<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src, branch releng/15.0</title>
<subtitle>FreeBSD source tree</subtitle>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/'/>
<entry>
<title>Add UPDATING entries and bump version</title>
<updated>2026-06-30T02:32:58+00:00</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-06-26T21:44:58+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=f05aebcc1452fe5effb2fe4b08709b74c03aa15b'/>
<id>f05aebcc1452fe5effb2fe4b08709b74c03aa15b</id>
<content type='text'>
Approved by:	so
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Approved by:	so
</pre>
</div>
</content>
</entry>
<entry>
<title>iconv: Fix a stack buffer overflow in _ISO2022_sputwchar()</title>
<updated>2026-06-30T02:32:58+00:00</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-06-23T17:45:28+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=2ac85d131d91a5b638a9385661337e10c1223689'/>
<id>2ac85d131d91a5b638a9385661337e10c1223689</id>
<content type='text'>
In the ISO2022-CN encoding, characters may require at least seven bytes,
and MB_LEN_MAX==6 is insufficient.  From code inspection,
_ISO2022_sputwchar() can emit 10 bytes in the worst case, so use that to
size buffers.

Add a regression test.

Approved by:	so
Security:	FreeBSD-SA-26:49.iconv
Security:	CVE-2026-58082
Reviewed by:	kevans
Differential Revision:	https://reviews.freebsd.org/D57950
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In the ISO2022-CN encoding, characters may require at least seven bytes,
and MB_LEN_MAX==6 is insufficient.  From code inspection,
_ISO2022_sputwchar() can emit 10 bytes in the worst case, so use that to
size buffers.

Add a regression test.

Approved by:	so
Security:	FreeBSD-SA-26:49.iconv
Security:	CVE-2026-58082
Reviewed by:	kevans
Differential Revision:	https://reviews.freebsd.org/D57950
</pre>
</div>
</content>
</entry>
<entry>
<title>iconv: Fix a buffer overflow in the HZ encoding</title>
<updated>2026-06-30T02:32:58+00:00</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-06-23T16:05:31+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=fc6e7313929da2187c2e7662df03022c321e5320'/>
<id>fc6e7313929da2187c2e7662df03022c321e5320</id>
<content type='text'>
wcrtomb may store up to 2 2-byte escape sequences to the state buffer in
addition to the character itself.  In the worst case, a 3-byte heap
overflow is possible.

Approved by:	so
Security:	FreeBSD-SA-26:49.iconv
Security:	CVE-2026-58081
Reviewed by:	kevans
Differential Revision:	https://reviews.freebsd.org/D57949
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
wcrtomb may store up to 2 2-byte escape sequences to the state buffer in
addition to the character itself.  In the worst case, a 3-byte heap
overflow is possible.

Approved by:	so
Security:	FreeBSD-SA-26:49.iconv
Security:	CVE-2026-58081
Reviewed by:	kevans
Differential Revision:	https://reviews.freebsd.org/D57949
</pre>
</div>
</content>
</entry>
<entry>
<title>iconv(3): Draft some automatic tests.</title>
<updated>2026-06-30T02:32:58+00:00</updated>
<author>
<name>Taylor R Campbell</name>
<email>riastradh@NetBSD.org</email>
</author>
<published>2026-06-22T19:44:55+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=d463196dac2776865db6c2057f0709b68167fde0'/>
<id>d463196dac2776865db6c2057f0709b68167fde0</id>
<content type='text'>
Based on a report by Nick Wellnhofer.

Approved by:	so
Security:	FreeBSD-SA-26:49.iconv
Reviewed by:	markj, kevans
Differential Revision:	https://reviews.freebsd.org/D57948
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Based on a report by Nick Wellnhofer.

Approved by:	so
Security:	FreeBSD-SA-26:49.iconv
Reviewed by:	markj, kevans
Differential Revision:	https://reviews.freebsd.org/D57948
</pre>
</div>
</content>
</entry>
<entry>
<title>iconv(3): Fix problems in various encodings</title>
<updated>2026-06-30T02:32:58+00:00</updated>
<author>
<name>Taylor R Campbell</name>
<email>riastradh@NetBSD.org</email>
</author>
<published>2026-06-22T21:15:25+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=e53ab9aec6e027ae49c64a4f03ee38f256904c3f'/>
<id>e53ab9aec6e027ae49c64a4f03ee38f256904c3f</id>
<content type='text'>
Fix null pointer dereference with HZ8 encoding.

Fix output buffer overrun in UTF-7, VIQR, ZW encodings.

