Date: Wed, 20 May 2026 19:39:28 +0000
From: Mark Johnston <markj@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Cc: Dag-Erling Smørgrav <des@FreeBSD.org>
Subject: git: d98c0a494a42 - releng/15.0 - setcred: Fix buffer overflow
Message-ID: <6a0e0df0.368e7.1865b2c@gitrepo.freebsd.org>
The branch releng/15.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=d98c0a494a421b40f727356bd892d25041c5f90d commit d98c0a494a421b40f727356bd892d25041c5f90d Author: Dag-Erling Smørgrav <des@FreeBSD.org> AuthorDate: 2026-05-07 08:06:35 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2026-05-19 23:51:24 +0000 setcred: Fix buffer overflow Since groups is a pointer to a pointer to an array of gid_t, we should use sizeof(**groups) or sizeof(gid_t) when calculating how much to allocate and copy in. We were using sizeof(*groups) instead, which meant that on 64-bit platforms, we would allocate and copy in twice as much as we should. Unfortunately, in the smallgroups case, we copy into a preallocated buffer which has the correct size, which means that if sc_supp_groups_nb >= CRED_SMALLGROUPS_NB / 2, we overflow smallgroups. This is a direct commit to releng/15.0. Approved by: so Security: FreeBSD-SA-26:18.setcred Reported by: Ryan of Calif.io Fixes: ddb3eb4efe55 ("New setcred() system call and associated MAC hooks") --- sys/kern/kern_prot.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 0b7dc2169335..02f83360885e 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -554,10 +554,10 @@ kern_setcred_copyin_supp_groups(struct setcred *const wcred, */ *groups = wcred->sc_supp_groups_nb <= CRED_SMALLGROUPS_NB ? smallgroups : malloc(wcred->sc_supp_groups_nb * - sizeof(*groups), M_TEMP, M_WAITOK); + sizeof(gid_t), M_TEMP, M_WAITOK); error = copyin(wcred->sc_supp_groups, *groups, - wcred->sc_supp_groups_nb * sizeof(*groups)); + wcred->sc_supp_groups_nb * sizeof(gid_t)); if (error != 0) return (error); wcred->sc_supp_groups = *groups;
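Review bot: The byte count `wcred->sc_supp_groups_nb * sizeof(gid_t)` is still written out twice, once in the `malloc()` call and once in the `copyin()` call, which is the duplication that let the `sizeof(*groups)` mistake land in both places at once. Consider computing it once into a local `size_t` ahead of the ternary and passing that to both calls, so the allocation size and the copy length cannot diverge. Writing the element size as `sizeof(**groups)`, which the commit message also offers, would keep it tied to the destination's type rather than to a type name repeated by hand. A regression test that exercises the smallgroups path with counts around CRED_SMALLGROUPS_NB / 2 and at CRED_SMALLGROUPS_NB would guard this boundary.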
