git: 97e7c06af75e - stable/15 - fuse: Fix GID when sending FUSE_INTERRUPT to a FUSE daemon

From: Olivier Certner <olce_at_FreeBSD.org>
Date: Tue, 23 Sep 2025 12:03:27 UTC
The branch stable/15 has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=97e7c06af75ef7899b925027ee779c9ee50de208

commit 97e7c06af75ef7899b925027ee779c9ee50de208
Author:     Olivier Certner <olce@FreeBSD.org>
AuthorDate: 2025-08-26 12:39:16 +0000
Commit:     Olivier Certner <olce@FreeBSD.org>
CommitDate: 2025-09-23 12:02:41 +0000

    fuse: Fix GID when sending FUSE_INTERRUPT to a FUSE daemon
    
    Due to the partial-only changes of commit 46c07316f906 ("kern: adopt the
    cr_gid macro for cr_groups[0] more widely"), subsequent commit
    be1f7435ef218b1d ("kern: start tracking cr_gid outside of cr_groups[]")
    caused a mismatch between filling cr_groups[0] in 'reused_creds' in
    fuse_interrupt_send() and reading 'cr_gid' from it in
    fuse_setup_ihead(), with the consequence that the kernel would send
    a FUSE_INTERRUPT message to the FUSE daemon with an uninitialized GID in
    its header (which, besides being wrong, would disclose 4 bytes from its
    stack).
    
    Fixes:          be1f7435ef218b1d ("kern: start tracking cr_gid outside of cr_groups[]")
    MFC after:      5 days
    MFC to:         stable/15
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D52255
    
    (cherry picked from commit d22592cd6fd2d39432add376dad460a66488a846)
---
 sys/fs/fuse/fuse_ipc.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/sys/fs/fuse/fuse_ipc.c b/sys/fs/fuse/fuse_ipc.c
index a751c09159ff..7f754ab7f1d4 100644
--- a/sys/fs/fuse/fuse_ipc.c
+++ b/sys/fs/fuse/fuse_ipc.c
@@ -193,7 +193,6 @@ fuse_interrupt_send(struct fuse_ticket *otick, int err)
 	struct fuse_data *data = otick->tk_data;
 	struct fuse_ticket *tick, *xtick;
 	struct ucred reused_creds;
-	gid_t reused_groups[1];
 
 	if (otick->irq_unique == 0) {
 		/* 
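Review bot: `struct ucred reused_creds;` in the context just above the removed line is still declared without an initializer, and with `reused_groups` gone nothing in the visible lines assigns `cr_groups` any more. Since the bug being fixed was a read of a field that had never been filled in, consider zeroing the structure before use (for example with memset) so that any field a callee reads later holds a defined value rather than stack contents.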
@@ -237,8 +236,7 @@ fuse_interrupt_send(struct fuse_ticket *otick, int err)
 		 */
 		ftick_hdr = fticket_in_header(otick);
 		reused_creds.cr_uid = ftick_hdr->uid;
-		reused_groups[0] = ftick_hdr->gid;
-		reused_creds.cr_groups = reused_groups;
+		reused_creds.cr_gid = ftick_hdr->gid;
 		fdisp_init(&fdi, sizeof(*fii));
 		fdisp_make_pid(&fdi, FUSE_INTERRUPT, data, ftick_hdr->nodeid,
 			ftick_hdr->pid, &reused_creds);
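Review bot: at `reused_creds.cr_gid = ftick_hdr->gid;` the code depends on the header setup reading only the two fields assigned here (`cr_uid` and `cr_gid`), which is worth stating in the comment that ends just above `ftick_hdr = fticket_in_header(otick);` if it does not already say so. Naming the consumed fields there would make the next change to the credential layout easier to audit, and a regression test asserting that the gid in the FUSE_INTERRUPT header equals the gid of the interrupted request's header would catch a recurrence.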