OPNSense/src c961e15: UPDATING, sys/conf/newvers.sh

Add UPDATING entries and bump patch version

Approved by:    so
Delta    File
+14 -0   UPDATING
+1 -1    sys/conf/newvers.sh
+15 -1   2 files

OPNSense/src 401deec: crypto/openssl/crypto/asn1/evp_asn1.c, crypto/openssl/crypto/asn1/a_strex.c, crypto/openssl/crypto/bio/bf_lbuf.c

openssl: Fix multiple vulnerabilities

This is a rollup commit from upstream to fix:
  Stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467)
  Heap out-of-bounds write in BIO_f_linebuffer on short writes (CVE-2025-68160)
  Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (CVE-2025-69418)
  Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (CVE-2025-69419)
  Missing ASN1_TYPE validation in TS_RESP_verify_response() function (CVE-2025-69420)
  NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (CVE-2025-69421)
  Missing ASN1_TYPE validation in PKCS#12 parsing (CVE-2026-22795)
  ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (CVE-2026-22796)

See https://openssl-library.org/news/secadv/ for additional details.

Approved by:    so
Obtained from:  OpenSSL
Security:       FreeBSD-SA-26:01.openssl
Security:       CVE-2025-15467
Security:       CVE-2025-68160

    [6 lines not shown]
Delta    File
+26 -6   crypto/openssl/crypto/bio/bf_lbuf.c
+20 -0   crypto/openssl/crypto/asn1/evp_asn1.c
+8 -2    crypto/openssl/crypto/modes/ocb128.c
+8 -2    crypto/openssl/crypto/pkcs12/p12_kiss.c
+4 -2    crypto/openssl/crypto/asn1/a_strex.c
+5 -0    crypto/openssl/crypto/pkcs12/p12_decr.c
+71 -12  5 files not shown
+84 -18  11 files

OPNSense/src 163ae89: tests/sys/kern/jail_lookup_root.c, tests/sys/kern/Makefile

tests: Add a regression test for commit 7587f6d4840f8

Approved by:    so
Reviewed by:    kib
MFC after:      2 weeks
Differential Revision:  https://reviews.freebsd.org/D50533

(cherry picked from commit a5dac34f6e98c47bd7cb1946e39cc45432e167a8)
(cherry picked from commit f56b66f1260a33e49c65bbc05213ec8267978a93)
Delta    File
+171 -0  tests/sys/kern/jail_lookup_root.c
+2 -0    tests/sys/kern/Makefile
+173 -0  2 files

OPNSense/src 6f7cf6b: sys/sys/namei.h

namei: clear internal flags in NDREINIT()

Same as is done for NDRESTART().

Approved by:    so
Fixes:  e05e33041c252
Reported and tested by: pho
Reviewed by:    markj
Sponsored by:   The FreeBSD Foundation

(cherry picked from commit 58b2bd33aff71c0268d99d63e9c83f6544d3beb3)
(cherry picked from commit 53963866f7088dd96f6d56169e6b4fb899277306)
Delta    File
+1 -0    sys/sys/namei.h
+1 -0    1 file

OPNSense/src 81eacb8: sys/kern/vfs_vnops.c

vfs: Don't clobber namei flags in vn_open_cred()

Otherwise NAMEILOOKUP is cleared.  More generally it seems quite
surprising that the flags set by vn_open_cred() callers are not
automatically preserved.  Modify open2nameif() such that it takes
already-set namei flags into account.

Approved by:    so
Reviewed by:    olce, kib
Fixes:          7587f6d4840f ("namei: Make stackable filesystems check harder for jail roots")
Differential Revision:  https://reviews.freebsd.org/D50531

(cherry picked from commit e05e33041c252dc236939683c01ca4b7b083562c)
(cherry picked from commit a66767844690dfd82e14df2d22bd9bc40e46546b)
Delta    File
+14 -8   sys/kern/vfs_vnops.c
+14 -8   1 file

OPNSense/src 0b5aa71: sys/kern/vfs_cache.c

vfs cache: Add NAMEILOOKUP to the whitelist of fastpath lookup flags

Otherwise the lockless name lookup path is inadvertently disabled since
NAMEILOOKUP isn't recognized.

