<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/sys, branch releng/13.5</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=releng%2F13.5</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=releng%2F13.5'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2026-03-26T01:31:01Z</updated>
<entry>
<title>Add UPDATING entries and bump version</title>
<updated>2026-03-26T01:31:01Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-03-25T02:16:23Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=5c4e558ab4fc9ab437e208ff9d7e70c923654a06'/>
<id>urn:sha1:5c4e558ab4fc9ab437e208ff9d7e70c923654a06</id>
<content type='text'>
Approved by:	so
</content>
</entry>
<entry>
<title>rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()</title>
<updated>2026-03-26T01:30:59Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-03-24T02:12:42Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=c4f53a1adbd4d5209b45043d25e590f0c27b5314'/>
<id>urn:sha1:c4f53a1adbd4d5209b45043d25e590f0c27b5314</id>
<content type='text'>
svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough.  Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.

Add a runtime check which verifies that the copy won't overflow.

Approved by:	so
Security:	FreeBSD-SA-26:08.rpcsec_gss
Security:	CVE-2026-4747
Reported by:	Nicholas Carlini &lt;npc@anthropic.com&gt;
Reviewed by:	rmacklem
Fixes:		a9148abd9da5d
</content>
</entry>
<entry>
<title>Add UPDATING entries and bump version</title>
<updated>2026-02-24T16:04:27Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-02-24T15:58:22Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=9d3e842358b4b776a0e4bbab921695ac35f3baa3'/>
<id>urn:sha1:9d3e842358b4b776a0e4bbab921695ac35f3baa3</id>
<content type='text'>
Approved by:	so
</content>
</entry>
<entry>
<title>rtsock: Fix stack overflow</title>
<updated>2026-02-24T16:03:49Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-02-23T15:52:50Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=c2e2bfbd9e09026790deb5c930b6d48c042cdffe'/>
<id>urn:sha1:c2e2bfbd9e09026790deb5c930b6d48c042cdffe</id>
<content type='text'>
Approved by:	so
Security:	FreeBSD-SA-26:05.route
Security:	CVE-2026-3038
Fixes:		92be2847e845 ("rtsock: Avoid copying uninitialized padding bytes")

(cherry picked from commit f3be7df50f01d9a6ead9f27b55bb4dfd7dc4f9d2)
(cherry picked from commit 8b476ffc4ea3f82f758714fee0289209bc980782)
</content>
</entry>
<entry>
<title>amd64/conf: Remove a config committed by accident</title>
<updated>2026-02-23T01:48:38Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2025-06-25T12:50:50Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=933abe4a194056f659c175a19da9afc3b46e9ff1'/>
<id>urn:sha1:933abe4a194056f659c175a19da9afc3b46e9ff1</id>
<content type='text'>
Approved by:	so
Reported by:	kib, kp
Fixes:		350ba9672a7f ("unix: Set O_RESOLVE_BENEATH on fds transferred between jails")

(cherry picked from commit 3ef39f58e5d63a78fd1c37e6c62d599bc68d5e1e)
(cherry picked from commit 3b0f13ca60981186b1455d1e506ef4365054acc3)
</content>
</entry>
<entry>
<title>unix: Set O_RESOLVE_BENEATH on fds transferred between jails</title>
<updated>2026-02-23T01:48:38Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2025-06-24T20:05:37Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=e6b96891ef7c44b5413164a05a8c0a07eaaf59e3'/>
<id>urn:sha1:e6b96891ef7c44b5413164a05a8c0a07eaaf59e3</id>
<content type='text'>
If a pair of jails with different filesystem roots is able to exchange
SCM_RIGHTS messages (e.g., using a unix socket in a shared nullfs
mount), a process in one jail can open a directory outside of the root
of the second jail and then pass the fd to that second jail, allowing
the receiving process to escape the jail chroot.

Address this using the new FD_RESOLVE_BENEATH flag.  When externalizing
an SCM_RIGHTS message into the receiving process, automatically set this
flag on all new fds where a jail boundary is crossed.  This ensures that
the receiver cannot do more than access files underneath the directory;
in particular, the received fd cannot be used to access vnodes not
accessible by the sender.

