt, cfq_item); + cfq_item = cfq_next; + } else { + cfq_item = cfq_item->pkt_next; + } + } +} diff --git a/crypto/openssl/ssl/quic/quic_port.c b/crypto/openssl/ssl/quic/quic_port.c index 1e247e1ec624..dc79485b96a5 100644 --- a/crypto/openssl/ssl/quic/quic_port.c +++ b/crypto/openssl/ssl/quic/quic_port.c @@ -1666,8 +1666,10 @@ static void port_default_packet_handler(QUIC_URXE *e, void *arg, * forget qrx so channel can create a new one * with valid initial encryption level keys. */ - qrx_src = qrx; - qrx = NULL; + if (qrx != NULL) { + qrx_src = qrx; + qrx = NULL; + } } port_bind_channel(port, &e->peer, &scid, &hdr.dst_conn_id, diff --git a/crypto/openssl/ssl/quic/quic_rx_depack.c b/crypto/openssl/ssl/quic/quic_rx_depack.c index 786af9b4c221..1bdb43b7d639 100644 --- a/crypto/openssl/ssl/quic/quic_rx_depack.c +++ b/crypto/openssl/ssl/quic/quic_rx_depack.c @@ -931,6 +931,12 @@ static int depack_do_frame_retire_conn_id(PACKET *pkt, static void free_path_response(unsigned char *buf, size_t buf_len, void *arg) { + QUIC_CHANNEL *ch = (QUIC_CHANNEL *)arg; + + assert(ch->path_response_limit > 0); + + ch->path_response_limit--; + OPENSSL_free(buf); } @@ -951,33 +957,39 @@ static int depack_do_frame_path_challenge(PACKET *pkt, return 0; } - /* - * RFC 9000 s. 8.2.2: On receiving a PATH_CHALLENGE frame, an endpoint MUST - * respond by echoing the data contained in the PATH_CHALLENGE frame in a - * PATH_RESPONSE frame. - * - * TODO(QUIC FUTURE): We should try to avoid allocation here in the future. - */ - encoded_len = sizeof(uint64_t) + 1; - if ((encoded = OPENSSL_malloc(encoded_len)) == NULL) - goto err; + if (ch->seen_path_challenge == 0 + && ch->path_response_limit < QUIC_PATH_RESPONSE_QLEN) { + /* + * RFC 9000 s. 8.2.2: On receiving a PATH_CHALLENGE frame, an endpoint + * MUST respond by echoing the data contained in the PATH_CHALLENGE + * frame in a PATH_RESPONSE frame. + * + * TODO(QUIC FUTURE): We should try to avoid allocation here in the + * future. + */ + encoded_len = sizeof(uint64_t) + 1; + if ((encoded = OPENSSL_malloc(encoded_len)) == NULL) + goto err; - if (!WPACKET_init_static_len(&wpkt, encoded, encoded_len, 0)) - goto err; + if (!WPACKET_init_static_len(&wpkt, encoded, encoded_len, 0)) + goto err; - if (!ossl_quic_wire_encode_frame_path_response(&wpkt, frame_data)) { - WPACKET_cleanup(&wpkt); - goto err; - } + if (!ossl_quic_wire_encode_frame_path_response(&wpkt, frame_data)) { + WPACKET_cleanup(&wpkt); + goto err; + } - WPACKET_finish(&wpkt); + WPACKET_finish(&wpkt); - if (!ossl_quic_cfq_add_frame(ch->cfq, 0, QUIC_PN_SPACE_APP, - OSSL_QUIC_FRAME_TYPE_PATH_RESPONSE, - QUIC_CFQ_ITEM_FLAG_UNRELIABLE, - encoded, encoded_len, - free_path_response, NULL)) - goto err; + if (!ossl_quic_cfq_add_frame(ch->cfq, 0, QUIC_PN_SPACE_APP, + OSSL_QUIC_FRAME_TYPE_PATH_RESPONSE, + QUIC_CFQ_ITEM_FLAG_UNRELIABLE, + encoded, encoded_len, + free_path_response, ch)) + goto err; + ch->seen_path_challenge = 1; + ch->path_response_limit++; + } return 1; @@ -1432,7 +1444,7 @@ int ossl_quic_handle_frames(QUIC_CHANNEL *ch, OSSL_QRX_PKT *qpacket) if (ch == NULL) return 0; - ch->did_crypto_frame = 0; + ossl_ch_reset_rx_state(ch); /* Initialize |ackm_data| (and reinitialize |ok|)*/ memset(&ackm_data, 0, sizeof(ackm_data)); diff --git a/crypto/openssl/ssl/quic/quic_txp.c b/crypto/openssl/ssl/quic/quic_txp.c index 44aaad868d2f..b2565c1a9fee 100644 --- a/crypto/openssl/ssl/quic/quic_txp.c +++ b/crypto/openssl/ssl/quic/quic_txp.c @@ -3133,6 +3133,8 @@ static int txp_pkt_commit(OSSL_QUIC_TX_PACKETISER *txp, --probe_info->pto[pn_space]; } + ossl_quic_fifd_pkt_discard_unreliable(&txp->fifd, tpkt); + return rc; } diff --git a/crypto/openssl/test/cmsapitest.c b/crypto/openssl/test/cmsapitest.c index 0752d14df09c..d908bc6fc4c4 100644 --- a/crypto/openssl/test/cmsapitest.c +++ b/crypto/openssl/test/cmsapitest.c @@ -21,6 +21,7 @@ static X509 *cert = NULL; static EVP_PKEY *privkey = NULL; static char *derin = NULL; static char *too_long_iv_cms_in = NULL; +static char *pwri_kek_oob_der_in = NULL; static int test_encrypt_decrypt(const EVP_CIPHER *cipher) { @@ -512,7 +513,48 @@ end: return ret; } -OPT_TEST_DECLARE_USAGE("certfile privkeyfile derfile\n") +/* + * CMS EnvelopedData with a single PasswordRecipientInfo using + * id-alg-PWRI-KEK and an AES-128-CFB key encryption cipher + * (1-byte effective block size). The encryptedKey OCTET STRING is + * only two bytes long, so the wrapped key buffer is shorter than + * the seven octets read by the check-byte test in kek_unwrap_key(). + * Prior to CVE-2026-9076 this triggered an out-of-bounds heap read; + * CMS_decrypt() must now fail cleanly. + */ +static int test_pwri_kek_unwrap_short_encrypted_key(void) +{ + BIO *in = NULL; + CMS_ContentInfo *cms = NULL; + unsigned long err = 0; + int ret = 0; + + if (!TEST_ptr(in = BIO_new_file(pwri_kek_oob_der_in, "rb")) + || !TEST_ptr(cms = d2i_CMS_bio(in, NULL))) + goto end; + + /* + * The unwrap is attempted eagerly inside CMS_decrypt_set1_password(). + * It must fail cleanly (no OOB read) and report CMS_R_UNWRAP_FAILURE. + */ + if (!TEST_false(CMS_decrypt_set1_password(cms, + (unsigned char *)"password", -1))) + goto end; + + err = ERR_peek_last_error(); + if (!TEST_int_eq(ERR_GET_LIB(err), ERR_LIB_CMS) + || !TEST_int_eq(ERR_GET_REASON(err), CMS_R_UNWRAP_FAILURE)) + goto end; + + ERR_clear_error(); + ret = 1; +end: + CMS_ContentInfo_free(cms); + BIO_free(in); + return ret; +} + +OPT_TEST_DECLARE_USAGE("certfile privkeyfile derfile tooLongIVpem pwriKekOobDer\n") int setup_tests(void) { @@ -527,7 +569,8 @@ int setup_tests(void) if (!TEST_ptr(certin = test_get_argument(0)) || !TEST_ptr(privkeyin = test_get_argument(1)) || !TEST_ptr(derin = test_get_argument(2)) - || !TEST_ptr(too_long_iv_cms_in = test_get_argument(3))) + || !TEST_ptr(too_long_iv_cms_in = test_get_argument(3)) *** 236 LINES SKIPPED *** From nobody Tue Jun 9 19:20:16 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdz61Xf6z6gVkX for ; Tue, 09 Jun 2026 19:20:18 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdz46dDKz3R85 for ; Tue, 09 Jun 2026 19:20:16 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032817; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ZvfI0xWoW1EIevbuEcsoWHHhr3ZRA0J3JcbCIPJhicY=; b=D01JdqzYGcNCOaCrkbveIp+QehMae8pcBcE47phKTKfo0tVnqjE+g8fp+0p0RNmXLzhlcA 2xG8+IFeJEahICSmNDCv2NGXETlkXAnz6jW0Hzi1ouCngmMtPfPmoFcn/UP2TxB5O2Y5c4 sHFow5CBUCI0ecFhSMHDeVtB33sljW7a5nyeadFlfcd6t2CZUhkUrekeJ7Fuxvhr+7vYWl Zy4kWrZaFjT7v2Fuz8KvfU6/OnzApFcaJcYhAtpxoxmR4rw8p79CGHkV2qApox3XBcpkGs Afluyh0Fxl1CzP4bJbLwfZO0j0IPyWScg2li6xxHbL8RgmsS4Ox/N4mzMa6Jdg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032817; a=rsa-sha256; cv=none; b=Q6G7KKdKzUbGU49rEHoM4zhzWh7K/EicR4jI240/OfrG1MSZ+6DwXDHCI7GLZps6ObGziA eybITBDOrObBTlocgBQV9OBueT3nfECfaVvuqDEwLbEeu6+XTq0GM3fPdw0FtFlxzHu/yS h73WHmkAttpdw0kPIkVLW0et8pmLwr4KyDT0exCRTOXWrQmj7DC8MOxF0nLYp2dFJ2Cusl qZeSdkp8kDeG6FlBL3bPAxGx63fjBDUp7hdQxdhX7IpwNcTxouuKGHW/hbq/iRG1VqGZgF lpZKa4/t0e+OF19Ax9zqni2BVFpiFk89EISQd7N3nCT+1B6d2QbaO61/IT+P2g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032817; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ZvfI0xWoW1EIevbuEcsoWHHhr3ZRA0J3JcbCIPJhicY=; b=UtPo42pEUvmZMNtPkUurXKLQk+JfpHhOSqiHc7F3zQ5+70xhrGBCq1HrBoQ3aaDbMKZAEO tDDr+exuuHH93Qud8zDKwkyojHWcSGT+M/XbZW3adHmJnNsVKfokKUu7ADWPsjGQ892Fhk Z8R/ImxSdDtSpkVLaDzobLzR2DNNprToGQmJ6IIg7PhPAt49T7WMA5XPKm+tF455GqfRIm 2CTmDee438jW6NjEWH5yK8CKkeVfYxCnYoIXJOUVL7oOFK8dCltl/CQvxbgo0VsmyK8AWq 1LYKPTG77QDl6pubaq+a7x0VSMs2QEusfk0uQWRonVY/h+q3swKLd6fecgapjQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdz462N2znlB for ; Tue, 09 Jun 2026 19:20:16 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e7b9 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:20:16 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Gordon Tetlow From: Mark Johnston Subject: git: 157d99d7ec9b - releng/15.1 - ldns: Fix query response validation List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.1 X-Git-Reftype: branch X-Git-Commit: 157d99d7ec9b168d41d4b16f23c09bd55c511aff Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:20:16 +0000 Message-Id: <6a286770.3e7b9.8634bca@gitrepo.freebsd.org> The branch releng/15.1 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=157d99d7ec9b168d41d4b16f23c09bd55c511aff commit 157d99d7ec9b168d41d4b16f23c09bd55c511aff Author: Gordon Tetlow AuthorDate: 2026-06-07 15:24:14 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 03:00:29 +0000 ldns: Fix query response validation Approved by: re (cperciva) Approved by: so Security: FreeBSD-SA-26:36.ldns Security: CVE-2026-10846 --- contrib/ldns/error.c | 13 +++++++ contrib/ldns/ldns/error.h | 8 ++++- contrib/ldns/net.c | 92 +++++++++++++++++++++++++++++++++++++++++++++-- 3 files changed, 110 insertions(+), 3 deletions(-) diff --git a/contrib/ldns/error.c b/contrib/ldns/error.c index e3fd12112789..4fc05d6d0d8f 100644 --- a/contrib/ldns/error.c +++ b/contrib/ldns/error.c @@ -184,6 +184,19 @@ ldns_lookup_table ldns_error_str[] = { { LDNS_STATUS_INVALID_SVCPARAM_VALUE, "Invalid wireformat of a value " "in the ServiceParam rdata field of SVCB or HTTPS RR" }, + { LDNS_STATUS_NOT_EDE, + "The EDNS option is not an extended error code" }, + { LDNS_STATUS_EDE_OPTION_MALFORMED, + "The extended error code option is malformed, expected " + "at least 2 bytes of option data" }, + { LDNS_STATUS_EQUAL_RR, + "An identical RR already existed in the zone" }, + { LDNS_STATUS_ID_DID_NOT_MATCH, + "Response ID did not match the query ID" }, + { LDNS_STATUS_QDCOUNT_MUST_BE_ONE, + "The query section MUST contain exactly one question" }, + { LDNS_STATUS_QUERY_DID_NOT_MATCH, + "The question in the response did not match the query" }, { 0, NULL } }; diff --git a/contrib/ldns/ldns/error.h b/contrib/ldns/ldns/error.h index 2429b7703dfa..41d64cc0815f 100644 --- a/contrib/ldns/ldns/error.h +++ b/contrib/ldns/ldns/error.h @@ -141,7 +141,13 @@ enum ldns_enum_status { LDNS_STATUS_RESERVED_SVCPARAM_KEY, LDNS_STATUS_NO_SVCPARAM_VALUE_EXPECTED, LDNS_STATUS_SVCPARAM_KEY_MORE_THAN_ONCE, - LDNS_STATUS_INVALID_SVCPARAM_VALUE + LDNS_STATUS_INVALID_SVCPARAM_VALUE, + LDNS_STATUS_NOT_EDE, + LDNS_STATUS_EDE_OPTION_MALFORMED, + LDNS_STATUS_EQUAL_RR, + LDNS_STATUS_ID_DID_NOT_MATCH, + LDNS_STATUS_QDCOUNT_MUST_BE_ONE, + LDNS_STATUS_QUERY_DID_NOT_MATCH }; typedef enum ldns_enum_status ldns_status; diff --git a/contrib/ldns/net.c b/contrib/ldns/net.c index 57d4dff24dbe..215c0cac891c 100644 --- a/contrib/ldns/net.c +++ b/contrib/ldns/net.c @@ -441,6 +441,50 @@ ldns_udp_bgsend2(ldns_buffer *qbin, return ldns_udp_bgsend_from(qbin, to, tolen, NULL, 0, timeout); } +/** helper sockaddr compare function. returns -1, 0 or 1. */ +static int +ldns_sockaddr_cmp(const struct sockaddr_storage* addr1, socklen_t len1, + const struct sockaddr_storage* addr2, socklen_t len2) +{ + struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1; + struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2; + struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1; + struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2; + if(len1 < len2) + return -1; + if(len1 > len2) + return 1; + assert(len1 == len2); + if( p1_in->sin_family < p2_in->sin_family) + return -1; + if( p1_in->sin_family > p2_in->sin_family) + return 1; + assert( p1_in->sin_family == p2_in->sin_family ); + /* compare ip4 */ + if( p1_in->sin_family == AF_INET ) { + /* just order it, ntohs not required */ + if(p1_in->sin_port < p2_in->sin_port) + return -1; + if(p1_in->sin_port > p2_in->sin_port) + return 1; + assert(p1_in->sin_port == p2_in->sin_port); + return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, + sizeof(p1_in->sin_addr)); + } else if (p1_in6->sin6_family == AF_INET6) { + /* just order it, ntohs not required */ + if(p1_in6->sin6_port < p2_in6->sin6_port) + return -1; + if(p1_in6->sin6_port > p2_in6->sin6_port) + return 1; + assert(p1_in6->sin6_port == p2_in6->sin6_port); + return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr, + sizeof(p1_in6->sin6_addr)); + } else { + /* eek unknown type, perform this comparison for sanity. */ + return memcmp(addr1, addr2, len1); + } +} + static ldns_status ldns_udp_send_from(uint8_t **result, ldns_buffer *qbin, const struct sockaddr_storage *to , socklen_t tolen, @@ -449,6 +493,8 @@ ldns_udp_send_from(uint8_t **result, ldns_buffer *qbin, { int sockfd; uint8_t *answer; + struct sockaddr_storage reply_addr; + socklen_t reply_addr_len; sockfd = ldns_udp_bgsend_from(qbin, to, tolen, from, fromlen, timeout); @@ -467,13 +513,21 @@ ldns_udp_send_from(uint8_t **result, ldns_buffer *qbin, * but returns a 'NETWORK_ERROR' much like a timeout. */ ldns_sock_nonblock(sockfd); - answer = ldns_udp_read_wire(sockfd, answer_size, NULL, NULL); + reply_addr_len = sizeof(reply_addr); + memset(&reply_addr, 0, reply_addr_len); + answer = ldns_udp_read_wire(sockfd, answer_size, &reply_addr, + &reply_addr_len); close_socket(sockfd); if (!answer) { /* oops */ return LDNS_STATUS_NETWORK_ERR; } + /* Check that the reply came from the to addr. */ + if(ldns_sockaddr_cmp(to, tolen, &reply_addr, reply_addr_len) != 0) { + free(answer); + return LDNS_STATUS_NETWORK_ERR; + } *result = answer; return LDNS_STATUS_OK; @@ -512,6 +566,10 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf assert(r != NULL); + /* The query should at least have one question */ + if(ldns_buffer_limit(qb) < 6 || ldns_buffer_read_u16_at(qb, 4) != 1) + return LDNS_STATUS_QDCOUNT_MUST_BE_ONE; + status = LDNS_STATUS_OK; rtt = ldns_resolver_rtt(r); ns_array = ldns_resolver_nameservers(r); @@ -599,6 +657,16 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf ldns_resolver_set_nameserver_rtt(r, i, LDNS_RESOLV_RTT_INF); status = send_status; } + if(reply_bytes && ldns_buffer_limit(qb) >= 2) { + uint16_t txid = ldns_buffer_read_u16_at(qb, 0); + if(reply_size < 2 || + ldns_read_uint16(reply_bytes) != txid) { + status = LDNS_STATUS_ID_DID_NOT_MATCH; + LDNS_FREE(reply_bytes); + reply_bytes = NULL; + reply_size = 0; + } + } /* obey the fail directive */ if (!reply_bytes) { @@ -608,7 +676,7 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf LDNS_FREE(src); } LDNS_FREE(ns); - return LDNS_STATUS_ERR; + return status ? status : LDNS_STATUS_ERR; } else { LDNS_FREE(ns); continue; @@ -670,6 +738,26 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf #endif /* HAVE_SSL */ LDNS_FREE(reply_bytes); + if (reply) { + ldns_pkt *query = NULL; + + if(ldns_pkt_qdcount(reply) != 1) { + status = LDNS_STATUS_QDCOUNT_MUST_BE_ONE; + ldns_pkt_free(reply); + reply = NULL; + + } else if(ldns_wire2pkt(&query + , ldns_buffer_begin(qb) + , ldns_buffer_position(qb)) != LDNS_STATUS_OK + || ldns_pkt_qdcount(query) != 1 + || ldns_rr_compare(ldns_rr_list_rr(ldns_pkt_question(query),0) + ,ldns_rr_list_rr(ldns_pkt_question(reply),0))){ + status = LDNS_STATUS_QUERY_DID_NOT_MATCH; + ldns_pkt_free(reply); + reply = NULL; + } + ldns_pkt_free(query); + } if (result) { *result = reply; } From nobody Tue Jun 9 19:20:17 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZdz66Vh7z6gVkZ for ; Tue, 09 Jun 2026 19:20:18 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZdz56sc3z3RGQ for ; Tue, 09 Jun 2026 19:20:17 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032818; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=MK65MHWkRRQtVQuRpEcgvTJVKa7iKIgkCkndILeSqdg=; b=ecbFM3cLAFJl5Fc/LCix2n9hPL0uRhJmhvIM34eFJ+p0VcRJy+yE3+gJ3qcjWtUpUYtj7t goFclfWi2REiGMhaqII582PLwIUI4pY5Nk3G6agG83rdVRhAW9cQWnFj4bGad/tq8RzqQ2 sAUTA+ARY048Ou0rUG2qX3qj/JQmhG705/mB18tJDdxsf72N6VFK39thvAEpyV0xWO8CJV oa+wDl1N9tv6xmTNC0M7XhUo6j+EKFv6p3jUqqvuk0GgEhTXIvHtg9u3BqtcBIrjlag97n WOPte5ime6SmH7TP+jFKTJe8nURB5Z7aVpvR92+HE5YJjBnmJEnHo00onYCI1Q== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781032818; a=rsa-sha256; cv=none; b=Gb/oTRkdNzoJUwRh8xsotwz81uNV31hmlvVFxUo1JYSdMlGSpa6i7sRLujmQtb7Jvrj5aP OMorrxz9YaAMnu2V0WCIxwq+rTI7Lx2S197mnL4rAZT/xY/ie2r/FhCne66OVi+gb2Xqya XNtFOWj8Q+7iENa/uxer6rd5h0Qxmq777UaUAC6Jy7+JS/6ounvpDj2DExvFkSAhIPsYTJ OOX0zvHVshfNeCmNPIpS9wcy79jzv8rNwsRlI8hJtyeRKwBN9KSY0uxA/TwHo1uz+7DPg2 dqoJ8Le0JUuFtGtOuKzoVyTo+0sHK5UP4UttG01gePaQraa0fPDtzZlPYwiMog== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781032818; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=MK65MHWkRRQtVQuRpEcgvTJVKa7iKIgkCkndILeSqdg=; b=SGsCUjKGSV6YYpeKS9ZiDL3QtK/VvfHn3IZqpVjGaA4D97Hdyq2SXCxuSxoBhhyf4dkAbF mBWplC+VtvSqJvBP/wZx1GxEPjcekzwm6Bv5qv/uEuWI1fQZQv9tQosJtAnBESlLPpNPb5 xl7dzpBQvQwVeXhcDm0hx7mBPdn6ZUyGYGqODebWOaVHDaTQRvvbH6pMYLlWnIgwjUhzqA AOd5W+bSgxNdhdnlfwLohgYJGk9brepFGRsaKCa+SE8XV5izZOK+d1OltK/ABhG6BiWPSq XiJaQDK7CiCnja//BxcWpA8UcB4ipDl7BnacqClT5O+o2h0RQWxxZht7X3QNtA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZdz56Mzbzp49 for ; Tue, 09 Jun 2026 19:20:17 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3fc36 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 19:20:17 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 328e16f66204 - releng/15.1 - Add UPDATING entries and bump version List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.1 X-Git-Reftype: branch X-Git-Commit: 328e16f6620420dd130da41b806e1419f5c2c679 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 19:20:17 +0000 Message-Id: <6a286771.3fc36.15c0cabb@gitrepo.freebsd.org> The branch releng/15.1 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=328e16f6620420dd130da41b806e1419f5c2c679 commit 328e16f6620420dd130da41b806e1419f5c2c679 Author: Mark Johnston AuthorDate: 2026-06-07 18:11:49 +0000 Commit: Mark Johnston CommitDate: 2026-06-09 03:00:35 +0000 Add UPDATING entries and bump version Approved by: re (cperciva) Approved by: so --- UPDATING | 41 +++++++++++++++++++++++++++++++++++++++++ sys/conf/newvers.sh | 2 +- 2 files changed, 42 insertions(+), 1 deletion(-) diff --git a/UPDATING b/UPDATING index 137d2aa78e6c..71c3944fafa7 100644 --- a/UPDATING +++ b/UPDATING @@ -12,6 +12,47 @@ Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before updating system packages and/or ports. +20260609: + 15.1-RC3-p1 EN-26:15.openssl + SA-26:25.thr + SA-26:26.ktls + SA-26:27.sound + SA-26:28.capsicum + SA-26:29.ip6_multicast + SA-26:30.linux + SA-26:31.arm64 + SA-26:32.elf + SA-26:33.unbound + SA-26:34.vt + SA-26:35.openssl + SA-26:36.ldns + + Update OpenSSL to 3.0.20 and 3.5.6. [EN-26:15.openssl] + + Missing permission check in thr_kill2(2). [SA-26:25.thr] + + Arbitrary file overwrite via the KTLS receive path. [SA-26:26.ktls] + + Multiple vulnerabilities in the sound(4) mmap path. [SA-26:27.sound] + + sigqueue(2) missing capability mode restriction. [SA-26:28.capsicum] + + Use-after-free bug in the IPV6_MSFILTER socket option handler. [SA-26:29.ip6_multicast] + + Flaw in Linuxulator execution of setugid binaries. [SA-26:30.linux] + + Arm CPU errata may bypass page table permission changes. [SA-26:31.arm64] + + ASLR bypass for setuid executables via procctl(2). [SA-26:32.elf] + + Multiple vulnerabilities in unbound. [SA-26:33.unbound] + + Integer overflow in vt(4) CONS_HISTORY ioctl. [SA-26:34.vt] + + Multiple vulnerabilities in OpenSSL. [SA-26:35.openssl] + + Insufficient response validation in the ldns stub resolver. [SA-26:36.ldns] + 20260512: "bsdinstall script" will now do a pkgbase installation by default. To revert to the legacy distset installation, set "DISTRIBUTIONS" in diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 17d6f240b2ca..249ff1519aff 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -51,7 +51,7 @@ TYPE="FreeBSD" REVISION="15.1" -BRANCH="RC3" +BRANCH="RC3-p1" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi From nobody Tue Jun 9 20:26:17 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZgRG1Zmlz6gbYJ for ; Tue, 09 Jun 2026 20:26:18 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZgRG0ZRWz40gL for ; Tue, 09 Jun 2026 20:26:18 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781036778; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=LnuHByvQMaQgU1UHdPuvvL6mjbRJy+N5a5QcV8XowQw=; b=R6wbcFv1MEvVniL9B6hk6I8/BkoWyrSLVGOycVKEkN27aFXMxNTD/oVgRvGGH++h0ld9yG TIQE5YQ5WMsz1sJMrCy5ID+2KCE1DcvFRbsHXk+y1DwLe2+2ZhZoOphk0Bs8N9xmzN3CZe Z7X0Dl2lpkMtwg/rq6je+E4WUqYaXh5azVJ3MUTNqqy+YL3fMps5j3j4BJq8kHVUVGv23c XdXXdsaQVourOr2FLZmPK2k1xIodahFWeDI8lcbIFEbWJ0kioveNY+oHNCRRusr65M7b6f j/7LIrEXw/FczjM0oqRcAbQ+a7dZAh7UkufwNf/jzBd00foE0o38iajOSFBU6g== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781036778; a=rsa-sha256; cv=none; b=RRD3avzeWebt7FNsiBc5We3E/pEDPETKK59NZn+l7PDhhebg3HavYtWtzHpjzSB22DxOeN B04E6ugiMtDTy+pHV4tSEysOlG+MOjfcN1g5LgSCsFgXiKFb5EzxSu+szntjnUnZyD2nKS 1JAS1O39PFme1y1mOieH+MjCF5gx/TrVCwDiKag3mdjRRZ/oEGLHpSTxt44zTBGIksT+d7 EAA+9PsIVZ4VshMYVkYkua7+K9KqWjchFkcdBHPYsjp6JnAFaftlPDYnsTagbQKJOQt65z 6DYyxOLK9ZfwvO3nR7kjH0myI6Mh6558wPJTlCYTgMNOumAdRHmud/5Sr0lMVw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781036778; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=LnuHByvQMaQgU1UHdPuvvL6mjbRJy+N5a5QcV8XowQw=; b=W9zBwcUucZDFJ2g9Nud9DDDYeW3oAXgZ1wouwRkSIoK19oRJfCkJ3N8sn0655fPWs6u8pq uX5kkK1fDf0U3Ua05Tu0faGvzjFUuTFeDvPBxUkDwYPNYnGAmw65oqQMeioC13cbWe5BGt yHvy5ghA2Xr2vM0zFA+WD13Ff7507xQTTrZ5AbHR2/CrQ2b90FojdxEUTeOxINPCpZAUwA ZJGykijL2i1TWXEKaLEBc1evSB+IIhYpxL6sDLbMbOSxNwz7baeBURcAhfyfBKXwthJ1r0 dfMFHqWrcYyQ0v9/AkpS6oYPyWeO5DFlFvJl8ApDobrR43ODj/3i61wX2Pnh9A== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZgRF6yJLzqn2 for ; Tue, 09 Jun 2026 20:26:17 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 1de69 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 20:26:17 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Olivier Certner Subject: git: 7941d1863f0f - stable/15 - acpi: On /dev/power suspend, trigger userspace notifications List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: olce X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 7941d1863f0f6a394adc758af0836592f831a655 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 20:26:17 +0000 Message-Id: <6a2876e9.1de69.677c9f04@gitrepo.freebsd.org> The branch stable/15 has been updated by olce: URL: https://cgit.FreeBSD.org/src/commit/?id=7941d1863f0f6a394adc758af0836592f831a655 commit 7941d1863f0f6a394adc758af0836592f831a655 Author: Olivier Certner AuthorDate: 2026-05-25 16:01:10 +0000 Commit: Olivier Certner CommitDate: 2026-06-09 20:25:46 +0000 acpi: On /dev/power suspend, trigger userspace notifications On a suspend request via ioctl(), /dev/acpi (and compatible /dev/apm) both call acpi_ReqSleepState() instead of directly calling acpi_EnterSleepState(). The former does more checks, returns success if the machine is already suspending, and notifies user space (via devd(8)) about the impending suspend. In other words, it seems to have been designed for user consumption more than the latter function. So, use acpi_ReqSleepState() in place of acpi_EnterSleepState() in acpi_pm_func(), which is ultimately called by power_pm_suspend(), itself called by power_ioctl(). Other callers of power_pm_suspend() (such as the console drivers) are also user-facing facilities, so should also benefit from this change. Reviewed by: mhorne, imp Tested by: mhorne MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57239 (cherry picked from commit 44eb2883134e465c28468213f79567c64fe26de1) --- sys/dev/acpica/acpi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/dev/acpica/acpi.c b/sys/dev/acpica/acpi.c index 3951d817f0e3..0d3f1abeebe6 100644 --- a/sys/dev/acpica/acpi.c +++ b/sys/dev/acpica/acpi.c @@ -4742,7 +4742,7 @@ acpi_pm_func(u_long cmd, void *arg, ...) goto out; } - if (ACPI_FAILURE(acpi_EnterSleepState(sc, acpi_state))) + if (ACPI_FAILURE(acpi_ReqSleepState(sc, acpi_state))) error = ENXIO; break; default: From nobody Tue Jun 9 20:26:19 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZgRH28fCz6gbnq for ; Tue, 09 Jun 2026 20:26:19 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZgRH0WGqz4116 for ; Tue, 09 Jun 2026 20:26:19 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781036779; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Ky5HZqaO5p7MWS0HZIdtcVyOqaAUG5y1iIvy1hNAIc8=; b=SRB0tEnT9ew0a2/nALvTrHY4lFJBLIILq58131hKq0AfS3t3Jzt3rj2jBPavc+HMpmJV2y zK6OtupbP5LQWTEd8lK32OVhEuaFnC2nJrHTp95SUxekRD+SIB9CxCkD43b9YWHzQsca4e 1NSYWGiLt0yMbKi+169XeE+AxLKREY7TOmaSAV3vMzC0Qx4MBp/XS7jgpGiEhuLTMdQ13U 3IUgDLN7nYV+HxJimux7xz6VUu1UfrA7N6T7j1P1lt1+xzTnxwhoT3uuT/9ReA8cF05SEP I4lJOTboRvMGWpKO3euaNkR9A+HfEmUOWNhedUUxQ8FPqAwSSlyyhN/FyfQAmw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781036779; a=rsa-sha256; cv=none; b=OU+rbSxGiNUIzH8yfohe+/jllX5wEi/9NY2G3LvDgy+yvEtz+X2GS88ySmJC8OQzCYtEdr qcG6JaTXb8I6lHfJf9+Oacc6pc6bNJ52D9AKcuLN5jw0kBNKHL2RXUwLT1lbt2rWlve0mk 9DsLlZMqR1KtiCraFAtXn1onQB/MiVq5bwwIk4X33QkNSLNSA6aj2Ue/U7ecP0KAZI8Iv2 3s7MbTqItNSkyK0mpt/Pia04uTDTLAE2oexQ3nqAUIcc8VCUNFIg6wGN2+BNXulOiPYC11 16C8mN7oYE7cmX6o94hmMe+4bU+tsRwWbGoxi1sIGDEkuOLxEdSQqeqt7TZ1cA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781036779; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Ky5HZqaO5p7MWS0HZIdtcVyOqaAUG5y1iIvy1hNAIc8=; b=qcDId2vvYxw6SL579RVYyFQ2y9vkOUURa8+1DAPMKutFBKsNvu+ywLpxh5P9Bb9gLVPTKP tzbs3mnwG3bHoE3GrlG/XgLyZ8z/AQ2Xo2CCHr1xikWPDLmPKSyAEig4erUUjYsXNBMiWQ EfMPAVzGEHpsm9NKMgRazBN5K8mSeW7BYtb6GtnfQpMebXYF4eIn18Bj0iIUAmDWq38c9K 7FscF3+3kbpOfcwkmP/wNlsHcr5n1B81WpanLWZdCWCfN9QZD0L8mJouNIgMv8Y9CEPNpo oGhmJAoTLCuYEsO8XOQxARpDpzgTb6rc77eK2w2OS7SD86eluAYI9Te8Cn4tsg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZgRH03bdzqn3 for ; Tue, 09 Jun 2026 20:26:19 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 1ed85 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 20:26:19 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Olivier Certner Subject: git: d5c5f2d08416 - stable/15 - MAC/do: Tests: Remove shebang lines List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: olce X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: d5c5f2d0841667b3ccc1a541f9581aa639971f97 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 20:26:19 +0000 Message-Id: <6a2876eb.1ed85.2e925dce@gitrepo.freebsd.org> The branch stable/15 has been updated by olce: URL: https://cgit.FreeBSD.org/src/commit/?id=d5c5f2d0841667b3ccc1a541f9581aa639971f97 commit d5c5f2d0841667b3ccc1a541f9581aa639971f97 Author: Olivier Certner AuthorDate: 2026-05-22 16:47:04 +0000 Commit: Olivier Certner CommitDate: 2026-06-09 20:25:51 +0000 MAC/do: Tests: Remove shebang lines They are automatically added by . Reviewed by: bapt MFC after: 3 days Sponsored by: The FreeBSD Foundation Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38 (cherry picked from commit 79a987aba154aca5965e4746ec5f867be8f22997) --- tests/sys/mac/do/invalid_configs.sh | 2 -- tests/sys/mac/do/valid_configs.sh | 2 -- 2 files changed, 4 deletions(-) diff --git a/tests/sys/mac/do/invalid_configs.sh b/tests/sys/mac/do/invalid_configs.sh index f24309cb2f3b..9758a0239082 100644 --- a/tests/sys/mac/do/invalid_configs.sh +++ b/tests/sys/mac/do/invalid_configs.sh @@ -1,5 +1,3 @@ -#!/usr/bin/env atf-sh -# # Copyright (c) 2026, The FreeBSD Foundation # # This software was developed by Olivier Certner at diff --git a/tests/sys/mac/do/valid_configs.sh b/tests/sys/mac/do/valid_configs.sh index bd5b53b5d5d8..be4e59ce54ca 100644 --- a/tests/sys/mac/do/valid_configs.sh +++ b/tests/sys/mac/do/valid_configs.sh @@ -1,5 +1,3 @@ -#!