From nobody Thu Oct 16 16:58:20 2025
Date: Thu, 16 Oct 2025 16:58:20 GMT
Message-Id: <202510161658.59GGwKsd055736@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Olivier Certner
Subject: git: 9492a1e27fb1 - stable/15 - sys/rpc: UNIX auth: Fix OOB accesses, notably writes on decode
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: olce
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: 9492a1e27fb18fcd6122bbd9ddcd853ee7693417

The branch stable/15 has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=9492a1e27fb18fcd6122bbd9ddcd853ee7693417

commit 9492a1e27fb18fcd6122bbd9ddcd853ee7693417
Author:     Olivier Certner
AuthorDate: 2025-10-07 10:02:23 +0000
Commit:     Olivier Certner
CommitDate: 2025-10-16 16:57:45 +0000

    sys/rpc: UNIX auth: Fix OOB accesses, notably writes on decode

    When the received authentication message had more than XU_NGROUPS, we
    would write group IDs beyond the end of cr_groups[] in the 'struct
    xucred' being filled (as 'ngroups_max' is always greater than
    XU_NGROUPS).

    For robustness, prevent various OOB accesses that would result from a
    change of value of XU_NGROUPS or a 'struct xucred' with an invalid
    'cr_ngroups' field, even if these cases are unlikely.

    Reviewed by:    rmacklem
    Fixes:          dfdcada31e79 ("Add the new kernel-mode NFS Lock Manager.")
    MFC after:      2 days
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D52960

    (cherry picked from commit 47e9c81d4f1324674c624df02a51ad3a72aa7444)
---
 sys/rpc/authunix_prot.c | 40 +++++++++++++++++++++-------------------
 1 file changed, 21 insertions(+), 19 deletions(-)

diff --git a/sys/rpc/authunix_prot.c b/sys/rpc/authunix_prot.c
index f63a6d3f9dc6..89f0ab3ed44e 100644
--- a/sys/rpc/authunix_prot.c +++ b/sys/rpc/authunix_prot.c @@ -75,7 +75,6 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred) } else { namelen = 0; } - junk = 0; if (!xdr_uint32_t(xdrs, time) || !xdr_uint32_t(xdrs, &namelen)) @@ -93,15 +92,25 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred) if (!xdr_uint32_t(xdrs, &cred->cr_uid)) return (FALSE); + + /* + * Safety check: The protocol needs at least one group (access to + * 'cr_gid', decrementation of 'cr_ngroups' below). + */ + if (xdrs->x_op == XDR_ENCODE && cred->cr_ngroups == 0) + return (FALSE); if (!xdr_uint32_t(xdrs, &cred->cr_gid)) return (FALSE); if (xdrs->x_op == XDR_ENCODE) { /* - * Note that this is a `struct xucred`, which maintains its - * historical layout of preserving the egid in cr_ngroups and - * cr_groups[0] == egid. + * Note that this is a 'struct xucred', which still has the + * historical layout where the effective GID is in cr_groups[0] + * and is accounted in 'cr_ngroups'. We substract 1 to obtain + * the number of "supplementary" groups, passed in the AUTH_SYS + * credentials variable-length array called gids[] in RFC 5531. */ + MPASS(cred->cr_ngroups <= XU_NGROUPS); supp_ngroups = cred->cr_ngroups - 1; if (supp_ngroups > NGRPS) supp_ngroups = NGRPS; 
@@ -109,22 +118,15 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred) if (!xdr_uint32_t(xdrs, &supp_ngroups)) return (FALSE); - for (i = 0; i < supp_ngroups; i++) { - if (i < ngroups_max) { - if (!xdr_uint32_t(xdrs, &cred->cr_groups[i + 1])) - return (FALSE); - } else { - if (!xdr_uint32_t(xdrs, &junk)) - return (FALSE); - } - } - if (xdrs->x_op == XDR_DECODE) { - if (supp_ngroups > ngroups_max) - cred->cr_ngroups = ngroups_max + 1; - else - cred->cr_ngroups = supp_ngroups + 1; - } + junk = 0; + for (i = 0; i < supp_ngroups; ++i) + if (!xdr_uint32_t(xdrs, i < XU_NGROUPS - 1 ? + &cred->cr_sgroups[i] : &junk)) + return (FALSE); + + if (xdrs->x_op != XDR_ENCODE) + cred->cr_ngroups = MIN(supp_ngroups + 1, XU_NGROUPS); return (TRUE); }
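Review bot: in the first hunk (@@ -75,7), dropping `junk = 0;` from the top of xdr_authunix_parms() is only safe because the last hunk re-initialises it with `junk = 0;` immediately before the loop that passes `&junk` to xdr_uint32_t(); keep those two lines adjacent in any follow-up, since on the XDR_ENCODE path the value held in `junk` is what gets serialised for groups beyond the structure's capacity.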
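Review bot: in the second hunk (@@ -93,15), the added comment has a typo, "We substract 1" should read "We subtract 1". Also worth stating in that comment: `MPASS(cred->cr_ngroups <= XU_NGROUPS)` compiles to nothing on kernels built without INVARIANTS, so at runtime an oversized `cr_ngroups` on encode is bounded only by the existing `supp_ngroups > NGRPS` clamp and the `i < XU_NGROUPS - 1` index check in the loop, i.e. the assertion documents the invariant rather than enforcing it. The `xdrs->x_op == XDR_ENCODE` guard on the `cr_ngroups == 0` check is correct, since on decode `cr_ngroups` is an output that the last hunk overwrites, and `cred->cr_ngroups - 1` would otherwise wrap for a zero input.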
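Review bot: in the third hunk (@@ -109,22), `MIN(supp_ngroups + 1, XU_NGROUPS)` wraps to 0 when the decoded `supp_ngroups` (a uint32_t, as it is read with xdr_uint32_t()) is UINT32_MAX, which would leave `cr_ngroups == 0` in a credential the caller treats as successfully decoded. It is reachable only if all 2^32 iterations of the preceding loop read successfully, so it is theoretical, but comparing before adding avoids it at no cost, e.g. `cred->cr_ngroups = supp_ngroups >= XU_NGROUPS - 1 ? XU_NGROUPS : supp_ngroups + 1;`. The substance of the fix is right: the destination index is now bounded by `XU_NGROUPS - 1`, the bound used for `cr_sgroups[]`, instead of by `ngroups_max`, so a wire count larger than the structure can hold is drained into `junk` rather than written past the end. Note that the condition changed from `x_op == XDR_DECODE` to `x_op != XDR_ENCODE`, which now also covers XDR_FREE; a word in the comment saying this is intended would help the next reader.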