To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Olivier Certner
Subject: git: 0574fca39fb3 - stable/14 - sys/rpc: UNIX auth: Fix OOB accesses, notably writes on decode
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: olce
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 0574fca39fb3fa8fef062b74e82f359b99f1bee0
Date: Fri, 19 Dec 2025 09:19:06 +0000
Message-Id: <6945188a.3dd50.6b3a964a@gitrepo.freebsd.org>

The branch stable/14 has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=0574fca39fb3fa8fef062b74e82f359b99f1bee0

commit 0574fca39fb3fa8fef062b74e82f359b99f1bee0
Author:     Olivier Certner
AuthorDate: 2025-10-07 10:02:23 +0000
Commit:     Olivier Certner
CommitDate: 2025-12-19 09:16:44 +0000

    sys/rpc: UNIX auth: Fix OOB accesses, notably writes on decode

    When the received authentication message had more than XU_NGROUPS, we
    would write group IDs beyond the end of cr_groups[] in the 'struct
    xucred' being filled (as 'ngroups_max' is always greater than
    XU_NGROUPS).

    For robustness, prevent various OOB accesses that would result from a
    change of value of XU_NGROUPS or a 'struct xucred' with an invalid
    'cr_ngroups' field, even if these cases are unlikely.

    Reviewed by:    rmacklem
    Fixes:          dfdcada31e79 ("Add the new kernel-mode NFS Lock Manager.")
    MFC after:      2 days
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D52960

    (cherry picked from commit 47e9c81d4f1324674c624df02a51ad3a72aa7444)
---
 sys/rpc/authunix_prot.c | 40 +++++++++++++++++++++-------------------
 1 file changed, 21 insertions(+), 19 deletions(-)
diff --git a/sys/rpc/authunix_prot.c b/sys/rpc/authunix_prot.c index 42822a5d01c6..f2749e68e763 100644 --- a/sys/rpc/authunix_prot.c +++ b/sys/rpc/authunix_prot.c @@ -79,7 +79,6 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred) } else { namelen = 0; } - junk = 0; if (!xdr_uint32_t(xdrs, time) || !xdr_uint32_t(xdrs, &namelen)) @@ -97,15 +96,25 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred) if (!xdr_uint32_t(xdrs, &cred->cr_uid)) return (FALSE); + + /* + * Safety check: The protocol needs at least one group (access to + * 'cr_gid', decrementation of 'cr_ngroups' below). + */ + if (xdrs->x_op == XDR_ENCODE && cred->cr_ngroups == 0) + return (FALSE); if (!xdr_uint32_t(xdrs, &cred->cr_gid)) return (FALSE); if (xdrs->x_op == XDR_ENCODE) { /* - * Note that this is a `struct xucred`, which maintains its - * historical layout of preserving the egid in cr_ngroups and - * cr_groups[0] == egid. + * Note that this is a 'struct xucred', which still has the + * historical layout where the effective GID is in cr_groups[0] + * and is accounted in 'cr_ngroups'. We substract 1 to obtain + * the number of "supplementary" groups, passed in the AUTH_SYS + * credentials variable-length array called gids[] in RFC 5531. */ + MPASS(cred->cr_ngroups <= XU_NGROUPS); supp_ngroups = cred->cr_ngroups - 1; if (supp_ngroups > NGRPS) supp_ngroups = NGRPS; 
@@ -113,22 +122,15 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred) if (!xdr_uint32_t(xdrs, &supp_ngroups)) return (FALSE); - for (i = 0; i < supp_ngroups; i++) { - if (i < ngroups_max) { - if (!xdr_uint32_t(xdrs, &cred->cr_groups[i + 1])) - return (FALSE); - } else { - if (!xdr_uint32_t(xdrs, &junk)) - return (FALSE); - } - } - if (xdrs->x_op == XDR_DECODE) { - if (supp_ngroups > ngroups_max) - cred->cr_ngroups = ngroups_max + 1; - else - cred->cr_ngroups = supp_ngroups + 1; - } + junk = 0; + for (i = 0; i < supp_ngroups; ++i) + if (!xdr_uint32_t(xdrs, i < XU_NGROUPS - 1 ? + &cred->cr_groups[i + 1] : &junk)) + return (FALSE); + + if (xdrs->x_op != XDR_ENCODE) + cred->cr_ngroups = MIN(supp_ngroups + 1, XU_NGROUPS); return (TRUE); }
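Review bot: in the first hunk (`@@ -79,7 +79,6 @@`), moving `junk = 0;` from the top of the function to just before the loop that uses it is correct, and it matters more than a pure style move: on the XDR_ENCODE path `junk` is now what gets written to the wire for any index at or beyond XU_NGROUPS - 1, so its value is observable by the peer. A one-line comment at the new initialisation site saying that an over-long credential is encoded with zero GIDs past the array rather than failing would make that behaviour explicit.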
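Review bot: in the second hunk (`@@ -97,15 +96,25 @@`), the new `MPASS(cred->cr_ngroups <= XU_NGROUPS);` only fires on kernels built with INVARIANTS, so on a production kernel a 'struct xucred' with an oversized 'cr_ngroups' is caught only by the clamp `if (supp_ngroups > NGRPS)` and by the `i < XU_NGROUPS - 1` bound on the loop in the next hunk. That is sufficient for memory safety (surplus indices read 'junk' instead of `cr_groups[]`), but the comment block above it reads as though the assertion were the guard; consider stating that the loop bound, not MPASS, is what prevents the OOB read. In the same comment, 'substract' should be 'subtract', and the `cr_ngroups == 0` check is rightly placed before the `xdr_uint32_t(xdrs, &cred->cr_gid)` call, since the effective GID lives in `cr_groups[0]` and a zero count would make `supp_ngroups = cred->cr_ngroups - 1` wrap.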
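Review bot: in the third hunk (`@@ -113,22 +122,15 @@`), the XDR_DECODE path now takes 'supp_ngroups' straight from the wire with no upper bound other than what the stream can supply; entries past `XU_NGROUPS - 1` are consumed into 'junk' and silently dropped, and `cred->cr_ngroups = MIN(supp_ngroups + 1, XU_NGROUPS)` clamps the count. That does fix the out-of-bounds write (the removed `if (i < ngroups_max)` compared the index against a tunable larger than the array, exactly as the commit message says), but consider rejecting `supp_ngroups > NGRPS` on decode as the encoder already clamps on its side, since RFC 5531 bounds gids[] and an accepted-but-truncated credential is harder to reason about than a failed decode; an explicit bound also removes the theoretical `supp_ngroups + 1` wrap at UINT32_MAX, unreachable in practice only because the loop would first have to decode 2^32 - 1 words.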
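The decode path the commit message describes, as an added C example that is neither FreeBSD's code nor part of this commit: it models the corrected loop over a constructed AUTH_SYS-style message carrying more supplementary groups than cr_groups[] can hold, and places a canary field after the array so that any write escaping it is detected. The value 16 for XU_NGROUPS, MAX_GIDS, CANARY, the xdr_in stream, put_u32/build_wire and the demo_* functions are all assumptions of the example; the real struct layout, the stamp and machinename fields that precede the uid, and the encode path are not modelled.

```c
/* Added example, not FreeBSD's code: a self-contained model of the corrected
 * AUTH_SYS credential decode in sys/rpc/authunix_prot.c.  The XDR stream, the
 * wire builder and the 'struct xucred' stand-in are hypothetical
 * simplifications; the stamp/machinename fields preceding the uid are omitted. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define XU_NGROUPS 16            /* assumed size of cr_groups[] */
#define MAX_GIDS   64            /* largest constructed message */
#define CANARY     0xDEADBEEFu   /* sentinel placed right after cr_groups[] */

/* Simplified 'struct xucred': cr_groups[0] is the effective GID and counts in
 * cr_ngroups.  The canary is not in the real struct; it detects OOB writes. */
struct xucred_model {
	uint32_t cr_uid, cr_ngroups, cr_groups[XU_NGROUPS], canary;
};
#define cr_gid cr_groups[0]

/* Decode-only XDR stream over big-endian 32-bit words. */
struct xdr_in { const uint8_t *buf; size_t len, pos; };

static int
xdr_get_u32(struct xdr_in *x, uint32_t *out)
{
	const uint8_t *p = x->buf + x->pos;
	if (x->len - x->pos < 4)
		return (0);              /* stream exhausted: decode fails */
	*out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	    ((uint32_t)p[2] << 8) | p[3];
	x->pos += 4;
	return (1);
}

/* Mirrors the fixed kernel loop: the index is bounded by XU_NGROUPS - 1 (array
 * capacity minus the egid slot), not by the larger ngroups_max tunable the old
 * code compared against, so surplus entries are read into 'junk'. */
static int
decode_authunix_cred(const uint8_t *buf, size_t len, struct xucred_model *cred)
{
	struct xdr_in x = { buf, len, 0 };
	uint32_t supp_ngroups, junk, i;
	if (!xdr_get_u32(&x, &cred->cr_uid) || !xdr_get_u32(&x, &cred->cr_gid) ||
	    !xdr_get_u32(&x, &supp_ngroups))
		return (0);
	for (i = 0; i < supp_ngroups; ++i)
		if (!xdr_get_u32(&x, i < XU_NGROUPS - 1 ?
		    &cred->cr_groups[i + 1] : &junk))
			return (0);
	cred->cr_ngroups = supp_ngroups + 1 < XU_NGROUPS ?
	    supp_ngroups + 1 : XU_NGROUPS;
	return (1);
}

static void
put_u32(uint8_t *p, uint32_t v)
{
	p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
	p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Constructed wire message: uid, gid, count, then GIDs 1000, 1001, ... */
static size_t
build_wire(uint8_t *out, uint32_t uid, uint32_t gid, uint32_t ngids)
{
	uint32_t i;
	put_u32(out, uid);
	put_u32(out + 4, gid);
	put_u32(out + 8, ngids);
	for (i = 0; i < ngids; i++)
		put_u32(out + 12 + 4 * i, 1000 + i);
	return (12 + 4 * (size_t)ngids);
}

/* Decode a message carrying 'ngids' supplementary groups.  Returns cr_ngroups
 * if the decode succeeded, the retained groups match and the canary is
 * intact; -1 otherwise. */
static int
demo_decode(uint32_t ngids)
{
	uint8_t wire[12 + 4 * MAX_GIDS];
	struct xucred_model cred;
	size_t len;
	uint32_t i;
	if (ngids > MAX_GIDS)
		return (-1);
	len = build_wire(wire, 1001, 1001, ngids);
	memset(&cred, 0, sizeof(cred));
	cred.canary = CANARY;
	if (!decode_authunix_cred(wire, len, &cred) || cred.canary != CANARY)
		return (-1);
	for (i = 1; i < cred.cr_ngroups; i++)
		if (cred.cr_groups[i] != 1000 + (i - 1))
			return (-1);
	return ((int)cred.cr_ngroups);
}

/* A message claiming 5 groups but carrying 2 must fail, not be padded. */
static int
demo_truncated(void)
{
	uint8_t wire[12 + 4 * MAX_GIDS];
	struct xucred_model cred = { 0 };
	size_t len = build_wire(wire, 1001, 1001, 2);
	put_u32(wire + 8, 5);                 /* count lies about the payload */
	return (decode_authunix_cred(wire, len, &cred) == 0);
}
```

With 20 groups on the wire, demo_decode() returns 16: the first 15 supplementary GIDs land in cr_groups[1..15], the remaining five are consumed into 'junk', and the canary is untouched. Swapping the loop bound for the old `i < ngroups_max` comparison is what let `cr_groups[i + 1]` run past the array when ngroups_max exceeds XU_NGROUPS; with a sentinel-bearing struct like this one, that defect shows up as a clobbered canary in a unit test rather than as silent kernel memory corruption, which is the kind of check worth keeping around any XDR decoder that fills fixed-size arrays.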