rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()
svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough. Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.
Add a runtime check which verifies that the copy won't overflow.
Approved by: so
Security: FreeBSD-SA-26:08.rpcsec_gss
Security: CVE-2026-4747
Reported by: Nicholas Carlini <npc at anthropic.com>
Reviewed by: rmacklem
Fixes: a9148abd9da5d
rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()
svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough. Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.
Add a runtime check which verifies that the copy won't overflow.
Approved by: so
Security: FreeBSD-SA-26:08.rpcsec_gss
Security: CVE-2026-4747
Reported by: Nicholas Carlini <npc at anthropic.com>
Reviewed by: rmacklem
Fixes: a9148abd9da5d
(cherry picked from commit 143293c14f8de00c6d3de88cd23fc224e7014206)
rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()
svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough. Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.
Add a runtime check which verifies that the copy won't overflow.
Approved by: so
Security: FreeBSD-SA-26:08.rpcsec_gss
Security: CVE-2026-4747
Reported by: Nicholas Carlini <npc at anthropic.com>
Reviewed by: rmacklem
Fixes: a9148abd9da5d
(cherry picked from commit 143293c14f8de00c6d3de88cd23fc224e7014206)
tcp: plug an mbuf leak
When a challenge ACK should be sent via tcp_send_challenge_ack(),
but the rate limiter suppresses the sending, free the mbuf chain.
The caller of tcp_send_challenge_ack() expects this similar to the
callers of tcp_respond().
Approved by: so
Security: FreeBSD-SA-26:06.tcp
Security: CVE-2026-4247
Reviewed by: lstewart
Tested by: lstewart
Sponsored by: Netflix, Inc.
(cherry picked from commit 6b2d6ccad2552e46a5c9c3ba70b2d0ed27c70ca8)
rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()
svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough. Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.
Add a runtime check which verifies that the copy won't overflow.
Approved by: so
Security: FreeBSD-SA-26:08.rpcsec_gss
Security: CVE-2026-4747
Reported by: Nicholas Carlini <npc at anthropic.com>
Reviewed by: rmacklem
Fixes: a9148abd9da5d
(cherry picked from commit 143293c14f8de00c6d3de88cd23fc224e7014206)
tcp: plug an mbuf leak
When a challenge ACK should be sent via tcp_send_challenge_ack(),
but the rate limiter suppresses the sending, free the mbuf chain.
The caller of tcp_send_challenge_ack() expects this similar to the
callers of tcp_respond().
Approved by: so
Security: FreeBSD-SA-26:06.tcp
Security: CVE-2026-4247
Reviewed by: lstewart
Tested by: lstewart
Sponsored by: Netflix, Inc.
(cherry picked from commit 6b2d6ccad2552e46a5c9c3ba70b2d0ed27c70ca8)
[lldb/test] Remove stale Windows expectedFailure decorators (NFC)
The @expectedFailureAll decorators for Windows (llvm.org/pr24778) are no
longer needed on test_circular_dependency_handle_command_in_init and
test_provider_receives_parent_frames.
Signed-off-by: Med Ismail Bennani <ismail at bennani.ma>
[libunwind][Apple] Improve test coverage on Apple platforms (#186423)
Introduces a macro abstraction around capturing the bounds of a
function, which many platforms handle subtly differently (Mach-O, and
ELF, for example).
Also introduce an arm64[^-]* -> aarch64 available feature, to enable
more tests that would otherwise be excluded on Apple platforms, whose
target triples tend to take the form e.g. 'arm64-apple-macosx', rather
than 'aarch64-apple-macosx'.
Third, we implement the has-sme check using the appropriate sysctl, as
getauxval is not available on Darwin platforms.
rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()
svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough. Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.
Add a runtime check which verifies that the copy won't overflow.
Approved by: so
Security: FreeBSD-SA-26:08.rpcsec_gss
Security: CVE-2026-4747
Reported by: Nicholas Carlini <npc at anthropic.com>
Reviewed by: rmacklem
Fixes: a9148abd9da5d
tcp: plug an mbuf leak
When a challenge ACK should be sent via tcp_send_challenge_ack(),
but the rate limiter suppresses the sending, free the mbuf chain.
The caller of tcp_send_challenge_ack() expects this similar to the
callers of tcp_respond().
Approved by: so
Security: FreeBSD-SA-26:06.tcp
Security: CVE-2026-4247
Reviewed by: lstewart
Tested by: lstewart
Sponsored by: Netflix, Inc.
[mlir][CAPI] Fix unused-but-set-variable warning in smt.c (NFC) (#188473)
llvm-project/mlir/test/CAPI/smt.c:37:21: warning: variable 'result' set
but not used [-Wunused-but-set-variable]
37 | MlirLogicalResult result = mlirTranslateModuleToSMTLIB(
| ^
1 warning generated.
[SSAF][PointerAssignments] Add PointerAssignments summary and extractor
Implement PointerAssignments summary and extractor, which uses
EntityPointerLevel. An assignment is extracted as a pair of
EntityPointerLevels. Extracted assignments form a directed graph
encoding abstracted pointer flow information.
rdar://172429193
[SSAF][UnsafeBufferUsage] Implement AST visitor that respects the constribution model and refactor
Previously, the UnsafeBufferUsage Extractor relied on the
`-Wunsafe-buffer-usage` API to traverse ASTs. The traversal did not
fully respect the contribution model of SSAF---RecordDecls inside
functions were not treated as contributors. Their fields were counted
as contributions of the enclosing function.
This commit adds an AST visitor that respects the contribution model
and will be shared by SSAF analyses. The UnsafeBufferUsage Extractor
still relies on `-Wunsafe-buffer-usage` to provide the unsafe pointer
matching function.
In addition, this commit
- Factors common code in analyses to 'lib/ScalableStaticAnalysisFramework/Analyses/SSAFAnalysesCommon.h'.
- Registers the UnsafeBufferUsage extractor.
- Removes 'UnsafeBufferUsageExtractor.h' since it is useless except
for the unit test. The unit test now directly uses proxy functions
defined in 'UnsafeBufferUsageExtractor.cpp'.
[ssaf][UnsafeBufferUsage] Add support for extracting unsafe pointers from all kinds of contributors (#184899)
- Generalize the `-Wunsafe-buffer-usage` API for finding unsafe pointers
in all kinds of `Decl`s
- Add support in SSAF-based UnsafeBufferUsage analysis for extracting
from various contributors
- Mock implementation of HandleTranslationUnit
rdar://171735836
This is a follow-up PR to
https://github.com/llvm/llvm-project/pull/182941
[SSAF][PointerAssignments] Add PointerAssignments summary and extractor
Implement PointerAssignments summary and extractor, which uses
EntityPointerLevel. An assignment is extracted as a pair of
EntityPointerLevels. Extracted assignments form a directed graph
encoding abstracted pointer flow information.
rdar://172429193
add dev_vdisk devices to DEVICE_GROUP on BACKUP
Without this, set_node_optimized fires bind_alua only for the dev_disk
passthrough devices in the DEVICE_GROUP, bypassing the dev_vdisk devices
entirely.
