Date:      Thu, 21 May 2026 22:45:50 +0200
From:      Olivier Certner <olce@freebsd.org>
To:        Przemyslaw Frasunek <przemyslaw@frasunek.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-26:18.setcred
Message-ID:  <2786573.XrqEPMHAR6@ravel>
In-Reply-To: <832f02ee-9fdb-4eda-a06a-d3330ba9aa30@frasunek.com>
References:  <20260520222336.BA0F59B7A@freefall.freebsd.org> <13306571.xkLNZX5ndW@ravel> <832f02ee-9fdb-4eda-a06a-d3330ba9aa30@frasunek.com>


> As the reporter of this vulnerability, I am sharing a full write-up 
> demonstrating LPE with SMAP/SMEP enabled: https://fatgid.io/

This write-up is good for the vulnerability description.  Thanks!  (I just skimmed through the exploitation part.)

I'd just correct/complete this part:

> The underlying fix is the main-branch commit 000d5b52c19ff3858a6f0cbb405d47713c4267a4 from 2025-11-27 ("setcred(2): Fix a panic on too many groups from latest commit"), which refactored kern_setcred_copyin_supp_groups() into user_setcred_copyin_supp_groups(), changing the groups argument from gid_t ** to a local gid_t *, and replacing both sizeof(*groups) occurrences with sizeof(gid_t). 

The underlying fix is not the commit you mention, which is a follow-up of the simplification commit evoked in my previous answer, which is the right one: https://cgit.freebsd.org/src/commit/?id=4cd93df95e69.  It's where the sizeof(*groups) were replaced with sizeof(gid_t).

> The original commit message does not mention the stack overflow; the fix appears to be an unintentional side effect of the refactoring.

It's slightly more complex than that actually.  It's true I did not see the stack overflow back then, but I was very close to it.  I don't really recall how the sizeof(*groups) first appeared in commit https://cgit.freebsd.org/src/commit/?id=ddb3eb4efe55 (perhaps it came from an earlier development version where 'groups' was of type 'gid_t *'; or maybe it was a plain mistake from the start).  But, when I did the simplification commit, I clearly remember noticing the logical mistake (the missing '*').  Unfortunately, this is where I made a second mistake, that is, to assess that this logical mistake had no practical significance because I had somehow convinced myself that uid_t/gid_t had the natural size of the platform (which is not the case: they are 32-bit wide everywhere).  And that's why I did not bother fixing it in other branches and releases back then.

Thanks and regards.

-- 
Olivier Certner
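Added example, not code from the FreeBSD tree, the advisory, or either correspondent: a small C model of the size miscalculation discussed above. With `groups` declared as a pointer to pointer, `sizeof(*groups)` is the pointer width rather than `sizeof(gid_t)`, so on a 64-bit platform a copy sized that way asks for twice the bytes a fixed array of gids can hold, while a check on the group count alone still passes. The typedef `model_gid_t`, the capacity `MODEL_NGROUPS`, the sample array and all function names are constructed for this illustration; the byte-count check in `bytes_fit` is the kind of guard that rejects such a copy regardless of which `sizeof` produced the number.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of gid_t: 32 bits wide on every FreeBSD platform, as the message notes. */
typedef uint32_t model_gid_t;

/* Constructed capacity of the fixed on-stack group array. */
#define MODEL_NGROUPS 16

/* Constructed sample input standing in for user-supplied group ids. */
static const model_gid_t k_sample_groups[MODEL_NGROUPS] = {
	0, 5, 20, 100, 1000, 1001, 1002, 1003,
	1004, 1005, 1006, 1007, 1008, 1009, 1010, 1011
};

/* The defect: with 'groups' declared as model_gid_t **, sizeof(*groups) is
 * sizeof(model_gid_t *), i.e. the pointer width, not the gid width. */
static size_t
groups_bytes_wrong_level(model_gid_t **groups, size_t ngroups)
{
	(void)groups;	/* only the declared type matters here */
	return ngroups * sizeof(*groups);	/* == ngroups * sizeof(model_gid_t *) */
}

/* The fix: size each element as a gid. */
static size_t
groups_bytes_fixed(size_t ngroups)
{
	return ngroups * sizeof(model_gid_t);
}

/* A count check alone passes whenever ngroups <= cap; it cannot notice that
 * nbytes was derived with the wrong element size. Checking the byte count
 * against the buffer's byte capacity does. Returns 1 if the copy fits, else 0. */
static int
bytes_fit(size_t ngroups, size_t nbytes, size_t cap)
{
	if (ngroups > cap)
		return 0;
	return nbytes <= cap * sizeof(model_gid_t);
}

/* Copy ngroups entries into a fixed on-stack array, refusing the copy when the
 * requested byte count would overrun it. Returns 0 on success, -1 if rejected. */
static int
copy_groups_checked(const model_gid_t *src, size_t ngroups, size_t nbytes)
{
	model_gid_t stackbuf[MODEL_NGROUPS];

	if (!bytes_fit(ngroups, nbytes, MODEL_NGROUPS))
		return -1;
	memcpy(stackbuf, src, nbytes);
	return 0;
}

int
main(void)
{
	size_t n = MODEL_NGROUPS;

	printf("sizeof(gid) = %zu, sizeof(gid *) = %zu\n",
	    sizeof(model_gid_t), sizeof(model_gid_t *));
	printf("fixed size: %zu bytes, wrong-level size: %zu bytes\n",
	    groups_bytes_fixed(n), groups_bytes_wrong_level(NULL, n));
	printf("fixed copy: %d, wrong-level copy: %d (0 = accepted, -1 = rejected)\n",
	    copy_groups_checked(k_sample_groups, n, groups_bytes_fixed(n)),
	    copy_groups_checked(k_sample_groups, n, groups_bytes_wrong_level(NULL, n)));
	return 0;
}
```

On a 64-bit build the wrong-level size for 16 groups is 128 bytes against a 64-byte array, so the checked copy is rejected; on a 32-bit build pointer and gid widths coincide and the two sizes agree, which is exactly the assumption the message describes as mistaken for 64-bit platforms.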