Approved by:    so
Reviewed by:    olce, kib
Fixes:          7587f6d4840f ("namei: Make stackable filesystems check harder for jail roots")
Differential Revision:  https://reviews.freebsd.org/D50532

(cherry picked from commit f4158953007f557061d91f99d2374d48d8376cc6)
(cherry picked from commit 031cd548775c26314e6ae9cad35b01c5ab1aea6c)
Delta    File
+1 -1    sys/kern/vfs_cache.c
+1 -1    1 file

OPNSense/src ec57109: sys/kern/vfs_cache.c

namei: Remove a now-unused variable

Approved by:    so
Reported by:    bapt
Fixes:          7587f6d4840f ("namei: Make stackable filesystems check harder for jail roots")

(cherry picked from commit 14ec281a09d7818def2083ef0c3e28f8101f4268)
(cherry picked from commit 3f4efe392b7039686057838d723a2d43ae144be5)
Delta    File
+1 -3    sys/kern/vfs_cache.c
+1 -3    1 file

OPNSense/src 3d1e822: sys/fs/nullfs/null_vnops.c, sys/fs/unionfs/union_vnops.c

namei: Make stackable filesystems check harder for jail roots

Suppose a process has its cwd pointing to a nullfs directory, where the
lower directory is also visible in the jail's filesystem namespace.
Suppose that the lower directory vnode is moved out from under the
nullfs mount.  The nullfs vnode still shadows the lower vnode, and
dotdot lookups relative to that directory will instantiate new nullfs
vnodes outside of the nullfs mountpoint, effectively shadowing the lower
filesystem.

This phenomenon can be abused to escape a chroot, since the nullfs
vnodes instantiated by these dotdot lookups defeat the root vnode check
in vfs_lookup(), which uses vnode pointer equality to test for the
process root.

Fix this by extending nullfs and unionfs to perform the same check,
exploiting the fact that the passed componentname is embedded in a
nameidata structure to avoid changing the VOP_LOOKUP interface.  That
is, add a flag to indicate that containerof can be used to get the full

    [13 lines not shown]
Delta    File
+30 -11  sys/kern/vfs_lookup.c
+18 -10  sys/fs/nullfs/null_vnops.c
+21 -0   sys/fs/unionfs/union_vnops.c
+1 -10   sys/kern/vfs_cache.c
+4 -1    sys/sys/namei.h
+74 -32  5 files

OPNSense/src 8b81e03: sys/fs/nullfs/null_vnops.c

nullfs lookup: cn_flags is 64bit

Approved by:    so

(cherry picked from commit 89549c2348170921cc4270ac95bfabfd78d42739)
(cherry picked from commit 2013ad7490f2a80d3b3260d9811422bbd25a915e)
Delta    File
+3 -3    sys/fs/nullfs/null_vnops.c
+3 -3    1 file

OPNSense/src bb4385b: sys/vm/vm_fault.c

vm_fault: only rely on PG_ZERO when the page was newly allocated

Approved by:    so
Security:       FreeBSD-EN-26:03.vm

(cherry picked from commit cff67bc43df14d492ccc08ec92fddceadd069953)
(cherry picked from commit 99f641267d449f26a2e13449964f29d17897c29f)
Delta    File
+5 -1    sys/vm/vm_fault.c
+5 -1    1 file

OPNSense/src 60d8992: sys/vm/vm_object.c

vm_object_page_remove(): clear pager even if there are no resident pages

Approved by:    so
Security:       FreeBSD-EN-26:03.vm

(cherry picked from commit 72a447d0bc768c7fe8a9c972f710c75afebd581b)
(cherry picked from commit feac4c32a5f87434a17a804d8148cea78f81ebea)
Delta    File
+2 -1    sys/vm/vm_object.c
+2 -1    1 file

OPNSense/src 7958956: sys/arm64/arm64/exec_machdep.c

arm64: Correctly align the SVE signal context

The SVE signal context needs to be correctly aligned. Fix this by
creating a new macro to calculate the needed size to provide this
alignment, and use it when setting and checking the saved SVE signal
context.

