From nobody Thu Mar 26 01:11:20 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4fh5MD6wPSz6X3xr for ; Thu, 26 Mar 2026 01:11:20 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4fh5MD5Zpxz3FG2 for ; Thu, 26 Mar 2026 01:11:20 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1774487480; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=rHVN7IGv5vBfXQtyGJuo37zSx1iOdzKMKxtGrvsL5X4=; b=NLxoY/L+Om8jbhf7aD+YGsnCAT+woYjeWQXBlFwKtZbWM71Ookrm7vmH49PzUWHpaOtKQN jllG9X7fGyMr7V+LVHKcXP7RXnVxFRsVrO9/e8tNFnw7vMsedwjXpXOlWl9udDS5Qemzb6 OXA6Ok2qbTcV6Ol3bH4sRgwR6hLsCTFZPSox3tZIjf01P7VZ0oso82AhmG6Cqi0D2uOv8X r+imc099JZ2D0wvzYv5x4lt1CnJUQ8VQVb/BVJdlXj9PvXi4IQnr4ToD4/YLRDv0wZg8Xx FNPXvjgAQxZi3lH8fCJO5rgdwaOM/YGCVdd7DbBVgpX6oEbEitL9mU8QNrVCeA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1774487480; a=rsa-sha256; cv=none; b=m3QGF1bxN0gzqR+9/XxnB+FbSRI/6NKPb09fDOZymIB2opFXnoeGo8BtQiQG1N4wudN+rd aNexHOdEtHPFJnoQ/9B8wPNaOpQydkDTBnw+bGo8g2dyKidTs+PaBEZfVSLG6WXM6nKml5 ET2MNwqe+X5qB2wRgk8Q4iw9iMGmr44qus3SeyXGoh2HL0a696jMZpl8NyNCkwEK0TP/D+ rgckqf4CDobmUU9t3H4CKlJd9lZQRA5Xolh7u4eTxW+VaA0NVNkrUoqcsnEcLTd6KDLbve T327aFhbU2tR0pH4jUBkZG/1ofCuP9IN10jZNbxGRV+g3OHtGlOmlGO57eM9Kw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1774487480; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=rHVN7IGv5vBfXQtyGJuo37zSx1iOdzKMKxtGrvsL5X4=; b=XVo0oMg8w8I7heOmSSgrIg5S/VOhU5D0Qv2g5asbsT6mtqYCPCPPNJ+VwpG30K55y4zKQe 9DgzBQesHPFxaSf5ZhoZPTEHMkC7rxWC3RSvlzph+XK/18Jtwc8fuEL79BLbCIQ9kBL7EJ /5nmwYZ6BDxUuXWDgtXCtG7BPVCZhLctb5hIkSH9rVmkTNW6wyAuDBldm6WsiVE0O1GBZo Hte0CFr3BjIH8tchJPW3Ghb6dHHxj9HFkbdwf+krxOZhillzw8Q03lPtbbKS18W8fJ1BL6 5VjcxJOCyBViTY8mpLJH+kxaVJ6jKIqmGDzOHaas3UgLTlvsyy1WuGcoSziljQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4fh5MD4jx2zVMf for ; Thu, 26 Mar 2026 01:11:20 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 196b1 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Thu, 26 Mar 2026 01:11:20 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Mark Johnston From: Philip Paeps Subject: git: 4ec1b6213463 - releng/15.0 - rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate() List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: philip X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.0 X-Git-Reftype: branch X-Git-Commit: 4ec1b621346337ae97089d85430d8439afe85806 Auto-Submitted: auto-generated Date: Thu, 26 Mar 2026 01:11:20 +0000 Message-Id: <69c487b8.196b1.6057ebe0@gitrepo.freebsd.org> The branch releng/15.0 has been updated by philip: URL: https://cgit.FreeBSD.org/src/commit/?id=4ec1b621346337ae97089d85430d8439afe85806 commit 4ec1b621346337ae97089d85430d8439afe85806 Author: Mark Johnston AuthorDate: 2026-03-24 02:12:42 +0000 Commit: Philip Paeps CommitDate: 2026-03-25 06:51:29 +0000 rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate() svc_rpc_gss_validate() copies the input message into a stack buffer without ensuring that the buffer is large enough. Sure enough, oa_length may be up to 400 bytes, much larger than the provided space. This enables an unauthenticated user to trigger an overflow and obtain remote code execution. Add a runtime check which verifies that the copy won't overflow. Approved by: so Security: FreeBSD-SA-26:08.rpcsec_gss Security: CVE-2026-4747 Reported by: Nicholas Carlini Reviewed by: rmacklem Fixes: a9148abd9da5d --- lib/librpcsec_gss/svc_rpcsec_gss.c | 9 ++++++++- sys/rpc/rpcsec_gss/svc_rpcsec_gss.c | 10 +++++++++- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/lib/librpcsec_gss/svc_rpcsec_gss.c b/lib/librpcsec_gss/svc_rpcsec_gss.c index e9d39a813f86..73b92371e6d0 100644 --- a/lib/librpcsec_gss/svc_rpcsec_gss.c +++ b/lib/librpcsec_gss/svc_rpcsec_gss.c @@ -758,6 +758,14 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg, memset(rpchdr, 0, sizeof(rpchdr)); + oa = &msg->rm_call.cb_cred; + + if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT) { + log_debug("auth length %d exceeds maximum", oa->oa_length); + client->cl_state = CLIENT_STALE; + return (FALSE); + } + /* Reconstruct RPC header for signing (from xdr_callmsg). */ buf = rpchdr; IXDR_PUT_LONG(buf, msg->rm_xid); @@ -766,7 +774,6 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg, IXDR_PUT_LONG(buf, msg->rm_call.cb_prog); IXDR_PUT_LONG(buf, msg->rm_call.cb_vers); IXDR_PUT_LONG(buf, msg->rm_call.cb_proc); - oa = &msg->rm_call.cb_cred; IXDR_PUT_ENUM(buf, oa->oa_flavor); IXDR_PUT_LONG(buf, oa->oa_length); if (oa->oa_length) { diff --git a/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c b/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c index 35c904560836..528112d5642a 100644 --- a/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c +++ b/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c @@ -1170,6 +1170,15 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg, memset(rpchdr, 0, sizeof(rpchdr)); + oa = &msg->rm_call.cb_cred; + + if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT) { + rpc_gss_log_debug("auth length %d exceeds maximum", + oa->oa_length); + client->cl_state = CLIENT_STALE; + return (FALSE); + } + /* Reconstruct RPC header for signing (from xdr_callmsg). */ buf = rpchdr; IXDR_PUT_LONG(buf, msg->rm_xid); @@ -1178,7 +1187,6 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg, IXDR_PUT_LONG(buf, msg->rm_call.cb_prog); IXDR_PUT_LONG(buf, msg->rm_call.cb_vers); IXDR_PUT_LONG(buf, msg->rm_call.cb_proc); - oa = &msg->rm_call.cb_cred; IXDR_PUT_ENUM(buf, oa->oa_flavor); IXDR_PUT_LONG(buf, oa->oa_length); if (oa->oa_length) {