To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Cc: Dag-Erling Smørgrav
From: Mark Johnston
Subject: git: e4781e4e6d88 - releng/15.0 - blocklistd: Fix multiple bugs
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/15.0
X-Git-Reftype: branch
X-Git-Commit: e4781e4e6d88f73d6fe266eb520c240a343fafcf
Date: Tue, 10 Feb 2026 17:56:11 +0000
Message-Id: <698b713b.264d7.6229df2d@gitrepo.freebsd.org>

The branch releng/15.0 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=e4781e4e6d88f73d6fe266eb520c240a343fafcf

commit e4781e4e6d88f73d6fe266eb520c240a343fafcf
Author:     Dag-Erling Smørgrav
AuthorDate: 2026-02-07 14:38:34 +0000
Commit:     Mark Johnston
CommitDate: 2026-02-09 17:54:29 +0000

    blocklistd: Fix multiple bugs

    * Fix file descriptor leak in the server
    * Fix race between parent and child in popenve()
    * Don't assume fdopen() can't fail

    Approved by: so
    Security: FreeBSD-SA-26:03.blocklistd
    Security: CVE-2026-2261
---
 contrib/blocklist/bin/blacklistd.c |  8 +++--
 contrib/blocklist/bin/blocklistd.c |  8 +++--
 contrib/blocklist/port/popenve.c   | 61 ++++++++++++++++++++------------------
 3 files changed, 42 insertions(+), 35 deletions(-)

diff --git a/contrib/blocklist/bin/blacklistd.c b/contrib/blocklist/bin/blacklistd.c index cb6ce6578d9c..6021e70f214c 100644 --- a/contrib/blocklist/bin/blacklistd.c +++ b/contrib/blocklist/bin/blacklistd.c @@ -191,7 +191,7 @@ process(bl_t bl) } if (getremoteaddress(bi, &rss, &rsl) == -1) - return; + goto out; if (debug || bi->bi_msg[0]) { sockaddr_snprintf(rbuf, sizeof(rbuf), "%a:%p", (void *)&rss); 
@@ -204,12 +204,12 @@ process(bl_t bl) if (conf_find(bi->bi_fd, bi->bi_uid, &rss, &c) == NULL) { (*lfun)(LOG_DEBUG, "no rule matched"); - return; + goto out; } if (state_get(state, &c, &dbi) == -1) - return; + goto out; if (debug) { char b1[128], b2[128]; @@ -269,6 +269,8 @@ process(bl_t bl) state_put(state, &c, &dbi); out: + close(bi->bi_fd); + if (debug) { char b1[128], b2[128]; (*lfun)(LOG_DEBUG, "%s: final db state for %s: count=%d/%d " diff --git a/contrib/blocklist/bin/blocklistd.c b/contrib/blocklist/bin/blocklistd.c index 47c145c7aae1..ffa2ff2d74a6 100644 --- a/contrib/blocklist/bin/blocklistd.c +++ b/contrib/blocklist/bin/blocklistd.c @@ -191,7 +191,7 @@ process(bl_t bl) } if (getremoteaddress(bi, &rss, &rsl) == -1) - return; + goto out; if (debug || bi->bi_msg[0]) { sockaddr_snprintf(rbuf, sizeof(rbuf), "%a:%p", (void *)&rss); @@ -204,12 +204,12 @@ process(bl_t bl) if (conf_find(bi->bi_fd, bi->bi_uid, &rss, &c) == NULL) { (*lfun)(LOG_DEBUG, "no rule matched"); - return; + goto out; } if (state_get(state, &c, &dbi) == -1) - return; + goto out; if (debug) { char b1[128], b2[128]; @@ -269,6 +269,8 @@ process(bl_t bl) state_put(state, &c, &dbi); out: + close(bi->bi_fd); + if (debug) { char b1[128], b2[128]; (*lfun)(LOG_DEBUG, "%s: final db state for %s: count=%d/%d " diff --git a/contrib/blocklist/port/popenve.c b/contrib/blocklist/port/popenve.c index bdff8cdc1de4..e80058a8599a 100644 --- a/contrib/blocklist/port/popenve.c +++ b/contrib/blocklist/port/popenve.c 
@@ -111,11 +111,25 @@ pdes_get(int *pdes, const char **type) #endif } - if ((cur = malloc(sizeof(*cur))) != NULL) - return cur; + if ((cur = malloc(sizeof(*cur))) != NULL) { + if (**type == 'r') { + cur->fp = fdopen(pdes[0], *type); +#ifdef _REENTRANT + cur->fd = pdes[0]; +#endif + } else { + cur->fp = fdopen(pdes[1], *type); +#ifdef _REENTRANT + cur->fd = pdes[1]; +#endif + } + if (cur->fp != NULL) + return cur; + } serrno = errno; (void)close(pdes[0]); (void)close(pdes[1]); + free(cur); errno = serrno; return NULL; } @@ -125,16 +139,6 @@ pdes_child(int *pdes, const char *type) { struct pid *old; - /* POSIX.2 B.3.2.2 "popen() shall ensure that any streams - from previous popen() calls that remain open in the - parent process are closed in the new child process. */ - for (old = pidlist; old; old = old->next) -#ifdef _REENTRANT - (void)close(old->fd); /* don't allow a flush */ -#else - (void)close(fileno(old->fp)); /* don't allow a flush */ -#endif - if (type[0] == 'r') { (void)close(pdes[0]); if (pdes[1] != STDOUT_FILENO) { 
@@ -150,31 +154,30 @@ pdes_child(int *pdes, const char *type) (void)close(pdes[0]); } } + + /* POSIX.2 B.3.2.2 "popen() shall ensure that any streams + from previous popen() calls that remain open in the + parent process are closed in the new child process. */ + for (old = pidlist; old; old = old->next) { +#ifdef _REENTRANT + (void)close(old->fd); /* don't allow a flush */ +#else + (void)close(fileno(old->fp)); /* don't allow a flush */ +#endif + } } static void pdes_parent(int *pdes, struct pid *cur, pid_t pid, const char *type) { - FILE *iop; - - /* Parent; assume fdopen can't fail. */ - if (*type == 'r') { - iop = fdopen(pdes[0], type); -#ifdef _REENTRANT - cur->fd = pdes[0]; -#endif + /* Parent */ + if (*type == 'r') (void)close(pdes[1]); - } else { - iop = fdopen(pdes[1], type); -#ifdef _REENTRANT - cur->fd = pdes[1]; -#endif + else (void)close(pdes[0]); - } /* Link into list of file descriptors. */ - cur->fp = iop; - cur->pid = pid; + cur->pid = pid; cur->next = pidlist; pidlist = cur; } @@ -200,7 +203,7 @@ popenve(const char *cmd, char *const *argv, char *const *envp, const char *type) #ifdef _REENTRANT (void)rwlock_rdlock(&pidlist_lock); #endif - switch (pid = vfork()) { + switch (pid = fork()) { case -1: /* Error. */ serrno = errno; #ifdef _REENTRANT
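Review bot: in process() (the identical hunks in blacklistd.c and blocklistd.c), the three new `goto out` paths now fall into the debug block under `out:`, whose format string is "final db state for %s: count=%d/%d", before state_get() has succeeded, and the getremoteaddress() failure also jumps over the `sockaddr_snprintf(rbuf, ...)` call. The hunks do not show whether rbuf, c and dbi are initialised at the top of the function; if they are not, running with debug set logs indeterminate stack contents on these paths. Either zero them on entry or give the early exits their own label after the debug block, so that they only run `close(bi->bi_fd);`.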
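Review bot: in pdes_get(), the two branches of the new `if (**type == 'r')` differ only in the pipe index, so the fdopen() call and the `#ifdef _REENTRANT` assignment of cur->fd are each written twice. Select the descriptor once (for example `int fd = pdes[**type == 'r' ? 0 : 1];`) and call `fdopen(fd, *type)` a single time, which leaves one place to check for failure. The function now returns with cur->fp already open, and that deserves a line in its comment, because every later error path in popenve() has to release the stream as well as the structure.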
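Review bot: in pdes_child(), the loop over pidlist that was removed from the top of the function and re-added at the bottom now runs after the pipe end has been moved onto the standard descriptor (the `if (pdes[1] != STDOUT_FILENO)` branch and its stdin counterpart). If an entry left by an earlier popenve() has old->fd equal to STDIN_FILENO or STDOUT_FILENO, the loop closes the descriptor that was just installed for the child; in the old order the close happened first and the dup replaced it. Skip the descriptor the child has just set up, or add a comment saying why a pidlist entry can never hold 0 or 1. The `cur->pid = pid;` line in pdes_parent() is a whitespace-only change and adds noise to a security backport.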
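Review bot: in popenve(), the change from `vfork()` to `fork()` carries no comment saying why, although the child goes on to walk pidlist and close descriptors in pdes_child(); a one-line comment at the `switch (pid = fork())` would stop a later cleanup from switching it back. The `case -1:` branch is cut off here after `serrno = errno;`, so please confirm that it now releases cur->fp with fclose() and closes only the other pipe end, since pdes_get() has already wrapped one end in a stream.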