HardenedBSD/src 594bb78share/mk bsd.lib.mk, tools/tools/git git-arc.sh

Merge branch 'freebsd/current/main' into hardened/current/master
DeltaFile
+15-0share/mk/bsd.lib.mk
+2-2tools/tools/git/git-arc.sh
+1-1usr.sbin/pkg/FreeBSD.conf.quarterly-release
+1-1usr.sbin/mountd/exports.5
+19-44 files

HardenedBSD/src 90697edlibexec/rtld-elf rtld.c, libexec/rtld-elf/powerpc reloc.c

Merge branch 'freebsd/15-stable/main' into hardened/15-stable/main
DeltaFile
+25-7sys/vm/vm_page.c
+1-24libexec/rtld-elf/rtld.c
+24-0libexec/rtld-elf/powerpc64/reloc.c
+24-0libexec/rtld-elf/powerpc/reloc.c
+20-0sys/vm/vm_fault.c
+3-0sys/vm/vm_extern.h
+97-318 files not shown
+112-3214 files

HardenedBSD/src 6049f1btools/tools/git git-arc.sh

git-arc: Fix failure to call arc() function

As of b3e53f9fff11, git-arc attempted to call the internal shell
function, arc(), using env(1).  However, because env(1) does not call
shell functions, it actually attempted to run the arc utility.  This led
to errors:

    % git arc create -r xxx HEAD
    env: arc: No such file or directory
    git-arc: could not create Phabricator diff

This change removes the unnecessary use of env(1), so the arc() function
is correctly called.

Reviewed by:    markj
Fixes:          b3e53f9fff11 ("git-arc: Don't require devel/arcanist")
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D53972
DeltaFile
+1-1tools/tools/git/git-arc.sh
+1-11 files

HardenedBSD/src b903f27libexec/rtld-elf/powerpc reloc.c, libexec/rtld-elf/powerpc64 reloc.c

rtld: fix powerpc build

(cherry picked from commit 0628c252bd161ccdd1228a3b8aefeb471044ca04)
DeltaFile
+1-3libexec/rtld-elf/powerpc/reloc.c
+1-3libexec/rtld-elf/powerpc64/reloc.c
+2-62 files

HardenedBSD/src 452052esys/vm vm_page.c vm_extern.h

vm_page_free_prep(): convert PG_ZERO zeroed page check to use sf_buf

(cherry picked from commit b9fc7628dbb24b55cbb8791c83bd69f73cfadf23)
DeltaFile
+25-7sys/vm/vm_page.c
+3-0sys/vm/vm_extern.h
+28-72 files

HardenedBSD/src ff6a70elibexec/rtld-elf rtld.c, libexec/rtld-elf/aarch64 rtld_machdep.h

rtld-elf: move powerpc-specific auxv compat code into arch hook

(cherry picked from commit b2b3d2a962eb00005641546fbe672b95e5d0672a)
DeltaFile
+26-0libexec/rtld-elf/powerpc64/reloc.c
+26-0libexec/rtld-elf/powerpc/reloc.c
+1-24libexec/rtld-elf/rtld.c
+2-0libexec/rtld-elf/i386/rtld_machdep.h
+2-0libexec/rtld-elf/powerpc/rtld_machdep.h
+2-0libexec/rtld-elf/aarch64/rtld_machdep.h
+59-244 files not shown
+67-2410 files

HardenedBSD/src be9e4c0sys/vm vm_fault.c

vm_fault: add a verifier that the PG_ZERO page is indeed zeroed

(cherry picked from commit d8bfcacd12aba73188c44a157c707908e275825d)
DeltaFile
+20-0sys/vm/vm_fault.c
+20-01 files

HardenedBSD/src e92eaeecontrib/unbound/iterator iter_scrub.c

Mitigate YXDOMAIN and nodata non-referral answer poisoning.

Add a fix to apply scrubbing of unsolicited NS RRSets (and their
respective address records) for YXDOMAIN and nodata non-referral
answers. This prevents a malicious actor from exploiting a possible
cache poison attack.