/usr/bin/env atf-sh -# # Copyright (c) 2026, The FreeBSD Foundation # # This software was developed by Olivier Certner at From nobody Tue Jun 9 20:26:20 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZgRJ2M2gz6gbnr for ; Tue, 09 Jun 2026 20:26:20 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZgRJ11TWz40Xh for ; Tue, 09 Jun 2026 20:26:20 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781036780; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=MrFcmG3T20Y2/vKJ4YZxWcwz1SZtc5EPiVsIaBCDTLA=; b=dYidyTPi+r16mleVUbpvNi++YB8ooVPrVBkE26QJ4hctiWfBhLWNGXYoo0is1fTeBtQ/ps kPyssbmdVG7DN5RNzj2lmAuXvC1YIstXQBaTg+tcL57i4qHyUV3b9WnU21fpHf2MXIe/GY YNJyYYj1kaYK4Hu5Wa+u5KaijeWHWniLzIpH7O2cHs9Z+3XhtBZvOv91s1c5mFp3Uk8XMM wAm/cHhleJbuI+k9CdKEQYsAzUaFSewg4zUSlyRRnRzdCTBhZnHp9b2Mbc54Gb4aiN6uJs ahnL8r8u7j67GLXet1t6fPllkAGEhDGN3rfFMuExsBFfLt7mPAEsVdgUnXgloQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781036780; a=rsa-sha256; cv=none; b=XdlZe7PJChw/mHZzqQ/gSuVmCnT7Svwz6ASM+K+ADcXbbx5CEmKBadQPfd6ZlLXlFDZVO8 Gg5qyCmb8ifHLR3Up5j5RDnv75WRoQnwQimcFYBDvAorYnwBJomOxwrSEq/0XlfJp3xZ8l LTM/dlmKfK8R2Ycbv+xZoj/3xq1eYhVmIR0resPkS5m0mACUfA3ys7Us/fdX5OjDEbKg7Q WKHrE+nNFpyOdWzOsvo/KGwiKE6kJbVka0WMmHIYGTCCXkCSw94Mlk1i1QB5o1M4Oje1LF rBu67lTdo8EkKZx+Fm+j49Lnq1M/6weG4alO/HQ+RGchNQOACZTvMLAupQJuXw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781036780; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=MrFcmG3T20Y2/vKJ4YZxWcwz1SZtc5EPiVsIaBCDTLA=; b=HsG2aJkOwgEA7zVkUvHwVmrCuTZ0DtVgv9Db2XQ4Nbc+Z8jwymoWkc8LW0jPtgNatw1K1L /noQT5XeN9Gwvp4tKUF/jf5GsQW58M9+ZgEFFrRy14n2/U+wfF+nYZxeE6iZP+URIETxRV bBCdNS6Azmy8ESN6ohlcRyP9lnsgqmFP8ajD1cPUHlg7MAK1JylRdb2T5cg0JuvpkjUc70 hO/1QGQM7ZwZ9i4MEGa+0Mx5ozp99NpdqGdjw5reuBa9Wwc1H7q6hImfx+y+6iDLouoIo3 s9xoE9n1RuwzEf7v9YDC+AoMb+MnAaFaUYm/ULrrUXdADYTwxQ4/7iy8ADgKFg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZgRJ0YqQzqMG for ; Tue, 09 Jun 2026 20:26:20 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 1e8c5 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 20:26:20 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Olivier Certner Subject: git: 472d977c2fde - stable/15 - MAC/do: Tests: Fix copyrights List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: olce X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 472d977c2fde4df13e871c54ae9db03f146a72a0 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 20:26:20 +0000 Message-Id: <6a2876ec.1e8c5.191e5409@gitrepo.freebsd.org> The branch stable/15 has been updated by olce: URL: https://cgit.FreeBSD.org/src/commit/?id=472d977c2fde4df13e871c54ae9db03f146a72a0 commit 472d977c2fde4df13e871c54ae9db03f146a72a0 Author: Olivier Certner AuthorDate: 2026-05-26 17:06:55 +0000 Commit: Olivier Certner CommitDate: 2026-06-09 20:25:52 +0000 MAC/do: Tests: Fix copyrights No comma needed after a single year. Add SPDX. Reviewed by: bapt MFC after: 3 days Sponsored by: The FreeBSD Foundation Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38 (cherry picked from commit b0c948fe92acc8bd295cc53584e25c082c749cd1) --- tests/sys/mac/do/common.sh | 3 ++- tests/sys/mac/do/invalid_configs.sh | 4 +++- tests/sys/mac/do/valid_configs.sh | 4 +++- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/tests/sys/mac/do/common.sh b/tests/sys/mac/do/common.sh index 88529adcc1f3..444a74b4c2ab 100644 --- a/tests/sys/mac/do/common.sh +++ b/tests/sys/mac/do/common.sh @@ -1,5 +1,6 @@ +# Copyright (c) 2026 The FreeBSD Foundation # -# Copyright (c) 2026, The FreeBSD Foundation +# SPDX-License-Identifier: BSD-2-Clause # # This software was developed by Olivier Certner at # Kumacom SARL under sponsorship from the FreeBSD Foundation. diff --git a/tests/sys/mac/do/invalid_configs.sh b/tests/sys/mac/do/invalid_configs.sh index 9758a0239082..848e2b5c9579 100644 --- a/tests/sys/mac/do/invalid_configs.sh +++ b/tests/sys/mac/do/invalid_configs.sh @@ -1,4 +1,6 @@ -# Copyright (c) 2026, The FreeBSD Foundation +# Copyright (c) 2026 The FreeBSD Foundation +# +# SPDX-License-Identifier: BSD-2-Clause # # This software was developed by Olivier Certner at # Kumacom SARL under sponsorship from the FreeBSD Foundation. diff --git a/tests/sys/mac/do/valid_configs.sh b/tests/sys/mac/do/valid_configs.sh index be4e59ce54ca..44cfd62acc6e 100644 --- a/tests/sys/mac/do/valid_configs.sh +++ b/tests/sys/mac/do/valid_configs.sh @@ -1,4 +1,6 @@ -# Copyright (c) 2026, The FreeBSD Foundation +# Copyright (c) 2026 The FreeBSD Foundation +# +# SPDX-License-Identifier: BSD-2-Clause # # This software was developed by Olivier Certner at # Kumacom SARL under sponsorship from the FreeBSD Foundation. From nobody Tue Jun 9 20:26:21 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZgRK5htdz6gbg8 for ; Tue, 09 Jun 2026 20:26:21 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZgRK3BDlz4118 for ; Tue, 09 Jun 2026 20:26:21 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781036781; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=TAAJ8CzEzsvVQ6H41xk5GHqDUtzklA/2zZ2U7nLMGVQ=; b=mzQselW89SLYguhoKlUheWNV9VTEEmy5pNLLaRCgEsPWQYe26eQSrAFAQ+/R5Ds7wEFhCE RFXJDt2QdvM/rHaHC90SkHp1EYRo2izfdMKPq6A3DY120Jf4wJKG3R3b8EEYok0+712laU 81S2olSMM/W4L9F1X6qZiylzFAkHdFtqtVoUsi5nSoARGkwOyOQUmS7f5E/27e+ZBb6f5y Sp0UHlPW4u2EZuopYz9Fe/HFYf2Z+/Ab7CA9CXlhFwAFpo+nVpMHHvmAULMKu6dqQAYMvx JTvSYO6n+t9Eh5W4GSlG4Anuvq5cfLvVQDHHRozx1TowdayeA5GyavKWRVsfGQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781036781; a=rsa-sha256; cv=none; b=UIxhdDtJpVZsZ/AAbKVpd3aE3+fiZTp4SuJdQs0mIsS5d+TqVAJ3qrM8vJKrJA05pUFLPE awwyM53kH6WVnIaY7ifARE1qRIT5BkDewzHd8Mrst0kJ3a3h/w96nhW5qbq2p1oA3N7ikE YGfDUaZ9GoSUUAgaLvWkCiHIbC6T6gYP/+KXHBsjSm1LySNKRmXXE7Mw7xNIU5rkfuT0M5 Ijou5bq4T28blfxIrEhD21VUfWMiwlr5vVzeAyv64PD9HJRAnPaFGTcPgOPUQUOeQdS4UE iDh9OEVyaaYEVkNa6nGz87u9CoeGRARqcWUi/fNIaV0h3pZlJJp6z01zWZPzkg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781036781; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=TAAJ8CzEzsvVQ6H41xk5GHqDUtzklA/2zZ2U7nLMGVQ=; b=qFFEVLIBQLfCDVTrBclhGCZB1TxW75jav1NhtsBBOq47x82JsF4AAjZXe1a9pmj57nFCIm nICf3DipnEgdJyIbIOYZriQ8EYCg43OOoel3qEj58YmMoLiXljJqsk8InzvN9IAR2YdSWn BLk0hEgWtUWhMUaOAk+3wbzQV939Yf2S9cOnVbBccV45nV7mSolir/OQVyF/FlwA7dzkeM zhigKQ7VKOLiK0oIDpbpYPCn83r59O+03XCtjBqwdztChPxBVE9QdKNthZJcL+GrvID/DK JlTTX9p3N6WwojCVugLdsKh4r834U9SaF7Hx9qecOHA1/iw2sobP+WCkYXDTHw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZgRK1HjxzqMH for ; Tue, 09 Jun 2026 20:26:21 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 1f2a8 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 20:26:21 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Olivier Certner Subject: git: f4b3983c817a - stable/15 - MAC/do: Tests: Declare required programs closer to use List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: olce X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: f4b3983c817a29d4b796ffe9ee301090a495127c Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 20:26:21 +0000 Message-Id: <6a2876ed.1f2a8.40929f60@gitrepo.freebsd.org> The branch stable/15 has been updated by olce: URL: https://cgit.FreeBSD.org/src/commit/?id=f4b3983c817a29d4b796ffe9ee301090a495127c commit f4b3983c817a29d4b796ffe9ee301090a495127c Author: Olivier Certner AuthorDate: 2026-05-22 14:19:57 +0000 Commit: Olivier Certner CommitDate: 2026-06-09 20:25:52 +0000 MAC/do: Tests: Declare required programs closer to use Reviewed by: bapt MFC after: 3 days Sponsored by: The FreeBSD Foundation Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38 (cherry picked from commit 6159187329b56a9b550db193796ae4d76c1a306c) --- tests/sys/mac/do/Makefile | 1 - tests/sys/mac/do/common.sh | 2 ++ 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/sys/mac/do/Makefile b/tests/sys/mac/do/Makefile index 980067ea56e6..bfca40efdc8d 100644 --- a/tests/sys/mac/do/Makefile +++ b/tests/sys/mac/do/Makefile @@ -9,6 +9,5 @@ ${PACKAGE}FILES+= common.sh TEST_METADATA+= execenv="jail" TEST_METADATA+= required_kmods="mac_do" TEST_METADATA+= required_user="root" -TEST_METADATA+= required_programs="sysctl" .include diff --git a/tests/sys/mac/do/common.sh b/tests/sys/mac/do/common.sh index 444a74b4c2ab..6c4b138bdac0 100644 --- a/tests/sys/mac/do/common.sh +++ b/tests/sys/mac/do/common.sh @@ -69,5 +69,7 @@ sysctl_set_and_check_fails_rules() sysctl_set_and_check_rules_common sysctl_set_and_check_fails "$value" } +atf_require_prog sysctl + # Do not pollute kernel logs with parse errors sysctl $PPE_KNOB=0 >/dev/null 2>&1 From nobody Tue Jun 9 20:26:22 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZgRL6Kcwz6gbp8 for ; Tue, 09 Jun 2026 20:26:22 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZgRL2tMhz40k5 for ; Tue, 09 Jun 2026 20:26:22 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781036782; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=cmJmXsuwUpwhrI0aCbt0JW8WAAoQQbeET6m2Cjz8mys=; b=WNBTzb8lQ56kVn4XQZglGXOS8gfz3EnvgTU3Dw1KIZkzhE3PxG5WTYdwc08eogqj+JdTx4 y7UvoCPkrMrPllkWIjzuhVg9/Vq/sbbprdlXUlGU98Is6ar+1gOsa2hq0HEujq+SBGw+es OxK165z/6shjkao9ikITWY3r+Px2vjDM5pi8MX07fk6XRlOEe0tKodu3At4i3VJbtuj4Ho wnA+8UE8XkEaTMPsNq7QRCV25nRzaMbGtNtmQMLgJH70RRvpsWgGEimYmLMk4DvviCLEZH jCVZkc/PxqQC3+Eo+2CMOStwJ1uSP5OADvGZjZYdkR9F97SGtQq26DOIqXKmOw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781036782; a=rsa-sha256; cv=none; b=uEa/NtzEbO5qNmdtLF8jxTM8cLWbYd3i5BWE6ewv1AyuwqMCL/p2iX7gwn83GNfu+y/daZ iBvPeMwVl7Mu4M7mzOWC0ZxfJCNkAFEtUPy+JTpy4ike3UqT53t0qucUGsYTZ2WWIaL3QA h4lArktSQsOJdH2/Lqu3yXyfZnIiOLjCnG2AG2sWgq8oSjTEWFaFi19+Y27wVZ2/Gc66f0 Xv1vv3nil2WeOZN0dOGl1D5XZMC9ONJRz/n8xkyrGaf1svjSCPp+LQhYP+bBwpWVFTUEGi CZh9cjQ0/ZXLlfbhL7xqOrFiUKVngNcR3f8movHoalyrAeaI3hzKYFrxs6a+fw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781036782; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=cmJmXsuwUpwhrI0aCbt0JW8WAAoQQbeET6m2Cjz8mys=; b=YdxoBhmUzIIYxATU07fPQkgRBy68zKit9P0grDT52qkgnQtO6FmtFMrY6kbmjn3eP/BFfv QUQyxEvsGIGmL3eiaT9qXq19tsTc8DbJc4eNf6KEmMxRwKBSOP0k6L6nGgx2O9+tGdMe7h iOfG5unOfol4nYhYRzJVi1Oc7/7DGWWpegFLcn0j/9YfDh8l2PxLxM0Xc5CFWuORtC4Emj 8yeNYAd/Hf3uXLo7OBmLDViJV3jzotIrn8kQLT8F7v5by3NHXWYq9wKcVl/NUNvS6qFyTP 4lTWkkPRHEYuklCl+u0T8QBZ5yacLguTxAPwfu7sKTEiNp0JM/M89MDht/Djmw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZgRL1sQhzqhY for ; Tue, 09 Jun 2026 20:26:22 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 1f20a by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 20:26:22 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Olivier Certner Subject: git: 73704144a09c - stable/15 - MAC/do: Tests: Quote the source directory List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: olce X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 73704144a09c0171bd1282b4e1fcc893314c7299 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 20:26:22 +0000 Message-Id: <6a2876ee.1f20a.4b9da386@gitrepo.freebsd.org> The branch stable/15 has been updated by olce: URL: https://cgit.FreeBSD.org/src/commit/?id=73704144a09c0171bd1282b4e1fcc893314c7299 commit 73704144a09c0171bd1282b4e1fcc893314c7299 Author: Olivier Certner AuthorDate: 2026-05-22 14:21:39 +0000 Commit: Olivier Certner CommitDate: 2026-06-09 20:25:52 +0000 MAC/do: Tests: Quote the source directory In a standard test suite installation, this is not necessary, but be bullet-proof to custom ones, however improbable. Reviewed by: bapt MFC after: 3 days Sponsored by: The FreeBSD Foundation Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38 (cherry picked from commit 33daea3f862d7fe996602756805a92a600356f94) --- tests/sys/mac/do/invalid_configs.sh | 2 +- tests/sys/mac/do/valid_configs.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/sys/mac/do/invalid_configs.sh b/tests/sys/mac/do/invalid_configs.sh index 848e2b5c9579..d1a9eb8c1e96 100644 --- a/tests/sys/mac/do/invalid_configs.sh +++ b/tests/sys/mac/do/invalid_configs.sh @@ -75,7 +75,7 @@ rules_wrong_separator_body() atf_init_test_cases() { - . $(atf_get_srcdir)/common.sh + . "$(atf_get_srcdir)"/common.sh atf_add_test_case rule_no_target_part atf_add_test_case rule_no_match_part diff --git a/tests/sys/mac/do/valid_configs.sh b/tests/sys/mac/do/valid_configs.sh index 44cfd62acc6e..fc1c9a370854 100644 --- a/tests/sys/mac/do/valid_configs.sh +++ b/tests/sys/mac/do/valid_configs.sh @@ -120,7 +120,7 @@ gid= 1001 >gid =5" atf_init_test_cases() { - . $(atf_get_srcdir)/common.sh + . "$(atf_get_srcdir)"/common.sh atf_add_test_case rule_uid_to_any atf_add_test_case rule_uid_to_uid From nobody Tue Jun 9 20:26:23 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZgRM5sQDz6gbYS for ; Tue, 09 Jun 2026 20:26:23 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZgRM2hCTz40yD for ; Tue, 09 Jun 2026 20:26:23 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781036783; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=xRp0WtzHfzlFrsfc/dH8FcKZM5B/8NiicWSGismTh+c=; b=mvt6z6i/RD/XHNDQYq9MouIfSlPWLpF2XsnK/sUu7ehLm5oe0E4Nubf2HZovJAJDo57TIX wfESMrlghdADpdn89/ZvI4cnxII7mPTe7iGQY/bXbdoBxk08I80KX8vobeqM/fmJ/Pi0fx zE8aBYtHt3zrHURDfOSlLc5UsK6oNx1q6fOKYHRn2TpLcTG6qoWxsZt8wsazsXtnVIpNCi mQvPfxqGTtgzrYmqSPVHHX6lA6XoHXCcFsqsWiheVI5v0MH/dmzt5IRWq34gU6ojh1sQGQ FDZhtP7f2lMMnQgrSQ+sqsYiHHq2BQ2d7RgsFJmd1aVQjWXzFlMPj3LaaKjXSA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781036783; a=rsa-sha256; cv=none; b=pQO1NvrRFedPCJN4iogcINHYriNT2sFcHgV8Av0Ilra/TK08aXluDH9kgy3SRifOxRYs/P s/o9MV3R4LBtlKHNhw7blt1VP5AytCfZ+pSEaqgMnRHRZhML8XBz9q3+kuUkzofkENvK3h 1eoKKXZKtG3ty/xZC2NzFQv77hydng3ArTnZnH456T1tcVkFvP2WtHmA/p8KYMFhXLQUIA j0kvehqaFWvsh7bm2u2Gx+6W3Toe02fDB5VGBs8wntmp3zTcSODqB24+Wwa84/ccO36Fyf fq3TyX2hjrt137JDqJ0PFAzOK0F4yZENCcAEGxZIrBwFECcFgNWARiO4nB53sA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781036783; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=xRp0WtzHfzlFrsfc/dH8FcKZM5B/8NiicWSGismTh+c=; b=jy9Rs9Sbk5EfSTaAP/stAFcR64BoZK3pmfTirn4imV+f+lh3nlHM0jXTTMStPnvyVJVybx JfImknz5CST0jNePIC4AJLONYBrJDESngluc46716CCLJeGZV3EBNIpJdrnePe6SzNoSYq 7BIo5jihJhj3VRfLSiyZYdkXhfrrFONfIS7uzHkX+JtB2QefPKDtZinOL+KzwVmIDjt1EI 4rBb2aROEdBa9QLPepF0CjJK3IkC0mW22G4Lat6XxWso/LP7pNrB+dhayHcxkqeTfErTL9 Jaak/HQodxBgfHVZm6HEFmDs46s72GYhZ0nFn1xGdApkHehP75x2ekg14FBSDw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZgRM2FFPzqkc for ; Tue, 09 Jun 2026 20:26:23 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 1f4b2 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 20:26:23 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Olivier Certner Subject: git: 8451c8ad420d - stable/15 - MAC/do: Clarify comments about flags attached per-ID or per-ID-type List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: olce X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 8451c8ad420d312dd58a55f09fa1fc78f636cd8f Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 20:26:23 +0000 Message-Id: <6a2876ef.1f4b2.59f756a4@gitrepo.freebsd.org> The branch stable/15 has been updated by olce: URL: https://cgit.FreeBSD.org/src/commit/?id=8451c8ad420d312dd58a55f09fa1fc78f636cd8f commit 8451c8ad420d312dd58a55f09fa1fc78f636cd8f Author: Olivier Certner AuthorDate: 2026-06-04 10:01:23 +0000 Commit: Olivier Certner CommitDate: 2026-06-09 20:25:52 +0000 MAC/do: Clarify comments about flags attached per-ID or per-ID-type No functional change. MFC after: 3 days Sponsored by: The FreeBSD Foundation (cherry picked from commit 0c2d64ce3da9c042da133c8b6d7391abb177f2c9) --- sys/security/mac_do/mac_do.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c index ba49da22ce67..790701e57e56 100644 --- a/sys/security/mac_do/mac_do.c +++ b/sys/security/mac_do/mac_do.c @@ -89,20 +89,22 @@ _Static_assert(sizeof(uid_t) == sizeof(u_int) && (uid_t)-1 >= 0 && * encoding for simplicity. * * There is currently room for "only" 16 bits. As these flags are purely - * internal, they can be renumbered and/or their type changed as needed. + * internal, they can be renumbered and/or the underlying type changed as + * needed. * * See also the check_*() functions below. */ typedef uint16_t flags_t; -/* (i,gid) Specification concerns primary groups. */ +/* (i,gid) Group can appear as a primary group. */ #define MDF_PRIMARY (1u << 0) -/* (i,gid) Specification concerns supplementary groups. */ +/* (i,gid) Group can appear as a supplementary group. */ #define MDF_SUPP_ALLOW (1u << 1) /* (i,gid) Group must appear as a supplementary group. */ #define MDF_SUPP_MUST (1u << 2) /* (i,gid) Group must not appear as a supplementary group. */ #define MDF_SUPP_DONT (1u << 3) +/* (i,gid) Mask to detect a supplementary group specification. */ #define MDF_SUPP_MASK (MDF_SUPP_ALLOW | MDF_SUPP_MUST | MDF_SUPP_DONT) #define MDF_ID_MASK (MDF_PRIMARY | MDF_SUPP_MASK) @@ -110,8 +112,8 @@ typedef uint16_t flags_t; * (t) All IDs allowed. * * For GIDs, MDF_ANY only concerns primary groups. The MDF_PRIMARY and - * MDF_SUPP_* flags never apply to MDF_ANY, but can be present if MDF_CURRENT is - * present also, as usual. + * MDF_SUPP_* flags do not apply to MDF_ANY, but can be present if MDF_CURRENT + * is present also, as for explicit IDs. */ #define MDF_ANY (1u << 8) /* (t) Current IDs allowed. */ From nobody Tue Jun 9 20:26:24 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZgRN5YpJz6gbgF for ; Tue, 09 Jun 2026 20:26:24 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZgRN3QFbz40kY for ; Tue, 09 Jun 2026 20:26:24 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781036784; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=uok40BSRW+EqExPW9ROgmVxfaypQIicFun9FD9Tk4T0=; b=cTOxvjwvPGahwtKUm1Xb95YU/LbQ+h8g0QLubL8KrJajBpY3frCrAhZIBMq42DwAkihr7K BvGPt6reAF7tRH3HMVjt8/iumevsEfDKVhevvM0sKvHaLkpnumWnorSwRq9/bB2Wnlhwvg GbT9lwFPWPsN6EdwWzhVv1J8QTCMVMTLnW0bakqX94kph84AqV8g44YL+gKeEskEGUlLol LYqp7XuGdJvqCk0DhAjabee6+Pqzx28VyhC7Q7c5W3E0JXOTuaXLdZztxvX6+pze1ocMkR nBe5l49IbLzwJuW3w5HZx44ym1IwS8IZxksxeyEiY8KwkUuQH0q4d8owmu1Q+Q== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781036784; a=rsa-sha256; cv=none; b=OoKMu3Yt6y5vXn1ZNCnHVPrOBsMKH3xmrgPEtv7lkfu/UscpNqYjBLPoCjqhNcS086tujt SZfP8nhtRzpokXgGYjcjn/PfVogqUtfbv0AvmNUsxiHXXQbrKEe07viDKdPVaNfKUg8nqJ mBtqXpt51QOpcrXy5qxkUknwM0OJqvQSwYvvxzWWLtV5TOBt29W4JrKeHwgHrc1qkugjC5 ns0XFNDc3j1VFHaXOmYJJI3a43HfcBlY7quK7WqLjJFWN2RImxB6cETfh2ozKlIrSWecP2 aylByz8yB2vTf8831cdhEHMhIF4oJuPir41rYOqgUEPBrpTt2EV94/X8RGoCIg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781036784; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=uok40BSRW+EqExPW9ROgmVxfaypQIicFun9FD9Tk4T0=; b=rkKYeJ3YhWRVHXRnCXKF3rxFTOuB73roiNKuVRKgGAEDswjHbWsf3HDphLwg+9uip2WCqw HvWTVwwgttuNwYvJSwPKGcB68j+/ius7M3rBBD5YsiSmvs0nfoeOXR0UNhvZt4PDtw5vQH hNQSRNKKczBOq/nEBLEZz6F25Sasw0ios5PhEMyLzWw7VZUbenXVcdoS8xnIqhNFPQIBZB lmmk3uDGdcTgNle8QQ+qP1v8RMUv8tiGTfCAMX9rV+IVIY3IGsPs+7ocCjo51iL6rYSR2Q F9rEJ0LYVQJfNu5Co3H/Lm8wvQWhjGYVMV7U/Y7ZeAtJaSA7kdB4Vwo3y1jvAA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZgRN2pWhzqMJ for ; Tue, 09 Jun 2026 20:26:24 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 1f9a1 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 20:26:24 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Olivier Certner Subject: git: 39d5cf05d406 - stable/15 - style.9: Fix a typo (missing word) List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: olce X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 39d5cf05d406f5ef57078d058819fb30cf644552 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 20:26:24 +0000 Message-Id: <6a2876f0.1f9a1.10a8f0e0@gitrepo.freebsd.org> The branch stable/15 has been updated by olce: URL: https://cgit.FreeBSD.org/src/commit/?id=39d5cf05d406f5ef57078d058819fb30cf644552 commit 39d5cf05d406f5ef57078d058819fb30cf644552 Author: Olivier Certner AuthorDate: 2026-06-01 07:23:08 +0000 Commit: Olivier Certner CommitDate: 2026-06-09 20:25:53 +0000 style.9: Fix a typo (missing word) Fixes: af2c7d9f6452 ("style.9: Encourage style changes when doing significant modifications") MFC after: 1 day Sponsored by: The FreeBSD Foundation (cherry picked from commit 1876f629b97608679f1bd71b9aa88a57b55c4574) --- share/man/man9/style.9 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/share/man/man9/style.9 b/share/man/man9/style.9 index 65636a8af828..e019a26d73a8 100644 --- a/share/man/man9/style.9 +++ b/share/man/man9/style.9 @@ -906,9 +906,9 @@ Their code is expected to at least be internally consistent with their style. Stylistic changes, including whitespace ones, complicate the work of downstream consumers and may impair developers' ability to trace the history of some changes. -Such standalone must be avoided, and should not span unrelated directories as -this increases the chances of conflicts when merging to stable and release -branches (MFCs). +Such standalone changes must be avoided, and should not span unrelated +directories as this increases the chances of conflicts when merging to stable +and release branches (MFCs). On the other hand, when a significant portion, usually about a half, of some logical unit of code, be it a function, group of functions, file or group of files, is going to be modified, developers are encouraged to amend the style of From nobody Tue Jun 9 20:26:25 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZgRP5SWHz6gbjK for ; Tue, 09 Jun 2026 20:26:25 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZgRP3vTWz40kl for ; Tue, 09 Jun 2026 20:26:25 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781036785; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=KZdvc37WMBh4EnT1I3MQsR3m/f4TdvPoP8zB73HOG7g=; b=J58DZxmD+osEHtfSTNjVi4E9AgOgR7eEilLpY4AwTHx8NxxJMSr77Pu11dKu7proUZxeyp lrQCiUJRnjQKspcRisP4yutejD4KoEw98KWJpIuD4+699XJEXyiYALfPDVJBwHq0iXpXx5 OMHLsnJi0S5YTJO9XD9FSvNFvbLgW2LIMzuZCOmgBu1UkTzWwE0TJZRwtL+Sy1ajToReVe EyZqWKTB+oGUK/REcxyIdegOKUV/6bOeHth+XJzY5ehwCATUJuL8fnfemZzR8z6f6eS+2O tN7aLAMw1Q8yxvDqZ2vdjQfwj5V19q/F62uqayvWDbLMtk0gzVywtdYNBV6/+w== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781036785; a=rsa-sha256; cv=none; b=lS/WoCh3WrXlvpkWegyeK/zrV3kgs8JNvykDeZC6sxtwBdHuwR6J1JIMwt5lEDUOXqFEeB rleQ+kmBREjeGVgIxrVK93BfEcwtRzXgrz+9JiWRGGAJXMXuyKldF2O+EhzfMNOvYa8pBy 1InJ5UVR0fsmXb9fEhK9ujb1P4iWhYyIGPTitmdANAINK6oJdC5r880FYlibpHe0zZKUzI OaAK8p2PHtC0zc3Msk9h8MI30UbF1A6YSXzq8YS4wt7QUnKzlhTXLGyA0c0AnGmE/zDRD7 VMiFyFsLIEyOGiIKrBM8A8IZRYv60PcuyFYyTnipm/zfISa9HSffgRwfSYDezQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781036785; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=KZdvc37WMBh4EnT1I3MQsR3m/f4TdvPoP8zB73HOG7g=; b=QGC5R9eT9+LMzsFBqBiNTs2+SnHUMDmrTrlb8wo4dmCirEGDaKTKeGADQ1XuVSoWDAYHgx w2w+2SSj1EvG9sbzfmia9iuip9YdokTZHwAyLzH/XagcRDDliEYPscxZdHA0iO3btwgIPh JbMWzb/joVTJfb0ULKFJEKbc3BJnMlHz4kLguTMYrIVodGaMra4q03w6b1a56711XicTmB hQbpQrceFmHbWpDflNDPcHDU2fQyk7eZzy9yi10EpV5Bat/Lhme5/2NBhj09XogP2MM/kV xtazNuKja1oFSgFXiSL3dha5NLHu4JerKKYYO6ZShJ2C8QY0lo3DuHNMbc5kGQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZgRP3RrdzqMK for ; Tue, 09 Jun 2026 20:26:25 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 1e1bd by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 20:26:25 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Olivier Certner Subject: git: 14d2a985274b - stable/15 - kern_prot.c: Belatedly add copyright List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: olce X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 14d2a985274ba1be3321ed3800d1b10d0fc78c34 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 20:26:25 +0000 Message-Id: <6a2876f1.1e1bd.3cb29263@gitrepo.freebsd.org> The branch stable/15 has been updated by olce: URL: https://cgit.FreeBSD.org/src/commit/?id=14d2a985274ba1be3321ed3800d1b10d0fc78c34 commit 14d2a985274ba1be3321ed3800d1b10d0fc78c34 Author: Olivier Certner AuthorDate: 2026-06-04 09:49:23 +0000 Commit: Olivier Certner CommitDate: 2026-06-09 20:25:53 +0000 kern_prot.c: Belatedly add copyright See the commit log for the why. MFC after: 3 days Sponsored by: The FreeBSD Foundation (cherry picked from commit 1c0e5c53ff1672a93fc42988020723bb6bc427c1) --- sys/kern/kern_prot.