BSDSec

deadsimple BSD Security Advisories and Announcements

FreeBSD Errata Notice FreeBSD-EN-25:09.libc

2 July, 2025 by errata-notices@freebsd.org | freebsd 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-25:09.libc                                           Errata Notice
                                                          The FreeBSD Project

Topic:          Dynamically-loaded C++ libraries crashing at exit

Category:       core
Module:         libc
Announced:      2025-07-02
Affects:        FreeBSD 13.5 and FreeBSD 14.2
Corrected:      2025-04-17 01:01:36 UTC (stable/14, 14.2-STABLE)
                2025-07-02 18:28:08 UTC (releng/14.2, 14.2-RELEASE-p4)
                2025-04-17 01:02:12 UTC (stable/13, 13.5-STABLE)
                2025-07-02 18:28:28 UTC (releng/13.5, 13.5-RELEASE-p2)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I.   Background

In C++, global objects' destructors are called at unload or exit time.
Global objects may be created either as objects in a global scope, or as
objects in a function scope declared with the `static` keyword.

II.  Problem Description

Object destructors can create further global objects through the second
mechanism described above, function-scoped objects with the `static` keyword.

Creation of these objects adds more destructors that should be called at
unload or exit time while the application is already in the middle of
processing those destructors in reverse order from when they're added.  As a
result, these newly added destructors are not called at unload time when the
C++ library has been loaded dynamically via dlopen() and subsequently
unloaded with dlclose().

III. Impact

The destructors that are not called at unload time are later attempted to be
called when the program exits, which may result in a crash as the library's
code has already been unmapped from the program's address space.

IV.  Workaround

No workaround is available.  C++ libraries that do not create more objects in
destructors are not affected.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date and restart any affected
services, or reboot the system.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-25:09/libc.patch
# fetch https://security.FreeBSD.org/patches/EN-25:09/libc.patch.asc
# gpg --verify libc.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              c43ae65b4b89    stable/14-n271080
releng/14.2/                            89a2823e17e5  releng/14.2-n269525
stable/13/                              04f7496f89e2    stable/13-n259249
releng/13.5/                            f936833911d7  releng/13.5-n259167
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id(5870>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:09.libc.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmhlfSIACgkQbljekB8A
Gu8InA/6A0/ctlk0xDhDe7kMcu3NzV8lFmBz2d1577WU8E+A8F9KAEEGEHS1wPeK
qZL4YtcVQ4hGDKot5yg9Cvdmvqsvuv0sP7RmG2xyQKnx6THHezlzxXcKC+UYRgtg
9mDWB8/1zC/L8XYcBdJtog0HZnRRjQ8fVVJKVySItCz9rGCmc0XKX1PhKqR4ZQDL
ErfrUlymDCB8CW0NCeRUO5sPniT+dCf8Bv/OJdB3NFvuVYA6XqIlo397dDPGkltV
K4bDEbjuRi4ELuTlybEtzMDWrDb+YOAuFF8cWCzyJpkRiSZQAarIwBhxoqVdw6+p
9JN6i2p5RIis1DNCXomyip8JrgH8iDzUbGgehwEjhMbDi4YY6FK9ZQ5nTve5X/oX
o4q+oMIoCItAl4x1GqUNlZ/TP6Zk1fk9pObNb9IuM9W9kQJIWI/DQ3XMlYN57cTC
oS47PlJR+h09N6jA0Zfmek7ciFLGmhRpdc1MVfgTHNkT532HLpzHztckECWD0l7C
ni92CH7JW2rBI0AKDYGEA/s9fhhlkdyrQjASdSJwDFfpVQyuUWLja7NaFAmtPCEF
PjY+ZQsAQlZiusvHXDGNxlUE27LxFR44AdR4UhVGvkPfbjuQNPuxV+vsxZa743zt
GsVUwI4FmwaUf1IygAd9akFikRcS0s57wOHqcWh/B+iv/OW+MA4=VsbO
-----END PGP SIGNATURE-----