AMD does not have a CPUID bit to indicate the lack of K8 PMCs. If all
other PMC features are not present we should test an event selector to
see if it stores and returns a value. If the VM is implemented
correctly, this should result in a #GP on the initial wrmsr_safe. Bhyve
and a few other VMs ignore writes, so I go one step further and test
that it retains the OS and USR bits.
Tested on Zen 5 native and a Zen 5 Bhyve virtual machine. This code
should not run on any recent hardware, except in a VM, as it checks that
the core counter extension is missing.
PR: 268943
Reported by: Sandipan Das, John F. Carr <jfc@mit.edu>
Reviewed by: mhorne, imp
Sponsored by: Netflix
MFC after: 1 week
Pull Request: https://github.com/freebsd/freebsd-src/pull/2272/changes
I've been the quasi-defacto component maintainer for OpenSSL since
14.0-RELEASE. Make it official via CODEOWNERS/MAINTAINERS.
The goal is to help guide those interested in making changes in this
space to solicit my input with the new vendor import process and
coordinate fixes with upstream until things are at a point where most of
this is automated: a system of automated checks and balances to confirm
that the updates being made to the component help maintain a secure
supply chain for this given component.
Thank you benl and jkim for your past efforts in this component area.
Hopefully I can do my part to help improve this critical space further
as you both did in your respective tenures.
MFC after: 3 days
This is a rollup commit from upstream to fix:
Reject oversized inputs in ASN1_mbstring_ncopy()
cms: kek_unwrap_key: Fix out-of-bounds read in check-byte validation
cms: kek_unwrap_key: test for fix out-of-bounds read in check-byte validation
Avoid length truncation in ASN1_STRING_set
pkcs12: verify that the pbmac1 key length is safe
Reject potentially forged encrypted CMS AuthEnvelopedData messages
QUIC stack must limit the number of PATH_CHALLENGE frames processed in RX
Fix NULL dereference in QUIC address validation
Fix potential NULL dereference processing CMS PasswordRecipientInfo
Fix potential NULL dereference in OSSL_CRMF_ENCRYPTEDVALUE_decrypt()
Enforce implicit rejection for CMS/PKCS#7 decryption
Use the correct issuer when validating rootCAKeyUpdate
Match the local q DHX parameter against the peer's q
Apply the buffered IV on the AES-OCB EVP_Cipher() path
Fix handling of empty-ciphertext messages in AES-GCM-SIV and AES-SIV
Fix possible use-after-free in OpenSSL PKCS7_verify()
Approved by: so
Obtained from: OpenSSL
Security: FreeBSD-SA-26:35.openssl
Security: CVE-2026-7383
Security: CVE-2026-9076
Security: CVE-2026-34180
Security: CVE-2026-34181
Security: CVE-2026-34182
Security: CVE-2026-34183
Security: CVE-2026-42764
Security: CVE-2026-42766
Security: CVE-2026-42767
Security: CVE-2026-42768
Security: CVE-2026-42769
Security: CVE-2026-42770
Security: CVE-2026-45445
Security: CVE-2026-45446
Security: CVE-2026-45447
Otherwise an unprivileged user can disable randomization of the base
address for PIEs even if they are setugid.
Add a regression test.
Approved by: so
Security: FreeBSD-SA-26:32.elf
Security: CVE-2026-49414
Reported by: David Berard
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57397
- ARM C1-Premium erratum 4193780
- ARM C1-Ultra erratum 4193780
- ARM Cortex-A76 erratum 4193800
- ARM Cortex-A76AE erratum 4193801
- ARM Cortex-A77 erratum 4193798
- ARM Cortex-A78 erratum 4193791
- ARM Cortex-A78AE erratum 4193793
- ARM Cortex-A78C erratum 4193794
- ARM Cortex-A710 erratum 4193788
- ARM Cortex-X1 erratum 4193791
- ARM Cortex-X1C erratum 4193792
- ARM Cortex-X2 erratum 4193788
- ARM Cortex-X3 erratum 4193786
- ARM Cortex-X4 erratum 4118414
- ARM Cortex-X925 erratum 4193781
- ARM Neoverse-N1 erratum 4193800
- ARM Neoverse-N2 erratum 4193789
- ARM Neoverse-V1 erratum 4193790
- ARM Neoverse-V2 erratum 4193787
- ARM Neoverse-V3 erratum 4193784
- ARM Neoverse-V3AE erratum 4193784
These are all variants on an erratum where TLBI+DSB instructions on
one CPU may incorrectly complete early leading to stores to an updated
address using an incorrect translation on another CPU.
In all cases the workaround is to add a second TLBI+DSB.
Approved by: so
Security: FreeBSD-SA-26:31.arm64
Security: CVE-2025-10263
Sponsored by: Arm Ltd
The runtime linker in glibc relies on the AT_SECURE auxv entry to know
whether the executable is set-ugid; if so, various dangerous
functionality such as LD_PRELOAD is disabled.
The check added in commit 669414e4fb failed to take into account the
fact that during execve, P_SUGID may not yet be set for a set-ugid
process. Correct the test.
Approved by: so
Security: FreeBSD-SA-26:30.linux
Security: CVE-2026-49413
Reported by: Minseong Kim
Fixes: 669414e4fb ("Implement AT_SECURE properly.")
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57350
We drop the inpcb lock in order to copy in the source list, but this
leaves a window where the multicast filter structure might be freed.
This can be exploited to obtain root privileges.
In the v4 code this race is mitigated by holding the global multicast
lock across the gap.
Restructure the code to copy in filters before doing anything else, so
that there's no need to drop the inpcb lock and reason about the
correctness of doing so. Do the same in the v4 code for consistency.
Approved by: so
Security: FreeBSD-SA-26:29.ip6_multicast
Security: CVE-2026-49412
Reported by: Andrew Griffiths <andrew@calif.io>
Reported by: Maik Münch <maik@secfault-security.com>
Reviewed by: glebius
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57347
The channel buffer mapped by dsp_mmap_single() may be freed when the
device handle is closed, but the mapping persists beyond that, allowing
userspace to read or write memory owned by a different consumer.
Fix the problem by adding a reference counter to the sound buffer.
Define pager ops for the VM object returned by dsp_mmap_single() and use
them to manage the extra reference.
Add a regression test.
Approved by: so
Security: FreeBSD-SA-26:27.sound
Security: CVE-2026-49417
Reported by: Lexpl0it, 75Acol, Liyw979, Rob1n
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57393
Normally, data processed on the KTLS receive path is contained in
anonymous mbufs that can be modified in place. Either the data
originates in receive buffers from a NIC driver, or for loopback
connections the data is anonymous-backed mbufs created when writing to
a socket. One potential source of non-anonymous mbufs are mbufs
created by sendfile(2) which borrow the pages of the underlying file,
either via M_EXTPG or EXT_SFBUF that are sent over a loopback
connection. For a well-formed loopback TLS session, the sender should
only use sendfile(2) if KTLS is enabled. If TLS is fully handled in
userspace, the sender must use write(2) or send(2) which allocate
anonymous mbufs. If KTLS transmit is enabled, then sendfile(2) on a
loopback connection will always use crypto via OCF and will allocate
anonymous pages to hold the encrypted data.
However, if sendfile(2) is used to send file-backed data directly over
a loopback connection where KTLS is not enabled on the sender side,
the KTLS receive path can modify the file-backed pages in place
overwriting the file's data. One potential fix would be to replace
non-anonymous mbufs in a received TLS record with anonymous mbufs
(e.g. via m_dup()) before passing the record to OCF. However, there
is no legitimate use case for using sendfile(2) over a loopback TLS
connection without using KTLS on the sender side, so instead simply
fail decryption requests and close the connection if non-anonymous
mbufs are encountered in the RX decryption path.
Add a test for this that verifies that the original data backing the
file descriptor used as the source for sendfile() is unchanged after
being processed.
Approved by: so
Security: FreeBSD-SA-26:26.ktls
Security: CVE-2026-45257
Co-authored-by: Drew Gallatin <gallatin@FreeBSD.org>
Sponsored by: Chelsio Communications
Sponsored by: Netflix
Approved by: so
Security: FreeBSD-SA-26:25.thr
Security: CVE-2026-45256
Reported by: Igor Gabriel Sousa e Souza
Reported by: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
Reviewed by: emaste, kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57237
This is consistent with allow_read_dir and allow_ptrace.
PR: 293485
Fixes: c289291a67 ("tty: Add sysctl knob to globally disable TIOCSTI")
Sponsored by: The FreeBSD Foundation
Shell variable names cannot be safely quoted with shell_escape() —
only alphanumeric characters are valid. Add validation that set-name
only matches [a-zA-Z0-9]+; invalid values are rejected with a
warning and the rename is skipped entirely.
The hostname value was written inside double quotes in
/etc/rc.conf.d/hostname. POSIX shell performs command substitution
inside double quotes, so a hostname containing $() or backticks would
be executed when the file is sourced (e.g., by rc(8)).
Switch to using the existing shell_escape() helper, which wraps values
in single quotes. In POSIX shell, single-quoted strings are completely
literal — no expansion or substitution of any kind is performed.
While the hostname is already validated to contain only
[a-zA-Z0-9.-], this change provides defense-in-depth so the output
format is safe regardless of future validation changes.
Reported by: Yazdan Soltani <yazdan.soltani@gmail.com>
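The two shell-quoting points above (alphanumeric-only set-name validation, and single-quoting the hostname value written to /etc/rc.conf.d/hostname) as an added example; this is not FreeBSD's own installer code. shell_escape() here is an assumed reimplementation of the helper the commit names, and valid_set_name(), write_hostname_unsafe(), write_hostname_safe() and sourced_hostname() are hypothetical names.

```shell
#!/bin/sh
# Added example, not FreeBSD's own code. shell_escape() is an assumed
# reimplementation of the helper named in the commit message; the other
# function names are hypothetical.

# Wrap a value in single quotes so that a POSIX shell sourcing the output
# treats it literally. Embedded single quotes become '\'' (close the
# quote, emit an escaped quote, reopen).
shell_escape() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# A variable name is only safe if it is purely alphanumeric: quoting cannot
# protect the left-hand side of an assignment. Returns 0 if acceptable.
valid_set_name() {
    case "$1" in
        ''|*[!a-zA-Z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The old form: the value sits inside double quotes, so $(...) and backticks
# are expanded when the file is sourced.
write_hostname_unsafe() {
    printf 'hostname="%s"\n' "$1" > "$2"
}

# The fixed form: the value is single-quoted via shell_escape().
write_hostname_safe() {
    printf 'hostname=%s\n' "$(shell_escape "$1")" > "$2"
}

# Source an rc.conf.d-style file in a subshell (as rc(8) effectively does)
# and print the resulting $hostname, so the two forms can be compared.
sourced_hostname() {
    ( hostname=''; . "$1"; printf '%s' "$hostname" )
}

# Demonstration on a constructed value containing a command substitution.
demo() {
    dir=$(mktemp -d) || return 1
    value='$(echo injected)'
    write_hostname_unsafe "$value" "$dir/unsafe.conf"
    write_hostname_safe "$value" "$dir/safe.conf"
    printf 'unsafe: %s\n' "$(sourced_hostname "$dir/unsafe.conf")"  # injected
    printf 'safe:   %s\n' "$(sourced_hostname "$dir/safe.conf")"    # $(echo injected)
    rm -rf "$dir"
}
```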
If virtual_oss is not enabled when these rules run on startup, dmesg
will show the following messages:
Starting devd.
virtual_oss_cmd: Could not open control device: /dev/vdsp.ctl: No such file or directory
virtual_oss_cmd: Could not open control device: /dev/vdsp.ctl: No such file or directory
Reported by: olce, Mark Millard <marklmi@yahoo.com>
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Packets received with the following configuration are associated with
AXGE_RX_MII_ERR, which looks legit since there's no AXGE_RX_CRC_ERR
or AXGE_RX_DROP_PKT attached:
axge0: <ASIX Elec. Corp. AX88179, rev 2.10/1.00, addr 3> on usbus0
miibus0: <MII bus> on axge0
rgephy0: <RTL8169S/8110S/8211 1000BASE-T media interface> PHY 3 on miibus0
rgephy0: OUI 0x00e04c, model 0x0011, rev. 5
rgephy0: none, 10baseT, 10baseT-FDX, 10baseT-FDX-flow, 100baseTX, 100baseTX-FDX, 100baseTX-FDX-flow, 1000baseT-FDX, 1000baseT-FDX-master, 1000baseT-FDX-flow, 1000baseT-FDX-flow-master, auto, auto-flow
Without this, 'dhclient ue0' never gets a valid lease as all the DHCP
replies are dropped by the driver.
This behaviour is aligned with the reference driver provided by the
vendor (ASIX_USB_NIC_Linux_Driver_Source_v3.5.0.tar.bz2).
MFC after: 2 weeks
C++ exposes cfenv functions via using ::func. Our name-mangling
mechanism rewrites all function calls causing symbols such as
std::feclearexcept to be transformed into std::__feclearexcept_int.
Since no such function exists, compilation fails.
The using ::feclearexcept declarations themselves are unaffected because
they are not function calls, which further exposes the mismatch.
As a result, enable the fast path only for C and fall back to the slow
path in C++.
Reviewed by: kib
Fixes: 5bc64b7d41
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57450
This hasn't been used in a long time, and since I am shuffling around
the net80211 crypto API a bunch, let's just delete it instead of
leaving it here and trying to figure out how to support it if it's
used by userland somehow.
Reviewed by: guest-seuros
Differential Revision: https://reviews.freebsd.org/D57312
The IEEE80211_KEYBUF_SIZE and IEEE80211_MICBUF_SIZE are sprinkled
throughout the net80211 stack, ioctl API and drivers. This makes it
challenging to (eventually) up IEEE80211_KEYBUF_SIZE to support 256 /
384 bit encryption as, well, it'll break every single driver and the
ioctl API in doing so.
So as part of this, let's start to separate out the current key/mic
buffer size from what drivers and the ioctl layer are using.
Drivers especially shouldn't be using these definitions as their
key sizes are hardware / firmware API limits, not net80211 limits.
Ideally drivers would define their own key buffer / mic buffer
sizes and only copy in keys up to that length (and fail keys
that are too large) but the current net80211 API isn't there yet.
This doesn't yet change what defines / buffer sizes are used in the
ioctl layer. I'm going to plan out some subsequent work to
separate out those defines and ioctl APIs so they maintain using
the 128 bit key/mic buffer sizes and will copy them in/out of any
larger net80211 key buffer size in the future.
Differential Revision: https://reviews.freebsd.org/D54593
libalias maintains a global list of all libalias handles. The list was
updated without any locking, but nothing prevents updates from running
concurrently.
MFC after: 1 week
After commit 069a67374e, ip6_input() quickly rejects packets with
plen == 0, before ip6_input_hbh() is called. So, there is no need to
check this condition again in the helper function.
Reviewed by: pouria, zlei, tuexen
Differential Revision: https://reviews.freebsd.org/D57342
Rewrite the main loop to use ppoll() instead of just blocking on read,
blocking the signals we care about when we aren't polling.
I didn't bother replacing alarm() with setitimer(); the alarm code
is dead anyway since there is no way for max_idletime to acquire a
non-zero value.
While here, avoid leaking the pid file and trigger descriptors to the
log child.
PR: 295840
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D57451
The Linux getsockopt did not check the size of the provided buffer when
copying out the value, leading to buffer overflows (e.g., for TCP_INFO).
Fix is to use the smaller of the option value size and the provided
buffer.
MFC after: 1 month
Relnotes: yes
Reviewed by: kib, markj
Differential Revision: https://reviews.freebsd.org/D55881
Currently, 'write_files' does not create parent directories, and
'runcmd' cannot be used here, since those scripts run after the files
have been written. The only workaround is to create the files in an
existing directory, such as '/root' or '/tmp', and then move those
files using 'runcmd', but this is cumbersome when there are many files,
even if they are small.
With this change, nuageinit now creates the parent directories for each
file using the path field, which mimics the same behavior as in
cloud-init.
Permissions and ownership can also be configured using 'runcmd'.
Reviewed by: bapt@
Approved by: bapt@
Differential Revision: https://reviews.freebsd.org/D57395
Discarding m_free's return value will result in an mbuf leak if the mbuf
was in a chain.
In general we should use m_freem if the mbuf may be in a chain, or
assert that the return was NULL. There will not be a chain here due to
m_megapullup, so add an assert.
Reviewed by: ae
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57479
The remote syscall is executed in the context where the debugger owns a
p_lock hold on the target. Due to this, exit1() waiting for p_lock
to go to zero never happens.
Postpone the exit1() call to ast then, saving the provided rval and
signo in the struct proc. Mark the async-exiting proc with the new
p_flag P_ASYNC_EXIT.
While p_xexit can be reused, p_xsig can be only set by actual exit1(),
otherwise it breaks the ptrace mechanism. Allocate a dedicated p_asig
for it.
Reviewed by: markj
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D57482
nlmsghdr::nlmsg_len and nl_buf::offset are u_int. Make msglen match.
Reviewed by: pouria, glebius
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57474
Although non-compliant, there are binaries which have the phdrs placed
unaligned in the image. Since we have the code to allocate memory for
off-page phdrs, the same code path can be used to handle unaligned
phdrs.
Relax the requirement for both the activated image and interpreter.
PR: 295629
Reviewed by: emaste, markj, olce
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D57498
Two bugs in the firewire bus layer that affect all consumers (if_fwip, sbp):
watchdog_clock was a static local in firewire_watchdog(), shared across
all firewire_comm instances. With two controllers (e.g. built-in +
Thunderbolt Display), both advance the same counter, so the second
controller's 15-second boot-time timeout guard expires prematurely.
fw_tl2xfer() released tlabel_lock before returning the xfer pointer.
Reviewed by: zlei, adrian
Differential Revision: https://reviews.freebsd.org/D57496
If a name token contains trailing garbage, error out from
krb5_gss_import_name() instead of crashing the process with an
assertion failure.
Commit message details obtained from upstream commit.
Obtained from: upstream commit 07818f1fd
Reported by: Aisle Research (Ze Sheng, Dmitrijs Trizna, Luigino Camastra, Guido Vranken) to krb5-bugs
MFC after: 3 days
krb5 1.22.1 erroneously removed a check from get_negTokenResp() for
successful decoding of the mechListMIC field. Restore the check to
prevent a null pointer dereference.
Commit message details obtained from upstream commit.
Obtained from: Upstream commit 4ae75cded
MFC after: 3 days
A PPTP client sending a specially crafted PPTP message with a length
smaller than the already processed fixed header can panic the system.
This results in a negative remaining length (a large unsigned 16-bit
number).
Reported by: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D57383
When we undefer a packet (when the peer acks the state) it's possible
that we don't find a corresponding pfsync_deferral. We panic here, but
that's actually something that can happen in normal operation:
- if we have too many deferred packets already (in pfsync_defer())
- if the deferral timed out (in pfsync_defer_tmo())
Remove this panic and document the scenarios where it might occur.
MFC after: 2 weeks
Sponsored by: Orange Business Services
We have to switch back to the previous rule once the temporary
build fix has been replaced with a permanent fix.
PR: 295823
See also: 4996ebdb72
Reported by: siva
MFC after: 1 week
Add C23 sized deallocation entry points as thin wrappers around free(3).
Implementations may ignore size and alignment hints, so behaviour stays
correct for existing allocations without validating caller metadata yet.
When jemalloc is updated to 5.3.1, rewire these to je_free_sized() and
je_free_aligned_sized() so deallocation can use the allocator's sized
deallocation (free_sized for fast paths and free_aligned_sized for
correct aligned hints.)
Please note this change satisfies the standard interface only. Both
functions should be delegated to jemalloc after the upgrade so callers
get the intended allocator behaviour; until then, hints are unused and
neither sized nor aligned-sized deallocation optimizations apply.
Signed-off-by: Faraz Vahedi <kfv@kfv.io>
Reviewed by: fuz
Pull Request: https://github.com/freebsd/freebsd-src/pull/2201
MFC after: 1 month