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index b1e4b731145e..c8dc05f0ebbd 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -6,6 +6,11 @@ * (c) UNIX System Laboratories, Inc. * Copyright (c) 2000-2001 Robert N. M. Watson. * All rights reserved. + * Copyright (c) 2024-2025 The FreeBSD Foundation + * + * Portions of this software were developed by Olivier Certner + * at Kumacom SARL under sponsorship from the FreeBSD + * Foundation. * * All or some portions of this file are derived from material licensed * to the University of California by American Telephone and Telegraph From nobody Tue Jun 9 21:27:02 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZhnL6q9jz6ggg5 for ; Tue, 09 Jun 2026 21:27:02 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZhnL40t1z3C07 for ; Tue, 09 Jun 2026 21:27:02 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781040422; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=eccsamHMzHYAN93xZPjTWkE/PiN/trYKAmI1JsRBPL0=; b=vNbMui50v20qWAAJIRMk/Op4YUHrwVqMGDef+uYuvAsPTu0KV1M7pSL2hjYPERIhOljvv/ BNJe3q3eoee4xFSjhGWlIhN6dvhHe8psJrcTCkyFDVZv2gepR2jnrsrXA/pCUokwxappQ3 q7WUYYMBJDHB2PLUqi/m+u7VGG/8gPQotzVmGcMYVp42TXxtRhTp1gqsUOf4m1t84QtNXb ZXKhQ+h34WxCY+O2JuFvjn1ycBoeEHny311MoT8M8syaFilyX+7oUY9mcHJPG7YDcZx2Dc NyuQjp7FMkmSzC2VZcvx6GKiyaGyy+NesaIi5//EDXytH43Z1yCXMDoCnqY+nA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781040422; a=rsa-sha256; cv=none; b=MyhM6cfOpNgEg4PEyjf9NMSQVAmMmgumP6cSAmWZzZRvuQYH7o4OxbxyOpxYu5ppZAjj3A xKfKOJc9xFvkby7V3S7TDkVKgDaJbh/NMAqjL7PRbxmHKBjRPywkGfkp7iEQJPSWDD9a0C zwkWRtNsUaJiGoAytLu8BrsmHEbp7uhRHPAMlyEGq92CCUvSpx89+rpsZ0YOLoT4r0C0kK R6eeJbcrEKf+99xytX2IMIMtW/Z0QSdpxhOGFdu+FZAT13M23++UfL1I/SySidUvwi+w17 tyDyb7aEkU1PNKOzNstlYtulRHB+IzHPN3tE6jz+NGXPwNEsAKQ8776OGj51+w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781040422; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=eccsamHMzHYAN93xZPjTWkE/PiN/trYKAmI1JsRBPL0=; b=IClOCFDTmvMm5sdpOEAR+fSbCjEqVtjSoYqykYMpBxExX1MfkAb1uHZuSEwZGyalI0QOda R6CUMNhsk62zVlzV7dDyz3x+gTE90VT7uZG7BpLo4ED6PTuskGC7SV/F9Lh5fzu9HlHPEF x9z8ywLRJ4ymfp4KhrVCpkrmpboLAndrXf5VW7CSr+x9+vRO277LKT77HaW3iSjsQAy3AE ndkVJnCLaOV3mZ8Nobxh7YX5b52OqFhZ5UFQ7Yd7rtWJJjN45/KkAfZ8yHccEZdszbBnzi IM789KT0Jyo0AeoutY2Kdnp4Whq3tpzBaTa+uKcUWuYC+bOn3LXtuvEvnHZCYA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZhnL3QpPzs5v for ; Tue, 09 Jun 2026 21:27:02 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 24868 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 09 Jun 2026 21:27:02 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kirk McKusick Subject: git: a64877b140fe - stable/15 - Avoid incorrect UFS1 timestamp corrections when system clock fails at boot. List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: mckusick X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: a64877b140fe0bf374cc96c95f374894c1627a32 Auto-Submitted: auto-generated Date: Tue, 09 Jun 2026 21:27:02 +0000 Message-Id: <6a288526.24868.173d902d@gitrepo.freebsd.org> The branch stable/15 has been updated by mckusick: URL: https://cgit.FreeBSD.org/src/commit/?id=a64877b140fe0bf374cc96c95f374894c1627a32 commit a64877b140fe0bf374cc96c95f374894c1627a32 Author: Kirk McKusick AuthorDate: 2026-06-01 23:48:21 +0000 Commit: Kirk McKusick CommitDate: 2026-06-09 21:26:51 +0000 Avoid incorrect UFS1 timestamp corrections when system clock fails at boot. Git 1111a44301da - main - Defer the January 19, 2038 date limit in UFS1 file systems to February 7, 2106 - did so by changing the UFS1 32-bit signed timestamps to unsigned. With this change, time stamps from before January 1, 1970 went from being negative numbers to large positive numbers implying times in the future. When such a time stamp is encountered when an inode is read into memory or when it is encountered by fsck, its timestamp is replaced with the kernel's current time. Andre Albsmeier reported that he had a machine reboot after a power failure and the battery that maintained its real-time clock had died. The result was that the system booted with the time set to five years earlier (absent a real-time clock value, the boot ROM used the time that the boot ROM had last been updated). The net result was that fsck reset the time stamps of all files newer than five years old to the five year old time. Andres's original request was for a flag in the file system superblock to say that there are no timestamps from before 1970 in the file system, so there shouldn't be anything to fix because of the signed to unsigned switch. But this assumes that no one every does an rsync or extracts a tar file or restores a dump that introduces an incorrect time stamp on their system. So this approach was not taken. This change compares the system's version of the current time to the last modification time in the file system superblock. If the current time is earlier than that time then use the last modification time in the superblock as the value for the current time. There should be no files in the file system with times newer than the last modification time in the superblock. The superblock time stamp is updated in the in-memory superblock every time any change is made to anything in the file system. The superblock is written to the disk every 30 seconds, so it may be off by up to 30 seconds plus the time it sits in the disk cache waiting to be written if the system has an unclean shutdown (such as a power failure). Thus, the worst case scenario with this change is that files written in the last 30 seconds plus disk cache delay time before the crash may have their times adjusted back by up to 30 seconds plus the disk cache delay time. Requested by: Andre Albsmeier Approved by: kib Reviewed by: kib, imp, Andre Albsmeier Differential Revision: https://reviews.freebsd.org/D57371 Sponsored-by: Netflix (cherry picked from commit 553ef188f7ecc23a384bd7ef1f3d5015fb8661da) --- lib/libufs/inode.c | 17 +++++++++-------- sbin/fsck_ffs/inode.c | 3 ++- sys/ufs/ffs/ffs_vfsops.c | 7 ++++--- 3 files changed, 15 insertions(+), 12 deletions(-) diff --git a/lib/libufs/inode.c b/lib/libufs/inode.c index bc4d99c66203..a93e1b085342 100644 --- a/lib/libufs/inode.c +++ b/lib/libufs/inode.c @@ -57,7 +57,8 @@ getinode(struct uufsd *disk, union dinodep *dp, ino_t inum) ino_t min, max; caddr_t inoblock; struct fs *fs; - struct timespec now; + struct timespec time; + time_t now; ERROR(disk, NULL); @@ -70,10 +71,11 @@ getinode(struct uufsd *disk, union dinodep *dp, ino_t inum) min = disk->d_inomin; max = disk->d_inomax; - if (clock_gettime(CLOCK_REALTIME_FAST, &now) != 0) { - ERROR(disk, "cannot get current time of day"); - return (-1); - } + if (clock_gettime(CLOCK_REALTIME_FAST, &time) == 0 && + time.tv_sec > fs->fs_time) + now = time.tv_sec; + else + now = fs->fs_time; if (inum >= min && inum < max) goto gotit; bread(disk, fsbtodb(fs, ino_to_fsba(fs, inum)), inoblock, @@ -83,7 +85,7 @@ getinode(struct uufsd *disk, union dinodep *dp, ino_t inum) gotit: switch (disk->d_ufs) { case 1: disk->d_dp.dp1 = &((struct ufs1_dinode *)inoblock)[inum - min]; - if (ffs_oldfscompat_inode_read(fs, disk->d_dp, now.tv_sec)) + if (ffs_oldfscompat_inode_read(fs, disk->d_dp, now)) putinode(disk); if (dp != NULL) *dp = disk->d_dp; @@ -93,8 +95,7 @@ gotit: switch (disk->d_ufs) { if (dp != NULL) *dp = disk->d_dp; if (ffs_verify_dinode_ckhash(fs, disk->d_dp.dp2) == 0) { - if (ffs_oldfscompat_inode_read(fs, disk->d_dp, - now.tv_sec)) + if (ffs_oldfscompat_inode_read(fs, disk->d_dp, now)) putinode(disk); return (0); } diff --git a/sbin/fsck_ffs/inode.c b/sbin/fsck_ffs/inode.c index b30e3aa5068b..f8e32bf4b157 100644 --- a/sbin/fsck_ffs/inode.c +++ b/sbin/fsck_ffs/inode.c @@ -647,7 +647,8 @@ setinodebuf(int cg, ino_t inosused) * If for some reason getting the time fails, we will use * the last time that the superblock was updated. */ - if (clock_gettime(CLOCK_REALTIME_FAST, &time) == 0) + if (clock_gettime(CLOCK_REALTIME_FAST, &time) == 0 && + time.tv_sec > sblock.fs_time) now = time.tv_sec; else now = sblock.fs_time; diff --git a/sys/ufs/ffs/ffs_vfsops.c b/sys/ufs/ffs/ffs_vfsops.c index 75f5fe716c31..e3f9270c2f49 100644 --- a/sys/ufs/ffs/ffs_vfsops.c +++ b/sys/ufs/ffs/ffs_vfsops.c @@ -189,8 +189,10 @@ ffs_load_inode(struct buf *bp, struct inode *ip, struct fs *fs, ino_t ino) { struct ufs1_dinode *dip1; struct ufs2_dinode *dip2; + time_t now; int error; + now = time_second > fs->fs_time ? time_second : fs->fs_time; if (I_IS_UFS1(ip)) { dip1 = ip->i_din1; *dip1 = @@ -203,7 +205,7 @@ ffs_load_inode(struct buf *bp, struct inode *ip, struct fs *fs, ino_t ino) ip->i_gen = dip1->di_gen; ip->i_uid = dip1->di_uid; ip->i_gid = dip1->di_gid; - if (ffs_oldfscompat_inode_read(fs, ip->i_dp, time_second) && + if (ffs_oldfscompat_inode_read(fs, ip->i_dp, now) && fs->fs_ronly == 0) UFS_INODE_SET_FLAG(ip, IN_MODIFIED); return (0); @@ -225,8 +227,7 @@ ffs_load_inode(struct buf *bp, struct inode *ip, struct fs *fs, ino_t ino) ip->i_gen = dip2->di_gen; ip->i_uid = dip2->di_uid; ip->i_gid = dip2->di_gid; - if (ffs_oldfscompat_inode_read(fs, ip->i_dp, time_second) && - fs->fs_ronly == 0) + if (ffs_oldfscompat_inode_read(fs, ip->i_dp, now) && fs->fs_ronly == 0) UFS_INODE_SET_FLAG(ip, IN_MODIFIED); return (0); } From nobody Tue Jun 9 22:10:45 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZjlq0VJtz6gkfK; Tue, 09 Jun 2026 22:10:47 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZjlp6DyKz3GSR; Tue, 09 Jun 2026 22:10:46 +0000 (UTC) (envelope-from kevans@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781043046; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=1Zy8VxcUwpq3Y/gmZaOIOjrB5X1ZvbuXkOATuLX05P8=; b=UFcSiHReQdqJWDPAl9Vgl+AhQfNWO8erXCbbRkbUb8p0IudElVAxvtuAeJRHrOKHDvIKV3 9981Z8QH1ptfyjcd71WX6w73OwOAseu9fgQ66pwscWQ3ef+YPSfvanFWD6SVqdJ801oE0m v2GOIpaxpS0nbtqzujx74R4dZIXpgb3FmtjHGAZ6EJZqHnggjdiTSUsBL7bZXLqv4sZxtb WdK1X49dKjHqR4CKhgI/KfWu545qOLV1e+DZBmL2M0NwxI7YmDCMuPJ27AtLeBm4exFEeA Mn7xh2DW+NEznm+Dnu3s8D0tgKhaU+3gWLJ2ZTkOqtBjFRexfxrnyq0ZX8o2Rw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781043046; a=rsa-sha256; cv=none; b=AXWiZhUwTM96/hDP760uFNkYuhnE395n1CBfoznh/JeTv95avJQvLKuEjV9Uj23gos7/3T 4xWbAOp/mqKvlVGUU6EnhlwgAqfxdgQMPIFCv61j7CLpqv5BOBR0ze6HRzEvivqj2C6b43 SALRRB8ifEKPDztbxu3VSOhpdW5Q9DtdS7a4zyCug6HhojFSH2xJW2RvF8oxpoQkoslwxy Oe/5sVBFozNrbth85OyxGihcu8XD3iiolfUT/eMvxUmgFtityrdsRqXvqPYE+4VZq6LhwN ZbwWKBGYtaNMzAhVlpr/M/ZtLj1H3ZD7CRI3RgaRNYwH35N/msr10/VC79E5mQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781043046; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=1Zy8VxcUwpq3Y/gmZaOIOjrB5X1ZvbuXkOATuLX05P8=; b=pq30tOcFjmm1mZrXkiWoAaCnUy4s7+9KW2QweScxtHPXd7tnw2FExyRoos02VnIERMXZHG b58wH8S8IcP/FVU/8KqTA2T1ylsUKoKWSKe+JEwnURuBliioVOPXgvItiKmO1UXvX0OryT jQZGdbjJoXWo973kxqFzwe14A1GGSXE0Rsh8GW/xv6IyVrorMPYZU/LW4dvRpVjqIF31r8 1b2f6ttOnO7sfU/GHXM2cZcDJhQyqBKvVf2JSWXJff/GeVyuKk0trRsbT5ezy+aA7OT2ve bJqvk5MUcnhU/sUmOkFkhb94bwpLC/oICjT3PtoxnEZgwkcwEu2h7xGJZavKHQ== Received: from [10.9.4.95] (unknown [209.182.120.176]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: kevans/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id 4gZjlp332YznjS; Tue, 09 Jun 2026 22:10:46 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Message-ID: <6fd7b96b-c5c4-4987-8ca8-f227e1066c9f@FreeBSD.org> Date: Tue, 9 Jun 2026 17:10:45 -0500 List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: git: a64877b140fe - stable/15 - Avoid incorrect UFS1 timestamp corrections when system clock fails at boot. To: Kirk McKusick , src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org References: <6a288526.24868.173d902d@gitrepo.freebsd.org> Content-Language: en-US From: Kyle Evans In-Reply-To: <6a288526.24868.173d902d@gitrepo.freebsd.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit On 6/9/26 16:27, Kirk McKusick wrote: > The branch stable/15 has been updated by mckusick: > > URL: https://cgit.FreeBSD.org/src/commit/?id=a64877b140fe0bf374cc96c95f374894c1627a32 > > commit a64877b140fe0bf374cc96c95f374894c1627a32 > Author: Kirk McKusick > AuthorDate: 2026-06-01 23:48:21 +0000 > Commit: Kirk McKusick > CommitDate: 2026-06-09 21:26:51 +0000 > > Avoid incorrect UFS1 timestamp corrections when system clock fails at boot. > > Git 1111a44301da - main - Defer the January 19, 2038 date limit in > UFS1 file systems to February 7, 2106 - did so by changing the UFS1 > 32-bit signed timestamps to unsigned. With this change, time stamps > from before January 1, 1970 went from being negative numbers to > large positive numbers implying times in the future. When such a > time stamp is encountered when an inode is read into memory or when > it is encountered by fsck, its timestamp is replaced with the > kernel's current time. > > Andre Albsmeier reported that he had a machine reboot after a power > failure and the battery that maintained its real-time clock had > died. The result was that the system booted with the time set to > five years earlier (absent a real-time clock value, the boot ROM > used the time that the boot ROM had last been updated). The net > result was that fsck reset the time stamps of all files newer than > five years old to the five year old time. > > Andres's original request was for a flag in the file system superblock > to say that there are no timestamps from before 1970 in the file > system, so there shouldn't be anything to fix because of the signed > to unsigned switch. But this assumes that no one every does an rsync > or extracts a tar file or restores a dump that introduces an incorrect > time stamp on their system. So this approach was not taken. > > This change compares the system's version of the current time to > the last modification time in the file system superblock. If the > current time is earlier than that time then use the last modification > time in the superblock as the value for the current time. There > should be no files in the file system with times newer than the > last modification time in the superblock. > > The superblock time stamp is updated in the in-memory superblock > every time any change is made to anything in the file system. The > superblock is written to the disk every 30 seconds, so it may be > off by up to 30 seconds plus the time it sits in the disk cache > waiting to be written if the system has an unclean shutdown (such > as a power failure). Thus, the worst case scenario with this change > is that files written in the last 30 seconds plus disk cache delay > time before the crash may have their times adjusted back by up to > 30 seconds plus the disk cache delay time. > I have a related question that came up while I was working on a patch for ZFS[0] to set a mount-time for those of us with broken RTCs. The current version of mountroot[1] calls inittodr() *after* the root is mounted, which means that anything needing to pull a timestamp when the root is mounted gets a time <= 10 (probably 1). In ZFS, this results in an uberblock update that leaves a bogus timestamp around until another update occurs, and I'm not sure that that's really OK. I'm wondering if we should consider splitting inittodr() or something to try and read the RTC before we have a root, and 'fixing' the clock after root is mounted if we need a hint from the rootfs? I don't know if any of this matters for UFS. Thanks, Kyle Evans [0] https://github.com/openzfs/zfs/pull/18645 [1] https://cgit.freebsd.org/src/tree/sys/kern/vfs_mountroot.c?id=01c8e2e33df81b242d73a23de49a6b61f33c24c1#n1105 From nobody Wed Jun 10 00:31:55 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZmtg434Wz6h2FT for ; Wed, 10 Jun 2026 00:31:55 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZmtg1sb8z3WV0 for ; Wed, 10 Jun 2026 00:31:55 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781051515; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=FIX25PKAh1Xs7KFX/hIHSnX8ao6lhimDLAsttMHuOjM=; b=M0p3oZeeBR4sO5ot99JdtSjz4T2o2gfIDkwlKBm5uO1XUXDx943ihSOoMsWOdEBnJ2x/Wd bJ4VWpVm3wMHVFO0QCxHO7UJZx5SUHt0MS9aT8M/SnVFWztmNmll6QVloYo9r2bVuz+vuA uYArvzPyhhepW4qKRr512gIEinukOO926AntRHK8YwdbHbTZfIcs/T25YY4GNsIRifc9ha eY47zwEYcXQ3JSdcm/JVG0o7BII0BXiZz1bSym4gcuLQtTk12RMJglkBmt/7piKdQghxr8 1Geybm2BSbwFHvENYeiMpRhKEmF46KeOSkgoBvXWAi7lQiFbpK0sIKC5YeY5hw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781051515; a=rsa-sha256; cv=none; b=vsHmqKirH5ojgpvM2OWEd6OmbB1pR8rRo0Mfc0VkATP6x47bUwbPGemqHMJVfizo1jRhxH gTXzG0vycrKhA9yDQqcnRIVDDbhdhPN5YDTw9RwoWATq86NrNlM97iJg8tdVE/k7JxSeAZ oMxzesyjVOfeh198BciRAdAU3UHjnjDVfEabdi4O1MqtyH1dRDu57bnDY42GNeCokrWGgQ AsP4JVOqf6T4abAH4u7AFr6uBNc1oqY4fV0zkHN58JkyPi5zWWy+g2XlRL/mEYiVu7RWpQ 99+6/wxCFeTyD008WufXgycLDSJCEWqFPuQUT6HwJhKBBRotB2LVmj7xqn4/cA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781051515; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=FIX25PKAh1Xs7KFX/hIHSnX8ao6lhimDLAsttMHuOjM=; b=HqtomEhbh9zJNZBWYG11v7g5ZDdv+XjM5PFNnri7xKGGS8qFNU8joP+BpvtFjUEeimLvdd /Yvwut93lC6afhI5WJWng5LMKHORHNJvhXOxqbpDC2tXBpESS1OzTgk9lGXCt8yrsZS6K7 w2Mz7Nxq+PKL27XUWHnYBZ1dpsyx1+JVWXzpbZjxxFiYwWKS6mCpyAlPc2ef9BMzLtITmM 0p156TSG5daxONqi3qIXa0YqkQpuey+hv2NvZintOk9tC9BUIYEWHYKFLneySmZ59ORL4b m4HQI+iA5jX0Rgrhq2Ss0AkDmIpTfPpcTTvCXUk4r8yJg4Ojev6h+MbOzb+3bA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZmtg0yj1zy1Y for ; Wed, 10 Jun 2026 00:31:55 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3f04a by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 00:31:55 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Philip Paeps Subject: git: 6aaa8b4e644f - Create tag release/15.0.0-p10 List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: philip X-Git-Repository: src X-Git-Refname: refs/tags/release/15.0.0-p10 X-Git-Reftype: annotated tag X-Git-Commit: 6aaa8b4e644fea7624377a92f0b492f915b62a70 Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 00:31:55 +0000 Message-Id: <6a28b07b.3f04a.8165f27@gitrepo.freebsd.org> The annotated tag release/15.0.0-p10 has been created by philip: URL: https://cgit.FreeBSD.org/src/tag/?h=release/15.0.0-p10 tag release/15.0.0-p10 Tagger: Philip Paeps TaggerDate: 2026-06-10 00:30:51 +0000 Tag FreeBSD 15.0-RELEASE-p10 commit fef97a6889f98be4fa9a565577067f20d1f642a9 Author: Mark Johnston AuthorDate: 2026-06-07 16:36:46 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 19:52:11 +0000 Add UPDATING entries and bump version Approved by: so From nobody Wed Jun 10 00:35:38 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZmyy3cmgz6h266 for ; Wed, 10 Jun 2026 00:35:38 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZmyy1Z83z3YPJ for ; Wed, 10 Jun 2026 00:35:38 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781051738; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=X+rYT3/WfwdQG7fxvCQZOdQq8Vto4lWg2ennUXNfWpI=; b=w94R4ZrmylVePcD4D3k6a/SvdevoPoqvj6DzJpIWoSrBZ+Kz3btoPBiny6n/mVuua44ZIy hgLlnrEYXrUx4WlqJUqYkSK0/LZNSipCAFwl9fkvBdwThmaDd7Mt+Y+nMi1k9XXBHVFNMB hdy/VEijpOV4EtrTB3ncNVK0YIEgL4KDxQPffnpaEwzCVvFasmTZhu07mrEVczPA4aUZ/W M2NCk2MTHsNl+YxYPYHR/kmgU/1vocGeSOKaS4xSPfFzzOqPczVDBXg6YjXfEOb5AqcQKJ 28YX56qug7xMq9Y/2ToIb6ZGfORVPewiqm1R7lEI5Z6QX8HrZADxLcVE+dkuug== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781051738; a=rsa-sha256; cv=none; b=iX2f0a1toCHHlX0k5Nf+E7yfZbaW3OVbR2un5tFQjAWm7lCmUoI+3rtCzAkgmV/Hhbjx+X yjGYS4Cj87yQtI7z3MQhSepmDjDNPIfnIhHmEbfaScCzw0ZM7/vGSR9N8/bEWbVAPnIjyW rfMMxD4czvCgJP1+ZOM93fqPC94+eo/Mk37e8QdszSGApTPu9NK27xdjAk+zO+RBrdMPwo rTFEoeCIo4LG0/tasyfVi9KEvl4wR82qGDrg9xm1q/APh0kAANGAk3FLPy4nD8ekIn0zv/ ctgkJCENtuvCCaSbrQWcibJpQ8VOE0msC//P0huHdhNZSfS0RjEwmGa2Bl6k+w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781051738; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=X+rYT3/WfwdQG7fxvCQZOdQq8Vto4lWg2ennUXNfWpI=; b=Ckzg/GytpFuKXASz0hDOSWvWDTOVR4jN9jezOfPsG1lHz0LLtswq24NvkEdjK1oHFM7/c/ 0H/gYXl61MWsdRbveeQQXJAUghjUaw2fSHNKDSKaU0H5tGS2pJwD+NrnsuIBB93GsjB+Ec QEr0o8yxKT0v4OlmxSu1RmKkBoIlVfHZTPZaw0xNi645OMq6lFQB8BvZOTbDs4BY78cbf6 Zzr1pvwi0sCWlLiyrCxNpdiq+LfFK3QhHI3HUi6B9JCYU5F8X1Iz4gC1o4y2r0SMezPkvk E9wt0kSuexK43LtlcPTLPju5FOIAcl0xTvZ06Ke7OQ7Padvn63Zngxo5RFbrvw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZmyy0WyDzyBV for ; Wed, 10 Jun 2026 00:35:38 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 415b7 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 00:35:38 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Philip Paeps Subject: git: 31f0504d8338 - Create tag release/14.4.0-p6 List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: philip X-Git-Repository: src X-Git-Refname: refs/tags/release/14.4.0-p6 X-Git-Reftype: annotated tag X-Git-Commit: 31f0504d833855657fa3839a97dcd884eb6b2ba2 Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 00:35:38 +0000 Message-Id: <6a28b15a.415b7.3a6f7d11@gitrepo.freebsd.org> The annotated tag release/14.4.0-p6 has been created by philip: URL: https://cgit.FreeBSD.org/src/tag/?h=release/14.4.0-p6 tag release/14.4.0-p6 Tagger: Philip Paeps TaggerDate: 2026-06-10 00:35:01 +0000 Tag FreeBSD 14.4-RELEASE-p6 commit 3d95ec87586781c366e6c01c6a40c3e80056d24b Author: Mark Johnston AuthorDate: 2026-06-07 16:55:09 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 15:38:31 +0000 Add UPDATING entries and bump version Approved by: so From nobody Wed Jun 10 00:37:56 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZn1d1lfvz6h2nN for ; Wed, 10 Jun 2026 00:37:57 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZn1c6XFWz3YxZ for ; Wed, 10 Jun 2026 00:37:56 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781051877; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=4ET4DhHxcTJvH3g5NmOmuPcqEzf/CDkazOq0WW+wjj8=; b=iUmK+gGlRmsLcfUvthF4w8sNrUqNxbb3z0OSMceQoeH8Tf6SfKIknz+VrmFXidE7IuQn9X Gf9fHl9hv07qdXUobL5w1dYtiT/mnqQ5Sm85vosDuzxoldy1+z6eYyCde7CkCrXeISjByq kjGxcXXrSuL6AAdfrTqhgbkRzTEIpiFpAdnNS3JAy4MGD+PApdCunS28wPSXwcF3o2u9gV Qc5Y0tUf/lTOUKCa+ZWMPleCux/HstZVE6vqHA+CbuAU7kNIK+QKExR/0YJOCzCbe7fy+/ o/gA5Wc47cnTrKa4EFF50n0ti6Y6e0f10zjktLkRW0T2cWuPMzJzs2iTddfTeQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781051877; a=rsa-sha256; cv=none; b=XtyL+6SiGjIQp/xV7ikjrA8nrAMiYXlRd4aaWVvbDx0LFiwiIrlyXtyiUVrntk6bSDxALS SvpaR+g9XqOPKZXLv+GuaaEbjbVAjDBwbL4WcOTEBn35saojafG3RgS4b1RIRr5KCLbYB+ HCG7+lOqSHrZ5kuiBbh2yZzUrrZjpfeW4Y0gpzb+1CY8S0vRWTbKCpHHACoOvpqvGRxWgF Sir5it9MowET89Q9iV5ccwukZ9R1K7QviBvj9dqcEuRS8ve9nIv65tAlooYqWPd8WGTnqf fnB2eXABjWLKPrC1IvzSvBvS9MrKRcdu6M7Trx5E1qVGuZ4MRdU3aQODc8tX3g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781051877; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=4ET4DhHxcTJvH3g5NmOmuPcqEzf/CDkazOq0WW+wjj8=; b=gOVwjC52xLCP4ddXTBK0QbZGoEBiMP/7LTwWQL+67ZlRbHLztLkoqFSXxZ1n+5K9XJ18d8 GMg1jdZr46DWwB5vr1R9oXN1eUIkicI/N5ixHTJ9GDYPJRpq39OKWa5sWzlVUvAYBaRje/ N0kGJDeW4s5/u0Taic32kcU3FQvsREyndGDAr0fivHmRBFbgmDQOSnFzfXTqY45b/xWjHC sjAA72wq8B9n0iu+8Uli1v2i+r6EKoqXr3uKm2bGSH3/4lnzCRHaglR3lZxTmprWd3VVHs wvx/KADk+a/E1zt6ghpW/eExmOxf43vHRXxJGSOVwOpCJqc8/cd9uKmyqUXpng== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZn1c5N0Vzy1q for ; Wed, 10 Jun 2026 00:37:56 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 41468 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 00:37:56 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Philip Paeps Subject: git: 640f3065c31d - Create tag release/14.3.0-p15 List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: philip X-Git-Repository: src X-Git-Refname: refs/tags/release/14.3.0-p15 X-Git-Reftype: annotated tag X-Git-Commit: 640f3065c31d07f0b4e3cfb2b07ceb782c2d0372 Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 00:37:56 +0000 Message-Id: <6a28b1e4.41468.7c026ece@gitrepo.freebsd.org> The annotated tag release/14.3.0-p15 has been created by philip: URL: https://cgit.FreeBSD.org/src/tag/?h=release/14.3.0-p15 tag release/14.3.0-p15 Tagger: Philip Paeps TaggerDate: 2026-06-10 00:37:01 +0000 Tag FreeBSD 14.3-RELEASE-p15 commit 0b1dfc94785e1ae263e9334a07fbe2a1ef98c0c9 Author: Mark Johnston AuthorDate: 2026-06-07 17:34:10 +0000 Commit: Mark Johnston CommitDate: 2026-06-08 15:24:16 +0000 Add UPDATING entries and bump version Approved by: so From nobody Wed Jun 10 03:41:55 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZs5x3Kbxz6gscs; Wed, 10 Jun 2026 03:41:57 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZs5x2fcjz3tr0; Wed, 10 Jun 2026 03:41:57 +0000 (UTC) (envelope-from kevans@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781062917; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ohwdrOzmA0Ld1t9WWbTh+W1/lsA3HJ5o+fF1HvzUq8I=; b=Mc88o6GhCBrIk0hGVW7hY2M5wUvkBRrI14x1UmjuC9nQhdMpPlyOuiWLZsHXChAsTqOoUn SmNkPbJtDWzm9905ndbpBa8AdGZ11IZX20Rp5k9mP3EvpHvkgdSUu55OsT9mFtKzFAXbjl 4QQo4JqGubbLPQ22CuOB25C+CYrAkfJURNyiH0NTeT5DaI48IpkVkxjC2DDqQ3DT8OtSYR w4HgsxIZN+2jtr3vP0apN5+n/rDj0vGEF4Nij5rPv4Qh6/CnL+SE/xZes16nLSqPFdZssm KlAQP0790D9t9+pOwxm751NxyDpElv5xeO2mBGvoFIrGza/jh8zIS8KsjpYCpw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781062917; a=rsa-sha256; cv=none; b=du+jeHs6S/i+mtdjW6Tn7jkOxo8m7Wc9QAkXjdLg4kRTWDNg/rgZw6c6IE07txAmQZ6Wb2 3aj//m3vsSaTgBbBkDF8frItWy7TKQBba5e9aMUUlSN8SMnkNuRfeoKNOL6IMIHG4dm+pR NSdjU9DBM7zR5G5XOAYFTapvNJ4tbQIVfRs5edLNFVRhcMD343XO4mgsKyrkqnba6+vxh7 SmypigtEjFxru5zCvHWlk8p8Ipx1a2Rbh1RJ/E9Z1S6wqgV7NevoD+VsUouYQXngOl3KBe v+atqMDg8oqDuK3B3fKx9Z8pb2C5/2k27uaApwlupa99uCUHE9bisj1hdSfevQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781062917; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ohwdrOzmA0Ld1t9WWbTh+W1/lsA3HJ5o+fF1HvzUq8I=; b=a/D7QK6ozC1OLIblhw4U6MqpSIhw4V5Jazv8WLkbiA7u8LM3gmdAhatoB8gwYyY4dNOba2 SXVGlUgOMmh7fcaH47TfMZzYAUrOUkNkb9N51BjsE6vVaAdFPHlcG+UOrqNg3h8LQxV2yZ jw8olE4PNdy07MQkxqSdbOtmfush0ShgUKyKKo3qOgEPO8yW9p8PYZlA12DdpL1FI8UAwl Dr7o8slnA+eeoyQ05GHSB1FIvgszoCQPfR+KTdy6XkNDsIGt9l7gCiVzdEYTWcBALwMkoa gyuPy7jLZ3CORqwV8OrzDYXMkBSW1llcNufgMl/1exTANUx0ZL7WO8Sljrk9UQ== Received: from [10.9.4.95] (unknown [209.182.120.176]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: kevans/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id 4gZs5w6L6bzvG9; Wed, 10 Jun 2026 03:41:56 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Message-ID: <52026aaf-6763-4d4a-8d5b-d9b0b4d29ea5@FreeBSD.org> Date: Tue, 9 Jun 2026 22:41:55 -0500 List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: git: a64877b140fe - stable/15 - Avoid incorrect UFS1 timestamp corrections when system clock fails at boot. To: Warner Losh Cc: Kirk McKusick , src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-branches@freebsd.org References: <6a288526.24868.173d902d@gitrepo.freebsd.org> <6fd7b96b-c5c4-4987-8ca8-f227e1066c9f@FreeBSD.org> Content-Language: en-US From: Kyle Evans In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit On 6/9/26 17:54, Warner Losh wrote: > > > On Tue, Jun 9, 2026 at 4:10 PM Kyle Evans > wrote: > > On 6/9/26 16:27, Kirk McKusick wrote: > > The branch stable/15 has been updated by mckusick: > > > > URL: https://cgit.FreeBSD.org/src/commit/?id=a64877b140fe0bf374cc96c95f374894c1627a32 > > > > commit a64877b140fe0bf374cc96c95f374894c1627a32 > > Author:     Kirk McKusick > > AuthorDate: 2026-06-01 23:48:21 +0000 > > Commit:     Kirk McKusick > > CommitDate: 2026-06-09 21:26:51 +0000 > > > >      Avoid incorrect UFS1 timestamp corrections when system clock fails at boot. > > > >      Git 1111a44301da - main - Defer the January 19, 2038 date limit in > >      UFS1 file systems to February 7, 2106 - did so by changing the UFS1 > >      32-bit signed timestamps to unsigned. With this change, time stamps > >      from before January 1, 1970 went from being negative numbers to > >      large positive numbers implying times in the future. When such a > >      time stamp is encountered when an inode is read into memory or when > >      it is encountered by fsck, its timestamp is replaced with the > >      kernel's current time. > > > >      Andre Albsmeier reported that he had a machine reboot after a power > >      failure and the battery that maintained its real-time clock had > >      died. The result was that the system booted with the time set to > >      five years earlier (absent a real-time clock value, the boot ROM > >      used the time that the boot ROM had last been updated). The net > >      result was that fsck reset the time stamps of all files newer than > >      five years old to the five year old time. > > > >      Andres's original request was for a flag in the file system superblock > >      to say that there are no timestamps from before 1970 in the file > >      system, so there shouldn't be anything to fix because of the signed > >      to unsigned switch. But this assumes that no one every does an rsync > >      or extracts a tar file or restores a dump that introduces an incorrect > >      time stamp on their system. So this approach was not taken. > > > >      This change compares the system's version of the current time to > >      the last modification time in the file system superblock. If the > >      current time is earlier than that time then use the last modification > >      time in the superblock as the value for the current time. There > >      should be no files in the file system with times newer than the > >      last modification time in the superblock. > > > >      The superblock time stamp is updated in the in-memory superblock > >      every time any change is made to anything in the file system. The > >      superblock is written to the disk every 30 seconds, so it may be > >      off by up to 30 seconds plus the time it sits in the disk cache > >      waiting to be written if the system has an unclean shutdown (such > >      as a power failure). Thus, the worst case scenario with this change > >      is that files written in the last 30 seconds plus disk cache delay > >      time before the crash may have their times adjusted back by up to > >      30 seconds plus the disk cache delay time. > > > I have a related question that came up while I was working on a patch for > ZFS[0] to set a mount-time for those of us with broken RTCs.  The current > version of mountroot[1] calls inittodr() *after* the root is mounted, which > means that anything needing to pull a timestamp when the root is mounted > gets a time <= 10 (probably 1). > > > We likely should do it both times. If it fails the first time, we'll call it a second > time after the mount with the superblock time. How we communicate time > that we think is approximately good or not... > > In ZFS, this results in an uberblock update that leaves a bogus timestamp > around until another update occurs, and I'm not sure that that's really OK. > I'm wondering if we should consider splitting inittodr() or something to > try and read the RTC before we have a root, and 'fixing' the clock after root > is mounted if we need a hint from the rootfs?  