Date: Wed, 20 May 2026 19:40:32 +0000
From: Mark Johnston <markj@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Cc: Dag-Erling Smørgrav <des@FreeBSD.org>
Subject: git: bfff5c180193 - releng/14.3 - setcred: Fix buffer overflow
Message-ID: <6a0e0e30.3932c.516f7981@gitrepo.freebsd.org>
The branch releng/14.3 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=bfff5c180193845664a0d9f56f94111214e7c80b commit bfff5c180193845664a0d9f56f94111214e7c80b Author: Dag-Erling Smørgrav <des@FreeBSD.org> AuthorDate: 2026-05-07 08:06:35 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2026-05-19 23:48:36 +0000 setcred: Fix buffer overflow Since groups is a pointer to a pointer to an array of gid_t, we should use sizeof(**groups) or sizeof(gid_t) when calculating how much to allocate and copy in. We were using sizeof(*groups) instead, which meant that on 64-bit platforms, we would allocate and copy in twice as much as we should. Unfortunately, in the smallgroups case, we copy into a preallocated buffer which has the correct size, which means that if sc_supp_groups_nb >= CRED_SMALLGROUPS_NB / 2, we overflow smallgroups. This is a direct commit to stable/14. Approved by: so Security: FreeBSD-SA-26:18.setcred Reported by: Ryan of Calif.io Fixes: ddb3eb4efe55 ("New setcred() system call and associated MAC hooks") --- sys/kern/kern_prot.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index d0f4c8cd6992..cec3fd829564 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -527,10 +527,10 @@ kern_setcred_copyin_supp_groups(struct setcred *const wcred, */ *groups = wcred->sc_supp_groups_nb < CRED_SMALLGROUPS_NB ? smallgroups : malloc((wcred->sc_supp_groups_nb + 1) * - sizeof(*groups), M_TEMP, M_WAITOK); + sizeof(gid_t), M_TEMP, M_WAITOK); error = copyin(wcred->sc_supp_groups, *groups + 1, - wcred->sc_supp_groups_nb * sizeof(*groups)); + wcred->sc_supp_groups_nb * sizeof(gid_t)); if (error != 0) return (error); wcred->sc_supp_groups = *groups + 1;
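Review bot: In the malloc() and copyin() size expressions, sizeof(gid_t) names the element type by hand in two places, so nothing ties either size to the buffer that *groups actually points at; sizeof(**groups), which the commit message gives as the equivalent, would keep both expressions correct if the element type is ever changed. Consider computing the element size once and using it in both calls, so the allocation and the copy cannot disagree. The diffstat shows only sys/kern/kern_prot.c changed, so a regression test covering sc_supp_groups_nb values from CRED_SMALLGROUPS_NB / 2 up to just below CRED_SMALLGROUPS_NB, the range where the commit message says smallgroups was overrun, would be worth adding alongside the fix.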
