[Midnightbsd-cvs] [MidnightBSD/src] 0eefc6: posixshm: Fix use-after-free vulnerabilities in la...

Lucas Holt noreply at github.com
Tue Jun 30 21:58:47 EDT 2026


  Branch: refs/heads/master
  Home:   https://github.com/MidnightBSD/src
  Commit: 0eefc6fdcd8330809ec112b4bff3475074ac3782
      https://github.com/MidnightBSD/src/commit/0eefc6fdcd8330809ec112b4bff3475074ac3782
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2026-06-30 (Tue, 30 Jun 2026)

  Changed paths:
    M sys/kern/uipc_shm.c
    M sys/vm/vm_page.c

  Log Message:
  -----------
  posixshm: Fix use-after-free vulnerabilities in largepage objects

Pages belonging to largepage POSIX shared memory objects were not
explicitly wired.  When sendfile(2) transmitted such an object with the
SF_NOCACHE flag, the underlying pages were freed after transmission even
though existing mappings still referred to them. [CVE-2026-49427]

Additionally, open(2) with O_TRUNC could incorrectly free memory in
largepage objects: the O_TRUNC path called shm_dotruncate_locked()
directly, bypassing the largepage dispatch in shm_dotruncate_cookie()
which rejects truncation of largepage objects with ENOTSUP.
[CVE-2026-49428]

An unprivileged local user could abuse these to access freed kernel
memory and potentially escalate privileges.

Wire largepage pages at allocation (VM_ALLOC_WIRED) and unwire them
explicitly in the phys object destructor via the object memq, and route
the O_TRUNC path through shm_dotruncate_cookie().  The supporting
vm_page_unwire()/vm_page_release() changes allow unwiring unmanaged,
wired pages to PQ_NONE.

Note: the fspacectl(2) portion of CVE-2026-49428 does not apply to
MidnightBSD, which does not implement fspacectl(2) for shm objects
(no fo_fspacectl in shm_ops), so that hunk is intentionally omitted.

Ported from the FreeBSD fix for SA-26:44.posixshm (FreeBSD commit
f30052c16dba), by Mark Johnston.

Security:	FreeBSD-SA-26:44.posixshm
Security:	CVE-2026-49427
Security:	CVE-2026-49428
Obtained from:	FreeBSD

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply at anthropic.com>


  Commit: 53e5496159ff069bd9492b200188e07aab83695f
      https://github.com/MidnightBSD/src/commit/53e5496159ff069bd9492b200188e07aab83695f
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2026-06-30 (Tue, 30 Jun 2026)

  Changed paths:
    M UPDATING

  Log Message:
  -----------
  UPDATING: Note SA-26:44.posixshm fix

Security:	FreeBSD-SA-26:44.posixshm
Security:	CVE-2026-49427
Security:	CVE-2026-49428

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply at anthropic.com>


Compare: https://github.com/MidnightBSD/src/compare/6d5a2037d1ed...53e5496159ff

To unsubscribe from these emails, change your notification settings at https://github.com/MidnightBSD/src/settings/notifications


More information about the Midnightbsd-cvs mailing list