I don't know if any of this > matters for UFS. > > > Yes. I agree this is a good approach, but how does the rootfs code know that > the time is bogus and shouldn't be trusted. And how do they find out later once > time is believed to be good (ntpd, ad-hoc early-in-boot programs, etc). > That, I don't really know. One proposal I had for ZFS is that it shouldn't let the uberblock timestamps go backwards, or at least beyond a certain threshold -- if it tries to, we could just bump the timestamp by 1 from the recorded time so that our new uberblock is preferred and move on, knowing that inittodr() would likely prefer the notion of time we provide that was on disk. Any timestamps we try to pull from mountroot to ntpd/chrony/etc. would still be bogus, but a lot better than they are today for these systems. Having written that out, I think it's worth looking closer at that ub update and whether it gets persisted to disk. I'm specifically wondering if it's possible that we could needlessly lose writes as a consequence after an unclean shutdown even on systems with an RTC, since the clock isn't setup until after. Thanks, Kyle Evans From nobody Wed Jun 10 04:01:02 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZsWy31Qgz6gvDK for ; Wed, 10 Jun 2026 04:01:02 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZsWy2DNQz3w2q for ; Wed, 10 Jun 2026 04:01:02 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064062; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=j1JhmSHEIEWLbGlgsgAcQoBmH64X/4BtonGccZNHzJ8=; b=qiM/3m0q9tdndvzC4QBmbCqK09jbELH+mCAoL8EmjMtCEA87r3uUrk/V6xhDMAuH7SHHjR w83kHokcu2nuxRDx0KFct3P/ovBZNUAJ7dojwLm9gZiSwYog4jzTJpnl7Wra1oxJQ6VPaT KT+RENKuoi0gm23V+HvQ+IGIH7X68XOXj1oXTCva2uOscMKYYKl0HaWHuKxlJx9iCWxKuQ O4rbkPFWHUev2k9uMe1WxlPinGQzBz1rmMnrY/ggYb6nficKfnOfl6mXZxOPIFvnSxCpCO YzxzEPhE8YiDHpmHb8yPVVECip1l+xjiEoRn/7egwlnwLJOvWdiuVpcA5TvYvQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781064062; a=rsa-sha256; cv=none; b=iTdL/J/sqm9bK6PKJaU6E2P4VRjOl6yoULFbiRyZbEfEpWEva1SLz5uKCwkynAgvypBuEo 0s2lehtu5/G3QnjPC+1Mer4ExE8io0jDdnrz+2n2m1IY1NTiacpOb3LmzY0SB8FwiJfCPn rmqDV5DM91ZFeyKi17QBKQnf9tACpv4V9Yhu9Re2iKtYSZkGE99ak301ji8T3t1AwXiAK6 rVm8i2lu/C8Srmsh0lEuJ7OvY8yvijiT2sRpxCb1lSD8tCQ2MDJqz19b70ns0ueidH6Yha 41/s72bPVw+78HYBXYkSx2lu5mlC06O+cLGIfpkCIfJ52Ntqp9qpUzo5036YAA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064062; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=j1JhmSHEIEWLbGlgsgAcQoBmH64X/4BtonGccZNHzJ8=; b=f8MFRh0AQY2gE5QFqTpbvUv3p6NEJ+P5gLeyraeElV6mtY/3GtENcR4ghRg2Nazufc29ZN D3sb8xGXPos/75sMPlkFMOnqD4bh3XWPdK/WiWt9mKApl9aL2NTyX0e26HwNYVnBU/4LAR B+1Sz8MNHkTKu/nPl5bLK5eBtLcwrkkU7AT3z3x/3xWo9Tav890auO2g8gPRrqaozvzgTc f4Po7ryp6c/7YEF+0SRCbuzxtfOunmxBsJ4zflo08PDephSkdwmS/vI+F57UGDaS1GABEB gUYWcd0SQBNEHjlOdQc6VdtRdcrM0QEReIaqG1Sm1jCnD/FAGjoTEfPPJVk/lw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZsWy1jKxz1430 for ; Wed, 10 Jun 2026 04:01:02 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 26765 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 04:01:02 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kyle Evans Subject: git: 3129ecee97c1 - stable/14 - ctld: kernel-sourced portal groups are not dummies List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 3129ecee97c1405fbb6eeab2e8b906b096eab1c9 Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 04:01:02 +0000 Message-Id: <6a28e17e.26765.1b8f5325@gitrepo.freebsd.org> The branch stable/14 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=3129ecee97c1405fbb6eeab2e8b906b096eab1c9 commit 3129ecee97c1405fbb6eeab2e8b906b096eab1c9 Author: Kyle Evans AuthorDate: 2026-04-28 20:51:50 +0000 Commit: Kyle Evans CommitDate: 2026-06-10 04:00:45 +0000 ctld: kernel-sourced portal groups are not dummies The current and historical versions of ctld would flag our initial set of kernel ports as dummies, because their portal groups were empty since portals come from the configuration on-disk. As a result, we would never try to remove a kernel port at startup that didn't exist in the configuration (possibly a feature if you wanted concurrent ctld(8)), and we would always try to port->kernel_add() on ports in the configuration (even if they actually did have an existing kernel port). Flag these portal groups as kernel groups so that we avoid trying to add ports that already exist. It may be the case that the kernel_remove() loop in conf::apply() needs to do something other than the current `oldport->is_dummy()` to avoid removing ports that it isn't supposed to be managing, but that wuld also seem to apply to LUNs that would be removed today. Reviewed by: jhb (cherry picked from commit d9c0594191f5c45d7f3c737350321ee59bfce9bf) --- usr.sbin/ctld/ctld.cc | 9 +++++++++ usr.sbin/ctld/ctld.hh | 1 + usr.sbin/ctld/kernel.cc | 2 ++ 3 files changed, 12 insertions(+) diff --git a/usr.sbin/ctld/ctld.cc b/usr.sbin/ctld/ctld.cc index c44c3726e74e..05734cde5a49 100644 --- a/usr.sbin/ctld/ctld.cc +++ b/usr.sbin/ctld/ctld.cc @@ -1136,11 +1136,20 @@ port_delete(struct port *port) free(port); } +/* + * Foreign portal groups (which only redirect to other targets), and portal + * groups without any active portals are considered dummies and ports belonging + * to such groups are ignored. However, portal groups that exist in the kernel + * prior to ctld starting will contain real ports but no portals, so these are + * never considered dummies. + */ bool port_is_dummy(struct port *port) { if (port->p_portal_group) { + if (port->p_portal_group->pg_kernel) + return (false); if (port->p_portal_group->pg_foreign) return (true); if (TAILQ_EMPTY(&port->p_portal_group->pg_portals)) diff --git a/usr.sbin/ctld/ctld.hh b/usr.sbin/ctld/ctld.hh index b1757f98ac81..a132965cd235 100644 --- a/usr.sbin/ctld/ctld.hh +++ b/usr.sbin/ctld/ctld.hh @@ -117,6 +117,7 @@ struct portal_group { struct auth_group *pg_discovery_auth_group; int pg_discovery_filter; bool pg_foreign; + bool pg_kernel; bool pg_unassigned; TAILQ_HEAD(, portal) pg_portals; TAILQ_HEAD(, port) pg_ports; diff --git a/usr.sbin/ctld/kernel.cc b/usr.sbin/ctld/kernel.cc index fdd290988ce0..809205c176ed 100644 --- a/usr.sbin/ctld/kernel.cc +++ b/usr.sbin/ctld/kernel.cc @@ -577,6 +577,8 @@ retry_port: log_warnx("portal_group_new failed"); continue; } + + pg->pg_kernel = true; } pg->pg_tag = port->cfiscsi_portal_group_tag; cp = port_new(conf, targ, pg); From nobody Wed Jun 10 04:01:03 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZsWz4xC4z6gv7v for ; Wed, 10 Jun 2026 04:01:03 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZsWz2jmMz3w9G for ; Wed, 10 Jun 2026 04:01:03 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064063; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=gAEv4KKZUJZx8310mrYJoSbE50VCJwaICxfHMlpZk6M=; b=DDGHY1PyZN6r5YwKmILDbUZdY/ipgPIr8EgChau/YvMzDCUiWkC7Lqj2pK1KwMLLp3ZUdw E6uayzhD736MPoXPaGi0JJHY0tTO5uZL0mwkSicYCqThKPy87U64FO8G3sCawTZGDjCYgq B+8TjBKCHmD2HAzCJYQ0TjrA/l0MPagLNjg6aXXM4sf/SGTe20DWjXIE1PJcdm3EiQhyAn ZFu5CreCDKTp1gfeGvm09SKrjDRwaYPkCjGYUz3cuckgO4ZgSEGHFtxpqvWtRsTr3iZFW9 heNmpF6njwFwYpKN4dOM+J5tzzcirNFD+kmd83ECYOWpUuyrTfbM0uQAXYMHCA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781064063; a=rsa-sha256; cv=none; b=Z/b7AYHPKP1Rti0AidM5YvXlGFWkjk+ZrwEbNeCQEvlvYwe5lG7yyI3+oP7kpLjwm0A9ef 2E9vO8hcvouc3f6dc5Q8Xy4AB/Vo2r9ycUs/DzGUu+E3fD6FWP6MXIDIVAoTENZIc/FrhK yPK0ZrXSqSBxV5sjfjl+I+F04brmveKIpU9qXoIO9NSRdcpc+z+FrnLz5u8ryHImy8WlwM gkmDQq4aF2Blq1rU41qu1eo1e+QH0ivUoXQN0zc3ye5TMHJmNAZW7E97W/TdAkcISJhfcM +SbmzeWaRapjpuTLzq+rpGYCD/H5HaOLq0HhMeNhQJvANDBiCRli0DPmUGClbA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064063; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=gAEv4KKZUJZx8310mrYJoSbE50VCJwaICxfHMlpZk6M=; b=rVdUuukpMMyffzCtWfaKum8a9nu9ytzZItywcj0PR/z0F+JF2KZcY5v+rIrm1tk8lQrrsp Wa82RIC+Pf0MDuVBgrhH+S5tmNfaDnUIp6Yt5oIJKl9omiTDK/E904t83mL0cIklzEmWFU 6lJOFuJyH8zDBlM7eYEhn1VGF3QL9orFOAPOmRVO6kQd15VB7HievOB5EcC7niPK0EZCpW qRnRMtNN24oJejxwr3HMV7TyjVPlD0BJsb5VKum2U1zKBHyCIzxEJ+qlItUQZEck0tHlrL iiXcJASH9dby4THfFIpcODBbbgDv81YFojHEL43CwHYXlv70okuELbzZ0qWYYA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZsWz2DZGz14BL for ; Wed, 10 Jun 2026 04:01:03 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 26660 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 04:01:03 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Chris Longros From: Kyle Evans Subject: git: 10b44bf791c9 - stable/14 - cron: log when a crontab path is too long List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 10b44bf791c9bb77dd2a9a2d9c510e671cefec50 Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 04:01:03 +0000 Message-Id: <6a28e17f.26660.3b74d926@gitrepo.freebsd.org> The branch stable/14 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=10b44bf791c9bb77dd2a9a2d9c510e671cefec50 commit 10b44bf791c9bb77dd2a9a2d9c510e671cefec50 Author: Chris Longros AuthorDate: 2026-04-29 04:06:29 +0000 Commit: Kyle Evans CommitDate: 2026-06-10 04:00:46 +0000 cron: log when a crontab path is too long Log via syslog when snprintf truncates the crontab path, instead of silently skipping the entry. Signed-off-by: Christos Longros Reviewed by: bcr, kevans (cherry picked from commit 91bfba010bcda665cc24a76af631cc85fcb0c688) --- usr.sbin/cron/cron/cron.8 | 11 +++++++++-- usr.sbin/cron/cron/database.c | 6 ++++-- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/usr.sbin/cron/cron/cron.8 b/usr.sbin/cron/cron/cron.8 index 23a295393df5..f1a6a30d4cb5 100644 --- a/usr.sbin/cron/cron/cron.8 +++ b/usr.sbin/cron/cron/cron.8 @@ -19,7 +19,7 @@ .\" .\" $Id: cron.8,v 1.2 1998/08/14 00:32:36 vixie Exp $ .\" -.Dd January 20, 2026 +.Dd April 29, 2026 .Dt CRON 8 .Os .Sh NAME @@ -227,7 +227,14 @@ configuration file for .It Pa /usr/local/etc/cron.d Directory for third-party package provided crontab files. .It Pa /var/cron/tabs -Directory for personal crontab files +Directory for personal crontab files. +Internally the daemon constructs the relative path +.Pa tabs/ Ns Ar filename , +which must fit within +.Dv MAXNAMLEN +bytes; in practice this allows filenames up to 250 bytes. +Longer entries are skipped and a diagnostic is logged via +.Xr syslog 3 . .El .Sh SEE ALSO .Xr crontab 1 , diff --git a/usr.sbin/cron/cron/database.c b/usr.sbin/cron/cron/database.c index 35e5fad3524d..234b5ef7fdd6 100644 --- a/usr.sbin/cron/cron/database.c +++ b/usr.sbin/cron/cron/database.c @@ -166,8 +166,10 @@ load_database(cron_db *old_db) fname[sizeof(fname)-1] = '\0'; if (snprintf(tabname, sizeof tabname, CRON_TAB(fname)) - >= sizeof(tabname)) - continue; /* XXX log? */ + >= (int)sizeof(tabname)) { + log_it("CRON", getpid(), "TABNAME TOO LONG", fname); + continue; + } process_crontab(fname, fname, tabname, &statbuf, &new_db, old_db); From nobody Wed Jun 10 04:01:04 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZsX11LRCz6gvJq for ; Wed, 10 Jun 2026 04:01:05 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZsX03YWMz3w7G for ; Wed, 10 Jun 2026 04:01:04 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064064; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=nukpWKFxK4ULsvoA7u+X1PntHPu03EyGcCG9esIB9Jo=; b=PUEKrJ+v6aF16q+2t8EFW3noJv86r9gaMYsXUWsDuZfqIfP92aXK6N65Ns1WRSqYsWzMsf 9x/Gtt6+/l4GuKWGWyyLrx4W389l1uVkvaea4ivlf3sBhO0CyiQ9yteKBCROVq5tIlj3NN TGiHdN10PpHPMHDZDhsQAkkOCVcenshjevNKx4h1kO/IlLidRozgVIHNR+TMWRothm7Env ftojH0FX0Xt8SRZsmQjI48E78G26kFYMq2CcuoKno8W9mbp2Hf4douALx/2AJKAs1gKR9c OA/gmzwJhSO/cwVBm2qV1kxyLvHP/Rtes2BMQKZkIzOcHGgCIZhgfzA9xA6YJg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781064064; a=rsa-sha256; cv=none; b=WV4/kHudLbYgIXsasVkUp1IZQg+052t1VpnZpgSyVP2YDnsg45JdAYZJQzQOnrOYfR8gvV VaDpfM6iD0cORoRD1H7QbIls/iRIqQyBnkH0lsnvt0mXJCaZ5RaozlJ+NBvX7p1A1TafHF nO501bFjfFgijt3Lfjd2+4sf6dSfHsB48UStLIPhFmNY4NFco8Fk0tsSWzXuQ5fsTfNvVT QJ4UpPVBpn6EtsmbdzYiT1tXC3Ac7mUQYTXw4/CZ3B79CHHGfplBEDZmwuO2RTkHyVUO7l uknuj3lh9swHjq+UIbfkjCUEAnFoN9Qu1q6D0ylBwHqISyFSdSza8Reas52irw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064064; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=nukpWKFxK4ULsvoA7u+X1PntHPu03EyGcCG9esIB9Jo=; b=lazyOjURq8iRqSQOltzgSDIyhmvnxEAw+CLv7PGFukxAbGVCW0S6OrgUo3i+2MJwR7S+Tl hovtkJjso+A+MLsg2Ih/8tdWuGPHJZKZilKt4HI3hxscR8d7Vzrk/8fcaebfFELjWJBX18 V2LmjRio4imBaPAPZY6bEu8BPn985klPrQi3M4EC4YgJ9ylisX86+57CT6hGw/aYHjjU/y YWUbkZ9Nb7mgBl7lE1qLKdLKv7TbfC3IfLrhtgNNOIgobJ+jhfrKkEa7tKZ6YyRLakIson 2rcR5f2GOM2PjQDbtwLDuVh4f+8W9v+2i/HMBCqGfPShw5HxE5VExDxCSCFpsg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZsX031dSz13SJ for ; Wed, 10 Jun 2026 04:01:04 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 26769 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 04:01:04 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kyle Evans Subject: git: 0de1f3a8aa7f - stable/14 - fexecve(2): call out a scenario where you want !O_EXEC List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 0de1f3a8aa7f5e99aa63bcd76dfa3fd7e017d295 Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 04:01:04 +0000 Message-Id: <6a28e180.26769.25413336@gitrepo.freebsd.org> The branch stable/14 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=0de1f3a8aa7f5e99aa63bcd76dfa3fd7e017d295 commit 0de1f3a8aa7f5e99aa63bcd76dfa3fd7e017d295 Author: Kyle Evans AuthorDate: 2026-05-01 03:02:55 +0000 Commit: Kyle Evans CommitDate: 2026-06-10 04:00:46 +0000 fexecve(2): call out a scenario where you want !O_EXEC We note a reason why you might need it, but there's an equally important reason you may need to omit it: interpreted programs. Add a note accordingly, along with the workaround configuration if there's reason you can't help it. PR: 294780 Reviewed by: Jan Bramkamp , kib (cherry picked from commit 9c18d55a768a3e60ecaba1325e9a3e00a25dee26) --- lib/libc/sys/execve.2 | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/lib/libc/sys/execve.2 b/lib/libc/sys/execve.2 index ca5dbd09beee..22ffa268b220 100644 --- a/lib/libc/sys/execve.2 +++ b/lib/libc/sys/execve.2 @@ -27,7 +27,7 @@ .\" .\" @(#)execve.2 8.5 (Berkeley) 6/1/94 .\" -.Dd January 26, 2022 +.Dd June 8, 2026 .Dt EXECVE 2 .Os .Sh NAME @@ -231,6 +231,17 @@ is to use the .Dv O_EXEC flag when opening .Fa fd . +Opening without +.Dv O_EXEC +may be necessary in the case of executing an interpreted program, as the +interpreter will not be able to acquire a descriptor to the script for reading +without mounting +.Xr fdescfs 4 +on +.Pa /dev/fd +with the +.Cm nodup +option. Note that the file to be executed can not be open for writing. .Sh RETURN VALUES As the From nobody Wed Jun 10 04:01:05 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZsX21qmTz6gvHY for ; Wed, 10 Jun 2026 04:01:06 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZsX14x4yz3w0Z for ; Wed, 10 Jun 2026 04:01:05 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064065; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=aFnQkW54pMVtWMcRhowHNK2MltFU4Zv9d9GHuopGals=; b=O/7AyAeiirhdSo0H5JF75bXnrP3Qikn0eRRW+r62GU5AVH3zyOIiWK7VDM0H0IunhwdRy8 gx/1sXXdgnMovPM+ff6YYZbQg26+3bOLGLiX2pKEoCo+puttv+yTBe6TXdFpHIJcYhn5aW Vw9CKmNLCdxa3jviV5cnMfe6tbnQZ/ayRH+bNogyldewKKhDyFSp7PjMP5thryKiTocQYE DC2XanX9yh3AKnvHSdBYHemB/4670QiZ1WTUfx/Z/x4Hyppqk9pc9x4idsZNN5G6PS0YcG 7r40mMBmvPVMb7d/d64wADb4G6ghR3aoj61nyKd7hiJnC2782nQ+TA/SjSde9g== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781064065; a=rsa-sha256; cv=none; b=hx4gTeU9HBNL5E0sl71QEFu+ZpZ5O9O97RgkGgosDlOz5Gl8aCvEnFxR7lQT+7p82cOd86 6ioWXEWzovZ+1KyNK0tDUvAJQvQSnkNAbboglzpNmwwkFa1qYMxEPHA2FiOlBWUELbRCTQ aetmoFg/11WIaph3B6ljpNajXlKlwSlhRAZI7Xtws/fQsT/aSnDbvcUsnqLRYacyEkY5FB HNEFm9geA2oone7HleWnpZr1OJhJG+2HRenJl/iMBkyaxMighuR6IDwlgdVhBsAGCXNGRC YxIIArcz70BPqAT86eIttWzY7ZwWv1b0UurUGr6xYUHWUicT05oRRVPwXGS3Pw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064065; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=aFnQkW54pMVtWMcRhowHNK2MltFU4Zv9d9GHuopGals=; b=bPI1CEFOmvz9u4pHTHcZfruRYBZmo8SfgRMO43CPEcQ7KEeCbLLqtqV4S+ThKi8wLNj9tJ bnqceEJeJLP30KNmhrUutapG9F107X4njqSCGQoOoK2spJvYaENs6REB6ohZUvbdUnmPQq yuXr52wJV8pi1R5JS0T/jEejL53qyhAh/1WCjw9JStPGeQAq57cl/zToEbm1m5aOIMlQtX 1555SD0IjweqmTLXKyWnp8S0GqtX93duhSjEuqBWcc1J1lQwT2s+srDqY8+124sFUryiOL qj8/1CBsyqOcpOXMYkaRgbj+tT8XbexV5L/kCWyl/7qNiAd5YoKpBKboB8Q1Ow== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZsX13mTcz1435 for ; Wed, 10 Jun 2026 04:01:05 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 27a09 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 04:01:05 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Jan Bramkamp From: Kyle Evans Subject: git: ee07da0c1e95 - stable/14 - jail: open the fstab files with fopen("re") List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: ee07da0c1e95d307d5120ac6a8a0ea5ccb88e61b Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 04:01:05 +0000 Message-Id: <6a28e181.27a09.4a956053@gitrepo.freebsd.org> The branch stable/14 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=ee07da0c1e95d307d5120ac6a8a0ea5ccb88e61b commit ee07da0c1e95d307d5120ac6a8a0ea5ccb88e61b Author: Jan Bramkamp AuthorDate: 2026-05-06 23:28:53 +0000 Commit: Kyle Evans CommitDate: 2026-06-10 04:00:47 +0000 jail: open the fstab files with fopen("re") This protects against accidentally leaking them past fork()+exec() in future refactorings. PR: 295052 Reviewed by: kevans (cherry picked from commit 58811b0ae096c134af372bcf475aea1d8d0e3c08) --- usr.sbin/jail/config.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr.sbin/jail/config.c b/usr.sbin/jail/config.c index 5cf2e34a8340..e5aef24f6386 100644 --- a/usr.sbin/jail/config.c +++ b/usr.sbin/jail/config.c @@ -726,7 +726,7 @@ check_intparams(struct cfjail *j) TAILQ_FOREACH(s, &j->intparams[IP_MOUNT_FSTAB]->val, tq) { if (s->len == 0) continue; - f = fopen(s->s, "r"); + f = fopen(s->s, "re"); if (f == NULL) { jail_warnx(j, "mount.fstab: %s: %s", s->s, strerror(errno)); From nobody Wed Jun 10 04:01:07 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZsX41rC2z6gv4M for ; Wed, 10 Jun 2026 04:01:08 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZsX364Mmz3vxR for ; Wed, 10 Jun 2026 04:01:07 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064067; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=hX17wDD/B+ZUpRx6a2SLFbAY960AU2cExL+dV19kMUM=; b=hAjmuCp+6VTutouPqJet1iHdirN3wYOkRLngzmtE/STD+wBow16ticQ6/v//XJHU0vYBIg rbO7CiJ7h0DB2CJGn9hC43N/dVtswyzxx2h4kuWiQeBT2zj4hcFwrvvPJgFbJ1fFnUK0X8 i06hybBygg29LyKHQznqZTTKJGu/HLT6WI1Uu4/qK1C8o2bm+z0JzVMuMlu7u8Lt+Rar4c AV0iZFNkJ5l5cdzrJ4G+uuSd4e1iaXCKQXsd0bFXHbCGVA+fugIShJLQeBGJzIUgmBXT4R cF2fJ1jKfpN6NAI1Ce0lBYVCBeAYSoBrpCCqDdZd7X5Q3P8STzOqsHNFfiTWNQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781064067; a=rsa-sha256; cv=none; b=lTL3m2xVFMf5JP+1fz45JCi4hxNLeAMIxETUWa5a/z3yAXsTwNb95VOnQDZMm9U20vcj4k 3B/Cx7gG3QxkaIPOBqMOvq3m/EapiuUKR6cqz/pnO6iEu0u06L3mOjTn9Mjlw4zr2Z0JvM O0It6lfwK2cgqkhFwTkM2+kaNhrjl1xGPGhk0L18wsB/8NOWwCx85qfPMXux4hkWbqkPs1 aRsinhnuPhIwXovSlo2aAr6LindsE0tcVCZScLahsxJRkks2CJ7jLjd0j9N9i6K4xi4vfO 9g7u6rZTm/S3z6o4HYGb4r8O0DUrhcgoCJgKa5E8utAax2pUJ2DZpxGXchZhRw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064067; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=hX17wDD/B+ZUpRx6a2SLFbAY960AU2cExL+dV19kMUM=; b=v/hp2bMmEqg4p1KXBt379k1y1164FJR39JX2EdXKanmPWknT7y8WCpzjd98QBud/g35waU jDOFRo1HTaZvleYVnFf01vJ9aE72bzzlai5OWxzqugqMUSTqshO/Ihdzefzfpa5Y9Vmo3G uo/7J154eeB0Db7SAtT4qoqfZGtyzphnDLUVsnIsZPcUCo6TLD1K4xTHlEe5ioqujC9uqj +x5xypUX39HHcUvcQgrE7/38M93fmoc/tb5jWKqFVTruZ9FqbJ2IYBfGlJdXp01ih7KU7h iDLA1ztvVLlHxuwY3rAVbGZlsIk85yL9XLNRlamb/QtyNwc7Hn+OlS0tx+oJkg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZsX35KJMz1436 for ; Wed, 10 Jun 2026 04:01:07 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 25e67 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 04:01:07 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kyle Evans Subject: git: 2db75e8df850 - stable/14 - linuxkpi: work with numpages > 1 in the set_pages_*() KPIs List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 2db75e8df85044a9865c62d44f4261041f2bbcbc Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 04:01:07 +0000 Message-Id: <6a28e183.25e67.19fe04ab@gitrepo.freebsd.org> The branch stable/14 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=2db75e8df85044a9865c62d44f4261041f2bbcbc commit 2db75e8df85044a9865c62d44f4261041f2bbcbc Author: Kyle Evans AuthorDate: 2026-05-19 03:22:21 +0000 Commit: Kyle Evans CommitDate: 2026-06-10 04:00:47 +0000 linuxkpi: work with numpages > 1 in the set_pages_*() KPIs These calls are used for buddy pages at least in drm's ttm_pool, which leads to a panic when we invoke lowmem handlers and drm tries to shrink the pool. Cope with numpages > 1 by traversing the contiguous pages and executing the adjustment there, as well, as suggested by markj@. Previous versions have tried to use the corresponding `set_memory_*()` functions, but it is believed that not updating `md.pat_mode` breaks subsequent userspace mappings in ways that may result in things like screen tearing or other artifacts when running i915kms. This stabilized my amdgpu laptop running two VMs, chromium and a concurrent buildworld. Reviewed by: bz, markj (cherry picked from commit 67f7f2781daa9bd398b424ffe2bd0be67f37f03d) (cherry picked from commit 8dad29555a5807bf21941807752e1589e20312de) --- sys/compat/linuxkpi/common/include/asm/set_memory.h | 15 +++------------ sys/compat/linuxkpi/common/include/linux/page.h | 2 ++ sys/compat/linuxkpi/common/src/linux_page.c | 21 +++++++++++++++++++++ 3 files changed, 26 insertions(+), 12 deletions(-) diff --git a/sys/compat/linuxkpi/common/include/asm/set_memory.h b/sys/compat/linuxkpi/common/include/asm/set_memory.h index 1019aaf264a0..54a1311ef9a5 100644 --- a/sys/compat/linuxkpi/common/include/asm/set_memory.h +++ b/sys/compat/linuxkpi/common/include/asm/set_memory.h @@ -65,32 +65,23 @@ set_memory_wb(unsigned long addr, int numpages) static inline int set_pages_uc(struct page *page, int numpages) { - KASSERT(numpages == 1, ("%s: numpages %d", __func__, numpages)); - - pmap_page_set_memattr(page, VM_MEMATTR_UNCACHEABLE); - return (0); + return (lkpi_set_pages_attr(page, numpages, VM_MEMATTR_UNCACHEABLE)); } static inline int set_pages_wc(struct page *page, int numpages) { - KASSERT(numpages == 1, ("%s: numpages %d", __func__, numpages)); - #ifdef VM_MEMATTR_WRITE_COMBINING - pmap_page_set_memattr(page, VM_MEMATTR_WRITE_COMBINING); + return (lkpi_set_pages_attr(page, numpages, VM_MEMATTR_WRITE_COMBINING)); #else return (set_pages_uc(page, numpages)); #endif - return (0); } static inline int set_pages_wb(struct page *page, int numpages) { - KASSERT(numpages == 1, ("%s: numpages %d", __func__, numpages)); - - pmap_page_set_memattr(page, VM_MEMATTR_WRITE_BACK); - return (0); + return (lkpi_set_pages_attr(page, numpages, VM_MEMATTR_WRITE_BACK)); } static inline int diff --git a/sys/compat/linuxkpi/common/include/linux/page.h b/sys/compat/linuxkpi/common/include/linux/page.h index 37ab593a64e9..6f5f37d2fd0f 100644 --- a/sys/compat/linuxkpi/common/include/linux/page.h +++ b/sys/compat/linuxkpi/common/include/linux/page.h @@ -127,4 +127,6 @@ clflush_cache_range(void *addr, unsigned int size) } #endif +int lkpi_set_pages_attr(struct page *page, int numpages, vm_memattr_t ma); + #endif /* _LINUXKPI_LINUX_PAGE_H_ */ diff --git a/sys/compat/linuxkpi/common/src/linux_page.c b/sys/compat/linuxkpi/common/src/linux_page.c index 15b90eb3c470..3eb2fab03359 100644 --- a/sys/compat/linuxkpi/common/src/linux_page.c +++ b/sys/compat/linuxkpi/common/src/linux_page.c @@ -512,6 +512,27 @@ lkpi_arch_phys_wc_del(int reg) #endif } +int +lkpi_set_pages_attr(struct page *page, int numpages, vm_memattr_t ma) +{ + while (numpages-- > 0) { + /* + * pmap_page_set_memattr() would only update the DMAP mapping + * if it's a normal page, leaving the kernel map untouched. + */ + MPASS(page->object != kernel_object); + + /* + * pmap_page_set_memattr() sets page->md.pat_mode, which is + * crucial for future userspace mappings. + */ + pmap_page_set_memattr(page, ma); + page++; + } + + return (0); +} + /* * This is a highly simplified version of the Linux page_frag_cache. * We only support up-to 1 single page as fragment size and we will From nobody Wed Jun 10 04:01:06 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZsX33DT2z6gvDV for ; Wed, 10 Jun 2026 04:01:07 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZsX25CTZz3w5T for ; Wed, 10 Jun 2026 04:01:06 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064066; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=m4QIWrNqdh7rVjpPtVDKmiOTjCXSIJF5zbRIIjfgpKI=; b=BSAySFanwr1Iwjhs4LVnuTgBWVcPfSgGmbLw+1sqOlRANepDambMFHesXuZEiiDF1ZLP5P HeW5bRFlvyqAqW3v1bWFfk80wHM9u/JHOtlckTFFFwqGIw/NjYAuG1bHn+isj245/w0lqo nBFTAIz+t21WfmVYWZ/GmTxLh798ObPzBRBtNxWG/zi+sMuATygoVG+6sVjGfRYUsV172q efMheC3wH1xYMkdBaK2OgVWkfhCqT8wBv5CuuwixYnLYpUZSTOeCvhLSCpPwjT1k2HdvA4 8IXJqVO9MM/MvL4lj8B+AMQn5POcxany3xe/8sHdL3PmUc3kZvwJMVumDtDxAw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781064066; a=rsa-sha256; cv=none; b=BtANbizObM9+q3rBVwy2+PFqAE0EN27y8YSsjCP51LUut0ei5o8U/dEW2Vx2UvAQbbR/vR EdetiaajghmX6jUdrBE2b+w9E95KXMi8uYsQkS9s5+E9Biu7nMbPzaE4DZ+rCel992Uy4i It6QnA3kPz2jZa2Hdq/2WXDKkoN7L0Wx6u3WwP3N1GUZtefqox7VkiVgQh/xlb2+R5JhjC rwIVvKuQUt5TVgBrDOB1ejdUsOx35PZ1aYvKHwUQPPzLSkOvxmoB/b8+mw773wrZHQ0C8c WPB8DMn2jyRyre3u/UYzKb35Hks/Ol0Kz/a01YBF9IFOeEP08t6sOxKAY8JsmQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064066; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=m4QIWrNqdh7rVjpPtVDKmiOTjCXSIJF5zbRIIjfgpKI=; b=RW86HoG4Ou4ElzO599ksAkDPb81FZVM1QimDlljzDcnIR7koOoCHJ49nZN4XGvMZtbgCd8 7L7WXN3bTkNMm8cc7OR652vhMTkGTrkTTbhbvxqHUQZsvAsm161CBawobQYtxNsYsJOLGF WCiL7pBJgvMaSp5j6QQfcHubvcivsSUMe4qHTyP79IZQvJGf9M2le+6rERXgq0WBDehs2H 8ZdLneuXSbFEjGhh1dbwD7MgyXg7eY2F+3Sa55KkpCNlIdQSJ6BzqEcaU8DZhxhEtTeZJ1 n1ngWMViPpGJrkBv+oLK2jN1ZJ+Gj1lVlIO5gDkeHIHfAsVGUpJjBd/mp/o5fQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZsX24Xgxz14VG for ; Wed, 10 Jun 2026 04:01:06 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 2748e by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 04:01:06 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Marek Zarychta From: Kyle Evans Subject: git: 87224fa65140 - stable/14 - devd: Use PF_LOCAL instead of PF_INET List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 87224fa6514063d6fc1505ec95498f50cf8802d8 Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 04:01:06 +0000 Message-Id: <6a28e182.2748e.1b0f82ca@gitrepo.freebsd.org> The branch stable/14 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=87224fa6514063d6fc1505ec95498f50cf8802d8 commit 87224fa6514063d6fc1505ec95498f50cf8802d8 Author: Marek Zarychta AuthorDate: 2026-05-07 01:28:08 +0000 Commit: Kyle Evans CommitDate: 2026-06-10 04:00:47 +0000 devd: Use PF_LOCAL instead of PF_INET Avoid dependency on INET (IPv4) by using PF_LOCAL, allowing media check to work on systems without INET support. PR: 295045 Reviewed by: kevans (cherry picked from commit b2e4da0b53ad082768b8f6f83766e030fd00d02a) --- sbin/devd/devd.