To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: af294329c57f - releng/14.4 - tty: Avoid leaving dangling pointers in tty_drop_ctty()
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/14.4
X-Git-Reftype: branch
X-Git-Commit: af294329c57f9bb9874411bc603f4c46a85c68e9
Date: Tue, 21 Apr 2026 15:45:31 +0000
Message-Id: <69e79b9b.34736.1061de19@gitrepo.freebsd.org>

The branch releng/14.4 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=af294329c57f9bb9874411bc603f4c46a85c68e9

commit af294329c57f9bb9874411bc603f4c46a85c68e9
Author:     Mark Johnston
AuthorDate: 2026-03-23 15:22:48 +0000
Commit:     Mark Johnston
CommitDate: 2026-04-21 15:45:06 +0000

    tty: Avoid leaving dangling pointers in tty_drop_ctty()

    The TIOCNOTTY handler detaches the calling process from its controlling
    terminal.  It clears the link from the session to the tty, but not the
    pointers from the tty to the session and process group.  This means that
    sess_release() doesn't call tty_rel_sess(), and that pgdelete() doesn't
    call tty_rel_pgrp(), so the pointers are left dangling.

    Fix this by clearing pointers in tty_drop_ctty().  Add a standalone
    regression test.

    Approved by:	so
    Security:	FreeBSD-SA-26:10.tty
    Security:	CVE-2026-5398
    Reported by:	Nicholas Carlini
    Reviewed by:	kib, kevans
    Fixes:	1b50b999f9b5 ("tty: implement TIOCNOTTY")
    Differential Revision:	https://reviews.freebsd.org/D56046
---
 sys/kern/tty.c                 |  4 +++
 tests/sys/kern/tty/Makefile    |  1 +
 tests/sys/kern/tty/tiocnotty.c | 82 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 87 insertions(+)
diff --git a/sys/kern/tty.c b/sys/kern/tty.c index 47f9f25cec37..508fa10fdd62 100644 --- a/sys/kern/tty.c +++ b/sys/kern/tty.c @@ -1262,6 +1262,10 @@ tty_drop_ctty(struct tty *tp, struct proc *p) session->s_ttydp = NULL; SESS_UNLOCK(session); + if (tp->t_session == session) { + tp->t_session = NULL; + tp->t_pgrp = NULL; + } tp->t_sessioncnt--; p->p_flag &= ~P_CONTROLT; PROC_UNLOCK(p); diff --git a/tests/sys/kern/tty/Makefile b/tests/sys/kern/tty/Makefile index 8628ab79875f..d134b3337a21 100644 --- a/tests/sys/kern/tty/Makefile +++ b/tests/sys/kern/tty/Makefile @@ -5,6 +5,7 @@ PLAIN_TESTS_PORCH+= test_canon PLAIN_TESTS_PORCH+= test_canon_fullbuf PLAIN_TESTS_PORCH+= test_ncanon PLAIN_TESTS_PORCH+= test_recanon +PLAIN_TESTS_C+= tiocnotty ATF_TESTS_C+= test_sti PROGS+= fionread diff --git a/tests/sys/kern/tty/tiocnotty.c b/tests/sys/kern/tty/tiocnotty.c new file mode 100644 index 000000000000..2581f976b2ef --- /dev/null +++ b/tests/sys/kern/tty/tiocnotty.c 
@@ -0,0 +1,82 @@ +/* + * Copyright (c) 2026 Mark Johnston + * + * SPDX-License-Identifier: BSD-2-Clause + */ + +/* + * A regression test that exercises a bug where TIOCNOTTY would leave some + * dangling pointers behind in the controlling terminal structure. + */ + +#include +#include + +#include +#include +#include +#include +#include + +int +main(void) +{ + int master, slave, status; + pid_t child; + + master = posix_openpt(O_RDWR | O_NOCTTY); + if (master < 0) + err(1, "posix_openpt"); + if (grantpt(master) < 0) + err(1, "grantpt"); + if (unlockpt(master) < 0) + err(1, "unlockpt"); + + child = fork(); + if (child < 0) + err(1, "fork"); + if (child == 0) { + if (setsid() < 0) + err(1, "setsid"); + slave = open(ptsname(master), O_RDWR | O_NOCTTY); + if (slave < 0) + err(2, "open"); + if (ioctl(slave, TIOCSCTTY, 0) < 0) + err(3, "ioctl(TIOCSCTTY)"); + /* Detach ourselves from the controlling terminal. */ + if (ioctl(slave, TIOCNOTTY, 0) < 0) + err(4, "ioctl(TIOCNOTTY)"); + _exit(0); + } + + if (waitpid(child, &status, 0) < 0) + err(1, "waitpid"); + if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) + errx(1, "child exited with status %d", WEXITSTATUS(status)); + + child = fork(); + if (child < 0) + err(1, "fork"); + if (child == 0) { + struct winsize winsz; + + if (setsid() < 0) + err(1, "setsid"); + slave = open(ptsname(master), O_RDWR | O_NOCTTY); + if (slave < 0) + err(2, "open"); + /* Dereferences dangling t_pgrp pointer in the terminal. */ + memset(&winsz, 0xff, sizeof(winsz)); + if (ioctl(slave, TIOCSWINSZ, &winsz) < 0) + err(3, "ioctl(TIOCSWINSZ)"); + /* Dereferences dangling t_session pointer in the terminal. */ + if (ioctl(slave, TIOCSCTTY, 0) < 0) + err(4, "ioctl(TIOCSCTTY)"); + _exit(0); + } + + if (waitpid(child, &status, 0) < 0) + err(1, "waitpid"); + if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) + errx(1, "child exited with status %d", WEXITSTATUS(status)); +}
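Review bot: in the sys/kern/tty.c hunk, the new stores to tp->t_session and tp->t_pgrp are made right after SESS_UNLOCK(session), and the visible context shows no tty lock assertion, so please confirm the tty lock is held for the whole of tty_drop_ctty() (the pre-existing tp->t_sessioncnt-- on the next line depends on the same guarantee). A one-line comment above `if (tp->t_session == session)` would also help future readers: it should say that the tty's forward pointers are only cleared when this session is still the one that owns the tty, and that t_pgrp is cleared together with t_session because the foreground pgrp belongs to that session. With both pointers NULL, sess_release() and pgdelete() still skip tty_rel_sess() and tty_rel_pgrp(), as the commit message describes, but the tty no longer references the session or pgrp that are about to be freed.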
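Review bot: in tests/sys/kern/tty/tiocnotty.c, both waitpid() checks fall through to `errx(1, "child exited with status %d", WEXITSTATUS(status))` even when WIFEXITED(status) is false, i.e. when the child was killed by a signal; WEXITSTATUS is meaningless in that case. Split the branch, e.g. `if (!WIFEXITED(status)) errx(1, "child killed by signal %d", WTERMSIG(status));` before the exit-status check, so a crashing child is reported accurately. The same block is duplicated for both children and could be a small helper. It is also worth a comment that the parent deliberately keeps `master` open across both forks: the pty, and any dangling t_session/t_pgrp left behind by the first child's TIOCNOTTY, has to survive the first session's exit for the second child's TIOCSWINSZ and TIOCSCTTY to reach the bug.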
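Added illustration, not part of this commit or of the FreeBSD kernel: a userland C model of the pointer bookkeeping the commit message describes, with the pre-fix and post-fix tty_drop_ctty() behaviour side by side. The field and function names echo sys/kern/tty.c (t_session, t_pgrp, t_sessioncnt, s_ttyp) but everything else is an assumption for the sake of the model: there are no locks, no reference counts, no pgrp/session lists, and freeing is modelled by a flag so that a dangling reference can be detected instead of crashing. The scenario function replays the steps of the tiocnotty.c regression test above.

```c
/*
 * Model of controlling-terminal bookkeeping (added example, not kernel code).
 * A tty points at its controlling session and foreground pgrp; the session
 * points back at the tty.  TIOCNOTTY must clear both directions, otherwise
 * releasing the session later leaves the tty pointing at freed memory.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct tty;

struct pgrp {
	bool		 pg_freed;	/* model: set instead of free() */
};

struct session {
	struct tty	*s_ttyp;	/* session -> tty link */
	bool		 s_freed;	/* model: set instead of free() */
};

struct tty {
	struct session	*t_session;	/* tty -> session link */
	struct pgrp	*t_pgrp;	/* tty -> foreground pgrp link */
	int		 t_sessioncnt;
};

/* TIOCSCTTY: make tp the controlling terminal of sess, foreground pgrp pg. */
static void
model_sctty(struct tty *tp, struct session *sess, struct pgrp *pg)
{
	sess->s_ttyp = tp;
	tp->t_session = sess;
	tp->t_pgrp = pg;
	tp->t_sessioncnt++;
}

/* Pre-fix tty_drop_ctty(): only the session -> tty link is cleared. */
static void
model_drop_ctty_buggy(struct tty *tp, struct session *sess)
{
	sess->s_ttyp = NULL;
	tp->t_sessioncnt--;
}

/* Post-fix tty_drop_ctty(): the tty -> session/pgrp links go too. */
static void
model_drop_ctty_fixed(struct tty *tp, struct session *sess)
{
	sess->s_ttyp = NULL;
	if (tp->t_session == sess) {
		tp->t_session = NULL;
		tp->t_pgrp = NULL;
	}
	tp->t_sessioncnt--;
}

/*
 * sess_release()/pgdelete(): as the commit message states, the tty back
 * pointers are only cleared (tty_rel_sess()/tty_rel_pgrp()) while the
 * session still points at a tty.  Afterwards session and pgrp are freed.
 */
static void
model_release(struct session *sess, struct pgrp *pg)
{
	if (sess->s_ttyp != NULL) {
		sess->s_ttyp->t_session = NULL;
		sess->s_ttyp->t_pgrp = NULL;
	}
	sess->s_freed = true;
	pg->pg_freed = true;
}

/* True if a later operation on tp would touch a freed session or pgrp. */
static bool
model_tty_dangling(const struct tty *tp)
{
	return ((tp->t_pgrp != NULL && tp->t_pgrp->pg_freed) ||
	    (tp->t_session != NULL && tp->t_session->s_freed));
}

/* Replay the tiocnotty.c scenario against one drop_ctty variant. */
static bool
scenario_leaves_dangling(void (*drop)(struct tty *, struct session *))
{
	struct tty tp;
	struct session sess;
	struct pgrp pg;

	memset(&tp, 0, sizeof(tp));
	memset(&sess, 0, sizeof(sess));
	memset(&pg, 0, sizeof(pg));

	model_sctty(&tp, &sess, &pg);	/* child 1: TIOCSCTTY */
	drop(&tp, &sess);		/* child 1: TIOCNOTTY */
	model_release(&sess, &pg);	/* child 1 exits: session, pgrp freed */
	return (model_tty_dangling(&tp)); /* child 2: TIOCSWINSZ/TIOCSCTTY */
}

int
main(void)
{
	printf("buggy drop_ctty leaves dangling pointers: %s\n",
	    scenario_leaves_dangling(model_drop_ctty_buggy) ? "yes" : "no");
	printf("fixed drop_ctty leaves dangling pointers: %s\n",
	    scenario_leaves_dangling(model_drop_ctty_fixed) ? "yes" : "no");
	return (0);
}
```

The point the model makes is the one the fix relies on: because sess_release() and pgdelete() only reach the tty through s_ttyp, clearing that link in TIOCNOTTY without also clearing t_session and t_pgrp guarantees that nobody else will ever clear them, so they have to be cleared at the same place the forward link is dropped.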