[Midnightbsd-cvs] [MidnightBSD/src] f5e0e6: Fix ASLR bypass for setuid executables via procctl...

Lucas Holt noreply at github.com
Wed Jun 10 20:45:08 EDT 2026


  Branch: refs/heads/stable/4.0
  Home:   https://github.com/MidnightBSD/src
  Commit: f5e0e631dff9cd77c617f4583c1348ad9fa956af
      https://github.com/MidnightBSD/src/commit/f5e0e631dff9cd77c617f4583c1348ad9fa956af
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2026-06-10 (Wed, 10 Jun 2026)

  Changed paths:
    M sys/kern/imgact_elf.c
    M tests/sys/kern/Makefile
    A tests/sys/kern/aslr.c

  Log Message:
  -----------
  Fix ASLR bypass for setuid executables via procctl(2) (CVE-2026-49414)

The ELF image activator cleared per-process ASLR preference flags for
setuid binaries after the code that computes the PIE base address.  An
unprivileged user could call procctl(PROC_ASLR_CTL, PROC_ASLR_FORCE_DISABLE)
before execve(2) to disable ASLR for a setuid PIE binary, significantly
easing exploitation of memory corruption vulnerabilities in that binary.

Move VOP_UNLOCK and the credential_setid flag-clearing block to before
the et_dyn_addr computation so that user-set ASLR disable preferences are
cleared before the PIE load base is chosen.  Add a re-lock on the
BI_CAN_EXEC_DYN error exit path introduced by the reordering.

Add a regression test (tests/sys/kern/aslr.c) that verifies ASLR remains
active for setuid binaries even when an unprivileged caller has requested
force-disable.

Security: CVE-2026-49414
Security: FreeBSD-SA-26:32.elf

Co-Authored-By: Claude Sonnet 4.6 <noreply at anthropic.com>


  Commit: ff192156764de302c27b371223268a6c0bdbc61f
      https://github.com/MidnightBSD/src/commit/ff192156764de302c27b371223268a6c0bdbc61f
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2026-06-10 (Wed, 10 Jun 2026)

  Changed paths:
    M UPDATING

  Log Message:
  -----------
  UPDATING: note CVE-2026-49414 ASLR bypass fix


  Commit: 540fbca304fe4bd03086512fbb810579605ed5bc
      https://github.com/MidnightBSD/src/commit/540fbca304fe4bd03086512fbb810579605ed5bc
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2026-06-10 (Wed, 10 Jun 2026)

  Changed paths:
    A .gemini/agents/observer.md
    A .github/workflows/claude-review-ondemand.yml
    A .github/workflows/claude-review.yml
    A AGENTS.md
    A AI_POLICY.md
    A CLAUDE.md
    A CODE_OF_CONDUCT.md
    A DCO.md
    A EULA
    M contrib/capsicum-test/capmode.cc
    M sys/compat/linux/linux_elf.c
    M sys/dev/sound/pcm/buffer.c
    M sys/dev/sound/pcm/buffer.h
    M sys/dev/sound/pcm/dsp.c
    M sys/dev/vt/vt_buf.c
    M sys/dev/vt/vt_core.c
    M sys/kern/kern_sig.c
    M sys/kern/kern_thr.c
    M sys/kern/uipc_ktls.c
    M sys/netinet/in_mcast.c
    M sys/netinet6/in6_mcast.c
    M tests/sys/Makefile
    M tests/sys/kern/ktls_test.c
    A tests/sys/sound/Makefile
    A tests/sys/sound/mmap.c
    M usr.bin/bsdcat/Makefile
    M usr.bin/cpio/Makefile
    M usr.bin/cpio/tests/Makefile
    M usr.bin/tar/Makefile
    M usr.bin/unzip/Makefile
    M usr.bin/unzip/tests/Makefile

  Log Message:
  -----------
  Merge remote-tracking branch 'origin/stable/4.0' into stable/4.0


Compare: https://github.com/MidnightBSD/src/compare/572505c33fdc...540fbca304fe

To unsubscribe from these emails, change your notification settings at https://github.com/MidnightBSD/src/settings/notifications


More information about the Midnightbsd-cvs mailing list