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sbin/devd/devd.cc b/sbin/devd/devd.cc index e4abf0e33fae..c00136a3f61b 100644 --- a/sbin/devd/devd.cc +++ b/sbin/devd/devd.cc @@ -370,7 +370,7 @@ media::do_match(config &c) retval = false; - s = socket(PF_INET, SOCK_DGRAM, 0); + s = socket(PF_LOCAL, SOCK_DGRAM, 0); if (s >= 0) { memset(&ifmr, 0, sizeof(ifmr)); strlcpy(ifmr.ifm_name, value.c_str(), sizeof(ifmr.ifm_name)); From nobody Wed Jun 10 04:01:08 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZsX52rLyz6gv4V for ; Wed, 10 Jun 2026 04:01:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZsX46FDZz3wB6 for ; Wed, 10 Jun 2026 04:01:08 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064068; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=WeyZLnWTj9b2BHquSH0NnFWjb4cod1+je4r+IMcdvmw=; b=WyMkRLoJXwCZWDEKD4A3bn7V5Yi2ym83eLPQOXYjl9tAUQ7KzDQ/nJkqHn13MiTsdeRTjb JLUCtPkEf9jDAzgzlkAs5T0+YmRt6YXUfkkUP3aYZOQkFprIGnj5MtnbXpGONhZT7KU90d UKjcxJhVDF6XWUj6HewCRSNmP5ZoZvnKk+KB0EjpNJGReok/B0MYrHim3HMSN9KCYngkOR vj7dK3bqlzYh41srnLq5xzYpgZEy9nKs04eNZ/L/pUrcw7bKJEo2QKP5U57bnhCqd9z9pr zg8/o/GHQH/EoUYpL2v0zUOUoAaRoQOxuwrxuSVFdbqrPcXvKWRucsCorJ/k6g== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781064068; a=rsa-sha256; cv=none; b=WjSHc/hQQwkt9kQYzValwvR3VHE9g4qP1JEn+wP+oU0r8/GpT8goBnhELsQyr4ejSpom4H Hs3cuHYux5RD09oNqj5tLm2Y0MekERs5tEsrUjUVy6jsK2b2gpDK+oB6AuI8A3DnZ2nCBu zbGKoQ3NZ9XQgEQzmC7Q/Up/x/r6JoMIkGW+IMmv2TToi9OZ9C1xfVi7aXhvC4HBGLlTb8 CIZ5aZbuR7QtmtTj53EiwKJskC7UQdJTyDaIbmf6aPtk555CZe805NsIXRLNw/CYGGjKtw UbKlTukDsb83dq9kA8ESkZM4+osBEPPut1aaNOZsHpAKd+e/OvabH61VNirwmQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064068; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=WeyZLnWTj9b2BHquSH0NnFWjb4cod1+je4r+IMcdvmw=; b=soliEuY6kO63Q1Cyqdmupd/EG3E+XjhnCW1SZBDBVGGHhKtmlb+CFrPMKFjyhoGt9SfER8 M934h+ZfGMHElVwpy/37mKAgFStNmpNxgRJ2DIuXSmjqiwW1nMJllx09gMu81dX3x55a1o Pn1NF2On/Nv5f6ckf8meCzUdj3BfeXwCFrI/zQLivtUY4qNnbXQVJ9La4SOdzrjsXyH9SV dtrCclTEC1w8dmOqmS2KeyLfy5xjIjWjBg0B6ptoWk86lWPr4FP4AxpqwYLVRfepo7DSId XSlAHRgMNycT/OJ5/e5tob4K8pDiAzv1AZ2DRIk6VQzKlIxlXQ175K1eoWPeHg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZsX45qV0z14PK for ; Wed, 10 Jun 2026 04:01:08 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 27b9e by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 04:01:08 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kyle Evans Subject: git: 800c4034d201 - stable/14 - kern: ofw: provide ofw_bus_destroy_iinfo to teardown interrupt-map List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 800c4034d201034345be462de6f2f9178971fd92 Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 04:01:08 +0000 Message-Id: <6a28e184.27b9e.4b268298@gitrepo.freebsd.org> The branch stable/14 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=800c4034d201034345be462de6f2f9178971fd92 commit 800c4034d201034345be462de6f2f9178971fd92 Author: Kyle Evans AuthorDate: 2026-05-09 02:42:50 +0000 Commit: Kyle Evans CommitDate: 2026-06-10 04:00:48 +0000 kern: ofw: provide ofw_bus_destroy_iinfo to teardown interrupt-map For symmetry with ofw_bus_setup_iinfo, the next commits will use it to properly cleanup on failure in bcm2838_pci. Reviewed by: andrew (cherry picked from commit b230a7b9a52c0fc948f4f1dcd1225a94674073f6) --- sys/dev/ofw/ofw_bus_subr.c | 12 ++++++++++++ sys/dev/ofw/ofw_bus_subr.h | 1 + 2 files changed, 13 insertions(+) diff --git a/sys/dev/ofw/ofw_bus_subr.c b/sys/dev/ofw/ofw_bus_subr.c index a21c5fa2735b..adc5ccdf1869 100644 --- a/sys/dev/ofw/ofw_bus_subr.c +++ b/sys/dev/ofw/ofw_bus_subr.c @@ -349,6 +349,18 @@ ofw_bus_setup_iinfo(phandle_t node, struct ofw_bus_iinfo *ii, int intrsz) } } +void +ofw_bus_destroy_iinfo(struct ofw_bus_iinfo *ii) +{ + + if (ii->opi_imapsz > 0) { + OF_prop_free(ii->opi_imapmsk); + ii->opi_imapsz = 0; + } + + OF_prop_free(ii->opi_imap); +} + int ofw_bus_lookup_imap(phandle_t node, struct ofw_bus_iinfo *ii, void *reg, int regsz, void *pintr, int pintrsz, void *mintr, int mintrsz, diff --git a/sys/dev/ofw/ofw_bus_subr.h b/sys/dev/ofw/ofw_bus_subr.h index 1a33d7655f77..2e13f29a67f6 100644 --- a/sys/dev/ofw/ofw_bus_subr.h +++ b/sys/dev/ofw/ofw_bus_subr.h @@ -86,6 +86,7 @@ bus_get_device_path_t ofw_bus_gen_get_device_path; /* Routines for processing firmware interrupt maps */ void ofw_bus_setup_iinfo(phandle_t, struct ofw_bus_iinfo *, int); +void ofw_bus_destroy_iinfo(struct ofw_bus_iinfo *); int ofw_bus_lookup_imap(phandle_t, struct ofw_bus_iinfo *, void *, int, void *, int, void *, int, phandle_t *); int ofw_bus_search_intrmap(void *, int, void *, int, void *, int, void *, From nobody Wed Jun 10 04:01:09 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZsX63Drlz6gv4s for ; Wed, 10 Jun 2026 04:01:10 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZsX620BBz3w87 for ; Wed, 10 Jun 2026 04:01:10 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064070; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ssbL/A1jMOVS7Z+GuzWsMpIIutIy4hfrRhY16LIyuJo=; b=RC0Hh0160P4ri4x82nvhGD+1kUqCW6Q79N9txMDTmvZp7j47p594P0Ze0MHJiTee1N/4xc GIodMHiTI9tVX3dRwf/2M0H5ujxjVMf2jRE821lPYPDqw01I9XDLZY+SkdSnasSmugtiDN ynm3fcQoGvDEmKdGJ/Py9lnOJCdKwcB0dkzECCakb0trvjkQWXu1cbYSpGd37mxhLFlYWb U7NaUtHfG4LnF61FEVtQZeG46ka2K6odzW/0KLHSxyw3bCISi6uydZKZHOf+xyoa4RQgDX adR2dc/64127vqbWd5nH9KChUofrV0gfoxHhkyJwO77bzCinqU7EOSSjX3aUEg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781064070; a=rsa-sha256; cv=none; b=L46Vh/TDt1IAXcwcgcDuqEUyUL9YhzqBZ2EQW6ZCPTsL+vzqKDI7aq7PUlecoztVJ6DXx9 RxZRRTHrQeuMYT+lnv3/vlYL9zMKyPYOYw6K8toJrQIQC63u2zFT3M6NrQ+9AfWtyMI3tf NIJohgOTKjwOj9QFRTRAZ7F1TIn5zwpDi+XgsIR10oeZdkx03+5ah2AYXCbBgtKyDUrvNi fZv7QRg1PJsAc1jHeZEkaG1GKe3kzSa+56O92rVrBWjeDmfmy5geyJgobUu5q8afXfn7sI BD4QdRcmnf68bthzcrVVZT4GLR+ZDT2uuk3jXc2PuXvKGspYwd+W7Y2dPYNXkA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064070; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ssbL/A1jMOVS7Z+GuzWsMpIIutIy4hfrRhY16LIyuJo=; b=hIxDe8WO5KM1V2mN3/LuczXX2s38I8TNuGQBKOJ1OTrln2xx/yACqLlFd67u+aFUv56b5p A1qrN0ERAD/vimcAAOs5rRLeU5kxzynuBS53FDtxWCO5Ec4U53KGIMBjFr+qtAEvNLXLek Hgk/grswUjk9xO+1Th/X6imuMOvQcfZEialY2qSf2I7wJ2ETALskvOWSzYKY8eJase88st RXw9l1W09vikSX7nx0zpPLly8GrdjqpJrMDhp+3rWUD38T+FTH2vQT8qvrD+akI93le4Lj qK3QcpN9pdOS4d0BF5ot8Ps/42whq73QWGlMfkNUAeoKS2//o8rIcXofZnUVQQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZsX56Bl5z14PL for ; Wed, 10 Jun 2026 04:01:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 2645e by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 04:01:09 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kyle Evans Subject: git: 1f7337264f7d - stable/14 - pci: pci_host_generic: provide cleanup methods outside of detach List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 1f7337264f7d03578f8f16dc84b1707639cc7116 Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 04:01:09 +0000 Message-Id: <6a28e185.2645e.63ef8b71@gitrepo.freebsd.org> The branch stable/14 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=1f7337264f7d03578f8f16dc84b1707639cc7116 commit 1f7337264f7d03578f8f16dc84b1707639cc7116 Author: Kyle Evans AuthorDate: 2026-05-09 02:46:24 +0000 Commit: Kyle Evans CommitDate: 2026-06-10 04:00:48 +0000 pci: pci_host_generic: provide cleanup methods outside of detach If device_attach() fails, we're expected to actually cleanup after ourselves because device_detach() will not be called. Factor out the cleanup bits that don't rely on attach having actually succeeded so that we can cleanup properly in bcm2838_pci. Reviewed by: andrew, imp (cherry picked from commit 31a94ec32b53ebf6227bc868ce4f7aa07650680d) --- sys/dev/pci/pci_host_generic.c | 15 +++++++++++---- sys/dev/pci/pci_host_generic.h | 1 + sys/dev/pci/pci_host_generic_fdt.c | 19 +++++++++++++++++++ sys/dev/pci/pci_host_generic_fdt.h | 1 + 4 files changed, 32 insertions(+), 4 deletions(-) diff --git a/sys/dev/pci/pci_host_generic.c b/sys/dev/pci/pci_host_generic.c index 0fa663c12a56..600aa7bed7f9 100644 --- a/sys/dev/pci/pci_host_generic.c +++ b/sys/dev/pci/pci_host_generic.c @@ -250,15 +250,22 @@ err_resource: int pci_host_generic_core_detach(device_t dev) { - struct generic_pcie_core_softc *sc; - int error, rid, tuple; - - sc = device_get_softc(dev); + int error; error = bus_generic_detach(dev); if (error != 0) return (error); + return (pci_host_generic_core_free(dev)); +} + +int +pci_host_generic_core_free(device_t dev) +{ + struct generic_pcie_core_softc *sc; + int rid, tuple; + + sc = device_get_softc(dev); for (tuple = 0; tuple < MAX_RANGES_TUPLES; tuple++) { rid = sc->ranges[tuple].rid; if (sc->ranges[tuple].size == 0) { diff --git a/sys/dev/pci/pci_host_generic.h b/sys/dev/pci/pci_host_generic.h index 2d15f06890db..ad2b55c29a7f 100644 --- a/sys/dev/pci/pci_host_generic.h +++ b/sys/dev/pci/pci_host_generic.h @@ -94,6 +94,7 @@ DECLARE_CLASS(generic_pcie_core_driver); int pci_host_generic_core_attach(device_t); int pci_host_generic_core_detach(device_t); +int pci_host_generic_core_free(device_t); struct resource *pci_host_generic_core_alloc_resource(device_t, device_t, int, int *, rman_res_t, rman_res_t, rman_res_t, u_int); int pci_host_generic_core_release_resource(device_t, device_t, int, int, diff --git a/sys/dev/pci/pci_host_generic_fdt.c b/sys/dev/pci/pci_host_generic_fdt.c index 05e77f46032f..b0ae82a67292 100644 --- a/sys/dev/pci/pci_host_generic_fdt.c +++ b/sys/dev/pci/pci_host_generic_fdt.c @@ -104,6 +104,25 @@ generic_pcie_fdt_probe(device_t dev) return (ENXIO); } +void +pci_host_generic_destroy_fdt(device_t dev) +{ + struct generic_pcie_fdt_softc *sc; + struct pci_ofw_devinfo *di; + + sc = device_get_softc(dev); + while (!STAILQ_EMPTY(&sc->pci_ofw_devlist)) { + di = STAILQ_FIRST(&sc->pci_ofw_devlist); + STAILQ_REMOVE_HEAD(&sc->pci_ofw_devlist, pci_ofw_link); + + ofw_bus_gen_destroy_devinfo(&di->di_dinfo); + free(di, M_DEVBUF); + } + + ofw_bus_destroy_iinfo(&sc->pci_iinfo); + (void)pci_host_generic_core_free(dev); +} + int pci_host_generic_setup_fdt(device_t dev) { diff --git a/sys/dev/pci/pci_host_generic_fdt.h b/sys/dev/pci/pci_host_generic_fdt.h index cc6e575f6056..790f781b23f0 100644 --- a/sys/dev/pci/pci_host_generic_fdt.h +++ b/sys/dev/pci/pci_host_generic_fdt.h @@ -46,6 +46,7 @@ DECLARE_CLASS(generic_pcie_fdt_driver); struct resource *pci_host_generic_alloc_resource(device_t, device_t, int, int *, rman_res_t, rman_res_t, rman_res_t, u_int); int pci_host_generic_setup_fdt(device_t); +void pci_host_generic_destroy_fdt(device_t); int pci_host_generic_fdt_attach(device_t); int generic_pcie_get_id(device_t, device_t, enum pci_id_type, uintptr_t *); From nobody Wed Jun 10 04:01:09 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZsX63FLwz6gv4v for ; Wed, 10 Jun 2026 04:01:10 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZsX56HzHz3wGc for ; Wed, 10 Jun 2026 04:01:09 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064069; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ZOw81gdieOO+3Q2tdRBNJ78ti7ubUtrt6rMF1E030vM=; b=SsQI0xlX03IYff4LBQkz0kYf5EHif2kw3MuUq3vPOqI8yh2GVeyFXvIaVmV+TcK08bz1Kb 19UoETZ3elIASX7a+ykS952UqwBr8OHB/r8m3CIUEftPlgGE94+o8dVWJZGCtSlsWE/LDJ zd24vFTps5BRu2G5fOuaM6BT1mQ+jg0ts/syhBaR+vvFzdYGLZQU1JCSXx6qkwui25PNxl UMbQHfYUuXgvTgw89HQcjzDjdzVzn2WXzRvZjCH/HtpB9Zsg8+0QHM/nWjTzhxw7U4icsY PVLqIblhs82ogUiyQe4ycL3FqV+seCjA7mb/BIPFWG88pIebKwDfl1hCOCA66Q== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781064069; a=rsa-sha256; cv=none; b=oxEqokJVdJI6+nrJx9iAXhY3F3X2tPMYXSjcvhKdzFyJiV8ijwkJBVov8i25icu2LNHZjO 6JbqZFtr6TP9ukflUimjS0u+JqjNrFFl9vspBpOG+zIaCurU2fKVIWitwAWhbxVKEcHfjR I40wTL7qWw84MonCnJZCTQYqvkmQRta8CjKfVDJiaHjy4RLtTJeD87PZUdxOkc0JzFtPYJ S4yJd54Im6jbfpVxmnXEw0ofN1wgWed8uw34G6sZD5iqNH6IROVnCNtSYZGXE42N9ns4Pm 4hkHmEMcTsCEqJCRNw/C5hYrK1hpizWkE2mneDNiap562DhWfKEx7GRA3e84XQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064069; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ZOw81gdieOO+3Q2tdRBNJ78ti7ubUtrt6rMF1E030vM=; b=ECGW/y4zXD8qm/o+EjbQZHzKlud0mSAlERZp1EP8NZe92eJrwX2IEEKKdTz//M5SKqgxBK PESlIuFR5hFGUwzNHWKItI42UIuCdWnpNBLRXf6gCZbs2+PmYBWYpsBXnDO12AzzI918M+ ZVPxfCKduHnivqtB+/8lxx/TWemkNpxsBNOtBaE2CHvN3YK1qYror96hOhnF70R8b64Uxp 4ZPYvoJUyujJTfm5Q73wYhaP59jH6XMXNcT1YuwizzHuMcQbbkKijA7ThYJIGHH74N9/mD tmQeXYWkgpFh4SEQdX1iavTzfUZAhLHH3Jy81ddaWAVHpw+C9Dz1h5EcJ/gC9A== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZsX55rzqz13hk for ; Wed, 10 Jun 2026 04:01:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 27f04 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 04:01:09 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kyle Evans Subject: git: 4a56809bb9eb - stable/15 - ctld: kernel-sourced portal groups are not dummies List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 4a56809bb9eb59084025af83b5e3fe4e4478f143 Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 04:01:09 +0000 Message-Id: <6a28e185.27f04.7ba781d0@gitrepo.freebsd.org> The branch stable/15 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=4a56809bb9eb59084025af83b5e3fe4e4478f143 commit 4a56809bb9eb59084025af83b5e3fe4e4478f143 Author: Kyle Evans AuthorDate: 2026-04-28 20:51:50 +0000 Commit: Kyle Evans CommitDate: 2026-06-10 04:00:35 +0000 ctld: kernel-sourced portal groups are not dummies The current and historical versions of ctld would flag our initial set of kernel ports as dummies, because their portal groups were empty since portals come from the configuration on-disk. As a result, we would never try to remove a kernel port at startup that didn't exist in the configuration (possibly a feature if you wanted concurrent ctld(8)), and we would always try to port->kernel_add() on ports in the configuration (even if they actually did have an existing kernel port). Flag these portal groups as kernel groups so that we avoid trying to add ports that already exist. It may be the case that the kernel_remove() loop in conf::apply() needs to do something other than the current `oldport->is_dummy()` to avoid removing ports that it isn't supposed to be managing, but that wuld also seem to apply to LUNs that would be removed today. Reviewed by: jhb (cherry picked from commit d9c0594191f5c45d7f3c737350321ee59bfce9bf) --- usr.sbin/ctld/ctld.cc | 15 +++++++++++++++ usr.sbin/ctld/ctld.hh | 2 ++ usr.sbin/ctld/kernel.cc | 4 ++++ 3 files changed, 21 insertions(+) diff --git a/usr.sbin/ctld/ctld.cc b/usr.sbin/ctld/ctld.cc index 331c029e282e..6ec64cc253d6 100644 --- a/usr.sbin/ctld/ctld.cc +++ b/usr.sbin/ctld/ctld.cc @@ -591,9 +591,18 @@ conf::find_transport_group(std::string_view name) return (it->second.get()); } +/* + * Foreign portal groups (which only redirect to other targets), and portal + * groups without any active portals are considered dummies and ports belonging + * to such groups are ignored. However, portal groups that exist in the kernel + * prior to ctld starting will contain real ports but no portals, so these are + * never considered dummies. + */ bool portal_group::is_dummy() const { + if (pg_kernel) + return (false); if (pg_foreign) return (true); if (pg_portals.empty()) @@ -710,6 +719,12 @@ portal_group::set_foreign() pg_foreign = true; } +void +portal_group::set_kernel() +{ + pg_kernel = true; +} + bool portal_group::set_offload(const char *offload) { diff --git a/usr.sbin/ctld/ctld.hh b/usr.sbin/ctld/ctld.hh index 3bf18f6a32c0..2e1ee7869ceb 100644 --- a/usr.sbin/ctld/ctld.hh +++ b/usr.sbin/ctld/ctld.hh @@ -220,6 +220,7 @@ struct portal_group { bool set_dscp(u_int dscp); virtual bool set_filter(const char *str) = 0; void set_foreign(); + void set_kernel(); bool set_offload(const char *offload); bool set_pcp(u_int pcp); bool set_redirection(const char *addr); @@ -248,6 +249,7 @@ protected: enum discovery_filter pg_discovery_filter = discovery_filter::UNKNOWN; bool pg_foreign = false; + bool pg_kernel = false; bool pg_assigned = false; std::list pg_portals; std::unordered_map pg_ports; diff --git a/usr.sbin/ctld/kernel.cc b/usr.sbin/ctld/kernel.cc index f2bdf53bd3ee..d1210079ca1a 100644 --- a/usr.sbin/ctld/kernel.cc +++ b/usr.sbin/ctld/kernel.cc @@ -483,6 +483,8 @@ add_iscsi_port(struct kports &kports, struct conf *conf, log_warnx("Failed to add portal-group \"%s\"", pg_name); return; } + + pg->set_kernel(); } pg->set_tag(port.cfiscsi_portal_group_tag); if (!conf->add_port(targ, pg, port.port_id)) { @@ -520,6 +522,8 @@ add_nvmf_port(struct conf *conf, const struct cctl_port &port, tg_name); return; } + + pg->set_kernel(); } pg->set_tag(port.portid); if (!conf->add_port(targ, pg, port.port_id)) { From nobody Wed Jun 10 04:01:10 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZsX72KgZz6gvX7 for ; Wed, 10 Jun 2026 04:01:11 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZsX66y4Lz3wGk for ; Wed, 10 Jun 2026 04:01:10 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064071; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=QF8lLSfRPZvN9j7j0gqtfuKXzFN+eJYq1UwaqmRAEVM=; b=t0mfoNiZRz+Pnjivf6N1VHCG9TSHVFgZzwDSs3yGe5cI91ei4B1n5VyNeS8UOyp5bN03NX Q+p6AhJ9zCUwgfjSgdTpl1jqYti26zze+HsWw2BcFX2Ya8WVer9KDhRZzzZ31iHWrGnCVG LjfxeyzG25Ef7YoGXoX8SISWrDt3v0fCPZMg9nDQNVcib/Ww07KPxBbYlw8B/CBzEcIRzb ux7dE3MhgLdw8jjmcE9rFGDKYWWs9r1i7D0CQZ3r58i4lA2J238QEPtHoykqDs0sTf8ieK NYIg7ZckFGUFLV9+HgaPcd5OddZ9qqgPlXCnlwKHiDQaUh98HSWRMOMm27347g== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781064071; a=rsa-sha256; cv=none; b=lUnIPKPkxsPvzuWOsII5t207Em027Y46XTkgqbS6lLX90IvXICGUx6fwrzxjg+zy6Y8Q+t GRe8kJiJ7WljkPuvZtK4em4n8fXz558vXutb1LP8eIog5i2zf4gtz1K9kr8NVydvuiTmgw N+xIspIxt2l05oTh56F21CRfUuiybjeXnxobVMJtpDfsrxTn/+dCpJEmU7jKBUEDjK9HM/ HeNRKo5QehZMRo9T237Z9b0PkoVe+rtw6d/aIwDh2JJm77HM+ndeh/UwS0zY+I9NW35Ma4 jBQMWPzKJCRxpqSJ+Y+vBUfv3jOUjLVWpZk31mKsmYjWRzZZvmoHD5pO1zgEmA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064071; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=QF8lLSfRPZvN9j7j0gqtfuKXzFN+eJYq1UwaqmRAEVM=; b=EJUqgvs6OnjBuhEG5CwB3V4ysfJbYZf7zurybP9VoOVbiBeh+UcJ+Bmog/cbHIUpHQ3O9b L6tERYWLpw0WFFFct9dQ9iEha3puq7b2JgbY6K8lL+WYgFa+IhL1y86MOcjwH7FbpTKnvj uWU0bElhbe36z/b6N3wfF2ogXP4wTdCBT6t2OL/CKLk31FaoozNSOkTrzKfrjuLv2Lir+R n+mzL9n3lUBm+z/V+i0yBln9UyJSveQMweNzW3D99mU24slHd9Jf5jeCwyVYjEcEp4EIl1 0msif67Nuw+5V208tGKsSF7XCbVTnLz8PhUHiXszMbouS5KmBEL7Aaar0AMOug== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZsX66WBcz143B for ; Wed, 10 Jun 2026 04:01:10 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 264d0 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 04:01:10 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Chris Longros From: Kyle Evans Subject: git: 2edb8d4f60cd - stable/15 - cron: log when a crontab path is too long List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 2edb8d4f60cd66979c0b8a76c2ccbc33dac462ad Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 04:01:10 +0000 Message-Id: <6a28e186.264d0.44a55788@gitrepo.freebsd.org> The branch stable/15 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=2edb8d4f60cd66979c0b8a76c2ccbc33dac462ad commit 2edb8d4f60cd66979c0b8a76c2ccbc33dac462ad Author: Chris Longros AuthorDate: 2026-04-29 04:06:29 +0000 Commit: Kyle Evans CommitDate: 2026-06-10 04:00:35 +0000 cron: log when a crontab path is too long Log via syslog when snprintf truncates the crontab path, instead of silently skipping the entry. Signed-off-by: Christos Longros Reviewed by: bcr, kevans (cherry picked from commit 91bfba010bcda665cc24a76af631cc85fcb0c688) --- usr.sbin/cron/cron/cron.8 | 11 +++++++++-- usr.sbin/cron/cron/database.c | 6 ++++-- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/usr.sbin/cron/cron/cron.8 b/usr.sbin/cron/cron/cron.8 index 23a295393df5..f1a6a30d4cb5 100644 --- a/usr.sbin/cron/cron/cron.8 +++ b/usr.sbin/cron/cron/cron.8 @@ -19,7 +19,7 @@ .\" .\" $Id: cron.8,v 1.2 1998/08/14 00:32:36 vixie Exp $ .\" -.Dd January 20, 2026 +.Dd April 29, 2026 .Dt CRON 8 .Os .Sh NAME @@ -227,7 +227,14 @@ configuration file for .It Pa /usr/local/etc/cron.d Directory for third-party package provided crontab files. .It Pa /var/cron/tabs -Directory for personal crontab files +Directory for personal crontab files. +Internally the daemon constructs the relative path +.Pa tabs/ Ns Ar filename , +which must fit within +.Dv MAXNAMLEN +bytes; in practice this allows filenames up to 250 bytes. +Longer entries are skipped and a diagnostic is logged via +.Xr syslog 3 . .El .Sh SEE ALSO .Xr crontab 1 , diff --git a/usr.sbin/cron/cron/database.c b/usr.sbin/cron/cron/database.c index 35e5fad3524d..234b5ef7fdd6 100644 --- a/usr.sbin/cron/cron/database.c +++ b/usr.sbin/cron/cron/database.c @@ -166,8 +166,10 @@ load_database(cron_db *old_db) fname[sizeof(fname)-1] = '\0'; if (snprintf(tabname, sizeof tabname, CRON_TAB(fname)) - >= sizeof(tabname)) - continue; /* XXX log? */ + >= (int)sizeof(tabname)) { + log_it("CRON", getpid(), "TABNAME TOO LONG", fname); + continue; + } process_crontab(fname, fname, tabname, &statbuf, &new_db, old_db); From nobody Wed Jun 10 04:01:11 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZsX83Tn6z6gv5m for ; Wed, 10 Jun 2026 04:01:12 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZsX80HqGz3wBq for ; Wed, 10 Jun 2026 04:01:12 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064072; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=zckJBWbMqahYmX9hWz/xf8OHOw+H5dpyu3EmcV3JCBc=; b=WpG0Q7wS01mbFFXy0uiOnYE/dtUHEBfyeLOjS/+Cw5TJigBPwZIZfuBg/fYKruWqW1fHUh ruU9bO91U2Oc+vABhfb3R6s5XPAomFCaiI4xCzQoic3E7woDLLVoH+0A1UWiRD9SjPmCGT nO4tryWYEbiW/5hxll3RT3HxrFC60oBA52l4syWHNxfaJolXn8eRcDjGzkfjF3KDtm7KRd CvRkmpPUz62PrGNVZ9qDA7F4zJK0dCoYUb9ZTpBpWy//6C27nY2zJtI9y/yCuEv+BOed+p RqqUXGey2EtS/VJYM+VrRaOz5coq8JMg6qkWnoCaNGBuOlo4OoQZIKDXNNd70Q== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781064072; a=rsa-sha256; cv=none; b=VTLMekowmWwRPQKDeVq5PnXC5MCsJ1IJ6ZBpVN1LmtDPdB3Qm42Fv13ODEkgLnPRxxse9o gazD0aqLfz+YlCTmMUbr9bYxlP6su0v4cO5xUAfK/LZ2F1xrZmLLkPwTwr8GdK90Xcv1hg xqWkAr0w5CheRdjLgM+NrMRnmkmFoHgZVhHeIiB0htvZNx+mHXEOXGq9V64zdpGu4fM29r xImLJNJqzvbHvD4T/NrQpctGcJ3Qwcq3qAS9TCMBvpUsPng/j/5xa/kCjxkjmBuQ4RM7WR pE11shk80tOEvrXrXUS76iGoG2yBo8DPxKdp4SRQD/RR36NaSROLhuX8ufcXXQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064072; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=zckJBWbMqahYmX9hWz/xf8OHOw+H5dpyu3EmcV3JCBc=; b=MzRFJs7ILWcqURGhWIlm0gDUhmoeAGOyfFx59ZzSnpu5f027ClKBk1gJ9rsW2ZwIbOPQ6n rOxXPGfqVEJjKzZsi2kVEe0H0LzR219srPnbzmtiZ6U+S5iHSNeshseZJDW+tiiWC0DSuz mTGioTNFvqgRrgrSvrdo49xqvW3sZSDiYUMnSDzyBcRFy3c/3NaSAsQ9fzBlk29xKut4KH JXcKDw2BUEFYBS80L/qEfwnB2+Gcwr2imFgc3J0t4BROEGQAdNWpn+CNLpPj1hUE1F1tvo Xm3HYmCD5ibxGQoKPtGuYdkV+J0bKNR3+06R/hpu68XfeQESPjJu76SadjvFxg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZsX76tWgz14dj for ; Wed, 10 Jun 2026 04:01:11 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 27a0e by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 04:01:11 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kyle Evans Subject: git: bddfcbd9bbc6 - stable/14 - lualoader: add be-list and be-switch commands List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: bddfcbd9bbc68fe11ce53954b7f82584cd5ee40b Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 04:01:11 +0000 Message-Id: <6a28e187.27a0e.37b163a6@gitrepo.freebsd.org> The branch stable/14 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=bddfcbd9bbc68fe11ce53954b7f82584cd5ee40b commit bddfcbd9bbc68fe11ce53954b7f82584cd5ee40b Author: Kyle Evans AuthorDate: 2026-06-04 13:57:16 +0000 Commit: Kyle Evans CommitDate: 2026-06-10 04:00:49 +0000 lualoader: add be-list and be-switch commands This is useful for driving BE changes from the loader command prompt, rather than having to use the menu. Note that the active carousel in the boot environment carousel doesn't currently reflect a switch in boot environments done this way- I'm considering this only a minor bug, as you probably can't or won't go back to the menu if you're using these commands. Reviewed by: imp (previous version) (cherry picked from commit c7ff706b31c22f10c2403869c46b443448da3e08) --- stand/lua/cli.lua | 23 +++++++++++++++++++++++ stand/lua/core.lua | 43 +++++++++++++++++++++++++++++++++++++++++++ stand/lua/core.lua.8 | 17 ++++++++++++++++- stand/lua/menu.lua | 7 +------ stand/man/loader.8 | 15 ++++++++++++++- 5 files changed, 97 insertions(+), 8 deletions(-) diff --git a/stand/lua/cli.lua b/stand/lua/cli.lua index 6832da0a31a5..a405baba9468 100644 --- a/stand/lua/cli.lua +++ b/stand/lua/cli.lua @@ -172,6 +172,29 @@ cli["disable-module"] = function(...) setModule(argv[1], false) end +cli['be-list'] = function(...) + local _, argv = cli.arguments(...) + if #argv ~= 0 then + print("usage error: be-list") + return + end + + for _, bootenv in core.bootenvIter() do + print(bootenv) + end +end + +cli['be-switch'] = function(...) + local _, argv = cli.arguments(...) + if #argv == 0 then + print("usage error: be-switch beName") + return + end + + local env = argv[1] + core.switchBE(env) +end + cli["toggle-module"] = function(...) local _, argv = cli.arguments(...) if #argv == 0 then diff --git a/stand/lua/core.lua b/stand/lua/core.lua index 4091f446e1f1..16825d560094 100644 --- a/stand/lua/core.lua +++ b/stand/lua/core.lua @@ -312,6 +312,21 @@ function core.bootenvFilter(func) return oldf end +function core.bootenvIter() + local envs = core.bootenvList() + + if #envs ~= 0 then + local root = "zfs:" .. loader.getenv("zfs_be_root") .. "/" + + for idx, bespec in ipairs(envs) do + bespec = bespec:gsub("^" .. root, "") + envs[idx] = bespec + end + end + + return next, envs, nil +end + function core.bootenvList() local bootenv_count = tonumber(loader.getenv(bootenv_list .. "_count")) local bootenvs = {} @@ -565,6 +580,34 @@ function core.nextConsoleChoice() end end +function core.switchBE(env) + -- This branch will most likely be taken by the switch-be CLI command, + -- not by the menu. We could do some more validation that it's a valid + -- BE and let the user fully specify a zfs:be/dataset to avoid the + -- validation, but this isn't done at the moment. + if not env:match("^zfs:") then + local root = loader.getenv("zfs_be_root") + + if not root then + print("ZFS BE root not available -- no action taken") + return + end + + if not env:match("^" .. root) then + env = "zfs:" .. root .. "/" .. env + else + env = "zfs:" .. env + end + end + + loader.setenv("vfs.root.mountfrom", env) + loader.setenv("currdev", env .. ":") + config.reload() + if loader.getenv("kernelname") ~= nil then + loader.perform("unload") + end +end + -- The graphical-enabled loaders have unicode drawing character support. The -- text-only ones do not. We check the old and new bindings for term_drawrect as -- a proxy for unicode support, which will work on older boot loaders as well diff --git a/stand/lua/core.lua.8 b/stand/lua/core.lua.8 index 325320b2fce8..5cb2b46bd9d1 100644 --- a/stand/lua/core.lua.8 +++ b/stand/lua/core.lua.8 @@ -24,7 +24,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd April 8, 2026 +.Dd June 4, 2026 .Dt CORE.LUA 8 .Os .Sh NAME @@ -175,6 +175,12 @@ returns true, then the boot environment is retained in the list. Otherwise, the boot environment is hidden. The old filter, if any, is returned to allow the caller to compose a filter on top of another filter. +.It Fn core.bootenvIter +Returns an iterator over the known boot environment list. +The returned boot environment names do not include the boot environmnt root, +which would need to be added back on from the +.Ev zfs_be_root +environment variable. .It Fn core.bootenvList Returns a table of boot environments, or an empty table. These will be picked up using the @@ -229,6 +235,15 @@ If there are no elements, this returns nil and nil. If there is one element, this returns the front element and an empty table. This will not operate on truly associative tables; numeric indices are required. +.It Fn core.switchBE beName +Switch to the requested +.Fa beName . +It may be either be formatted as a fully-qualified loader dataset path +.Dq zfs:pool/ROOT/beName , +or like one of +.Dq pool/ROOT/beName +or +.Dq beName . .It Fn core.loaderTooOld Returns true if the loader is too old. Specifically, this means, is the loader old enough to require one or more diff --git a/stand/lua/menu.lua b/stand/lua/menu.lua index 2d92be3b7c6e..a5491aca3560 100644 --- a/stand/lua/menu.lua +++ b/stand/lua/menu.lua @@ -53,12 +53,7 @@ local function OnOff(str, value) end local function bootenvSet(env) - loader.setenv("vfs.root.mountfrom", env) - loader.setenv("currdev", env .. ":") - config.reload() - if loader.getenv("kernelname") ~= nil then - loader.perform("unload") - end + core.switchBE(env) end local function multiUserPrompt() diff --git a/stand/man/loader.8 b/stand/man/loader.8 index 484e0a7b300c..e35414049e23 100644 --- a/stand/man/loader.8 +++ b/stand/man/loader.8 @@ -26,7 +26,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd November 14, 2025 +.Dd June 4, 2026 .Dt LOADER 8 .Os .Sh NAME @@ -97,6 +97,19 @@ and .Pp .Bl -tag -width indent -compact .