openssl: Fix multiple vulnerabilities
This is a rollup commit from upstream to fix:
Heap out-of-bounds write in BIO_f_linebuffer on short writes (CVE-2025-68160)
Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (CVE-2025-69418)
Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (CVE-2025-69419)
Missing ASN1_TYPE validation in TS_RESP_verify_response() function (CVE-2025-69420)
NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (CVE-2025-69421)
Missing ASN1_TYPE validation in PKCS#12 parsing (CVE-2026-22795)
ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (CVE-2026-22796)
See https://openssl-library.org/news/secadv/ for additional details.
Approved by: so
Obtained from: OpenSSL
Security: FreeBSD-SA-26:01.openssl
Security: CVE-2025-68160
Security: CVE-2025-69418
Security: CVE-2025-69419
[4 lines not shown]
openssl: Fix multiple vulnerabilities
This is a rollup commit from upstream to fix:
Stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467)
Heap out-of-bounds write in BIO_f_linebuffer on short writes (CVE-2025-68160)
Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (CVE-2025-69418)
Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (CVE-2025-69419)
Missing ASN1_TYPE validation in TS_RESP_verify_response() function (CVE-2025-69420)
NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (CVE-2025-69421)
Missing ASN1_TYPE validation in PKCS#12 parsing (CVE-2026-22795)
ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (CVE-2026-22796)
See https://openssl-library.org/news/secadv/ for additional details.
Approved by: so
Obtained from: OpenSSL
Security: FreeBSD-SA-26:01.openssl
Security: CVE-2025-15467
Security: CVE-2025-68160
[6 lines not shown]
openssl: Fix multiple vulnerabilities
This is a rollup commit from upstream to fix:
Improper validation of PBMAC1 parameters in PKCS#12 MAC verification (CVE-2025-11187)
Stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467)
NULL dereference in SSL_CIPHER_find() function on unknown cipher ID (CVE-2025-15468)
"openssl dgst" one-shot codepath silently truncates inputs >16MB (CVE-2025-15469)
TLS 1.3 CompressedCertificate excessive memory allocation (CVE-2025-66199)
Heap out-of-bounds write in BIO_f_linebuffer on short writes (CVE-2025-68160)
Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (CVE-2025-69418)
Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (CVE-2025-69419)
Missing ASN1_TYPE validation in TS_RESP_verify_response() function (CVE-2025-69420)
NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (CVE-2025-69421)
Missing ASN1_TYPE validation in PKCS#12 parsing (CVE-2026-22795)
ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (CVE-2026-22796)
See https://openssl-library.org/news/secadv/ for additional details.
Approved by: so
[14 lines not shown]
openssl: Fix multiple vulnerabilities
This is a rollup commit from upstream to fix:
Improper validation of PBMAC1 parameters in PKCS#12 MAC verification (CVE-2025-11187)
Stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467)
NULL dereference in SSL_CIPHER_find() function on unknown cipher ID (CVE-2025-15468)
"openssl dgst" one-shot codepath silently truncates inputs >16MB (CVE-2025-15469)
TLS 1.3 CompressedCertificate excessive memory allocation (CVE-2025-66199)
Heap out-of-bounds write in BIO_f_linebuffer on short writes (CVE-2025-68160)
Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (CVE-2025-69418)
Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (CVE-2025-69419)
Missing ASN1_TYPE validation in TS_RESP_verify_response() function (CVE-2025-69420)
NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (CVE-2025-69421)
Missing ASN1_TYPE validation in PKCS#12 parsing (CVE-2026-22795)
ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (CVE-2026-22796)
See https://openssl-library.org/news/secadv/ for additional details.
Approved by: so
[14 lines not shown]
bluetooth: Don't use a non-string to initialize NG_HCI_BDADDR_ANY
Explicitly use an array of 6 zeroes instead of a C string containing
nul characters. GCC 15 warns about the truncation, but this is
cleaner regardless.