Approved by:    so
Security:       FreeBSD-EN-26:02.arm64
Reported by:    cperciva
Reviewed by:    cperciva, markj
Sponsored by:   Arm Ltd
Differential Revision:  https://reviews.freebsd.org/D54396

(cherry picked from commit a9e77eb7016df70723c208fc09fbd01ec23a732d)
(cherry picked from commit bcd6bb8067d13d28d13a309e32818cda9e0d29ff)
Delta    File
+9 -5    sys/arm64/arm64/exec_machdep.c
+9 -5    1 file

OPNSense/src fac137b: UPDATING, sys/conf/newvers.sh

Add UPDATING entries and bump patch version

Approved by:    so
Delta    File
+14 -0   UPDATING
+1 -1    sys/conf/newvers.sh
+15 -1   2 files

OPNSense/src 7ca64ab: crypto/openssl/crypto/asn1/evp_asn1.c, crypto/openssl/crypto/asn1/a_strex.c, crypto/openssl/crypto/bio/bf_lbuf.c

openssl: Fix multiple vulnerabilities

This is a rollup commit from upstream to fix:
  Stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467)
  Heap out-of-bounds write in BIO_f_linebuffer on short writes (CVE-2025-68160)
  Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (CVE-2025-69418)
  Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (CVE-2025-69419)
  Missing ASN1_TYPE validation in TS_RESP_verify_response() function (CVE-2025-69420)
  NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (CVE-2025-69421)
  Missing ASN1_TYPE validation in PKCS#12 parsing (CVE-2026-22795)
  ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (CVE-2026-22796)

See https://openssl-library.org/news/secadv/ for additional details.

Approved by:    so
Obtained from:  OpenSSL
Security:       FreeBSD-SA-26:01.openssl
Security:       CVE-2025-15467
Security:       CVE-2025-68160

    [6 lines not shown]
Delta    File
+26 -6   crypto/openssl/crypto/bio/bf_lbuf.c
+20 -0   crypto/openssl/crypto/asn1/evp_asn1.c
+8 -2    crypto/openssl/crypto/modes/ocb128.c
+8 -2    crypto/openssl/crypto/pkcs12/p12_kiss.c
+4 -2    crypto/openssl/crypto/asn1/a_strex.c
+5 -0    crypto/openssl/crypto/pkcs12/p12_decr.c
+71 -12  5 files not shown
+84 -18  11 files

OPNSense/src 9f93a51: tests/sys/kern/jail_lookup_root.c, tests/sys/kern/Makefile

tests: Add a regression test for commit 7587f6d4840f8

Approved by:    so
Reviewed by:    kib
MFC after:      2 weeks
Differential Revision:  https://reviews.freebsd.org/D50533

(cherry picked from commit a5dac34f6e98c47bd7cb1946e39cc45432e167a8)
(cherry picked from commit f56b66f1260a33e49c65bbc05213ec8267978a93)
Delta    File
+171 -0  tests/sys/kern/jail_lookup_root.c
+2 -0    tests/sys/kern/Makefile
+173 -0  2 files

OPNSense/src 5b25bf7: sys/sys/namei.h

namei: clear internal flags in NDREINIT()

Same as is done for NDRESTART().

Approved by:    so
Fixes:  e05e33041c252
Reported and tested by: pho
Reviewed by:    markj
Sponsored by:   The FreeBSD Foundation

(cherry picked from commit 58b2bd33aff71c0268d99d63e9c83f6544d3beb3)
(cherry picked from commit 53963866f7088dd96f6d56169e6b4fb899277306)
Delta    File
+1 -0    sys/sys/namei.h
+1 -0    1 file

OPNSense/src 70f8422: sys/kern/vfs_vnops.c

vfs: Don't clobber namei flags in vn_open_cred()

Otherwise NAMEILOOKUP is cleared.  More generally it seems quite
surprising that the flags set by vn_open_cred() callers are not
automatically preserved.  Modify open2nameif() such that it takes
already-set namei flags into account.

Approved by:    so
Reviewed by:    olce, kib
Fixes:          7587f6d4840f ("namei: Make stackable filesystems check harder for jail roots")
Differential Revision:  https://reviews.freebsd.org/D50531

(cherry picked from commit e05e33041c252dc236939683c01ca4b7b083562c)
(cherry picked from commit a66767844690dfd82e14df2d22bd9bc40e46546b)
Delta    File
+14 -8   sys/kern/vfs_vnops.c
+14 -8   1 file

OPNSense/src 0b807c2: sys/kern/vfs_cache.c

vfs cache: Add NAMEILOOKUP to the whitelist of fastpath lookup flags

Otherwise the lockless name lookup path is inadvertently disabled since
NAMEILOOKUP isn't recognized.

