Add UPDATING entries and bump version.
Approved by: so
ssh: Bump VersionAddendum for CVE fixes
Security: FreeBSD-SA-25:05.openssh
Approved by: so
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 62df41ae0a71e77ccb1e8fae06d82eec5dff441a)
(cherry picked from commit 24ce323f020fb1ee1b463e524a7a6c15f47ec2a4)
ssh: Fix cases where error codes were not correctly set
Obtained from: OpenSSH 38df39ecf278
Security: CVE-2025-26465
Security: FreeBSD-SA-25:05.openssh
Approved by: so
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 170059d6d33cf4e890067097f3c0beb3061cabbd)
(cherry picked from commit 4ad8c195cf54411e3b3fa0bec227eb83ca078404)
ssh: Don't reply to PING in preauth phase or during KEX
Obtained from: OpenSSH 5e07dee272c3
Security: CVE-2025-26466
Security: FreeBSD-SA-25:05.openssh
Approved by: so
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 8a16d0831e70530b2fbd682e748bd051de35f192)
(cherry picked from commit 34798cb576bbd2064ab8da372112482bf8e2a7e6)
Add UPDATING entries and bump version
Approved by: so
etcupdate: Restrict access to the conflicts directory
In the window during conflict resolution, copies of installed files with
conflicts are added here with the default mode. Restrict access.
Approved by: so
Security: FreeBSD-SA-25:03.etcupdate
PR: 277470
Reviewed by: philip, jhb, emaste
Differential Revision: https://reviews.freebsd.org/D48576
(cherry picked from commit c43ae7ab4bf89c2b274c1cbefe663c456e9211d1)
(cherry picked from commit 93836ff92be84a1d4e7611577ffe116a0e30d008)
OpenSSH: correct logic error in ObscureKeystrokeTiming
Cherry-pick fix:
upstream: when sending ObscureKeystrokeTiming chaff packets, we
can't rely on channel_did_enqueue to tell that there is data to send. This
flag indicates that the channels code enqueued a packet on _this_ ppoll()
iteration, not that data was enqueued in _any_ ppoll() iteration in the
timeslice. ok markus@
OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136
Approved by: so
Security: FreeBSD-SA-25:01.openssh
Obtained from: openssh-portable 146c420d29d0
Reviewed by: gordon
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45823
(cherry picked from commit b81424adf7181d816c10b1345aaa3305ab0ec304)
(cherry picked from commit bf9a275b24f6655616cc691555fe1a36ed5e4338)
contrib/tzdata: import tzdata 2025a
Changes: https://github.com/eggert/tz/blob/2025a/NEWS
Approved by: so
Security: FreeBSD-EN-25:03.tzdata
(cherry picked from commit 46226b0162ba03986b1de2c790804b37dd8e64d6)
(cherry picked from commit a158d26e89f2e3274ba1064e3fd6b341c6fcb07c)
contrib/tzdata: import tzdata 2024b
Changes: https://github.com/eggert/tz/blob/2024b/NEWS
Approved by: so
Security: FreeBSD-EN-25:03.tzdata
(cherry picked from commit e273650f2c538034b45f78e670a89cbf333ab6db)
(cherry picked from commit 7eb0b02bc4eddee6c916ab6a01ec92e0b9dc867e)
tarfs: Fix the size of struct tarfs_fid and add a static assert
File system specific *fid structures are copied into the generic
struct fid defined in sys/mount.h.
As such, they cannot be larger than struct fid.
This patch packs the structure and checks via a __Static_assert().
Approved by: so
Security: FreeBSD-SA-25:02.fs
Reviewed by: markj
MFC after: 2 weeks
(cherry picked from commit 4db1b113b15158c7d134df83e7a7201cf46d459b)
(cherry picked from commit 155987e2019089a5bd2eef77ed7bcc5cc26c362e)
ext2fs: Fix the size of struct ufid and add a static assert
File system specific *fid structures are copied into the generic
struct fid defined in sys/mount.h.
As such, they cannot be larger than struct fid.
This patch packs the structure and checks via a __Static_assert().
Approved by: so
Security: FreeBSD-SA-25:02.fs
Reviewed by: markj
MFC after: 2 weeks
(cherry picked from commit bfc8e3308bee23d0f7836d57f32ed8d47da02627)
(cherry picked from commit 7a3a0402aeb626a7379addd344cbfd8900e83baa)
cd9660: Make sure that struct ifid fits in generic filehandle structure
File system specific *fid structures are copied into the generic
struct fid defined in sys/mount.h.
As such, they cannot be larger than struct fid.
This patch packs the structure and checks via a __Static_assert().
Approved by: so
Security: FreeBSD-SA-25:02.fs
Reported by: Kevin Miller <mas at 0x194.net>
Reviewed by: olce, imp, kib, emaste
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D47879
(cherry picked from commit 205659c43d87bd42c4a0819fde8f81e8ebba068e)
(cherry picked from commit 54974e731f279941ef7aebd7d30ba2e9299a4056)
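The three file-handle commits above share one point: a file-system-specific handle is copied into the generic struct fid, so it must never be larger than that container. The following C program is an added illustration of that pattern and is not code from the FreeBSD tree. Its struct fid is an assumed stand-in for the one in sys/mount.h, demo_fid is a hypothetical file-system handle, and fid_export/demo_roundtrip/demo_fid_slack are hypothetical helpers; without the packed attribute the uint64_t member pads demo_fid to 24 bytes and the _Static_assert refuses to build.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed stand-in for the generic file handle (the real one is in
 * sys/mount.h); all that matters here is that it has a fixed size. */
#define MAXFIDSZ 16
struct fid {
	uint16_t fid_len;
	uint16_t fid_data0;
	char     fid_data[MAXFIDSZ];	/* sizeof(struct fid) == 20 */
};

/* Hypothetical file-system-specific handle. Unpacked, the uint64_t
 * forces 8-byte alignment and the struct grows to 24 bytes, which no
 * longer fits in struct fid; packed it is 16 bytes. */
struct __attribute__((packed)) demo_fid {
	uint16_t dfid_len;
	uint16_t dfid_data0;
	uint64_t dfid_ino;	/* inode number or archive offset */
	uint32_t dfid_gen;	/* generation number */
};

/* The compile-time check the commits describe: the build fails rather
 * than silently copying past the end of struct fid. */
_Static_assert(sizeof(struct demo_fid) <= sizeof(struct fid),
    "demo_fid must not be larger than struct fid");

/* Runtime counterpart for handles of variable length: copy a handle
 * into the generic container, refusing one that would overrun it.
 * Returns 0 on success, -1 if the handle is too large. */
int
fid_export(const void *fsfid, size_t fslen, struct fid *out)
{
	if (fslen > sizeof(*out))
		return (-1);
	memset(out, 0, sizeof(*out));
	memcpy(out, fsfid, fslen);
	return (0);
}

/* Spare bytes struct fid has left after holding a demo_fid. */
size_t
demo_fid_slack(void)
{
	return (sizeof(struct fid) - sizeof(struct demo_fid));
}

/* Round-trip a constructed demo_fid through struct fid; 1 if intact. */
int
demo_roundtrip(void)
{
	struct demo_fid d = { sizeof(struct demo_fid), 0, 1234, 7 }, back;
	struct fid generic;

	if (fid_export(&d, sizeof(d), &generic) != 0)
		return (0);
	memcpy(&back, &generic, sizeof(back));
	return (back.dfid_ino == 1234 && back.dfid_gen == 7);
}

/* A constructed 32-byte handle must be rejected; 1 if it is. */
int
demo_oversized_rejected(void)
{
	char oversized[32] = { 0 };
	struct fid generic;

	return (fid_export(oversized, sizeof(oversized), &generic) == -1);
}

int
main(void)
{
	printf("demo_fid %zu bytes, fid %zu bytes, slack %zu\n",
	    sizeof(struct demo_fid), sizeof(struct fid), demo_fid_slack());
	printf("round trip ok: %d\n", demo_roundtrip());
	printf("oversized rejected: %d\n", demo_oversized_rejected());
	return (0);
}
```

Removing the packed attribute is the quickest way to see the static assert do its job: the struct becomes 24 bytes and the file no longer compiles.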
audit: Fix short-circuiting in syscallenter()
syscallenter() has a slow path to handle syscall auditing and dtrace
syscall tracing. It uses AUDIT_SYSCALL_ENTER() to check whether to take
the slow path, but this macro also has side effects: it writes the audit
log entry. When systrace (dtrace syscall tracing) is enabled, this
would get short-circuited, and we end up not writing audit log entries.
Introduce a pure macro to check whether auditing is enabled, and use it in
syscallenter() instead of AUDIT_SYSCALL_ENTER().
Approved by: so
Security: FreeBSD-EN-25:02.audit
Reviewed by: kib
Reported by: Joe Duin <jd at firexfly.com>
Fixes: 2f7292437d0c ("Merge audit and systrace checks")
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48448
[3 lines not shown]
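The audit commit above is a textbook case of a side-effecting macro used as an operand of ||. The C program below is an added model of that bug and its fix, not the kernel's code: demo_systrace_enabled, demo_audit_enabled, DEMO_AUDIT_SYSCALL_ENTER(), DEMO_AUDIT_ENABLED() and demo_run are all hypothetical stand-ins, and the operand order in the condition is assumed from the commit's description.

```c
#include <stdio.h>

/* Hypothetical knobs standing in for the kernel's systrace and audit
 * enable state; not the real variables. */
static int demo_systrace_enabled;
static int demo_audit_enabled;
static int demo_audit_entries;	/* audit records written so far */

/* Model of AUDIT_SYSCALL_ENTER() as the commit describes it: it reports
 * whether auditing applies AND writes the record as a side effect. */
static int
demo_audit_syscall_enter(void)
{
	if (!demo_audit_enabled)
		return (0);
	demo_audit_entries++;
	return (1);
}
#define DEMO_AUDIT_SYSCALL_ENTER()	demo_audit_syscall_enter()

/* The fix's pure predicate: no side effects, safe inside a condition. */
#define DEMO_AUDIT_ENABLED()		(demo_audit_enabled != 0)

/* Before: the side-effecting macro is the right operand of ||, so as
 * soon as systrace is on it is never evaluated and no record is written. */
static void
demo_syscallenter_buggy(void)
{
	if (demo_systrace_enabled || DEMO_AUDIT_SYSCALL_ENTER()) {
		/* slow path: dtrace probes and friends would run here */
	}
}

/* After: choose the path with the pure check, then perform the audit
 * write inside the slow path where it cannot be short-circuited away. */
static void
demo_syscallenter_fixed(void)
{
	if (demo_systrace_enabled || DEMO_AUDIT_ENABLED()) {
		if (DEMO_AUDIT_ENABLED())
			DEMO_AUDIT_SYSCALL_ENTER();
		/* slow path continues */
	}
}

/* Run n syscalls under a configuration; returns audit records written. */
int
demo_run(int systrace, int audit, int fixed, int n)
{
	int i;

	demo_systrace_enabled = systrace;
	demo_audit_enabled = audit;
	demo_audit_entries = 0;
	for (i = 0; i < n; i++) {
		if (fixed)
			demo_syscallenter_fixed();
		else
			demo_syscallenter_buggy();
	}
	return (demo_audit_entries);
}

int
main(void)
{
	printf("audit only, buggy:       %d records\n", demo_run(0, 1, 0, 5));
	printf("audit + systrace, buggy: %d records\n", demo_run(1, 1, 0, 5));
	printf("audit + systrace, fixed: %d records\n", demo_run(1, 1, 1, 5));
	return (0);
}
```

The middle line is the silent failure the erratum addresses: auditing is configured, five syscalls run, and zero records are written.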
svc.c: Check for a non-NULL xp_socket
Commit a16ff32f04b5 added support to the kernel RPC to set
TCP_USE_DDP.
However, for the unusual case of an NFSv4.1/4.2 non-NULL callback,
the xp_socket field of SVCXPRT is NULL, since it uses the same
socket as the client->server connection.
This patch adds the check for this to avoid crashes.
This only affects NFSv4.1/4.2 mounts where either pNFS or
delegations are in use.
Approved by: so
Security: FreeBSD-EN-25:01.rpc
(cherry picked from commit 6c9170e0afc4ebec81ba88a6370ebf6cb55520ba)
(cherry picked from commit 4c136aad80e6da1c9aa99de863642fe64a54f9a8)
Add UPDATING entries and bump revision
EN-24:17.pam_xdg
SA-24:17.bhyve
SA-24:18.ctl
SA-24:19.fetch
Approved by: so
pam_xdg: Fix user xdg runtime directory's descriptor leak
Approved by: emaste (mentor)
Fixes: 6e69612d5df1 ("pam: Add pam_xdg module")
MFC after: 3 days
Security: FreeBSD-EN-17.pam_xdg
Approved by: so
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 06986e899972ac3a127ab2ab46196672d0e1e5b2)
(cherry picked from commit 9e8d504bb5a1e7ede55814069e213d4702172b81)
fetch: correct env var name for --crl option to work
Reviewed by: grembo
MFC after: 3 days
Security: FreeBSD-SA-24:19.fetch
Approved by: so
Differential Revision: https://reviews.freebsd.org/D46973
(cherry picked from commit 1d7a33888e09f86feb4c2c9f9640d936be07ce9d)
(cherry picked from commit 51676e0a3bd38ab6deae27f72fb6fb6dd648825f)
ctl: limit memory allocation in pci_virtio_scsi
The virtio_scsi device allows a VM guest to directly send SCSI commands
(ctsio->cdb array) to the kernel driver exposed on /dev/cam/ctl
(ctl.ko).
All kernel commands accessible from the guest are defined by
ctl_cmd_table.
The command ctl_persistent_reserve_out (cdb[0]=0x5F and cdb[1]=0) allows
the caller to call malloc() with an arbitrary size (uint32_t). This can
be used by the guest to overload the kernel memory (DoS attack).
Reported by: Synacktiv
Reviewed by: asomers
Security: HYP-08
Security: FreeBSD-SA-24:18.ctl
Approved by: so
Sponsored by: The Alpha-Omega Project
[5 lines not shown]
bhyve/nvme: Fix infinite loop in queue processing
In the functions pci_nvme_handle_admin_cmd and pci_nvme_handle_io_cmd
infinite loops are possible in the bhyve process if the sq->tail value
is greater than sq->size.
An attacker could overload the host CPU.
Fix is to validate that doorbell values:
- Are for a valid (i.e., created) queue
- Are not the same as the previous value
- Fit within the available capacity
The emulation will generate an Asynchronous Event Notification (Invalid
Doorbell or Invalid Doorbell Value) if enabled and ignore the doorbell
update.
While in the neighborhood, remove a redundant bounds check.
[11 lines not shown]
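The three doorbell checks listed in the NVMe commit above are easy to model on a small ring. The C program below is an added example, not bhyve's pci_nvme.c: demo_sq, demo_sq_doorbell, demo_sq_process and the two scenario helpers are hypothetical, and the capacity rule (a ring of N slots holds at most N-1 outstanding entries) is the standard NVMe queue convention rather than something quoted from the commit.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical submission-queue state; not bhyve's structure. */
struct demo_sq {
	bool     created;
	uint32_t size;	/* number of slots in the ring */
	uint32_t head;	/* next slot the emulator consumes */
	uint32_t tail;	/* last doorbell value accepted from the guest */
};

enum demo_db_result {
	DEMO_DB_OK,
	DEMO_DB_INVALID_QUEUE,	/* doorbell for a queue that was never created */
	DEMO_DB_INVALID_VALUE	/* repeated, out-of-range, or overfilling value */
};

/* Apply a guest doorbell write using the three checks the commit lists.
 * On rejection the tail is left unchanged, so the caller can simply
 * ignore the update (and, in a real device model, raise the async event). */
enum demo_db_result
demo_sq_doorbell(struct demo_sq *sq, uint32_t new_tail)
{
	uint32_t queued, posted, free_slots;

	/* 1. must be a valid (created) queue */
	if (!sq->created || sq->size == 0)
		return (DEMO_DB_INVALID_QUEUE);
	/* 2. must not repeat the previous value */
	if (new_tail == sq->tail)
		return (DEMO_DB_INVALID_VALUE);
	/* 3a. index must lie inside the ring; this is what guarantees the
	 *     consumer loop below terminates */
	if (new_tail >= sq->size)
		return (DEMO_DB_INVALID_VALUE);
	/* 3b. the newly posted entries must fit in the free capacity */
	queued = (sq->tail + sq->size - sq->head) % sq->size;
	free_slots = sq->size - 1 - queued;
	posted = (new_tail + sq->size - sq->tail) % sq->size;
	if (posted > free_slots)
		return (DEMO_DB_INVALID_VALUE);

	sq->tail = new_tail;
	return (DEMO_DB_OK);
}

/* Consume entries until head catches up with tail. Every accepted tail
 * is < size and head wraps modulo size, so this always terminates; with
 * an unchecked tail >= size, head would never equal it and the loop
 * would spin forever, which is the host CPU exhaustion the commit fixes. */
uint32_t
demo_sq_process(struct demo_sq *sq)
{
	uint32_t n = 0;

	while (sq->head != sq->tail) {
		sq->head = (sq->head + 1) % sq->size;
		n++;
	}
	return (n);
}

/* Constructed scenario on a 4-slot ring: doorbells 2, 3, then 1 (which
 * wraps) are all valid and yield 2 + 1 + 2 = 5 consumed entries. */
uint32_t
demo_accepted_entries(void)
{
	struct demo_sq sq = { true, 4, 0, 0 };
	uint32_t total = 0;

	if (demo_sq_doorbell(&sq, 2) == DEMO_DB_OK) total += demo_sq_process(&sq);
	if (demo_sq_doorbell(&sq, 3) == DEMO_DB_OK) total += demo_sq_process(&sq);
	if (demo_sq_doorbell(&sq, 1) == DEMO_DB_OK) total += demo_sq_process(&sq);
	return (total);
}

/* Constructed scenario counting rejections: uncreated queue, repeated
 * value, tail >= size, and a write that would overrun the free capacity. */
int
demo_rejected_doorbells(void)
{
	struct demo_sq uncreated = { false, 4, 0, 0 };
	struct demo_sq sq = { true, 4, 0, 0 };
	int rejected = 0;

	rejected += demo_sq_doorbell(&uncreated, 1) == DEMO_DB_INVALID_QUEUE;
	rejected += demo_sq_doorbell(&sq, 0) == DEMO_DB_INVALID_VALUE;	/* same as before */
	rejected += demo_sq_doorbell(&sq, 4) == DEMO_DB_INVALID_VALUE;	/* outside ring */
	demo_sq_doorbell(&sq, 3);	/* post 3 entries: the ring is now full */
	rejected += demo_sq_doorbell(&sq, 0) == DEMO_DB_INVALID_VALUE;	/* would pass head */
	return (rejected);
}

int
main(void)
{
	printf("entries consumed: %u\n", demo_accepted_entries());
	printf("doorbells rejected: %d\n", demo_rejected_doorbells());
	return (0);
}
```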
bhyve: improve bounds checks in hda_codec
The function hda_codec_command is vulnerable to buffer over-read, the
payload value is extracted from the command and used as an array index
without any validation.
Fortunately, the payload value is capped at 255, so the information
disclosure is limited and only a small part of the .rodata of the bhyve binary
can be disclosed.
The risk is low because the leaked information is not sensitive. An
attacker may be able to validate the version of the bhyve binary using
this information disclosure (layout of .rodata information, ex:
jmp_tables) before executing an exploit.
Reported by: Synacktiv
Reviewed by: christos, emaste
Security: HYP-13
Security: FreeBSD-SA-24:17.bhyve
Approved by: so
[6 lines not shown]
bhyve: validate corb->wp to avoid infinite loop
Guests must set HDAC_CORBWP less than corb->size. Treat invalid values
as an error rather than entering an infinite loop.
Reported by: Synacktiv
Reviewed by: markj
Security: HYP-12
Security: FreeBSD-SA-24:17.bhyve
Approved by: so
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46134
(cherry picked from commit a305f44d1404fbf386bb2b50ab7233ce9eabe0bb)
(cherry picked from commit 6a645bb3535cb73b1f20db652c9e3893f26a986e)
bhyve: avoid TOCTOU on iov_len in virtio_vq_recordon()
Avoid a race condition when accessing guest memory, by reading memory
contents only once.
This has also been applied to _vq_record() in
sys/dev/beri/virtio/virtio.c, as per markj@'s suggestion.
Reported by: Synacktiv
Reviewed by: markj
Security: HYP-10
Security: FreeBSD-SA-24:17.bhyve
Approved by: so
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45735
(cherry picked from commit 869d760cb9d7a307faa2fbe8c1c2b238a81b74d4)
(cherry picked from commit ed03c309908687bdb9f71dc6d9c9c8a92c54fc20)
bhyve/nvme: Fix out-of-bounds read in NVMe log page
The function nvme_opc_get_log_page in the file usr.sbin/bhyve/pci_nvme.c
is vulnerable to buffer over-read. The value logoff is user controlled
but never checked against the value of logsize. Thus the difference:
logsize - logoff
can underflow.
Due to the sc structure layout, an attacker can dump internal fields of
sc and the content of next heap allocation.
Reported by: Synacktiv
Reviewed by: emaste, jhb
Security: HYP-07
Security: FreeBSD-SA-24:17.bhyve
Approved by: so
Sponsored by: Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46021
[3 lines not shown]
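The unsigned subtraction in the log-page commit above (logsize - logoff) is worth seeing in numbers. The C program below is an added example and not bhyve's nvme_opc_get_log_page: demo_log is a constructed 64-byte page, demo_logpage_len_unchecked reproduces the unchecked arithmetic (it only computes the length and never copies, so the demo itself stays in bounds), and demo_logpage_copy is a hypothetical hardened version that rejects the offset before subtracting.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define DEMO_LOGSIZE 64

/* Constructed 64-byte log page; in the real bug the bytes after it are
 * other fields of sc and the next heap allocation. */
static uint8_t demo_log[DEMO_LOGSIZE];
static uint8_t demo_dst[DEMO_LOGSIZE];

/* Vulnerable pattern: the available length is computed as
 * logsize - logoff with no check that logoff <= logsize. Returns the
 * byte count a copy would use (no copy is performed). */
uint32_t
demo_logpage_len_unchecked(uint32_t logsize, uint32_t logoff, uint32_t want)
{
	uint32_t avail = logsize - logoff;	/* wraps to ~4 GiB when logoff > logsize */

	return (want < avail ? want : avail);
}

/* Hardened: refuse any offset at or past the end of the page, and only
 * then clamp the request to what remains. Returns bytes copied into
 * demo_dst, or -1 when the guest-supplied offset is out of range. */
int
demo_logpage_copy(uint32_t logoff, uint32_t want)
{
	uint32_t avail;

	if (logoff >= DEMO_LOGSIZE)
		return (-1);
	avail = DEMO_LOGSIZE - logoff;	/* cannot underflow after the check */
	if (want > avail)
		want = avail;
	memcpy(demo_dst, demo_log + logoff, want);
	return ((int)want);
}

/* Sum of the bytes last copied, so a caller can verify the right region
 * of the constructed page was read. */
uint32_t
demo_dst_sum(int n)
{
	uint32_t s = 0;
	int i;

	for (i = 0; i < n; i++)
		s += demo_dst[i];
	return (s);
}

int
main(void)
{
	uint32_t i;

	for (i = 0; i < DEMO_LOGSIZE; i++)
		demo_log[i] = (uint8_t)i;	/* byte value == offset */

	printf("unchecked, logoff 70 of 64, want 4096: %u bytes\n",
	    demo_logpage_len_unchecked(DEMO_LOGSIZE, 70, 4096));
	printf("hardened,  logoff 70 of 64, want 4096: %d\n",
	    demo_logpage_copy(70, 4096));
	printf("hardened,  logoff 60 of 64, want 16:   %d bytes\n",
	    demo_logpage_copy(60, 16));
	return (0);
}
```

With logoff 70 the unchecked computation happily reports 4096 bytes available from an offset that is already past the end of the page; the hardened version returns -1 before any arithmetic takes place, and for an in-range offset it clamps to the 4 bytes actually left.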
Add UPDATING entries and bump revision.
Approved by: so
libnv: correct the calculation of the structure's size
Reported by: Milosz Kaniewski <milosz.kaniewski at gmail.com>
Approved by: so
Security: FreeBSD-SA-24:16.libnv
Security: CVE-2024-45287
(cherry picked from commit 7f4731ab67f1d3345aee6626eb83cc5ce00010f0)
(cherry picked from commit 056c50c48be3e3828ef740d2fcce988a545e52aa)
bhyve: improve input validation in pci_xhci
Several functions did not validate the slot index resulting in OOB read
on the heap of the slot device structure which could lead to arbitrary
reads/writes and potentially code execution.
Reported by: Synacktiv
Reviewed by: markj (earlier), jhb
Approved by: so
Security: FreeBSD-SA-24:15.bhyve
Security: CVE-2024-41721
Security: HYP-02
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45996
(cherry picked from commit e72d86ad9c62c8054d7977a71f08e68ef755c132)
(cherry picked from commit 419da61f8203ac475550ae4b0971dbef10f811f2)
pf: rework pf_icmp_state_lookup() failure mode
If pf_icmp_state_lookup() finds a state but rejects it for not matching the
expected direction we should unlock the state (and NULL out *state). This
simplifies life for callers, and also ensures there's no confusion about what a
non-NULL returned state means.
Previously it could have been left in there by the caller, resulting in callers
unlocking the same state twice.
Approved by: so
Security: FreeBSD-EN-24:16.pf
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 0578fe492284ded4745167060be794032e6e22f0)
(cherry picked from commit 38f74de7184ac3ad7acc48055551aaa9ec9cded9)
pf: be less strict about icmp state checking for sloppy state tracking
Sloppy state tracking renders ICMP direction check useless
and harmful as we might see only half of the connection in
the asymmetric setups but ignore the state match. The bug
was reported and the fix was verified by Insan Praja <insan ()
ims-solusi ! com>. Thanks! OK mcbride, henning
Approved by: so
Security: FreeBSD-EN-24:16.pf
MFC after: 1 week
Obtained from: OpenBSD, mikeb <mikeb at openbsd.org>, 538596657140
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 3da3eb6081a2e2f6ea2fed1728d5dd7f9e8786e5)
(cherry picked from commit b822e3fab468ffbe941d0758d960e1aa46069a38)
pf: try to lookup the icmp state based on a correct packet descriptor
Approved by: so
Security: FreeBSD-EN-24:16.pf
MFC after: 1 week
Obtained from: OpenBSD, mikeb <mikeb at openbsd.org>, e467ea25dcd3
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit b8cd169efa6ac0899b4998898129765ae5c685a6)
(cherry picked from commit f40b0e735177b25ce67fb488a93834168f4c16e1)
pf: improve the ICMPv6 direction check
Following bluhm's advice this changes the way we set up state keys and
perform state lookups for ICMPv6 Neighbor Discovery packets:
- replace the NS-dst with ND target address;
- replace the NA-src with ND target address;
- replace the NA-dst with unspecified address if it is a multicast.
This allows pf to match Address Resolution, Neighbor Unreachability
Detection and Duplicate Address Detection packets to the corresponding
states without the need to create new ones or match unrelated ones.
As a side effect we're doing now one state table lookup for ND packets
instead of two.
Fixes a bug uncovered by one of the previous commits that virtually
breaks IPv6 connectivity after a few minutes of use.
ok stsp henning, with and ok bluhm
[9 lines not shown]