This adds a metadata variable, require.kmods, and corresponding functions
or methods in C, C++, and shell, which allow a test to specify that it
requires particular kernel modules to run. If the kernel modules are not
present, the test is skipped. One might want to consider a kyua option
which makes it attempt to load the modules instead.
Differential Revision: https://reviews.freebsd.org/D47470
(cherry picked from commit 83a1ee578c9d1ab7013e997289c7cd470c0e6902)
Make sure that only a CA without a CRL is being reported.
1. CRL verification takes places when provided. As OpenSSL
assumes that hidden CRLs may exist but a distribution point
is not mandatory there is no definitive truth about the matter.
OpenSSL makes no effort to bridge this gap.
2. CRLs are anchored in the CA that is signing the certificate
underneath so printing when that check fails because no CRL
was provided is enough.
libarchive 3.8.1
New features:
#2088 7-zip reader: improve self-extracting archive detection
#2137 zip writer: added XZ, LZMA, ZSTD and BZIP2 support
#2403 zip writer: added LZMA + RISCV BCJ filter
#2601 bsdtar: support --mtime and --clamp-mtime
#2602 libarchive: mbedtls 3.x compatibility
Security fixes:
#2422 tar reader: Handle truncation in the middle of a GNU long linkname
(CVE-2024-57970)
#2532 tar reader: fix unchecked return value in list_item_verbose()
(CVE-2025-25724)
#2532 unzip: fix null pointer dereference (CVE-2025-1632)
#2568 warc: prevent signed integer overflow (CVE-2025-5916)
#2584 rar: do not skip past EOF while reading (CVE-2025-5918)
#2588 tar: fix overflow in build_ustar_entry (CVE-2025-5917)
#2598 rar: fix double free with over 4 billion nodes (CVE-2025-5914)
#2599 rar: fix heap-buffer-overflow (CVE-2025-5915)
Important bugfixes:
#2399 7-zip reader: add SPARC filter support for non-LZMA compressors
#2405 tar reader: ignore ustar size when pax size is present
#2435 tar writer: fix bug when -s/a/b/ used more than once with b flag
#2459 7-zip reader: add POWERPC filter support for non-LZMA compressors
#2519 libarchive: handle ARCHIVE_FILTER_LZOP in archive_read_append_filter
#2539 libarchive: add missing seeker function to archive_read_open_FILE()
#2544 gzip: allow setting the original filename for gzip compressed files
#2564 libarchive: improve lseek handling
#2582 rar: support large headers on 32 bit systems
#2587 bsdtar: don't hardlink negative inode files together
#2596 rar: support large headers on 32 bit systems
#2606 libarchive: support @-prefixed Unix epoch timestamps as date strings
#2634 tar: Support negative time values with pax
#2637 tar: Keep block alignment after pax error
#2642 libarchive: fix FILE_skip regression
#2643 tar: Handle extra bytes after sparse entries
#2649 compress: Prevent call stack overflow
#2651 iso9660: always check archive_string_ensure return value
CVE: CVE-2024-57970, CVE-2025-1632, CVE-2025-25724,
CVE-2025-5914, CVE-2025-5915, CVE-2025-5916,
CVE-2025-5917, CVE-2025-5918
PR: 286944 (exp-run, main, libarchive 3.8.0)
Approved by: so
Security: FreeBSD-SA-25:07.libarchive
(cherry picked from commit 2e113ef82465598b8c26e0ca415fbe90677fbd47)
(cherry picked from commit 6dad4525a2910496ecf3c41de659aac906f6c1f4)
Since the default store already points to /etc/ssl/certs and the
CRLs are hashed there too it is trivial to bring libfetch applications
to verifying the CRLs contained when doing a SSL connection.
libfetch: ignore the error of an absence of a CRL
... when passing SSL_CRL_FILE / SSL_CRL_VERIFY.
The situation isn't ideal, but since we don't know what we are going to deal
with the situation is tricky. It's especially pointless in scenarios of
pkg multi-repo cases where we need to deal wit a mixed bag of URLs during
the same context. For the benefit of the doubt print the appropriate message
for the user to see.
