FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=releng%2F14.3 2026-04-30T21:21:34Z 2026-04-30T21:21:34Z Mark Johnston markj@FreeBSD.org 2026-04-30T21:12:58Z urn:sha1:4f4b48e8a5478657f343953ef30ce992f2a6b68f Approved by: so 2026-04-28T20:33:05Z Mark Johnston markj@FreeBSD.org 2026-04-28T20:29:58Z urn:sha1:31900fbe281f595718d20c0aa26b10ab2efa138d Approved by: so 2026-04-28T20:33:04Z Mariusz Zaborski oshogbo@FreeBSD.org 2026-04-28T14:36:09Z urn:sha1:aa15809f85deef33167bf74f82144d714a884548 nvlist_check_header() validated nvlh_size for overflow before performing conversion. An mallicous user can set NV_FLAG_BIG_ENDIAN in the header and craft nvlh_size so that the orginall value passes the check, but after the conversion the sizeof(nvlist_header) + size can overflow. This can lead to a heap buffer overflow. Approved by: so Security: FreeBSD-SA-26:17.libnv Security: CVE-2026-35547 Fixes: 36fa90dbde0060aacb5677d0b113ee168e839071 Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D56342 2026-04-28T20:33:04Z Mariusz Zaborski oshogbo@FreeBSD.org 2024-08-29T13:46:01Z urn:sha1:0963be1dbf8886423c0c4efade79661989db9a77 Approved by: so Differential Revision: https://reviews.freebsd.org/D46131 (cherry picked from commit 241a7ddd7112982ed41ccdd047c1dad59ee0256e) 2026-04-28T20:33:04Z Mark Johnston markj@FreeBSD.org 2026-04-22T17:58:35Z urn:sha1:f04c40607b8fb38720d57631c674f07d4207c976 The buggy version allowed userspace to overflow the copy into adjacent execve KVA regions, which enables, among other things, injecting environment variables into privileged processes. Approved by: so Security: FreeBSD-SA-26:13.exec Security: CVE-2026-7270 Reported by: Ryan Austin of Calif.io Reviewed by: brooks, kib Fixes: f373437a01a3 ("Add helper functions to copy strings into struct image_args.") Differential Revision: https://reviews.freebsd.org/D56665 2026-04-28T20:33:04Z Kristof Provost kp@FreeBSD.org 2026-04-26T09:34:55Z urn:sha1:63495b09ccf53bfc87fd1e13658f0dba38f0d2ac As per RFC5061 "4.2. New Parameter Types" the add/delete IP address parameters (0xc001, 0xc002) may not be present in an INIT or INIT-ACK chunk. They are only allowed to be present in an ASCONF chunk. This also prevents unbounded recursion while parsing an SCTP packet. Approved by: so Security: FreeBSD-SA-26:14.pf Security: CVE-2026-7164 PR: 294799 Reported by: Igor Gabriel Sousa e Souza Sponsored by: Orange Business Services 2026-04-28T20:33:04Z Kyle Evans kevans@FreeBSD.org 2026-04-20T20:18:17Z urn:sha1:3b1365cb816e18969244ffdab0861d70ec2a4dc8 AMD64 Architecture Programmer's Manual Volume 3 says the following: > ECX[15:0] contains a count of the number of sequential pages to > invalidate in addition to the original virtual address, starting from > the virtual address specified in rAX. A count of 0 invalidates a > single page. ECX[31]=0 indicates to increment the virtual address at > the 4K boundary. ECX[31]=1 indicates to increment the virtual address > at the 2M boundary. The maximum count supported is reported in > CPUID function 8000_0008h, EDX[15:0]. ECX[31] being what we call INVLPGB_2M_CNT, signaling to increment the VA by 2M. > This instruction invalidates the TLB entry or entries, regardless of > the page size (4 Kbytes, 2 Mbytes, 4 Mbytes, or 1 Gbyte). [...] Combined with this, my interpretation of the current code is: if <va> is aligned on a PDE boundary, we'll use INVLPGB_2M_CNT to try and invalidate <cnt> PDEs with a single call, but that only works if <va> is the start of at least <cnt> 2M pages. Otherwise, if <va> or any of the subsequent PDEs isn't actually a superpage, then we would actually only invalidate the *first* page within the PDE before skipping to the next PDE, leaving the remainder of the 4K pages in between as they were. The implication would seem to be that we would need to inspect the range that we're trying to invalidate if we're planning on using INVLPGB_2M_CNT at all, so this patch just simplifies it to a series of 4K invalidations. My gut feeling is that we likely still come out on top vs. the TLB shootdown we're avoiding. This seems to explain some issues we've seen lately with fdgrowtable() and kqueue on recent Zen4/Zen5 EPYC hardware, where we'd experience corruption that we can't explain. Approved by: so Security: FreeBSD-EN-26:10.amd64 PR: 293382 Reviewed by: alc, kib, markj (cherry picked from commit 1b8e5c02f5c07521129e06ff8ab7c660238fd75c) (cherry picked from commit ff11ae166cd9f8ae16a5c384d46aa1218f3ff013) 2026-04-21T15:45:50Z Mark Johnston markj@FreeBSD.org 2026-04-20T13:48:45Z urn:sha1:0224acf7f7db159f290eca918f50d2e4f6730705 Approved by: so 2026-04-21T15:45:50Z Mark Johnston markj@FreeBSD.org 2026-03-31T13:37:43Z urn:sha1:979e645dd25e8b9df065ca2bf3059c269224fec6 pmap_pkru_update_range() did not handle the case where a PDPE has PG_PS set. More generally, the SET_PKRU and CLEAR_PKRU sysarch implementations did not check whether the request covers a "boundary" vm map entry. Fix this, add the missing PG_PS test, and add some tests. Approved by: so Security: FreeBSD-SA-26:11.amd64 Security: CVE-2026-6386 Reported by: Nicholas Carlini <npc@anthropic.com> Reviewed by: kib, alc Differential Revision: https://reviews.freebsd.org/D56184 2026-04-21T15:45:50Z Mark Johnston markj@FreeBSD.org 2026-03-23T15:22:48Z urn:sha1:44077c07f19f5e60593dcd87f7c2c33ea7e5ca69 The TIOCNOTTY handler detaches the calling process from its controlling terminal. It clears the link from the session to the tty, but not the pointers from the tty to the session and process group. This means that sess_release() doesn't call tty_rel_sess(), and that pgdelete() doesn't call tty_rel_pgrp(), so the pointers are left dangling. Fix this by clearing pointers in tty_drop_ctty(). Add a standalone regression test. Approved by: so Security: FreeBSD-SA-26:10.tty Security: CVE-2026-5398 Reported by: Nicholas Carlini <npc@anthropic.com> Reviewed by: kib, kevans Fixes: 1b50b999f9b5 ("tty: implement TIOCNOTTY") Differential Revision: https://reviews.freebsd.org/D56046