From nobody Fri Dec 19 09:19:23 2025 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dXhn83NSmz6LBQy for ; Fri, 19 Dec 2025 09:19:24 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4dXhn80rzXz451W for ; Fri, 19 Dec 2025 09:19:24 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1766135964; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=SuvQ4wZkPZF9ygXBXd4/2e2s+USNqWzi5E0j7KZeHQM=; b=DrbV1EUcxZYqRYbCX2XNQx+6GI3sC27m9Us0N2yjvPmRAZviwZb2Em1qx6yFnWEemI3MYw otsYDrim1ielgTcn1HEHLpy0d7NmvD7z41fUlfN2LcWEEyIbLNzbpj4fWZCXdQI8CUUNK7 60P3TJlQ56vK4tnitCH/SKmTqkjSejG4C52z4AvyDSmBLhgywASqx4e4fBNTIbjH3c8fl9 8JdT1OZSFf4KzgQ07R/zqsTkxht3+aoAEoYE1tuV66hs2m+7p0mD7N7shhFHYHAYZek9Md vb0EpiO3pKBQ28YV9KOmpVQWJ/gx4u4nSIwtUYuDTR9RfUKyIYe/M04S/D2JMg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1766135964; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=SuvQ4wZkPZF9ygXBXd4/2e2s+USNqWzi5E0j7KZeHQM=; b=dQiVnANOlGWYUOjQ4yrzNQiuTibdEdLoFGcnWjKTiZ/os8Ia/CK90mA+fa2mgOhV0rm5AI So+LWJZFXSxx7IN4mj8ZEfAKTbto/zO0R3ilgKbhiUOU8KiKMIn3bYU7LePV4HO+d7bo0Q 0SCSF5fzz+vmtmZN6tlTGBCDRS47MjzLSfixKXFUrxUX9kOEjwF5JFUwXrpaLtakLQ8z0Q EuOgXzLcxeZOIcXmMren6iiPDZrmUiatw0GP7G/50XXWC47qOEmJdj9V71CT+Y3uT19KSu Kzoxg1YQQRG1qUkF8wUPgFzVgKtl1mOYrlc+C1GnvdHncEVuTQ3N0TZeN9qt1Q== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1766135964; a=rsa-sha256; cv=none; b=PfZLvbQPWb6LuR00tdLlUK4mWxaKN2dK1i89coPltDi0UzxW5pk0zQrMJ/PevmzQ+MAohF xwudiirjKvvJtEFRIf8yhEeBQqc94xvvtqFiXMsEkSabYGP0kEsxo7nEUhLcRohG3jVSjy qAzZKB0ygmpGhfPIYJ1RokXKL00FQs6+C55Z5EPy1E0uYKqw1eK9NkV0XdMHfIdlyzzMb0 o0r5sQh5yYyz7nBIegRUN92RuEafKMWLsrv3RhufLWVTQKtS+0ijFMNnS7morn+Ng757qs 2TV1kJKQV2f2uhFYxJ8jIrV46+ai+ympNuQoXBxT+7nMiWv0FiSNqBPVd8oTRA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4dXhn76mqCz1GNV for ; Fri, 19 Dec 2025 09:19:23 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3f889 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Fri, 19 Dec 2025 09:19:23 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Olivier Certner Subject: git: 2815d86103ae - stable/14 - setcred(): Fix 32-bit compatibility copy-in List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: olce X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 2815d86103ae1b0e871c0dd68bb8b3c3090a2264 Auto-Submitted: auto-generated Date: Fri, 19 Dec 2025 09:19:23 +0000 Message-Id: <6945189b.3f889.1a299a8a@gitrepo.freebsd.org> The branch stable/14 has been updated by olce: URL: https://cgit.FreeBSD.org/src/commit/?id=2815d86103ae1b0e871c0dd68bb8b3c3090a2264 commit 2815d86103ae1b0e871c0dd68bb8b3c3090a2264 Author: Olivier Certner AuthorDate: 2025-11-14 20:20:12 +0000 Commit: Olivier Certner CommitDate: 2025-12-19 09:16:48 +0000 setcred(): Fix 32-bit compatibility copy-in For 32-bit processes on 64-bit architectures, a difference of 'int' pointers was wrongly used as a number of bytes to copy in a memcpy() used to internally construct a 64-bit 'struct setcred' from the 32-bit variant, leading to copying only part of the 32-bit structure, and thus to requesting credentials with garbage IDs except for the real and effective user IDs. This bug was spotted by jhb@, who produced a slightly more invasive fix in D53757 (a switch to using CP() on all fields). In the interest of minimizing the diff for possible inclusion in 15.0, the commit here just limits itself to fixing the number of bytes to copy. Tested successfully on a VM with 32-bit mdo(1) (and in passing also tested that the same executable on a kernel without this change exhibits the bug in practice, in the form of setcred() failing with EINVAL). Reported by: jhb Reviewed by: jhb Fixes: ddb3eb4efe55 ("New setcred() system call and associated MAC hooks") MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D53767 (cherry picked from commit 4872b48b175cc637ee38f645d68b8207d9335474) --- sys/kern/kern_prot.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index c8fea2672565..9edc1fa3f02c 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -576,8 +576,8 @@ user_setcred(struct thread *td, const u_int flags, if (error != 0) return (error); /* These fields have exactly the same sizes and positions. */ - memcpy(&wcred, &wcred32, &wcred32.setcred32_copy_end - - &wcred32.setcred32_copy_start); + memcpy(&wcred, &wcred32, __rangeof(struct setcred32, + setcred32_copy_start, setcred32_copy_end)); /* Remaining fields are pointers and need PTRIN*(). */ PTRIN_CP(wcred32, wcred, sc_supp_groups); PTRIN_CP(wcred32, wcred, sc_label);