To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 44077c07f19f - releng/14.3 - tty: Avoid leaving dangling pointers in tty_drop_ctty()
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/14.3
X-Git-Reftype: branch
X-Git-Commit: 44077c07f19f5e60593dcd87f7c2c33ea7e5ca69
Date: Tue, 21 Apr 2026 15:46:01 +0000
Message-Id: <69e79bb9.36490.77ca0740@gitrepo.freebsd.org>

The branch releng/14.3 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=44077c07f19f5e60593dcd87f7c2c33ea7e5ca69

commit 44077c07f19f5e60593dcd87f7c2c33ea7e5ca69
Author:     Mark Johnston
AuthorDate: 2026-03-23 15:22:48 +0000
Commit:     Mark Johnston
CommitDate: 2026-04-21 15:45:50 +0000

    tty: Avoid leaving dangling pointers in tty_drop_ctty()

    The TIOCNOTTY handler detaches the calling process from its controlling
    terminal.  It clears the link from the session to the tty, but not the
    pointers from the tty to the session and process group.  This means that
    sess_release() doesn't call tty_rel_sess(), and that pgdelete() doesn't
    call tty_rel_pgrp(), so the pointers are left dangling.

    Fix this by clearing pointers in tty_drop_ctty().  Add a standalone
    regression test.

    Approved by:	so
    Security:	FreeBSD-SA-26:10.tty
    Security:	CVE-2026-5398
    Reported by:	Nicholas Carlini
    Reviewed by:	kib, kevans
    Fixes:	1b50b999f9b5 ("tty: implement TIOCNOTTY")
    Differential Revision:	https://reviews.freebsd.org/D56046
---
 sys/kern/tty.c             |  4 +++
 tests/sys/kern/Makefile    |  1 +
 tests/sys/kern/tiocnotty.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 87 insertions(+)
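The pointer bookkeeping the commit message describes, as an added user-space model that is not part of this commit or of the FreeBSD kernel: the struct fields and function names (s_ttyp, t_session, t_pgrp, tty_rel_sess, tty_rel_pgrp, sess_release) are borrowed from the kernel so the model reads like the real code, but every body here is an assumption reduced to the link maintenance only, and the pg_freed/s_freed flags stand in for free() so the result can be inspected without undefined behaviour. It runs the same sequence as the regression test (TIOCSCTTY, TIOCNOTTY, session exit) against a drop_ctty that clears only the session side and one that also clears the tty side, and reports whether the tty is left pointing at a released session or process group.

```c
/*
 * Added model of the session <-> tty link lifecycle.  Not kernel code:
 * names mirror FreeBSD's, bodies are assumptions covering pointer upkeep only.
 */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

struct tty;

struct pgrp {
	bool pg_freed;			/* set instead of free() so we can inspect it */
};

struct session {
	struct tty *s_ttyp;		/* session -> controlling tty */
	struct pgrp *s_leader_pgrp;	/* model-only: pgrp torn down with the session */
	bool s_freed;
};

struct tty {
	struct session *t_session;	/* tty -> session back-link */
	struct pgrp *t_pgrp;		/* tty -> foreground pgrp back-link */
	int t_sessioncnt;
};

/* tty side of teardown, invoked when the session / pgrp goes away. */
static void
tty_rel_sess(struct tty *tp, struct session *sess)
{
	if (tp->t_session == sess)
		tp->t_session = NULL;
}

static void
tty_rel_pgrp(struct tty *tp, struct pgrp *pg)
{
	if (tp->t_pgrp == pg)
		tp->t_pgrp = NULL;
}

/* TIOCSCTTY: make tp the controlling terminal of sess. */
static void
tty_set_ctty(struct tty *tp, struct session *sess, struct pgrp *pg)
{
	sess->s_ttyp = tp;
	tp->t_session = sess;
	tp->t_pgrp = pg;
	tp->t_sessioncnt++;
}

/* TIOCNOTTY before the fix: only the session -> tty link is cleared. */
static void
tty_drop_ctty_before(struct tty *tp, struct session *sess)
{
	sess->s_ttyp = NULL;
	tp->t_sessioncnt--;
}

/* TIOCNOTTY with the fix: tty -> session/pgrp back-links are cleared too. */
static void
tty_drop_ctty_after(struct tty *tp, struct session *sess)
{
	sess->s_ttyp = NULL;
	if (tp->t_session == sess) {
		tp->t_session = NULL;
		tp->t_pgrp = NULL;
	}
	tp->t_sessioncnt--;
}

/*
 * Session teardown only notifies the tty if the session still records a
 * controlling terminal, which is exactly the check TIOCNOTTY has defeated.
 */
static void
sess_release(struct session *sess)
{
	if (sess->s_ttyp != NULL) {
		tty_rel_pgrp(sess->s_ttyp, sess->s_leader_pgrp);
		tty_rel_sess(sess->s_ttyp, sess);
	}
	sess->s_leader_pgrp->pg_freed = true;
	sess->s_freed = true;
}

/* Run TIOCSCTTY, TIOCNOTTY, session exit; true if the tty is left dangling. */
static bool
tty_left_dangling(void (*drop)(struct tty *, struct session *))
{
	struct tty tp;
	struct session sess;
	struct pgrp pg;

	memset(&tp, 0, sizeof(tp));
	memset(&sess, 0, sizeof(sess));
	memset(&pg, 0, sizeof(pg));
	sess.s_leader_pgrp = &pg;

	tty_set_ctty(&tp, &sess, &pg);
	drop(&tp, &sess);
	sess_release(&sess);

	return ((tp.t_session != NULL && tp.t_session->s_freed) ||
	    (tp.t_pgrp != NULL && tp.t_pgrp->pg_freed));
}

bool
bug_reproduces(void)
{
	return (tty_left_dangling(tty_drop_ctty_before));
}

bool
fix_holds(void)
{
	return (!tty_left_dangling(tty_drop_ctty_after));
}
```

The invariant the model makes visible is that the two directions of the link are maintained by different teardown paths: sess_release() and pgdelete() clear the tty side only when the session side still says there is a controlling terminal, so any path that clears s_ttyp alone silently disables that cleanup. The guard on tp->t_session == session in the fixed variant is what keeps a tty that has since been claimed by another session from having that session's back-links wiped.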
diff --git a/sys/kern/tty.c b/sys/kern/tty.c index b1b3b268d0e9..a968762d6167 100644 --- a/sys/kern/tty.c +++ b/sys/kern/tty.c @@ -1262,6 +1262,10 @@ tty_drop_ctty(struct tty *tp, struct proc *p) session->s_ttydp = NULL; SESS_UNLOCK(session); + if (tp->t_session == session) { + tp->t_session = NULL; + tp->t_pgrp = NULL; + } tp->t_sessioncnt--; p->p_flag &= ~P_CONTROLT; PROC_UNLOCK(p); diff --git a/tests/sys/kern/Makefile b/tests/sys/kern/Makefile index eb5ea8c3c549..ac7e4898dfa0 100644 --- a/tests/sys/kern/Makefile +++ b/tests/sys/kern/Makefile @@ -41,6 +41,7 @@ ATF_TESTS_C+= subr_physmem_test PLAIN_TESTS_C+= subr_unit_test ATF_TESTS_C+= sysctl_kern_proc ATF_TESTS_C+= sys_getrandom +PLAIN_TESTS_C+= tiocnotty ATF_TESTS_C+= tty_pts ATF_TESTS_C+= unix_dgram ATF_TESTS_C+= unix_passfd_dgram diff --git a/tests/sys/kern/tiocnotty.c b/tests/sys/kern/tiocnotty.c new file mode 100644 index 000000000000..2581f976b2ef --- /dev/null +++ b/tests/sys/kern/tiocnotty.c 
@@ -0,0 +1,82 @@ +/* + * Copyright (c) 2026 Mark Johnston + * + * SPDX-License-Identifier: BSD-2-Clause + */ + +/* + * A regression test that exercises a bug where TIOCNOTTY would leave some + * dangling pointers behind in the controlling terminal structure. + */ + +#include +#include + +#include +#include +#include +#include +#include + +int +main(void) +{ + int master, slave, status; + pid_t child; + + master = posix_openpt(O_RDWR | O_NOCTTY); + if (master < 0) + err(1, "posix_openpt"); + if (grantpt(master) < 0) + err(1, "grantpt"); + if (unlockpt(master) < 0) + err(1, "unlockpt"); + + child = fork(); + if (child < 0) + err(1, "fork"); + if (child == 0) { + if (setsid() < 0) + err(1, "setsid"); + slave = open(ptsname(master), O_RDWR | O_NOCTTY); + if (slave < 0) + err(2, "open"); + if (ioctl(slave, TIOCSCTTY, 0) < 0) + err(3, "ioctl(TIOCSCTTY)"); + /* Detach ourselves from the controlling terminal. */ + if (ioctl(slave, TIOCNOTTY, 0) < 0) + err(4, "ioctl(TIOCNOTTY)"); + _exit(0); + } + + if (waitpid(child, &status, 0) < 0) + err(1, "waitpid"); + if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) + errx(1, "child exited with status %d", WEXITSTATUS(status)); + + child = fork(); + if (child < 0) + err(1, "fork"); + if (child == 0) { + struct winsize winsz; + + if (setsid() < 0) + err(1, "setsid"); + slave = open(ptsname(master), O_RDWR | O_NOCTTY); + if (slave < 0) + err(2, "open"); + /* Dereferences dangling t_pgrp pointer in the terminal. */ + memset(&winsz, 0xff, sizeof(winsz)); + if (ioctl(slave, TIOCSWINSZ, &winsz) < 0) + err(3, "ioctl(TIOCSWINSZ)"); + /* Dereferences dangling t_session pointer in the terminal. */ + if (ioctl(slave, TIOCSCTTY, 0) < 0) + err(4, "ioctl(TIOCSCTTY)"); + _exit(0); + } + + if (waitpid(child, &status, 0) < 0) + err(1, "waitpid"); + if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) + errx(1, "child exited with status %d", WEXITSTATUS(status)); +}
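Review bot: In the sys/kern/tty.c hunk, the new `if (tp->t_session == session)` block sits immediately after SESS_UNLOCK(session), so the comparison and the clearing of t_session and t_pgrp are serialised by the tty lock alone; a tty_assert_locked(tp) next to the block, if the function does not already assert it above this hunk, plus a one-line comment saying why the guard is needed (the tty may meanwhile have been claimed by a different session, whose back-links must not be cleared), would make the reasoning explicit for the next reader. It is also worth a comment that clearing the pointers here by hand is what stands in for the tty_rel_sess()/tty_rel_pgrp() calls that sess_release() and pgdelete() will no longer make, since that is the whole point of the change.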
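Review bot: In tests/sys/kern/tiocnotty.c, both `errx(1, "child exited with status %d", WEXITSTATUS(status))` calls also fire when WIFEXITED(status) is false, i.e. when the child was killed by a signal, and in that case WEXITSTATUS() is meaningless and the message misreports what happened; report WTERMSIG(status) in the !WIFEXITED case instead. The header comment should also say how a failure manifests: the TIOCSWINSZ and TIOCSCTTY ioctls in the second child dereference kernel pointers into freed memory on an unfixed kernel, so the expected failure is a kernel panic or other kernel-side misbehaviour rather than a non-zero exit from the child. Minor: the second child reopens the slave by name via ptsname(master), so the master must stay open across both forks for the pty to remain allocated; a comment noting that would explain why master is never closed.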