Re: FreeBSD Security Advisory FreeBSD-SA-26:18.setcred

Reply: Przemyslaw Frasunek : "Re: FreeBSD Security Advisory FreeBSD-SA-26:18.setcred"
In reply to: Przemyslaw Frasunek : "Re: FreeBSD Security Advisory FreeBSD-SA-26:18.setcred"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Olivier Certner <olce_at_freebsd.org>
Date: Thu, 21 May 2026 20:45:50 UTC

> As the reporter of this vulnerability, I am sharing a full write-up 
> demonstrating LPE with SMAP/SMEP enabled: https://fatgid.io/

This write-up is good for the vulnerability description.  Thanks!  (I just skimmed through the exploitation part.)

I'd just correct/complete this part:

> The underlying fix is the main-branch commit 000d5b52c19ff3858a6f0cbb405d47713c4267a4 from 2025-11-27 ("setcred(2): Fix a panic on too many groups from latest commit"), which refactored kern_setcred_copyin_supp_groups() into user_setcred_copyin_supp_groups(), changing the groups argument from gid_t ** to a local gid_t *, and replacing both sizeof(*groups) occurrences with sizeof(gid_t). 

The underlying fix is not the commit you mention, which is a followup of the simplification commit evoked in my previous answer, which is the right one: https://cgit.freebsd.org/src/commit/?id=4cd93df95e69.  It's where the sizeof(*groups) were replaced with sizeof(gid_t).

> The original commit message does not mention the stack overflow; the fix appears to be an unintentional side effect of the refactoring.

It's slightly more complex than that actually.  It's true I did not see the stack overflow back then, but was very close to.  I don't really recall how the sizeof(*groups) first appeared in commit https://cgit.freebsd.org/src/commit/?id=ddb3eb4efe55 (perhaps it came from an earlier development version where 'groups' was of type 'gid_t *'; or maybe it was a plain mistake from the start).  But, when I did the simplification commit, I clearly remember noticing the logical mistake (the missing '*').  Unfortunately, this is where I made a second mistake, that is, to assess that this logical mistake had no practical significance because I had somehow convinced myself that uid_t/gid_t had the natural size of the platform (which is not the case: they are 32-bit wide everywhere).  And that's why I did not bother fixing it in other branches and releases back then.

Thanks and regards.

-- 
Olivier Certner