From nobody Tue Oct 14 12:22:47 2025
Date: Tue, 14 Oct 2025 12:22:47 GMT
Message-Id: <202510141222.59ECMluk019540@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Olivier Certner
Subject: git: 47e9c81d4f13 - main - sys/rpc: UNIX auth: Fix OOB accesses, notably writes on decode
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: olce
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 47e9c81d4f1324674c624df02a51ad3a72aa7444
Auto-Submitted: auto-generated

The branch main has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=47e9c81d4f1324674c624df02a51ad3a72aa7444

commit 47e9c81d4f1324674c624df02a51ad3a72aa7444
Author:     Olivier Certner
AuthorDate: 2025-10-07 10:02:23 +0000
Commit:     Olivier Certner
CommitDate: 2025-10-14 12:21:48 +0000

    sys/rpc: UNIX auth: Fix OOB accesses, notably writes on decode

    When the received authentication message had more than XU_NGROUPS, we
    would write group IDs beyond the end of cr_groups[] in the 'struct
    xucred' being filled (as 'ngroups_max' is always greater than
    XU_NGROUPS).

    For robustness, prevent various OOB accesses that would result from a
    change of value of XU_NGROUPS or a 'struct xucred' with an invalid
    'cr_ngroups' field, even if these cases are unlikely.

    Reviewed by:    rmacklem
    Fixes:          dfdcada31e79 ("Add the new kernel-mode NFS Lock Manager.")
    MFC after:      2 days
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D52960
---
 sys/rpc/authunix_prot.c | 40 +++++++++++++++++++++------------------
 1 file changed, 21 insertions(+), 19 deletions(-)

diff --git a/sys/rpc/authunix_prot.c b/sys/rpc/authunix_prot.c
index f63a6d3f9dc6..89f0ab3ed44e 100644
--- a/sys/rpc/authunix_prot.c
+++ b/sys/rpc/authunix_prot.c
@@ -75,7 +75,6 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred) } else { namelen = 0; } - junk = 0; if (!xdr_uint32_t(xdrs, time) || !xdr_uint32_t(xdrs, &namelen)) @@ -93,15 +92,25 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred) if (!xdr_uint32_t(xdrs, &cred->cr_uid)) return (FALSE); + + /* + * Safety check: The protocol needs at least one group (access to + * 'cr_gid', decrementation of 'cr_ngroups' below). + */ + if (xdrs->x_op == XDR_ENCODE && cred->cr_ngroups == 0) + return (FALSE); if (!xdr_uint32_t(xdrs, &cred->cr_gid)) return (FALSE); if (xdrs->x_op == XDR_ENCODE) { /* - * Note that this is a `struct xucred`, which maintains its - * historical layout of preserving the egid in cr_ngroups and - * cr_groups[0] == egid. + * Note that this is a 'struct xucred', which still has the + * historical layout where the effective GID is in cr_groups[0] + * and is accounted in 'cr_ngroups'. We substract 1 to obtain + * the number of "supplementary" groups, passed in the AUTH_SYS + * credentials variable-length array called gids[] in RFC 5531. */ + MPASS(cred->cr_ngroups <= XU_NGROUPS); supp_ngroups = cred->cr_ngroups - 1; if (supp_ngroups > NGRPS) supp_ngroups = NGRPS; @@ -109,22 +118,15 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred) if (!xdr_uint32_t(xdrs, &supp_ngroups)) return (FALSE); - for (i = 0; i < supp_ngroups; i++) { - if (i < ngroups_max) { - if (!xdr_uint32_t(xdrs, &cred->cr_groups[i + 1])) - return (FALSE); - } else { - if (!xdr_uint32_t(xdrs, &junk)) - return (FALSE); - } - } - if (xdrs->x_op == XDR_DECODE) { - if (supp_ngroups > ngroups_max) - cred->cr_ngroups = ngroups_max + 1; - else - cred->cr_ngroups = supp_ngroups + 1; - } + junk = 0; + for (i = 0; i < supp_ngroups; ++i) + if (!xdr_uint32_t(xdrs, i < XU_NGROUPS - 1 ? + &cred->cr_sgroups[i] : &junk)) + return (FALSE); + + if (xdrs->x_op != XDR_ENCODE) + cred->cr_ngroups = MIN(supp_ngroups + 1, XU_NGROUPS); return (TRUE); }
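Review bot: in the second hunk (@@ -93,15 +92,25 @@), the new `cred->cr_ngroups == 0` guard plus `MPASS(cred->cr_ngroups <= XU_NGROUPS)` leaves the upper bound unchecked on kernels built without INVARIANTS, where MPASS compiles to nothing. On such a kernel an invalid `cr_ngroups` larger than XU_NGROUPS gives `supp_ngroups = cred->cr_ngroups - 1` clamped only to NGRPS, and because NGRPS (16) exceeds XU_NGROUPS - 1 (15), the encode loop in the last hunk then emits `junk`, i.e. 0, for index XU_NGROUPS - 1: the credential put on the wire advertises gid 0 as a supplementary group. Since the commit message explicitly wants robustness against an invalid `cr_ngroups`, make this a hard check rather than an assertion, e.g. `if (xdrs->x_op == XDR_ENCODE && (cred->cr_ngroups == 0 || cred->cr_ngroups > XU_NGROUPS)) return (FALSE);`, and if `cr_ngroups` is a signed field, use `<= 0` for the lower bound so a negative value cannot wrap in the subtraction. Minor: "substract" in the rewritten comment should read "subtract".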
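Review bot: in the last hunk (@@ -109,22 +118,15 @@), the decode path uses the peer-supplied `supp_ngroups` as the loop bound without checking it against NGRPS, the maximum size of the AUTH_SYS gids[] array in RFC 5531, so a count above 16 is accepted and the excess entries are read into `junk` and discarded. That is memory-safe because of the `i < XU_NGROUPS - 1` guard (the actual fix for the OOB write), and an absurd count terminates once `xdr_uint32_t` fails at the end of the buffer, but rejecting `supp_ngroups > NGRPS` as a protocol error right after it is decoded would mirror the clamp the encode side applies and also remove the theoretical wrap of `supp_ngroups + 1` in the MIN() when the value is UINT32_MAX. Separately, switching the final assignment from `== XDR_DECODE` to `!= XDR_ENCODE` now covers XDR_FREE too; `xdr_uint32_t` is a no-op on free, so unless `supp_ngroups` is initialised at its declaration (not visible in this hunk) `cr_ngroups` would be set from an unset value on that path. If XDR_FREE cannot reach this function, keeping the explicit `== XDR_DECODE` states the intent. Worth a comment as well: a peer presenting more than XU_NGROUPS - 1 supplementary groups now has the rest silently dropped instead of written out of bounds, which is the right fail-closed outcome but does change the authorization result for such clients.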