FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=release%2F15.0.0-p8 2026-04-30T21:10:49Z 2026-04-30T21:10:49Z Mark Johnston markj@FreeBSD.org 2026-04-30T21:10:49Z urn:sha1:53054229dcb3cb994056da70b6c838c74ea3bb83 Approved by: so 2026-04-30T21:09:38Z Dag-Erling Smørgrav des@FreeBSD.org 2026-04-30T16:45:35Z urn:sha1:dc8762cfb6e2794ec10873263fa606ff969b1905 * Don't iterate over each string three times; once is enough. * Reject control characters (anything below space) in addition to the double quote and backslash. * If an unsafe character is encountered, discard the string instead of rejecting the entire lease. * If backslashes are encountered in the file name option, convert them to forward slashes instead of rejecting the option. * Tweak the warning messages a bit. Looking through the rest of the code, it seems to me that notes generally end with a period while warnings generally don't. Approved by: so Security: FreeBSD-EN-26:11.dhclient Fixes: 8008e4b88daf ("dhclient: Check for unexpected characters in some DHCP server options") PR: 294886 MFC after: 1 week Reviewed by: brooks, markj Differential Revision: https://reviews.freebsd.org/D56740 (cherry picked from commit 873a195ba63575e46686cfd6ea9670a0ca340fa0) (cherry picked from commit 252f603d1704044defb7695e707bc87c7f75483a) 2026-04-28T20:09:31Z Mark Johnston markj@FreeBSD.org 2026-04-28T20:09:31Z urn:sha1:bbfdabc12895ce2538444747684c6a4fe53298ba Approved by: so 2026-04-28T19:27:12Z Mariusz Zaborski oshogbo@FreeBSD.org 2026-04-28T14:36:09Z urn:sha1:b345e07c8d71e2c00cabe26ea2f96d65368aa1dd nvlist_check_header() validated nvlh_size for overflow before performing conversion. An mallicous user can set NV_FLAG_BIG_ENDIAN in the header and craft nvlh_size so that the orginall value passes the check, but after the conversion the sizeof(nvlist_header) + size can overflow. This can lead to a heap buffer overflow. Approved by: so Security: FreeBSD-SA-26:17.libnv Security: CVE-2026-35547 Fixes: 36fa90dbde0060aacb5677d0b113ee168e839071 Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D56342 2026-04-28T19:27:12Z Mariusz Zaborski oshogbo@FreeBSD.org 2026-04-28T14:35:10Z urn:sha1:7e4d5363ddced9578c42c46d8149e04aa1ab9fa8 The previous implementation used FD_SET() on a stack-allocated fd_set, which is an out-of-bounds write whenever the socket fd is >= FD_SETSIZE (1024). Approved by: so Security: FreeBSD-SA-26:16.libnv Security: CVE-2026-39457 Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/) Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D56689 2026-04-28T19:27:11Z Kristof Provost kp@FreeBSD.org 2026-04-26T09:34:55Z urn:sha1:c01d9bcf0cf683a0bd074383339980bcf3862be5 As per RFC5061 "4.2. New Parameter Types" the add/delete IP address parameters (0xc001, 0xc002) may not be present in an INIT or INIT-ACK chunk. They are only allowed to be present in an ASCONF chunk. This also prevents unbounded recursion while parsing an SCTP packet. Approved by: so Security: FreeBSD-SA-26:14.pf Security: CVE-2026-7164 PR: 294799 Reported by: Igor Gabriel Sousa e Souza Sponsored by: Orange Business Services 2026-04-28T19:27:11Z Mark Johnston markj@FreeBSD.org 2026-04-27T20:56:21Z urn:sha1:66d6c32ce7b84172e4c6069ce3acf8f5c422d1fa When the number of DHCP options exceeds a threshold, script_set_env() will reallocate the environment, stored as an array of pointers. The calculation of the array size failed to multiply by the pointer size, resulting in a smaller than expected buffer which admits out-of-bounds writes. Approved by: so Security: FreeBSD-SA-26:15.dhclient Security: CVE-2026-42511 Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/) 2026-04-28T19:27:11Z Mark Johnston markj@FreeBSD.org 2026-04-27T20:03:09Z urn:sha1:e7b4fb41aafaf6ccb4ff14684416223c1f6f92e8 Some options are written directly to the lease file, which may be parsed by subsequent dhclient invocations. We must make sure that a malicious server can't control the "medium" field of a lease definition, otherwise they can achieve RCE by injecting one into the lease file, whereupon it will be passed to dhclient-script, which passes it through eval. Approved by: so Security: FreeBSD-SA-26:12.dhclient Security: CVE-2026-42511 Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/) 2026-04-28T19:27:11Z Mark Johnston markj@FreeBSD.org 2026-04-22T17:58:35Z urn:sha1:934b48683c4f140cafd225518d9e056a00b46ee8 The buggy version allowed userspace to overflow the copy into adjacent execve KVA regions, which enables, among other things, injecting environment variables into privileged processes. Approved by: so Security: FreeBSD-SA-26:13.exec Security: CVE-2026-7270 Reported by: Ryan Austin of Calif.io Reviewed by: brooks, kib Fixes: f373437a01a3 ("Add helper functions to copy strings into struct image_args.") Differential Revision: https://reviews.freebsd.org/D56665 2026-04-28T19:26:02Z Kyle Evans kevans@FreeBSD.org 2026-04-20T20:18:17Z urn:sha1:182c59658218d9b0a889eaad56ad4c31d99323e9 AMD64 Architecture Programmer's Manual Volume 3 says the following: > ECX[15:0] contains a count of the number of sequential pages to > invalidate in addition to the original virtual address, starting from > the virtual address specified in rAX. A count of 0 invalidates a > single page. ECX[31]=0 indicates to increment the virtual address at > the 4K boundary. ECX[31]=1 indicates to increment the virtual address > at the 2M boundary. The maximum count supported is reported in > CPUID function 8000_0008h, EDX[15:0]. ECX[31] being what we call INVLPGB_2M_CNT, signaling to increment the VA by 2M. > This instruction invalidates the TLB entry or entries, regardless of > the page size (4 Kbytes, 2 Mbytes, 4 Mbytes, or 1 Gbyte). [...] Combined with this, my interpretation of the current code is: if <va> is aligned on a PDE boundary, we'll use INVLPGB_2M_CNT to try and invalidate <cnt> PDEs with a single call, but that only works if <va> is the start of at least <cnt> 2M pages. Otherwise, if <va> or any of the subsequent PDEs isn't actually a superpage, then we would actually only invalidate the *first* page within the PDE before skipping to the next PDE, leaving the remainder of the 4K pages in between as they were. The implication would seem to be that we would need to inspect the range that we're trying to invalidate if we're planning on using INVLPGB_2M_CNT at all, so this patch just simplifies it to a series of 4K invalidations. My gut feeling is that we likely still come out on top vs. the TLB shootdown we're avoiding. This seems to explain some issues we've seen lately with fdgrowtable() and kqueue on recent Zen4/Zen5 EPYC hardware, where we'd experience corruption that we can't explain. Approved by: so Security: FreeBSD-EN-26:10.amd64 PR: 293382 Reviewed by: alc, kib, markj (cherry picked from commit 1b8e5c02f5c07521129e06ff8ab7c660238fd75c) (cherry picked from commit 280cfe2264d7bf2199e5a41bdcbb9acb49d059c1)