git: 8eb0bbbd2e46 - stable/14 - setcred: Fix buffer overflow

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Wed, 20 May 2026 19:37:54 UTC
The branch stable/14 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=8eb0bbbd2e4681dd6dc4b8d0e894438d6d4deedb

commit 8eb0bbbd2e4681dd6dc4b8d0e894438d6d4deedb
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2026-05-07 08:06:35 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-05-20 19:37:14 +0000

    setcred: Fix buffer overflow
    
    Since groups is a pointer to a pointer to an array of gid_t, we should
    use sizeof(**groups) or sizeof(gid_t) when calculating how much to
    allocate and copy in.  We were using sizeof(*groups) instead, which
    meant that on 64-bit platforms, we would allocate and copy in twice as
    much as we should.  Unfortunately, in the smallgroups case, we copy
    into a preallocated buffer which has the correct size, which means that
    if sc_supp_groups_nb >= CRED_SMALLGROUPS_NB / 2, we overflow smallgroups.
    
    This is a direct commit to stable/14.
    
    Approved by:    so
    Security:       FreeBSD-SA-26:18.setcred
    Reported by:    Ryan of Calif.io
    Fixes:          ddb3eb4efe55 ("New setcred() system call and associated MAC hooks")
---
 sys/kern/kern_prot.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 246413a54903..e2accd7f7729 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -527,10 +527,10 @@ kern_setcred_copyin_supp_groups(struct setcred *const wcred,
 		 */
 		*groups = wcred->sc_supp_groups_nb < CRED_SMALLGROUPS_NB ?
 		    smallgroups : malloc((wcred->sc_supp_groups_nb + 1) *
-		    sizeof(*groups), M_TEMP, M_WAITOK);
+		    sizeof(gid_t), M_TEMP, M_WAITOK);
 
 		error = copyin(wcred->sc_supp_groups, *groups + 1,
-		    wcred->sc_supp_groups_nb * sizeof(*groups));
+		    wcred->sc_supp_groups_nb * sizeof(gid_t));
 		if (error != 0)
 			return (error);
 		wcred->sc_supp_groups = *groups + 1;
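Review bot: the two size expressions are now correct, but tying them to `sizeof(gid_t)` rather than `sizeof(**groups)` decouples the byte count from the type of the destination `*groups`, which is exactly how the original `sizeof(*groups)` slipped through; consider `sizeof(**groups)` (the other spelling the commit message mentions) so the allocation and the copyin length follow the pointee type if it ever changes. The small-buffer branch is safe as shown: with `sc_supp_groups_nb < CRED_SMALLGROUPS_NB`, copying `sc_supp_groups_nb` gids to `*groups + 1` leaves slot 0 free and stays within `CRED_SMALLGROUPS_NB` elements. The range check that bounds `sc_supp_groups_nb` before the `(sc_supp_groups_nb + 1) * sizeof(gid_t)` malloc is not visible in this hunk and should be confirmed separately.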
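As an added illustration of the size mistake the commit message describes (this is example code written for this page, not FreeBSD's kern_prot.c), the model below reproduces the computation with a `gid_t **groups` parameter: `sizeof(*groups)` is the size of a `gid_t *`, so on a 64-bit platform the buggy length is twice the intended one, and a copy into a fixed `CRED_SMALLGROUPS_NB`-sized buffer at offset 1 overruns it once `nb >= CRED_SMALLGROUPS_NB / 2`. All `sim_` names, the `SIM_SMALLGROUPS_NB` value of 16, the simulated `copyin()` that refuses an overrunning request instead of corrupting memory, and the constructed user group list are assumptions of this example; it assumes a 64-bit build where `sizeof(gid_t *) == 8` and `sizeof(gid_t) == 4`.

```c
/*
 * Added example, not FreeBSD code: models the length computation in
 * kern_setcred_copyin_supp_groups() before and after the fix.
 * All sim_* names and SIM_SMALLGROUPS_NB are assumptions for this page.
 */
#include <sys/types.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SIM_SMALLGROUPS_NB 16   /* assumed stand-in for CRED_SMALLGROUPS_NB */

/* The pre-allocated buffer used in the small-groups case, plus whatever
 * happens to sit after it in memory. */
struct sim_smallcase {
	gid_t smallgroups[SIM_SMALLGROUPS_NB];
	unsigned int canary;
};

/* Bytes the buggy code asked for: nb * sizeof(*groups), where *groups is
 * a gid_t *, i.e. a pointer, not a gid_t. */
size_t
sim_copy_len_buggy(size_t nb, gid_t **groups)
{
	return (nb * sizeof(*groups));
}

/* Bytes the fixed code asks for: nb * sizeof(**groups) == nb * sizeof(gid_t). */
size_t
sim_copy_len_fixed(size_t nb, gid_t **groups)
{
	return (nb * sizeof(**groups));
}

/* Space available after slot 0 (reserved for the effective gid) in the
 * small buffer. */
size_t
sim_small_avail(void)
{
	return ((SIM_SMALLGROUPS_NB - 1) * sizeof(gid_t));
}

/* Would a copy of `len` bytes starting at &smallgroups[1] run past the end? */
bool
sim_overflows_small(size_t len)
{
	return (len > sim_small_avail());
}

/*
 * Stand-in for copyin() into the small buffer.  Unlike the real thing it
 * refuses an overrunning request (returns -1) instead of writing past the
 * buffer, so the demonstration stays defined behaviour.  Returns 0 on success.
 */
int
sim_copyin_small(struct sim_smallcase *kc, const gid_t *ugroups, size_t nb,
    bool buggy)
{
	gid_t *groups = kc->smallgroups;	/* what *groups points at in-kernel */
	size_t len = buggy ? sim_copy_len_buggy(nb, &groups) :
	    sim_copy_len_fixed(nb, &groups);

	if (sim_overflows_small(len))
		return (-1);
	memcpy(groups + 1, ugroups, len);
	return (0);
}

/* Smallest nb for which the buggy length overruns the small buffer. */
size_t
sim_first_overflowing_nb(void)
{
	gid_t *dummy = NULL;
	size_t nb;

	for (nb = 0; nb < SIM_SMALLGROUPS_NB; nb++)
		if (sim_overflows_small(sim_copy_len_buggy(nb, &dummy)))
			return (nb);
	return (SIM_SMALLGROUPS_NB);	/* never overflows, e.g. on 32-bit */
}

int
main(void)
{
	struct sim_smallcase kc = { .canary = 0xdeadbeef };
	gid_t ugroups[SIM_SMALLGROUPS_NB];	/* constructed "user" group list */
	size_t nb;

	for (nb = 0; nb < SIM_SMALLGROUPS_NB; nb++)
		ugroups[nb] = 1000 + (gid_t)nb;

	printf("sizeof(*groups)=%zu sizeof(gid_t)=%zu avail=%zu first bad nb=%zu\n",
	    sizeof(gid_t *), sizeof(gid_t), sim_small_avail(),
	    sim_first_overflowing_nb());
	for (nb = 0; nb < SIM_SMALLGROUPS_NB; nb++)
		printf("nb=%2zu buggy=%2d fixed=%2d\n", nb,
		    sim_copyin_small(&kc, ugroups, nb, true),
		    sim_copyin_small(&kc, ugroups, nb, false));
	return (0);
}
```

Running it on a 64-bit host shows the buggy path being refused from `nb = 8` onwards (64 bytes requested against 60 available), while the fixed path accepts every `nb < 16`; in the real kernel the refused cases are the ones that overwrote whatever followed `smallgroups` on the stack.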