Commit Graph

310079 Commits

Author SHA1 Message Date
Ed Maste 6365c45d95 elf_common: Add FDO package metadata note type
Reviewed by:	fuz
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57525
2026-06-10 11:45:34 -04:00
Enji Cooper 0881f6cf3f crypto/openssl: update artifacts to match 3.5.7 release
MFC after:	3 days
MFC with:	1523ccfd9
2026-06-10 08:32:35 -07:00
Enji Cooper 1523ccfd9c MFV: openssl 3.5.7
This change is a security release which resolves several issues with OpenSSL 3.5,
the highest severity issue being ranked "High". Users are strongly encouraged to
update to this release.

More information about the release (from a high level) can be found in
the release notes [1].

1. https://github.com/openssl/openssl/blob/openssl-3.5.7/NEWS.md

All conflicts were resolved with `--theirs`, taking the release diff
over the local diff; the conflicts occurred due to preemptive security
fixes applied by so@ in e508c343.

MFC after:	3 days (the important security issues have been
preemptively addressed)
Merge commit '3a71a35ad9dad0e5d2cad8efecc8ba9d57c42d43'

Conflicts:
	crypto/openssl/include/internal/quic_channel.h
	crypto/openssl/ssl/quic/quic_channel_local.h
	crypto/openssl/ssl/quic/quic_rx_depack.c
	crypto/openssl/test/cmsapitest.c
	crypto/openssl/test/evp_extra_test.c
2026-06-10 08:31:07 -07:00
Justin Hibbits 4bdcff5543 powerpc/booke: Add watchdog driver
The Book-E watchdog is effectively a state machine based around an AND
mask of the timebase register.  A single bit (0-63) is watched in the
timebase register, and when it transitions (by counting *or* by
programmatically setting) an exception is triggered.  The first
exception triggers a core interrupt.  The second is programmable.
In our case, we panic on the first and reset on second.
2026-06-10 10:04:41 -04:00
Justin Hibbits d08cb1dc17 watchdog: Fix a couple type issues
* Force the type of the literal `1` passed to nstosbt() to ensure it's a
  64-bit type (or larger).  Otherwise it gets inconveniently typed to
  int, resulting in truncation.
* Use `flsll()` when converting sbt to power-of-2-nanoseconds to fix
  32-bit compatibility.

PR:		292616
Obtained from:	Hewlett Packard Enterprise
Fixes:	26d6617f3 ("watchdog: Convert to using sbintime_t format")
MFC after:	3 days
2026-06-10 10:04:40 -04:00
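The two type issues in the commit above are easy to reproduce outside the kernel. The following is an added example written for this page, not code from sys/dev/watchdog or sys/time.h: it models sbintime_t as a 32.32 fixed-point seconds value the way FreeBSD does, but the conversions are simplified (128-bit intermediates, a rounding-up sbttons) and are not the kernel's exact arithmetic. It shows why the literal `1` must be widened before the shift and why a 64-bit fls is needed for the reverse conversion. The exponent range is limited to 0..60 so the fixed-point value stays within int64_t.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: userland model of the sbintime_t round trip used by
 * watchdog timeouts. sbintime_t is 32.32 fixed-point seconds, as in FreeBSD's
 * sys/time.h; these conversions are simplified, not the kernel's arithmetic. */
typedef int64_t sbintime_t;

#define NS_PER_S 1000000000LL

/* nanoseconds -> 32.32 fixed-point seconds, truncating */
static sbintime_t nstosbt(int64_t ns)
{
    return (sbintime_t)(((__int128)ns << 32) / NS_PER_S);
}

/* 32.32 fixed-point seconds -> nanoseconds, rounding up, so that a value
 * produced by nstosbt(1 << exp) converts back to exactly 1 << exp. */
static int64_t sbttons_ceil(sbintime_t sbt)
{
    __int128 ns = (__int128)sbt * NS_PER_S + ((1LL << 32) - 1);
    return (int64_t)(ns >> 32);
}

/* Portable flsll(): 1-based index of the highest set bit, 0 for zero.
 * On a 32-bit target a plain fls() would only examine the low word. */
static int my_flsll(long long v)
{
    if (v == 0)
        return 0;
    return 64 - __builtin_clzll((unsigned long long)v);
}

/* watchdog(9) timeouts are power-of-two nanosecond exponents (the WD_TO_*
 * values). The literal 1 must be widened BEFORE the shift: with a plain int
 * the shift is undefined for exp >= 31, which is the truncation the commit
 * above fixes. Valid here for exp in 0..60. */
static sbintime_t wd_exp_to_sbt(int exp)
{
    return nstosbt((int64_t)1 << exp);
}

/* Inverse: recover the exponent from an sbintime_t. Returns -1 for zero. */
static int wd_sbt_to_exp(sbintime_t sbt)
{
    int64_t ns = sbttons_ceil(sbt);
    return ns > 0 ? my_flsll(ns) - 1 : -1;
}

int main(void)
{
    for (int e = 0; e <= 60; e += 10) {
        sbintime_t sbt = wd_exp_to_sbt(e);
        printf("exp %2d -> sbt %lld -> exp %d\n", e, (long long)sbt, wd_sbt_to_exp(sbt));
    }
    return 0;
}
```

The rounding in sbttons_ceil is what keeps the round trip exact: the truncating nstosbt loses up to one nanosecond of precision, and without rounding up the reverse conversion would report the exponent one too low.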
John Baldwin 4d8fde8cff ppp: Reject FSM messages whose length is smaller than the message header
PR:		271843
Reported by:	Robert Morris <rtm@lcs.mit.edu>
Reviewed by:	des, emaste
Differential Revision:	https://reviews.freebsd.org/D57139
2026-06-10 09:44:10 -04:00
John Baldwin 7e971892df ppp: Permit CHAP challenges up to 255 bytes
RFC 1994 does not place any limit on the length of the value field in
challenge messages except that the length is a single octet which
bounds the maximum length to 255.

NB: I'm not sure why the local[] and peer[] arrays contain room for an
authentication name (AUTHLEN) in addition to a challenge value/response,
but I've just left that in place.

PR:		271955
Reported by:	Robert Morris <rtm@lcs.mit.edu>
Reviewed by:	des
Differential Revision:	https://reviews.freebsd.org/D57138
2026-06-10 09:44:10 -04:00
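The two ppp commits above (rejecting FSM messages shorter than their header, and allowing CHAP challenge values up to 255 bytes) are both about trusting a length field only after checking it against the bytes actually received. The following parser is an added example constructed for this page, not code from ppp(8); it follows the wire layouts of RFC 1661 (FSM header: Code, Identifier, 16-bit Length that includes the header) and RFC 1994 (CHAP Challenge/Response body: one-octet Value-Size, Value, Name). The packet builder and the hostile packets in main() are constructed test vectors.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not ppp(8) code. RFC 1661 FSM header and RFC 1994
 * CHAP Challenge/Response body. */
#define FSM_HDRLEN 4
#define CHAP_CHALLENGE 1
#define CHAP_RESPONSE 2
#define CHAP_MAX_VALUE 255   /* Value-Size is a single octet */

struct fsm_hdr {
    uint8_t code;
    uint8_t id;
    uint16_t length;   /* host order; total packet length incl. header */
};

struct chap_body {
    uint8_t value_size;
    const uint8_t *value;
    const uint8_t *name;
    size_t name_len;
};

/* Parse the FSM header. Returns 0 on success, -1 if the buffer is shorter
 * than the header, the declared length is smaller than the header, or the
 * declared length runs past the data actually received. */
static int fsm_parse(const uint8_t *buf, size_t buflen, struct fsm_hdr *h)
{
    if (buflen < FSM_HDRLEN)
        return -1;
    h->code = buf[0];
    h->id = buf[1];
    h->length = (uint16_t)((buf[2] << 8) | buf[3]);
    if (h->length < FSM_HDRLEN)   /* the check the first commit adds */
        return -1;
    if (h->length > buflen)
        return -1;
    return 0;
}

/* Parse a CHAP Challenge or Response. Any Value-Size up to 255 is accepted;
 * the value is rejected only if it would extend past the packet length. */
static int chap_parse(const uint8_t *buf, size_t buflen, struct fsm_hdr *h,
    struct chap_body *c)
{
    if (fsm_parse(buf, buflen, h) != 0)
        return -1;
    if (h->code != CHAP_CHALLENGE && h->code != CHAP_RESPONSE)
        return -1;
    if (h->length < FSM_HDRLEN + 1)   /* need room for Value-Size */
        return -1;
    c->value_size = buf[FSM_HDRLEN];
    if ((size_t)FSM_HDRLEN + 1 + c->value_size > h->length)
        return -1;
    c->value = buf + FSM_HDRLEN + 1;
    c->name = c->value + c->value_size;
    c->name_len = h->length - FSM_HDRLEN - 1 - c->value_size;
    return 0;
}

/* Build a Challenge into out; returns its length, or 0 if it does not fit. */
static size_t chap_build_challenge(uint8_t *out, size_t outlen, uint8_t id,
    const uint8_t *value, size_t vlen, const char *name)
{
    size_t nlen = strlen(name);
    size_t total = FSM_HDRLEN + 1 + vlen + nlen;

    if (vlen > CHAP_MAX_VALUE || total > outlen || total > 0xffff)
        return 0;
    out[0] = CHAP_CHALLENGE;
    out[1] = id;
    out[2] = (uint8_t)(total >> 8);
    out[3] = (uint8_t)total;
    out[4] = (uint8_t)vlen;
    memcpy(out + 5, value, vlen);
    memcpy(out + 5 + vlen, name, nlen);
    return total;
}

int main(void)
{
    uint8_t value[255], pkt[600];
    struct fsm_hdr h;
    struct chap_body c;
    /* constructed packets: a maximal challenge and two hostile ones */
    uint8_t bad_len[4] = { CHAP_CHALLENGE, 1, 0x00, 0x02 };
    uint8_t bad_val[8] = { CHAP_CHALLENGE, 1, 0x00, 0x08, 0xff, 'a', 'b', 'c' };

    memset(value, 0xa5, sizeof value);
    size_t n = chap_build_challenge(pkt, sizeof pkt, 7, value, 255, "server");
    int rc = chap_parse(pkt, n, &h, &c);
    printf("255-byte challenge: parse=%d name_len=%zu\n", rc, c.name_len);
    printf("length<header rejected: %d\n", fsm_parse(bad_len, sizeof bad_len, &h));
    printf("value overruns packet: %d\n", chap_parse(bad_val, sizeof bad_val, &h, &c));
    return 0;
}
```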
John Baldwin b5a8b933d4 ppp: Don't fetch a non-existent variadic argument
Only fetch the optional mode argument to ID0open to pass to open(2) if
O_CREAT is present in the flags argument.  It is UB to fetch an
argument that doesn't exist.  On CHERI this UB results in a fault.

Reviewed by:	brooks
Obtained from:	CheriBSD
Sponsored by:	AFRL, DARPA
Differential Revision:	https://reviews.freebsd.org/D57137
2026-06-10 09:44:10 -04:00
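The variadic-argument point above applies to any wrapper around open(2), whose own mode argument exists only when O_CREAT is passed. The wrapper below is an added example for this page, not ppp(8)'s ID0open(): it fetches the mode with va_arg() only when the flags say one was supplied, and passes open(2) a mode only in that case. The helper name open_wants_mode and the temporary path in main() are this example's own.

```c
#include <fcntl.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <unistd.h>

/* Added example, not ppp(8) code. Fetching a va_arg() that the caller never
 * passed is undefined behaviour: CHERI faults, conventional ABIs read
 * whatever register or stack slot happens to be there. */
static bool open_wants_mode(int flags)
{
    if (flags & O_CREAT)
        return true;
#ifdef O_TMPFILE
    /* Linux: O_TMPFILE also takes a mode (its value is a multi-bit mask). */
    if ((flags & O_TMPFILE) == O_TMPFILE)
        return true;
#endif
    return false;
}

/* open(2) wrapper with the same signature; the mode is only read when
 * open_wants_mode() says the caller had to supply one. */
static int xopen(const char *path, int flags, ...)
{
    bool has_mode = open_wants_mode(flags);
    mode_t mode = 0;

    if (has_mode) {
        va_list ap;
        va_start(ap, flags);
        mode = (mode_t)va_arg(ap, int);   /* mode_t is promoted to int */
        va_end(ap);
    }
    return has_mode ? open(path, flags, mode) : open(path, flags);
}

int main(void)
{
    const char *path = "/tmp/xopen.example";   /* example path */
    int fd = xopen(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);   /* mode fetched */
    if (fd >= 0) {
        close(fd);
        unlink(path);
    }
    fd = xopen("/dev/null", O_RDONLY);   /* no mode passed, none fetched */
    printf("open(/dev/null, O_RDONLY) -> %d\n", fd);
    if (fd >= 0)
        close(fd);
    return 0;
}
```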
John Baldwin 0492dbe921 cd9660: Don't parse RRIP records whose length overflows the sector boundary
PR:		272896
Reported by:	Robert Morris <rtm@lcs.mit.edu>
Reviewed by:	des, emaste
Differential Revision:	https://reviews.freebsd.org/D57135
2026-06-10 09:44:10 -04:00
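Rock Ridge records are SUSP entries in the System Use area of an ISO 9660 directory record, and each entry carries its own length byte that an untrusted image controls. The walker below is an added example written for this page, not the cd9660 code: it uses the SUSP entry header (two-byte signature, one-byte total length, one-byte version) and refuses any entry whose declared length is shorter than the header or runs past the end of the area or of the 2048-byte sector containing it. The PX payload in the sample area is constructed filler, not a real PX layout; the NM (alternate name) handling follows the RRIP layout of a flags byte followed by name bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not cd9660 code: bounds-checked SUSP/RRIP walk. */
#define ISO_SECTOR 2048
#define SUSP_HDRLEN 4

struct susp_entry {
    char sig[3];
    uint8_t len;
    uint8_t ver;
    const uint8_t *data;   /* payload after the 4-byte header */
    size_t datalen;
};

/* Walk the System Use area at offset area_off within its sector. Calls cb for
 * each well-formed entry; stops at "ST". Returns the number of entries
 * delivered, or -1 as soon as an entry's length would leave the area. */
static int susp_walk(const uint8_t *area, size_t area_len, size_t area_off,
    void (*cb)(const struct susp_entry *, void *), void *arg)
{
    size_t off = 0;
    int n = 0;

    if (area_off + area_len > ISO_SECTOR)   /* area must fit its sector */
        return -1;
    while (off + SUSP_HDRLEN <= area_len) {
        struct susp_entry e;

        memcpy(e.sig, area + off, 2);
        e.sig[2] = '\0';
        e.len = area[off + 2];
        e.ver = area[off + 3];
        if (e.len < SUSP_HDRLEN)        /* would loop forever or underflow */
            return -1;
        if (off + e.len > area_len)     /* declared length overruns the area */
            return -1;
        e.data = area + off + SUSP_HDRLEN;
        e.datalen = e.len - SUSP_HDRLEN;
        if (cb != NULL)
            cb(&e, arg);
        n++;
        if (memcmp(e.sig, "ST", 2) == 0)
            break;
        off += e.len;
    }
    return n;
}

/* Concatenate NM (alternate name) entries: data[0] is the flags byte. */
struct nm_collect {
    char name[256];
    size_t len;
};

static void collect_nm(const struct susp_entry *e, void *arg)
{
    struct nm_collect *c = arg;

    if (memcmp(e->sig, "NM", 2) != 0 || e->datalen < 1)
        return;
    size_t n = e->datalen - 1;
    if (c->len + n < sizeof c->name) {
        memcpy(c->name + c->len, e->data + 1, n);
        c->len += n;
        c->name[c->len] = '\0';
    }
}

/* Constructed sample areas (PX payload is filler, not a real PX record). */
static const uint8_t good_area[] = {
    'P', 'X', 12, 1, 0, 0, 0, 0, 0, 0, 0, 0,
    'N', 'M', 10, 1, 0x00, 'h', 'e', 'l', 'l', 'o',
    'S', 'T', 4, 1,
};
static const uint8_t overrun_area[] = { 'N', 'M', 0x80, 1, 0x00, 'h', 'i' };
static const uint8_t short_area[] = { 'N', 'M', 2, 1 };

int main(void)
{
    struct nm_collect c = { .len = 0 };

    printf("good: %d entries, name=%s\n",
        susp_walk(good_area, sizeof good_area, 33, collect_nm, &c), c.name);
    printf("overrun: %d\n", susp_walk(overrun_area, sizeof overrun_area, 33, NULL, NULL));
    printf("short length: %d\n", susp_walk(short_area, sizeof short_area, 33, NULL, NULL));
    printf("area past sector end: %d\n", susp_walk(good_area, sizeof good_area, 2040, NULL, NULL));
    return 0;
}
```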
Kit Dallege ab8ceaaa86 hcreate(3): fix incorrect claim that hdestroy frees keys
The man page incorrectly stated that hdestroy() calls free(3) for
each comparison key. The implementation (hdestroy_r.c) only frees
the internal table structure, not the user-provided keys or data.
This matches POSIX, which says hdestroy "shall dispose of the
search table" without mentioning key deallocation.

Update the description to clarify that the caller is responsible
for freeing any memory associated with table entries.

PR: 291240
Signed-off-by: Kit Dallege <xaum.io@gmail.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/2095
2026-06-10 06:35:05 -06:00
Kit Dallege 3a71a24bbe etherswitchcfg(8): document atu commands
Add documentation for the ATU (Address Translation Unit) commands
that were implemented but not documented in the man page:

- atu dump: display the MAC address table
- atu flush all: clear all dynamic ATU entries
- atu flush port <n>: clear ATU entries for a specific port

Also add atu to the SYNOPSIS section.

PR: 275413
Signed-off-by: Kit Dallege <xaum.io@gmail.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/2096
2026-06-10 06:35:04 -06:00
Kit Dallege 473fa0f7a1 re(4): document jumbo frame support for 8168/8111 chips
The man page only mentioned jumbo frame support for the 8169, 8169S,
and 8110S chips. The 8168 and 8111 family also support jumbo frames,
with varying MTU limits depending on the chip revision (6K for C
variants, 9K for D and later). Update the documentation to reflect
the actual driver capabilities.

PR: 160399
Signed-off-by: Kit Dallege <xaum.io@gmail.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/2097
2026-06-10 06:35:04 -06:00
Kit Dallege e7bdf44da7 bsdconfig(8): add missing vt(4) console commands
Add documentation for the vt_font, vt_keymap, vt_repeat, vt_saver,
vt_screenmap, and vt_ttys commands which are available at runtime
but were not listed in the man page.

Also clarify that the existing syscons_* commands are for the
syscons(4) console driver and remove stale commented-out entries.

PR: 291051
Signed-off-by: Kit Dallege <xaum.io@gmail.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/2100
2026-06-10 06:35:04 -06:00
Kit Dallege f8c8875add diskless(8): remove references to deleted clone_root script
The clone_root script was removed from the tree in commit
7736786b08 but the diskless(8) man page still referenced it
in two places. Remove both references.

PR: 292231
Signed-off-by: Kit Dallege <xaum.io@gmail.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/2101
2026-06-10 06:35:04 -06:00
Kit Dallege 05a02d395d mail(1): fix temporary file path in FILES section
The FILES section listed /tmp/R* but the source code uses
/tmp/mail.R* (e.g. mail.RsXXXXXXXXXX, mail.ReXXXXXXXXXX,
mail.RxXXXXXXXXXX) as the mkstemp template prefix.

PR: 289980
Signed-off-by: Kit Dallege <xaum.io@gmail.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/2103
2026-06-10 06:35:04 -06:00
Kit Dallege 2c5fd7d9a7 cp(1): fix -P documentation to reflect it works without -R
Since commit 97e1303791, the -P flag works without -R as
required by POSIX. Update the man page to state that only -H
and -L are ignored without -R, while -P can be used independently.

PR: 289959
Signed-off-by: Kit Dallege <xaum.io@gmail.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/2102
2026-06-10 06:35:03 -06:00
Kit Dallege 82780af43b du(1): document --si option
The --si option (human-readable output with SI units based on
powers of 1000) was implemented but missing from both the SYNOPSIS
and the options list.

PR: 265199
Signed-off-by: Kit Dallege <xaum.io@gmail.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/2104
2026-06-10 06:35:03 -06:00
K Rin 2671607f1b libc/tests: Enable fpsetround_basic which was never triggered since ported.
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1656
2026-06-10 06:35:03 -06:00
K Rin 85e449cfcf libc/tests: copy ieeefp tests out from contrib/netbsd-tests and rename them as FreeBSD test convention.
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1656
2026-06-10 06:35:03 -06:00
K Rin ce08af6378 mac_portacl tests: rewrite the test program and test unspecific family.
Reviewed by: imp,emaste
Pull Request: https://github.com/freebsd/freebsd-src/pull/1659
2026-06-10 06:35:03 -06:00
K Rin 6b61852b4f mac_portacl: do not reject unspecific family directly
Reviewed by: imp,emaste
Pull Request: https://github.com/freebsd/freebsd-src/pull/1659
2026-06-10 06:35:02 -06:00
ykla 9a6a2e4b7d Warn if hostname is empty
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1700
2026-06-10 06:35:02 -06:00
Phil Krylov a62eaf71dd bsdinstall(8): Fix GPT label conflicts with disks not managed by us
Signed-off-by: Phil Krylov <phil@krylov.eu>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1735
2026-06-10 06:35:02 -06:00
androvonx95 925f536824 improve renice user error messages
Improve error handling for invalid user names and UIDs in renice:
- Use warnx() and err() for consistent error reporting
- Set errno = EINVAL for invalid input
- Provide clearer error messages for invalid user names and UIDs
- Add test cases for invalid user input

Signed-off-by: androvonx95 <androvonx95@tutamail.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1768
2026-06-10 06:35:02 -06:00
Konstantin Belousov 9b48646ab3 kern_fork: guard against NULL newproc on the failure path
Reported and tested by:	pho
Fixes:	85a65e3930 ("proc: add tree ref count")
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
2026-06-10 14:37:23 +03:00
Konstantin Belousov 89fa97f0a7 compat32 wait4/6(2): only copy out when there is a pid to report
PR:	295965
Reported and tested by:	mandree
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
Differential revision:	https://reviews.freebsd.org/D57513
2026-06-10 05:37:25 +03:00
Xin LI c85542b92a GCE: Apply public-image label on GCE images
Update the GCE image creation process to automatically apply the
'public-image=true' label when publishing new images. This aligns
with standard labeling expectations for images hosted in public
projects.

MFC after:	3 days
2026-06-09 19:33:12 -07:00
Chuck Tuffli 925ca9b835 linux: Add TCP_INFO support
Implement the getsockopt for TCP_INFO by mapping FreeBSD's version to
what Linux expects.

MFC after:	1 month
Relnotes:	yes
Reviewed by:	kib
Differential Revision:	https://reviews.freebsd.org/D55882
2026-06-09 17:23:24 -07:00
Faraz Vahedi 1c85c5eea0 loader.efi: Search boot device before foreign ZFS pools
When `boot_policy` is `RELAXED`, `find_currdev()` tried ZFS pools on every
disk before searching the boot ESP and sibling partitions. Booting install
media from USB could therefore select an installed ZFS root on internal
storage instead of the intended memstick UFS image.

Extract the boot-device partition walk into `try_boot_device_partitions()`
and run it before relaxed foreign-pool probing. The ZFS search order is
preserved; pools on the boot device are tried first, followed by pools on
other devices when `boot_policy` is `RELAXED` and the boot device yields
no bootable root.

Signed-off-by: Faraz Vahedi <kfv@kfv.io>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/2239
2026-06-09 17:33:05 -06:00
Jamie Gritton b52dc20676 jail: Don't double-free the current prison in kern_jail_set/get
Reported by:	Yuxiang Yang, et al <yangyx22 at mails.tsinghua.edu.cn>
Discussed with:	markj
MFC after:	3 days
2026-06-09 15:31:40 -07:00
Konstantin Belousov 44970244e6 reap_kill_subtree_once: when proctree_lock is dropped, reaper might change
Recalculate it to iterate over the right set of processes.

Prevent reaper's struct proc reuse by holding the tree ref on it.
Since our reference is taken under the proctree lock and we know that
the process is reaper, it cannot go away.  The process hold count
(p_lock) cannot be used there because p_lock's intent is to prevent exit, but
reaper owns its reap-children until reaped itself, i.e. even a zombie
reaper is still on duty.

Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
Differential revision:	https://reviews.freebsd.org/D57492
2026-06-10 00:11:45 +03:00
Konstantin Belousov 85a65e3930 proc: add tree ref count
Owning the reference prevents reuse of the struct proc.

Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
Differential revision:	https://reviews.freebsd.org/D57492
2026-06-10 00:11:45 +03:00
Konstantin Belousov a248c5545f connectat(2): do not enable EMPTYPATH for AT_FDCWD
This restores existing error code for connect(2) over unix domain socket
when the empty string is specified as socket address.

Reported by:	eduardo
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
Differential revision:	https://reviews.freebsd.org/D57509
2026-06-10 00:09:48 +03:00
Mark Johnston 6bd97b5f37 tests.7: Remove an unused configuration variable
No existing tests require it, and I cannot understand what kinds of test
scenarios are supposed to require it.  Just remove it.

While here, improve the documentation of test variables a bit.

Reviewed by:	ngie
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D56604
2026-06-09 21:00:23 +00:00
Ali Mashtizadeh dded0ab415 hwpmc: Disable AMD PMCs if in an unsupported VM
AMD does not have a CPUID bit to indicate the lack of K8 PMCs.  If all
other PMC features are not present we should test an event selector to
see if it stores and returns a value.  If the VM is implemented
correctly, this should result in a #GP on the initial wrmsr_safe.  Bhyve
and a few other VMs ignore writes, so I got one step further and test
that it retains the OS and USR bits.

Tested on Zen 5 native and a Zen 5 Bhyve virtual machine.  This code
should not run on any recent hardware, except in a VM, as it checks that
the core counter extension is missing.

PR:		268943
Reported by:	Sandipan Das, John F. Carr <jfc@mit.edu>
Reviewed by:	mhorne, imp
Sponsored by:	Netflix
MFC after:	1 week
Pull Request:	https://github.com/freebsd/freebsd-src/pull/2272/changes
2026-06-09 16:46:31 -03:00
Enji Cooper 8f9aabbdbc OpenSSL: update MAINTAINERS/CODEOWNERS
I've been the quasi-defacto component maintainer for OpenSSL since
14.0-RELEASE. Make it official via CODEOWNERS/MAINTAINERS.

The goal is to help guide those interested in making changes in this
space to solicit my input with the new vendor import process and
coordinate fixes with upstream until things are at a point where most of
this is automated via a system of automated checks and balances that confirm
that the updates being made to the component help maintain a secure
supply chain for this given component.

Thank you benl and jkim for your past efforts in this component area.
Hopefully I can do my part to help improve this critical space further
as you both did in your respective tenures.

MFC after:	3 days
2026-06-09 12:37:52 -07:00
Enji Cooper 3a71a35ad9 openssl: import 3.5.7
This change adds OpenSSL 3.5.7 from upstream [1].

The 3.5.7 artifact has been verified via PGP key [2] and by SHA256 checksum [3].

This change is a security release which resolves several issues with OpenSSL 3.5,
the highest severity issue being ranked "High". Users are strongly encouraged to
update to this release.

More information about the release (from a high level) can be found in
the release notes [4].

Updated via [5] with `update_openssl.sh 3.5.7`.

Approved by:	so (gordon; implicit)

1. https://github.com/openssl/openssl/releases/download/openssl-3.5.7/openssl-3.5.7.tar.gz
2. https://github.com/openssl/openssl/releases/download/openssl-3.5.7/openssl-3.5.7.tar.gz.asc
3. https://github.com/openssl/openssl/releases/download/openssl-3.5.7/openssl-3.5.7.tar.gz.sha256
4. https://github.com/openssl/openssl/blob/openssl-3.5.7/NEWS.md
5. https://codeberg.org/ngie/freebsd-powertools/src/branch/main/shell/update_openssl.sh (facdfe954)
2026-06-09 12:21:35 -07:00
Gordon Tetlow 980ba4177b ldns: Fix query response validation
Approved by:	so
Security:	FreeBSD-SA-26:36.ldns
Security:	CVE-2026-10846
2026-06-09 19:13:21 +00:00
Gordon Tetlow e508c3431d openssl: Fix multiple vulnerabilities
This is a rollup commit from upstream to fix:
  Reject oversized inputs in ASN1_mbstring_ncopy()
  cms: kek_unwrap_key: Fix out-of-bounds read in check-byte validation
  cms: kek_unwrap_key: test for fix out-of-bounds read in check-byte validation
  Avoid length truncation in ASN1_STRING_set
  pkcs12: verify that the pbmac1 key length is safe
  Reject potentially forged encrypted CMS AuthEnvelopedData messages
  QUIC stack must limit the number of PATH_CHALLENGE frames processed in RX
  Fix NULL dereference in QUIC address validation
  Fix potential NULL dereference processing CMS PasswordRecipientInfo
  Fix potential NULL dereference in OSSL_CRMF_ENCRYPTEDVALUE_decrypt()
  Enforce implicit rejection for CMS/PKCS#7 decryption
  Use the correct issuer when validating rootCAKeyUpdate
  Match the local q DHX parameter against the peer's q
  Apply the buffered IV on the AES-OCB EVP_Cipher() path
  Fix handling of empty-ciphertext messages in AES-GCM-SIV and AES-SIV
  Fix possible use-after-free in OpenSSL PKCS7_verify()

Approved by:	so
Obtained from:	OpenSSL
Security:	FreeBSD-SA-26:35.openssl
Security:	CVE-2026-7383
Security:	CVE-2026-9076
Security:	CVE-2026-34180
Security:	CVE-2026-34181
Security:	CVE-2026-34182
Security:	CVE-2026-34183
Security:	CVE-2026-42764
Security:	CVE-2026-42766
Security:	CVE-2026-42767
Security:	CVE-2026-42768
Security:	CVE-2026-42769
Security:	CVE-2026-42770
Security:	CVE-2026-45445
Security:	CVE-2026-45446
Security:	CVE-2026-45447
2026-06-09 19:13:21 +00:00
Mark Johnston ebb0ea9f4f imgact_elf: Clear no-ASLR and -WXORX flags earlier for setugid images
Otherwise an unprivileged user can disable randomization of the base
address for PIEs even if they are setugid.

Add a regression test.

Approved by:	so
Security:	FreeBSD-SA-26:32.elf
Security:	CVE-2026-49414
Reported by:	David Berard
Reviewed by:	kib
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D57397
2026-06-09 19:13:21 +00:00
Andrew Turner 9c0a62df50 arm64: Workaround the following errata
- ARM C1-Premium erratum 4193780
- ARM C1-Ultra erratum 4193780
- ARM Cortex-A76 erratum 4193800
- ARM Cortex-A76AE erratum 4193801
- ARM Cortex-A77 erratum 4193798
- ARM Cortex-A78 erratum 4193791
- ARM Cortex-A78AE erratum 4193793
- ARM Cortex-A78C erratum 4193794
- ARM Cortex-A710 erratum 4193788
- ARM Cortex-X1 erratum 4193791
- ARM Cortex-X1C erratum 4193792
- ARM Cortex-X2 erratum 4193788
- ARM Cortex-X3 erratum 4193786
- ARM Cortex-X4 erratum 4118414
- ARM Cortex-X925 erratum 4193781
- ARM Neoverse-N1 erratum 4193800
- ARM Neoverse-N2 erratum 4193789
- ARM Neoverse-V1 erratum 4193790
- ARM Neoverse-V2 erratum 4193787
- ARM Neoverse-V3 erratum 4193784
- ARM Neoverse-V3AE erratum 4193784

These are all variants on an erratum where TLBI+DSB instructions on
one CPU may incorrectly complete early leading to stores to an updated
address using an incorrect translation on another CPU.

In all cases the workaround is to add a second TLBI+DSB.

Approved by:	so
Security:	FreeBSD-SA-26:31.arm64
Security:	CVE-2025-10263
Sponsored by:	Arm Ltd
2026-06-09 19:13:21 +00:00
Mark Johnston d39be1b1b5 linux: Correct the issetugid check in copyout_auxargs
The runtime linker in glibc relies on the AT_SECURE auxv entry to know
whether the executable is set-ugid, if so then various dangerous
functionality such as LD_PRELOAD is disabled.

The check added in commit 669414e4fb failed to take into account the
fact that during execve, P_SUGID may not yet be set for a set-ugid
process.  Correct the test.

Approved by:	so
Security:	FreeBSD-SA-26:30.linux
Security:	CVE-2026-49413
Reported by:	Minseong Kim
Fixes:		669414e4fb ("Implement AT_SECURE properly.")
Reviewed by:	kib
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D57350
2026-06-09 19:13:21 +00:00
Mark Johnston 1bac7df1ba in6_mcast: Fix a race in in6p_set_source_filter()
We drop the inpcb lock in order to copy in the source list, but this
leaves a window where the multicast filter structure might be freed.
This can be exploited to obtain root privileges.

In the v4 code this race is mitigated by holding the global multicast
lock across the gap.

Restructure the code to copy in filters before doing anything else, so
that there's no need to drop the inpcb lock and reason about the
correctness of doing so.  Do the same in the v4 code for consistency.

Approved by:	so
Security:	FreeBSD-SA-26:29.ip6_multicast
Security:	CVE-2026-49412
Reported by:	Andrew Griffiths <andrew@calif.io>
Reported by:	Maik Münch <maik@secfault-security.com>
Reviewed by:	glebius
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D57347
2026-06-09 19:13:21 +00:00
Mark Johnston 1b775b9ea4 sound: Fix software buffer lifetime issues
The channel buffer mapped by dsp_mmap_single() may be freed when the
device handle is closed, but the mapping persists beyond that, allowing
userspace to read or write memory owned by a different consumer.

Fix the problem by adding a reference counter to the sound buffer.
Define pager ops for the VM object returned by dsp_mmap_single() and use
them to manage the extra reference.

Add a regression test.

Approved by:	so
Security:	FreeBSD-SA-26:27.sound
Security:	CVE-2026-49417
Reported by:	Lexpl0it, 75Acol, Liyw979, Rob1n
Reviewed by:	kib
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D57393
2026-06-09 19:13:21 +00:00
Christos Margiolis 1bb8212df1 sound: Check for offset overflow in dsp_mmap_single()
Approved by:	so
Security:	FreeBSD-SA-26:27.sound
Security:	CVE-2026-45258
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
2026-06-09 19:13:21 +00:00
John Baldwin 3444414cb4 ktls: Don't attempt to modify non-anonymous mbufs on the receive path
Normally, data processed on the KTLS receive path is contained in
anonymous mbufs that can be modified in place.  Either the data
originates in receive buffers from a NIC driver, or for loopback
connections the data is anonymous-backed mbufs created when writing to
a socket.  One potential source of non-anonymous mbufs are mbufs
created by sendfile(2) which borrow the pages of the underlying file,
either via M_EXTPG or EXT_SFBUF that are sent over a loopback
connection.  For a well-formed loopback TLS session, the sender should
only use sendfile(2) if KTLS is enabled.  If TLS is fully handled in
userspace, the sender must use write(2) or send(2) which allocate
anonymous mbufs.  If KTLS transmit is enabled, then sendfile(2) on a
loopback connection will always use crypto via OCF and will allocate
anonymous pages to hold the encrypted data.

However, if sendfile(2) is used to send file-backed data directly over
a loopback connection where KTLS is not enabled on the sender side,
the KTLS receive path can modify the file-backed pages in place
overwriting the file's data.  One potential fix would be to replace
non-anonymous mbufs in a received TLS record with anonymous mbufs
(e.g. via m_dup()) before passing the record to OCF.  However, there
is no legitimate use case for using sendfile(2) over a loopback TLS
connection without using KTLS on the sender side, so instead simply
fail decryption requests and close the connection if non-anonymous
mbufs are encountered in the RX decryption path.

Add a test for this that verifies that the original data backing the
file descriptor used as the source for sendfile() is unchanged after
being processed.

Approved by:	so
Security:	FreeBSD-SA-26:26.ktls
Security:	CVE-2026-45257
Co-authored-by:	Drew Gallatin <gallatin@FreeBSD.org>
Sponsored by:	Chelsio Communications
Sponsored by:	Netflix
2026-06-09 19:13:21 +00:00
Mark Johnston bf1e2c0797 thr_kill2: Respect p_cansignal()
Approved by:	so
Security:	FreeBSD-SA-26:25.thr
Security:	CVE-2026-45256
Reported by:	Igor Gabriel Sousa e Souza
Reported by:	Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
Reviewed by:	emaste, kib
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D57237
2026-06-09 19:13:21 +00:00
Ed Maste c94b8eee5b vt: Rename sysctl to security.bsd.allow_tiocsti
This is consistent with allow_read_dir and allow_ptrace.

PR: 293485
Fixes: c289291a67 ("tty: Add sysctl knob to globally disable TIOCSTI")
Sponsored by: The FreeBSD Foundation
2026-06-09 14:27:56 -04:00
Ed Maste c289291a67 tty: Add sysctl knob to globally disable TIOCSTI
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57233
2026-06-09 12:38:54 -04:00
Baptiste Daroussin 13fb6dbc73 nuageinit: validate set-name to prevent shell injection in variable names
Shell variable names cannot be safely quoted with shell_escape() —
only alphanumeric characters are valid. Add validation that set-name
only matches [a-zA-Z0-9]+; invalid values are rejected with a
warning and the rename is skipped entirely.
2026-06-09 18:04:25 +02:00