Date: Mon, 4 Aug 2025 23:10:10 GMT
Message-Id: <202508042310.574NAAYB082004@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kyle Evans
Subject: git: 28f618fcc2b4 - main - kern: fix a panic in crcopysafe() found by syzkaller
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: kevans
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 28f618fcc2b42066f68a9459e4178adffe08d35b

The branch main has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=28f618fcc2b42066f68a9459e4178adffe08d35b

commit 28f618fcc2b42066f68a9459e4178adffe08d35b
Author:     Kyle Evans
AuthorDate: 2025-08-04 23:09:58 +0000
Commit:     Kyle Evans
CommitDate: 2025-08-04 23:09:58 +0000

    kern: fix a panic in crcopysafe() found by syzkaller

    crcopysafe() attempts to crextend() the new ucred's group allocation
    with the number of allocated group slots (`cr_asize`) from the ucred
    to copy rather than the latter's actual number of supplementary
    groups. However, the number of allocated group slots can exceed
    `ngroups_max` for certain values of it (because of rounding to the
    next power-of-2 or page on allocation), making `crextend()` trip on a
    check that the passed value should be lower than `ngroups_max`.

    This was not a problem before be1f7435ef218b1 because the effective
    max storage was NGROUPS_MAX + 1 (1024) to account for the egid being
    included in cr_groups. Now that we're back down to NGROUPS_MAX, the
    max allocation will tend to be 1024 and exceed our max groups.

    Switch crcopysafe() to extend until we have enough allocated to fit
    the previous group set, and call crextend() with the number of groups
    that the old ucred had. This avoids relying on implementation details
    of crextend() up-sizing our requests and ensures we only have as
    large of an allocation as we need to fulfill the request.

    Reviewed by:	olce
    Reported by:	syzbot+4e68da43c26f357a2b7e@syzkaller.appspotmail.com
    Fixes:	be1f7435ef218b1 ("kern: start tracking cr_gid outside [...]")
    Differential Revision:	https://reviews.freebsd.org/D51660
---
 sys/kern/kern_prot.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 6bdef84a34c1..bbb622547598 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -2773,8 +2773,8 @@ crcopysafe(struct proc *p, struct ucred *cr) PROC_LOCK_ASSERT(p, MA_OWNED); oldcred = p->p_ucred; - while (cr->cr_agroups < oldcred->cr_agroups) { - groups = oldcred->cr_agroups; + while (cr->cr_agroups < oldcred->cr_ngroups) { + groups = oldcred->cr_ngroups; + PROC_UNLOCK(p); crextend(cr, groups); PROC_LOCK(p);
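Review bot: the reworked loop `while (cr->cr_agroups < oldcred->cr_ngroups)` only terminates if `crextend(cr, groups)` guarantees `cr->cr_agroups >= groups` on return, and since the proc lock is dropped around that call (`PROC_UNLOCK(p); crextend(cr, groups); PROC_LOCK(p);`), `oldcred` can be stale when the condition is re-evaluated; the visible trailing context stops at `PROC_LOCK(p);`, so confirm the loop body reloads `oldcred = p->p_ucred` after re-acquiring the lock before the next comparison. The fix also relies on `cr_ngroups`, unlike `cr_agroups`, never exceeding the limit that `crextend()` checks; a `KASSERT(oldcred->cr_ngroups <= ngroups_max, ...)` ahead of the call would document that invariant and turn a future regression into an immediate diagnostic rather than the syzkaller panic.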
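The interaction the commit message describes, with a power-of-two allocation rounding pushing the allocated slot count past the group limit that the extend routine checks, as an added user-space model. This is illustration code, not FreeBSD's kernel code: the `*_model` names, the `NGROUPS_MAX_MODEL` value of 1023 (taken from the message's "NGROUPS_MAX + 1 (1024)"), the use of power-of-two rounding only, and returning `false` where the kernel would panic are all assumptions made for the demonstration. It runs the before-fix and after-fix sizing loops side by side on a constructed group set.

```c
/*
 * Added example (not FreeBSD code): a user-space model of the ucred
 * group-array sizing bug the commit message describes.  All *_model
 * names and NGROUPS_MAX_MODEL are assumptions made for this demonstration.
 */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define NGROUPS_MAX_MODEL 1023	/* message: NGROUPS_MAX + 1 == 1024 */

struct ucred_model {
	int  cr_ngroups;	/* supplementary groups actually in use */
	int  cr_agroups;	/* slots allocated for cr_groups */
	int *cr_groups;
};

/* The allocator rounds a request up to a power of two (per the message). */
static int
roundup_pow2_model(int n)
{
	int p = 1;
	while (p < n)
		p <<= 1;
	return (p);
}

/*
 * Model of crextend(): make room for at least n groups.  Like the kernel
 * version it refuses a request above the group limit; where the kernel
 * panics, the model returns false.  The rounded allocation itself may
 * legitimately end up larger than the limit.
 */
static bool
crextend_model(struct ucred_model *cr, int n)
{
	int want, *ng;

	if (n > NGROUPS_MAX_MODEL)
		return (false);		/* the check syzkaller tripped */
	if (cr->cr_agroups >= n)
		return (true);
	want = roundup_pow2_model(n);
	ng = realloc(cr->cr_groups, (size_t)want * sizeof(*ng));
	if (ng == NULL)
		abort();
	cr->cr_groups = ng;
	cr->cr_agroups = want;
	return (true);
}

/* Before the fix: size the copy from the old cred's *allocated* slots. */
static bool
crcopy_groups_before(struct ucred_model *cr, const struct ucred_model *old)
{
	while (cr->cr_agroups < old->cr_agroups)
		if (!crextend_model(cr, old->cr_agroups))
			return (false);
	memcpy(cr->cr_groups, old->cr_groups, (size_t)old->cr_ngroups * sizeof(int));
	cr->cr_ngroups = old->cr_ngroups;
	return (true);
}

/* After the fix: only ask for the groups the old cred actually holds. */
static bool
crcopy_groups_after(struct ucred_model *cr, const struct ucred_model *old)
{
	while (cr->cr_agroups < old->cr_ngroups)
		if (!crextend_model(cr, old->cr_ngroups))
			return (false);
	memcpy(cr->cr_groups, old->cr_groups, (size_t)old->cr_ngroups * sizeof(int));
	cr->cr_ngroups = old->cr_ngroups;
	return (true);
}

/*
 * Copy a cred holding n constructed groups with either variant; returns
 * true only if the copy succeeded and reproduced the group set exactly.
 */
bool
copy_succeeds_model(int n, bool fixed)
{
	struct ucred_model old = { 0, 0, NULL }, cr = { 0, 0, NULL };
	bool ok;
	int i;

	if (!crextend_model(&old, n))
		return (false);
	for (i = 0; i < n; i++)
		old.cr_groups[i] = 1000 + i;	/* constructed sample gids */
	old.cr_ngroups = n;
	ok = fixed ? crcopy_groups_after(&cr, &old) : crcopy_groups_before(&cr, &old);
	if (ok)
		ok = cr.cr_ngroups == n &&
		    memcmp(cr.cr_groups, old.cr_groups, (size_t)n * sizeof(int)) == 0;
	free(old.cr_groups);
	free(cr.cr_groups);
	return (ok);
}
```

With 8 groups both variants succeed, because rounding 8 up changes nothing. With 600 (or 1023) groups the source cred is allocated 1024 slots; the before-fix loop then asks the extend routine for 1024, which is over the limit and fails, while the after-fix loop asks for 600, which the allocator is free to round up to 1024 internally. Asking for 1024 groups outright fails in both variants, as it should.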