Obtained from:  NLnet Labs
Security:       FreeBSD-SA-25:10.unbound
Security:       CVE-2025-11411

(cherry picked from commit 2a3a6a1771148a709c2d9694c1d66c41ce8dee79)
(cherry picked from commit cd40a23fb249bba461e38ca0c3d243a20a12eef4)
Signed-off-by: Shawn Webb <shawn.webb at hardenedbsd.org>
DeltaFile
+35-4contrib/unbound/iterator/iter_scrub.c
+35-41 files

HardenedBSD/src c49b927contrib/unbound configure aclocal.m4, contrib/unbound/testdata test_ldnsrr.c3

unbound: Vendor import 1.24.1

Release notes at
        https://nlnetlabs.nl/news/2025/Oct/22/unbound-1.24.1-released/

Security:       CVE-2025-11411

Merge commit '73dd92916f532cb3fe353220103babe576d30a15'

(cherry picked from commit 8b29c373e6ab530b62122ea2adcbe637c07e06c9)
(cherry picked from commit eeb41dca070f45f9ebb2b2831f81da65786ba820)
Signed-off-by: Shawn Webb <shawn.webb at hardenedbsd.org>
DeltaFile
+2,951-2,948contrib/unbound/configure
+2,600-2,592contrib/unbound/util/configlexer.c
+2,058-2,088contrib/unbound/util/configparser.c
+0-1,068contrib/unbound/testdata/test_ldnsrr.c3
+509-348contrib/unbound/aclocal.m4
+0-681contrib/unbound/testdata/stat_values.tdir/stat_values.test
+8,118-9,725136 files not shown
+8,317-25,092142 files

HardenedBSD/src fc68822contrib/unbound Makefile.in, contrib/unbound/doc unbound.conf.5.in unbound.conf.rst

unbound: Vendor import 1.24.0

Release notes at
        https://nlnetlabs.nl/news/2025/Sep/18/unbound-1.24.0-released/

MFC after:      1 week

Merge commit '0064eb9cf1c8d526e87d3149249445d4bc8d0248'

(cherry picked from commit b2efd602aea8b3cbc3fb215b9611946d04fceb10)
(cherry picked from commit fe7bb59bb014734f95af7c71f10825535a3a2a19)
Signed-off-by: Shawn Webb <shawn.webb at hardenedbsd.org>
DeltaFile
+5,033-2,546contrib/unbound/doc/unbound.conf.5.in
+4,997-0contrib/unbound/doc/unbound.conf.rst
+1,202-637contrib/unbound/doc/unbound-control.8.in
+816-564contrib/unbound/Makefile.in
+1,374-0contrib/unbound/doc/unbound-control.rst
+651-649contrib/unbound/util/configparser.c
+14,073-4,396117 files not shown
+22,822-5,775123 files

HardenedBSD/src 0c87d29usr.sbin/pkg FreeBSD.conf.quarterly-release

pkg: Move FreeBSD-base to pkg.freebsd.org

Rather than fetching packages directly from the CDN which currently
backs pkgbase.freebsd.org, requests will go to pkg.freebsd.org mirrors
and be 302ed to the correct servers.  This adds ~70 seconds to the
process of installing or upgrading a pkgbase system; it also orphans
systems with 15.0-{PRERELEASE,ALPHA*,BETA*} installed since they are
expecting to see pkgbase files signed with the pkg keys, not the new
pkgbase signing keys.

Reviewed by:    dch, philip
MFC after:      immediately (for 15.0-RELEASE)
With hat:       re
Requested by:   clusteradm, core
Differential Revision:  https://reviews.freebsd.org/D53964

(cherry picked from commit a3b0902d73901e7243103e60cf78c53cd7f566a1)
DeltaFile
+1-1usr.sbin/pkg/FreeBSD.conf.quarterly-release
+1-11 files

HardenedBSD/src a3b0902usr.sbin/pkg FreeBSD.conf.quarterly-release

pkg: Move FreeBSD-base to pkg.freebsd.org

Rather than fetching packages directly from the CDN which currently
backs pkgbase.freebsd.org, requests will go to pkg.freebsd.org mirrors
and be 302ed to the correct servers.  This adds ~70 seconds to the
process of installing or upgrading a pkgbase system; it also orphans
systems with 15.0-{PRERELEASE,ALPHA*,BETA*} installed since they are
expecting to see pkgbase files signed with the pkg keys, not the new
pkgbase signing keys.

