[Midnightbsd-cvs] [MidnightBSD/src] 8401a6: zfs: Fix multiple OpenZFS vulnerabilities (SA-26:4...

Lucas Holt noreply at github.com
Wed Jul 1 09:29:15 EDT 2026


  Branch: refs/heads/master
  Home:   https://github.com/MidnightBSD/src
  Commit: 8401a6b685668b19b9a016135c4973a0ed087d92
      https://github.com/MidnightBSD/src/commit/8401a6b685668b19b9a016135c4973a0ed087d92
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2026-07-01 (Wed, 01 Jul 2026)

  Changed paths:
    M sys/contrib/openzfs/module/nvpair/nvpair.c
    M sys/contrib/openzfs/module/zfs/dmu_recv.c
    M sys/contrib/openzfs/module/zfs/vdev_label.c
    M sys/contrib/openzfs/module/zfs/zfs_ioctl.c

  Log Message:
  -----------
  zfs: Fix multiple OpenZFS vulnerabilities (SA-26:40 / CVE-2026-49429..31)

Targeted backport of the three OpenZFS security fixes to the 2.1.15 tree
shipped by MidnightBSD.  The FreeBSD SA-26:40 patch targets OpenZFS 2.2.x
and does not apply cleanly to 2.1.15, so the fixes were ported by hand.

CVE-2026-49429: ZFS_IOC_USERSPACE_MANY truncated the 64-bit output
buffer size to a 32-bit int for the kernel allocation but used the
original 64-bit size when writing records, allowing a heap overflow by a
user with the "userused" delegated permission.  Use a uint64_t bufsize
capped to 1000 entries (zfs_ioc_userspace_many).

CVE-2026-49430: the ZFS_IOC_RECV_NEW heal path truncated a 64-bit
payload size to 32 bits for allocation, then used the 64-bit size for a
byteswap.  Bound DRR_OBJECT/WRITE/WRITE_EMBEDDED/SPILL payload sizes to
SPA_MAXBLOCKSIZE (returning ERANGE) in receive_read_record(), and widen
the DRR_WRITE/DRR_SPILL size from int to uint64_t.  Also harden
nvpair i_get_value_size() to bound string scans with strnlen() so a
crafted (received) packed nvlist cannot be read past its buffer.

CVE-2026-49431: ZFS_IOC_SET_PROP was registered with zfs_secpolicy_none,
letting any local user set the internal "$hasrecvd" metadata.  Register
it with a new zfs_secpolicy_setprops() that requires zfs_secpolicy_recv()
when the received flag (zc_cookie) is set.

Also NUL-terminate vbe_bootenv before reading it as a string in
vdev_label_read_bootenv (defensive, matches upstream).

Deviations from the FreeBSD 2.2 patch, deliberate for the 2.1.15 port:
- Kept kmem_zalloc()/kmem_free() rather than switching to vmem_* in
  receive_read_record().  The SPA_MAXBLOCKSIZE bound makes the existing
  kmem path safe and avoids touching the receive_process_record() free
  sites, which differ in 2.1 (upstream's vmem free hunks do not apply).
- Omitted the zfs_quota.c VERIFY3U->return(EINVAL) hardening: it is not
  one of the three CVEs, and in 2.1.15 dmu_objset_userquota_get_ids()
  ignores the callback's return and would read an uninitialized zfi.
  Applying it safely would require a matching caller change absent from
  this tree.

Built and verified: zfs.ko (kernel) links clean and libnvpair (userland)
compiles clean under -Werror.

Security:	FreeBSD-SA-26:40.zfs
Security:	CVE-2026-49429
Security:	CVE-2026-49430
Security:	CVE-2026-49431
Obtained from:	OpenZFS (adapted to 2.1.15)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply at anthropic.com>


  Commit: 12e89cf3bd6086a9ec57d0fd272444d789d91d76
      https://github.com/MidnightBSD/src/commit/12e89cf3bd6086a9ec57d0fd272444d789d91d76
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2026-07-01 (Wed, 01 Jul 2026)

  Changed paths:
    M UPDATING

  Log Message:
  -----------
  UPDATING: Note SA-26:40.zfs fix

Security:	FreeBSD-SA-26:40.zfs
Security:	CVE-2026-49429
Security:	CVE-2026-49430
Security:	CVE-2026-49431

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply at anthropic.com>


Compare: https://github.com/MidnightBSD/src/compare/bf1593c2f082...12e89cf3bd60

To unsubscribe from these emails, change your notification settings at https://github.com/MidnightBSD/src/settings/notifications


More information about the Midnightbsd-cvs mailing list