In file included from /usr/obj/.../amd64.amd64/tmp/usr/include/bluetooth.h:51,
from usr.sbin/virtual_oss/virtual_bt_speaker/bt_speaker.c:45:
usr.sbin/virtual_oss/virtual_bt_speaker/bt_speaker.c: In function 'register_sdp':
usr.sbin/virtual_oss/virtual_bt_speaker/bt_speaker.c:96:13: error: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (7 chars into 6 available) [-Werror=unterminated-string-initialization]
96 | NG_HCI_BDADDR_ANY, (const uint8_t *)&record, sizeof(record),
| ^~~~~~~~~~~~~~~~~
Reviewed by: dim
Differential Revision: https://reviews.freebsd.org/D54869
kyua: Workaround unclear warning from GCC
GCC 15 does not like a push_back() invocation in utils::find_core()
and incorrectly believes libc++ will free a non-heap pointer. Disable
the warning to pacify GCC.
In function 'void std::__1::__libcpp_operator_delete(_Args ...) [with _Args = {void*, long unsigned int}]',
inlined from 'void std::__1::__do_deallocate_handle_size(void*, size_t, _Args ...) [with _Args = {}]' at /usr/obj/.../amd64.amd64/tmp/usr/include/c++/v1/new:298:39,
inlined from 'void std::__1::__libcpp_deallocate(void*, size_t, size_t)' at /usr/obj/.../amd64.amd64/tmp/usr/include/c++/v1/new:311:39,
inlined from 'void std::__1::allocator<_Tp>::deallocate(_Tp*, size_t) [with _Tp = utils::fs::path]' at /usr/obj/.../amd64.amd64/tmp/usr/include/c++/v1/__memory/allocator.h:132:31,
inlined from 'static void std::__1::allocator_traits<_Alloc>::deallocate(allocator_type&, pointer, size_type) [with _Alloc = std::__1::allocator<utils::fs::path>]' at /usr/obj/.../amd64.amd64/tmp/usr/include/c++/v1/__memory/allocator_traits.h:314:19,
inlined from 'std::__1::__split_buffer<_Tp, _Allocator>::~__split_buffer() [with _Tp = utils::fs::path; _Allocator = std::__1::allocator<utils::fs::path>&]' at /usr/obj/.../amd64.amd64/tmp/usr/include/c++/v1/__split_buffer:365:31,
inlined from 'std::__1::vector<_Tp, _Alloc>::pointer std::__1::vector<_Tp, _Alloc>::__push_back_slow_path(_Up&&) [with _Up = utils::fs::path; _Tp = utils::fs::path; _Allocator = std::__1::allocator<utils::fs::path>]' at /usr/obj/.../amd64.amd64/tmp/usr/include/c++/v1/vector:1504:1,
inlined from 'void std::__1::vector<_Tp, _Alloc>::push_back(value_type&&) [with _Tp = utils::fs::path; _Allocator = std::__1::allocator<utils::fs::path>]' at /usr/obj/.../amd64.amd64/tmp/usr/include/c++/v1/vector:1526:34,
inlined from 'utils::optional<utils::fs::path> utils::find_core(const fs::path&, const process::status&, const fs::path&)' at contrib/kyua/utils/stacktrace.cpp:217:25:
/usr/obj/.../amd64.amd64/tmp/usr/include/c++/v1/new:274:38: error: 'void operator delete(void*, size_t)' called on pointer '<unknown>' with nonzero offset [24, 9223372036854775807] [-Werror=free-nonheap-object]
274 | __builtin_operator_delete(__args...);
| ^
In function 'void* std::__1::__libcpp_operator_new(_Args ...) [with _Args = {long unsigned int}]',
[13 lines not shown]
bsd.sys.mk: Silence a few GCC warnings for C++
These warnings were already marked with -Wno-error=, but they trigger
so many false positives in libc++ headers to be utterly useless for
C++ code, so disable them entirely for C++.
