kern_prot.c: Belatedly add copyright
See the commit log for the why.
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 1c0e5c53ff1672a93fc42988020723bb6bc427c1)
style.9: Fix a typo (missing word)
Fixes: af2c7d9f6452 ("style.9: Encourage style changes when doing significant modifications")
MFC after: 1 day
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 1876f629b97608679f1bd71b9aa88a57b55c4574)
MAC/do: Clarify comments about flags attached per-ID or per-ID-type
No functional change.
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 0c2d64ce3da9c042da133c8b6d7391abb177f2c9)
MAC/do: Tests: Quote the source directory
In a standard test suite installation, this is not necessary, but be
bullet-proof to custom ones, however improbable.
Reviewed by: bapt
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
(cherry picked from commit 33daea3f862d7fe996602756805a92a600356f94)
acpi: On /dev/power suspend, trigger userspace notifications
On a suspend request via ioctl(), /dev/acpi (and compatible /dev/apm)
both call acpi_ReqSleepState() instead of directly calling
acpi_EnterSleepState(). The former does more checks, returns success if
the machine is already suspending, and notifies user space (via devd(8))
about the impending suspend. In other words, it seems to have been
designed for user consumption more than the latter function.
So, use acpi_ReqSleepState() in place of acpi_EnterSleepState() in
acpi_pm_func(), which is ultimately called by power_pm_suspend(), itself
called by power_ioctl(). Other callers of power_pm_suspend() (such as
the console drivers) are also user-facing facilities, so should also
benefit from this change.
Reviewed by: mhorne, imp
Tested by: mhorne
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
[3 lines not shown]
filesystems/pjdfstest: new port
pjdfstest is a file system test suite to assess the correctness of file
system implementations in terms of POSIX compliance. This port is for the
Rust rewrite of the sh-based original, which remains in contrib/ for
now.
WWW: https://github.com/saidsay-so/pjdfstest
Reviewed by: olivier
Differential Revision: https://reviews.freebsd.org/D56848
hwpmc: Disable AMD PMCs if in an unsupported VM
AMD does not have a CPUID bit to indicate the lack of K8 PMCs. If all
other PMC features are not present we should test an event selector to
see if it stores and returns a value. If the VM is implemented
correctly, this should result in a #GP on the initial wrmsr_safe. Bhyve
and a few other VMs ignore writes, so I got one step further and test
that it retains the OS and USR bits.
Tested on Zen 5 native and a Zen 5 Bhyve virtual machine. This code
should not run on any recent hardware, except in a VM, as it checks that
the core counter extension is missing.
PR: 268943
Reported by: Sandipan Das, John F. Carr <jfc at mit.edu>
Reviewed by: mhorne, imp
Sponsored by: Netflix
MFC after: 1 week
Pull Request: https://github.com/freebsd/freebsd-src/pull/2272/changes
OpenSSL: update MAINTAINERS/CODEOWNERS
I've been the quasi-defacto component maintainer for OpenSSL since
14.0-RELEASE. Make it official via CODEOWNERS/MAINTAINERS.
The goal is to help guide those interested in making changes in this
space to solicit my input with the new vendor import process and
coordinate fixes with upstream until things are at a point where most of
this is automated a system of automated checks and balances to confirm
that the updates being made to the component help maintain a security
supply chain for this given component.
Thank you benl and jkim for your past efforts in this component area.
Hopefully I can do my part to help improve this critical space further
as you both did in your respective tenures.
MFC after: 3 days
www/py-yubal-api: New port: Self-hosted YouTube Music downloader (API)
yubal is a self-hosted YouTube Music downloader. Paste a link, get
a tagged, organized library.
Scheduled sync. Smart deduplication. Media server ready. Browser
extension included.
WWW: https://github.com/guillevc/yubal/
devel/py-ytmusicapi: New port: Unofficial API for YouTube Music
ytmusicapi is a Python 3 library to send requests to the YouTube
Music API. It emulates YouTube Music web client requests using the
user's cookie data for authentication.
WWW: https://github.com/sigma67/ytmusicapi
www/py-yubal: New port: Self-hosted YouTube Music downloader
yubal is a self-hosted YouTube Music downloader. Paste a link, get
a tagged, organized library.
Scheduled sync. Smart deduplication. Media server ready. Browser
extension included.
WWW: https://github.com/guillevc/yubal/
openssl: Fix multiple vulnerabilities
This is a rollup commit from upstream to fix:
Reject oversized inputs in ASN1_mbstring_ncopy()
cms: kek_unwrap_key: Fix out-of-bounds read in check-byte validation
cms: kek_unwrap_key: test for fix out-of-bounds read in check-byte validation
Avoid length truncation in ASN1_STRING_set
pkcs12: verify that the pbmac1 key length is safe
Reject potentially forged encrypted CMS AuthEnvelopedData messages
QUIC stack must limit the number of PATH_CHALLENGE frames processed in RX
Fix NULL dereference in QUIC address validation
Fix potential NULL dereference processing CMS PasswordRecipientInfo
Fix potential NULL dereference in OSSL_CRMF_ENCRYPTEDVALUE_decrypt()
Enforce implicit rejection for CMS/PKCS#7 decryption
Use the correct issuer when validating rootCAKeyUpdate
Match the local q DHX parameter against the peer's q
Apply the buffered IV on the AES-OCB EVP_Cipher() path
Fix handling of empty-ciphertext messages in AES-GCM-SIV and AES-SIV
Fix possible use-after-free in OpenSSL PKCS7_verify()
[19 lines not shown]
imgact_elf: Clear no-ASLR and -WXORX flags earlier for setugid images
Otherwise an unprivileged user can disable randomization of the base
address for PIEs even if they are setugid.
Add a regression test.
