The branch stable/14 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=8eb0bbbd2e4681dd6dc4b8d0e894438d6d4deedb

commit 8eb0bbbd2e4681dd6dc4b8d0e894438d6d4deedb
Author:     Dag-Erling Smørgrav <[email protected]>
AuthorDate: 2026-05-07 08:06:35 +0000
Commit:     Mark Johnston <[email protected]>
CommitDate: 2026-05-20 19:37:14 +0000

    setcred: Fix buffer overflow
    
    Since groups is a pointer to a pointer to an array of gid_t, we should
    use sizeof(**groups) or sizeof(gid_t) when calculating how much to
    allocate and copy in.  We were using sizeof(*groups) instead, which
    meant that on 64-bit platforms, we would allocate and copy in twice as
    much as we should.  Unfortunately, in the smallgroups case, we copy
    into a preallocated buffer which has the correct size, which means that
    if sc_supp_groups_nb >= CRED_SMALLGROUPS_NB / 2, we overflow smallgroups.
    
    This is a direct commit to stable/14.
    
    Approved by:    so
    Security:       FreeBSD-SA-26:18.setcred
    Reported by:    Ryan of Calif.io
    Fixes:          ddb3eb4efe55 ("New setcred() system call and associated MAC hooks")
---
 sys/kern/kern_prot.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 246413a54903..e2accd7f7729 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -527,10 +527,10 @@ kern_setcred_copyin_supp_groups(struct setcred *const 
wcred,
                 */
                *groups = wcred->sc_supp_groups_nb < CRED_SMALLGROUPS_NB ?
                    smallgroups : malloc((wcred->sc_supp_groups_nb + 1) *
-                   sizeof(*groups), M_TEMP, M_WAITOK);
+                   sizeof(gid_t), M_TEMP, M_WAITOK);
 
                error = copyin(wcred->sc_supp_groups, *groups + 1,
-                   wcred->sc_supp_groups_nb * sizeof(*groups));
+                   wcred->sc_supp_groups_nb * sizeof(gid_t));
                if (error != 0)
                        return (error);
                wcred->sc_supp_groups = *groups + 1;
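Review bot: The two replaced lines now size the allocation and the copyin by sizeof(gid_t), which matches the element type the commit message describes, but the fix relies on the reader knowing that `*groups` is a `gid_t *`; consider writing `sizeof(**groups)` instead, so the size expression stays tied to the variable's actual type and a future type change cannot silently reintroduce the same mismatch. The bound at `wcred->sc_supp_groups_nb < CRED_SMALLGROUPS_NB` still decides between `smallgroups` and `malloc`, and the copy lands at `*groups + 1` with `sc_supp_groups_nb * sizeof(gid_t)` bytes, so the preallocated buffer is correct only if `smallgroups` holds at least CRED_SMALLGROUPS_NB entries; a one-line comment stating that invariant next to the `smallgroups : malloc(...)` selection, and a regression test that calls setcred with `sc_supp_groups_nb` at CRED_SMALLGROUPS_NB - 1 and CRED_SMALLGROUPS_NB, would document and pin the boundary this advisory is about.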
