[Midnightbsd-cvs] [MidnightBSD/src] 44b80d: Fix ASLR bypass for setuid executables via procctl...
Lucas Holt
noreply at github.com
Wed Jun 10 20:43:57 EDT 2026
Branch: refs/heads/stable/4.1
Home: https://github.com/MidnightBSD/src
Commit: 44b80dd511d419b37f19768c879f333a092cd518
https://github.com/MidnightBSD/src/commit/44b80dd511d419b37f19768c879f333a092cd518
Author: Lucas Holt <luke at foolishgames.com>
Date: 2026-06-10 (Wed, 10 Jun 2026)
Changed paths:
M sys/kern/imgact_elf.c
M tests/sys/kern/Makefile
A tests/sys/kern/aslr.c
Log Message:
-----------
Fix ASLR bypass for setuid executables via procctl(2) (CVE-2026-49414)
The ELF image activator cleared per-process ASLR preference flags for
setuid binaries after the code that computes the PIE base address. An
unprivileged user could call procctl(PROC_ASLR_CTL, PROC_ASLR_FORCE_DISABLE)
before execve(2) to disable ASLR for a setuid PIE binary, significantly
easing exploitation of memory corruption vulnerabilities in that binary.
Move VOP_UNLOCK and the credential_setid flag-clearing block to before
the et_dyn_addr computation so that user-set ASLR disable preferences are
cleared before the PIE load base is chosen. Add a re-lock on the
BI_CAN_EXEC_DYN error exit path introduced by the reordering.
Add a regression test (tests/sys/kern/aslr.c) that verifies ASLR remains
active for setuid binaries even when an unprivileged caller has requested
force-disable.
Security: CVE-2026-49414
Security: FreeBSD-SA-26:32.elf
Co-Authored-By: Claude Sonnet 4.6 <noreply at anthropic.com>
Commit: 7d406e8ae5155f1e5b33d896fab27c07556cb0bf
https://github.com/MidnightBSD/src/commit/7d406e8ae5155f1e5b33d896fab27c07556cb0bf
Author: Lucas Holt <luke at foolishgames.com>
Date: 2026-06-10 (Wed, 10 Jun 2026)
Changed paths:
M UPDATING
Log Message:
-----------
UPDATING: note CVE-2026-49414 ASLR bypass fix
Commit: dcde8509f818476826562d31999b0bf83bb7777c
https://github.com/MidnightBSD/src/commit/dcde8509f818476826562d31999b0bf83bb7777c
Author: Lucas Holt <luke at foolishgames.com>
Date: 2026-06-10 (Wed, 10 Jun 2026)
Changed paths:
M sys/compat/linux/linux_elf.c
M sys/netinet/in_mcast.c
M sys/netinet6/in6_mcast.c
Log Message:
-----------
Merge remote-tracking branch 'origin/stable/4.1' into stable/4.1
Compare: https://github.com/MidnightBSD/src/compare/5b92e28ab6c9...dcde8509f818
To unsubscribe from these emails, change your notification settings at https://github.com/MidnightBSD/src/settings/notifications
More information about the Midnightbsd-cvs
mailing list