[Midnightbsd-cvs] [MidnightBSD/src] 0eefc6: posixshm: Fix use-after-free vulnerabilities in la...
Lucas Holt
noreply at github.com
Tue Jun 30 21:58:47 EDT 2026
Branch: refs/heads/master
Home: https://github.com/MidnightBSD/src
Commit: 0eefc6fdcd8330809ec112b4bff3475074ac3782
https://github.com/MidnightBSD/src/commit/0eefc6fdcd8330809ec112b4bff3475074ac3782
Author: Lucas Holt <luke at foolishgames.com>
Date: 2026-06-30 (Tue, 30 Jun 2026)
Changed paths:
M sys/kern/uipc_shm.c
M sys/vm/vm_page.c
Log Message:
-----------
posixshm: Fix use-after-free vulnerabilities in largepage objects
Pages belonging to largepage POSIX shared memory objects were not
explicitly wired. When sendfile(2) transmitted such an object with the
SF_NOCACHE flag, the underlying pages were freed after transmission even
though existing mappings still referred to them. [CVE-2026-49427]
Additionally, open(2) with O_TRUNC could incorrectly free memory in
largepage objects: the O_TRUNC path called shm_dotruncate_locked()
directly, bypassing the largepage dispatch in shm_dotruncate_cookie()
which rejects truncation of largepage objects with ENOTSUP.
[CVE-2026-49428]
An unprivileged local user could abuse these to access freed kernel
memory and potentially escalate privileges.
Wire largepage pages at allocation (VM_ALLOC_WIRED) and unwire them
explicitly in the phys object destructor via the object memq, and route
the O_TRUNC path through shm_dotruncate_cookie(). The supporting
vm_page_unwire()/vm_page_release() changes allow unwiring unmanaged,
wired pages to PQ_NONE.
Note: the fspacectl(2) portion of CVE-2026-49428 does not apply to
MidnightBSD, which does not implement fspacectl(2) for shm objects
(no fo_fspacectl in shm_ops), so that hunk is intentionally omitted.
Ported from the FreeBSD fix for SA-26:44.posixshm (FreeBSD commit
f30052c16dba), by Mark Johnston.
Security: FreeBSD-SA-26:44.posixshm
Security: CVE-2026-49427
Security: CVE-2026-49428
Obtained from: FreeBSD
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply at anthropic.com>
Commit: 53e5496159ff069bd9492b200188e07aab83695f
https://github.com/MidnightBSD/src/commit/53e5496159ff069bd9492b200188e07aab83695f
Author: Lucas Holt <luke at foolishgames.com>
Date: 2026-06-30 (Tue, 30 Jun 2026)
Changed paths:
M UPDATING
Log Message:
-----------
UPDATING: Note SA-26:44.posixshm fix
Security: FreeBSD-SA-26:44.posixshm
Security: CVE-2026-49427
Security: CVE-2026-49428
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply at anthropic.com>
Compare: https://github.com/MidnightBSD/src/compare/6d5a2037d1ed...53e5496159ff
To unsubscribe from these emails, change your notification settings at https://github.com/MidnightBSD/src/settings/notifications
More information about the Midnightbsd-cvs
mailing list