In general it would be a bit safer if we could enforce the existence of a
CRL distribution point as a mandatory CRL check and the others as an optional
one with the warning as printed for the user to see. It would also need a
strict mode if someone needed the other behaviour but since we did not have
any consumers of SSL_CRL_FILE and --crl was broken for a long time it's safe
to assume nobody uses this for these specific reasons.
libfetch: add the error number to verify callback failure case
instead of accepting any character as a delimiter, only accept ':', '.'
and '-', and only permit a single delimiter in an address.
this prevents accepting bizarre addresses like:
ifconfig epair2a link 10.1.2.200/28
... which is particularly problematic on an INET6-only system, in which
case ifconfig defaults to the 'link' family, meaning that:
ifconfig epair2a 10.1.2.200/28
... changes the Ethernet address of the interface.
bump __FreeBSD_version so link_addr() consumers can detect the change.
Reviewed by: kp, des
Approved by: des (mentor)
Differential Revision: https://reviews.freebsd.org/D49936
(cherry picked from commit a1215090416b8afb346fb2ff5b38f25ba0134a3a)
Note-from-OPNsense: not bumping the FreeBSD version for stable/25.7
this is a re-entrant version of link_ntoa. use an in-out parameter for
the buffer size, so the user requires at most two calls to determine the
needed size.
reimplement link_ntoa using link_ntoa_r with a static buffer.
Reviewed by: des
Approved by: des (mentor)
Differential Revision: https://reviews.freebsd.org/D50202
(cherry picked from commit da509c29089ab169b667ebdf82aa903987ba9c6d)
for now, since link_addr() has no way to indicate an error, these are
only positive tests which check the outcome of valid inputs.
Reviewed by: ngie, des, adrian
Approved by: des (mentor)
Differential Revision: https://reviews.freebsd.org/D50062
(cherry picked from commit 757e973fb2112ea442aa8990d991f406d407b6f7)
link_addr_test: use <cstddef>, not <sys/stddef.h>
<cstddef> is the correct header; this fixes the GCC build.
while here, sort the headers.
Fixes: 757e973fb211 ("libc tests: add tests for link_addr(3) and link_ntoa(3)")
Reviewed by: des
Approved by: des (mentor)
Differential Revision: https://reviews.freebsd.org/D50189
(cherry picked from commit bbffdfef3bf04b2f89027cb20e2019fdc74c4b1b)
- Bump BRANCH to RELEASE
- Add the anticipated RELEASE announcement date
- Set a static __FreeBSD_version
Approved by: re (implicit)
Sponsored by: Amazon
Several manual pages for releng/14.3 incorrectly claim that features
were first introduced in FreeBSD 15.0.
I discovered these by running:
git checkout origin/releng/14.3
git grep -F '.Fx 15.0'
Approved by: re (cperciva)
MFC After: 3 days
Reviewed by: imp, ziaee
Pull Request: https://github.com/freebsd/freebsd-src/pull/1685
(cherry picked from commit 5b9660caff69c70c9b6d9df5e04a3f21f8cf7996)
(cherry picked from commit ef4014882ee1413eba75a78f6e307e16123c63d1)
When the file system does not support symbolic links (like in the case
of MSDOS), symlink() returns -1 and sets errno to EOPNOTSUPP.
Document this behavior.
Reviewed by: glebius, markj
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D49803
(cherry picked from commit dd9e59beebbb346f329dfd1de26a84da8afdcb1d)
This is not harmful when making a static library apparently, but will
result in duplicate symbol errors when making a dynamic library.
MFC after: 3 days
(cherry picked from commit 160a2ba804973e4b258c24247fa7c0cdc230dfb4)
The linuxkpi_gplv2.ko module on older-ish -CURRENT had absolutely no
.text contents, but it was still loaded. Instead of hitting the later
assertion because 0 is not less than 0, we can just skip images like
this as we should not have any samples from them.
