From nobody Thu Mar 26 01:16:01 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4fh5Sf32KYz6X4Kc for ; Thu, 26 Mar 2026 01:16:02 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4fh5Sf02lcz3LkD for ; Thu, 26 Mar 2026 01:16:02 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1774487762; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=3ecGHtpL3he87oisp1gQ63472MA0Hfnwji4h8nCsZL0=; b=NddxE2K3SO8ApmU+au91CtBjUWBE0nP0yVfhT/cxa+1c4HBgWpWtSCTn6YU84htfNEUJdf a2zN7a6Rq+njlYDH57pgS0obA2Of8Ddui0Vo0nNczQb3Vz82Cx4CpRFRz1MyxODSEijEQJ 22Fp8BIHLaF4PrzPFvfrJn/pgoPblaFLD6sDwHJF9eWhlGSUSBiCsUwryOcbS2O1k7TAhd dFWf5sIGgvgacLxPSx+r0Uc1Spc0o6kMgSEYPsi2bJ1FfuYG95FmRadJasjcAZNItDnYR1 yDrQsRWyvh1vxk3m1j9NDaJeSTKcSob5hCnZf3+B7MSor6rWmk05sRkxNCHbgw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1774487762; a=rsa-sha256; cv=none; b=gu8j9JN1h5HHLFw7lqF6xb7KY3NWP5fCVeIshv3LrsJF64lg6zYG9f6fq0kiPghLF/c58h VPAezJUEzRJQQiUHCA7nUlldl9pmFvPSfgLW326+cBN4Z5mdY9E+GOU1kbTvWa13iAdtLh uDJ2GJpkMF+JVSyUi7r8Av8Gdgr+QH1J3SsksEzpXB3KfJ7CMTRuvesBsb9FYWKsP/sMBH 0bI+mzRNz25AThQS87MvVXav6j5GQqfcFq5Me45VqSWUMGmbB40TFsJS7BkYoOV0t5i2HW qoN156/TO0xDJG2pJGsv7WkHZimQ71g2EtxpbMicIFLhMNIZCjpJkyKW6wYZAg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1774487762; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=3ecGHtpL3he87oisp1gQ63472MA0Hfnwji4h8nCsZL0=; b=oc4sk2jME64ZFfSBTRZXOHT4KZOeB8/CGkPw3forGMGSIwazbAu1/j9MvOxAO+TSwpSjSS i4nPvnFNDLxGs9ZNNc+t3rOpO5BNG6KMGcF4W0vIof90imsdvnZrXfKqfzPDMhd73vjiUE zAopQ013aZNjDTKLyr5+k+BKNDpxum7/pGxgxXutqQcYDpeTOzz+0IHXI2HbWg4nRrDR8H iCsutJXRqBoHiBBXJ4q5FDLk+IjGijFlz1CtCjhWtB3g5dMQui3IkL/dKK40OfEpnKGQ2x +Nhwuwz3yPNNC2XYc5gyylzQzaTZnU3MEa4oeiNbym2eEbRg3ToAXp4AQLj+RA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4fh5Sd6VfTzVXr for ; Thu, 26 Mar 2026 01:16:01 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 19bf0 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Thu, 26 Mar 2026 01:16:01 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Mark Johnston From: Philip Paeps Subject: git: b6ce88ab9a5f - releng/14.3 - rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate() List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: philip X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.3 X-Git-Reftype: branch X-Git-Commit: b6ce88ab9a5fd248cd3cf72d8e4b86f989291505 Auto-Submitted: auto-generated Date: Thu, 26 Mar 2026 01:16:01 +0000 Message-Id: <69c488d1.19bf0.3554fd2@gitrepo.freebsd.org> The branch releng/14.3 has been updated by philip: URL: https://cgit.FreeBSD.org/src/commit/?id=b6ce88ab9a5fd248cd3cf72d8e4b86f989291505 commit b6ce88ab9a5fd248cd3cf72d8e4b86f989291505 Author: Mark Johnston AuthorDate: 2026-03-24 02:12:42 +0000 Commit: Philip Paeps CommitDate: 2026-03-25 06:56:34 +0000 rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate() svc_rpc_gss_validate() copies the input message into a stack buffer without ensuring that the buffer is large enough. Sure enough, oa_length may be up to 400 bytes, much larger than the provided space. This enables an unauthenticated user to trigger an overflow and obtain remote code execution. Add a runtime check which verifies that the copy won't overflow. Approved by: so Security: FreeBSD-SA-26:08.rpcsec_gss Security: CVE-2026-4747 Reported by: Nicholas Carlini Reviewed by: rmacklem Fixes: a9148abd9da5d --- lib/librpcsec_gss/svc_rpcsec_gss.c | 9 ++++++++- sys/rpc/rpcsec_gss/svc_rpcsec_gss.c | 10 +++++++++- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/lib/librpcsec_gss/svc_rpcsec_gss.c b/lib/librpcsec_gss/svc_rpcsec_gss.c index e9d39a813f86..73b92371e6d0 100644 --- a/lib/librpcsec_gss/svc_rpcsec_gss.c +++ b/lib/librpcsec_gss/svc_rpcsec_gss.c @@ -758,6 +758,14 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg, memset(rpchdr, 0, sizeof(rpchdr)); + oa = &msg->rm_call.cb_cred; + + if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT) { + log_debug("auth length %d exceeds maximum", oa->oa_length); + client->cl_state = CLIENT_STALE; + return (FALSE); + } + /* Reconstruct RPC header for signing (from xdr_callmsg). */ buf = rpchdr; IXDR_PUT_LONG(buf, msg->rm_xid); @@ -766,7 +774,6 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg, IXDR_PUT_LONG(buf, msg->rm_call.cb_prog); IXDR_PUT_LONG(buf, msg->rm_call.cb_vers); IXDR_PUT_LONG(buf, msg->rm_call.cb_proc); - oa = &msg->rm_call.cb_cred; IXDR_PUT_ENUM(buf, oa->oa_flavor); IXDR_PUT_LONG(buf, oa->oa_length); if (oa->oa_length) { diff --git a/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c b/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c index 64038240ab37..031e6af5c1b2 100644 --- a/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c +++ b/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c @@ -1107,6 +1107,15 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg, memset(rpchdr, 0, sizeof(rpchdr)); + oa = &msg->rm_call.cb_cred; + + if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT) { + rpc_gss_log_debug("auth length %d exceeds maximum", + oa->oa_length); + client->cl_state = CLIENT_STALE; + return (FALSE); + } + /* Reconstruct RPC header for signing (from xdr_callmsg). */ buf = rpchdr; IXDR_PUT_LONG(buf, msg->rm_xid); @@ -1115,7 +1124,6 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg, IXDR_PUT_LONG(buf, msg->rm_call.cb_prog); IXDR_PUT_LONG(buf, msg->rm_call.cb_vers); IXDR_PUT_LONG(buf, msg->rm_call.cb_proc); - oa = &msg->rm_call.cb_cred; IXDR_PUT_ENUM(buf, oa->oa_flavor); IXDR_PUT_LONG(buf, oa->oa_length); if (oa->oa_length) {