From nobody Thu Mar 26 01:14:55 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4fh5RN242Vz6X43V for ; Thu, 26 Mar 2026 01:14:56 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4fh5RN0BQBz3K3v for ; Thu, 26 Mar 2026 01:14:56 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1774487696; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=9n1rq3RRY9r/IQjfHhDFttqK2hIq4bZaPDXCwaq5H/Q=; b=WzQsjblSdy7vL1rhw4tytbc9YWbE1pSC59gZK/YmTBdu7p4v461Nf4yyzvrnyX9Awk9JqA qejWhSCo9ORoSM/Xw6cNfkGMM0lVvUCIrPnGt/vDDX/S//0oSwliZbiVkqzugsZl5hfwQd RHzTvWDg5jlnYe80XqZUFEfAtgb7TV/rC9mr8/pX2uqPhlP3CxZc0mMNu3wN4eQPFhoAer v4FNNPUdK+/UIqwMUsi/LRlKzwO0ptsG8KwHtwX0Y4TWbfK5P2ighZXs3ErXChtiHaGI5c X/EXSkOW+hP8bNvxHPR+XuwSzfV9i/wq1TWKS6jG3krMOTXUHPIkVbHvFXpK5A== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1774487696; a=rsa-sha256; cv=none; b=A9dXba1USXleK2U1qKuOypH0XcEhwA2OMNW47pthj0hZT5HykkNwzPWJQmEnlTi/zRRjDA M+Eh7d5IB1NUjHwjwcn7kYKrb9UfjAESK2DspJei/AuXgTcMY4gQvkSL2PdFff7CgF3eG8 KWZWccldRy5FQfc+OQciINCiw91+2KuiJmnjKs5RtCdsWmHk6ARqpT4055K+R5ua13kDFQ SWupNrcbsK3/Q7AbSthqxI52dPlPEdr3kPDEV4pZQ5CdjeJVNZBwyyC6HkGA7EVo8k2XsW CFBNv6cQnZPdwp8P15kqXZlX6NvbXVlAZ6ktun+iJiIruRiSdP8pMGdi0GFUbg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1774487696; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=9n1rq3RRY9r/IQjfHhDFttqK2hIq4bZaPDXCwaq5H/Q=; b=OcdFm5vWIYu25qZnldMCtIXbcKwdfopGpxG4R6I3hnvlOkUCPmW4C0LSwAZBhAwmd/cOvY K/38Cc3fRdeY3B9imC5nIOKty/VcL2dc+WhYvcFmXmfSQujFTyqth0kmjC7xjN4ZSJDN3V zBhfYW6Llz1EYOQqY4OYlrNo9uAyZkKJ1wLHj/3ydED99gIsMuIZvrX8CMHARTYlaugLSe Lch6itf8Om+n7tmq9TDu+yqnjKxnfxtJE9ww5MkoTEYrDMQ7MTovvYnJnR2aS7AvGqgDl7 lWGi179khHa1dlh5f1Igtk6Wn2X2MtlAa+WaYfUL5dAZBSmzsCaI2aYiEDfTwg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4fh5RM6p12zVfd for ; Thu, 26 Mar 2026 01:14:55 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 18ca9 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Thu, 26 Mar 2026 01:14:55 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Mark Johnston From: Philip Paeps Subject: git: 7ea03a4238e8 - releng/14.4 - rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate() List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: philip X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.4 X-Git-Reftype: branch X-Git-Commit: 7ea03a4238e8bf6b80824cd9a31e219020f4feb1 Auto-Submitted: auto-generated Date: Thu, 26 Mar 2026 01:14:55 +0000 Message-Id: <69c4888f.18ca9.17777f2@gitrepo.freebsd.org> The branch releng/14.4 has been updated by philip: URL: https://cgit.FreeBSD.org/src/commit/?id=7ea03a4238e8bf6b80824cd9a31e219020f4feb1 commit 7ea03a4238e8bf6b80824cd9a31e219020f4feb1 Author: Mark Johnston AuthorDate: 2026-03-24 02:12:42 +0000 Commit: Philip Paeps CommitDate: 2026-03-25 06:54:10 +0000 rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate() svc_rpc_gss_validate() copies the input message into a stack buffer without ensuring that the buffer is large enough. Sure enough, oa_length may be up to 400 bytes, much larger than the provided space. This enables an unauthenticated user to trigger an overflow and obtain remote code execution. Add a runtime check which verifies that the copy won't overflow. Approved by: so Security: FreeBSD-SA-26:08.rpcsec_gss Security: CVE-2026-4747 Reported by: Nicholas Carlini Reviewed by: rmacklem Fixes: a9148abd9da5d --- lib/librpcsec_gss/svc_rpcsec_gss.c | 9 ++++++++- sys/rpc/rpcsec_gss/svc_rpcsec_gss.c | 10 +++++++++- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/lib/librpcsec_gss/svc_rpcsec_gss.c b/lib/librpcsec_gss/svc_rpcsec_gss.c index e9d39a813f86..73b92371e6d0 100644 --- a/lib/librpcsec_gss/svc_rpcsec_gss.c +++ b/lib/librpcsec_gss/svc_rpcsec_gss.c @@ -758,6 +758,14 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg, memset(rpchdr, 0, sizeof(rpchdr)); + oa = &msg->rm_call.cb_cred; + + if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT) { + log_debug("auth length %d exceeds maximum", oa->oa_length); + client->cl_state = CLIENT_STALE; + return (FALSE); + } + /* Reconstruct RPC header for signing (from xdr_callmsg). */ buf = rpchdr; IXDR_PUT_LONG(buf, msg->rm_xid); @@ -766,7 +774,6 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg, IXDR_PUT_LONG(buf, msg->rm_call.cb_prog); IXDR_PUT_LONG(buf, msg->rm_call.cb_vers); IXDR_PUT_LONG(buf, msg->rm_call.cb_proc); - oa = &msg->rm_call.cb_cred; IXDR_PUT_ENUM(buf, oa->oa_flavor); IXDR_PUT_LONG(buf, oa->oa_length); if (oa->oa_length) { diff --git a/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c b/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c index 64038240ab37..031e6af5c1b2 100644 --- a/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c +++ b/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c @@ -1107,6 +1107,15 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg, memset(rpchdr, 0, sizeof(rpchdr)); + oa = &msg->rm_call.cb_cred; + + if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT) { + rpc_gss_log_debug("auth length %d exceeds maximum", + oa->oa_length); + client->cl_state = CLIENT_STALE; + return (FALSE); + } + /* Reconstruct RPC header for signing (from xdr_callmsg). */ buf = rpchdr; IXDR_PUT_LONG(buf, msg->rm_xid); @@ -1115,7 +1124,6 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg, IXDR_PUT_LONG(buf, msg->rm_call.cb_prog); IXDR_PUT_LONG(buf, msg->rm_call.cb_vers); IXDR_PUT_LONG(buf, msg->rm_call.cb_proc); - oa = &msg->rm_call.cb_cred; IXDR_PUT_ENUM(buf, oa->oa_flavor); IXDR_PUT_LONG(buf, oa->oa_length); if (oa->oa_length) {