From nobody Mon Nov 03 20:29:44 2025 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4d0jqs23j5z6Fj6j; Mon, 03 Nov 2025 20:29:45 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4d0jqr4Wphz3KX0; Mon, 03 Nov 2025 20:29:44 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1762201784; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=EcP/Q9CHTa55X86Z1TiJ2aiSNfaIuxE9pWrlFvLAIb4=; b=BplACFGqwiU+wCNLrNN+V9SOTEUvmCgRH7ONKm2Hj9M9nhGe1bZ5tvt4z8wfv5s+k7QccD MjCEIPNOxDAjOYncSXI4U2bJVsf4SmB7fhZjHPPOWJV0/PbsIIr0nrOwEEg1eLsZxsGnwy Kfibh1qBhuqTb+t5lZ8Yoe2MIM1Bh/B9Lto7Zg0GKzeHH4chiG0vDHTvtV8kw7W1G/7BYZ RWdR6oi9PoJXGyuKkZHGb4BLtB8J2Rhgskq0GMGYN+XZFONfRo+B335lLMvspr8ndjdorS vA5Pbg3AWjp9pFwzy3sUQeMZ/cEGR9cqph9xofmZw6GKS7ogqr2Uo2qwcRO7SA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1762201784; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=EcP/Q9CHTa55X86Z1TiJ2aiSNfaIuxE9pWrlFvLAIb4=; b=oktuej9jWqKPYIT09qdSuhaJrpVbk4YHDcUBrTWXEPuVwevPlII3YpA1LoCg4HTxG+A86q 9EaZRwXBwRId8KvjJ2gv2PHrShgY9PM8wcwhG9f21ydiu2NdMwGfExmiOp7TnDEJO0gIb3 BDkRnHIBRcdO/cgeuvEr/7xvQTaMV/EJ3bAKSnVhr/FVuyVnDKNhgVG12uMR2+LDaoDJ1X 4CVrJ9TcU6Yes5eDh7pmM7vUyqnjlj7kQOD3McPXpx0vlAc8v+XpVrqEdg8SBA/qFXmGnq VzPz4AThP4kpUu/cxLm4cAxAldOg5SSP9O9XAVkt3tjK62Y4gYiqOh2pd8wkAw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1762201784; a=rsa-sha256; cv=none; b=HjIZBHc72RLdU8JO6KdhfkJwWAQqoUeSkkGNEIM1xynP8bpapgjKvhNW3WTtNaf2VS5xTz cvSSB5lMTtll6ieBOxWUtmNfCIMdlYNe8w6ervy57vsJXYcIlwGwihBFbe2KhlmJXhci1o 7oSjfWpnUqmufu4v7WXiJRmJWA8hLlcekvfHnq4bk1oAEI0WQiOfFtcoSJPRMnPLGUfY7D FExIRtpILGVEM6nYnB1UNses2vzJK042cIjVmpyJzaesW5MfT5EIUzaaroBxAyS2yA11w3 bB/8K3mtthWFUAFZ/S/N28T9uS66TcKvcheDB4uzuCPPkAVirvOID+Bl0yVfGA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4d0jqr468kzB1D; Mon, 03 Nov 2025 20:29:44 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 5A3KTia7051055; Mon, 3 Nov 2025 20:29:44 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 5A3KTitA051052; Mon, 3 Nov 2025 20:29:44 GMT (envelope-from git) Date: Mon, 3 Nov 2025 20:29:44 GMT Message-Id: <202511032029.5A3KTitA051052@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Colin Percival Subject: git: e5fc5bc53fb8 - releng/15.0 - nfs_commonsubs.c: Add a sanity check for nid_ngroup List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: cperciva X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.0 X-Git-Reftype: branch X-Git-Commit: e5fc5bc53fb83caea92ec9856aa4638ce7a97b46 Auto-Submitted: auto-generated The branch releng/15.0 has been updated by cperciva: URL: https://cgit.FreeBSD.org/src/commit/?id=e5fc5bc53fb83caea92ec9856aa4638ce7a97b46 commit e5fc5bc53fb83caea92ec9856aa4638ce7a97b46 Author: Rick Macklem AuthorDate: 2025-10-28 14:44:14 +0000 Commit: Colin Percival CommitDate: 2025-11-03 20:28:56 +0000 nfs_commonsubs.c: Add a sanity check for nid_ngroup The nfsuserd(8) daemon passes user credentials (uid + gids) into the kernel for users and groups identified by name (received from a NFSv4 server). This patch add a sanity check for the number of groups (nid_ngroup) passed in. It's only purpose is to protect against a bogus nfsuserd(8) running in a jail. Approved by: re (cperciva) (cherry picked from commit 4672adcea4cf3c0c626d186f1f41c69552d915f1) (cherry picked from commit 83a0732a4cfe9f2846e144b39ebe517cbe395fac) --- sys/fs/nfs/nfs_commonsubs.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/sys/fs/nfs/nfs_commonsubs.c b/sys/fs/nfs/nfs_commonsubs.c index 7f5b29ca2085..dd3b8b4f1708 100644 --- a/sys/fs/nfs/nfs_commonsubs.c +++ b/sys/fs/nfs/nfs_commonsubs.c @@ -4165,10 +4165,15 @@ nfssvc_idname(struct nfsd_idargs *nidp) nidp->nid_namelen); if (error == 0 && nidp->nid_ngroup > 0 && (nidp->nid_flag & NFSID_ADDUID) != 0) { - grps = malloc(sizeof(gid_t) * nidp->nid_ngroup, M_TEMP, - M_WAITOK); - error = copyin(nidp->nid_grps, grps, - sizeof(gid_t) * nidp->nid_ngroup); + grps = NULL; + if (nidp->nid_ngroup > NGROUPS_MAX) + error = EINVAL; + if (error == 0) { + grps = malloc(sizeof(gid_t) * nidp->nid_ngroup, M_TEMP, + M_WAITOK); + error = copyin(nidp->nid_grps, grps, + sizeof(gid_t) * nidp->nid_ngroup); + } if (error == 0) { /* * Create a credential just like svc_getcred(),