Approved by: so
Security: FreeBSD-SA-26:32.elf
Security: CVE-2026-49414
Reported by: David Berard
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57397
linux: Correct the issetugid check in copyout_auxargs
The runtime linker in glibc relies on the AT_SECURE auxv entry to know
whether the executable is set-ugid, if so then various dangerous
functionality such as LD_PRELOAD is disabled.
The check added in commit 669414e4fb74 failed to take into account the
fact that during execve, P_SUGID may not yet be set for a set-ugid
process. Correct the test.
Approved by: so
Security: FreeBSD-SA-26:30.linux
Security: CVE-2026-49413
Reported by: Minseong Kim
Fixes: 669414e4fb74 ("Implement AT_SECURE properly.")
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57350
sound: Fix software buffer lifetime issues
The channel buffer mapped by dsp_mmap_single() may be freed when the
device handle is closed, but the mapping persists beyond that, allowing
userspace to read or write memory owned by a different consumer.
Fix the problem by adding a reference counter to the sound buffer.
Define pager ops for the VM object returned by dsp_mmap_single() and use
them to manage the extra reference.
Add a regression test.
Approved by: so
Security: FreeBSD-SA-26:27.sound
Security: CVE-2026-49417
Reported by: Lexpl0it, 75Acol, Liyw979, Rob1n
Reviewed by kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57393
in6_mcast: Fix a race in in6p_set_source_filter()
We drop the inpcb lock in order to copy in the source list, but this
leaves a window where the multicast filter structure might be freed.
This can be exploited to obtain root privileges.
In the v4 code this race is mitigated by holding the global multicast
lock across the gap.
Restructure the code to copy in filters before doing anything else, so
that there's no need to drop the inpcb lock and reason about the
correctness of doing so. Do the same in the v4 code for consistency.
Approved by: so
Security: FreeBSD-SA-26:29.ip6_multicast
Security: CVE-2026-49412
Reported by: Andrew Griffiths <andrew at calif.io>
Reported by: Maik Münch <maik at secfault-security.com>
Reviewed by: glebius
[2 lines not shown]
sound: Check for offset overflow in dsp_mmap_single()
Approved by: so
Security: FreeBSD-SA-26:27.sound
Security: CVE-2026-45258
Reviewed by: markj
Sponsored by: The FreeBSD Foundation
thr_kill2: Respect p_cansignal()
Approved by: so
Security: FreeBSD-SA-26:25.thr
Security: CVE-2026-45256
Reported by: Igor Gabriel Sousa e Souza
Reported by: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
Reviewed by: emaste, kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57237
arm64: Workaround the following errata
- ARM C1-Premium erratum 4193780
- ARM C1-Ultra erratum 4193780
- ARM Cortex-A76 erratum 4193800
- ARM Cortex-A76AE erratum 4193801
- ARM Cortex-A77 erratum 4193798
- ARM Cortex-A78 erratum 4193791
- ARM Cortex-A78AE erratum 4193793
- ARM Cortex-A78C erratum 4193794
- ARM Cortex-A710 erratum 4193788
- ARM Cortex-X1 erratum 4193791
- ARM Cortex-X1C erratum 4193792
- ARM Cortex-X2 erratum 4193788
- ARM Cortex-X3 erratum 4193786
- ARM Cortex-X4 erratum 4118414
- ARM Cortex-X925 erratum 4193781
- ARM Neoverse-N1 erratum 4193800
- ARM Neoverse-N2 erratum 4193789
[15 lines not shown]
ktls: Don't attempt to modify non-anonymous mbufs on the receive path
Normally, data processed on the KTLS receive path is contained in
anonymous mbufs that can be modified in place. Either the data
originates in receive buffers from a NIC driver, or for loopback
connections the data is anonymous-backed mbufs created when writing to
a socket. One potential source of non-anonymous mbufs are mbufs
created by sendfile(2) which borrow the pages of the underlying file,
either via M_EXTPG or EXT_SFBUF that are sent over a loopback
connection. For a well-formed loopback TLS session, the sender should
only use sendfile(2) if KTLS is enabled. If TLS is fully handled in
userspace, the sender must use write(2) or send(2) which allocate
anonymous mbufs. If KTLS transmit is enabled, then sendfile(2) on a
loopback connection will always use crypto via OCF and will allocate
anonymous pages to hold the encrypted data.
However, if sendfile(2) is used to send file-backed data directly over
a loopback connection where KTLS is not enabled on the sender side,
the KTLS receive path can modify the file-backed pages in place
[18 lines not shown]
imgact_elf: Clear no-ASLR and -WXORX flags earlier for setugid images
Otherwise an unprivileged user can disable randomization of the base
address for PIEs even if they are setugid.
Add a regression test.
Approved by: so
Security: FreeBSD-SA-26:32.elf
Security: CVE-2026-49414
Reported by: David Berard
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57397
arm64: Workaround the following errata
- ARM C1-Premium erratum 4193780
- ARM C1-Ultra erratum 4193780
- ARM Cortex-A76 erratum 4193800
- ARM Cortex-A76AE erratum 4193801
- ARM Cortex-A77 erratum 4193798
- ARM Cortex-A78 erratum 4193791
- ARM Cortex-A78AE erratum 4193793
- ARM Cortex-A78C erratum 4193794
- ARM Cortex-A710 erratum 4193788
- ARM Cortex-X1 erratum 4193791
- ARM Cortex-X1C erratum 4193792
- ARM Cortex-X2 erratum 4193788
- ARM Cortex-X3 erratum 4193786
- ARM Cortex-X4 erratum 4118414
- ARM Cortex-X925 erratum 4193781
- ARM Neoverse-N1 erratum 4193800
- ARM Neoverse-N2 erratum 4193789
[15 lines not shown]