Reviewed by: gallatin
(cherry picked from commit 77721403c91d67dbfd5a2c5c667e7f5d87acb3f6)
We use a be_mount.XXXX pattern to mkdtemp(3) when creating these, which
seems reasonably unique enough to just continue using that. Record the
mountpoint of the root dataset and check the dirname of that for the
auto-creation trait. There's no sense in this bubbling up an error to
callers, so we'll just ignore an error for now.
Requested by: manu
(cherry picked from commit d6fbae084a2a0e07805633ca46935963357f1efa)
wchar_t is unsigned on ARM platforms, and signed pretty much everywhere
else. On signed platforms, `nm` ends up with bogus upper bits set if we
did in-fact have a valid CS2 or CS3 (MSB set). Mask just the low byte
to avoid sign bit garbage.
Bare basic test of converting a CS2 widechar in eucCN, which would
previously kick back an EILSEQ.
Reviewed by: bapt, rew
Sponsored by: Klara, Inc.
(cherry picked from commit c4c562eadf3b790fa221e220d6a442f0cb84ca35)
This is a cosmetic change affecting the "plugged: ..." line in the
output of ifconfig -v. Both the 100G active cables were missing a
closing parenthesis.
Sponsored by: Chelsio Communications
(cherry picked from commit 6460c327f6f3fdf2d1cd4db648baf6cb7d74828e)
Try to help people in TW to get onto 11ac as well by adding the missing
entries to regdomain.xml. Use at your own risk.
regdomain.xml is unmaintanable in the modern world with too many tiny
difference between countries. We'll need a different way to generate
this or a different representation long term.
Sponsored by: The FreeBSD Foundation
Reported by: lwhsu
Tested by: lwhsu
Reviewed by: lwhsu, adrian
Differential Revision: https://reviews.freebsd.org/D49776
(cherry picked from commit 84e1eb50dd9529b234e568ccb6f6c37f897688dc)
This adds a basic test that __cxa_atexit works, and also adds some tests
for __cxa_atexit handlers registered in the middle of __cxa_finalize.
PR: 285870
(cherry picked from commit ee9ce1078c596f5719f312feedd616ab0fb41dc9)
science/dlib-cpp reveals an interesting scenario that works fine on
other platforms but not on FreeBSD; notably, it ends up creating a new
global object from some destructor which is called during
__cxa_finalize. This breaks when libdlib is dlopen()ed and then
subsequently dlclose()ed, as we never end up invoking the created
object's dtor until program exit when the shlib is already unmapped.
Fix it by noting when we're in the middle of __cxa_finalize for a dso,
and then restarting the search if __cxa_atexit() was called in the
middle somewhere.
We wait until we've processed the initial set before starting over and
processing the newly added handlers as if it were a complete set of
handlers added during runtime. The alternative is calling them as
they're added to maintain a LIFO in terms of total ordering, but in
theory a constructor could add another global object that also needs to
be destroyed, and that object needs to be destroyed after the one that
constructed it to avoid creating unexpected lifetime issues.
This manifests in the pdlib PHP extension for dlib crashing, see [0].
[0] https://github.com/goodspb/pdlib/issues/39
PR: 285870
Reviewed by: kevans (also supplied commit message)
(cherry picked from commit 23427c8e1fedb9fc68ad0bd27a59c7ffd2b3008c)
libzfs insists that these be cloned from the origin, so avoid making a
deep copy of them ourselves to unbreak creating a new BE from a BE with
encrypted components -- in today's environment, without a loader that
does encryption, this means a deep BE setup where something underneath
the BE (e.g., home directories) are encrypted.
Reported and tested by: arrowd
Reviewed by: allanjude
(cherry picked from commit 181549c37f1913f5ca292d8515a6e5e0068a9fe7)
This flag is used in field 'cr_flags', which is never directly visible
outside the kernel. That field is however exported through 'struct
kinfo_proc' objects (field 'ki_cr_flags'), either from the kernel via
sysctls or from libkvm, and is supposed to contain exported flags
prefixed with KI_CRF_ (currently, KI_CRF_CAPABILITY_MODE and
KI_CRF_GRP_OVERFLOW, this second one being a purely userland one
signaling overflow of 'ki_groups').
