[Midnightbsd-cvs] [MidnightBSD/src] f5e0e6: Fix ASLR bypass for setuid executables via procctl...
Lucas Holt
noreply at github.com
Wed Jun 10 20:45:08 EDT 2026
Branch: refs/heads/stable/4.0
Home: https://github.com/MidnightBSD/src
Commit: f5e0e631dff9cd77c617f4583c1348ad9fa956af
https://github.com/MidnightBSD/src/commit/f5e0e631dff9cd77c617f4583c1348ad9fa956af
Author: Lucas Holt <luke at foolishgames.com>
Date: 2026-06-10 (Wed, 10 Jun 2026)
Changed paths:
M sys/kern/imgact_elf.c
M tests/sys/kern/Makefile
A tests/sys/kern/aslr.c
Log Message:
-----------
Fix ASLR bypass for setuid executables via procctl(2) (CVE-2026-49414)
The ELF image activator cleared per-process ASLR preference flags for
setuid binaries after the code that computes the PIE base address. An
unprivileged user could call procctl(PROC_ASLR_CTL, PROC_ASLR_FORCE_DISABLE)
before execve(2) to disable ASLR for a setuid PIE binary, significantly
easing exploitation of memory corruption vulnerabilities in that binary.
Move VOP_UNLOCK and the credential_setid flag-clearing block to before
the et_dyn_addr computation so that user-set ASLR disable preferences are
cleared before the PIE load base is chosen. Add a re-lock on the
BI_CAN_EXEC_DYN error exit path introduced by the reordering.
Add a regression test (tests/sys/kern/aslr.c) that verifies ASLR remains
active for setuid binaries even when an unprivileged caller has requested
force-disable.
Security: CVE-2026-49414
Security: FreeBSD-SA-26:32.elf
Co-Authored-By: Claude Sonnet 4.6 <noreply at anthropic.com>
Commit: ff192156764de302c27b371223268a6c0bdbc61f
https://github.com/MidnightBSD/src/commit/ff192156764de302c27b371223268a6c0bdbc61f
Author: Lucas Holt <luke at foolishgames.com>
Date: 2026-06-10 (Wed, 10 Jun 2026)
Changed paths:
M UPDATING
Log Message:
-----------
UPDATING: note CVE-2026-49414 ASLR bypass fix
Commit: 540fbca304fe4bd03086512fbb810579605ed5bc
https://github.com/MidnightBSD/src/commit/540fbca304fe4bd03086512fbb810579605ed5bc
Author: Lucas Holt <luke at foolishgames.com>
Date: 2026-06-10 (Wed, 10 Jun 2026)
Changed paths:
A .gemini/agents/observer.md
A .github/workflows/claude-review-ondemand.yml
A .github/workflows/claude-review.yml
A AGENTS.md
A AI_POLICY.md
A CLAUDE.md
A CODE_OF_CONDUCT.md
A DCO.md
A EULA
M contrib/capsicum-test/capmode.cc
M sys/compat/linux/linux_elf.c
M sys/dev/sound/pcm/buffer.c
M sys/dev/sound/pcm/buffer.h
M sys/dev/sound/pcm/dsp.c
M sys/dev/vt/vt_buf.c
M sys/dev/vt/vt_core.c
M sys/kern/kern_sig.c
M sys/kern/kern_thr.c
M sys/kern/uipc_ktls.c
M sys/netinet/in_mcast.c
M sys/netinet6/in6_mcast.c
M tests/sys/Makefile
M tests/sys/kern/ktls_test.c
A tests/sys/sound/Makefile
A tests/sys/sound/mmap.c
M usr.bin/bsdcat/Makefile
M usr.bin/cpio/Makefile
M usr.bin/cpio/tests/Makefile
M usr.bin/tar/Makefile
M usr.bin/unzip/Makefile
M usr.bin/unzip/tests/Makefile
Log Message:
-----------
Merge remote-tracking branch 'origin/stable/4.0' into stable/4.0
Compare: https://github.com/MidnightBSD/src/compare/572505c33fdc...540fbca304fe
To unsubscribe from these emails, change your notification settings at https://github.com/MidnightBSD/src/settings/notifications
More information about the Midnightbsd-cvs
mailing list