Date:      Fri, 12 Jun 2026 10:34:57 +0200
From:      Joerg Wunsch <joerg@freebsd.org>
To:        freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-26:26.ktls
Message-ID:  <aivEsSeWPk7zRc-r@uriah.heep.sax.de>
In-Reply-To: <20260609231311.7E26A1FD21@freefall.freebsd.org>


According to their (evil, IMHO) web page,

kern.ipc.mb_use_ext_pgs=0

is a viable workaround.

As FreeBSD Security Advisories wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> =============================================================================
> FreeBSD-SA-26:26.ktls                                       Security Advisory
>                                                           The FreeBSD Project
> 
> Topic:          Arbitrary file overwrite via the KTLS receive path
> 
> Category:       core
> Module:         ktls
> Announced:      2026-06-09
> Credits:        Bumsrakete
> Affects:        All supported versions of FreeBSD
> Corrected:      2026-06-09 19:17:28 UTC (stable/15, 15.1-STABLE)
>                 2026-06-09 19:20:06 UTC (releng/15.1, 15.1-RC3-p1)
>                 2026-06-09 19:19:43 UTC (releng/15.0, 15.0-RELEASE-p10)
>                 2026-06-09 19:17:46 UTC (stable/14, 14.4-STABLE)
>                 2026-06-09 19:19:05 UTC (releng/14.4, 14.4-RELEASE-p6)
>                 2026-06-09 19:18:35 UTC (releng/14.3, 14.3-RELEASE-p15)
> CVE Name:       CVE-2026-45257
> 
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:https://security.FreeBSD.org/>.
> 
> I.   Background
> 
> Kernel TLS (KTLS) moves Transport Layer Security (TLS) record processing
> into the kernel, allowing applications to encrypt and decrypt socket data
> without copying it to and from userspace and to serve TLS data with
> sendfile(2).  When a connection uses software KTLS on the receive path,
> the kernel decrypts each incoming TLS record in place within the socket
> buffer.
> 
> II.  Problem Description
> 
> The KTLS receive path decrypted each record in place, assuming that the
> mbufs holding received data were anonymous and safe to modify.  This
> assumption does not hold for data placed on a socket by sendfile(2),
> which can reference file-backed memory directly through non-anonymous
> M_EXTPG pages or EXT_SFBUF mbufs.  When the sender transmits such data
> over a loopback connection without enabling KTLS on the transmit side,
> the file-backed mbufs reach the receiver's decryption path unchanged.
> Decrypting a record in place then overwrites the backing file's page
> cache instead of a private copy of the data.
> 
> III. Impact
> 
> An unprivileged local user who can read a file can overwrite its
> contents with data of their choosing by sending the file over a loopback
> connection on which they have enabled KTLS receive.  The write modifies
> the page cache directly, so it bypasses file flags such as schg and is
> written back to disk.  By overwriting a setuid binary or other trusted
> file, a local user can escalate privileges, potentially gaining full
> control of the affected system.
> 
> IV.  Workaround
> 
> No workaround is available.
> 
> V.   Solution
> 
> Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date,
> and reboot the system.
> 
> Perform one of the following:
> 
> 1) To update your vulnerable system installed from base system packages:
> 
> Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
> platforms, which were installed using base system packages, can be updated
> via the pkg(8) utility:
> 
> # pkg upgrade -r FreeBSD-base
> # shutdown -r +10min "Rebooting for a security update"
> 
> 2) To update your vulnerable system installed from binary distribution sets:
> 
> Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
> which were not installed using base system packages can be updated via the
> freebsd-update(8) utility:
> 
> # freebsd-update fetch
> # freebsd-update install
> # shutdown -r +10min "Rebooting for a security update"
> 
> 3) To update your vulnerable system via a source code patch:
> 
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
> 
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
> 
> # fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch
> # fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch.asc
> # gpg --verify ktls.patch.asc
> 
> b) Apply the patch.  Execute the following commands as root:
> 
> # cd /usr/src
> # patch < /path/to/patch
> 
> c) Recompile your kernel as described in
> <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
> system.
> 
> VI.  Correction details
> 
> This issue is corrected as of the corresponding Git commit hash in the
> following stable and release branches:
> 
> Branch/path                             Hash                     Revision
> -------------------------------------------------------------------------
> stable/15/                              a51345704403    stable/15-n283882
> releng/15.1/                            48c1c5e3c348  releng/15.1-n283550
> releng/15.0/                            540a315cdb46  releng/15.0-n281052
> stable/14/                              333bdd7e9427    stable/14-n274311
> releng/14.4/                            d43259dd66b3  releng/14.4-n273714
> releng/14.3/                            af3398862ac0  releng/14.3-n271514
> -------------------------------------------------------------------------
> 
> Run the following command to see which files were modified by a
> particular commit:
> 
> # git show --stat <commit hash>
> 
> Or visit the following URL, replacing NNNNNN with the hash:
> 
> <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
> 
> To determine the commit count in a working tree (for comparison against
> nNNNNNN in the table above), run:
> 
> # git rev-list --count --first-parent HEAD
> 
> VII. References
> 
> <URL:https://www.cve.org/CVERecord?id=CVE-2026-45257>
> 
> The latest revision of this advisory is available at
> <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:26.ktls.asc>

-- 
cheers, Joerg               .-.-.   --... ...--   -.. .  DL8DTL

http://www.sax.de/~joerg/
Never trust an operating system you don't have sources for. ;-)
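A check a defender might run after reading section VI of the quoted advisory: an added POSIX sh script (not part of the advisory or of Joerg's reply) that takes the branch and first-parent commit count from `uname -v` and compares it against the corrected counts in the advisory's table. It assumes that git-era FreeBSD kernels report a `branch-nCOUNT-hash` token in `uname -v`; the final sysctl line only reports the knob Joerg mentions, it does not treat it as a fix.

```shell
#!/bin/sh
# Corrected first-parent commit counts per branch, copied from section VI
# of FreeBSD-SA-26:26.ktls (branch:count).
KTLS_SA_FIXED="stable/15:283882 releng/15.1:283550 releng/15.0:281052 stable/14:274311 releng/14.4:273714 releng/14.3:271514"

# Parse a FreeBSD `uname -v` string such as (constructed sample)
#   "FreeBSD 15.0-RELEASE-p9 releng/15.0-n281000-0123456789ab GENERIC"
# and print "<branch> <count>".  The token layout is an assumption about
# git-era kernels.  Returns 1 when no such token is present.
ktls_sa_parse_uname() {
    set -- $1                      # split the string on whitespace
    for tok in "$@"; do
        case "$tok" in
            stable/*-n[0-9]*-*|releng/*-n[0-9]*-*)
                branch=${tok%%-n*}          # e.g. releng/15.0
                rest=${tok#*-n}             # e.g. 281000-0123456789ab
                count=${rest%%-*}           # e.g. 281000
                echo "$branch $count"
                return 0 ;;
        esac
    done
    return 1
}

# Compare a `uname -v` string against the advisory table.  Exit status:
# 0 = at or past the corrected commit, 1 = older than the correction,
# 2 = branch not in the table or string not parseable.
ktls_sa_status() {
    parsed=$(ktls_sa_parse_uname "$1") || return 2
    branch=${parsed% *}
    count=${parsed#* }
    for entry in $KTLS_SA_FIXED; do
        if [ "${entry%%:*}" = "$branch" ]; then
            fixed=${entry#*:}
            if [ "$count" -ge "$fixed" ]; then
                echo "$branch n$count: corrected (fix is n$fixed)"
                return 0
            fi
            echo "$branch n$count: NOT corrected (fix is n$fixed)"
            return 1
        fi
    done
    echo "$branch n$count: branch not covered by this advisory's table"
    return 2
}

# Only run the live checks on a FreeBSD host; elsewhere the functions
# above can still be exercised on sample strings.
if [ "$(uname -s)" = FreeBSD ]; then
    ktls_sa_status "$(uname -v)"
    # Report the sysctl named in the reply above; reporting only.
    sysctl -n kern.ipc.mb_use_ext_pgs 2>/dev/null | sed 's/^/kern.ipc.mb_use_ext_pgs=/'
fi
```

The count comparison is only meaningful within one branch, which is why the script refuses to judge a branch that is not in the table.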