Make sure that KI_CRF_CAPABILITY_MODE is the flag actually exported and
tested by userland programs, and hide the internal CRED_FLAG_CAPMODE.
As both flags are currently defined to the same value, this doesn't
change the KBI, but of course does change the KPI. A code search via
GitHub and Google fortunately doesn't reveal any outside uses for
CRED_FLAG_CAPMODE.
While here, move assignment of 'ki_uid' to a more logical place in
kvm_proclist(), and definition of XU_NGROUPS as well in 'sys/ucred.h'
(no functional/interface changes intended).
Reviewed by: mhorne
Approved by: markj (mentor)
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46909
(cherry picked from commit 09290c3a0c82524138973b14f393379edf733753)
A ports exp-run (PR 283410) showed one port to be affected
(sysutils/procs), which has been fixed upstream and in the ports tree.
All additional indirect references to CRED_FLAG_CAPMODE we found after
the code search mentioned in the original commit message are
automatically generated from our headers by FFI mechanisms, so
automatically disappear at recompilation (and the KBI is not changed, as
explained above, so recompilation is not needed).
Reviewed by: Alexander Ziaee <concussious@runbox.com>
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48063
(cherry picked from commit b6f4027ad9a2ede69a7ec11137cc4ea69ec2f0a0)
This new system call allows to set all necessary credentials of
a process in one go: Effective, real and saved UIDs, effective, real and
saved GIDs, supplementary groups and the MAC label. Its advantage over
standard credential-setting system calls (such as setuid(), seteuid(),
etc.) is that it enables MAC modules, such as MAC/do, to restrict the
set of credentials some process may gain in a fine-grained manner.
Traditionally, credential changes rely on setuid binaries that call
multiple credential system calls and in a specific order (setuid() must
be last, so as to remain root for all other credential-setting calls,
which would otherwise fail with insufficient privileges). This
piecewise approach causes the process to transiently hold credentials
that are neither the original nor the final ones. For the kernel to
enforce that only certain transitions of credentials are allowed, either
these possibly non-compliant transient states have to disappear (by
setting all relevant attributes in one go), or the kernel must delay
setting or checking the new credentials. Delaying setting credentials
could be done, e.g., by having some mode where the standard system calls
contribute to building new credentials but without committing them. It
could be started and ended by a special system call. Delaying checking
could mean that, e.g., the kernel only verifies the credentials
transition at the next non-credential-setting system call (we just
mention this possibility for completeness, but are certainly not
endorsing it).
We chose the simpler approach of a new system call, as we don't expect
the set of credentials one can set to change often. It has the
advantages that the traditional system calls' code doesn't have to be
changed and that we can establish a special MAC protocol for it, by
having some cleanup function called just before returning (this is
a requirement for MAC/do), without disturbing the existing ones.
The mac_cred_check_setcred() hook is passed the flags received by
setcred() (including the version) and both the old and new kernel's
'struct ucred' instead of 'struct setcred' as this should simplify
evolving existing hooks as the 'struct setcred' structure evolves. The
mac_cred_setcred_enter() and mac_cred_setcred_exit() hooks are always
called by pairs around potential calls to mac_cred_check_setcred().
They allow MAC modules to allocate/free data they may need in their
mac_cred_check_setcred() hook, as the latter is called under the current
process' lock, rendering sleepable allocations impossible. MAC/do is
going to leverage these in a subsequent commit. A scheme where
mac_cred_check_setcred() could return ERESTART was considered but is
incompatible with proper composition of MAC modules.
While here, add missing includes and declarations for standalone
inclusion of <sys/ucred.h> both from kernel and userspace (for the
latter, it has been working thanks to <bsm/audit.h> already including
<sys/types.h>).
Reviewed by: brooks
Approved by: markj (mentor)
Relnotes: yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47618
(cherry picked from commit ddb3eb4efe55e57c206f3534263c77b837aff1dc)
- Use GETENTROPY_MAX instead of hard-coding the value.