Reviewed by: imp, dim
Differential Revision: https://reviews.freebsd.org/D54867
netbsd-tests t_regex_att: Use __nonstring for a non-string constant
Fixes the following warning from GCC 15:
contrib/netbsd-tests/lib/libc/regex/t_regex_att.c:54:30: error: initializer-string for array of 'char' truncates NUL terminator but destination lacks 'nonstring' attribute (4 chars into 3 available) [-Werror=unterminated-string-initialization]
54 | static const char delim[3] = "\\\\\0";
| ^~~~~~~~
Reviewed by: ngie, imp, dim
Differential Revision: https://reviews.freebsd.org/D54866
Merge commit 81b20e110b3f from llvm git (by Roland McGrath):
[libc++] Work around new GCC 15 type_traits builtins that can't be
used as Clang's can (#137871)
GCC 15 has added builtins for various C++ type traits that Clang
already had. Since `__has_builtin(...)` now finds these, the #if
branches previously only used for Clang are now used for GCC 15.
However, GCC 15 requires that these builtins only be used in type
aliases, not in template aliases.
For now, just don't use the `__has_builtin(...)` branches under newer
GCC versions, so both 14 and 15 work during the transition. This
can be cleaned up later to use all the GCC 15 builtins available.
Fixed: #137704
Fixed: #117319
Reviewed by: dim
Differential Revision: https://reviews.freebsd.org/D54865
powerpc: Fix alignment of initial PCB on kstack
Commit cc81c44dd806737f98b4fd4094674dd71c8749f3 aimed to consolidate
duplicated code between the Book-E and AIM backends. For
cpu_thread_alloc cpu_thread_alloc and cpu_fork it used the AIM
functions which used a bogus alignment mask (~0x2f). The Book-E
functions used a proper alignment mask (~0x3f). The AIM functions
appear to have been busted since they were first imported in commit
919cb3362fded33aca682a6ac57777f8fff86e36.
To fix, use the Book-E mask which requests 64 byte alignment.
Probably this was harmless in practice since td_kstack is page aligned
and struct pcb is probably a multiple of 32 bytes in size, so the 0x10
bit should have been clear anyway.
Reviewed by: fuz, jhibbits
Fixes: cc81c44dd806 ("Unify ABI-related bits of the Book-E and AIM...")
Effort: CHERI upstreaming
Sponsored by: AFRL, DARPA
Differential Revision: https://reviews.freebsd.org/D54839
arm: Make init_proc0 static
This function is not used outside of machdep.c and is already static
on arm64 and riscv.
Reviewed by: imp
Effort: CHERI upstreaming
Sponsored by: AFRL, DARPA
Differential Revision: https://reviews.freebsd.org/D54838
ctld: Do not remove item from an nvlist while iterating it
While here, make use of cnvlist_* to simplify this code.
Fixes: d42a73fb6a85 ("ctld: Add a dedicated API between parse.y and the rest of the program")
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D49650
(cherry picked from commit 30020689fb1e5c9549e430bd23600c88e1257697)
ctld: Rename {ctld,isns}.h to {ctld,isns}.hh
Subsequent commits will use C++ in these headers rather than only C.
conf.h remains as a C-only header since it is intended for use by the
C code generated from parse.y.
Sponsored by: Chelsio Communications
Pull Request: https://github.com/freebsd/freebsd-src/pull/1794
(cherry picked from commit 34e8d66412cd81d020f0e75d078a4404ec39cf5a)
ctld: Remove dead code in UCL parsing of hex DSCP values
libucl treats strings starting with "0x" as an integer if they do
not contain invalid characters. The code also looks broken as it
only calls strtol if the string exactly matches "0x" without any
trailing characters.
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D49644
(cherry picked from commit 251439f1a06867a6baccb274c671b2169c9959fd)
ctld: Require a mask if / is specified in an initiator portal
If the / separator in a portal string is the last character in the
string, treat the portal as invalid.