\" sort the following entries according to the second field +.It Ic be-list +Lists the boot environments that are visible to +.Nm . +The listed names may be used directly with +.Ic be-switch . +.It Ic be-switch Ar beName +Switch to the +.Ar beName +boot environment. +The +.Nm +configuration will be reloaded from the new root, and any previously loaded +kernel and modules will be immediately unloaded. .It Ic boot-conf Load the .Nm From nobody Wed Jun 10 04:01:11 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZsX83Rp3z6gvHs for ; Wed, 10 Jun 2026 04:01:12 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZsX80rJ2z3wFB for ; Wed, 10 Jun 2026 04:01:12 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064072; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=BSFguV6Tm064NtEG3uEiaL7fesz/Z86Za38lrvgDdN0=; b=UktGk3Yzo7S/3+1+6XkSlRAqDAEuHohKK3QeQiV5lDFkKU+foDPG7+rSky21a+DUoSJVgu xPv2kNf8GYgr/iMkb4i1sfG1K45Qwp6WNjE9PvUdepG70k5Lql/cEEGfTdU9n7irbxvWMM YxxQOfc0HaSN0LgknPmWewfk0rmIbVIhMMjZZ/GrYFaNPTcK/TEE+biDIeSw09RXPEaer8 TwiyfkP+TpA5IvPJFK657k6bCbwFm6MgURJkSahgrCv0jEIU583QcqA4ztUGKSkR4ZOMj0 aoRrTIxWJD4ak5Z7Dmu6Fm0Ba83gZxdLBWfRFphx+gg3g0ntRM4bM5h+eunfog== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781064072; a=rsa-sha256; cv=none; b=UekQxlQgOlTVcfeKw3QAx/y8xjmkFXGiWX4ntcz7cgFTishb2oo2H3oEqAypzJ1KtqRdHC Vf2FPzwTQET+UCDWh1DnDZeTKJ7cu13PLmQ3Pi6gzVTyXOlehJJYqysRNSYybOpU7aRUES MCTKTE1a6MGPljWnSIFo2XYnEgPWoWohfXTni0+oKkMPQZzM2bNIiKuM14K01xvsDrqNcI eRb/yg7HghqdFxLEMzOPLUQz9v9LRY/mpGhsBSM0JqKAuvqxwlS6L2s9hkoPKdThug5DHi qNFdOeYHOMGbHoS1VxR8Bt0qvXzkc3v5q/Db7VqJEl7806VhDUxzBEBrJjhN6g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064072; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=BSFguV6Tm064NtEG3uEiaL7fesz/Z86Za38lrvgDdN0=; b=comdgh1LrL19bwCfDCuivUoJ6KQyZylhrRL4xbiB16vNzGb0kZzNR8I7rRhPLbtqK4zNbO y4PaA0C5GlMK3DP7xmdxC1Yp6tszUIWQDHOsZCOuZ9WcURkfI3TaftVUj9PLj2PBexKeV4 i2A95rFjSL/svwIwGJm+Yyq7a28OIeYrnw6/cOI0EkrHS8Vm3mHgI4gecwm9usVZlZks/+ 0WSkqnfysuyKZq0KndbMRe8LjpgneygR78eTZnZksIwr9aCA/09DRK7dA0ZadObBwqA9Jj yP2xP+vCnOWG4Q2SJ3VwBERqCVWaRBbNkTh1bqWcNAWCY/nuFm30s0cc0XlgXw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZsX76r4tz143L for ; Wed, 10 Jun 2026 04:01:11 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 25e6b by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 04:01:11 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kyle Evans Subject: git: 52e2e6bfc31a - stable/15 - ssp: fix our gets_s implementation under _FORTIFY_SOURCE List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 52e2e6bfc31a54e53109978434bc8c43005aa367 Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 04:01:11 +0000 Message-Id: <6a28e187.25e6b.65fd6282@gitrepo.freebsd.org> The branch stable/15 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=52e2e6bfc31a54e53109978434bc8c43005aa367 commit 52e2e6bfc31a54e53109978434bc8c43005aa367 Author: Kyle Evans AuthorDate: 2026-05-01 02:57:51 +0000 Commit: Kyle Evans CommitDate: 2026-06-10 04:00:35 +0000 ssp: fix our gets_s implementation under _FORTIFY_SOURCE Annex K specifies an interface for handling constraint violations from gets_s, but we previously broke this for some classes of get_s misuse. Provide a more nuanced version that tries to dodge errors that would trigger a constraint handler while still providing value. Notably, we don't want to trigger a failure unless the passed-in length reasonably fits within an RSIZE_MAX, because gets_s will immediately call larger lengths bogus and fail. PR: 294881 Reviewed by: markj (cherry picked from commit d98f4f0698ef0c5178882c544b4c38542d4780f0) --- include/ssp/stdio.h | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/include/ssp/stdio.h b/include/ssp/stdio.h index 630683951e4b..17bda8d3ee2d 100644 --- a/include/ssp/stdio.h +++ b/include/ssp/stdio.h @@ -36,6 +36,10 @@ #include +#if __SSP_FORTIFY_LEVEL > 0 && __EXT1_VISIBLE +#include +#endif + __BEGIN_DECLS #if __SSP_FORTIFY_LEVEL > 0 #if __POSIX_VISIBLE @@ -51,7 +55,31 @@ __ssp_redirect(size_t, fread, (void *__restrict __buf, size_t __len, __ssp_redirect(size_t, fread_unlocked, (void *__restrict __buf, size_t __len, size_t __nmemb, FILE *__restrict __fp), (__buf, __len, __nmemb, __fp)); #if __EXT1_VISIBLE -__ssp_redirect(char *, gets_s, (char *__buf, rsize_t __len), (__buf, __len)); +__ssp_redirect_raw_impl(char *, gets_s, gets_s, + (char *buf, rsize_t len)) +{ + char *retbuf; + size_t bufsz; + int need_fail = 0; + + /* + * If we would have overwritten our buffer, we want to fail the check + * only if these arguments wouldn't have triggered a constraint + * violation. + */ + bufsz = __ssp_bos(buf); + if (bufsz != (size_t)-1 && (size_t)len > bufsz) { + if (len <= RSIZE_MAX) + __chk_fail(); + need_fail = 1; + } + + retbuf = __ssp_real(gets_s)(buf, len); + if (need_fail && retbuf != NULL) + __chk_fail(); + return (retbuf); +} + #endif /* __EXT1_VISIBLE */ __ssp_redirect_raw(char *, tmpnam, tmpnam, (char *__buf), (__buf), 1, __ssp_bos, L_tmpnam); From nobody Wed Jun 10 04:01:10 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZsX751W3z6gv8S for ; Wed, 10 Jun 2026 04:01:11 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZsX72bT9z3vy0 for ; Wed, 10 Jun 2026 04:01:11 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064071; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=CR9mSDgO7eyEr0N+5kN/G0CTZi1gL5VtxxPz8wj0br8=; b=b7B0Fl/UR51PTkn4GJ0xY00vnrq2sW3buwXKKPqDp+OWcCadi9FmJM6pXlCqZfPwdiuX3R p+aHpCyGBFQSn/XRsw3CSMuSu+TrToCfiDaBdaTuWw1e7yqwGtaVyYaYMfqfqCbXzHPBox ++vn3UzSLRpq0seHvTW20QB3iRRwEdNe2lbM74VJ9KB6rFBMPhDqID2WmVQmbtvz+OscV0 JDK5np/r1elr9DTgvh0SI9ydRmCnzc2r8i1ds4X4XLg1azwHbCyE2zdKBkzBy5uJCC+TgW 6qjZUlfPNgw0PGFGDYYACp0yshNQxSFOHVRPqIhNcTL6TPeLVsD8Sd989U0rDA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781064071; a=rsa-sha256; cv=none; b=dC0lKxB3WYzYTfuyYGpULbsHqqEBdCEsnHuwpWVxPbTt4WKK1NkrelVPLwuHIodWcr1lC6 Exbz7s7kYQAjJadQ8E16fiom9lAEvNE2qWmlGdTn28FjfA6qB48HoG9O7x6SnU51ujIlOA HvbxMr1vygmZRB8Q2Q5lHgh+A0MOYGhnIwo1ddQc70fEgJC25Qom8NR45ynfWNxei0rWsl LL/owrlF0x+LIp+XCpY5tSd7+z/GNUdgWqQER3YMt0TLd5MvEl/tx8e6i4wbPEPohq1ikS LRRYQtnMRfKoBJHFt9/Li4Dh1smsTgpIUVfJvpGM7l/UdAC3bQLZ1bqRFGV/ag== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064071; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=CR9mSDgO7eyEr0N+5kN/G0CTZi1gL5VtxxPz8wj0br8=; b=M58Vsn+swYk/e1FCE7dKkgQomsovF1CkOBj38pBV+ntgpE4lpE1QK5mxCr3CuYMgpLOydf nSJ/Tme8M211UTNz0QWMyFjGuG8yHRPy+VZ5JQbCUUpW7mpq0IjUk+0fHfWHZ8RGUeuhoi KMPJRjXPPHTCKNicj1o2Xucxb6A/VGvBVocoqMJai4EOUjSw4JfLs3ujW+TxQ0Ip3DHCqf MsVKgutIkSKXbHidid+VAAguX1y+IMDn+/7VfHhBIYmJizm51pLkLDKNG8PQK7kECE/XZc j8qMMgfMbdCFyI9RJwv4kbW8YODcBrHrsHduM1jQx5739V2nCKAeIhZBvY10iQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZsX66YHGz143C for ; Wed, 10 Jun 2026 04:01:10 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 2676d by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 04:01:10 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kyle Evans Subject: git: f25b4d986c94 - stable/14 - pci: bcm2838: cleanup on attach failure to fix devmatch panic List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: f25b4d986c949b3e0c0e20fe5cbcc42f0f004243 Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 04:01:10 +0000 Message-Id: <6a28e186.2676d.1397815@gitrepo.freebsd.org> The branch stable/14 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=f25b4d986c949b3e0c0e20fe5cbcc42f0f004243 commit f25b4d986c949b3e0c0e20fe5cbcc42f0f004243 Author: Kyle Evans AuthorDate: 2026-05-09 02:49:35 +0000 Commit: Kyle Evans CommitDate: 2026-06-10 04:00:49 +0000 pci: bcm2838: cleanup on attach failure to fix devmatch panic Specifically on the RPi CM4, we currently don't set the controller up right and it never moves into the ready state (we don't observe the link active bit). Failure to cleanup here actually results in a panic not long after, due to a use-after-free in the rman bits. Further down in pci_host_generic, we have some rman stashed in the softc that are initialized and placed onto the rman tailq, then the softc is later freed without an rman_fini() to pull them off of the tailq properly. Note that PCIe on this board won't come up at boot without something plugged in, so it currently can't be booted with an empty slot with the intent to hotplug a supported card. Some issues with controller startup have been observed with Broadcom NICs in the wild, but no problems have been observed with other NICs and a variety of different PCIe cards. Shout-out to Vince for the extensive debugging and analysis to arrive at this conclusion. Reviewed by: andrew, imp (cherry picked from commit a05af6ddf9016e4ea4f0b361aa674e7ece6fe7ec) --- sys/arm/broadcom/bcm2835/bcm2838_pci.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/sys/arm/broadcom/bcm2835/bcm2838_pci.c b/sys/arm/broadcom/bcm2835/bcm2838_pci.c index fb3e8df783c2..a6619f4f9112 100644 --- a/sys/arm/broadcom/bcm2835/bcm2838_pci.c +++ b/sys/arm/broadcom/bcm2835/bcm2838_pci.c @@ -647,7 +647,7 @@ bcm_pcib_attach(device_t dev) error = bcm_pcib_check_ranges(dev); if (error != 0) - return (error); + goto failed; mtx_init(&sc->config_mtx, "bcm_pcib: config_mtx", NULL, MTX_DEF); @@ -681,7 +681,8 @@ bcm_pcib_attach(device_t dev) if (tries > 100) { device_printf(dev, "error: controller failed to start.\n"); - return (ENXIO); + error = ENXIO; + goto failed; } DELAY(1000); @@ -691,7 +692,8 @@ bcm_pcib_attach(device_t dev) if (!link_state) { device_printf(dev, "error: controller started but link is not " "up.\n"); - return (ENXIO); + error = ENXIO; + goto failed; } if (bootverbose) device_printf(dev, "note: reported link speed is %s.\n", @@ -742,11 +744,14 @@ bcm_pcib_attach(device_t dev) /* Configure interrupts. */ error = bcm_pcib_msi_attach(dev); if (error != 0) - return (error); + goto failed; /* Done. */ device_add_child(dev, "pci", -1); return (bus_generic_attach(dev)); +failed: + pci_host_generic_destroy_fdt(dev); + return (error); } /* From nobody Wed Jun 10 04:01:14 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZsXB4w9Jz6gvHv for ; Wed, 10 Jun 2026 04:01:14 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZsXB1Fg4z3wQ1 for ; Wed, 10 Jun 2026 04:01:14 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064074; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=x52N+jwXXC+bw98BIgFKxovGlfoSsPvX2tox5fBN/y0=; b=YMmDUVfZhGH1aQGl0oRl9oNsy2Fea2kRADc0qIiXg2+80ZN4GwFWitZDFYDugt+T45McBM cBcQj0bjrL+fCJXGTh3t+KFv14jIeijZfeQBzycMCJUuKWowxKRLuJkecNfvweoe4soL0K aiWOffCGmin3Kjjkt/oOMpqIMq4iwJnXC0PKgA6kDB3lfVwQR1czic0RhbHxpWY0+VlgDL W6PxZ4dYZ1ucW2mb205LeHiiYy6fKihROVHLlJiQRz2DZP7ek/WM7xL9zJMT9H5k0h/vb4 sFDInydgpowYvT3XTFdPudpffGadVnkcWWPPWzRQrEAA2YnQXrzvjjGCcfnjKw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781064074; a=rsa-sha256; cv=none; b=VhlGbv7vWCTnlaxqwo3zpoHThZvuWKNzqQxqRE4H0cpY8b4EOf69gWlqjZrkPnK3/7M0Ib bhBLkm/QjunCcf1FbLqKKpCGmLr76FvVV27WeUvn80haCHU5DwZm0c7LzJpbZNicJF9+2r DQxQ4SqJlkasSxIRBA5dtbOzCYKX36JkvnjwnoolU12sfDcCt4iblE0GN2McN5VPtL3J6P QjBK9YWzMHAMwWhO9JpedGRX0bsREJ2bP2QxJyHl21bgZEdhXh6QAExiqSt1NWwf+tAjR2 pIz9tCm7Acn75F0Y9aBMXNh4OOjipmPB62iB80m+6udJKL411LLYkXDg8cpSAQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064074; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=x52N+jwXXC+bw98BIgFKxovGlfoSsPvX2tox5fBN/y0=; b=ylF1LUgPAUiSJMRnHbPx0HKMno9cDF7qwudk67eOXXKOz1zhKCmbxifmPoWVe0G/QBGLkt qqL4r8m4VWGaXipGa02gikrzkLolzlrf5b8o/7NBp6k3yVEl3Gco1lbdsIH6OX+7Y/iaOH JA7a7nF5ndxazpvtLI2Su5tw/Yvm9lqrJj2apFUnlhdg+uHaNJ7DWbIXf4Vs9PWrBniQZV T2yCzJaWoGXhxD+5QRRb4AMAFKO9GjtaH7ArmYmen3hG6smgWko+IBqLHjmAOnNNfyDOyt adBGdgrlvoeQga6u0xOa+ihyhkY7m9FrjkGRPhtES4Nlaw0L5YPGhjLr+jv08w== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZsXB0d1Tz14Bp for ; Wed, 10 Jun 2026 04:01:14 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 27f0a by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 04:01:14 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Jan Bramkamp From: Kyle Evans Subject: git: a03b45d38f8f - stable/15 - jail: open the fstab files with fopen("re") List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: a03b45d38f8fc312a7a86c3ac2e4bdcbbad9f4d3 Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 04:01:14 +0000 Message-Id: <6a28e18a.27f0a.50e0b629@gitrepo.freebsd.org> The branch stable/15 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=a03b45d38f8fc312a7a86c3ac2e4bdcbbad9f4d3 commit a03b45d38f8fc312a7a86c3ac2e4bdcbbad9f4d3 Author: Jan Bramkamp AuthorDate: 2026-05-06 23:28:53 +0000 Commit: Kyle Evans CommitDate: 2026-06-10 04:00:36 +0000 jail: open the fstab files with fopen("re") This protects against accidentally leaking them past fork()+exec() in future refactorings. PR: 295052 Reviewed by: kevans (cherry picked from commit 58811b0ae096c134af372bcf475aea1d8d0e3c08) --- usr.sbin/jail/config.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr.sbin/jail/config.c b/usr.sbin/jail/config.c index f1e2da215790..188f48732561 100644 --- a/usr.sbin/jail/config.c +++ b/usr.sbin/jail/config.c @@ -726,7 +726,7 @@ check_intparams(struct cfjail *j) TAILQ_FOREACH(s, &j->intparams[IP_MOUNT_FSTAB]->val, tq) { if (s->len == 0) continue; - f = fopen(s->s, "r"); + f = fopen(s->s, "re"); if (f == NULL) { jail_warnx(j, "mount.fstab: %s: %s", s->s, strerror(errno)); From nobody Wed Jun 10 04:01:13 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZsX92L0Zz6gv8F for ; Wed, 10 Jun 2026 04:01:13 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZsX90YGjz3w8b for ; Wed, 10 Jun 2026 04:01:13 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064073; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Z8po+mgQdZR+TxkhJ3J11CspPwlDX7/cCkvKV7kKvgw=; b=Ls26iibkRXoMAKtJgwm+/ZZ+gTdKCKNfm2Hqf7vtP1LI6RRoeK5dzlmL29x+0LcPsx3eQ7 yIyRanJ2B0HPIkUua4zZ0uYiXziZGeqU6ntx2qjW/1/yYKjX1XEYT6BChWE4WHOnr6z7Q0 qrlIavemuTs66ijChK/LuV76RU+ZoW4A8DecreRTDVwAwbZX4yA+/nC9IBrcR3eqdITRA+ yu3NTd4OGTAl1FkeUuft56FhWZhXkAs657zpu5HR6mGSpd3xwOxft7GKtDEzJL3E/NtbZw sfqZLzNpOkQtRJWcb7J0y0po9hH/q8yb6bPdY3jjl9rOotsYE66OMrbukUt0OQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781064073; a=rsa-sha256; cv=none; b=yp0yWfsBEQ3i/uIm78IlXZx36B9/T2pbxfY2shQ+9sp2Rx+5Q6SMIvA6nijCTIWMwk+eEt TSx3h/JKpMfV3zoLU4ZKvQQeKedjyIt/5LO+iXW3S0uCOe9wXmfjveUwlutBErfHssLSPR kzq3lkxi+epBkGc3u32yr3wX7Zdm9oaRlJZv3XLkBhOP0ULtfFE362o4MilBEGO12zEtdE stBjG0EO3+oet0A/JDb9Bx3QtETnELJzhpJObOv9a2MJ2L9hiJTj2O6rZqx9WT/G6ykuZs iN+mu8S2HkIbZgRCi2GsdF6YXlnLmM5UWxcCyRH1ZX4YzzFiHCdpxNDAZcoYjQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064073; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Z8po+mgQdZR+TxkhJ3J11CspPwlDX7/cCkvKV7kKvgw=; b=qyuNTMgepB7ypmRCfTy0YuWcCUQxfTyX5SdPKAvFsuotfP8KloPHwpgjr7EsiS19x5tFB0 xhsDEkEdoSFljFQlrqKmBPCMsttLUbnWowTtq7zi/2HtImVnzvQ8/yySm+H3NotryRd5OU r8wikQwER398OE0LvDWHm4ol4oyMRnGnn8AwjQumA7JPo7OpEzv+G16s7h9ywxnckz2t36 G7MuCIcHwDFHz1VULmB+dX/RHxEQCM0Xip7iQim9b6xuhzf8z5qB/pKXGEG/Sznd8hBIS8 9m/7UUcXtkfP4kZQC1Y5C0Tw3fqy7k6MhAkPNiGVtvyvdevA9etBZGC5YHu+Ww== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZsX903LCz14MF for ; Wed, 10 Jun 2026 04:01:13 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 27493 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 04:01:13 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kyle Evans Subject: git: dc0cc22a8981 - stable/15 - fexecve(2): call out a scenario where you want !O_EXEC List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: dc0cc22a898198a21bd58109351d2c2b2ec5410f Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 04:01:13 +0000 Message-Id: <6a28e189.27493.430f9de9@gitrepo.freebsd.org> The branch stable/15 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=dc0cc22a898198a21bd58109351d2c2b2ec5410f commit dc0cc22a898198a21bd58109351d2c2b2ec5410f Author: Kyle Evans AuthorDate: 2026-05-01 03:02:55 +0000 Commit: Kyle Evans CommitDate: 2026-06-10 04:00:36 +0000 fexecve(2): call out a scenario where you want !O_EXEC We note a reason why you might need it, but there's an equally important reason you may need to omit it: interpreted programs. Add a note accordingly, along with the workaround configuration if there's reason you can't help it. PR: 294780 Reviewed by: Jan Bramkamp , kib (cherry picked from commit 9c18d55a768a3e60ecaba1325e9a3e00a25dee26) --- lib/libsys/execve.2 | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/lib/libsys/execve.2 b/lib/libsys/execve.2 index dc85b9321e48..5562e198239a 100644 --- a/lib/libsys/execve.2 +++ b/lib/libsys/execve.2 @@ -25,7 +25,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd July 02, 2025 +.Dd April 29, 2026 .Dt EXECVE 2 .Os .Sh NAME @@ -232,6 +232,17 @@ is to use the .Dv O_EXEC flag when opening .Fa fd . +Opening without +.Dv O_EXEC +may be necessary in the case of executing an interpreted program, as the +interpreter will not be able to acquire a descriptor to the script for reading +without mounting +.Xr fdescfs 4 +on +.Pa /dev/fd +with the +.Cm nodup +option. Note that the file to be executed can not be open for writing. .Sh RETURN VALUES As the From nobody Wed Jun 10 04:01:15 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZsXC5m9dz6gvDr for ; Wed, 10 Jun 2026 04:01:15 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZsXC1q9lz3wFn for ; Wed, 10 Jun 2026 04:01:15 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064075; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=CxTvV18aE6hluraIjfscvr8MT7nMEdyRqakUJNdkGv0=; b=tcNt3HHmrs9JBu56AUzOxWl+RP/hHG+w6KaEzvGztys2hBGHAMLBRXcUu3qWylDnNIgBXF CzW8JxXYVsxSxsfqKDkdKXiMLwQ9Sy8p2q0AMsmK+tmx35x0g4hPcetqTbxjFAdzFFK23t ML+IeI8mAqNkveOc3gSNOsLar0o2Wm9pw01lAV/E8xb3LQ0TA7sFg6jrJIqmEsMn2lPuWA 9SKoFD/2NZFiGXttyp/0OgKkTmY16k5xuG9uDNScH8oinLONjmdHF09omAQLfsY/EVtH10 ePLZoEWZ7Fmh/41cMJyiCuHLJMA7gCX1P4UdWMrbtcYe4UOG4jGJliJjZHtzDg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781064075; a=rsa-sha256; cv=none; b=ljzVrcy1LNZGy4jeytf/Zj7R0Mpihkq48Gfh9IBgL+eLTNE+a1B7clAlVw7CZiuZgEWeKf ABfNrAY2EBswyCMbwGj+u0HLQ0zRYiXsOKksRVIQic1E3sCwVIwUCLucZsmHxrh0eeoy5N RrF2RZL8KvjaqheTXwEcjrRqim98QcppmiQ9WJNLJ4nNuT6UTe5Ju6QNKHyZBj1IcNn3lm klt7w+PVdxIUCX288icJUHY0qAtlQ10GwRO4HgVMfdnS1SHJ9VsQ4VPOMvEmwbOwg7PQz9 DBGRKEckEFljxg4H1lwdE81K0UISaNS2sl3rrtplmO1XYVAqhTtVLzKMAzzPJQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064075; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=CxTvV18aE6hluraIjfscvr8MT7nMEdyRqakUJNdkGv0=; b=urJvlPoB1f2txg8Kvva7d5IO+E6B2vQvvU8VfW+KrY3eJ9osxJNNSCaUiTRTKs/iiC71kJ a5rgU50ZlOUn5Ozd3gfxqnINys33/nBgrY8fC0rD9kTGj/6jlkKtbUYIQmhyuNaCKAx2T0 H/TUax+67zEKK0iUAQueJnXThPaIEN08dGINtTy6zAU/UPQ3Q22rP+U6EgR8LOwsRdMF+q 4xDDKYmv/mXY4UbZOYALUH+31X63tq0yUioNn6xIDqWWwoXq6zlqqdZ4nax51VQc4j6jEe vpGetS3YTepK6mLGPTNw2nwOjaaYVxFJRxqOVkCFUIK/i/AZGVS37JGuO2IO5g== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZsXC1GNKz14St for ; Wed, 10 Jun 2026 04:01:15 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 258f0 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 04:01:15 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Marek Zarychta From: Kyle Evans Subject: git: b575dac3e415 - stable/15 - devd: Use PF_LOCAL instead of PF_INET List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: b575dac3e415ceee136ed77be25e04e3bfce73ce Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 04:01:15 +0000 Message-Id: <6a28e18b.258f0.5189fb05@gitrepo.freebsd.org> The branch stable/15 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=b575dac3e415ceee136ed77be25e04e3bfce73ce commit b575dac3e415ceee136ed77be25e04e3bfce73ce Author: Marek Zarychta AuthorDate: 2026-05-07 01:28:08 +0000 Commit: Kyle Evans CommitDate: 2026-06-10 04:00:36 +0000 devd: Use PF_LOCAL instead of PF_INET Avoid dependency on INET (IPv4) by using PF_LOCAL, allowing media check to work on systems without INET support. PR: 295045 Reviewed by: kevans (cherry picked from commit b2e4da0b53ad082768b8f6f83766e030fd00d02a) --- sbin/devd/devd.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sbin/devd/devd.cc b/sbin/devd/devd.cc index 1ff405244cde..7bd7f650c843 100644 --- a/sbin/devd/devd.cc +++ b/sbin/devd/devd.cc @@ -369,7 +369,7 @@ media::do_match(config &c) retval = false; - s = socket(PF_INET, SOCK_DGRAM, 0); + s = socket(PF_LOCAL, SOCK_DGRAM, 0); if (s >= 0) { memset(&ifmr, 0, sizeof(ifmr)); strlcpy(ifmr.ifm_name, value.c_str(), sizeof(ifmr.ifm_name)); From nobody Wed Jun 10 04:01:16 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZsXD4ztzz6gvXm for ; Wed, 10 Jun 2026 04:01:16 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZsXD2K4Fz3wN5 for ; Wed, 10 Jun 2026 04:01:16 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064076; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ZULIPO0IbnQCz/jgcHVeULelrmKLmPR+7RN9OrZhnrs=; b=g8F9w2K8KfAjxOmO6Gz0PFeV/tfkuDyN4t7BEa5tRT5jtDSIgVOjRW2GtDl/R9OONJCDBB FRKMXuf4ml9SeRFNkbZwSEvP3LZz0HTohT6mnW7ZmhL1osMxbnXBo+cj356bJxs3zICZav wBm5h0FC2G8DsEJx3AZFz21onhArLEcrVx4qR7Csz1xu77lDBCgMC+c2Ro1eOyJm28G9og bXEN1uvy9V6qEm44d7UcSXDgLdeHJ1OSFTkFyURZ+WmM3xoDjS+CIBwe6DAedooRyb+7ho L+ECDm5u0muukultSgeYhRwcnTBp1wveFv07eBD0EXAXbm5kRssdpmi2Xq2DIQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781064076; a=rsa-sha256; cv=none; b=mE1x9qchxcrh/1s/bWMut5GbiFpTGcgtS7Q9QQDBmYQ1Hpgw57mXbBS3sh12QWu2OcaYmN mlQj1JEFcF9S5JVFSGwVtzv0EDWaQGpZ6Ae0tUVsnrtnDZModnOq2lVeLcbRaLevvYiVIT rgyshZiN/jId4+2N5ml8h91HqgOiw+PRu7FgblLORO1mA1vnMlDd4jCd/aR5O1LpWrLcQ0 GPUy7/K83cCzXixydEDx7EtrSWycFSsZL6P63rMCSgfJUHqCbig3dhzNkcLD0sf6iKTGqf AiNoyn1Er0DLIhlZWy/wZzZY7YgzVgdzzs3zVHQEFQG+LtdK3DMmXU4hVqbXjw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064076; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ZULIPO0IbnQCz/jgcHVeULelrmKLmPR+7RN9OrZhnrs=; b=CISVhBmunwsfrUgTv0trWG4NnIhvj7lc8zn02+lFrTWoJRE7jY4abDc3Qd+JhpQu8w6J6t gjreF7KgBPk3r7TSyeRjp+0gC0bQUr0YT0LoSEIn4fFlWb9qBT0ueVPQwifWylSDenef1Y Y+UHqsnq1wvBCq1CL8dGGKtUZ836RzRFXaZ+VrNX3ER+GqAQ9G5wWko3sHyPBkPanI4z6K CS5HeFRaog/U1ha67hE8i6xVdoQuuuMAiXhN+YYCpIC7KN9g5q/IhbYivPr2JDVWBQKjmp 8Age9EEugNs414bLsytKEAyeUDzWrzXho0uLcMbkbr2naYYKlCsvO4HeuYow6g== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZsXD1pfvz14hF for ; Wed, 10 Jun 2026 04:01:16 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 258f5 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 04:01:16 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kyle Evans Subject: git: 92a2764ba175 - stable/15 - linuxkpi: work with numpages > 1 in the set_pages_*() KPIs List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 92a2764ba175e5af550d96a4b509d7776c6dffa6 Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 04:01:16 +0000 Message-Id: <6a28e18c.258f5.2a285432@gitrepo.freebsd.org> The branch stable/15 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=92a2764ba175e5af550d96a4b509d7776c6dffa6 commit 92a2764ba175e5af550d96a4b509d7776c6dffa6 Author: Kyle Evans AuthorDate: 2026-05-19 03:22:21 +0000 Commit: Kyle Evans CommitDate: 2026-06-10 04:00:37 +0000 linuxkpi: work with numpages > 1 in the set_pages_*() KPIs These calls are used for buddy pages at least in drm's ttm_pool, which leads to a panic when we invoke lowmem handlers and drm tries to shrink the pool. Cope with numpages > 1 by traversing the contiguous pages and executing the adjustment there, as well, as suggested by markj@. Previous versions have tried to use the corresponding `set_memory_*()` functions, but it is believed that not updating `md.pat_mode` breaks subsequent userspace mappings in ways that may result in things like screen tearing or other artifacts when running i915kms. This stabilized my amdgpu laptop running two VMs, chromium and a concurrent buildworld. Reviewed by: bz, markj (cherry picked from commit 67f7f2781daa9bd398b424ffe2bd0be67f37f03d) (cherry picked from commit 8dad29555a5807bf21941807752e1589e20312de) --- sys/compat/linuxkpi/common/include/asm/set_memory.h | 15 +++------------ sys/compat/linuxkpi/common/include/linux/page.h | 2 ++ sys/compat/linuxkpi/common/src/linux_page.c | 21 +++++++++++++++++++++ 3 files changed, 26 insertions(+), 12 deletions(-) diff --git a/sys/compat/linuxkpi/common/include/asm/set_memory.h b/sys/compat/linuxkpi/common/include/asm/set_memory.h index 1019aaf264a0..54a1311ef9a5 100644 --- a/sys/compat/linuxkpi/common/include/asm/set_memory.h +++ b/sys/compat/linuxkpi/common/include/asm/set_memory.h @@ -65,32 +65,23 @@ set_memory_wb(unsigned long addr, int numpages) static inline int set_pages_uc(struct page *page, int numpages) { - KASSERT(numpages == 1, ("%s: numpages %d", __func__, numpages)); - - pmap_page_set_memattr(page, VM_MEMATTR_UNCACHEABLE); - return (0); + return (lkpi_set_pages_attr(page, numpages, VM_MEMATTR_UNCACHEABLE)); } static inline int set_pages_wc(struct page *page, int numpages) { - KASSERT(numpages == 1, ("%s: numpages %d", __func__, numpages)); - #ifdef VM_MEMATTR_WRITE_COMBINING - pmap_page_set_memattr(page, VM_MEMATTR_WRITE_COMBINING); + return (lkpi_set_pages_attr(page, numpages, VM_MEMATTR_WRITE_COMBINING)); #else return (set_pages_uc(page, numpages)); #endif - return (0); } static inline int set_pages_wb(struct page *page, int numpages) { - KASSERT(numpages == 1, ("%s: numpages %d", __func__, numpages)); - - pmap_page_set_memattr(page, VM_MEMATTR_WRITE_BACK); - return (0); + return (lkpi_set_pages_attr(page, numpages, VM_MEMATTR_WRITE_BACK)); } static inline int diff --git a/sys/compat/linuxkpi/common/include/linux/page.h b/sys/compat/linuxkpi/common/include/linux/page.h