From nobody Tue Apr 21 15:43:56 2026
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 5eae7f23fe0e - stable/13 - tty: Avoid leaving dangling pointers in tty_drop_ctty()
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-BeenThere: dev-commits-src-branches@freebsd.org
Sender: owner-dev-commits-src-branches@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 5eae7f23fe0e189f2d5160772cf6cd4d107dd30a
Auto-Submitted: auto-generated
Date: Tue, 21 Apr 2026 15:43:56 +0000
Message-Id: <69e79b3c.3406e.44befbe6@gitrepo.freebsd.org>

The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=5eae7f23fe0e189f2d5160772cf6cd4d107dd30a

commit 5eae7f23fe0e189f2d5160772cf6cd4d107dd30a
Author:     Mark Johnston
AuthorDate: 2026-03-23 15:22:48 +0000
Commit:     Mark Johnston
CommitDate: 2026-04-21 15:43:53 +0000

    tty: Avoid leaving dangling pointers in tty_drop_ctty()

    The TIOCNOTTY handler detaches the calling process from its controlling
    terminal.  It clears the link from the session to the tty, but not the
    pointers from the tty to the session and process group.  This means that
    sess_release() doesn't call tty_rel_sess(), and that pgdelete() doesn't
    call tty_rel_pgrp(), so the pointers are left dangling.

    Fix this by clearing pointers in tty_drop_ctty().

    Add a standalone regression test.

    Approved by:	so
    Security:	FreeBSD-SA-26:10.tty
    Security:	CVE-2026-5398
    Reported by:	Nicholas Carlini
    Reviewed by:	kib, kevans
    Fixes:	1b50b999f9b5 ("tty: implement TIOCNOTTY")
    Differential Revision:	https://reviews.freebsd.org/D56046
---
 sys/kern/tty.c             |  4 +++
 tests/sys/kern/Makefile    |  1 +
 tests/sys/kern/tiocnotty.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 87 insertions(+)
diff --git a/sys/kern/tty.c b/sys/kern/tty.c index 42862ffb8a45..22f3645092f8 100644 --- a/sys/kern/tty.c +++ b/sys/kern/tty.c @@ -1262,6 +1262,10 @@ tty_drop_ctty(struct tty *tp, struct proc *p) session->s_ttydp = NULL; SESS_UNLOCK(session); + if (tp->t_session == session) { + tp->t_session = NULL; + tp->t_pgrp = NULL; + } tp->t_sessioncnt--; p->p_flag &= ~P_CONTROLT; PROC_UNLOCK(p); diff --git a/tests/sys/kern/Makefile b/tests/sys/kern/Makefile index d499fd525222..faf08a352514 100644 --- a/tests/sys/kern/Makefile +++ b/tests/sys/kern/Makefile @@ -35,6 +35,7 @@ ATF_TESTS_C+= subr_physmem_test PLAIN_TESTS_C+= subr_unit_test ATF_TESTS_C+= sysctl_kern_proc ATF_TESTS_C+= sys_getrandom +PLAIN_TESTS_C+= tiocnotty ATF_TESTS_C+= tty_pts ATF_TESTS_C+= unix_passfd_test ATF_TESTS_C+= unix_seqpacket_test diff --git a/tests/sys/kern/tiocnotty.c b/tests/sys/kern/tiocnotty.c new file mode 100644 index 000000000000..2581f976b2ef --- /dev/null +++ b/tests/sys/kern/tiocnotty.c 
@@ -0,0 +1,82 @@ +/* + * Copyright (c) 2026 Mark Johnston + * + * SPDX-License-Identifier: BSD-2-Clause + */ + +/* + * A regression test that exercises a bug where TIOCNOTTY would leave some + * dangling pointers behind in the controlling terminal structure. + */ + +#include +#include + +#include +#include +#include +#include +#include + +int +main(void) +{ + int master, slave, status; + pid_t child; + + master = posix_openpt(O_RDWR | O_NOCTTY); + if (master < 0) + err(1, "posix_openpt"); + if (grantpt(master) < 0) + err(1, "grantpt"); + if (unlockpt(master) < 0) + err(1, "unlockpt"); + + child = fork(); + if (child < 0) + err(1, "fork"); + if (child == 0) { + if (setsid() < 0) + err(1, "setsid"); + slave = open(ptsname(master), O_RDWR | O_NOCTTY); + if (slave < 0) + err(2, "open"); + if (ioctl(slave, TIOCSCTTY, 0) < 0) + err(3, "ioctl(TIOCSCTTY)"); + /* Detach ourselves from the controlling terminal. */ + if (ioctl(slave, TIOCNOTTY, 0) < 0) + err(4, "ioctl(TIOCNOTTY)"); + _exit(0); + } + + if (waitpid(child, &status, 0) < 0) + err(1, "waitpid"); + if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) + errx(1, "child exited with status %d", WEXITSTATUS(status)); + + child = fork(); + if (child < 0) + err(1, "fork"); + if (child == 0) { + struct winsize winsz; + + if (setsid() < 0) + err(1, "setsid"); + slave = open(ptsname(master), O_RDWR | O_NOCTTY); + if (slave < 0) + err(2, "open"); + /* Dereferences dangling t_pgrp pointer in the terminal. */ + memset(&winsz, 0xff, sizeof(winsz)); + if (ioctl(slave, TIOCSWINSZ, &winsz) < 0) + err(3, "ioctl(TIOCSWINSZ)"); + /* Dereferences dangling t_session pointer in the terminal. */ + if (ioctl(slave, TIOCSCTTY, 0) < 0) + err(4, "ioctl(TIOCSCTTY)"); + _exit(0); + } + + if (waitpid(child, &status, 0) < 0) + err(1, "waitpid"); + if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) + errx(1, "child exited with status %d", WEXITSTATUS(status)); +}
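Review bot: in the sys/kern/tty.c hunk, the guard `if (tp->t_session == session)` needs a one-line comment, because the reader sees the pointers cleared conditionally right next to an unconditional `tp->t_sessioncnt--` and has to work out why. The unconditional decrement beside a conditional clear implies that a tty can be referenced by more than one session at a time while t_session/t_pgrp name only the session that currently owns it, so a session that is not the current owner must not clobber another session's pointers; something like `/* Only the current owner's pointers are ours to clear. */` above the `if` would record that. The new stores sit beside the existing `tp->t_sessioncnt--` and so rely on the same tty lock being held; an explicit lock assertion near the top of tty_drop_ctty() (tty_assert_locked(tp) is the idiom used elsewhere in tty.c) would make that requirement visible instead of implicit.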
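Review bot: in tests/sys/kern/tiocnotty.c, the whole test depends on the parent keeping `master` open across both fork() calls so that the pty, and with it the tty structure holding the stale t_session/t_pgrp pointers, survives the first child's exit; that invariant is nowhere stated, and a later cleanup that closes `master` after the first waitpid() would silently turn the test into a no-op. Add a comment at `master = posix_openpt(O_RDWR | O_NOCTTY);` (or just before the second fork()) saying the descriptor is held open on purpose. Two smaller points: the file comment should say that on an unfixed kernel the test does not fail cleanly but makes the kernel follow pointers into freed memory (the expected failure mode is a crash, not an error code), so it is not a safe probe to run on production hosts; and both `errx(1, "child exited with status %d", WEXITSTATUS(status));` calls print a meaningless value when the child was killed by a signal, since the condition also triggers on `!WIFEXITED(status)`, so that branch should report WTERMSIG(status) instead.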
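The pointer lifecycle that the commit message describes, as an added userland model that is not part of the commit or of the FreeBSD kernel: the struct layouts, the "model_" functions, the "freed" flags and the scenario() driver are all simplifications invented for this example, but they keep the property the commit message relies on, namely that sess_release() and pgdelete() only release the tty side of the links when the session still points at the tty. The driver replays the regression test's two children against the pre-fix and post-fix TIOCNOTTY behaviour and reports whether the later TIOCSWINSZ would have followed t_pgrp into freed memory.

```c
/*
 * Userland model of the tty <-> session <-> pgrp linkage.  Everything here
 * (struct fields, model_* functions, the freed flags) is invented for the
 * example; it is not the kernel's code or data structures.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct tty;

struct session {
	struct tty *s_ttyp;	/* link session -> controlling tty */
	bool s_freed;		/* models the session memory being freed */
};

struct pgrp {
	struct session *pg_session;
	bool pg_freed;		/* models the pgrp memory being freed */
};

struct tty {
	struct session *t_session;	/* link tty -> owning session */
	struct pgrp *t_pgrp;		/* link tty -> foreground pgrp */
	int t_sessioncnt;		/* sessions referencing this tty */
};

/* Models TIOCSCTTY: the session takes the tty as its controlling terminal. */
static void
model_take_ctty(struct tty *tp, struct session *sess, struct pgrp *pg)
{
	sess->s_ttyp = tp;
	tp->t_session = sess;
	tp->t_pgrp = pg;
	tp->t_sessioncnt++;
}

/* Models tty_rel_sess(): clears the tty side of the links. */
static void
model_tty_rel_sess(struct tty *tp, struct session *sess)
{
	if (tp->t_session == sess) {
		tp->t_session = NULL;
		tp->t_pgrp = NULL;
	}
	tp->t_sessioncnt--;
}

/* Models pgdelete(): tty_rel_pgrp() runs only if the session still links the tty. */
static void
model_pgdelete(struct pgrp *pg)
{
	struct tty *tp = pg->pg_session->s_ttyp;

	if (tp != NULL && tp->t_pgrp == pg)
		tp->t_pgrp = NULL;
	pg->pg_freed = true;
}

/* Models sess_release(): tty_rel_sess() runs only if the session still links the tty. */
static void
model_sess_release(struct session *sess)
{
	if (sess->s_ttyp != NULL)
		model_tty_rel_sess(sess->s_ttyp, sess);
	sess->s_freed = true;
}

/* Pre-fix TIOCNOTTY: drops only the session -> tty link. */
static void
model_drop_ctty_buggy(struct tty *tp, struct session *sess)
{
	sess->s_ttyp = NULL;
	tp->t_sessioncnt--;
}

/* Post-fix TIOCNOTTY: also drops the tty -> session/pgrp links. */
static void
model_drop_ctty_fixed(struct tty *tp, struct session *sess)
{
	sess->s_ttyp = NULL;
	if (tp->t_session == sess) {
		tp->t_session = NULL;
		tp->t_pgrp = NULL;
	}
	tp->t_sessioncnt--;
}

/*
 * Models the part of TIOCSWINSZ that signals the foreground pgrp.
 * Returns 0 when there is no foreground pgrp, 1 when a live pgrp would be
 * signalled, and -1 when the kernel would follow t_pgrp into freed memory.
 */
static int
model_tiocswinsz(struct tty *tp)
{
	if (tp->t_pgrp == NULL)
		return (0);
	if (tp->t_pgrp->pg_freed)
		return (-1);
	return (1);
}

/* Replays the regression test's scenario against one TIOCNOTTY variant. */
static int
scenario(void (*drop_ctty)(struct tty *, struct session *))
{
	struct tty tp = { 0 };
	struct session sess = { 0 };
	struct pgrp pg = { .pg_session = &sess };

	/* First child: setsid(), TIOCSCTTY, TIOCNOTTY, then exit. */
	model_take_ctty(&tp, &sess, &pg);
	drop_ctty(&tp, &sess);
	model_pgdelete(&pg);
	model_sess_release(&sess);

	/* Second child: TIOCSWINSZ on the same, still-open pty. */
	return (model_tiocswinsz(&tp));
}

int
main(void)
{
	printf("pre-fix TIOCNOTTY:  %d (-1 = stale t_pgrp reached)\n",
	    scenario(model_drop_ctty_buggy));
	printf("post-fix TIOCNOTTY: %d (0 = no foreground pgrp)\n",
	    scenario(model_drop_ctty_fixed));
	return (0);
}
```

The model deliberately never dereferences freed memory; the freed flags stand in for that so the outcome is deterministic. The one property worth taking away is the gating: because both release paths consult s_ttyp, clearing only that field in TIOCNOTTY guarantees that neither tty_rel_sess() nor tty_rel_pgrp() will ever run for that session, which is exactly why the fix has to clear the tty-side pointers itself.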