Approved by:	so
PR:		262179
Reviewed by:	kib
MFC after:	3 weeks
Differential Revision:	https://reviews.freebsd.org/D50371

(cherry picked from commit 350ba9672a7f4f16e30534a603df577dfd083b3f)
(cherry picked from commit 73530e4c2ea92564e393e0497f13dfac251a41b7)
</content>
</entry>
<entry>
<title>file: Add a fd flag with O_RESOLVE_BENEATH semantics</title>
<updated>2026-02-23T01:48:38Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-02-09T16:47:16Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=82cee749b5230ac906a30ad6bf5a0bababbe00e9'/>
<id>urn:sha1:82cee749b5230ac906a30ad6bf5a0bababbe00e9</id>
<content type='text'>
The O_RESOLVE_BENEATH openat(2) flag restricts name lookups such that
they remain under the directory referenced by the dirfd.  This commit
introduces an implicit version of the flag, FD_RESOLVE_BENEATH, stored
in the file descriptor entry.  When the flag is set, any lookup relative
to that fd automatically has O_RESOLVE_BENEATH semantics.  Furthermore,
the flag is sticky, meaning that it cannot be cleared, and it is copied
by dup() and openat().

File descriptors with FD_RESOLVE_BENEATH set may not be passed to
fchdir(2) or fchroot(2).  Various fd lookup routines are modified to
return fd flags to the caller.

This flag will be used to address a case where jails with different root
directories and the ability to pass SCM_RIGHTS messages across the jail
boundary can transfer directory fds in such a way as to allow a
filesystem escape.

Approved by:	so
PR:		262180
Reviewed by:	kib
MFC after:	3 weeks
Differential Revision:	https://reviews.freebsd.org/D50371

(cherry picked from commit f35525ff2053e026a423e852136d73ed93c95803)
(cherry picked from commit f7cbcb19a9ecf606172d6d6c472b5ba7130a398b)
</content>
</entry>
<entry>
<title>file: Qualify pointers to capsicum rights as const</title>
<updated>2026-02-09T23:11:00Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2025-05-20T20:19:30Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=0b18e4842c9df9caefac5f5d8fd8f4fbd5b29901'/>
<id>urn:sha1:0b18e4842c9df9caefac5f5d8fd8f4fbd5b29901</id>
<content type='text'>
File descriptor lookup routines typically take a set of capsicum rights
as input to the lookup, so that the fd's rights can be atomically
checked.  This set should be qualified with const.

No functional change intended.

Approved by:	so
Reviewed by:	olce, oshogbo, brooks, kib
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D50419

(cherry picked from commit 5319cb21610ad947c56fd0cd4f18ef5b58bc8db7)
(cherry picked from commit ecc1e61d31407680c9acee9c7adcf2ca2aa21432)
</content>
</entry>
<entry>
<title>Add UPDATING entries and bump patch version</title>
<updated>2026-01-27T16:55:52Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-01-26T20:35:51Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=0e9fc21ec0a80eaf2514e9e7edab0860cb923198'/>
<id>urn:sha1:0e9fc21ec0a80eaf2514e9e7edab0860cb923198</id>
<content type='text'>
Approved by:	so
</content>
</entry>
<entry>
<title>namei: clear internal flags in NDREINIT()</title>
<updated>2026-01-27T16:55:52Z</updated>
<author>
<name>Konstantin Belousov</name>
<email>kib@FreeBSD.org</email>
</author>
<published>2025-05-28T21:51:42Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=e91e8b785b8180dd4c879732b6f13a9b4e2e1c1d'/>
<id>urn:sha1:e91e8b785b8180dd4c879732b6f13a9b4e2e1c1d</id>
<content type='text'>
same as it is done for NDRESTART()

Approved by:	so
Fixes:  e05e33041c252
Reported and tested by:	pho
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation

(cherry picked from commit 58b2bd33aff71c0268d99d63e9c83f6544d3beb3)
(cherry picked from commit 53963866f7088dd96f6d56169e6b4fb899277306)
</content>
</entry>
</feed>
