[Midnightbsd-cvs] [MidnightBSD/src] 5d203e: ktls: reject shared mbufs on receive decrypt

Lucas Holt noreply at github.com
Wed Jun 10 19:16:17 EDT 2026


  Branch: refs/heads/stable/4.1
  Home:   https://github.com/MidnightBSD/src
  Commit: 5d203ec2e926139575890e0420e8cf202af12be6
      https://github.com/MidnightBSD/src/commit/5d203ec2e926139575890e0420e8cf202af12be6
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2026-06-10 (Wed, 10 Jun 2026)

  Changed paths:
    M sys/kern/uipc_ktls.c
    M tests/sys/kern/ktls_test.c

  Log Message:
  -----------
  ktls: reject shared mbufs on receive decrypt

Avoid decrypting KTLS receive records in place when the detached record contains non-anonymous M_EXTPG pages or sendfile EXT_SFBUF mbufs.  Those buffers may reference file-backed memory and must not be modified by the receive path.

CVE-2026-45257

AI-Assisted-by: OpenAI Codex
Signed-off-by: Lucas Holt <luke at foolishgames.com>


  Commit: ded4930d72e8f69804eb6e119982bd255e420537
      https://github.com/MidnightBSD/src/commit/ded4930d72e8f69804eb6e119982bd255e420537
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2026-06-10 (Wed, 10 Jun 2026)

  Changed paths:
    M UPDATING

  Log Message:
  -----------
  UPDATING: note ktls CVE-2026-45257

AI-Assisted-by: OpenAI Codex
Signed-off-by: Lucas Holt <luke at foolishgames.com>


  Commit: 117b0dd9ab226990d1f3b7e35ce2cdc7593214e5
      https://github.com/MidnightBSD/src/commit/117b0dd9ab226990d1f3b7e35ce2cdc7593214e5
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2026-06-10 (Wed, 10 Jun 2026)

  Changed paths:
    M sys/kern/kern_thr.c

  Log Message:
  -----------
  The missing check allows an unprivileged local user who knows or can guess a
target's process and thread IDs to send any signal to a process they would
not normally be permitted to signal, including processes owned by other
users or by root.  The same check enforces jail boundaries, so a jailed
process can signal processes on the host or in other jails.  Thread IDs are
allocated globally and sequentially, and so can be discovered by brute force
with no visibility into the target.

An attacker can stop or terminate arbitrary processes, including critical
system daemons, resulting in a Denial of Service (DoS).

Obtained from: FreeBSD


Compare: https://github.com/MidnightBSD/src/compare/f7a71ebde6a1...117b0dd9ab22

To unsubscribe from these emails, change your notification settings at https://github.com/MidnightBSD/src/settings/notifications


More information about the Midnightbsd-cvs mailing list