git: bfff5c180193 - releng/14.3 - setcred: Fix buffer overflow
Date: Wed, 20 May 2026 19:40:32 UTC
The branch releng/14.3 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=bfff5c180193845664a0d9f56f94111214e7c80b
commit bfff5c180193845664a0d9f56f94111214e7c80b
Author: Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2026-05-07 08:06:35 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-05-19 23:48:36 +0000
setcred: Fix buffer overflow
Since groups is a pointer to a pointer to an array of gid_t, we should
use sizeof(**groups) or sizeof(gid_t) when calculating how much to
allocate and copy in. We were using sizeof(*groups) instead, which
meant that on 64-bit platforms, we would allocate and copy in twice as
much as we should. Unfortunately, in the smallgroups case, we copy
into a preallocated buffer which has the correct size, which means that
if sc_supp_groups_nb >= CRED_SMALLGROUPS_NB / 2, we overflow smallgroups.
This is a direct commit to stable/14.
Approved by: so
Security: FreeBSD-SA-26:18.setcred
Reported by: Ryan of Calif.io
Fixes: ddb3eb4efe55 ("New setcred() system call and associated MAC hooks")
---
sys/kern/kern_prot.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
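The size arithmetic described in the commit message, reproduced as a small stand-alone C program that is not part of the FreeBSD source or of this commit. It models the smallgroups path only: the destination buffer holds CRED_SMALLGROUPS_NB entries of gid_t, copyin starts at index 1, and the request length is nb times some element size. Passing sizeof(gid_t *) reproduces the pre-fix length computed from sizeof(*groups) on a 64-bit platform; passing sizeof(gid_t) reproduces the fixed one. The value 16 for CRED_SMALLGROUPS_NB is an assumption made here so the program compiles without the kernel headers; the threshold it derives is expressed relative to that constant, as the commit message does.

```c
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Assumed value, standing in for the kernel's definition. */
#define CRED_SMALLGROUPS_NB 16

/*
 * The on-stack buffer used when the caller supplies fewer than
 * CRED_SMALLGROUPS_NB groups. The copy lands at element 1, so only
 * (CRED_SMALLGROUPS_NB - 1) * sizeof(gid_t) bytes are available.
 */
static size_t smallgroups_copy_capacity(void)
{
	gid_t smallgroups[CRED_SMALLGROUPS_NB];

	return (sizeof(smallgroups) - sizeof(smallgroups[0]));
}

/* Bytes requested by copyin for nb groups when each is counted as elem_size. */
static size_t requested_copy_bytes(size_t nb, size_t elem_size)
{
	return (nb * elem_size);
}

/*
 * True if a request of nb groups, sized with elem_size per group, would
 * run past the end of smallgroups. Only meaningful for nb below
 * CRED_SMALLGROUPS_NB, since larger counts take the malloc path.
 */
bool copy_overflows_smallgroups(size_t nb, size_t elem_size)
{
	if (nb >= CRED_SMALLGROUPS_NB)
		return (false);
	return (requested_copy_bytes(nb, elem_size) >
	    smallgroups_copy_capacity());
}

/*
 * Smallest group count on the smallgroups path that overflows with the
 * given element size, or CRED_SMALLGROUPS_NB if none does.
 */
size_t first_overflowing_nb(size_t elem_size)
{
	size_t nb;

	for (nb = 0; nb < CRED_SMALLGROUPS_NB; nb++)
		if (copy_overflows_smallgroups(nb, elem_size))
			return (nb);
	return (CRED_SMALLGROUPS_NB);
}

int main(void)
{
	/* Pre-fix: sizeof(*groups) with groups of type gid_t ** is a pointer size. */
	size_t buggy = first_overflowing_nb(sizeof(gid_t *));
	/* Post-fix: sizeof(gid_t), the actual element type. */
	size_t fixed = first_overflowing_nb(sizeof(gid_t));

	printf("sizeof(gid_t *) = %zu, sizeof(gid_t) = %zu\n",
	    sizeof(gid_t *), sizeof(gid_t));
	printf("pre-fix length: first overflowing nb = %zu (threshold %d)\n",
	    buggy, CRED_SMALLGROUPS_NB / 2);
	printf("post-fix length: first overflowing nb = %zu (%d means none)\n",
	    fixed, CRED_SMALLGROUPS_NB);
	return (0);
}
```

On an LP64 platform the pre-fix computation first overflows at nb equal to CRED_SMALLGROUPS_NB / 2, which is the bound stated in the commit message; with sizeof(gid_t) no count on the smallgroups path overflows. On a 32-bit platform, where a pointer and a gid_t are both four bytes, the pre-fix length is merely correct by coincidence, which is why the bug was platform-dependent.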
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index d0f4c8cd6992..cec3fd829564 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -527,10 +527,10 @@ kern_setcred_copyin_supp_groups(struct setcred *const wcred,
*/
*groups = wcred->sc_supp_groups_nb < CRED_SMALLGROUPS_NB ?
smallgroups : malloc((wcred->sc_supp_groups_nb + 1) *
- sizeof(*groups), M_TEMP, M_WAITOK);
+ sizeof(gid_t), M_TEMP, M_WAITOK);
error = copyin(wcred->sc_supp_groups, *groups + 1,
- wcred->sc_supp_groups_nb * sizeof(*groups));
+ wcred->sc_supp_groups_nb * sizeof(gid_t));
if (error != 0)
return (error);
wcred->sc_supp_groups = *groups + 1;
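Review bot: the two replaced lines switch the element size to sizeof(gid_t), which is the right size here since groups is a gid_t ** and the buffer holds gid_t, but the commit message offers sizeof(**groups) as the alternative and that form would keep the size tied to the pointer's actual element type if the declaration ever changes; either is acceptable, so consider sizeof(**groups) for robustness. Both sites are updated consistently: the malloc branch now allocates (wcred->sc_supp_groups_nb + 1) * sizeof(gid_t), leaving exactly one spare leading slot for the copy at *groups + 1, and the copyin length matches the nb entries written there. Worth a one-line comment above the ternary that the smallgroups selection (sc_supp_groups_nb < CRED_SMALLGROUPS_NB) is what guarantees nb + 1 entries fit on the small path, since that relationship is what the old size miscalculation silently broke on 64-bit platforms.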