index 37ab593a64e9..6f5f37d2fd0f 100644 --- a/sys/compat/linuxkpi/common/include/linux/page.h +++ b/sys/compat/linuxkpi/common/include/linux/page.h @@ -127,4 +127,6 @@ clflush_cache_range(void *addr, unsigned int size) } #endif +int lkpi_set_pages_attr(struct page *page, int numpages, vm_memattr_t ma); + #endif /* _LINUXKPI_LINUX_PAGE_H_ */ diff --git a/sys/compat/linuxkpi/common/src/linux_page.c b/sys/compat/linuxkpi/common/src/linux_page.c index d8b65a12dc67..f562bd5e0dbd 100644 --- a/sys/compat/linuxkpi/common/src/linux_page.c +++ b/sys/compat/linuxkpi/common/src/linux_page.c @@ -710,6 +710,27 @@ lkpi_arch_phys_wc_del(int reg) #endif } +int +lkpi_set_pages_attr(struct page *page, int numpages, vm_memattr_t ma) +{ + while (numpages-- > 0) { + /* + * pmap_page_set_memattr() would only update the DMAP mapping + * if it's a normal page, leaving the kernel map untouched. + */ + MPASS(page->object != kernel_object); + + /* + * pmap_page_set_memattr() sets page->md.pat_mode, which is + * crucial for future userspace mappings. + */ + pmap_page_set_memattr(page, ma); + page++; + } + + return (0); +} + /* * This is a highly simplified version of the Linux page_frag_cache. * We only support up-to 1 single page as fragment size and we will From nobody Wed Jun 10 04:01:18 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZsXG6qYyz6gvkc for ; Wed, 10 Jun 2026 04:01:18 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZsXG3qyVz3wbj for ; Wed, 10 Jun 2026 04:01:18 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064078; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=TI+t30Vho13brqVy4EHLFiuzuwpDAA2WkoBQKFs9m2A=; b=RdOHCFvQ5klpvu2Ls+w9+6YIfLpGV37j+qJWq+7UWrANjlXogvF55cB57X/nAV4lNEDZ/C O0HyJNYTsWuzOtTFLYi+oJW7BQeIrzYIN7WJQyXQ6zQ7YtjaD0QqlJi5Pi7rEqBMWcv8fx yFrW4hVyWr9DJXeOnULFjlynx0Wh+QNqGVTTocmjdKkoEyQmAvzCIhuYgKv+RaDGfKFqMF 9ySBlCshBtpqIaXvlBqXOQLq9rOfxFiT1udeP0poTvdNDK4c2CeLR3VYByFLK3cMUKtTZs aGDUhO7WZaVyvbXzn5xb3/SyjC3SloI9vNMy9rno0ttbX99YtmmeXfFjRsftLQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781064078; a=rsa-sha256; cv=none; b=wRvq6qQKN1oT0oS4E+ltAYAG/bZ/tqF4od+Jc4dc9GDTQpTDfFcchYs8av756ck2CdZ32m 4Lb1a5sG2qnUwQb2fYWlwWxp3WbhBzOUlORSyw4GQ2iY54u8bGy7KIpMUGIramWL6O0TQc b5bvf2Y+4DfcetYdezPwKrnvtWEYVC18Wks07i2MEnRmlN1gX1ag9o6fLohOyqWGd8mkjr f2ygO8ws9TTsq08r6c2W5aIKZKlMHU2NdsTV4JZEPC1cK9wI4W16YCdxxV91fW+Bwvc4Q8 7Bknfh1X3YXhgnISbNqjNoDPoXElxOno0uXdHjcRXdt6UN3p07kAE3Ot4PfuEQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064078; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=TI+t30Vho13brqVy4EHLFiuzuwpDAA2WkoBQKFs9m2A=; b=JbGMWyhNAKhmOm+p2rkAiioRY8OkI7NSr0iR0B0drKyucNkDuzWkRGB6SK8IzvizMlixgT Knvind0XU03ueBBP4SjXQtj2xD0B0uiNQwZjSWM/PencW62v3gQGzjRscOiVuhPsfavoO4 MkFGyOc8gjTvrnvAUgY7Bc7p9kf62XWQzudMCItv97bXcsc6EPhLJbIUXlw1bJQSzIhErI j+KFYCe9DR1TPpF/6E/mz+8W5Lwu6g1UDK4lYLqw7QVY+C0Ea+sqEB6QbHeGhYzxN/92rD AmN4h3eFxKaRtBTjva2z9iyKcB1ynXTzTgf4CzRktnbJqkuFuUgFcezccY3NyA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZsXG37ghz14hG for ; Wed, 10 Jun 2026 04:01:18 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 27e8b by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 04:01:18 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kyle Evans Subject: git: dc7494fb32df - stable/15 - pci: pci_host_generic: provide cleanup methods outside of detach List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: dc7494fb32df309092a2f2f3e62c221f8c41551c Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 04:01:18 +0000 Message-Id: <6a28e18e.27e8b.37f9fa9e@gitrepo.freebsd.org> The branch stable/15 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=dc7494fb32df309092a2f2f3e62c221f8c41551c commit dc7494fb32df309092a2f2f3e62c221f8c41551c Author: Kyle Evans AuthorDate: 2026-05-09 02:46:24 +0000 Commit: Kyle Evans CommitDate: 2026-06-10 04:00:38 +0000 pci: pci_host_generic: provide cleanup methods outside of detach If device_attach() fails, we're expected to actually cleanup after ourselves because device_detach() will not be called. Factor out the cleanup bits that don't rely on attach having actually succeeded so that we can cleanup properly in bcm2838_pci. Reviewed by: andrew, imp (cherry picked from commit 31a94ec32b53ebf6227bc868ce4f7aa07650680d) --- sys/dev/pci/pci_host_generic.c | 15 +++++++++++---- sys/dev/pci/pci_host_generic.h | 1 + sys/dev/pci/pci_host_generic_fdt.c | 19 +++++++++++++++++++ sys/dev/pci/pci_host_generic_fdt.h | 1 + 4 files changed, 32 insertions(+), 4 deletions(-) diff --git a/sys/dev/pci/pci_host_generic.c b/sys/dev/pci/pci_host_generic.c index 49b131cd2299..d7854671bfd7 100644 --- a/sys/dev/pci/pci_host_generic.c +++ b/sys/dev/pci/pci_host_generic.c @@ -250,15 +250,22 @@ err_resource: int pci_host_generic_core_detach(device_t dev) { - struct generic_pcie_core_softc *sc; - int error, rid, tuple; - - sc = device_get_softc(dev); + int error; error = bus_generic_detach(dev); if (error != 0) return (error); + return (pci_host_generic_core_free(dev)); +} + +int +pci_host_generic_core_free(device_t dev) +{ + struct generic_pcie_core_softc *sc; + int rid, tuple; + + sc = device_get_softc(dev); for (tuple = 0; tuple < MAX_RANGES_TUPLES; tuple++) { rid = sc->ranges[tuple].rid; if (sc->ranges[tuple].size == 0) { diff --git a/sys/dev/pci/pci_host_generic.h b/sys/dev/pci/pci_host_generic.h index 6579cd0918c4..73314e2feccd 100644 --- a/sys/dev/pci/pci_host_generic.h +++ b/sys/dev/pci/pci_host_generic.h @@ -94,6 +94,7 @@ DECLARE_CLASS(generic_pcie_core_driver); int pci_host_generic_core_attach(device_t); int pci_host_generic_core_detach(device_t); +int pci_host_generic_core_free(device_t); struct resource *pci_host_generic_core_alloc_resource(device_t, device_t, int, int *, rman_res_t, rman_res_t, rman_res_t, u_int); int pci_host_generic_core_release_resource(device_t, device_t, diff --git a/sys/dev/pci/pci_host_generic_fdt.c b/sys/dev/pci/pci_host_generic_fdt.c index ffe63b82a234..c6b9371698b6 100644 --- a/sys/dev/pci/pci_host_generic_fdt.c +++ b/sys/dev/pci/pci_host_generic_fdt.c @@ -104,6 +104,25 @@ generic_pcie_fdt_probe(device_t dev) return (ENXIO); } +void +pci_host_generic_destroy_fdt(device_t dev) +{ + struct generic_pcie_fdt_softc *sc; + struct pci_ofw_devinfo *di; + + sc = device_get_softc(dev); + while (!STAILQ_EMPTY(&sc->pci_ofw_devlist)) { + di = STAILQ_FIRST(&sc->pci_ofw_devlist); + STAILQ_REMOVE_HEAD(&sc->pci_ofw_devlist, pci_ofw_link); + + ofw_bus_gen_destroy_devinfo(&di->di_dinfo); + free(di, M_DEVBUF); + } + + ofw_bus_destroy_iinfo(&sc->pci_iinfo); + (void)pci_host_generic_core_free(dev); +} + int pci_host_generic_setup_fdt(device_t dev) { diff --git a/sys/dev/pci/pci_host_generic_fdt.h b/sys/dev/pci/pci_host_generic_fdt.h index cc6e575f6056..790f781b23f0 100644 --- a/sys/dev/pci/pci_host_generic_fdt.h +++ b/sys/dev/pci/pci_host_generic_fdt.h @@ -46,6 +46,7 @@ DECLARE_CLASS(generic_pcie_fdt_driver); struct resource *pci_host_generic_alloc_resource(device_t, device_t, int, int *, rman_res_t, rman_res_t, rman_res_t, u_int); int pci_host_generic_setup_fdt(device_t); +void pci_host_generic_destroy_fdt(device_t); int pci_host_generic_fdt_attach(device_t); int generic_pcie_get_id(device_t, device_t, enum pci_id_type, uintptr_t *); From nobody Wed Jun 10 04:01:17 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZsXF4QvRz6gvdt for ; Wed, 10 Jun 2026 04:01:17 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZsXF2mQ9z3wHm for ; Wed, 10 Jun 2026 04:01:17 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064077; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=PmoosWzOOGKDttX00zsJcp2tFzrmy/bNi0N62JkgB80=; b=BoE6gNpUg7ch1RTJc9w89Bq7t7IU8EMZ3xTa7N3mySOZCm6XrY7uSIAFLIK1tDoPcIaGVq IPjejHKEwF/wZuGvxHFxLizO7VDKgCS1xgYG4QO19Dt6ZvHI92Zd5j6fiipIOqrSJbLoLW GOWAtIx0URw8M4bYDJsXf1Or/j1bewwOxTmQS/nmq3qct+HZBuYCNmFcFUvqyxoKCN8id9 z3kPs3XSUtyBbJ4892pyN/CuEGrScwIMLQwh2d8AZAhXob+cjQ7Fv+40ObrjOAd205ciQD YZMj6TFo3/VJO2tb5tBPICK7RbWL3BWtItP6rSUxRmCfd3Y3r452wti9YPv90A== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781064077; a=rsa-sha256; cv=none; b=Qx2FCZL20Q3QDB15bmrGDClataODVuyHPraUBYx0N8yS4NFKTOhdaei1xVxB/MNWATtsmR 4qrOKeqHw4320Cn4sqXxkt7NEPWNGbw1WEBqH8Z7wk4ucEZkxegun8Pk5ySqiSK7JYICQq V2w+T9WR/VO2xcVDcBHzPvNN2DfZUVLCdvYCOMi4LifobCc49+tORMRpPR6RxyCnb/bahs EUiiZx0JjIYH7uR0Tp9uhuj+uXhPmNebFSmGt7a52PGMeA+eplCdCS9NXta9CzL7rtD9ot uwVS9TH1QlpvGlxOstL9IGgFNNDa9W84ebkhGfbrfRDDKuK9rSIhwiDE5XmN9g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064077; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=PmoosWzOOGKDttX00zsJcp2tFzrmy/bNi0N62JkgB80=; b=jm352aQZ06V1gRotz7cyuE5QZRJJ8LVUNS5OvSy6q4F0NLwXSX3UhC8eU0IElBMnA7hcMK N2azLwwrQI6f34yBt5NI9WIVtqkHYSxdJW6MfWgCBL/pCWIW/x0EgiDvthj7Pe2QkJHR0M YRFqrx/8nm4z0VfWSgCdBsuMJCLtC3F6UTuO3YafH4ipYabx4HQb422dydu6B/N0UapOEg PIuV0Xv5JB4cGDoE3BDs04ncx4UxnUx2ZC3dSxe+70wdF0xRBfKkNQZGStQ7zGBV4PoMta LC7FQNrHrIflr7v+D8uEiMTJPgbexivObhy6Oi7YrVxszZR83hj4/hD7YgXqZw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZsXF2L3Lz14Pg for ; Wed, 10 Jun 2026 04:01:17 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 2733e by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 04:01:17 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kyle Evans Subject: git: a53d4b5b2a08 - stable/15 - kern: ofw: provide ofw_bus_destroy_iinfo to teardown interrupt-map List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: a53d4b5b2a08e4de390f9800d69367078b8affcf Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 04:01:17 +0000 Message-Id: <6a28e18d.2733e.51898d05@gitrepo.freebsd.org> The branch stable/15 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=a53d4b5b2a08e4de390f9800d69367078b8affcf commit a53d4b5b2a08e4de390f9800d69367078b8affcf Author: Kyle Evans AuthorDate: 2026-05-09 02:42:50 +0000 Commit: Kyle Evans CommitDate: 2026-06-10 04:00:37 +0000 kern: ofw: provide ofw_bus_destroy_iinfo to teardown interrupt-map For symmetry with ofw_bus_setup_iinfo, the next commits will use it to properly cleanup on failure in bcm2838_pci. Reviewed by: andrew (cherry picked from commit b230a7b9a52c0fc948f4f1dcd1225a94674073f6) --- sys/dev/ofw/ofw_bus_subr.c | 12 ++++++++++++ sys/dev/ofw/ofw_bus_subr.h | 1 + 2 files changed, 13 insertions(+) diff --git a/sys/dev/ofw/ofw_bus_subr.c b/sys/dev/ofw/ofw_bus_subr.c index b99d784929bc..8e7c60cdb98d 100644 --- a/sys/dev/ofw/ofw_bus_subr.c +++ b/sys/dev/ofw/ofw_bus_subr.c @@ -349,6 +349,18 @@ ofw_bus_setup_iinfo(phandle_t node, struct ofw_bus_iinfo *ii, int intrsz) } } +void +ofw_bus_destroy_iinfo(struct ofw_bus_iinfo *ii) +{ + + if (ii->opi_imapsz > 0) { + OF_prop_free(ii->opi_imapmsk); + ii->opi_imapsz = 0; + } + + OF_prop_free(ii->opi_imap); +} + int ofw_bus_lookup_imap(phandle_t node, struct ofw_bus_iinfo *ii, void *reg, int regsz, void *pintr, int pintrsz, void *mintr, int mintrsz, diff --git a/sys/dev/ofw/ofw_bus_subr.h b/sys/dev/ofw/ofw_bus_subr.h index 1a33d7655f77..2e13f29a67f6 100644 --- a/sys/dev/ofw/ofw_bus_subr.h +++ b/sys/dev/ofw/ofw_bus_subr.h @@ -86,6 +86,7 @@ bus_get_device_path_t ofw_bus_gen_get_device_path; /* Routines for processing firmware interrupt maps */ void ofw_bus_setup_iinfo(phandle_t, struct ofw_bus_iinfo *, int); +void ofw_bus_destroy_iinfo(struct ofw_bus_iinfo *); int ofw_bus_lookup_imap(phandle_t, struct ofw_bus_iinfo *, void *, int, void *, int, void *, int, phandle_t *); int ofw_bus_search_intrmap(void *, int, void *, int, void *, int, void *, From nobody Wed Jun 10 04:01:19 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZsXH5pvzz6gvkg for ; Wed, 10 Jun 2026 04:01:19 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZsXH4CF2z3wTq for ; Wed, 10 Jun 2026 04:01:19 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064079; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=0cUGSKJUtJaEJrb5jxv7OmBjCWawgJVC3TR8PazW//U=; b=e1mnHgBCjSAu2bLYeklN+xlPsjQeVFFWG2ZHoq0ZcFjAhZFMLicaF4vK4IiDa5XV/eVcl5 k5gSbqfj2pagixKYH5FvP8mF3q8VW55zLZawvf1hOnMNYoLdhrogPAvPeQR5sV+Ib85Y87 vxMiEFx9loWY/FnPJyB4Dn7SHE92IIXqUwsd2VxSj6xZDaIR/i56fCzotAF6IzepkyGBj7 wwz9yS9hfrQci31vh07ykHbzYumc59eZf4AQZbjGoQc6fRmY4kwPCZrHjZBdoUH8hmR56e /a44gTGhit44owR1I6/v/SGZ1d4n3w+NwM84un9cNMjsgOlDpLpulA+4WWmnyQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781064079; a=rsa-sha256; cv=none; b=LeKZMT40fDESecBh9zqEECb2KatqbfTe3ewmr0Wwep2F2d17mDDLUj/Wz2cKwuqA0d2tri fV9XipsZKIvjNEqbL3VMVW/wwc7yCpEvlcR0OA2m/PlDxfPfAtvfCMIOWccn1fCh4Fj61n wu75RQJnRZewqM6cX/Ojg1q0KJs/Ayp16Krjv3djtfw8jKsflgvUAzEDX6hXPm8jXRR64T zgZAGRtDkmj/GtFs7hRrdhZZOephZcCaTPxmH3LTjBdNUpvos4l3jtJcK6QjunZckdxhMv Z+fgMIe+PQ6vdCNTDxxRFz1jGhajycpavKPU4xjzKZE5WccwcKlybs2rsREwqg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064079; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=0cUGSKJUtJaEJrb5jxv7OmBjCWawgJVC3TR8PazW//U=; b=tsVyB4dm3Nd3zwNVzZs4rjaHlvf9tlCY4PSOiD3gEXsaZMG6I1Rn6G0fLAdM34KqUCmad8 x0qu8plQjjgNSWemjNeuW2oy9XG7bNGnFV/18r7xlB+TeTpGi7HJjitFgpGR0Pi7ka/hxN OaAEtO4cT4UslId54jy+GxsOjuUaFKcbbs3OG/Ub8B29RZmkjkf0c/ThB8TtVHLqASEKdn eLU1VZAtUWXA5tQRPzbzxmawEsU8xonq2WJXT7F7tgIMhHSwG1iil60jegF9OE+M/55lit Z27q6hZyVaTOddtighoHGTq8DHntBQX71Ape9wBGpB0aIpzK7nDUmloKirUV/A== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZsXH3ltYz14Bt for ; Wed, 10 Jun 2026 04:01:19 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 26462 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 04:01:19 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kyle Evans Subject: git: 76720b010873 - stable/15 - pci: bcm2838: cleanup on attach failure to fix devmatch panic List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 76720b010873f350b94231c5380e2d19b8839795 Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 04:01:19 +0000 Message-Id: <6a28e18f.26462.29018d5e@gitrepo.freebsd.org> The branch stable/15 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=76720b010873f350b94231c5380e2d19b8839795 commit 76720b010873f350b94231c5380e2d19b8839795 Author: Kyle Evans AuthorDate: 2026-05-09 02:49:35 +0000 Commit: Kyle Evans CommitDate: 2026-06-10 04:00:38 +0000 pci: bcm2838: cleanup on attach failure to fix devmatch panic Specifically on the RPi CM4, we currently don't set the controller up right and it never moves into the ready state (we don't observe the link active bit). Failure to cleanup here actually results in a panic not long after, due to a use-after-free in the rman bits. Further down in pci_host_generic, we have some rman stashed in the softc that are initialized and placed onto the rman tailq, then the softc is later freed without an rman_fini() to pull them off of the tailq properly. Note that PCIe on this board won't come up at boot without something plugged in, so it currently can't be booted with an empty slot with the intent to hotplug a supported card. Some issues with controller startup have been observed with Broadcom NICs in the wild, but no problems have been observed with other NICs and a variety of different PCIe cards. Shout-out to Vince for the extensive debugging and analysis to arrive at this conclusion. Reviewed by: andrew, imp (cherry picked from commit a05af6ddf9016e4ea4f0b361aa674e7ece6fe7ec) --- sys/arm/broadcom/bcm2835/bcm2838_pci.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/sys/arm/broadcom/bcm2835/bcm2838_pci.c b/sys/arm/broadcom/bcm2835/bcm2838_pci.c index 2b2ad1e3bdf8..80a7516f5331 100644 --- a/sys/arm/broadcom/bcm2835/bcm2838_pci.c +++ b/sys/arm/broadcom/bcm2835/bcm2838_pci.c @@ -646,7 +646,7 @@ bcm_pcib_attach(device_t dev) error = bcm_pcib_check_ranges(dev); if (error != 0) - return (error); + goto failed; mtx_init(&sc->config_mtx, "bcm_pcib: config_mtx", NULL, MTX_DEF); @@ -680,7 +680,8 @@ bcm_pcib_attach(device_t dev) if (tries > 100) { device_printf(dev, "error: controller failed to start.\n"); - return (ENXIO); + error = ENXIO; + goto failed; } DELAY(1000); @@ -690,7 +691,8 @@ bcm_pcib_attach(device_t dev) if (!link_state) { device_printf(dev, "error: controller started but link is not " "up.\n"); - return (ENXIO); + error = ENXIO; + goto failed; } if (bootverbose) device_printf(dev, "note: reported link speed is %s.\n", @@ -741,12 +743,15 @@ bcm_pcib_attach(device_t dev) /* Configure interrupts. */ error = bcm_pcib_msi_attach(dev); if (error != 0) - return (error); + goto failed; /* Done. */ device_add_child(dev, "pci", DEVICE_UNIT_ANY); bus_attach_children(dev); return (0); +failed: + pci_host_generic_destroy_fdt(dev); + return (error); } /* From nobody Wed Jun 10 04:01:20 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZsXK1XX8z6gv6g for ; Wed, 10 Jun 2026 04:01:21 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZsXJ55Srz3wWf for ; Wed, 10 Jun 2026 04:01:20 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064080; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=lVexW/GRmnZDUFjRfjj1VwDZW6GJ8icQDhWZlkyZNZg=; b=WAhvBSW4YIBEhp7wZbr65J/udZhcEBIF7HvEpJhmolfnwpFNWHKoLUgw/NoGQT6fkP86xM n2YGqRwUKLEry1AC2M0Nnme1hkRW5DIWTf8dNf+fgHGrw/hRNb3djMxPdnDKUP4OiRwBlW o0lyImu0qajzhgMVGpOeI68f8/+TRqgIpdvI4e8Axm/eBIhnlJLxxRYGPEuO9/n51kj6/a Xhc2UnApK4lDBC3BhrKsLy6q4U9+1hgNz7QXJBAMve/Hiu9mUm0wjab6fbEGXYc5G236Tv JeC0572U0cqUMYPVMZStbt+U0KKDZh4KJ51HfTeWTH/xPnuG9Va/0T4DDpzEmA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781064080; a=rsa-sha256; cv=none; b=aFZnZQ2pJicqsViaNZqh3Dga6vTfhDCqz0v5GrKRHHmPFekFESakDJ2a+hbrmzdIkhF0qM MoDlhmIxthAp2G4FuFpoB+fqT9iKXnKAbcPNR3OcIn3gKaCRGRdc7iwoNGzmsd4khAeKua 13MR7r8Sa5+SBWfFSuSYI28+FCwYdN7A/yMGFQKyQyD5R0in367Os2sFE0WjTUBmQ+6bl7 bAGr1uYJGzlNa8QU8lA1yT9bdb3Ol+kKSC7saiC5rK287457cLrLopKfdS4mpCTuc/BHWW /JqjGoHFbrCMvxJxLazfQIN7m0+q0+oNmXucFTbsVs0zVGpFgJsWbY0NvycRqA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781064080; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=lVexW/GRmnZDUFjRfjj1VwDZW6GJ8icQDhWZlkyZNZg=; b=uzIdGNdAwinEgXRF2vtXE8dDqM6un1AeCvCsKrDb+O6wig4bZeZVzldezk/7sXE1KW6/P/ ZrNkmmS8YBXsvV9qZ4GFOHigq/9eJZD8HCr2/yQtex1O+P+v9IZi/q7oilZoU0FR4lHh0o keo2Ph0cskh2te36Fys7WL0n7qbbq0emlFUu5nXT/XfgiAaRKDxlvk6gwRGc95yuadzCBw EK4R1XkPKqmh/69viqrRkrCjsGTPOafeMRM3QpLC5clp3K9W016lyMxVLaTE5OwSHgfyVV kn7qiDRBh72XgobVaCUVza+AV8nJdmsZsfXDRcf57UFbwUMuG3dqvWLkxZUDKw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZsXJ4X8Wz14MK for ; Wed, 10 Jun 2026 04:01:20 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 27497 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 04:01:20 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kyle Evans Subject: git: f77062f506f7 - stable/15 - lualoader: add be-list and be-switch commands List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: f77062f506f7bc752316da35e8d7da9a1ddb0d91 Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 04:01:20 +0000 Message-Id: <6a28e190.27497.1dff56e2@gitrepo.freebsd.org> The branch stable/15 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=f77062f506f7bc752316da35e8d7da9a1ddb0d91 commit f77062f506f7bc752316da35e8d7da9a1ddb0d91 Author: Kyle Evans AuthorDate: 2026-06-04 13:57:16 +0000 Commit: Kyle Evans CommitDate: 2026-06-10 04:00:39 +0000 lualoader: add be-list and be-switch commands This is useful for driving BE changes from the loader command prompt, rather than having to use the menu. Note that the active carousel in the boot environment carousel doesn't currently reflect a switch in boot environments done this way- I'm considering this only a minor bug, as you probably can't or won't go back to the menu if you're using these commands. Reviewed by: imp (previous version) (cherry picked from commit c7ff706b31c22f10c2403869c46b443448da3e08) --- stand/lua/cli.lua | 23 +++++++++++++++++++++++ stand/lua/core.lua | 43 +++++++++++++++++++++++++++++++++++++++++++ stand/lua/core.lua.8 | 17 ++++++++++++++++- stand/lua/menu.lua | 7 +------ stand/man/loader.8 | 15 ++++++++++++++- 5 files changed, 97 insertions(+), 8 deletions(-) diff --git a/stand/lua/cli.lua b/stand/lua/cli.lua index 6832da0a31a5..a405baba9468 100644 --- a/stand/lua/cli.lua +++ b/stand/lua/cli.lua @@ -172,6 +172,29 @@ cli["disable-module"] = function(...) setModule(argv[1], false) end +cli['be-list'] = function(...) + local _, argv = cli.arguments(...) + if #argv ~= 0 then + print("usage error: be-list") + return + end + + for _, bootenv in core.bootenvIter() do + print(bootenv) + end +end + +cli['be-switch'] = function(...) + local _, argv = cli.arguments(...) + if #argv == 0 then + print("usage error: be-switch beName") + return + end + + local env = argv[1] + core.switchBE(env) +end + cli["toggle-module"] = function(...) local _, argv = cli.arguments(...) if #argv == 0 then diff --git a/stand/lua/core.lua b/stand/lua/core.lua index c276f61e5904..687376cbc40f 100644 --- a/stand/lua/core.lua +++ b/stand/lua/core.lua @@ -314,6 +314,21 @@ function core.bootenvFilter(func) return oldf end +function core.bootenvIter() + local envs = core.bootenvList() + + if #envs ~= 0 then + local root = "zfs:" .. loader.getenv("zfs_be_root") .. "/" + + for idx, bespec in ipairs(envs) do + bespec = bespec:gsub("^" .. root, "") + envs[idx] = bespec + end + end + + return next, envs, nil +end + function core.bootenvList() local bootenv_count = tonumber(loader.getenv(bootenv_list .. "_count")) local bootenvs = {} @@ -567,6 +582,34 @@ function core.nextConsoleChoice() end end +function core.switchBE(env) + -- This branch will most likely be taken by the switch-be CLI command, + -- not by the menu. We could do some more validation that it's a valid + -- BE and let the user fully specify a zfs:be/dataset to avoid the + -- validation, but this isn't done at the moment. + if not env:match("^zfs:") then + local root = loader.getenv("zfs_be_root") + + if not root then + print("ZFS BE root not available -- no action taken") + return + end + + if not env:match("^" .. root) then + env = "zfs:" .. root .. "/" .. env + else + env = "zfs:" .. env + end + end + + loader.setenv("vfs.root.mountfrom", env) + loader.setenv("currdev", env .. ":") + config.reload() + if loader.getenv("kernelname") ~= nil then + loader.perform("unload") + end +end + -- The graphical-enabled loaders have unicode drawing character support. The -- text-only ones do not. We check the old and new bindings for term_drawrect as -- a proxy for unicode support, which will work on older boot loaders as well diff --git a/stand/lua/core.lua.8 b/stand/lua/core.lua.8 index 325320b2fce8..5cb2b46bd9d1 100644 --- a/stand/lua/core.lua.8 +++ b/stand/lua/core.lua.8 @@ -24,7 +24,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd April 8, 2026 +.Dd June 4, 2026 .Dt CORE.LUA 8 .Os .Sh NAME @@ -175,6 +175,12 @@ returns true, then the boot environment is retained in the list. Otherwise, the boot environment is hidden. The old filter, if any, is returned to allow the caller to compose a filter on top of another filter. +.It Fn core.bootenvIter +Returns an iterator over the known boot environment list. +The returned boot environment names do not include the boot environmnt root, +which would need to be added back on from the +.Ev zfs_be_root +environment variable. .It Fn core.bootenvList Returns a table of boot environments, or an empty table. These will be picked up using the @@ -229,6 +235,15 @@ If there are no elements, this returns nil and nil. If there is one element, this returns the front element and an empty table. This will not operate on truly associative tables; numeric indices are required. +.It Fn core.switchBE beName +Switch to the requested +.Fa beName . +It may be either be formatted as a fully-qualified loader dataset path +.Dq zfs:pool/ROOT/beName , +or like one of +.Dq pool/ROOT/beName +or +.Dq beName . .It Fn core.loaderTooOld Returns true if the loader is too old. Specifically, this means, is the loader old enough to require one or more diff --git a/stand/lua/menu.lua b/stand/lua/menu.lua index fb0645eb46ba..fb2603eb4b4c 100644 --- a/stand/lua/menu.lua +++ b/stand/lua/menu.lua @@ -53,12 +53,7 @@ local function OnOff(str, value) end local function bootenvSet(env) - loader.setenv("vfs.root.mountfrom", env) - loader.setenv("currdev", env .. ":") - config.reload() - if loader.getenv("kernelname") ~= nil then - loader.perform("unload") - end + core.switchBE(env) end local function multiUserPrompt() diff --git a/stand/man/loader.8 b/stand/man/loader.8 index 484e0a7b300c..e35414049e23 100644 --- a/stand/man/loader.8 +++ b/stand/man/loader.8 @@ -26,7 +26,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd November 14, 2025 +.Dd June 4, 2026 .Dt LOADER 8 .Os .Sh NAME @@ -97,6 +97,19 @@ and .Pp .Bl -tag -width indent -compact .