Approved by:	so
Security:	FreeBSD-SA-26:49.iconv
Security:	CVE-2026-58081
Reviewed by:	markj, kevans
Differential Revision:	https://reviews.freebsd.org/D57947
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fix null pointer dereference with HZ8 encoding.

Fix output buffer overrun in UTF-7, VIQR, ZW encodings.

Approved by:	so
Security:	FreeBSD-SA-26:49.iconv
Security:	CVE-2026-58081
Reviewed by:	markj, kevans
Differential Revision:	https://reviews.freebsd.org/D57947
</pre>
</div>
</content>
</entry>
<entry>
<title>compat32: Zero struct to avoid stack disclosure</title>
<updated>2026-06-30T02:32:58+00:00</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2026-03-11T15:02:18+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=760b3f0b86a91b774713b03305c6ebe5c18cb642'/>
<id>760b3f0b86a91b774713b03305c6ebe5c18cb642</id>
<content type='text'>
Approved by:	so
Security:	FreeBSD-SA-26:48.compat32
Security:	CVE-2026-49425
Reported by:	Adam Crosser, Praetorian
Reviewed by:	philip
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D55811

(cherry picked from commit 097cb4e9f0432c543c704cec712ce1cd3302335c)
(cherry picked from commit 4551ea3b3f04650cd5300a9eae8994bdb080db91)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Approved by:	so
Security:	FreeBSD-SA-26:48.compat32
Security:	CVE-2026-49425
Reported by:	Adam Crosser, Praetorian
Reviewed by:	philip
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D55811

(cherry picked from commit 097cb4e9f0432c543c704cec712ce1cd3302335c)
(cherry picked from commit 4551ea3b3f04650cd5300a9eae8994bdb080db91)
</pre>
</div>
</content>
</entry>
<entry>
<title>compat/linux: Avoid waitid() kernel stack disclosure</title>
<updated>2026-06-30T02:32:58+00:00</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2026-03-10T13:53:46+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=008ca5def63b5fd754c1acdf60bbd64786a36abc'/>
<id>008ca5def63b5fd754c1acdf60bbd64786a36abc</id>
<content type='text'>
Approved by:	so
Security:	FreeBSD-SA-26:47.linux
Security:	CVE-2026-49424
Reported by:	Adam Crosser, Praetorian
Reviewed by:	philip
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D55812

(cherry picked from commit 9a9f93bcf1aa0059d759b2f3ea6faeb2760a11bd)
(cherry picked from commit 9f8db9cc67fb86eeb2b645ce7f8aa748e99241a9)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Approved by:	so
Security:	FreeBSD-SA-26:47.linux
Security:	CVE-2026-49424
Reported by:	Adam Crosser, Praetorian
Reviewed by:	philip
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D55812

(cherry picked from commit 9a9f93bcf1aa0059d759b2f3ea6faeb2760a11bd)
(cherry picked from commit 9f8db9cc67fb86eeb2b645ce7f8aa748e99241a9)
</pre>
</div>
</content>
</entry>
<entry>
<title>ktls CBC decrypt: Only increment iovec index when an entry is used</title>
<updated>2026-06-30T02:32:58+00:00</updated>
<author>
<name>John Baldwin</name>
<email>jhb@FreeBSD.org</email>
</author>
<published>2026-06-24T01:14:11+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=5357f822416a2ea6adccfefdb88572f7b18065cb'/>
<id>5357f822416a2ea6adccfefdb88572f7b18065cb</id>
<content type='text'>
If an mbuf in the chain was skipped because it only contained bytes
from the header, the iovec index ('i') was incremented even though the
entry was not populated.  Only increment 'i' when an iovec entry is
consumed.

Add a new type of KTLS receive test which writes a single TLS record
via two separate write(2) calls over a TCP_NODELAY socket to trigger
a split in the mbuf chain in the kernel.  Test various split locations
including after the "plain" TLS header (5 bytes), after the full TLS
header, in the middle of the data payload, just before the start of
the trailer, and in the middle of the trailer.  These tests are also
run against all supported ciphers, not just CBC.  The 'header' test
for CBC ciphersuites was able to trigger the bug.

Approved by:	so
Security:	FreeBSD-SA-26:46.ktls
Security:	CVE-2026-49423
Sponsored by:	Chelsio Communications
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If an mbuf in the chain was skipped because it only contained bytes
from the header, the iovec index ('i') was incremented even though the
entry was not populated.  Only increment 'i' when an iovec entry is
consumed.

