From: Olivier Certner
Subject: git: cd588aa5fe08 - stable/15 - setcred(2): Fix a panic on too many groups from latest commit
Date: Tue, 06 Jan 2026 13:34:31 +0000
Message-Id: <695d0f67.3e4da.183b230@gitrepo.freebsd.org>

The branch stable/15 has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=cd588aa5fe088f2d63479eea31d24367896d96b8

commit cd588aa5fe088f2d63479eea31d24367896d96b8
Author:     Olivier Certner
AuthorDate: 2025-11-27 09:04:50 +0000
Commit:     Olivier Certner
CommitDate: 2026-01-06 13:33:26 +0000

    setcred(2): Fix a panic on too many groups from latest commit

    kern_setcred_copyin_supp_groups() is documented to always set
    'sc_supp_groups', but did not do it if there are more supplementary groups
    than 'ngroups_max'. Also, that case was omitted from the herald comment.
    Add it there, also including it as a case where 'sc_supp_groups_nb' is
    reset to 0 as a security measure.

    Initially, kern_setcred_copyin_supp_groups() had the usual property that
    nothing had to be freed on it returning an error, but was then converted
    to relying on the caller to free() even on error, and this part was missed
    during the conversion. The benefits of this unusual convention are that
    we can zero or NULLify groups-related attributes in advance, preventing
    inadvertent use of stale data (defensive security measure), and we can
    avoid some small code duplication (no need to have two same calls to
    free()). This makes sense as kern_setcred_copyin_supp_groups() is meant
    to be a private sub-routine of user_setcred() only.

    While here, rename kern_setcred_copyin_supp_groups() =>
    user_setcred_copyin_supp_groups().

    Reported by:    pho
    Fixes:          4cd93df95e69 ("setcred(): Remove an optimization for when cr_groups[0] was the egid")
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit 000d5b52c19ff3858a6f0cbb405d47713c4267a4)
---
 sys/kern/kern_prot.c | 34 ++++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 12 deletions(-)

diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 34d68927be71..b1e4b731145e 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -529,44 +529,54 @@ gidp_cmp(const void *p1, const void *p2) * 'smallgroups' must be an (uninitialized) array of length CRED_SMALLGROUPS_NB. * Always sets 'sc_supp_groups', either to a valid kernel-space groups array * (which may or may not be 'smallgroups'), or NULL if SETCREDF_SUPP_GROUPS was - * not specified, or a buffer containing garbage on copyin() failure. In the - * last two cases, 'sc_supp_groups_nb' is additionally set to 0 as a security - * measure. 'sc_supp_groups' must be freed (M_TEMP) if not equal to - * 'smallgroups' even on failure. + * not specified or there are too many groups, or a buffer containing garbage on + * copyin() failure. In the last two cases, 'sc_supp_groups_nb' is additionally + * set to 0 as a security measure. 'sc_supp_groups' must be freed (M_TEMP) if + * not equal to 'smallgroups' even on failure. */ static int -kern_setcred_copyin_supp_groups(struct setcred *const wcred, +user_setcred_copyin_supp_groups(struct setcred *const wcred, const u_int flags, gid_t *const smallgroups) { gid_t *groups; int error; if ((flags & SETCREDF_SUPP_GROUPS) == 0) { - wcred->sc_supp_groups_nb = 0; - wcred->sc_supp_groups = NULL; - return (0); + error = 0; + goto reset_groups_exit; } /* * Check the number of groups' limit right now in order to limit the * amount of bytes to copy. */ - if (wcred->sc_supp_groups_nb > ngroups_max) - return (EINVAL); + if (wcred->sc_supp_groups_nb > ngroups_max) { + error = EINVAL; + goto reset_groups_exit; + } groups = wcred->sc_supp_groups_nb <= CRED_SMALLGROUPS_NB ? smallgroups : malloc(wcred->sc_supp_groups_nb * sizeof(gid_t), M_TEMP, M_WAITOK); - error = copyin(wcred->sc_supp_groups, groups, wcred->sc_supp_groups_nb * sizeof(gid_t)); wcred->sc_supp_groups = groups; + if (error != 0) { wcred->sc_supp_groups_nb = 0; + /* + * 'sc_supp_groups' must be freed by caller if not + * 'smallgroups'. 
+ */ return (error); } return (0); + +reset_groups_exit: + wcred->sc_supp_groups_nb = 0; + wcred->sc_supp_groups = NULL; + return (error); } int @@ -601,7 +611,7 @@ user_setcred(struct thread *td, const u_int flags, struct setcred *const wcred) * alternative for 32-bit compatibility as 'gid_t' has the same size * everywhere. */ - error = kern_setcred_copyin_supp_groups(wcred, flags, smallgroups); + error = user_setcred_copyin_supp_groups(wcred, flags, smallgroups); if (error != 0) goto free_groups;
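Review bot: the copyin() failure branch in the first hunk resets 'sc_supp_groups_nb' by hand instead of jumping to the new reset_groups_exit label, and it must, because that label also NULLs 'sc_supp_groups' and would leak the M_TEMP buffer that copyin() just failed into; the inline comment added there ("'sc_supp_groups' must be freed by caller if not 'smallgroups'") could state explicitly that this exit must not be routed through reset_groups_exit for that reason, so a later cleanup does not fold the two error exits together. The updated herald comment is consistent with the code: all three exits now set 'sc_supp_groups', and "In the last two cases" correctly covers the NULL case (not specified or too many groups) and the garbage-on-copyin-failure case, both of which zero 'sc_supp_groups_nb'.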
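The convention the commit message describes (the helper always leaves 'sc_supp_groups' in a state the caller can free, and the caller frees on every path, error or not) can be exercised outside the kernel. The following is an added example written for this page, not FreeBSD's code: a user-space model with stand-in names (sim_*, SIM_*) and a simulated copyin() in which a NULL address plays an unmapped one. A 'fixed' switch reproduces the pre-fix shape of the too-many-groups check next to the repaired one, and instead of actually freeing a stale user pointer the caller checks the post-condition its free path relies on, so the defect shows up as a failed check rather than a crash.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the kernel's types and limits; not FreeBSD's names. */
typedef unsigned int sim_gid_t;
#define SIM_SMALLGROUPS_NB 4	/* role of CRED_SMALLGROUPS_NB */
#define SIM_NGROUPS_MAX    8	/* role of ngroups_max */
#define SIM_F_SUPP_GROUPS  0x1	/* role of SETCREDF_SUPP_GROUPS */

struct sim_setcred {
	unsigned int supp_groups_nb;
	sim_gid_t *supp_groups;	/* user pointer on entry; kernel buffer or NULL on exit */
};

struct sim_result {
	int error;
	unsigned int nb;	/* supp_groups_nb as left by the helper */
	bool freeable;		/* may the caller's unconditional free path run? */
	bool used_heap;		/* did the caller release a malloc()ed buffer? */
	sim_gid_t sum;		/* sum of the copied gids on success, else 0 */
};

/* Simulated copyin(9): a NULL "user" address plays an unmapped one. */
static int
sim_copyin(const void *uaddr, void *kaddr, size_t len)
{
	if (uaddr == NULL)
		return (EFAULT);
	memcpy(kaddr, uaddr, len);
	return (0);
}

/* The helper. With 'fixed' false the too-many-groups check returns without
 * touching the struct, which is the defect the commit repairs. */
static int
sim_copyin_supp_groups(struct sim_setcred *wcred, unsigned int flags,
    sim_gid_t *smallgroups, bool fixed)
{
	sim_gid_t *groups;
	int error;
	if ((flags & SIM_F_SUPP_GROUPS) == 0) {
		error = 0;
		goto reset_groups_exit;
	}
	if (wcred->supp_groups_nb > SIM_NGROUPS_MAX) {
		if (!fixed)
			return (EINVAL);	/* pre-fix: stale user pointer left behind */
		error = EINVAL;
		goto reset_groups_exit;
	}
	/* The limit check above bounds both the multiplication and the copy. */
	groups = wcred->supp_groups_nb <= SIM_SMALLGROUPS_NB ? smallgroups :
	    malloc(wcred->supp_groups_nb * sizeof(sim_gid_t));
	if (groups == NULL) {	/* user-space malloc() can fail; M_WAITOK cannot */
		error = ENOMEM;
		goto reset_groups_exit;
	}
	error = sim_copyin(wcred->supp_groups, groups,
	    wcred->supp_groups_nb * sizeof(sim_gid_t));
	wcred->supp_groups = groups;	/* published even on failure so the caller frees it */
	if (error != 0) {
		wcred->supp_groups_nb = 0;
		return (error);
	}
	return (0);

reset_groups_exit:
	wcred->supp_groups_nb = 0;
	wcred->supp_groups = NULL;
	return (error);
}

/* Post-condition the caller's free relies on: NULL, the small array, or a heap
 * buffer. The original user pointer still being there means free() on user memory. */
static bool
sim_groups_freeable(const struct sim_setcred *wcred,
    const sim_gid_t *smallgroups, const sim_gid_t *user_ptr)
{
	return (wcred->supp_groups == NULL || wcred->supp_groups == smallgroups ||
	    wcred->supp_groups != user_ptr);
}

/* The caller: consumes the groups on success and frees on every path. */
static struct sim_result
sim_setcred(bool fixed, unsigned int flags, unsigned int nb, sim_gid_t *user_groups)
{
	sim_gid_t smallgroups[SIM_SMALLGROUPS_NB];
	struct sim_setcred wcred = { nb, user_groups };
	struct sim_result r = { 0, 0, false, false, 0 };
	r.error = sim_copyin_supp_groups(&wcred, flags, smallgroups, fixed);
	r.nb = wcred.supp_groups_nb;
	r.freeable = sim_groups_freeable(&wcred, smallgroups, user_groups);
	for (unsigned int i = 0; r.error == 0 && i < wcred.supp_groups_nb; i++)
		r.sum += wcred.supp_groups[i];
	/* free_groups: guarded only so the pre-fix case cannot crash this demo. */
	if (r.freeable && wcred.supp_groups != smallgroups) {
		r.used_heap = wcred.supp_groups != NULL;
		free(wcred.supp_groups);	/* free(NULL) is a no-op */
	}
	return (r);
}

static sim_gid_t sim_user_groups[6] = { 10, 20, 30, 40, 50, 60 };	/* constructed sample */
```

Calling sim_setcred(false, SIM_F_SUPP_GROUPS, 9, sim_user_groups) models the reported panic: the helper returns EINVAL with 'supp_groups' still pointing at the user array, so 'freeable' is false and the caller's unconditional free would have run on user memory. The same call with 'fixed' true returns EINVAL with 'supp_groups' NULL and 'supp_groups_nb' 0, which is exactly what the updated herald comment promises; the copyin-failure cases show the other half of the convention, where a buffer (small or heap) is published despite the error so that the caller, not the helper, releases it.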