Delete error-check code that can never happen.
Near the top of kern_mmap() that implements the mmap(2) system call,
it sets
prot = PROT_EXTRACT(prot);
with
So prot can only be the three PROT_ flags.
The following test of the user's mmap(2) parameters (near line 275
in vm/vm_mmap.c):
if (prot != PROT_NONE &&
(prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC)) != 0) {
return (EXTERROR(EINVAL, "invalid prot %#jx", prot));
}
[8 lines not shown]
rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()
svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough. Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.
Add a runtime check which verifies that the copy won't overflow.
Approved by: so
Security: FreeBSD-SA-26:08.rpcsec_gss
Security: CVE-2026-4747
Reported by: Nicholas Carlini <npc at anthropic.com>
Reviewed by: rmacklem
Fixes: a9148abd9da5d
rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()
svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough. Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.
Add a runtime check which verifies that the copy won't overflow.
Approved by: so
Security: FreeBSD-SA-26:08.rpcsec_gss
Security: CVE-2026-4747
Reported by: Nicholas Carlini <npc at anthropic.com>
Reviewed by: rmacklem
Fixes: a9148abd9da5d
(cherry picked from commit 143293c14f8de00c6d3de88cd23fc224e7014206)
rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()
svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough. Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.
Add a runtime check which verifies that the copy won't overflow.
Approved by: so
Security: FreeBSD-SA-26:08.rpcsec_gss
Security: CVE-2026-4747
Reported by: Nicholas Carlini <npc at anthropic.com>
Reviewed by: rmacklem
Fixes: a9148abd9da5d
(cherry picked from commit 143293c14f8de00c6d3de88cd23fc224e7014206)
tcp: plug an mbuf leak
When a challenge ACK should be sent via tcp_send_challenge_ack(),
but the rate limiter suppresses the sending, free the mbuf chain.
The caller of tcp_send_challenge_ack() expects this similar to the
callers of tcp_respond().
Approved by: so
Security: FreeBSD-SA-26:06.tcp
Security: CVE-2026-4247
Reviewed by: lstewart
Tested by: lstewart
Sponsored by: Netflix, Inc.
(cherry picked from commit 6b2d6ccad2552e46a5c9c3ba70b2d0ed27c70ca8)
rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()
svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough. Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.
Add a runtime check which verifies that the copy won't overflow.
Approved by: so
Security: FreeBSD-SA-26:08.rpcsec_gss
Security: CVE-2026-4747
Reported by: Nicholas Carlini <npc at anthropic.com>
Reviewed by: rmacklem
Fixes: a9148abd9da5d
(cherry picked from commit 143293c14f8de00c6d3de88cd23fc224e7014206)
tcp: plug an mbuf leak
When a challenge ACK should be sent via tcp_send_challenge_ack(),
but the rate limiter suppresses the sending, free the mbuf chain.
The caller of tcp_send_challenge_ack() expects this similar to the
callers of tcp_respond().
Approved by: so
Security: FreeBSD-SA-26:06.tcp
Security: CVE-2026-4247
Reviewed by: lstewart
Tested by: lstewart
Sponsored by: Netflix, Inc.
(cherry picked from commit 6b2d6ccad2552e46a5c9c3ba70b2d0ed27c70ca8)
rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()
svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough. Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.
Add a runtime check which verifies that the copy won't overflow.
Approved by: so
Security: FreeBSD-SA-26:08.rpcsec_gss
Security: CVE-2026-4747
Reported by: Nicholas Carlini <npc at anthropic.com>
Reviewed by: rmacklem
Fixes: a9148abd9da5d
tcp: plug an mbuf leak
When a challenge ACK should be sent via tcp_send_challenge_ack(),
but the rate limiter suppresses the sending, free the mbuf chain.
The caller of tcp_send_challenge_ack() expects this similar to the
callers of tcp_respond().
Approved by: so
Security: FreeBSD-SA-26:06.tcp
Security: CVE-2026-4247
Reviewed by: lstewart
Tested by: lstewart
Sponsored by: Netflix, Inc.
timerfd: Expect periodic timer performance failures
The current timerfd implementation fails to correctly count events on a
nanosecond callout interval. The timerfd__periodic_timer_performance
test detects this and reports failure.
Mark this test as an expected failure so it isn't flagged by CI. A link
to the bug report is attached to the test for reference.
While we're here, clean up some minor style and Make issues.
Fixes: 834c1ba793d9 ("timerfd: Add tests")
MFC after: 1 week
pmc: Fix copyright in previous commits
Fix the copyright attribution to Netflix and the date and missing SPDX
line in pmc.ibs man page.
Sponsored by: Netflix
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/2094
clnt_bck.c: Delete a couple of old diagnostic printfs
There were two debug printf()s that were left in the
code while debugging the handling of callbacks over
a NFSv4.1/4.2 backchannel was being done.
This patch removes them, since they are no longer
of benefit and cause "noise".
Requested by: wollman
MFC after: 2 weeks
Add ASMC_DEBUG make option
This allows folks to enable debug statements in asmc(4) using kernel
configs via the `options ASMC_DEBUG` directive.
While here, remove a duplicate `device vt_efifb` directive in `NOTES`
as it's already handled in the `GENERIC` config
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D54511
(cherry picked from commit f224591746bdaf14ad5f63de4738a3146cc2f55f)
asmc(4): pull 32-bit support for the driver
The asmc(4) driver should work for 32-bit Intel-based Macs, in theory, if
the model details were added to the detection list. That being said,
32-bit Intel Macs were only released and available to the general public
for 8 months [1], so the value in maintaining i386 support in the driver is
reduced due to limited hardware access.
Remove 32-bit support for the driver officially to make it clear its use is
not supported.
This should fix building `NOTES.i386` by proxy as well.
Relnotes: yes
MFC after: 2 weeks
Fixes: f224591746b ("Add ASMC_DEBUG make option")
Fixes: 8342d9f7b5f ("asmc(4): Stop building it on i386, as...")
Differential Revision: https://reviews.freebsd.org/D55544
(cherry picked from commit 1f2f5eba24aa53e180a4eb46b772410e5a782469)
tests/netinet: add raw:reconnect test
It tests repetitive connect(2) on AF_INET/SOCK_RAW including connect(2)
to INADDR_ANY that puts socket back into receive-all mode.
pf tests: verify that we handle address range rules correctly
There's been a problem where rules which differed only in address ranges
were considered duplicates and not added. Test for this.
Approved by: so
Security: FreeBSD-SA-26:09.pf
Security: CVE-2026-4748
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit ab74151e8d097b263237942c0b12277098bc9533)
(cherry picked from commit 958dbc87e9c59a2e9f83d84115ce03fb96e9b249)
pf tests: verify that we handle address range rules correctly
There's been a problem where rules which differed only in address ranges
were considered duplicates and not added. Test for this.
Approved by: so
Security: FreeBSD-SA:26:09.pf
Security: CVE-2026-4748
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit ab74151e8d097b263237942c0b12277098bc9533)
(cherry picked from commit 958dbc87e9c59a2e9f83d84115ce03fb96e9b249)