Approved by:    so
Reviewed by:    olce, kib
Fixes:          7587f6d4840f ("namei: Make stackable filesystems check harder for jail roots")
Differential Revision:  https://reviews.freebsd.org/D50532

(cherry picked from commit f4158953007f557061d91f99d2374d48d8376cc6)
(cherry picked from commit 031cd548775c26314e6ae9cad35b01c5ab1aea6c)
Delta    File
+1 -1    sys/kern/vfs_cache.c
+1 -1    1 file

OPNSense/src 1e76406: sys/kern/vfs_cache.c

namei: Remove a now-unused variable

Approved by:    so
Reported by:    bapt
Fixes:          7587f6d4840f ("namei: Make stackable filesystems check harder for jail roots")

(cherry picked from commit 14ec281a09d7818def2083ef0c3e28f8101f4268)
(cherry picked from commit 3f4efe392b7039686057838d723a2d43ae144be5)
Delta    File
+1 -3    sys/kern/vfs_cache.c
+1 -3    1 file

OPNSense/src 0299ff6: sys/fs/nullfs/null_vnops.c, sys/fs/unionfs/union_vnops.c

namei: Make stackable filesystems check harder for jail roots

Suppose a process has its cwd pointing to a nullfs directory, where the
lower directory is also visible in the jail's filesystem namespace.
Suppose that the lower directory vnode is moved out from under the
nullfs mount.  The nullfs vnode still shadows the lower vnode, and
dotdot lookups relative to that directory will instantiate new nullfs
vnodes outside of the nullfs mountpoint, effectively shadowing the lower
filesystem.

This phenomenon can be abused to escape a chroot, since the nullfs
vnodes instantiated by these dotdot lookups defeat the root vnode check
in vfs_lookup(), which uses vnode pointer equality to test for the
process root.

Fix this by extending nullfs and unionfs to perform the same check,
exploiting the fact that the passed componentname is embedded in a
nameidata structure to avoid changing the VOP_LOOKUP interface.  That
is, add a flag to indicate that containerof can be used to get the full

    [13 lines not shown]
Delta    File
+30 -11  sys/kern/vfs_lookup.c
+18 -10  sys/fs/nullfs/null_vnops.c
+21 -0   sys/fs/unionfs/union_vnops.c
+1 -10   sys/kern/vfs_cache.c
+4 -1    sys/sys/namei.h
+74 -32  5 files

OPNSense/src 73f5085: sys/fs/nullfs/null_vnops.c

nullfs lookup: cn_flags is 64bit

Approved by:    so

(cherry picked from commit 89549c2348170921cc4270ac95bfabfd78d42739)
(cherry picked from commit 2013ad7490f2a80d3b3260d9811422bbd25a915e)
Delta    File
+3 -3    sys/fs/nullfs/null_vnops.c
+3 -3    1 file

OPNSense/src 0a4a1c0: sys/vm/vm_fault.c

vm_fault: only rely on PG_ZERO when the page was newly allocated

Approved by:    so
Security:       FreeBSD-EN-26:03.vm

(cherry picked from commit cff67bc43df14d492ccc08ec92fddceadd069953)
(cherry picked from commit 99f641267d449f26a2e13449964f29d17897c29f)
Delta    File
+5 -1    sys/vm/vm_fault.c
+5 -1    1 file

OPNSense/src 8137bf0: sys/vm/vm_object.c

vm_object_page_remove(): clear pager even if there are no resident pages

Approved by:    so
Security:       FreeBSD-EN-26:03.vm

(cherry picked from commit 72a447d0bc768c7fe8a9c972f710c75afebd581b)
(cherry picked from commit feac4c32a5f87434a17a804d8148cea78f81ebea)
Delta    File
+2 -1    sys/vm/vm_object.c
+2 -1    1 file

OPNSense/src 0eb74ff: sys/arm64/arm64/exec_machdep.c

arm64: Correctly align the SVE signal context

The SVE signal context needs to be correctly aligned. Fix this by
creating a new macro to calculate the needed size to provide this
alignment, and use it when setting and checking the saved SVE signal
context.

