iconv: Fix a stack buffer overflow in _ISO2022_sputwchar()
In the ISO2022-CN encoding, characters may require at least seven bytes,
and MB_LEN_MAX==6 is insufficient. From code inspection,
_ISO2022_sputwchar() can emit 10 bytes in the worst case, so use that to
size buffers.
Add a regression test.
Approved by: so
Security: FreeBSD-SA-26:49.iconv
Security: CVE-2026-58082
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D57950
ktls CBC decrypt: Only increment iovec index when an entry is used
If an mbuf in the chain was skipped because it only contained bytes
from the header, the iovec index ('i') was incremented even though the
entry was not populated. Only increment 'i' when an iovec entry is
consumed.
Add a new type of KTLS receive test which writes a single TLS record
via two separate write(2) calls over a TCP_NODELAY socket to trigger
a split in the mbuf chain in the kernel. Test various split locations
including after the "plain" TLS header (5 bytes), after the full TLS
header, in the middle of the data payload, just before the start of
the trailer, and in the middle of the trailer. These tests are also
run against all supported ciphers, not just CBC. The 'header' test
for CBC ciphersuites was able to trigger the bug.
Approved by: so
Security: FreeBSD-SA-26:46.ktls
Security: CVE-2026-49423
Sponsored by: Chelsio Communications
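The index bug described above, reduced to a user-space model. This is an added example, not FreeBSD's KTLS code: the `struct seg` chain, the `struct entry` array and the constructed 5-byte-header/8-byte-body record stand in for the kernel's mbuf chain, iovec array and TLS record. `gather_payload()` takes a `buggy` switch so the two behaviours can be compared, and `entries_cover_payload()` is the invariant check a reviewer would want: every populated entry must point into the chain and the lengths must sum to the payload size.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins: a chain segment (not struct mbuf) and an iovec-like entry. */
struct seg { const uint8_t *data; size_t len; };
struct entry { const uint8_t *base; size_t len; };

#define MAX_ENTRIES 8

/*
 * Build the entry array a decrypt routine would hand to the cipher, skipping
 * the first hdr_len bytes of the chain (the TLS header). Returns the number
 * of entries written, or -1 if the array is too small.
 *
 * With buggy != 0 the index is advanced even for a segment that held only
 * header bytes (the defect the commit describes); otherwise it is advanced
 * only when an entry was actually populated.
 */
static int
gather_payload(const struct seg *segs, size_t nsegs, size_t hdr_len,
    struct entry *ent, size_t nent, int buggy)
{
	size_t i = 0, skip = hdr_len;

	for (size_t s = 0; s < nsegs; s++) {
		const uint8_t *p = segs[s].data;
		size_t n = segs[s].len;

		if (skip >= n) {
			/* Segment contains nothing past the header. */
			skip -= n;
			if (buggy) {
				if (i >= nent)
					return (-1);
				i++;	/* ent[i-1] is left untouched */
			}
			continue;
		}
		p += skip;
		n -= skip;
		skip = 0;
		if (i >= nent)
			return (-1);
		ent[i].base = p;
		ent[i].len = n;
		i++;
	}
	return ((int)i);
}

/* Every entry must lie inside some segment and the lengths must add up. */
static int
entries_cover_payload(const struct entry *ent, int n, const struct seg *segs,
    size_t nsegs, size_t payload_len)
{
	size_t total = 0;

	for (int i = 0; i < n; i++) {
		uintptr_t b = (uintptr_t)ent[i].base, e = b + ent[i].len;
		int inside = 0;

		for (size_t s = 0; s < nsegs; s++) {
			uintptr_t s0 = (uintptr_t)segs[s].data, s1 = s0 + segs[s].len;
			if (b >= s0 && e <= s1)
				inside = 1;
		}
		if (!inside)
			return (0);
		total += ent[i].len;
	}
	return (total == payload_len);
}

/* Constructed record: 5-byte TLS header and 8-byte body, split right after
 * the header (the 'header' split case). `stale` plays a previous record's
 * entry still sitting in a reused array. */
static const uint8_t rec_hdr[5] = { 0x17, 0x03, 0x03, 0x00, 0x08 };
static const uint8_t rec_body[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
static const uint8_t stale[4] = { 0xde, 0xad, 0xbe, 0xef };

static int
run(int buggy, int *count)
{
	const struct seg segs[2] = {
		{ rec_hdr, sizeof(rec_hdr) }, { rec_body, sizeof(rec_body) },
	};
	struct entry ent[MAX_ENTRIES];

	for (int i = 0; i < MAX_ENTRIES; i++) {	/* simulate a reused array */
		ent[i].base = stale;
		ent[i].len = sizeof(stale);
	}
	*count = gather_payload(segs, 2, sizeof(rec_hdr), ent, MAX_ENTRIES, buggy);
	if (*count < 0)
		return (0);
	return (entries_cover_payload(ent, *count, segs, 2, sizeof(rec_body)));
}

int fixed_count(void) { int c; run(0, &c); return (c); }	/* 1 entry */
int fixed_ok(void)    { int c; return (run(0, &c)); }		/* covers payload */
int buggy_count(void) { int c; run(1, &c); return (c); }	/* 2 entries */
int buggy_ok(void)    { int c; return (run(1, &c)); }		/* stale entry, fails */
```

With the fix, the split-after-header chain yields one entry covering exactly the body. With the old increment, the count is two and the first entry is whatever the array held before, which is why the kernel test for the 'header' split caught it.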
posixshm: Disallow truncation of largepage objects
We correctly handled ftruncate(), but not open(O_TRUNC).
Add a regression test.
Approved by: so
Security: FreeBSD-SA-26:44.posixshm
Security: CVE-2026-49428
Reported by: Chris Jarrett-Davies <chrisjd at openai.com>
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57831
kern: fix auditing of ptrace(2) syscall requests
`error` here is the return value of syscall_thread_enter() rather than
the syscall itself, so the committed audit records do not reflect
reality. This is less harmful than them recording an error when the
operation actually succeeded, but it could still possibly be used to
throw off IDS techniques with things like bsmtrace.
Approved by: so
Security: FreeBSD-SA-26:45.audit
Security: CVE-2026-49426
Reviewed by: des, kib, markj, csjp
Differential Revision: https://reviews.freebsd.org/D57847
unlinkat: Pass flags down to the work functions
The unlinkat(2) and funlinkat(2) system calls were ignoring
AT_RESOLVE_BENEATH.
Also pass pathseg through instead of assuming it's UIO_USERSPACE.
Add some tests which make sure that AT_RESOLVE_BENEATH is handled
properly by various system calls.
Approved by: so
Security: FreeBSD-SA-26:42.unlinkat
Security: CVE-2026-49421
Reported by: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57790
device_pager: Avoid double-insertion of pages into the pager list
Unmanaged device pager objects maintain a linked list of pages that were
returned from the fault handler. Initially, such pages are valid, but
msync(MS_INVALIDATE) can mark them invalid (and clean). They are not
removed from page tables (since they are unmanaged), but a subsequent
mlock() call can trigger a page fault that is handled by the pager.
dev_pager_getpages() then re-inserts the page into the linked list even
though it's already present there.
This patch fixes the problem by removing the linked list. OBJ_PG_DTOR
is set, so vm_object_terminate_pages() does nothing, and
dev_pager_dealloc() instead handles cleanup of the object.
Add a regression test case which triggers a queue.h assertion failure in
unpatched kernels.
Note, in stable branches we should avoid changing the layout of struct
vm_object.
[8 lines not shown]
libalias: Fix buffer overflow in RTSP aliasing
In alias_rtsp_out(), we construct a new packet in a fixed-length buffer
before copying it back into the original buffer. We never checked if
the data we were writing to this temporary buffer fit in it, nor if the
result fit in the original buffer.
* Use a dynamically sized allocated buffer instead of a fixed-length
stack buffer.
* Check for overflow before appending to our temporary buffer.
* Check for overflow before copying the data back to the packet buffer.
* While here, use size_t for sizes and bool for booleans.
Approved by: so
Security: FreeBSD-SA-26:41.libalias
Security: CVE-2026-49420
[3 lines not shown]
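The two checks the commit adds, shown on a stand-alone rewrite routine. This is an added example and not libalias code: `struct dbuf` is a small growable buffer whose `dbuf_append()` refuses to write past its capacity or let the length wrap, and `rewrite_packet()` rebuilds a message into it and then copies back into the original packet buffer only when the result fits. The RTSP-style `Transport:` line and the port strings are constructed sample input; the real library's parsing of the header is not reproduced here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Growable buffer; every append checks for overflow before writing. */
struct dbuf {
	char *data;
	size_t len, cap;
};

static bool
dbuf_append(struct dbuf *b, const char *src, size_t n)
{
	if (n > SIZE_MAX - b->len)		/* len + n would wrap */
		return (false);
	if (b->len + n > b->cap) {
		size_t ncap = b->cap ? b->cap : 64;

		while (ncap < b->len + n) {
			if (ncap > SIZE_MAX / 2)
				return (false);
			ncap *= 2;
		}
		char *p = realloc(b->data, ncap);
		if (p == NULL)
			return (false);
		b->data = p;
		b->cap = ncap;
	}
	memcpy(b->data + b->len, src, n);
	b->len += n;
	return (true);
}

/*
 * Rebuild the message in pkt (pkt_len bytes used, pkt_cap capacity) with
 * every occurrence of `from` replaced by `to`, then copy the result back
 * only if it fits. Returns the new length, or -1 with pkt left untouched.
 */
static int
rewrite_packet(char *pkt, size_t pkt_len, size_t pkt_cap,
    const char *from, const char *to)
{
	struct dbuf b = { NULL, 0, 0 };
	size_t fromn = strlen(from), ton = strlen(to);
	int ret = -1;

	for (size_t i = 0; i < pkt_len; ) {
		if (fromn > 0 && pkt_len - i >= fromn &&
		    memcmp(pkt + i, from, fromn) == 0) {
			if (!dbuf_append(&b, to, ton))	/* check 1: temp buffer */
				goto out;
			i += fromn;
		} else {
			if (!dbuf_append(&b, pkt + i, 1))
				goto out;
			i++;
		}
	}
	if (b.len > pkt_cap)			/* check 2: original buffer */
		goto out;
	memcpy(pkt, b.data, b.len);
	ret = (int)b.len;
out:
	free(b.data);
	return (ret);
}

/* Constructed sample header line (42 bytes without the terminator). */
static const char line[] = "Transport: RTP/AVP;client_port=1234-1235\r\n";

/* Roomy packet buffer: the rewrite succeeds and returns the new length, 44. */
int
demo_fits(void)
{
	char pkt[128];

	memcpy(pkt, line, sizeof(line) - 1);
	return (rewrite_packet(pkt, sizeof(line) - 1, sizeof(pkt),
	    "1234-1235", "50000-50001"));
}

/* Buffer sized exactly to the original: the longer result is refused and
 * the packet is left as it was; returns -1. */
int
demo_refuses(void)
{
	char pkt[sizeof(line) - 1];
	int r;

	memcpy(pkt, line, sizeof(line) - 1);
	r = rewrite_packet(pkt, sizeof(pkt), sizeof(pkt), "1234-1235", "50000-50001");
	if (memcmp(pkt, line, sizeof(pkt)) != 0)
		return (-99);			/* must never happen */
	return (r);
}
```

The point of staging in a separate buffer and checking twice is that the two limits are independent: the temporary buffer can grow, but the packet it is copied back into cannot, so a rewrite that lengthens the message must be able to fail cleanly at the second check.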
rack: Reload the TCP stack PCB after reacquiring the inpcb lock
Malicious userspace might switch TCP stacks twice while the inpcb lock
is dropped. If it does so, the validation of tp->t_fb might succeed,
but the saved pointer to the stack PCB might be invalid. Reload it to
avoid this problem, as BBR already does.
Approved by: so
Security: FreeBSD-SA-26:43.tcp
Security: CVE-2026-49422
Reported by: Maik Münch
Reviewed by: tuexen
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57791
posixshm: Disallow fspacectl() on largepage objects
As with truncation, the operation isn't supported, but nothing prevented
it.
Add a regression test.
Approved by: so
Security: FreeBSD-SA-26:44.posixshm
Security: CVE-2026-49428
Reported by: Chris Jarrett-Davies <chrisjd at openai.com>
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57830
iconv: Fix a buffer overflow in the HZ encoding
wcrtomb may store up to two 2-byte escape sequences to the state buffer in

addition to the character itself. In the worst case, a 3-byte heap
overflow is possible.
Approved by: so
Security: FreeBSD-SA-26:49.iconv
Security: CVE-2026-58081
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D57949
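Both iconv fixes above (the ISO2022 stack overflow and the HZ heap overflow) come down to the same thing: a stateful encoder can emit escape sequences in addition to the character, so the per-character output bound must come from the encoder itself, not from MB_LEN_MAX. The following is an added example, not FreeBSD's ISO2022 or HZ converter: a toy encoder that borrows only the shape of ISO-2022 output (a 4-byte designation escape, a shift, then up to two character bytes), stages each character in a local buffer sized by its own `TOY_MB_MAX`, refuses a destination that is too small instead of overrunning it, and measures its worst case by enumerating every state rather than guessing. The `TOY_WC` encoding of characters and the state layout are inventions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { SET_ASCII = 0, SET_G1 = 1, SET_G2 = 2 };

struct toy_state {
	bool g1_designated, g2_designated;	/* designation escapes already sent */
	bool shifted_out;			/* SO in effect: G1 is active */
};

/* Toy "wide character": bits 17..16 select the set, bits 15..0 the bytes. */
#define TOY_WC(set, b1, b2)	(((uint32_t)(set) << 16) | ((b1) << 8) | (b2))

static const uint8_t ESC_DESIG_G1[] = { 0x1b, '$', ')', 'A' };	/* 4 bytes */
static const uint8_t ESC_DESIG_G2[] = { 0x1b, '$', '*', 'H' };	/* 4 bytes */
static const uint8_t ESC_SS2[] = { 0x1b, 'N' };			/* 2 bytes */
#define SO 0x0e
#define SI 0x0f

/* Worst case per character, derived from the encoder: designation (4) +
 * single shift (2) + two character bytes. Size buffers with this, not
 * with MB_LEN_MAX (6 on FreeBSD per the commit message above). */
#define TOY_MB_MAX	(4 + 2 + 2)

/*
 * Encode one character. Output is staged in tmp and copied to dst only if
 * it fits in cap; state is committed only on success. Returns the byte
 * count, or -1 if cap is too small (dst and *st are then untouched).
 */
static int
toy_wcrtomb(uint8_t *dst, size_t cap, uint32_t wc, struct toy_state *st)
{
	uint8_t tmp[TOY_MB_MAX];
	struct toy_state ns = *st;
	size_t n = 0;

	switch ((wc >> 16) & 3) {
	case SET_ASCII:
		if (ns.shifted_out) {
			tmp[n++] = SI;
			ns.shifted_out = false;
		}
		tmp[n++] = (uint8_t)(wc & 0x7f);
		break;
	case SET_G1:
		if (!ns.g1_designated) {
			memcpy(tmp + n, ESC_DESIG_G1, sizeof(ESC_DESIG_G1));
			n += sizeof(ESC_DESIG_G1);
			ns.g1_designated = true;
		}
		if (!ns.shifted_out) {
			tmp[n++] = SO;
			ns.shifted_out = true;
		}
		tmp[n++] = (uint8_t)(wc >> 8);
		tmp[n++] = (uint8_t)wc;
		break;
	case SET_G2:
		if (!ns.g2_designated) {
			memcpy(tmp + n, ESC_DESIG_G2, sizeof(ESC_DESIG_G2));
			n += sizeof(ESC_DESIG_G2);
			ns.g2_designated = true;
		}
		memcpy(tmp + n, ESC_SS2, sizeof(ESC_SS2));
		n += sizeof(ESC_SS2);
		tmp[n++] = (uint8_t)(wc >> 8);
		tmp[n++] = (uint8_t)wc;
		break;
	default:
		return (-1);
	}
	if (n > cap)
		return (-1);
	memcpy(dst, tmp, n);
	*st = ns;
	return ((int)n);
}

/* Largest output of a single call, found by trying every state and set. */
int
toy_worst_case(void)
{
	const uint32_t samples[3] = { TOY_WC(SET_ASCII, 0, 'a'),
	    TOY_WC(SET_G1, 0x30, 0x21), TOY_WC(SET_G2, 0x21, 0x21) };
	int worst = 0;

	for (int g1 = 0; g1 < 2; g1++)
		for (int g2 = 0; g2 < 2; g2++)
			for (int so = 0; so < 2; so++)
				for (int k = 0; k < 3; k++) {
					struct toy_state st = { g1, g2, so };
					uint8_t out[TOY_MB_MAX];
					int n = toy_wcrtomb(out, sizeof(out), samples[k], &st);
					if (n > worst)
						worst = n;
				}
	return (worst);
}

/* A 6-byte destination is refused for the worst case rather than overrun. */
int
toy_small_buffer_refused(void)
{
	struct toy_state st = { false, false, false };
	uint8_t out[6];

	return (toy_wcrtomb(out, sizeof(out), TOY_WC(SET_G2, 0x21, 0x21), &st));
}
```

In this model a G1 character from a fresh state costs 7 bytes (designation, SO, two bytes), matching the "at least seven bytes" observation in the ISO2022 commit, and a G2 character costs 8; the enumeration in `toy_worst_case()` is the cheap way to confirm that a constant chosen "from code inspection" really is the ceiling.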
posixshm: Fix handling of sendfile() with largepage objects
sendfile(2) can transmit POSIX shared memory objects. Typically it will
look up and wire each page before sending it to a socket; once
transmission is complete, the page is unwired and typically released
back into the page queues. sendfile() has an advisory flag, SF_NOCACHE,
which means, "try to free the page once transmission is complete." This
is implemented in vm_page_release(), which expects to operate on managed
pages.
Pages belonging to a largepage object are de facto wired, not explicitly so.
Thus, vm_page_release() will unwire and, having found no additional
references, free the page. Because mappings of largepage objects are
unmanaged, userspace can still access the now freed page.
Fix the problem by explicitly wiring largepage pages. Make the VM
object destructor responsible for unwiring and freeing them.
Add a regression test.
[8 lines not shown]