git: d98c0a494a42 - releng/15.0 - setcred: Fix buffer overflow
Date: Wed, 20 May 2026 19:39:28 UTC
The branch releng/15.0 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=d98c0a494a421b40f727356bd892d25041c5f90d
commit d98c0a494a421b40f727356bd892d25041c5f90d
Author: Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2026-05-07 08:06:35 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-05-19 23:51:24 +0000
setcred: Fix buffer overflow
Since groups is a pointer to a pointer to an array of gid_t, we should
use sizeof(**groups) or sizeof(gid_t) when calculating how much to
allocate and copy in. We were using sizeof(*groups) instead, which
meant that on 64-bit platforms, we would allocate and copy in twice as
much as we should. Unfortunately, in the smallgroups case, we copy
into a preallocated buffer which has the correct size, which means that
if sc_supp_groups_nb >= CRED_SMALLGROUPS_NB / 2, we overflow smallgroups.
This is a direct commit to releng/15.0.
Approved by: so
Security: FreeBSD-SA-26:18.setcred
Reported by: Ryan of Calif.io
Fixes: ddb3eb4efe55 ("New setcred() system call and associated MAC hooks")
---
sys/kern/kern_prot.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 0b7dc2169335..02f83360885e 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -554,10 +554,10 @@ kern_setcred_copyin_supp_groups(struct setcred *const wcred,
*/
*groups = wcred->sc_supp_groups_nb <= CRED_SMALLGROUPS_NB ?
smallgroups : malloc(wcred->sc_supp_groups_nb *
- sizeof(*groups), M_TEMP, M_WAITOK);
+ sizeof(gid_t), M_TEMP, M_WAITOK);
error = copyin(wcred->sc_supp_groups, *groups,
- wcred->sc_supp_groups_nb * sizeof(*groups));
+ wcred->sc_supp_groups_nb * sizeof(gid_t));
if (error != 0)
return (error);
wcred->sc_supp_groups = *groups;
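Review bot: The byte count `wcred->sc_supp_groups_nb * sizeof(gid_t)` is still spelled out twice, once in the malloc() call and once in the copyin() call, so the allocation size and the copy size can drift apart again in a later edit. Computing it once into a local size_t and passing that to both calls would remove that possibility. Writing the element size as sizeof(**groups), the other form the commit message names, would also keep it tied to the destination's type rather than to a type name repeated by hand. Because the smallgroups path copies into a preallocated buffer selected only by the `<= CRED_SMALLGROUPS_NB` test, a short comment or assertion at that test stating that smallgroups holds CRED_SMALLGROUPS_NB entries of gid_t would document the invariant this fix restores.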