Delete error-check code that can never happen.
Near the top of kern_mmap() that implements the mmap(2) system call,
it sets
prot = PROT_EXTRACT(prot);
with
So prot can only be the three PROT_ flags.
The following test of the user's mmap(2) parameters (near line 275
in vm/vm_mmap.c):
if (prot != PROT_NONE &&
(prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC)) != 0) {
return (EXTERROR(EINVAL, "invalid prot %#jx", prot));
}
[8 lines not shown]
15.0: Update "latest" AMIs
We now have 15.0-RELEASE-p5 AMIs.
Note that, due to ongoing issues impacting hardware in the region, AMIs for
the me-south-1 region have not been updated.
Approved by: re (implicit)
Sponsored by: Amazon
rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()
svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough. Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.
Add a runtime check which verifies that the copy won't overflow.
Approved by: so
Security: FreeBSD-SA-26:08.rpcsec_gss
Security: CVE-2026-4747
Reported by: Nicholas Carlini <npc at anthropic.com>
Reviewed by: rmacklem
Fixes: a9148abd9da5d
rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()
svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough. Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.
Add a runtime check which verifies that the copy won't overflow.
Approved by: so
Security: FreeBSD-SA-26:08.rpcsec_gss
Security: CVE-2026-4747
Reported by: Nicholas Carlini <npc at anthropic.com>
Reviewed by: rmacklem
Fixes: a9148abd9da5d
(cherry picked from commit 143293c14f8de00c6d3de88cd23fc224e7014206)