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D49648
(cherry picked from commit 4449cf28a3152cf6e87a45176ae15ae250e543de)
ctld: Tighten parsing of IPv6 addresses for initiator-portal
If an address starts with a [ character, require that it ends with a ]
character. Also, if an address starts with a [ character, assume it
is an IPv6 address.
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D49647
(cherry picked from commit f3eb1514ce44aea5d288a74f34a0c6925ecd43ea)
ctld: Properly validate mutual user/secret for CHAP-MUTUAL in the UCL parser
The code was checking the non-mutual UCL objects twice instead.
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D49645
(cherry picked from commit bf41156712929460aaf968e9d38ddc3847f90f6a)
ctld: Drop commented-out code to print the configuration
This code is incomplete (it does not handle some of the options that
can be set) and easily rots since it is not enabled by default or
hooked up to anything that calls it.
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D49646
(cherry picked from commit 0708eb01f28040a50693f40833562ab14fbfe2ad)
ctld: Reduce code duplication in auth_check_secret_length
Only check a single secret length in the function and call it twice
for the CHAP-MUTUAL case.
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D49642
(cherry picked from commit 4214775235ebc01e0d22da5f09a2e4cff16bfa74)
ctld: Disable -Wshadow for GCC
GCC raises shadow warnings in C++ when a global function shadows a
structure type name (since it shadows the constructors for that type).
System headers are full of such cases (and some such as struct sigaction
vs sigaction() are mandated by POSIX), so just disable the warning.
For example:
In file included from usr.sbin/ctld/ctld.cc:33:
sys/sys/event.h:366:20: error: 'int kqueue()' hides constructor for 'struct kqueue' [-Werror=shadow]
366 | int kqueue(void);
| ^
sys/sys/event.h:371:43: error: 'int kevent(int, const kevent*, int, kevent*, int, const timespec*)' hides constructor for 'struct kevent' [-Werror=shadow]
371 | const struct timespec *timeout);
| ^
In file included from usr.sbin/ctld/ctld.cc:37:
sys/sys/stat.h:396:63: error: 'int stat(const char*, stat*)' hides constructor for 'struct stat' [-Werror=shadow]
396 | int stat(const char * __restrict, struct stat * __restrict);
[5 lines not shown]
ctld: Convert to C++
This is the minimal set of changes need to compile as C++ so git can
handle the rename correctly.
Reviewed by: asomers
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D49139
(cherry picked from commit 839d0755fea8ef761698b50fa5f293546ae832a8)
ctld: Permit targets to use a string for portal-groups in UCL
In the case that a separate auth-group is not required, this permits
replacing:
portal-group = { name = pg0 }
with:
portal-group = pg0
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D48938
(cherry picked from commit e49db000c4932753fb309ad895c02e98723023f3)
ctld: Support anonymous LUN entries in UCL
If a target LUN entry doesn't have a name property, assume it is an
anonymous LUN and parse other properties from the entry to define the
LUN.
This removes the odd support for target LUNs only named by an integer.
My guess is this was meant to implement support for anonymous LUNs
based on how the syntax for this works in the non-UCL case, but the
prior implementation was useless (it just created unconfigured LUNs).
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D48937
(cherry picked from commit b797cc839a12fc358e99635ca3adf3cf80e0825b)
ctld: Add missing properties to the UCL parser
- Support for "foreign", "offload", and "tag" properties in portal
group contexts.
- Support for "ctl-lun" and "device-type" properties in LUN contexts.
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D48936
(cherry picked from commit 67940b204f5829a72e7c47f92069fb06a7dad91f)
ctld: Fail UCL configurations with a nested error
Errors from auth groups, portal groups, global luns, and targets were
not propagated out of the main loop.
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D49071
(cherry picked from commit f3a43b3db881679d0b82b97f18871422050a5819)
