From nobody Thu Mar 26 01:28:47 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4fh5lM3X6bz6X5RD for ; Thu, 26 Mar 2026 01:28:47 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4fh5lM2JZlz3S88 for ; Thu, 26 Mar 2026 01:28:47 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1774488527; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=+kFw9oIQO6YLpNO5tc8BU03x9eCWA61fGq3jRvYSCek=; b=usTB8VHwoKpOEjP4JcD6OeM3Ju8pc6xS8oKjXzuKoQhRFHad740lnHRqxeD9UucKgxc7+n GJhsILcVHEMhQaohCRXta3A4oT+EUzT7zp5K13HXO9i1i4D9r3lu+Q8UbUUm/j5nY3rNGI ilJjG28id+rHRIRROkOpEq530doy5hygeTToJwrcr4t5jtf+MK8a+2av+pKH8Rqh93DvfE XAZscrMPdfFboRxfSDO+ltzufGxIKXuqOt1G6tE5MpM8CUM2+Y2yIuuNm+7lcR6/HkOy7Q //Hj3pcmrGosqcJIkVvYr+8xuxHQ5CaQHVcNQJJMCR5SqsacXwkE5mr5ygbcWg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1774488527; a=rsa-sha256; cv=none; b=MY3IL9NlcOruR91evvS3DK0Fp9QoWppQV662eHBCzLG4MnFiOiDiYohaZ9D1ez7pSE2wbM oLSVi6UnGnsuv11uM4iBuwvO7fuNjM4pMdepqvftelCgeHn0/DFgvLpy75c8HxiesDjn18 mGluTT/hCrZibLc7m9E/2ua6YH1QKKUb7tFroWQCuW40oshHPHDfQ/M8TfhIc5DuscqDob y6bInHPqxg4jqjHE7zJfEHl4YFEOeHZ6m8DFdeKRPpuM7Ezs6SXSQmFKSJX7eBCIjQiTEI mMNW3VP4ZhUWICDx3uBZZ/M/P+X9VLaZaxMJntnx5UL/kuA81875EjhFOAOu/g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1774488527; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=+kFw9oIQO6YLpNO5tc8BU03x9eCWA61fGq3jRvYSCek=; b=tYQ06i94pYtOniW4HU1lYBS7Gn6usF7ymVFK5m1SuZD4VcRPvaRF5wRAHDTdhhJmaJ58+Q X6oaWq0A6WIZBnYBBa0hv1y0XbNuLWfJCx2FBysn7er+iClLldkqCj7DrKbkda/i4au1cM G7Og+M3DpLdxiBZRF08zbq/gz+4uVNkRdvb83MB2A78a2UKAr7bUZ97xKGw75fQEiBIsfC sTGrlNORWOs8HdmkvfHtdrN2LBOJAJPg9yiNcdG3uH82i3Xn0x8nANAoA1A/GyR/Vp3O0y M9J8JD+pft6/KqTZvoG3XjPafrQxJl87WK6ZXnic2Qe7wBCDBpUaxrMYvLta4w== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4fh5lM1m9HzWGW for ; Thu, 26 Mar 2026 01:28:47 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 190b9 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Thu, 26 Mar 2026 01:28:47 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Mark Johnston From: Gordon Tetlow Subject: git: e5ed09ffd592 - stable/14 - rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate() List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: gordon X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: e5ed09ffd5927040a789b4333a856279181cef4a Auto-Submitted: auto-generated Date: Thu, 26 Mar 2026 01:28:47 +0000 Message-Id: <69c48bcf.190b9.598a9ef2@gitrepo.freebsd.org> The branch stable/14 has been updated by gordon: URL: https://cgit.FreeBSD.org/src/commit/?id=e5ed09ffd5927040a789b4333a856279181cef4a commit e5ed09ffd5927040a789b4333a856279181cef4a Author: Mark Johnston AuthorDate: 2026-03-24 02:12:42 +0000 Commit: Gordon Tetlow CommitDate: 2026-03-26 01:28:31 +0000 rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate() svc_rpc_gss_validate() copies the input message into a stack buffer without ensuring that the buffer is large enough. Sure enough, oa_length may be up to 400 bytes, much larger than the provided space. This enables an unauthenticated user to trigger an overflow and obtain remote code execution. Add a runtime check which verifies that the copy won't overflow. Approved by: so Security: FreeBSD-SA-26:08.rpcsec_gss Security: CVE-2026-4747 Reported by: Nicholas Carlini Reviewed by: rmacklem Fixes: a9148abd9da5d (cherry picked from commit 143293c14f8de00c6d3de88cd23fc224e7014206) --- lib/librpcsec_gss/svc_rpcsec_gss.c | 9 ++++++++- sys/rpc/rpcsec_gss/svc_rpcsec_gss.c | 10 +++++++++- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/lib/librpcsec_gss/svc_rpcsec_gss.c b/lib/librpcsec_gss/svc_rpcsec_gss.c index e9d39a813f86..73b92371e6d0 100644 --- a/lib/librpcsec_gss/svc_rpcsec_gss.c +++ b/lib/librpcsec_gss/svc_rpcsec_gss.c @@ -758,6 +758,14 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg, memset(rpchdr, 0, sizeof(rpchdr)); + oa = &msg->rm_call.cb_cred; + + if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT) { + log_debug("auth length %d exceeds maximum", oa->oa_length); + client->cl_state = CLIENT_STALE; + return (FALSE); + } + /* Reconstruct RPC header for signing (from xdr_callmsg). */ buf = rpchdr; IXDR_PUT_LONG(buf, msg->rm_xid); @@ -766,7 +774,6 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg, IXDR_PUT_LONG(buf, msg->rm_call.cb_prog); IXDR_PUT_LONG(buf, msg->rm_call.cb_vers); IXDR_PUT_LONG(buf, msg->rm_call.cb_proc); - oa = &msg->rm_call.cb_cred; IXDR_PUT_ENUM(buf, oa->oa_flavor); IXDR_PUT_LONG(buf, oa->oa_length); if (oa->oa_length) { diff --git a/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c b/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c index 64038240ab37..031e6af5c1b2 100644 --- a/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c +++ b/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c @@ -1107,6 +1107,15 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg, memset(rpchdr, 0, sizeof(rpchdr)); + oa = &msg->rm_call.cb_cred; + + if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT) { + rpc_gss_log_debug("auth length %d exceeds maximum", + oa->oa_length); + client->cl_state = CLIENT_STALE; + return (FALSE); + } + /* Reconstruct RPC header for signing (from xdr_callmsg). */ buf = rpchdr; IXDR_PUT_LONG(buf, msg->rm_xid); @@ -1115,7 +1124,6 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg, IXDR_PUT_LONG(buf, msg->rm_call.cb_prog); IXDR_PUT_LONG(buf, msg->rm_call.cb_vers); IXDR_PUT_LONG(buf, msg->rm_call.cb_proc); - oa = &msg->rm_call.cb_cred; IXDR_PUT_ENUM(buf, oa->oa_flavor); IXDR_PUT_LONG(buf, oa->oa_length); if (oa->oa_length) {