Reviewed by:    dch, philip
MFC after:      immediately (for 15.0-RELEASE)
With hat:       re
Requested by:   clusteradm, core
Differential Revision:  https://reviews.freebsd.org/D53964
DeltaFile
+1-1usr.sbin/pkg/FreeBSD.conf.quarterly-release
+1-11 files

HardenedBSD/src 7521dc5usr.sbin/mountd exports.5

exports.5: Typo: "auomatically" => "automatically"

Fixes:          9d975e47d5a3 ("exports.5: Clarify that exported dirs should be local mount points")
MFC after:      3 days
Sponsored by:   The FreeBSD Foundation
DeltaFile
+1-1usr.sbin/mountd/exports.5
+1-11 files

HardenedBSD/src e60861eshare/mk bsd.lib.mk

bsd.lib.mk: document INTERNALLIB and PRIVATELIB

Reviewed by:    des, dim, emaste
Sponsored by:   The FreeBSD Foundation
MFC after:      1 week
Differential revision:  https://reviews.freebsd.org/D53948
DeltaFile
+15-0share/mk/bsd.lib.mk
+15-01 files

HardenedBSD/src 257da67tools/tools/git git-arc.sh

git-arc: Fix existence check

Fixes:          b3e53f9fff11 ("git-arc: Don't require devel/arcanist")
Reviewed by:    markj
Differential Revision:  https://reviews.freebsd.org/D53942
DeltaFile
+1-1tools/tools/git/git-arc.sh
+1-11 files

HardenedBSD/src 1ec2a73share/man/man7 arch.7, sys/sys _types.h _stdint.h

Merge branch 'freebsd/current/main' into hardened/current/master
DeltaFile
+34-5sys/sys/_types.h
+16-0sys/sys/_stdint.h
+14-0tools/tools/git/git-arc.sh
+8-0sys/sys/stddef.h
+7-0tests/sys/netpfil/pf/pflog.sh
+3-2share/man/man7/arch.7
+82-72 files not shown
+85-88 files

HardenedBSD/src 5d52822sys/sys _types.h

Merge branch 'freebsd/15-stable/main' into hardened/15-stable/main
DeltaFile
+1-1sys/sys/_types.h
+1-11 files

HardenedBSD/src b3e53f9tools/tools/git git-arc.sh

git-arc: Don't require devel/arcanist

Instead of invoking just “arc”, which requires devel/arcanist, which
conflicts with archivers/arc, invoke the underlying script installed by
devel/arcanist-lib.

Reviewed by:    markj
Differential Revision:  https://reviews.freebsd.org/D53942
DeltaFile
+14-0tools/tools/git/git-arc.sh
+14-01 files

HardenedBSD/src 56114d2sys/sys _types.h

max_align_t: apply alignof to 'long double' for long double alignment

(cherry picked from commit 39cad8402d19f361cb8d489a3a69ff94b643c6df)
DeltaFile
+1-1sys/sys/_types.h
+1-11 files

HardenedBSD/src 6aaba75sys/sys _types.h

sys/_types.h: centralize __vm_offset_t and __vm_size_t definitions

Use __ptraddr_t to define __vm_offset_t and __size_t for __vm_size_t
rather than per-pointer-size definitions.

Reviewed by:    kib, markj
Effort:         CHERI upstreaming
Sponsored by:   Innovate UK
Differential Revision:  https://reviews.freebsd.org/D53818
DeltaFile
+3-4sys/sys/_types.h
+3-41 files

HardenedBSD/src 6ebbfe7sys/sys _types.h

sys/_types.h: add __intptr_t to __mbstate_t

Extend __mbstate_t to include an intptr_t to ensure it can hold a
pointer if required.

Reviewed by:    kib, markj
Effort:         CHERI upstreaming
Sponsored by:   Innovate UK
Differential Revision:  https://reviews.freebsd.org/D53822
DeltaFile
+1-0sys/sys/_types.h
+1-01 files

HardenedBSD/src 4e22cd3sys/sys _stdint.h _types.h

add types: (u)int64ptr_t

This type represents an integer value of at least 64 bits which is
capable of being cast to and from pointer types.  It is intended to
replace various spellings of (u)int64_t there the value is expected to
hold a pointer.  This is common in Linux code to allow 32-bit and 64-bit
structures to be the same and used other places including OpenZFS.  With
the introduction of CHERI this no longer works, but we need to preserve
the ABI for integer pointer targets.  Rather than adding ifdefs in every
case, we introduce a new type.