- Check for EINVAL instead of EIO
Fixes: 473681a1a506 ("libc: Fix getentropy POSIX 2024 conformance issues")
(cherry picked from commit c5056a3931b41a803a24b89400d38d5c5f843612)
The SUS doesn't mention this error code as a possible one [1]. The FreeBSD
manual page specifies a possible ECONNRESET for close(2):
[ECONNRESET] The underlying object was a stream socket that was
shut down by the peer before all pending data was
delivered.
In the past it had been EINVAL (see 21367f630d), and this EINVAL was
added as a safety measure in 623dce13c6. After conversion to
ECONNRESET it had been documented in the manual page in 78e3a7fdd5, but
I bet wasn't ever tested to actually be ever returned, cause the
tcp-testsuite[2] didn't exist back then. So documentation is incorrect
since 2006, if my bet wins. Anyway, in the modern FreeBSD the condition
described above doesn't end up with ECONNRESET error code from close(2).
The error condition is reported via SO_ERROR socket option, though. This
can be checked using the tcp-testsuite, temporarily disabling the
getsockopt(SO_ERROR) lines using sed command [3]. Most of these
getsockopt(2)s are followed by '+0.00 close(3) = 0', which will confirm
that close(2) doesn't return ECONNRESET even on a socket that has the
error stored, neither it is returned in the case described in the manual
page. The latter case is covered by multiple tests residing in tcp-
testsuite/state-event-engine/rcv-rst-*.
However, the deleted block of code could be entered in a race condition
between close(2) and processing of incoming packet, when connection had
already been half-closed with shutdown(SHUT_WR) and sits in TCPS_LAST_ACK.
This was reported in the bug 146845. With the block deleted, we will
continue into tcp_disconnect() which has proper handling of INP_DROPPED.
The race explanation follows. The connection is in TCPS_LAST_ACK. The
network input thread acquires the tcpcb lock first, sets INP_DROPPED,
acquires the socket lock in soisdisconnected() and clears SS_ISCONNECTED.
Meanwhile, the syscall thread goes through sodisconnect() which checks for
SS_ISCONNECTED locklessly(!). The check passes and the thread blocks on
the tcpcb lock in tcp_usr_disconnect(). Once input thread releases the
lock, the syscall thread observes INP_DROPPED and returns ECONNRESET.
- Thread 1: tcp_do_segment()->tcp_close()->in_pcbdrop(),soisdisconnected()
- Thread 2: sys_close()...->soclose()->sodisconnect()->tcp_usr_disconnect()
Note that the lockless operation in sodisconnect() isn't correct, but
enforcing the socket lock there will not fix the problem.
[1] https://pubs.opengroup.org/onlinepubs/9799919799/
[2] https://github.com/freebsd-net/tcp-testsuite
[3] sed -i "" -Ee '/\+0\.00 getsockopt\(3, SOL_SOCKET, SO_ERROR, \[ECONNRESET\]/d' $(grep -lr ECONNRESET tcp-testsuite)
PR: 146845
Reviewed by: tuexen, rrs, imp
Differential Revision: https://reviews.freebsd.org/D48148
(cherry picked from commit 053a988497342a6fd0a717cc097d09c23f83e103)
This change is being done first so any functional changes from the tests
will be clearer to reviewers.
No functional change intended.
MFC after: 2 weeks
Ref: https://reviews.freebsd.org/D47826
(cherry picked from commit 991bd461625a2c521d5be4fd6938deed57f60972)
With the %b format specifier we need enough space to write a uintmax_t
in binary.
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1400
(cherry picked from commit d4f9e326393e3298062a58338e2c94ef6baff8b5)
Some devices might not have a software volume control, but still be
able to be set as recording sources.
PR: 279787
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D48730
(cherry picked from commit f121de8fbcbc8aa82f9fb59039c502406b7c88b6)
Fixes: e59991206b fts(3): be less strict when automount does its job under us walking autofs mount
(cherry picked from commit ab6a311c720e93c860d3dd4a335264d725db7a0d)
