Date: Thu, 16 Oct 2025 18:50:19 GMT
Message-Id: <202510161850.59GIoJeH075092@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Colin Percival
Subject: git: f647564f3ff6 - releng/15.0 - sys/rpc: UNIX auth: Fix OOB accesses, notably writes on decode
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: cperciva
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/15.0
X-Git-Reftype: branch
X-Git-Commit: f647564f3ff637699d7e13ef6adf3659e254cbf7

The branch releng/15.0 has been updated by cperciva:

URL: https://cgit.FreeBSD.org/src/commit/?id=f647564f3ff637699d7e13ef6adf3659e254cbf7

commit f647564f3ff637699d7e13ef6adf3659e254cbf7
Author:     Olivier Certner
AuthorDate: 2025-10-07 10:02:23 +0000
Commit:     Colin Percival
CommitDate: 2025-10-16 18:48:00 +0000

    sys/rpc: UNIX auth: Fix OOB accesses, notably writes on decode

    When the received authentication message had more than XU_NGROUPS, we
    would write group IDs beyond the end of cr_groups[] in the 'struct
    xucred' being filled (as 'ngroups_max' is always greater than
    XU_NGROUPS).

    For robustness, prevent various OOB accesses that would result from a
    change of value of XU_NGROUPS or a 'struct xucred' with an invalid
    'cr_ngroups' field, even if these cases are unlikely.

    Approved by:    re (cperciva)
    Reviewed by:    rmacklem
    Fixes:          dfdcada31e79 ("Add the new kernel-mode NFS Lock Manager.")
    MFC after:      2 days
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D52960

    (cherry picked from commit 47e9c81d4f1324674c624df02a51ad3a72aa7444)
    (cherry picked from commit 9492a1e27fb18fcd6122bbd9ddcd853ee7693417)
---
 sys/rpc/authunix_prot.c | 40 +++++++++++++++++++++-------------------
 1 file changed, 21 insertions(+), 19 deletions(-)
diff --git a/sys/rpc/authunix_prot.c b/sys/rpc/authunix_prot.c index f63a6d3f9dc6..89f0ab3ed44e 100644 --- a/sys/rpc/authunix_prot.c +++ b/sys/rpc/authunix_prot.c @@ -75,7 +75,6 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred) } else { namelen = 0; } - junk = 0; if (!xdr_uint32_t(xdrs, time) || !xdr_uint32_t(xdrs, &namelen)) @@ -93,15 +92,25 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred) if (!xdr_uint32_t(xdrs, &cred->cr_uid)) return (FALSE); + + /* + * Safety check: The protocol needs at least one group (access to + * 'cr_gid', decrementation of 'cr_ngroups' below). + */ + if (xdrs->x_op == XDR_ENCODE && cred->cr_ngroups == 0) + return (FALSE); if (!xdr_uint32_t(xdrs, &cred->cr_gid)) return (FALSE); if (xdrs->x_op == XDR_ENCODE) { /* - * Note that this is a `struct xucred`, which maintains its - * historical layout of preserving the egid in cr_ngroups and - * cr_groups[0] == egid. + * Note that this is a 'struct xucred', which still has the + * historical layout where the effective GID is in cr_groups[0] + * and is accounted in 'cr_ngroups'. We substract 1 to obtain + * the number of "supplementary" groups, passed in the AUTH_SYS + * credentials variable-length array called gids[] in RFC 5531. */ + MPASS(cred->cr_ngroups <= XU_NGROUPS); supp_ngroups = cred->cr_ngroups - 1; if (supp_ngroups > NGRPS) supp_ngroups = NGRPS; 
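Review bot: In the second hunk (@@ -93,15 +92,25 @@), the new `MPASS(cred->cr_ngroups <= XU_NGROUPS);` is compiled out on kernels built without INVARIANTS, so it documents the invariant but does not enforce it in production; that is acceptable here only because the rewritten encode loop later indexes `cr_sgroups[]` solely below `XU_NGROUPS - 1` and drains the rest into `junk`, and a one-line comment saying so next to the MPASS would save the next reader from having to re-derive it. The zero-groups check being limited to `XDR_ENCODE` is correct, since on decode `cr_ngroups` is not meaningful until it is assigned at the end of the function. Minor: the rewritten comment reads "We substract 1"; it should be "subtract".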
@@ -109,22 +118,15 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred) if (!xdr_uint32_t(xdrs, &supp_ngroups)) return (FALSE); - for (i = 0; i < supp_ngroups; i++) { - if (i < ngroups_max) { - if (!xdr_uint32_t(xdrs, &cred->cr_groups[i + 1])) - return (FALSE); - } else { - if (!xdr_uint32_t(xdrs, &junk)) - return (FALSE); - } - } - if (xdrs->x_op == XDR_DECODE) { - if (supp_ngroups > ngroups_max) - cred->cr_ngroups = ngroups_max + 1; - else - cred->cr_ngroups = supp_ngroups + 1; - } + junk = 0; + for (i = 0; i < supp_ngroups; ++i) + if (!xdr_uint32_t(xdrs, i < XU_NGROUPS - 1 ? + &cred->cr_sgroups[i] : &junk)) + return (FALSE); + + if (xdrs->x_op != XDR_ENCODE) + cred->cr_ngroups = MIN(supp_ngroups + 1, XU_NGROUPS); return (TRUE); }
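Review bot: In this hunk (@@ -109,22 +118,15 @@) the decode path never bounds `supp_ngroups` after it is read from the wire, so a credential claiming far more groups than the RFC 5531 limit is not rejected: every excess entry is consumed into `junk` and the count is then silently clamped by `MIN(supp_ngroups + 1, XU_NGROUPS)`. That is now memory-safe, because `cr_sgroups[i]` is only written for `i < XU_NGROUPS - 1`, but the encode side already caps at `NGRPS`, so consider mirroring it right after the count is decoded, e.g. `if (xdrs->x_op == XDR_DECODE && supp_ngroups > NGRPS) return (FALSE);`, which refuses malformed AUTH_SYS credentials up front instead of spending one XDR read per bogus entry and also makes the `supp_ngroups + 1` wrap-around on a `uint32_t` count unreachable rather than merely impractical. One more point for the commit log rather than the code: the old decode code truncated to `ngroups_max` while the new one truncates to `XU_NGROUPS`, so peers that sent more than `XU_NGROUPS - 1` supplementary groups now have the extras dropped; stating that explicitly would help anyone bisecting a permissions change back to this commit.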