The branch stable/14 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=8eb0bbbd2e4681dd6dc4b8d0e894438d6d4deedb
commit 8eb0bbbd2e4681dd6dc4b8d0e894438d6d4deedb Author: Dag-Erling Smørgrav <[email protected]> AuthorDate: 2026-05-07 08:06:35 +0000 Commit: Mark Johnston <[email protected]> CommitDate: 2026-05-20 19:37:14 +0000 setcred: Fix buffer overflow Since groups is a pointer to a pointer to an array of gid_t, we should use sizeof(**groups) or sizeof(gid_t) when calculating how much to allocate and copy in. We were using sizeof(*groups) instead, which meant that on 64-bit platforms, we would allocate and copy in twice as much as we should. Unfortunately, in the smallgroups case, we copy into a preallocated buffer which has the correct size, which means that if sc_supp_groups_nb >= CRED_SMALLGROUPS_NB / 2, we overflow smallgroups. This is a direct commit to stable/14. Approved by: so Security: FreeBSD-SA-26:18.setcred Reported by: Ryan of Calif.io Fixes: ddb3eb4efe55 ("New setcred() system call and associated MAC hooks") --- sys/kern/kern_prot.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 246413a54903..e2accd7f7729 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -527,10 +527,10 @@ kern_setcred_copyin_supp_groups(struct setcred *const wcred, */ *groups = wcred->sc_supp_groups_nb < CRED_SMALLGROUPS_NB ? smallgroups : malloc((wcred->sc_supp_groups_nb + 1) * - sizeof(*groups), M_TEMP, M_WAITOK); + sizeof(gid_t), M_TEMP, M_WAITOK); error = copyin(wcred->sc_supp_groups, *groups + 1, - wcred->sc_supp_groups_nb * sizeof(*groups)); + wcred->sc_supp_groups_nb * sizeof(gid_t)); if (error != 0) return (error); wcred->sc_supp_groups = *groups + 1;
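
Review bot: In both changed expressions (the malloc size and the copyin length), sizeof(gid_t) hard-codes the element type, so the two sizes can drift from the buffer again if the type behind groups ever changes; sizeof(**groups), which the commit message itself names as the alternative, would keep them tied to the pointee. The copyin to *groups + 1 also depends on smallgroups holding at least sc_supp_groups_nb + 1 elements whenever sc_supp_groups_nb < CRED_SMALLGROUPS_NB, and the buffer's declaration is outside this hunk, so a compile-time assertion or a short comment next to the ternary stating that relation would make the invariant checkable. The hunk does not show where sc_supp_groups_nb is bounded before (wcred->sc_supp_groups_nb + 1) * sizeof(gid_t) is computed, so it is worth confirming that the caller caps it ahead of this function.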
