To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: fbc35b3e6615 - releng/14.3 - unix: Set O_RESOLVE_BENEATH on fds transferred between jails
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/14.3
X-Git-Reftype: branch
X-Git-Commit: fbc35b3e6615e6ff2866a9aeba67ed236f9bdb98
Auto-Submitted: auto-generated
Date: Tue, 24 Feb 2026 16:01:32 +0000
Message-Id: <699dcb5c.27e9c.7c8c9279@gitrepo.freebsd.org>

The branch releng/14.3 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=fbc35b3e6615e6ff2866a9aeba67ed236f9bdb98

commit fbc35b3e6615e6ff2866a9aeba67ed236f9bdb98
Author: Mark Johnston
AuthorDate: 2025-06-24 20:05:37 +0000
Commit: Mark Johnston
CommitDate: 2026-02-23 16:00:13 +0000

unix: Set O_RESOLVE_BENEATH on fds transferred between jails

If a pair of jails with different filesystem roots is able to exchange
SCM_RIGHTS messages (e.g., using a unix socket in a shared nullfs mount),
a process in one jail can open a directory outside of the root of the
second jail and then pass the fd to that second jail, allowing the
receiving process to escape the jail chroot.

Address this using the new FD_RESOLVE_BENEATH flag. When externalizing
an SCM_RIGHTS message into the receiving process, automatically set this
flag on all new fds where a jail boundary is crossed. This ensures that
the receiver cannot do more than access files underneath the directory;
in particular, the received fd cannot be used to access vnodes not
accessible by the sender.

Approved by: so Security: FreeBSD-SA-26:04.jail Security: CVE-2025-15576 PR: 262179 Reviewed by: kib MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D50371 (cherry picked from commit 350ba9672a7f4f16e30534a603df577dfd083b3f) (cherry picked from commit 3ad3ab5f9b6e91efc923bae9799697a823eb7227) --- sys/amd64/conf/SYZKALLER | 5 +++++ sys/kern/uipc_usrreq.c | 31 +++++++++++++++++++++++-------- 2 files changed, 28 insertions(+), 8 deletions(-) diff --git a/sys/amd64/conf/SYZKALLER b/sys/amd64/conf/SYZKALLER new file mode 100644 index 000000000000..965841313616 --- /dev/null +++ b/sys/amd64/conf/SYZKALLER @@ -0,0 +1,5 @@ +include GENERIC-KASAN +ident SYZKALLER + +options COVERAGE +options KCOV diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c index 80ac5cc0b775..4df36221bc6a 100644 --- a/sys/kern/uipc_usrreq.c +++ b/sys/kern/uipc_usrreq.c @@ -58,7 +58,6 @@ * need a proper out-of-band */ -#include #include "opt_ddb.h" #include @@ -68,6 +67,7 @@ #include #include #include +#include #include #include #include 
@@ -2433,22 +2433,34 @@ unp_freerights(struct filedescent **fdep, int fdcount) free(fdep[0], M_FILECAPS); } +static bool +restrict_rights(struct file *fp, struct thread *td) +{ + struct prison *prison1, *prison2; + + prison1 = fp->f_cred->cr_prison; + prison2 = td->td_ucred->cr_prison; + return (prison1 != prison2 && prison1->pr_root != prison2->pr_root && + prison2 != &prison0); +} + static int unp_externalize(struct mbuf *control, struct mbuf **controlp, int flags) { struct thread *td = curthread; /* XXX */ struct cmsghdr *cm = mtod(control, struct cmsghdr *); - int i; int *fdp; struct filedesc *fdesc = td->td_proc->p_fd; struct filedescent **fdep; void *data; socklen_t clen = control->m_len, datalen; - int error, newfds; + int error, fdflags, newfds; u_int newlen; UNP_LINK_UNLOCK_ASSERT(); + fdflags = (flags & MSG_CMSG_CLOEXEC) ? O_CLOEXEC : 0; + error = 0; if (controlp != NULL) /* controlp == NULL => free control messages */ *controlp = NULL; @@ -2490,11 +2502,14 @@ unp_externalize(struct mbuf *control, struct mbuf **controlp, int flags) *controlp = NULL; goto next; } - for (i = 0; i < newfds; i++, fdp++) { - _finstall(fdesc, fdep[i]->fde_file, *fdp, - (flags & MSG_CMSG_CLOEXEC) != 0 ? O_CLOEXEC : 0, - &fdep[i]->fde_caps); - unp_externalize_fp(fdep[i]->fde_file); + for (int i = 0; i < newfds; i++, fdp++) { + struct file *fp; + + fp = fdep[i]->fde_file; + _finstall(fdesc, fp, *fdp, fdflags | + (restrict_rights(fp, td) ? + O_RESOLVE_BENEATH : 0), &fdep[i]->fde_caps); + unp_externalize_fp(fp); } /*
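Review bot: The new sys/amd64/conf/SYZKALLER file (first hunk) is not mentioned in the commit message, which describes only the SCM_RIGHTS change in sys/kern/uipc_usrreq.c. A kernel config that includes GENERIC-KASAN and enables COVERAGE and KCOV looks unrelated to the fix; on a releng security cherry-pick it would be cleaner to drop it from this commit, or to say in the log why it is included.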
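Review bot: restrict_rights() in the @@ -2433 hunk has no comment, and its three-part condition is the entire policy of this fix. Please add a block comment stating what each term is for: that prison1 is taken from fp->f_cred (the credential attached to the file, not the sending thread's), that the pr_root comparison leaves fds unrestricted between jails that share a root, and that `prison2 != &prison0` exempts a receiver running in the host. Naming the locals for their roles instead of prison1/prison2 would also make the asymmetry between the two sides easier to audit.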
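Review bot: In the @@ -2490 loop, the flags argument to _finstall() is assembled from a ternary split across three continuation lines, which buries the one security-relevant decision in unp_externalize(). Compute it into a local next to fp first, for example `int ffl = fdflags | (restrict_rights(fp, td) ? O_RESOLVE_BENEATH : 0);`, and pass that. The commit message refers to FD_RESOLVE_BENEATH while this code passes O_RESOLVE_BENEATH, so a one-line comment here on how _finstall() interprets the flag would help a reader who sees only this file.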