BSDSec

deadsimple BSD Security Advisories and Announcements

FreeBSD Errata Notice FreeBSD-EN-25:15.arm64

16 September, 2025 by errata-notices@freebsd.org | freebsd 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-25:15.arm64                                          Errata Notice
                                                          The FreeBSD Project

Topic:          arm64 syscall(2) allows unprivileged user to panic kernel

Category:       core
Module:         arm64
Announced:      2025-09-16
Credits:        Juniper Networks, Inc.
Affects:        All supported versions of FreeBSD.
Corrected:      2025-08-25 15:23:01 UTC (stable/14, 14.3-STABLE)
                2025-09-16 16:31:06 UTC (releng/14.3, 14.3-RELEASE-p3)
                2025-09-16 16:31:17 UTC (releng/14.2, 14.2-RELEASE-p6)
                2025-08-25 15:23:22 UTC (stable/13, 13.5-STABLE)
                2025-09-16 16:31:26 UTC (releng/13.5, 13.5-RELEASE-p4)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I.   Background

The FreeBSD arm64 kernel implements a 32-bit compatibility layer, enabling
execution of unmodified 32-bit arm binaries on a 64-bit system.

FreeBSD implements a pseudo system call, syscall(2), which lets the caller
invoke a system call selected using the first system call argument.

II.  Problem Description

The 32-bit compatibility layer implements syscall(2).  It performs some
validation of the system call parameters and explicitly calls panic() to
panic the system if an unexpected state is reached.

It is possible to construct a program which can reach this unexpected state,
resulting in a panic.  In particular, no particular privileges are required
to do so.

III. Impact

An unprivileged user may be able to trigger a panic.

IV.  Workaround

No workaround is available.  Non-arm64 platforms are unaffected.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-25:15/arm64.patch
# fetch https://security.FreeBSD.org/patches/EN-25:15/arm64.patch.asc
# gpg --verify arm64.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              17d87881a363    stable/14-n272249
releng/14.3/                            99012995b4c6  releng/14.3-n271440
releng/14.2/                            722746b39e6e  releng/14.2-n269534
stable/13/                              98ac13c4baf5    stable/13-n259404
releng/13.5/                            751971e55454  releng/13.5-n259175
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:15.arm64.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmjJlBEACgkQbljekB8A
Gu+13w//fHfH1hAOg+FGwV3ZoMh2oEVd+VmkLg/CdghL9T+dGwqzIMOliXMKhaZq
Nzk++lmKlzdpuDEqaw1ikj+bJ+knhrZyAziTlxpB2uly6K119hchAU5TQK2M6D4W
8aQWxeJMPxobsfxi9JciVMWcQK9XsurwUzlCDuLvGgUMPPaMVdy89U86NnKo66eE
fjK2l1Mc730wtisTuTLkY1SHPBchvm20ehu8BVpx4eBEHnecqRaUxQHy2yxTi+/0
IKrwnpvz8S7/QLcED6TSCKsuLDY/uOx8x6N9PlHHvcLay/ImyvhTPavREld/b3nM
YC8fFb7bjguPZCC222nr/J+/YkD+2+EqVHPOAq7HxVT0uqss7BL9qwIywg0CIhvT
G3fw121L7cwXI/f/Hw6coVTFHnNXUB48FyIFkEXPdMxrNBUSE/KejYjkkJ2YaRir
kXZboMMOoxIf0NPNmv78v+PBj3jpbPP2epjhIk0I5D6uNzdjXEqRlRNgBhqc01Qn
veu+1tEox5Y0Zp4Mum0EipuTaZMjeT4hwmt9zwogsYEZFnyIvilzIOc3zEFRB4Y2
IB1EUkw49V/zzHn5KnVujaUiVOdVUxe6G8txFcPIT66mPdJZmKO1fbD3pR/0NDj6
Smj07jNL8PskCLuoe0MmMFiNJI3CHTh+6Ly39j5UpnSsPCPRTyMXzg
-----END PGP SIGNATURE-----