git: 4acc2b5c61a7 - stable/13 - libnv: switch fd_wait() from select(2) to poll(2)
Date: Wed, 29 Apr 2026 14:50:09 UTC
The branch stable/13 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=4acc2b5c61a7be9bbd88fe601a9bc0a044060d79
commit 4acc2b5c61a7be9bbd88fe601a9bc0a044060d79
Author: Mariusz Zaborski <oshogbo@FreeBSD.org>
AuthorDate: 2026-04-28 14:35:10 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-04-28 19:36:05 +0000
libnv: switch fd_wait() from select(2) to poll(2)
The previous implementation used FD_SET() on a stack-allocated fd_set,
which is an out-of-bounds write whenever the socket fd is >= FD_SETSIZE
(1024).
Approved by: so
Security: FreeBSD-SA-26:16.libnv
Security: CVE-2026-39457
Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/)
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D56689
---
lib/libnv/msgio.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/lib/libnv/msgio.c b/lib/libnv/msgio.c
index afc02dba7a46..e73484878ae7 100644
--- a/lib/libnv/msgio.c
+++ b/lib/libnv/msgio.c
@@ -33,10 +33,10 @@
#include <sys/cdefs.h>
#include <sys/param.h>
#include <sys/socket.h>
-#include <sys/select.h>
#include <errno.h>
#include <fcntl.h>
+#include <poll.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
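Review bot: dropping `#include <sys/select.h>` in this include block is only safe if fd_wait() was the sole user of fd_set, FD_SET() and select() in msgio.c. The diffstat (6 insertions, 6 deletions) is fully accounted for by the two hunks shown, so nothing else in the file was changed. A quick grep of the file for FD_SET and select( is worth doing before merge, because a leftover use may still compile if another header provides the declarations, and it would carry the same fd >= FD_SETSIZE problem the commit message describes.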
@@ -87,14 +87,14 @@ msghdr_add_fd(struct cmsghdr *cmsg, int fd)
static void
fd_wait(int fd, bool doread)
{
- fd_set fds;
+ struct pollfd pfd;
PJDLOG_ASSERT(fd >= 0);
- FD_ZERO(&fds);
- FD_SET(fd, &fds);
- (void)select(fd + 1, doread ? &fds : NULL, doread ? NULL : &fds,
- NULL, NULL);
+ pfd.fd = fd;
+ pfd.events = doread ? POLLIN : POLLOUT;
+ pfd.revents = 0;
+ (void)poll(&pfd, 1, -1);
}
static int
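Review bot: the result of `(void)poll(&pfd, 1, -1);` in fd_wait() is still discarded, as it was for select(), so a return of -1 with EINTR, or POLLERR/POLLHUP/POLLNVAL reported in pfd.revents, looks the same to the caller as the descriptor becoming ready. That is acceptable only if every caller retries the following send or receive and handles the failure there; the callers are not visible in this hunk, so a one-line comment above the poll() call stating that contract would make the intent explicit. The remaining `PJDLOG_ASSERT(fd >= 0);` is now a sufficient precondition, since struct pollfd stores the descriptor by value and has no FD_SETSIZE limit. Minor: `pfd.revents = 0;` is redundant because poll() writes that field, though it is harmless to keep.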