Add a new type of KTLS receive test which writes a single TLS record
via two separate write(2) calls over a TCP_NODELAY socket to trigger
a split in the mbuf chain in the kernel.  Test various split locations
including after the "plain" TLS header (5 bytes), after the full TLS
header, in the middle of the data payload, just before the start of
the trailer, and in the middle of the trailer.  These tests are also
run against all supported ciphers, not just CBC.  The 'header' test
for CBC ciphersuites was able to trigger the bug.

Approved by:	so
Security:	FreeBSD-SA-26:46.ktls
Security:	CVE-2026-49423
Sponsored by:	Chelsio Communications
</pre>
</div>
</content>
</entry>
<entry>
<title>kern: fix auditing of ptrace(2) syscall requests</title>
<updated>2026-06-30T02:32:58+00:00</updated>
<author>
<name>Kyle Evans</name>
<email>kevans@FreeBSD.org</email>
</author>
<published>2026-06-25T17:02:47+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=f887a2c04c9ec09c468f6bb0dd510588bf5b1225'/>
<id>f887a2c04c9ec09c468f6bb0dd510588bf5b1225</id>
<content type='text'>
`error` here is the return value of syscall_thread_enter() rather than
the syscall itself, so the committed audit records do not reflect
reality.  This is less harmful than them recording an error when the
operation actually succeeded, but it could still possibly be used to
throw off IDS techniques with things like bsmtrace.

Approved by:	so
Security:	FreeBSD-SA-26:45.audit
Security:	CVE-2026-49426
Reviewed by:	des, kib, markj, csjp
Differential Revision:	https://reviews.freebsd.org/D57847
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
`error` here is the return value of syscall_thread_enter() rather than
the syscall itself, so the committed audit records do not reflect
reality.  This is less harmful than them recording an error when the
operation actually succeeded, but it could still possibly be used to
throw off IDS techniques with things like bsmtrace.

Approved by:	so
Security:	FreeBSD-SA-26:45.audit
Security:	CVE-2026-49426
Reviewed by:	des, kib, markj, csjp
Differential Revision:	https://reviews.freebsd.org/D57847
</pre>
</div>
</content>
</entry>
<entry>
<title>posixshm: Fix handling of sendfile() with largepage objects</title>
<updated>2026-06-30T02:32:57+00:00</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-06-24T19:57:00+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=8d086f03b9beebd1caa43549c824b269c8c6bda8'/>
<id>8d086f03b9beebd1caa43549c824b269c8c6bda8</id>
<content type='text'>
sendfile(2) can transmit POSIX shared memory objects.  Typically it will
look up and wire each page before sending it to a socket; once
transmission is complete, the page is unwired and typically released
back into the page queues.  sendfile() has an advisory flag, SF_NOCACHE,
which means, "try to free the page once transmission is complete."  This
is implemented in vm_page_release(), which expects to operate on managed
pages.

Pages belonging a largepage object are de-facto wired not explicitly so.
Thus, vm_page_release() will unwire and, having found no additional
references, free the page.  Because mappings of largepage objects are
unmanaged, userspace can still access the now freed page.

Fix the problem by explicitly wiring largepage pages.  Make the VM
object destructor responsible for unwiring and freeing them.

Add a regression test.

Approved by:	so
Security:	FreeBSD-SA-26:44.posixshm
Security:	CVE-2026-49427
Reported by:	Chris Jarrett-Davies &lt;chrisjd@openai.com&gt;
Reviewed by:	kib
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D57832
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
sendfile(2) can transmit POSIX shared memory objects.  Typically it will
look up and wire each page before sending it to a socket; once
transmission is complete, the page is unwired and typically released
back into the page queues.  sendfile() has an advisory flag, SF_NOCACHE,
which means, "try to free the page once transmission is complete."  This
is implemented in vm_page_release(), which expects to operate on managed
pages.

Pages belonging a largepage object are de-facto wired not explicitly so.
Thus, vm_page_release() will unwire and, having found no additional
references, free the page.  Because mappings of largepage objects are
unmanaged, userspace can still access the now freed page.

Fix the problem by explicitly wiring largepage pages.  Make the VM
object destructor responsible for unwiring and freeing them.

Add a regression test.

Approved by:	so
Security:	FreeBSD-SA-26:44.posixshm
Security:	CVE-2026-49427
Reported by:	Chris Jarrett-Davies &lt;chrisjd@openai.com&gt;
Reviewed by:	kib
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D57832
</pre>
</div>
</content>
</entry>
</feed>
