[Midnightbsd-cvs] [MidnightBSD/src] 50fc89: zfs: Fix multiple OpenZFS vulnerabilities (SA-26:4...
Lucas Holt
noreply at github.com
Wed Jul 1 09:29:18 EDT 2026
Branch: refs/heads/stable/4.0
Home: https://github.com/MidnightBSD/src
Commit: 50fc89d43164d541cfc2ebc60eaa7364fa205402
https://github.com/MidnightBSD/src/commit/50fc89d43164d541cfc2ebc60eaa7364fa205402
Author: Lucas Holt <luke at foolishgames.com>
Date: 2026-07-01 (Wed, 01 Jul 2026)
Changed paths:
M sys/contrib/openzfs/module/nvpair/nvpair.c
M sys/contrib/openzfs/module/zfs/dmu_recv.c
M sys/contrib/openzfs/module/zfs/vdev_label.c
M sys/contrib/openzfs/module/zfs/zfs_ioctl.c
Log Message:
-----------
zfs: Fix multiple OpenZFS vulnerabilities (SA-26:40 / CVE-2026-49429..31)
Targeted backport of the three OpenZFS security fixes to the 2.1.15 tree
shipped by MidnightBSD. The FreeBSD SA-26:40 patch targets OpenZFS 2.2.x
and does not apply cleanly to 2.1.15, so the fixes were ported by hand.
CVE-2026-49429: ZFS_IOC_USERSPACE_MANY truncated the 64-bit output
buffer size to a 32-bit int for the kernel allocation but used the
original 64-bit size when writing records, allowing a heap overflow by a
user with the "userused" delegated permission. Use a uint64_t bufsize
capped to 1000 entries (zfs_ioc_userspace_many).
CVE-2026-49430: the ZFS_IOC_RECV_NEW heal path truncated a 64-bit
payload size to 32 bits for allocation, then used the 64-bit size for a
byteswap. Bound DRR_OBJECT/WRITE/WRITE_EMBEDDED/SPILL payload sizes to
SPA_MAXBLOCKSIZE (returning ERANGE) in receive_read_record(), and widen
the DRR_WRITE/DRR_SPILL size from int to uint64_t. Also harden
nvpair i_get_value_size() to bound string scans with strnlen() so a
crafted (received) packed nvlist cannot be read past its buffer.
CVE-2026-49431: ZFS_IOC_SET_PROP was registered with zfs_secpolicy_none,
letting any local user set the internal "$hasrecvd" metadata. Register
it with a new zfs_secpolicy_setprops() that requires zfs_secpolicy_recv()
when the received flag (zc_cookie) is set.
Also NUL-terminate vbe_bootenv before reading it as a string in
vdev_label_read_bootenv (defensive, matches upstream).
Deviations from the FreeBSD 2.2 patch, deliberate for the 2.1.15 port:
- Kept kmem_zalloc()/kmem_free() rather than switching to vmem_* in
receive_read_record(). The SPA_MAXBLOCKSIZE bound makes the existing
kmem path safe and avoids touching the receive_process_record() free
sites, which differ in 2.1 (upstream's vmem free hunks do not apply).
- Omitted the zfs_quota.c VERIFY3U->return(EINVAL) hardening: it is not
one of the three CVEs, and in 2.1.15 dmu_objset_userquota_get_ids()
ignores the callback's return and would read an uninitialized zfi.
Applying it safely would require a matching caller change absent from
this tree.
Built and verified: zfs.ko (kernel) links clean and libnvpair (userland)
compiles clean under -Werror.
Security: FreeBSD-SA-26:40.zfs
Security: CVE-2026-49429
Security: CVE-2026-49430
Security: CVE-2026-49431
Obtained from: OpenZFS (adapted to 2.1.15)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply at anthropic.com>
Commit: 6e7e5a8a76cf1f51ce954040e61bf1b20fe21b34
https://github.com/MidnightBSD/src/commit/6e7e5a8a76cf1f51ce954040e61bf1b20fe21b34
Author: Lucas Holt <luke at foolishgames.com>
Date: 2026-07-01 (Wed, 01 Jul 2026)
Changed paths:
M UPDATING
Log Message:
-----------
UPDATING: Note SA-26:40.zfs fix
Security: FreeBSD-SA-26:40.zfs
Security: CVE-2026-49429
Security: CVE-2026-49430
Security: CVE-2026-49431
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply at anthropic.com>
Compare: https://github.com/MidnightBSD/src/compare/8f952dbed450...6e7e5a8a76cf
To unsubscribe from these emails, change your notification settings at https://github.com/MidnightBSD/src/settings/notifications
More information about the Midnightbsd-cvs
mailing list