Page MenuHomeFreeBSD
Paste P710

syslogd erratum
ActivePublic
Actions

Authored by dch on Tue, May 26, 9:20 PM.
Tags
None
Referenced Files
F157953916: syslogd erratum
Tue, May 26, 9:20 PM
Subscribers
cperciva
patmaddox
secteam
=============================================================================
FreeBSD-EN-26:XX.syslogd Errata Notice
The FreeBSD Project
Topic: syslogd memory leak in casper_ttymsg()
Category: core
Module: syslogd
Announced: 2026-XX-XX
Credits: Pat Maddox
Affects: FreeBSD 15.0 and 15.1
Corrected: 2026-05-22 21:45:30 UTC (main, 16.0-CURRENT)
2026-05-26 20:37:18 UTC (stable/15, 15.1-STABLE)
XX (releng/15.1, 15.1-RELEASE-pXX)
XX (releng/15.0, 15.0-RELEASE-pXX)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
syslogd(8) is the system log daemon, responsible for receiving log
messages from the kernel and from userland programs and dispatching
them according to syslog.conf(5). As of commit 61a29eca550b, syslogd
delegates the actual writing of messages to a libcasper(3) service
(syslogd.casper) running in a sandboxed process. Messages destined
for the console and for logged-in users' terminals are passed across the
Casper channel as nvlist(9) string arrays, and dispatched by
casper_ttymsg() and casper_wallmsg().
II. Problem Description
casper_ttymsg() and casper_wallmsg() retrieve the message string
array from the incoming nvlist using nvlist_take_string_array(9),
which transfers ownership of the array and its strings to the caller.
casper_ttymsg() never frees the returned storage, and casper_wallmsg()
frees only the per-string buffers, never the array itself in the success
path. Every console and tty message therefore leaks memory in the
syslogd.casper process.
III. Impact
On long-running systems that emit a steady stream of log messages routed
to /dev/console or to user terminals, the resident size of syslogd.casper
helper process grows without bound. This may eventually lead to memory
pressure, including swap usage, or process termination by the
out-of-memory killer. syslogd itself continues to function.
IV. Workaround
Periodically restarting syslogd will reclaim leaked memory. Systems that
do not direct syslog output to /dev/console, terminals, or wall
destinations are not affected.
V. Solution
Upgrade your system to a supported FreeBSD stable, release, or security
branch, dated after the correction date.
Perform one of the following:
1) To update your system installed from base system packages:
Systems running a 15.0-RELEASE or 15.1-RELEASE version of FreeBSD on the
amd64 or arm64 platforms, which were installed using base system packages,
can be updated via the pkg(8) utility:
# pkg upgrade -r FreeBSD-base
Restart syslogd (service syslogd restart), or reboot the system.
2) To update your system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Restart syslogd (service syslogd restart), or reboot the system.
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-26:XX/syslogd.patch
# fetch https://security.FreeBSD.org/patches/EN-26:XX/syslogd.patch.asc
# gpg --verify syslogd.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart syslogd (service syslogd restart), or reboot the system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
-------------------------------------------------------------------------
main/ c783d7181d6a main/n286078
stable/15/ be03b0fb2241 stable/15-n283693
releng/15.0/ XXX releng/15.0-nXX
releng/15.1/ XXX releng/15.0-nXX
-------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat <commit hash>
Or visit the following URL, replacing NNNNNN with the hash:
<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
<URL:https://cgit.freebsd.org/src/commit/?id=c783d7181d6a71cb2453f06e40c08c892510c2f2>
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295488>
<URL:https://github.com/freebsd/freebsd-src/pull/2222>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-26:XX.syslogd.asc>

Event Timeline

dch created this paste.Tue, May 26, 9:20 PM
dch created this object in space S1 Global.