[Midnightbsd-cvs] [MidnightBSD/src] 44b80d: Fix ASLR bypass for setuid executables via procctl...

Lucas Holt noreply at github.com
Wed Jun 10 20:43:57 EDT 2026


  Branch: refs/heads/stable/4.1
  Home:   https://github.com/MidnightBSD/src
  Commit: 44b80dd511d419b37f19768c879f333a092cd518
      https://github.com/MidnightBSD/src/commit/44b80dd511d419b37f19768c879f333a092cd518
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2026-06-10 (Wed, 10 Jun 2026)

  Changed paths:
    M sys/kern/imgact_elf.c
    M tests/sys/kern/Makefile
    A tests/sys/kern/aslr.c

  Log Message:
  -----------
  Fix ASLR bypass for setuid executables via procctl(2) (CVE-2026-49414)

The ELF image activator cleared per-process ASLR preference flags for
setuid binaries after the code that computes the PIE base address.  An
unprivileged user could call procctl(PROC_ASLR_CTL, PROC_ASLR_FORCE_DISABLE)
before execve(2) to disable ASLR for a setuid PIE binary, significantly
easing exploitation of memory corruption vulnerabilities in that binary.

Move VOP_UNLOCK and the credential_setid flag-clearing block to before
the et_dyn_addr computation so that user-set ASLR disable preferences are
cleared before the PIE load base is chosen.  Add a re-lock on the
BI_CAN_EXEC_DYN error exit path introduced by the reordering.

Add a regression test (tests/sys/kern/aslr.c) that verifies ASLR remains
active for setuid binaries even when an unprivileged caller has requested
force-disable.

Security: CVE-2026-49414
Security: FreeBSD-SA-26:32.elf

Co-Authored-By: Claude Sonnet 4.6 <noreply at anthropic.com>


  Commit: 7d406e8ae5155f1e5b33d896fab27c07556cb0bf
      https://github.com/MidnightBSD/src/commit/7d406e8ae5155f1e5b33d896fab27c07556cb0bf
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2026-06-10 (Wed, 10 Jun 2026)

  Changed paths:
    M UPDATING

  Log Message:
  -----------
  UPDATING: note CVE-2026-49414 ASLR bypass fix


  Commit: dcde8509f818476826562d31999b0bf83bb7777c
      https://github.com/MidnightBSD/src/commit/dcde8509f818476826562d31999b0bf83bb7777c
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2026-06-10 (Wed, 10 Jun 2026)

  Changed paths:
    M sys/compat/linux/linux_elf.c
    M sys/netinet/in_mcast.c
    M sys/netinet6/in6_mcast.c

  Log Message:
  -----------
  Merge remote-tracking branch 'origin/stable/4.1' into stable/4.1


Compare: https://github.com/MidnightBSD/src/compare/5b92e28ab6c9...dcde8509f818

To unsubscribe from these emails, change your notification settings at https://github.com/MidnightBSD/src/settings/notifications


More information about the Midnightbsd-cvs mailing list