To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Cc: Mark Johnston
From: Philip Paeps
Subject: git: c4f53a1adbd4 - releng/13.5 - rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: philip
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/13.5
X-Git-Reftype: branch
X-Git-Commit: c4f53a1adbd4d5209b45043d25e590f0c27b5314
Auto-Submitted: auto-generated
Date: Thu, 26 Mar 2026 01:34:10 +0000
Message-Id: <69c48d12.1c7b0.4f914cd2@gitrepo.freebsd.org>

The branch releng/13.5 has been updated by philip:

URL: https://cgit.FreeBSD.org/src/commit/?id=c4f53a1adbd4d5209b45043d25e590f0c27b5314

commit c4f53a1adbd4d5209b45043d25e590f0c27b5314
Author:     Mark Johnston
AuthorDate: 2026-03-24 02:12:42 +0000
Commit:     Philip Paeps
CommitDate: 2026-03-26 01:30:59 +0000

    rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()

    svc_rpc_gss_validate() copies the input message into a stack buffer
    without ensuring that the buffer is large enough.  Sure enough,
    oa_length may be up to 400 bytes, much larger than the provided space.
    This enables an unauthenticated user to trigger an overflow and obtain
    remote code execution.

    Add a runtime check which verifies that the copy won't overflow.

    Approved by:    so
    Security:       FreeBSD-SA-26:08.rpcsec_gss
    Security:       CVE-2026-4747
    Reported by:    Nicholas Carlini
    Reviewed by:    rmacklem
    Fixes:          a9148abd9da5d
---
 lib/librpcsec_gss/svc_rpcsec_gss.c  |  9 ++++++++-
 sys/rpc/rpcsec_gss/svc_rpcsec_gss.c | 10 +++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/lib/librpcsec_gss/svc_rpcsec_gss.c b/lib/librpcsec_gss/svc_rpcsec_gss.c
index e9d39a813f86..73b92371e6d0 100644
--- a/lib/librpcsec_gss/svc_rpcsec_gss.c
+++ b/lib/librpcsec_gss/svc_rpcsec_gss.c @@ -758,6 +758,14 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg, memset(rpchdr, 0, sizeof(rpchdr)); + oa = &msg->rm_call.cb_cred; + + if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT) { + log_debug("auth length %d exceeds maximum", oa->oa_length); + client->cl_state = CLIENT_STALE; + return (FALSE); + } + /* Reconstruct RPC header for signing (from xdr_callmsg). */ buf = rpchdr; IXDR_PUT_LONG(buf, msg->rm_xid); @@ -766,7 +774,6 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg, IXDR_PUT_LONG(buf, msg->rm_call.cb_prog); IXDR_PUT_LONG(buf, msg->rm_call.cb_vers); IXDR_PUT_LONG(buf, msg->rm_call.cb_proc); - oa = &msg->rm_call.cb_cred; IXDR_PUT_ENUM(buf, oa->oa_flavor); IXDR_PUT_LONG(buf, oa->oa_length); if (oa->oa_length) { diff --git a/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c b/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c index 93a41dc045cc..8e98a87b36be 100644 --- a/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c +++ b/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c @@ -1079,6 +1079,15 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg, memset(rpchdr, 0, sizeof(rpchdr)); + oa = &msg->rm_call.cb_cred; + + if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT) { + rpc_gss_log_debug("auth length %d exceeds maximum", + oa->oa_length); + client->cl_state = CLIENT_STALE; + return (FALSE); + } + /* Reconstruct RPC header for signing (from xdr_callmsg). */ buf = rpchdr; IXDR_PUT_LONG(buf, msg->rm_xid); @@ -1087,7 +1096,6 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg, IXDR_PUT_LONG(buf, msg->rm_call.cb_prog); IXDR_PUT_LONG(buf, msg->rm_call.cb_vers); IXDR_PUT_LONG(buf, msg->rm_call.cb_proc); - oa = &msg->rm_call.cb_cred; IXDR_PUT_ENUM(buf, oa->oa_flavor); IXDR_PUT_LONG(buf, oa->oa_length); if (oa->oa_length) {
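Review bot: in the lib/librpcsec_gss hunk at @@ -758, the bound `sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT` hard-codes the number of fixed-size XDR words the `IXDR_PUT_*` sequence writes before the credential body; give that 8 a name (a constant defined next to the sequence, with a comment listing the fields it counts) so the check cannot silently go stale when a field is added to or removed from the reconstructed header. Also, `oa_length` in `struct opaque_auth` is unsigned, so `%u` is the matching specifier in `log_debug("auth length %d exceeds maximum", oa->oa_length)`, and the message would be more useful to whoever reads the log if it also printed the limit the length was compared against.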
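Review bot: in the sys/rpc/rpcsec_gss hunk at @@ -1079, the new check compares the raw `oa_length`, but the copy it guards, inside `if (oa->oa_length) {` (body not in the hunk), is the part that must also not advance `buf` past the buffer by XDR padding; if that code rounds the length up to the next `BYTES_PER_XDR_UNIT`, the check is sufficient only while `sizeof(rpchdr)` is itself a multiple of `BYTES_PER_XDR_UNIT`, which is worth pinning with a `_Static_assert` or a comment on the buffer's declaration so a later resize cannot reopen a short overrun. This hunk otherwise duplicates the libc one apart from `rpc_gss_log_debug` versus `log_debug`, so the `%u` specifier point raised there applies here as well.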
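As an added illustration of the pattern the patch adopts, not code from the FreeBSD tree or from the commit above, the following C rebuilds the call header the way the commit message describes, with the patch's bound expressed as a named constant and the XDR padding of the opaque body folded into the check. The struct layouts, the eight-word fixed header (xid, direction, rpcvers, prog, vers, proc, flavor, length), the 128-byte buffer, the hypothetical helper names and the constructed credential are assumptions made for this example; only the 400-byte maximum credential length and the `8 * BYTES_PER_XDR_UNIT` bound come from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the XDR/RPC definitions svc_rpc_gss_validate()
 * uses; names follow FreeBSD's but the struct layouts are simplified. */
#define BYTES_PER_XDR_UNIT 4
#define RNDUP(x) ((((x) + BYTES_PER_XDR_UNIT - 1) / BYTES_PER_XDR_UNIT) * BYTES_PER_XDR_UNIT)

/* Assumed: eight 32-bit XDR words precede the opaque credential body in the
 * reconstructed call header (xid, direction, rpcvers, prog, vers, proc,
 * cred flavor, cred length).  This is the "8" from the patch, given a name. */
#define RPCHDR_FIXED_WORDS 8
#define RPCHDR_FIXED_BYTES (RPCHDR_FIXED_WORDS * BYTES_PER_XDR_UNIT)

#define RPCHDR_SIZE    128   /* assumed buffer size for this example */
#define MAX_AUTH_BYTES 400   /* largest oa_length the protocol allows (commit message) */

struct opaque_auth {
	int32_t        oa_flavor;
	const uint8_t *oa_base;
	uint32_t       oa_length;  /* unsigned, as in the real struct opaque_auth */
};

struct call_msg {
	uint32_t rm_xid, rm_direction, cb_rpcvers, cb_prog, cb_vers, cb_proc;
	struct opaque_auth cb_cred;
};

/* Big-endian XDR encoding of one 32-bit word; returns the advanced cursor. */
static uint8_t *
xdr_put_long(uint8_t *p, uint32_t v)
{
	p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
	p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
	return (p + BYTES_PER_XDR_UNIT);
}

/*
 * The patch's bound plus XDR padding: 1 if a credential of oa_length bytes
 * fits behind the fixed header in a buffer of bufsize bytes, else 0.  The raw
 * length is checked first (exactly as the patch does), which also keeps the
 * RNDUP below from overflowing; the padded length is then checked so that a
 * buffer whose size is not a multiple of the XDR unit is handled too.
 */
int
cred_fits(uint32_t oa_length, size_t bufsize)
{
	size_t room;

	if (bufsize < RPCHDR_FIXED_BYTES)
		return (0);
	room = bufsize - RPCHDR_FIXED_BYTES;
	if (oa_length > room)
		return (0);
	return (RNDUP((size_t)oa_length) <= room);
}

/*
 * Serialize the call header the way the validator does before checksumming.
 * Returns bytes written, or -1 when the credential would overflow rpchdr
 * (where the patched function logs, marks the client stale and returns FALSE).
 */
int
build_rpc_header(const struct call_msg *msg, uint8_t *rpchdr, size_t bufsize)
{
	const struct opaque_auth *oa = &msg->cb_cred;
	uint8_t *buf;

	if (!cred_fits(oa->oa_length, bufsize))
		return (-1);
	memset(rpchdr, 0, bufsize);          /* zero fill doubles as XDR padding */
	buf = rpchdr;
	buf = xdr_put_long(buf, msg->rm_xid);
	buf = xdr_put_long(buf, msg->rm_direction);
	buf = xdr_put_long(buf, msg->cb_rpcvers);
	buf = xdr_put_long(buf, msg->cb_prog);
	buf = xdr_put_long(buf, msg->cb_vers);
	buf = xdr_put_long(buf, msg->cb_proc);
	buf = xdr_put_long(buf, (uint32_t)oa->oa_flavor);
	buf = xdr_put_long(buf, oa->oa_length);
	if (oa->oa_length != 0) {
		memcpy(buf, oa->oa_base, oa->oa_length);
		buf += RNDUP(oa->oa_length);
	}
	return ((int)(buf - rpchdr));
}

/* Demo helper (hypothetical): serialize a constructed call carrying a
 * credential of the given length into an RPCHDR_SIZE buffer. */
int
demo_header_len(uint32_t oa_length)
{
	static uint8_t cred[MAX_AUTH_BYTES];   /* constructed credential bytes */
	uint8_t rpchdr[RPCHDR_SIZE];
	struct call_msg msg = {
		.rm_xid = 0x1234, .rm_direction = 0 /* CALL */, .cb_rpcvers = 2,
		.cb_prog = 100003 /* NFS */, .cb_vers = 3, .cb_proc = 0,
		.cb_cred = { .oa_flavor = 6 /* RPCSEC_GSS */, .oa_base = cred,
		    .oa_length = oa_length },
	};

	if (oa_length > sizeof(cred))
		return (-1);
	memset(cred, 'A', sizeof(cred));
	return (build_rpc_header(&msg, rpchdr, sizeof(rpchdr)));
}

int
main(void)
{
	printf("400-byte credential: %d\n", demo_header_len(400));
	printf("24-byte credential: %d bytes written\n", demo_header_len(24));
	return (0);
}
```

With a 128-byte buffer there are 96 bytes of room behind the fixed header, so a 400-byte credential is refused up front instead of overrunning the stack, while `cred_fits(93, 125)` shows why the padded length matters: 93 bytes pass the raw comparison but pad to 96, which a 125-byte buffer cannot hold.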