Otherwise an unprivileged user can disable randomization of the base
address for PIEs even if they are setugid.
Add a regression test.
Approved by: so
Security: FreeBSD-SA-26:32.elf
Security: CVE-2026-49414
Reported by: David Berard
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57397
The channel buffer mapped by dsp_mmap_single() may be freed when the
device handle is closed, but the mapping persists beyond that, allowing
userspace to read or write memory owned by a different consumer.
Fix the problem by adding a reference counter to the sound buffer.
Define pager ops for the VM object returned by dsp_mmap_single() and use
them to manage the extra reference.
Add a regression test.
Approved by: so
Security: FreeBSD-SA-26:27.sound
Security: CVE-2026-49417
Reported by: Lexpl0it, 75Acol, Liyw979, Rob1n
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57393
Normally, data processed on the KTLS receive path is contained in
anonymous mbufs that can be modified in place. Either the data
originates in receive buffers from a NIC driver, or for loopback
connections the data is anonymous-backed mbufs created when writing to
a socket. One potential source of non-anonymous mbufs are mbufs
created by sendfile(2) which borrow the pages of the underlying file,
either via M_EXTPG or EXT_SFBUF that are sent over a loopback
connection. For a well-formed loopback TLS session, the sender should
only use sendfile(2) if KTLS is enabled. If TLS is fully handled in
userspace, the sender must use write(2) or send(2) which allocate
anonymous mbufs. If KTLS transmit is enabled, then sendfile(2) on a
loopback connection will always use crypto via OCF and will allocate
anonymous pages to hold the encrypted data.
However, if sendfile(2) is used to send file-backed data directly over
a loopback connection where KTLS is not enabled on the sender side,
the KTLS receive path can modify the file-backed pages in place
overwriting the file's data. One potential fix would be to replace
non-anonymous mbufs in a received TLS record with anonymous mbufs
(e.g. via m_dup()) before passing the record to OCF. However, there
is no legitimate use case for using sendfile(2) over a loopback TLS
connection without using KTLS on the sender side, so instead simply
fail decryption requests and close the connection if non-anonymous
mbufs are encountered in the RX decryption path.
Add a test for this that verifies that the original data backing the
file descriptor used as the source for sendfile() is unchanged after
being processed.
Approved by: so
Security: FreeBSD-SA-26:26.ktls
Security: CVE-2026-45257
Co-authored-by: Drew Gallatin <gallatin@FreeBSD.org>
Sponsored by: Chelsio Communications
Sponsored by: Netflix
parse_rules() has been calling toast_rules() in case of a parse error in
order to deallocate the 'struct rule' objects it has constructed up to
that point.
toast_rules() would take a pointer to a full 'struct rules' object, and
besides freeing all 'struct rule' referenced by it, would also free the
holding 'struct rules' itself.
With the introduction of the "executable paths" feature, and the
embedding of 'struct rules' into 'struct conf', meaning that the
lifecycle for 'struct rules' was no longer independent, toast_rules()
was changed not to free the passed 'struct rules' (as it was a field of
a 'struct conf' object). Unfortunately, this change was not completed
with a reinitialization of the rules list head, so the 'struct conf'
object would continue to reference just-freed rules, which then would be
freed a second time on destruction of that container.
So, make toast_rules() re-initialize the rules list in 'struct rules',
which it logically has been having to do since not freeing the enclosing
'struct rules'. This alone is enough to fix the bug, but let's use the
occasion to change the contract of parse_rules() and bring its herald
comment up-to-date: On error, parse_rules() now simply leaves already
constructed 'struct rule' objects in 'conf'. The latter is eventually
destroyed and the rule objects reclaimed at that point.
Add a test trying to set an invalid rules configuration with the first
rule being valid and the second being invalid, which triggers the bug
(and an immediate panic() on an INVARIANTS kernel).
Reported by: impost0r(ret2plt) <impostor@ret2p.lt>
Reviewed by: markj
Fixes: 9818224174 ("MAC/do: Executable paths feature (GSoC 2025's final state)")
Sponsored by: The FreeBSD Foundation
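The double free described in the commit message above, reduced to a userland model (added example, not mac_do(4)'s code): a 'struct rules' list head embedded in 'struct conf', a teardown that frees the rules without resetting the head, the fixed teardown that does, and a parse_rules() with the new contract that leaves already-built rules for the container's destructor. Structure layouts, function names and the id-based rule input are assumptions for illustration; a counter of frees stands in for what an INVARIANTS kernel would catch as a double free.

```c
#include <errno.h>
#include <stdlib.h>

struct rule  { struct rule *next; int id; };
struct rules { struct rule *head; };           /* embedded, not separately allocated */
struct conf  { struct rules rules; };

/* Instrumentation for this example only: count frees so a caller can tell
 * whether destroying the container reclaims the right number of rules. */
static int rules_freed;

static int rules_add(struct rules *rs, int id)
{
    struct rule *r = malloc(sizeof *r);
    if (r == NULL)
        return ENOMEM;
    r->id = id;
    r->next = rs->head;   /* prepend; order does not matter here */
    rs->head = r;
    return 0;
}

static void rules_free_all(struct rules *rs)
{
    struct rule *r = rs->head, *next;
    while (r != NULL) {
        next = r->next;
        free(r);
        rules_freed++;
        r = next;
    }
}

/* Flawed teardown: frees every rule but leaves rs->head pointing at freed
 * memory, so a later conf_destroy() walks and frees the same rules again. */
static void toast_rules_flawed(struct rules *rs)
{
    rules_free_all(rs);
}

/* Fixed teardown: the list head is reinitialized as well, so the enclosing
 * 'struct conf' no longer references the freed rules. */
static void toast_rules(struct rules *rs)
{
    rules_free_all(rs);
    rs->head = NULL;
}

static void conf_destroy(struct conf *c)
{
    toast_rules(&c->rules);
}

/* parse_rules() under the new contract: on error, rules constructed so far
 * simply stay in conf and are reclaimed by conf_destroy(). The input is a
 * list of ids, where a negative id stands for an unparsable rule. */
static int parse_rules(struct conf *c, const int *ids, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (ids[i] < 0)
            return EINVAL;
        int err = rules_add(&c->rules, ids[i]);
        if (err != 0)
            return err;
    }
    return 0;
}
```

With the flawed teardown, conf.rules.head still holds the address of a freed rule after the call, which is exactly the state that makes the container's destructor free it a second time; with the fixed version a subsequent conf_destroy() finds an empty list and frees nothing.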
Test that:
1. Concurrent changes to different parameters on the same jail are
independent/atomic.
2. Inheritance works.
3. Relaxing only parent jail rules does not leak to a subjail thanks to
sequential consistency.
4. Sysctl knobs and jail parameters stay consistent.
Some of these tests may be extended in the future with several layers of
jails (there is only a single subjail currently).
Reviewed by: bapt
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
And also allow configuration of the mdo(1) executable path.
This commit only contains new or modified infrastructure. No functional
change intended at this point.
Reviewed by: bapt
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
In a standard test suite installation, this is not necessary, but be
bullet-proof to custom ones, however improbable.
Reviewed by: bapt
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
The ACL tests use UIDs and GIDs 41 through 49 and expect them to be
unassigned. Since GID 43 is now assigned to the audio group, some
tests have begun to fail.
While here, also fix a benign Perl syntax issue in the test runner.
MFC after: 1 week
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D57297
This is copied from the check in kern_kill.
Reviewed by: markj, oshogbo
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57244
This has been stable in my testing, and enabling parallelism speeds up
test runs considerably. In particular, with -v parallelism=16 in a
16-vcpu bhyve VM my test runs go from ~50m to ~40m; the exact numbers
depend on the kernel config in use.
Reviewed by: pouria
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D57094
Since we are sleeping for an indefinite period of time waiting
for the default route to appear, the expire times may have gone
past 1+ seconds, causing the Expire column to show <1800 or <600.
Fixes: f6bcc0925f
Reviewed by: pouria
Approved by: lwhsu (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D56712
- Fix an off-by-one in the system call number check. A value of
SYS_MAXSYSCALL was permitted.
- Validate the system call number after we've dealt with
syscall(2)/__syscall(2), since they pass the syscall number as an
argument.
- When the syscall number is for syscall(2) or __syscall(2), we must
make sure that nargs > 0 to avoid an underflow when shifting arguments
down.
Add regression tests.
Approved by: so
Security: FreeBSD-SA-26:21.ptrace
Security: CVE-2026-45253
Fixes: 140ceb5d95 ("ptrace(2): add PT_SC_REMOTE remote syscall request")
Reported by: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
Reviewed by: kib, emaste
Differential Revision: https://reviews.freebsd.org/D56978
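The three defects listed above, side by side with the corrected logic, as a userland model (added example, not FreeBSD's kern_ptrace code): the flawed variant keeps the '>' comparison, validates the number before resolving syscall(2)/__syscall(2), and decrements nargs unconditionally; the fixed variant resolves the indirection first, requires nargs > 0 before taking the number from args[0], and then applies a half-open range check. The struct, the MODEL_ constants and the size of the argument array are assumptions; 0 and 198 are FreeBSD's numbers for syscall(2) and __syscall(2).

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <string.h>

#define MODEL_MAXSYSCALL    600u   /* stand-in for SYS_MAXSYSCALL (assumed value) */
#define MODEL_SYS_syscall     0u   /* syscall(2) in FreeBSD's syscall table */
#define MODEL_SYS___syscall 198u   /* __syscall(2) in FreeBSD's syscall table */
#define MODEL_MAXARGS         8u

struct model_sc_remote {
    unsigned int sysnum;
    unsigned int nargs;
    uintptr_t    args[MODEL_MAXARGS];
};

static int is_indirect(unsigned int sysnum)
{
    return sysnum == MODEL_SYS_syscall || sysnum == MODEL_SYS___syscall;
}

/* Flawed variant, mirroring the defects in the commit message:
 *  - '>' instead of '>=' lets sysnum == MAXSYSCALL through;
 *  - the range check runs before the syscall(2)/__syscall(2) indirection,
 *    so the number taken from args[0] is never checked;
 *  - nargs-- with nargs == 0 wraps around.
 * The argument shift is deliberately omitted here: with the wrapped nargs
 * it would write past the end of args[]. */
static int remote_syscall_flawed(struct model_sc_remote *r)
{
    if (r->nargs > MODEL_MAXARGS)
        return EINVAL;
    if (r->sysnum > MODEL_MAXSYSCALL)
        return EINVAL;
    if (is_indirect(r->sysnum)) {
        r->sysnum = (unsigned int)r->args[0];
        r->nargs--;
    }
    return 0;
}

/* Fixed variant: resolve the indirection first (there must be at least one
 * argument to take the number from), shift the remaining arguments down,
 * then validate the final number with a half-open range check. */
static int remote_syscall_fixed(struct model_sc_remote *r)
{
    if (r->nargs > MODEL_MAXARGS)
        return EINVAL;
    if (is_indirect(r->sysnum)) {
        if (r->nargs == 0)
            return EINVAL;
        r->sysnum = (unsigned int)r->args[0];
        r->nargs--;
        memmove(&r->args[0], &r->args[1], r->nargs * sizeof(r->args[0]));
    }
    if (r->sysnum >= MODEL_MAXSYSCALL)
        return EINVAL;
    return 0;
}
```

The order of operations is the point: any check on the syscall number that runs before the indirection is resolved checks the wrong value, and the underflow guard has to precede the decrement because an unsigned count cannot go negative to signal the error afterwards.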
The fuse protocol requires server to respond to LISTXATTR with a
NUL-terminated string. If they don't, report an error rather than
attempt to scan through uninitialized memory for a NUL.
Approved by: so
Security: FreeBSD-SA-26:20.fusefs
Security: CVE-2026-45252
admbugs: 1039
Reported by: Joshua Rogers
Sponsored by: ConnectWise
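The check the commit message calls for, as a userland model (added example, not the fusefs driver's code): a LISTXATTR reply is a sequence of NUL-terminated names, so the reply is accepted only if its last byte is NUL, and every scan is bounded by the reply length rather than by strlen() running on until it happens to find a zero. Function names and the sample reply are constructed for this example; rejecting an empty name is a choice made here, beyond what the message requires.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample reply: two names, each NUL-terminated. sizeof
 * includes the string literal's final NUL, so the full reply is 14 bytes. */
static const char sample_reply[] = "user.a\0user.b";
#define SAMPLE_REPLY_LEN (sizeof sample_reply)

/* Validate a LISTXATTR reply of len bytes and return the number of names it
 * holds. Returns -EINVAL when the final byte is not NUL (the reply is not a
 * well-formed string list and must not be scanned further) or when a name is
 * empty. A zero-length reply is an empty list. */
static int listxattr_validate(const char *buf, size_t len)
{
    int n = 0;
    size_t off = 0;

    if (len == 0)
        return 0;
    if (buf[len - 1] != '\0')
        return -EINVAL;
    while (off < len) {
        /* Bounded scan: memchr never reads past len, and the check above
         * guarantees it finds a NUL before running out of bytes. */
        const char *nul = memchr(buf + off, '\0', len - off);
        size_t namelen = (size_t)(nul - (buf + off));
        if (namelen == 0)
            return -EINVAL;
        n++;
        off += namelen + 1;
    }
    return n;
}

/* Return the idx-th name of a reply already accepted by listxattr_validate(),
 * or NULL if idx is out of range. strlen() is safe here only because the
 * reply was validated first. */
static const char *listxattr_name(const char *buf, size_t len, int idx)
{
    size_t off = 0;

    while (off < len) {
        if (idx-- == 0)
            return buf + off;
        off += strlen(buf + off) + 1;
    }
    return NULL;
}
```

Passing the sample reply with one byte fewer models a server that dropped the terminator: the validator rejects it before anything scans for a NUL that is not there.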
Otherwise they may be left on a freed selinfo list after the
corresponding jaildesc struct is freed. This can be exploited to
elevate privileges.
Remove the JDF_SELECTED micro-optimization. doselwakeup() is a no-op if
no one ever called selrecord() on the file description, so I see no
reason to complicate the code to avoid the call.
Add some regression tests.
Approved by: so
Security: FreeBSD-SA-26:19.file
Security: CVE-2026-45251
Fixes: 66d8ffe304 ("jaildesc: add kevent support")
Reviewed by: kib, jamie
Differential Revision: https://reviews.freebsd.org/D56945
Otherwise they are left on a freed list after procdesc_free() is called.
This can be exploited to elevate privileges.
Remove the PDF_SELECTED micro-optimization. doselwakeup() is a no-op if
no one ever called selrecord() on the file description, so I see no
reason to complicate the code to avoid the call.
Add some regression tests.
Approved by: so
Security: FreeBSD-SA-26:19.file
Security: CVE-2026-45251
Reported by: 75Acol, Lexpl0it, fcgboy, and robinzeng2015
Reviewed by: kib, oshogbo
Fixes: cfb5f76865 ("Add experimental support for process descriptors")
Differential Revision: https://reviews.freebsd.org/D56887
Make the behaviour similar for both IPv4 and IPv6. Also add
the corresponding tests.
PR: 294733
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D56618
Check for allocation failure on `npt_alloc()` for RTA_MULTIPATH
attributes in `nlattr_get_multipath()`.
Also, add tests for maximum number of rtnexthop in rtnetlink.
Reported by: Joshua Rogers of AISLE Research Team
Reviewed by: markj
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D56954
The configured timeout of 30s is a bit too low for a couple of tests
which create 4+ VNET jails when running tests in parallel and with
kernel sanitizers enabled. There's no reason to have custom timeouts,
just use the default.
MFC after: 1 week
In Arm CCA we need to find all memory to protect it. This needs to find
all memory, ignoring any excluded memory to protect it from the host.
Add physmem_all that reads all physical memory regions.
Co-developed-by: Andrew Turner <andrew@> (writing tests & commit message)
Sponsored by: Arm Ltd
* do not require only the ip6 proto for the flow-id opcode in ipfw(8).
ipv6-icmp, tcp, udp should be fine too.
* fix off-by-one bug leading to out-of-bounds read.
* apply IPV6_FLOWLABEL_MASK before comparison in flow6id_match(),
so flow-id opcode will match a specified flow label. No need to
take protocol version and traffic class into account.
* add the test to verify that opcode is working correctly.
Reviewed by: pouria
Obtained from: Yandex LLC
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D56869
The FreeBSD network stack, for better or worse, does not impose any
requirements on interface names. As such it's valid for an interface
name to start with a number (or indeed, be something like '⭐').
Allow this in pfctl, and add a test case for the specific case of
interface names starting with a number.
Note that we don't support UTF-8 names fully, so those may still fail.
PR: 295064
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
When dumping states optionally (at '-vv') also show the rule which
created the state. This can be helpful if the ruleset changed and we
want to know what rule created the state.
Sponsored by: Rubicon Communications, LLC ("Netgate")
We insert rules in pf_krule_global solely for the benefit of the
'keepcounters' feature. Failing to insert (because the rule hash
collides, or an identical rule already exists) would be worse than
restoring counts to the wrong rule (or failing to restore them at all).
PR: 282863, 294860, 294859, 294858
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D56745
Gcc complained about the unused %0 asm argument.
Fixes: 2c2ec6bbc9 ("tests/sys/arch/amd64: add a program to check INT $0x80 behavior on amd64")
Reviewed by: kib, markj
Differential Revision: https://reviews.freebsd.org/D56781
- Set require.kmods instead of relying on ifconfig to load if_lagg.ko,
as this doesn't work when running within a jail.
- Simplify helper functions which create tap and lagg devices.
MFC after: 1 week
At least one of these tests changes the system clock, which potentially
interferes with concurrently running tests and causes them to fail.
MFC after: 1 week
For unicast tests, it is sufficient to use wait_for_carp() to verify
the setup is sane. Additional sanity checks are not necessarily
required but can serve a purpose for redundancy.
For some unclear reason routed(8) is advertising a route to the carp BACKUP.
That makes the test flaky. Also routed(8) is marked deprecated and may
be removed from base in the future. Let's just add a static route entry
manually for additional sanity checks.
Other noticeable changes:
1. Add atf_check to configuration steps to prevent potential failure
on setup. That helps diagnosing on failure.
2. Shorten the names of jails to improve readability.
3. Prefer `[ifconfig|route|sysctl] -j` over `jexec [ifconfig|route|sysctl]`
to make the lines shorter.
PR: 294817
Reviewed by: glebius (previous version), pouria, markj
Fixes: 93fbdef51a tests: carp: Update test case unicast_v4 to catch PR 284872
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D56761
The getgroups test is a NetBSD test, so just apply our larger hammer
and disable the feature entirely. The audit test can take a more
surgical approach and use __ssp_real() appropriately, since it's a local
one.
PR: 294881
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D56735
Added tests:
* Test for creating multiple routes.
* Test for merge multiple nexthops into a single nexthop group.
* Test for nexthop expirations from a nexthop group.
Reviewed by: glebius
Differential Revision: https://reviews.freebsd.org/D56190