The branch releng/14.3 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=bfff5c180193845664a0d9f56f94111214e7c80b
commit bfff5c180193845664a0d9f56f94111214e7c80b Author: Dag-Erling Smørgrav <[email protected]> AuthorDate: 2026-05-07 08:06:35 +0000 Commit: Mark Johnston <[email protected]> CommitDate: 2026-05-19 23:48:36 +0000 setcred: Fix buffer overflow Since groups is a pointer to a pointer to an array of gid_t, we should use sizeof(**groups) or sizeof(gid_t) when calculating how much to allocate and copy in. We were using sizeof(*groups) instead, which meant that on 64-bit platforms, we would allocate and copy in twice as much as we should. Unfortunately, in the smallgroups case, we copy into a preallocated buffer which has the correct size, which means that if sc_supp_groups_nb >= CRED_SMALLGROUPS_NB / 2, we overflow smallgroups. This is a direct commit to stable/14. Approved by: so Security: FreeBSD-SA-26:18.setcred Reported by: Ryan of Calif.io Fixes: ddb3eb4efe55 ("New setcred() system call and associated MAC hooks") --- sys/kern/kern_prot.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index d0f4c8cd6992..cec3fd829564 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -527,10 +527,10 @@ kern_setcred_copyin_supp_groups(struct setcred *const wcred, */ *groups = wcred->sc_supp_groups_nb < CRED_SMALLGROUPS_NB ? smallgroups : malloc((wcred->sc_supp_groups_nb + 1) * - sizeof(*groups), M_TEMP, M_WAITOK); + sizeof(gid_t), M_TEMP, M_WAITOK); error = copyin(wcred->sc_supp_groups, *groups + 1, - wcred->sc_supp_groups_nb * sizeof(*groups)); + wcred->sc_supp_groups_nb * sizeof(gid_t)); if (error != 0) return (error); wcred->sc_supp_groups = *groups + 1;