\" sort the following entries according to the second field +.It Ic be-list +Lists the boot environments that are visible to +.Nm . +The listed names may be used directly with +.Ic be-switch . +.It Ic be-switch Ar beName +Switch to the +.Ar beName +boot environment. +The +.Nm +configuration will be reloaded from the new root, and any previously loaded +kernel and modules will be immediately unloaded. .It Ic boot-conf Load the .Nm From nobody Wed Jun 10 07:49:19 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZybM4GQ8z6hJV7 for ; Wed, 10 Jun 2026 07:49:19 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZybM3TSkz3RPG for ; Wed, 10 Jun 2026 07:49:19 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781077759; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=nFTjraTsF9tNoU7ojFGzClX7P84FcyKy/thSvvnmUgI=; b=k/kHcV5ntfBZkQeSu4U+vaC1iX9v9yidgR46K8E/vpZjGvF95qYxB5UeAqZd6/eS6mfCzD syhTV+UP3l2rZ742AjG3gbme8hDa/Dr9r1EdMp316f6BRLBqMe9jTh139nRwx0VAc+cIXA +tr2HHvXcIRfbIji8sHANnDOjNqDzrF+Gjthdq14Dk9yLI+ehhMQ4GKZb/bPrNu10SnzNa P2Kdm41sG9AD8zBH2NDRqM81iqp3WzSEafl74QNGRXHJPu4VtN3cFy/rILu0nXsSUx2GqM 5lmtZTqhB6MEyrIzO+UZhvwpvnneXv1sL4DpUzry2WebiOi6FrmCcAWD8D3CCg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781077759; a=rsa-sha256; cv=none; b=euSNUwQLsU3WO3bBPsoYTd9ONQmjwAUuzHu7FE/ZR/uTmv91w1nywmeW7DPxyRScNf9F5L DPXcQKdPaCw85KOVEFLzuB8kP+3G//DViftGs2E241DjwdncpKWrYMKra3MBzYRbiSql3e PTh7Fpq5xy7Iyoh+oUlb4r47fWANBP8N9pgWJnn612Gc4OkeIxP3/1B2OMc+vMx70MRKb9 e2+SR642xCxqzwf03YDAUi/8ev2F/pO6lwbMder1dWcm5CufEGH0Ew7jA3ZVdlwOrpuQAM rRK1IDRFCtGA1nfU8QyshYuTECkwfonSFV4YzLACNq1HUNcgQKGfkpdqG+ebkw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781077759; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=nFTjraTsF9tNoU7ojFGzClX7P84FcyKy/thSvvnmUgI=; b=UmVNCflFkQlABe0L0tuVksoR24EXFjPPQYvJBOEKqHLgu1N4a66TZZdir5ju/CeiAW2maZ Jz95xlNT5/6apeacC6byGHciLeVOsDoftgVMTUR5obHsvoodOTwEy7iZE4eYRyqw3KRWse SKw4RVDDR570Nt7Dose9ote6tinyeVgc9igmtPVSNUjsB7mHuy++2X8Nt4mex+wlHW5zxd BH1clwokjKuKOeasH7xTfhi0WGEGjQZ5G9D85m5voW25L97pVE8p1ng0uBZlkTmdgtUnkd 79BhNzVqRnOZezuS2YuKzA+gj6meKFb+ic5AlKLcJ0QvWS5GZhMJbTP69mKNDw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZybM2tMHz1BB0 for ; Wed, 10 Jun 2026 07:49:19 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 45539 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 07:49:19 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kristof Provost Subject: git: b0f75189f6cb - stable/15 - pfdenied: fix checking root anchor List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: b0f75189f6cbaf288173d679b6600e3250c07c3d Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 07:49:19 +0000 Message-Id: <6a2916ff.45539.3bf753c7@gitrepo.freebsd.org> The branch stable/15 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=b0f75189f6cbaf288173d679b6600e3250c07c3d commit b0f75189f6cbaf288173d679b6600e3250c07c3d Author: Kristof Provost AuthorDate: 2026-06-03 08:49:31 +0000 Commit: Kristof Provost CommitDate: 2026-06-10 07:47:49 +0000 pfdenied: fix checking root anchor pfctl doesn't like empty anchors (-a ''), but we can specify the root anchor as '/' too, so do that instead. PR: 295324 Tested by: Paweł Krawczyk MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 3d9cd10b2857ee7a9ec1b04457d9ec44f614d32c) --- usr.sbin/periodic/etc/security/520.pfdenied | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr.sbin/periodic/etc/security/520.pfdenied b/usr.sbin/periodic/etc/security/520.pfdenied index d87dfa0ae64c..a3cddf30d726 100755 --- a/usr.sbin/periodic/etc/security/520.pfdenied +++ b/usr.sbin/periodic/etc/security/520.pfdenied @@ -41,7 +41,7 @@ rc=0 if check_yesno_period security_status_pfdenied_enable then TMP=`mktemp -t security` - for _a in "" $(pfctl -a "blacklistd" -sA 2>/dev/null) $(pfctl -a "blocklistd" -sA 2>/dev/null) ${security_status_pfdenied_additionalanchors} + for _a in "/" $(pfctl -a "blacklistd" -sA 2>/dev/null) $(pfctl -a "blocklistd" -sA 2>/dev/null) ${security_status_pfdenied_additionalanchors} do pfctl -a "${_a}" -sr -v -z 2>/dev/null | \ nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP} From nobody Wed Jun 10 07:49:23 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZybS0rBzz6hJZS for ; Wed, 10 Jun 2026 07:49:24 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZybR4jp6z3RQr for ; Wed, 10 Jun 2026 07:49:23 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781077763; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=rfQyoByLYfw2GOMSWrlPrXmSKg0XEqPwu1V6qbPydKQ=; b=lvh8J0KjDmmCrecDV30roLfhn40fLYyXMIIzd3Fj8vudAz9s4JMmSIshfZUjHIRzPHQbrq b5OZ0J0iADqYUHhHZ0VGwWEEoHlCvRzSGeASdTj5gBO9t+Ak447K5UIKMmz+UB+DESqpR3 MwOM5dNS9CFDHN7GEs5oiFS9+DsDy2TODGEkd9pxna9XA6y/fiSREZO0E27cnk6wSYvtim 0fHMc3PF5VhGa74rgkjy3+JHnrWuS0vyQ3yEh5USLOAjO6MHEeT9zSUdGAkni7svHmZBhS HNIWWZE4XQC5zXkJWw/q7qwdJ9aO2yeQyXxIu2I6YUYtfBxvmJKm5gon9FZkNw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781077763; a=rsa-sha256; cv=none; b=xV2aOrJGnqx6y5TRgcCmHpzpiJeJKdRJNTImD3TFt2H16qt0GMiGZRnVeCpnGtmT3YlICP +oMphdc0w8N5GDt9bUdHmazkWvGvDWdBuVDCJYqUh5CFc6Sp2gHmd7gybiA7V/dLo2QxsD rwq4Ygpf70BqXU+qRy5FEjLjRODjUB3aDBZTzWRee+8VGMKJJOJqZJKMbkOeerhXPlwTQK OUSVTZNBa6OpkDSqCzGwLyUkEgglAT50zCCnHsvRcksDyOMiDUpBJLmtk43o5iBnhlaCeB LBcAScLBAcNHxVvTKGhYj5eCDorbN1h5UjhGYvwkpJ1d2f8PHJdksjh8R8Fx1A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781077763; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=rfQyoByLYfw2GOMSWrlPrXmSKg0XEqPwu1V6qbPydKQ=; b=Wne+ryOr4ooqpKaSm+tlzDHcaBI7QEauZdhsjaVzF3fiyYgYFve8ufHubVitX7r6ows9j3 6ND084uen2Ldsqp+D8l4BQSTLtZvErInQynRCLQeMA+charXZbd1b8qjbgfdOMgjlAkeBA 1Jt23QsnxhZ7y8T4VhaqeEV2s2URWvnSdl2oCls/2YKmCi/paBqRxofwCgyJy7Sbl/vVfc sblJjvPVbu4o/+mfW/xW0HiXruiTvsKUkhIWvEYxPAQfk6pDryAkkTSh0ntDpD0wGWlyI/ zER/5uPP00RCDEP5vNKfdA+EYNOoBmrdFLBWpNigViY1/DTNNEpNDVhfWAEPIg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZybR3yCCz19j2 for ; Wed, 10 Jun 2026 07:49:23 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 468a3 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 07:49:23 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kristof Provost Subject: git: 4df539cc3864 - stable/14 - pfdenied: fix checking root anchor List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 4df539cc3864f45e980774ac77238e0781b930d7 Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 07:49:23 +0000 Message-Id: <6a291703.468a3.67bfa4fd@gitrepo.freebsd.org> The branch stable/14 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=4df539cc3864f45e980774ac77238e0781b930d7 commit 4df539cc3864f45e980774ac77238e0781b930d7 Author: Kristof Provost AuthorDate: 2026-06-03 08:49:31 +0000 Commit: Kristof Provost CommitDate: 2026-06-10 07:49:01 +0000 pfdenied: fix checking root anchor pfctl doesn't like empty anchors (-a ''), but we can specify the root anchor as '/' too, so do that instead. PR: 295324 Tested by: Paweł Krawczyk MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 3d9cd10b2857ee7a9ec1b04457d9ec44f614d32c) --- usr.sbin/periodic/etc/security/520.pfdenied | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr.sbin/periodic/etc/security/520.pfdenied b/usr.sbin/periodic/etc/security/520.pfdenied index 9852936257bc..ddf32e5a34b4 100755 --- a/usr.sbin/periodic/etc/security/520.pfdenied +++ b/usr.sbin/periodic/etc/security/520.pfdenied @@ -41,7 +41,7 @@ rc=0 if check_yesno_period security_status_pfdenied_enable then TMP=`mktemp -t security` - for _a in "" $(pfctl -a "blacklistd" -sA 2>/dev/null) ${security_status_pfdenied_additionalanchors} + for _a in "/" $(pfctl -a "blacklistd" -sA 2>/dev/null) ${security_status_pfdenied_additionalanchors} do pfctl -a "${_a}" -sr -v -z 2>/dev/null | \ nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP} From nobody Wed Jun 10 13:44:59 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gb6Tl5B94z6gRbP for ; Wed, 10 Jun 2026 13:44:59 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gb6Tl1JjKz3M1f for ; Wed, 10 Jun 2026 13:44:59 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781099099; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=OO/J885mRLwDk1/M/YVRlpOcRnFgez+yTQnk8SGkK30=; b=YjvoY26c66tw8r7xlXb9CwmNgmMV6edZYEGvDTKSdKdk6BCRK4qdWam9E1Xifm3HotB8c+ SLcT04kP3vE8o7Lfp4M4uVtzWdFQsCA5XMG/ImxRTYQ8U+dS+DjT9MBxiGirHIidhGCKOz q6YvyD6jlCafS9lDlwVVH1FblbEFnEUWt+8fyMz9LJHIOKnYMzDL9Pm01v5r8d3w8vqjdf hIp7BzzTAs11gO3sNXOWHtGgQJbeaDURnNEEKaoeNHqvomrbHp1bcZkIBzhVRstr/fM9hc AR/KYKcG0OkAyr+qZo8e2fVv4ewILe5AIrPgI2z+AL71RvnRg6HfnHrrY1y3EA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781099099; a=rsa-sha256; cv=none; b=l5v4CVhAj2blOWrKLjbVtwZyNHNc1wrkmWxEkLkruSKpy8LIRlJPJ3eMmj9CHS1GkWbSgP X6ZqmTfrxjl9eD03dUMGiMjnN0+BGUUD30TPoUUD2uGAz5fxkNY6xGckURjNry+ryIpIz1 s5zR5NIcY3Osm5gDaJ1nzo/8dO5wR+/CCD7Sr5wgybo6XlbWGlUcHCElEItdFCfJG31QyY 8tLLfR4kqlJNlQgzCx/7Vlf5oDioMK1g/b1CBBlAQPKikRO5nFNO1Z4fYJmMSf6CovlJ0Z RogvG4fFkd7UKFN2LwzSHyVA4d2re5EpJmRx4GR7ozKTeOXgKvGXi6rGksBlVQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781099099; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=OO/J885mRLwDk1/M/YVRlpOcRnFgez+yTQnk8SGkK30=; b=aFx6r1ccrat7WDdGt8br22mSiOa13yqCnD1qpxuFzuBM5yd/0fo3u2wAP0nLLG/DyJGZSJ esQz+L+d4iQyw826+wPic/X/TytEKNO9Pca7KPnmG00MIewH+Ew1UpOMFm90usF2SeU2E1 hiBb3xCtby2VKt+lkspHz0GasxRqD0xIxzxmPTOYR4I1htHZmyvfn5iNFR0onmFvUkql/1 ZqEnlX0xsFdqzqD2bXAZjp3IoVrLx1XFY2BAH+/BkfxSrqYC33uYgn+Xlk/s17B02ZuSsY 99d4hGS5AE8cY9clq9ldhuiekzok97+6EWjj0v6ipLtqefuCpxjaIkdt3Br57A== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gb6Tl0tSnz1Mbn for ; Wed, 10 Jun 2026 13:44:59 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 1e00b by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 13:44:59 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: 88534471b32c - stable/15 - xinstall: Add test for -d -s not allowed together List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 88534471b32cb7f57bafac2d215c05d5e7dabda0 Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 13:44:59 +0000 Message-Id: <6a296a5b.1e00b.5071d72d@gitrepo.freebsd.org> The branch stable/15 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=88534471b32cb7f57bafac2d215c05d5e7dabda0 commit 88534471b32cb7f57bafac2d215c05d5e7dabda0 Author: Ed Maste AuthorDate: 2026-06-03 14:13:45 +0000 Commit: Ed Maste CommitDate: 2026-06-10 13:43:59 +0000 xinstall: Add test for -d -s not allowed together Reviewed by: des Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57403 (cherry picked from commit 4908bea5b7f5de70032e201e718958ef40bc3b03) --- usr.bin/xinstall/tests/install_test.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/usr.bin/xinstall/tests/install_test.sh b/usr.bin/xinstall/tests/install_test.sh index 3cea648aa805..6b091f26b377 100755 --- a/usr.bin/xinstall/tests/install_test.sh +++ b/usr.bin/xinstall/tests/install_test.sh @@ -25,6 +25,12 @@ # # +atf_test_case incompatible_opts +incompatible_opts_body() { + atf_check -s not-exit:0 -e match:"specified together" \ + install -s -d dir1 +} + atf_test_case copy_to_empty copy_to_empty_body() { printf 'test\n123\r456\r\n789\0z' >testf @@ -549,6 +555,7 @@ digest_body() { } atf_init_test_cases() { + atf_add_test_case incompatible_opts atf_add_test_case copy_to_empty atf_add_test_case copy_to_nonexistent atf_add_test_case copy_to_nonexistent_dir From nobody Wed Jun 10 13:45:00 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gb6Tm6CTxz6gRd7 for ; Wed, 10 Jun 2026 13:45:00 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gb6Tm2Dwcz3M66 for ; Wed, 10 Jun 2026 13:45:00 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781099100; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=gAcl7Pw7l5VYRaoLGnDXXtsqcGoZw0t34WxKPUcTyo0=; b=lPjvFGdqKwgQglvWam65rXe1E6HsbIVViVnb/eruw7xt2r1ZQpV7IsBDTcy/3Sza+UeW8j gOQkxHQMaq3f98fwQKjapYZ9G6G9VhsjMC2nf1gCdpykYN2IIOWgv5ehIDVRWx9xRqvEjg gF9Q5zw7JKoF79hsuUmloN8lz6j0ldfbrZ21rigxhfuDpiLCyX4h9cAwL5l9faV42Jst/G g9q9DG4iFxnSmm/Cxvmh4Uanni/Hj65kFFGR7Gv8NSuHvAwWJsoGif39eITMiv2lU4oyW2 dzD5E+tD2s7QMETO5xkFcWB/pPdL8n+nXVelAdqVE92KFMAVKoeIozdTlXqz5w== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781099100; a=rsa-sha256; cv=none; b=rb9nYP0Ymoqb4ShJLzJcYxfIZmnzcCdm3Ynycen1TSGW37jozYI1ESEmmfHz2k9L3alDI0 PFGXY2sF8JzIr/rUIMVVCCdVwjrzdLrvMuApg4L9IF/CEi9TiTXAYZaFuic8M84lQIxGy5 Y794NlUJNeAntYd8i/8UWHNMtmt66NMwafFLLBJhlrSn5/oRS/IlKSl7Rr+AgPjbiKO5e3 0Po9UnoEl54BdyJMFW1hj6geH6Vus32ABoqrg3exOrFCnMcS8oBpDeyshhtmHGaAv0EkKA Is474rDu3x1cNlUriekUK/aPOmiMxI3igpdBVtQ9hrVzZQ/y3u+nOgSVSfHyAg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781099100; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=gAcl7Pw7l5VYRaoLGnDXXtsqcGoZw0t34WxKPUcTyo0=; b=NfJhzVTbTNBiK/50CET81XHT6SgSVrBN8pndqm4yaOwVSfgChdu6lnDFMwc6ygUWIp4Q6t 7LnBzHSFSk31QsJeLgK1pPlzTlDoGWS2pYzLMP8A5EnmqGOSBzp0qTEOGwgzt4ucoufsZd uZgyIVCoaTC1vpBQqlbxUXWAoFpRgOpKjXyVzet7Ad7iyrTURrt1XkcjhQW0hF0h8f/w19 zzq2SHAkwMwCMkG/xPcKOYb7787qnxTCH0+vd3LBvcXpD6jmxW83e5QIPqoNCBC6yKgc/B ei88q3AoS2oLCGQXbaRPigkzcclt3yjzEELUXhRglvAcou9Bm/J8YWnSEG/DnA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gb6Tm1h86z1Mf4 for ; Wed, 10 Jun 2026 13:45:00 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 1d7a3 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 13:45:00 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: 4b570289f0cc - stable/15 - xinstall: Do not allow -l and -s together List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 4b570289f0ccccdd35a47e62fec95835842c26fb Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 13:45:00 +0000 Message-Id: <6a296a5c.1d7a3.4659b1ff@gitrepo.freebsd.org> The branch stable/15 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=4b570289f0ccccdd35a47e62fec95835842c26fb commit 4b570289f0ccccdd35a47e62fec95835842c26fb Author: Ed Maste AuthorDate: 2026-06-03 01:27:54 +0000 Commit: Ed Maste CommitDate: 2026-06-10 13:43:59 +0000 xinstall: Do not allow -l and -s together Cannot strip the target if creating a link. Reviewed by: des Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57398 (cherry picked from commit 521afce6a859c1d7ac9674e8f21ff45418becaf5) --- usr.bin/xinstall/tests/install_test.sh | 3 +++ usr.bin/xinstall/xinstall.c | 6 ++++++ 2 files changed, 9 insertions(+) diff --git a/usr.bin/xinstall/tests/install_test.sh b/usr.bin/xinstall/tests/install_test.sh index 6b091f26b377..377920200490 100755 --- a/usr.bin/xinstall/tests/install_test.sh +++ b/usr.bin/xinstall/tests/install_test.sh @@ -27,8 +27,11 @@ atf_test_case incompatible_opts incompatible_opts_body() { + printf 'test\n123\r456\r\n789\0z' >testf atf_check -s not-exit:0 -e match:"specified together" \ install -s -d dir1 + atf_check -s not-exit:0 -e match:"specified together" \ + install -s -l s testf copyf } atf_test_case copy_to_empty diff --git a/usr.bin/xinstall/xinstall.c b/usr.bin/xinstall/xinstall.c index 1aed8c1b24e4..c5acd536ef64 100644 --- a/usr.bin/xinstall/xinstall.c +++ b/usr.bin/xinstall/xinstall.c @@ -283,6 +283,12 @@ main(int argc, char *argv[]) usage(); } + /* Cannot strip if creating a link. */ + if (dostrip && dolink) { + warnx("-l and -s may not be specified together"); + usage(); + } + /* * Default permissions based on whether we're a directory or not, since * an +X may mean that we need to set the execute bit. From nobody Wed Jun 10 13:45:01 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gb6Tp1C2yz6gRd8 for ; Wed, 10 Jun 2026 13:45:02 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gb6Tn33h8z3LsB for ; Wed, 10 Jun 2026 13:45:01 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781099101; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=HiynjSiLa80z57EcVyw6Rk34DLRU02tD0C6cBQNqHDM=; b=jnxNSndi6uNfFhLue5bwI/uLpzVFpKf8nehz6Svn9B1AmYU4iWrkSlXXbPB59RNnpRyWnq etbogtyHWAhtFzjcp9nevr6EQZI5hXiLclVZrprXsFYHeHKYT0rZHMGbYn+YRyFrTBSrra CVLcYDbHuD2CZ4zSNOaoyEcOpdeKVZUbynI3Q9zQjtac3z3HZaAl+BFwBxmOeRsBeWpOP7 ul6BWwokX2vN5EOdFUwcqcS/VdFXIy1obRap2X8F5xiDyVyO+WlpN4p8EPYeRJtoE5BYfr IgHjMbvlsDcZAW6ajfGW7Xt6nBqEpb0aSuuWrfuOcg34iB+b+yCoE6WC/jSqug== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781099101; a=rsa-sha256; cv=none; b=Bo7RrDNJ75hWBg48UP7DaAfUXoZrehFBED5sA4ZNzCOTu3ASroxnOQat/yREHqj0sLsPnl iXIZBa/hKVwl++nHX0uQW7ZTgojt4hk/tviHdEQUzugWBLB9ScFRqFWNOY03/lwLsprK2s SHSJ6M6V25n24N2SlYZCdbQpVC+xjAL+2ALdWbFqrCHZQeAY3Nq3+8NbDotWDCAkx8DD+S MLzBM2nR0tZcld/ex1QYDyhYfFjhkGExd89Y+oI6PY7tH6p0SrxzWZq5OZmaD55lLI6TGq uZujPeS5lNx4u9eIiBBVeG76iPZ6x4BPXPgDiE0taNqwTELybd3rQbs0qyiKHA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781099101; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=HiynjSiLa80z57EcVyw6Rk34DLRU02tD0C6cBQNqHDM=; b=CPNGY98AJS4mRiE2MSN2xItnO/Sgy7NYoyCA3KqJasBOdSr+NEMXcA+MnDs6+k3G+0wEOu +6rvEuv1ux+oj0/GDuQSR3rklEFV8itzh0BlNgltfeUii56b9OtIg8eS3Vz+rMLBipwE66 qp45r9M2o4uijPvvy/ZlvvaCVtxmMgpR6No31ICcCWRUSzP8qCcv9znX2dqCnxoE/PXDmy B5/h7eQpECKUDuVJPNUdMmC0dcflPDU6HO8qJCFwDq5F9V1wXsno0Su9aHlAll4yl8Qd1q sP57/4ChkiazVMUbsaLmM0mEbLtW7RQEGwOo3cTFmefpmyuhcDymP9Ml4ZMwxg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gb6Tn2RvQz1LvG for ; Wed, 10 Jun 2026 13:45:01 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 1c85d by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 13:45:01 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: 5ccda2174f70 - stable/15 - install.1: Document options incompatible with -s List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 5ccda2174f70968f61fe19dfee04041a2b743edb Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 13:45:01 +0000 Message-Id: <6a296a5d.1c85d.7252be37@gitrepo.freebsd.org> The branch stable/15 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=5ccda2174f70968f61fe19dfee04041a2b743edb commit 5ccda2174f70968f61fe19dfee04041a2b743edb Author: Ed Maste AuthorDate: 2026-06-03 15:35:59 +0000 Commit: Ed Maste CommitDate: 2026-06-10 13:43:59 +0000 install.1: Document options incompatible with -s Reported by: des Reviewed by: ziaee Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57409 (cherry picked from commit b49021b49a78ca6a9e3a1a59c5aa6f2fec503afb) --- usr.bin/xinstall/install.1 | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/usr.bin/xinstall/install.1 b/usr.bin/xinstall/install.1 index c923321f20fe..2120706e271e 100644 --- a/usr.bin/xinstall/install.1 +++ b/usr.bin/xinstall/install.1 @@ -25,7 +25,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd April 16, 2024 +.Dd June 3, 2026 .Dt INSTALL 1 .Os .Sh NAME @@ -248,6 +248,10 @@ number of systems and binary types. See below for how .Nm can be instructed to use another program to strip binaries. +This option is incompatible with +.Fl d +and +.Fl l . .It Fl T Ar tags Specify the .Xr mtree 8 From nobody Wed Jun 10 13:45:02 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gb6Tp5ZbNz6gRYg for ; Wed, 10 Jun 2026 13:45:02 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gb6Tp3NhMz3LsN for ; Wed, 10 Jun 2026 13:45:02 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781099102; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=IB+wkreouw4n/M5HDFKYsQ6hQQfsVcnrXJJKa94bK/c=; b=XLVJrJ9zZN4HnpUiMC04b0ibeNz16czVNNkTBLt0Eq5Hq2uGFQSWCScZSRb1aBoxWeqJ8q VBWpgbQrhVC40MKAtSk/iTul2dwwzezsV8MZj9ec/ZUWHjn5ymDuwG3wkNM+wfSYwFco/i l89vXKGwAoeXXTUDV4ei9/uJc6mDK5iDcOohrr/FqH2+BQeO69y3A/0+ZIL/U1+6kPqDxH QFk0I7ZJonzWFU426QVm2hOgpu2wKVGsIO+hmkrMMrrdCMT3rPbxTQwEkJPZtS6gJICt5K PjsA72L2y3+UBU62La+oLY171+cdqEOts/UJ5CA1pCzh7wYQQ7411o1AOe7R2g== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781099102; a=rsa-sha256; cv=none; b=rjae6va/s6qKo/QoqB0EsmweaAjrfbCc9skofvfVFGxWQuH/WRN/AsYgDd8h35fYtNbxL1 75Zqz7Lhl6Lz3Kse2UvLy0jLHSk1kcL0E9rvad5caAUanFf8sRI36JkFLKego9qmDsu6Kz ISnyPzpszBnYxNwZayaIhCfldedJQycOmucIp4Ltbf/NmUF9w9YAvJO1sc2HcxvArzCx28 ckVLYBrCnx2M3eAQIgtzW60Zns60WiDrJ75uPWq9lIqlD6c8UUDnJDGDBQ0xuDQcjVoO5E o+IqKuNmgPVoidlcE+CmmoW0bIOgt4cRgu924Kzfpj4KHGFNS9MQu6T7daSTmg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781099102; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=IB+wkreouw4n/M5HDFKYsQ6hQQfsVcnrXJJKa94bK/c=; b=lCa4aDcFi1rGAI5qSwXkeXXPJgwzM3nsQvtiDm7qU35zwgFZsLBgqLwxT9u8K2Rnrq82Of k/k2Ac6zSRWR/BJnFtpfWJ+2sCFgLmgKjbnkngtsGVCh5JalyBAovqnclGpgrnM6bjEJTD yZGViQLTFmG/5vh9VkaCFONUMN24fn+J22bmqGMVb17SrDocn+cXaKVHtYx+SZOgGHP5QF OpNMLQMqG5FxF88nb+soppp6zEyntdOk5BCI7tSZbUgEfxhNUke63Ujv6FnsyFejOxg6nc MBN37feCC2e6y+FTxvkGkQXoOVIAopbsTfV/ZqSTtTuF5ETR2H8s3WiCT7QiRQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gb6Tp2n6vz1MYV for ; Wed, 10 Jun 2026 13:45:02 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 1e17e by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 13:45:02 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: 166532ee0c1e - stable/15 - install.1: Convert link flags to a table List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 166532ee0c1e740dbbad331ae4d03710f0d86cac Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 13:45:02 +0000 Message-Id: <6a296a5e.1e17e.394aa147@gitrepo.freebsd.org> The branch stable/15 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=166532ee0c1e740dbbad331ae4d03710f0d86cac commit 166532ee0c1e740dbbad331ae4d03710f0d86cac Author: Ed Maste AuthorDate: 2026-06-03 17:50:51 +0000 Commit: Ed Maste CommitDate: 2026-06-10 13:43:59 +0000 install.1: Convert link flags to a table The five link flags get lost in prose. Reviewed by: ziaee Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57418 (cherry picked from commit 248dd56d2dea03e4723e8225b890d02fcc10973f) --- usr.bin/xinstall/install.1 | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/usr.bin/xinstall/install.1 b/usr.bin/xinstall/install.1 index 2120706e271e..c6a55632891c 100644 --- a/usr.bin/xinstall/install.1 +++ b/usr.bin/xinstall/install.1 @@ -174,16 +174,19 @@ argument. Valid .Ar linkflags are: -.Ar a -(absolute), -.Ar r -(relative), -.Ar h -(hard), -.Ar s -(symbolic), -.Ar m -(mixed). +.Bl -tag -width a -offset indent +.It Sy a +absolute +.It Sy r +relative +.It Sy h +hard +.It Sy s +symbolic +.It Sy m +mixed +.El +.Pp Absolute and relative have effect only for symbolic links. Mixed links are hard links for files on the same filesystem, symbolic otherwise. From nobody Wed Jun 10 13:52:06 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gb6dz01dsz6gSZQ for ; Wed, 10 Jun 2026 13:52:07 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gb6dy4g4rz3Npp for ; Wed, 10 Jun 2026 13:52:06 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781099526; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=GGfUQKbKvf7XLBNpPBE5T/NW+xyiXxuZWHa7/nzxd94=; b=p+EqObyLeBT9kW8BCIhrA2qXOYqSY9BRzDs/2gffiujNxTZHKvq0zh1UfTDinwvOiYssNT qFY/tAXyOzGEj1UFSt3jEAHEtdhYKhxi6wP8BiMsoUE1ZYmbHQfbZ5HYHXXIrIGaDv1r+o yctZ3mhpsSYIpXCtQG/eEKqhJr14mEpEQMxx6zZ/qJ7hbyseoxqGhCfykGCsl2vMM5SBtx m5cSs2Rt6nJi68L0lU00csKxzYXr8OeNgeKUIJoc2++1xr+oXDUf4u8slcNtOxZZu8hUK9 OtxQF5YEuqayWcQIWm8GMkqy5fmdWFCJfLNtBdA9dbz9/28kY8JzCouCm7ddKQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781099526; a=rsa-sha256; cv=none; b=NgXQ6mCRStTBtZvTn8C3ylzhyOLb8xc367o+JaP7RaYmsl+AlYy8urti05iYcsxKWHmu2q lig9r0W2HssTQl/BBQo+t+U95lvRoERz+VOKnhjbOXDE6bUSFSXTAVbOW5fkm5ti+dBSLY YHNgC3zSNEOLzerTh94J0W5UulF75/Ab0uMuKuMsq7+Fk+HL5v3MFonqYznNDQUlD0rG1v PwlQ/8tlu469+ikiwWP/2MeD6GkuOmQNM0Ifo86HhW8Rk4CeUWo9KVZJWjBsgkoEvChCCD FlQLL7yIEkREBKW4fTjFztZhGledzdieRAuR2w/OyM9HYTkSZwGcro5Mb06usA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781099526; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=GGfUQKbKvf7XLBNpPBE5T/NW+xyiXxuZWHa7/nzxd94=; b=gsnds7B7kRzMUMwMl4fsVnwYp4c4uybLTwplDuNB41Dk8POEpvHn0Bc+vzJ982QxYiG4Fs E/tIyTCS97t7G5SyksLmPa6veIPkfHubXwJlTawbY+YvCy7AjZepoBNrS/nUy8U4tS3zNU /lgQdXDmCkRuTbrHRUF7/sxeAcPlNZg9XmM1cb75MOSJzNCZAq25MwiHu3cXwUZsf/Thqc Hwdn/9YbVxlIRvtWApcAboxY8Wy/pvfvHS0HOnPX++I25d09ImahZU442vzp+j68SPUctk 7ACu5fJVvMs3VjYR933Co+8is/SjJN53yOt9yNLBFo9PNpn/BKaibPgX1dysuA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gb6dy3gxVz1McJ for ; Wed, 10 Jun 2026 13:52:06 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 1e72e by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 13:52:06 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: f2f67df8c92b - stable/15 - mii: Fix SMSC name List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: f2f67df8c92b51d0bff9c226755cd31c8d685573 Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 13:52:06 +0000 Message-Id: <6a296c06.1e72e.4979c2ab@gitrepo.freebsd.org> The branch stable/15 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=f2f67df8c92b51d0bff9c226755cd31c8d685573 commit f2f67df8c92b51d0bff9c226755cd31c8d685573 Author: Ed Maste AuthorDate: 2026-05-04 23:13:44 +0000 Commit: Ed Maste CommitDate: 2026-06-10 13:44:00 +0000 mii: Fix SMSC name The LAN8700 / LAN8710 PHYs were Standard Microsystems Corporation (SMSC) parts. I presume SMC was chosen as an abbreviation, but the company always used SMSC as its short name. SMSC was acquired by Microchip in 2012. I kept the pre-acquisition name, as NetBSD (from where we obtained miidevs) uses SMSC. Reviewed by: adrian Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D56819 (cherry picked from commit 89c883c09ab5e0fdca7ac5dfe74fcc46b7669eb5) --- sys/dev/mii/miidevs | 8 ++++---- sys/dev/mii/smscphy.c | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/sys/dev/mii/miidevs b/sys/dev/mii/miidevs index 5c10fd0f0224..ca4b061a13ee 100644 --- a/sys/dev/mii/miidevs +++ b/sys/dev/mii/miidevs @@ -72,7 +72,7 @@ oui RDC 0x00d02d RDC Semiconductor oui REALTEK 0x00e04c RealTek Semicondctor oui SEEQ 0x00a07d Seeq Technology oui SIS 0x00e006 Silicon Integrated Systems -oui SMC 0x00800f SMC +oui SMSC 0x00800f Microchip (formerly SMSC) oui TI 0x080028 Texas Instruments oui TSC 0x00c039 TDK Semiconductor oui VITESSE 0x0001c1 Vitesse Semiconductor @@ -361,6 +361,6 @@ model xxVITESSE VSC8514 0x0027 Vitesse VSC8514 10/100/1000TX PHY /* XaQti Corp. PHYs */ model xxXAQTI XMACII 0x0000 XaQti Corp. XMAC II gigabit interface -/* SMC */ -model SMC LAN8710A 0x000F SMC LAN8710A 10/100 interface -model SMC LAN8700 0x000C SMC LAN8700 10/100 interface +/* Microchip (formerly SMSC) */ +model SMSC LAN8710A 0x000F Microchip LAN8710A 10/100 interface +model SMSC LAN8700 0x000C Microchip LAN8700 10/100 interface diff --git a/sys/dev/mii/smscphy.c b/sys/dev/mii/smscphy.c index 4e0d3cd3e18e..d578242f5a61 100644 --- a/sys/dev/mii/smscphy.c +++ b/sys/dev/mii/smscphy.c @@ -74,8 +74,8 @@ static driver_t smscphy_driver = { DRIVER_MODULE(smscphy, miibus, smscphy_driver, 0, 0); static const struct mii_phydesc smscphys[] = { - MII_PHY_DESC(SMC, LAN8710A), - MII_PHY_DESC(SMC, LAN8700), + MII_PHY_DESC(SMSC, LAN8710A), + MII_PHY_DESC(SMSC, LAN8700), MII_PHY_END }; From nobody Wed Jun 10 14:24:48 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gb7Mn5m3Jz6gWgW for ; Wed, 10 Jun 2026 14:24:53 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gb7Mn3hF5z3Ts4 for ; Wed, 10 Jun 2026 14:24:53 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781101493; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=g5EqOqlNUaUPEYFHGc8KtqTLr3oKjNcT8Hr0Wk3bDjE=; b=WXMSK4KRkyUbMvobu2Ohw/0P9NDEI9PJ9ZlA5VMByH3t6WPdTdWYpsPA09wo8q/Qt0bXIe hQzDXkUF/JNWCn/19z42DWliVr2zUrxJ4fpqC24ckQxGzsvOwSPLaLxOeqFV8VwuZP6m7r iwTMFdfOJz5pFkBtjKlX+hTQxKvvtCuUgLwUJxxYGd/uxKNTcA0Ps7DU6YmRmq4DwHO4nd 7OJ5DvD68xUhpDVc5uUHt/kzPCw4BXrhx84M9Kf/oW/RWpXeKPEqXbO6KS2vSJo1XpgV4R jv+d7PZTrAMpnCkZY9rqRPU8fVJZyOmbxj1esSwWntmAqFDHYCbBiC7j6bgYWQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781101493; a=rsa-sha256; cv=none; b=TXUDhjsoBdku2rOVRKYSpErYHgAhVQ0JirjQgO8+2146Y57ypLHR/7duPZtTe9AwF3ZqVa edq4BBO2RRt2UJdgYMJlA1thS1li8T9827iNt49ZQODSLRQii1bAjs/hc5Emj9cxao9Szg 8SKsU+FfedTduFCD5bBIdoYGk8FkKZWc4j7cNsnTKXDP+3D2EBrdM8tRGxI6XH9ZjxBOpj VodAFsr9Ce1pf2LhcsRHd3FJEF7/JB9YC8h5H3JAgDOfUC2h5qgBi2oMrURxeagrKEJAYz /Efi5nd65tTMENSVJ3g+h1tSAVsjBy6tVuJGBn3iKHpcURwxT0sPZohZQntmSA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781101493; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=g5EqOqlNUaUPEYFHGc8KtqTLr3oKjNcT8Hr0Wk3bDjE=; b=Tqob2Y/wCqniHEp0HwoIt3KOql1Bk9I9fyt3Vy0JXWlhMQSrJU3aq23pBAmEJe6rwVnDxW nFNjFupTLg07bnenurb39Fx4DyEtYSN7NN9kGrB0fB8dRqKdUPZ+9WPdqhYEGeDgJZB8p6 yOjCUfaVArWwCY8DyjTq/IOwcfj1VvfVySv/pAVZ5mUCQ3a4+oUErHZEj54U5YOp4NfG9J yFKzzyv1vKxBMGOKJZ28sKdVFJpD4AyWUkd/hO83GlU1umhil82ujHWQblfbvRNJ/cfKyd FgudSyLABxqxcGpYGHtsr9hcmBziJu0PKU6NzceJf2edsjEZtmYv990/XXmssg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gb7Mn38sYz1NjL for ; Wed, 10 Jun 2026 14:24:53 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 22540 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 10 Jun 2026 14:24:48 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Sourojeet A From: Ed Maste Subject: git: b203a374f87d - stable/15 - linuxkpi: Make pm_qos.h self-contained List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: b203a374f87d9e89ff41d04f2e2467a9412d5caa Auto-Submitted: auto-generated Date: Wed, 10 Jun 2026 14:24:48 +0000 Message-Id: <6a2973b0.22540.27188016@gitrepo.freebsd.org> The branch stable/15 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=b203a374f87d9e89ff41d04f2e2467a9412d5caa commit b203a374f87d9e89ff41d04f2e2467a9412d5caa Author: Sourojeet A AuthorDate: 2026-06-03 21:58:53 +0000 Commit: Ed Maste CommitDate: 2026-06-10 13:44:00 +0000 linuxkpi: Make pm_qos.h self-contained Include for `false`. This is needed by amdgpu somewhere between Linux 6.12 and 6.15. Reviewed by: Minsoo Choo , bz Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D57415 (cherry picked from commit 67df313015906d84d90df8e37795885e81cf8da5) --- sys/compat/linuxkpi/common/include/linux/pm_qos.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sys/compat/linuxkpi/common/include/linux/pm_qos.h b/sys/compat/linuxkpi/common/include/linux/pm_qos.h index 47c41a819ba8..97d16369a704 100644 --- a/sys/compat/linuxkpi/common/include/linux/pm_qos.h +++ b/sys/compat/linuxkpi/common/include/linux/pm_qos.h @@ -28,6 +28,8 @@ #ifndef _LINUXKPI_LINUX_PM_QOS_H #define _LINUXKPI_LINUX_PM_QOS_H +#include + #define PM_QOS_DEFAULT_VALUE (-1) struct pm_qos_request {