Approved by:    so
Security:       FreeBSD-EN-26:02.arm64
Reported by:    cperciva
Reviewed by:    cperciva, markj
Sponsored by:   Arm Ltd
Differential Revision:  https://reviews.freebsd.org/D54396

(cherry picked from commit a9e77eb7016df70723c208fc09fbd01ec23a732d)
(cherry picked from commit bcd6bb8067d13d28d13a309e32818cda9e0d29ff)
Delta    File
+9 -5    sys/arm64/arm64/exec_machdep.c
+9 -5    1 file

OPNSense/src 1bab723: sys/netpfil/ipfw/ip_fw_table_value.c

netpfil/ipfw: Fix a typo in a source code comment

- s/vaues/values/

(cherry picked from commit 9be9ab2a242080dea6254e187cf211604170de07)
Delta    File
+1 -1    sys/netpfil/ipfw/ip_fw_table_value.c
+1 -1    1 file

OPNSense/src b535c31: sys/dev/e1000/if_em.c, sys/dev/e1000/e1000_phy.c

Revert "e1000: Try auto-negotiation for fixed 100 or 10 configuration"

We've gotten a report of this breaking a fixed no autoneg setup.

Since no link is worse than what this intends to fix (negotiating full
duplex at forced speed), revert for the underway 15.0 release cycle
until this can be further reviewed.

PR:             288827
Differential Revision:  https://reviews.freebsd.org/D47336

This reverts commit 645c45e297c0fcbbb9d2d24cdeeb124234825019.

(cherry picked from commit 3ff0231c87f360afa4521e635b46f6c711dc4ee3)
Delta    File
+6 -38   sys/dev/e1000/if_em.c
+2 -3    sys/dev/e1000/e1000_phy.c
+8 -41   2 files

OPNSense/src e55e4cb: sys/netinet6/ip6_output.c

ipv6: account for jumbo payload option

If a jumbo payload option is added, the length of the mbuf chain is
increased by 8 but the actual hop-by-hop extension header with the
jumbo payload option is only inserted in the packet if there are
other options. Therefore, adjust optlen to reflect the actual size
of IPv6 extension headers including the hop-by-hop extension header
containing the jumbo payload option.

Reported by:            syzbot+73fe316271df473230eb at syzkaller.appspotmail.com
Reviewed by:            markj, Timo Voelker
Differential Revision:  https://reviews.freebsd.org/D54394

(cherry picked from commit 1f5b1de1fdf2924066c1851ed6c73f36fe20b438)
Delta    File
+1 -0    sys/netinet6/ip6_output.c
+1 -0    1 file

OPNSense/src 6e530e8: sys/compat/linuxkpi/common/include/linux/radix-tree.h, sys/compat/linuxkpi/common/src/linux_radix.c

linuxkpi: Take const root in read-only radix tree functions

This is a preparation step for a future addition to this file. This is
also closer to what Linux does.

Reviewed by:    emaste
Sponsored by:   The FreeBSD Foundation

(cherry picked from commit cf39b51d36d82214ebdfd03055d321ddd2d85274)
(cherry picked from commit c5445540995fd37c390ad371a2e95d300ee83988)
Delta    File
+4 -4    sys/compat/linuxkpi/common/src/linux_radix.c
+2 -2    sys/compat/linuxkpi/common/include/linux/radix-tree.h
+6 -6    2 files

OPNSense/src fc112dc: sys/netinet/ip_output.c

tcp: fix checksum calculation bug

The new function in_delayed_cksum_o() was introduced to compute
the checksum in the case the mbuf chain does not start with the
IP header. The offset of the IP header is specified by the
parameter iph_offset.
If iph_offset was positive, the function computed an incorrect
checksum.

Reviewed by:            sobomax, tuexen
Fixes:                  5feb38e37847 ("netinet: provide "at offset" variant of the in_delayed_cksum() API")
Differential Revision:  https://reviews.freebsd.org/D54269

(cherry picked from commit c8b3b605ae854ead6c8804e0400d80cb8fa73fdf)
Delta    File
+2 -2    sys/netinet/ip_output.c
+2 -2    1 file

OPNSense/src 1877dad: sys/netinet6/ip6_input.c, tools/regression/sockets/udp_pingpong/udp_pingpong.c

ip6: add SO_BINTIME support

This adds support for obtaining timestamps from IPv6 packets using the
SO_BINTIME socket option, bringing it in parity with IPv4 behavior.

Enable testing the SO_BINTIME option in the relevant (manual) regression
test.

PR:             289423
Reviewed by:    markj
MFC after:      2 weeks
Differential Revision:  https://reviews.freebsd.org/D52504

(cherry picked from commit cd02a8a9f8be2085d5242606a79668dc3720e7b0)
Delta    File
+37 -18  sys/netinet6/ip6_input.c
+3 -5    tools/regression/sockets/udp_pingpong/udp_pingpong.c
+40 -23  2 files