Reviewed by:    kib, markj
Effort:         CHERI upstreaming
Sponsored by:   Innovate UK
Differential Revision:  https://reviews.freebsd.org/D53823
DeltaFile
+16-0sys/sys/_stdint.h
+6-0sys/sys/_types.h
+22-02 files

HardenedBSD/src 96e05e2sys/sys _types.h

sys/_types.h: define __(u)int(f)ptr_t for CHERI

On pure-capability ABIs, uintptr_t and variants are capabilities and
defined to the new primative type __uintcap_t and variants.  This is
required to allow pointers (capabilities) to round trip through
uintptr_t as required by the C standard.

Reviewed by:    kib, markj
Effort:         CHERI upstreaming
Sponsored by:   Innovate UK
Differential Revision:  https://reviews.freebsd.org/D53819
DeltaFile
+6-1sys/sys/_types.h
+6-11 files

HardenedBSD/src 528e70asys/sys _types.h

sys/_types.h: add void * to __max_align_t

Add a pointer member to __max_align_t as pointers may have different
alignment requirements than long long or long double.

Reviewed by:    kib
Effort:         CHERI upstreaming
Sponsored by:   Innovate UK
Differential Revision:  https://reviews.freebsd.org/D53821
DeltaFile
+1-0sys/sys/_types.h
+1-01 files

HardenedBSD/src 85ab981sys/sys _types.h

sys/_types.h: define fallback __(u)intcap_t

__intcap_t and __uintcap_t are new primative types in CHERI-aware ABIs
that are used to define (u)intptr_t.  To allow coexistance of integer
pointers and hybrid code, define them to __(u)intptr_t when they are
not otherwise available.

Reviewed by:    kib, markj
Effort:         CHERI upstreaming
Sponsored by:   Innovate UK
Differential Revision:  https://reviews.freebsd.org/D53820
DeltaFile
+11-0sys/sys/_types.h
+11-01 files

HardenedBSD/src dca634dshare/man/man7 arch.7, sys/sys stddef.h _types.h

new type: ptraddr_t

ptraddr_t is an unsigned integer type that can hold the address of any
pointer.  It differes from uintptr_t in that it does not carry
provenance which is useful for CHERI in that it can disambigurate the
provenance of uintptr_t expressions.  It differes from size_t in that
some segmented architecture (not supported by FreeBSD) may have a size_t
that does not hold an address.

ptraddr_t is not yet standardized, but is currently proposed for
inclusion in C++2Y.

Prefer the compiler defined __PTRADDR_TYPE__ defintion where available
as this a new type and we don't need to worry about historical values.
Fall back to __size_t where unavailable.

Reviewed by:    kib, markj
Effort:         CHERI upstreaming
Sponsored by:   Innovate UK
Differential Revision:  https://reviews.freebsd.org/D53817
DeltaFile
+8-0sys/sys/stddef.h
+6-0sys/sys/_types.h
+3-2share/man/man7/arch.7
+17-23 files

HardenedBSD/src a9dd68bsys/kern kern_prot.c, sys/riscv/conf GENERIC

Merge branch 'freebsd/current/main' into hardened/current/master
DeltaFile
+22-12sys/kern/kern_prot.c
+2-2sys/sys/exterrvar.h
+1-0sys/riscv/conf/GENERIC
+25-143 files

HardenedBSD/src 39cbfc7tests/sys/netpfil/pf pflog.sh

pf tests: pflog:{rdr_action,state_max} disable IPv6

Turn off IPv6 on all interfaces to avoid having multicast listener
reports generated that might turn up in out pflog output, disrupting
the test.

Sponsored by:   Rubicon Communications, LLC ("Netgate")
DeltaFile
+7-0tests/sys/netpfil/pf/pflog.sh
+7-01 files

HardenedBSD/src 8cf099btests/sys/netpfil/pf syncookie.sh

pf tests: fix syncookie:loopback_v6

Use 'no_dad' when assigning a v6 address, because otherwise we may try
to use it before it becomes usable.

Sponsored by:   Rubicon Communications, LLC ("Netgate")
DeltaFile
+1-1tests/sys/netpfil/pf/syncookie.sh
+1-11 files

HardenedBSD/src 685d586tests/sys/netpfil/pf killstate.sh

pf tests: explicitly set the source address in killstate:v6

We've seen failures due to pft_ping.py selecting the wrong source address.
Explicitly use 2001:db8::1 as source, to match the tests's expectations.

Sponsored by:   Rubicon Communications, LLC ("Netgate")
DeltaFile
+1-0tests/sys/netpfil/pf/killstate.sh
+1-01 files