[Midnightbsd-cvs] [MidnightBSD/src] dc1300: The mmap(2) system call allows applications and sy...
Lucas Holt
noreply at github.com
Tue Apr 21 15:26:16 EDT 2026
Branch: refs/heads/master
Home: https://github.com/MidnightBSD/src
Commit: dc1300a7cacd39ee94d2a371c3c4e7327efbe860
https://github.com/MidnightBSD/src/commit/dc1300a7cacd39ee94d2a371c3c4e7327efbe860
Author: Lucas Holt <luke at foolishgames.com>
Date: 2026-04-21 (Tue, 21 Apr 2026)
Changed paths:
M sys/vm/vm_fault.c
Log Message:
-----------
The mmap(2) system call allows applications and system libraries to allocate
heap memory using the MAP_ANON flag. The system call allocates virtual memory
in the calling thread's address space and physical memory is allocated on demand
as page faults occur. Memory allocated this way is allocated to be zero-filled.
Due to a regression introduced in a previous erratum which attempted to fix a
similar problem, under some conditions, particularly heavy memory pressure with
swapping, the physical pages allocated and mapped by the kernel may not be
zero-filled.
Obtained from: FreeBSD
Commit: b1f71b608cd78f7c46b39d183203e732e8684b1b
https://github.com/MidnightBSD/src/commit/b1f71b608cd78f7c46b39d183203e732e8684b1b
Author: Lucas Holt <luke at foolishgames.com>
Date: 2026-04-21 (Tue, 21 Apr 2026)
Changed paths:
M sys/kern/tty.c
M tests/sys/kern/Makefile
A tests/sys/kern/tiocnotty.c
Log Message:
-----------
The implementation of TIOCNOTTY failed to clear a back-pointer from the
structure representing the controlling terminal to the calling process'
session. If the invoking process then exits, the terminal structure
may end up containing a pointer to freed memory.
Obtained from: FreeBSD
Commit: 223a4894fc31461c58fdd602e5ddcc1ca7a1ebce
https://github.com/MidnightBSD/src/commit/223a4894fc31461c58fdd602e5ddcc1ca7a1ebce
Author: Lucas Holt <luke at foolishgames.com>
Date: 2026-04-21 (Tue, 21 Apr 2026)
Changed paths:
M lib/libc/x86/sys/pkru.3
M sys/amd64/amd64/pmap.c
M sys/amd64/amd64/sys_machdep.c
M sys/vm/vm_map.c
M sys/vm/vm_map.h
M tests/sys/posixshm/posixshm_test.c
Log Message:
-----------
Memory protection keys are an amd64 CPU feature, available in modern Intel and
AMD CPUs, which allow applications to apply access restrictions to regions of
virtual memory. On MidnightBSD this functionality is provided by the pkru(3)
interface.
In order to apply a particular protection key to an address range, the kernel
must update the corresponding page table entries. The subroutine which handled
this failed to take into account the presence of 1GB largepage mappings created
using the shm_create_largepage(3) interface. In particular, it would always
treat a page directory page entry as pointing to another page table page.
The bug can be abused by an unprivileged user to cause pmap_pkru_update_range()
to treat userspace memory as a page table page, and thus overwrite memory to
which the application would otherwise not have access.
Obtained from: FreeBSD
Compare: https://github.com/MidnightBSD/src/compare/d77caef8e241...223a4894fc31