> As the reporter of this vulnerability, I am sharing a full write-up 
> demonstrating LPE with SMAP/SMEP enabled: https://fatgid.io/

This write-up is good for the vulnerability description.  Thanks!  (I just 
skimmed through the exploitation part.)

I'd just correct/complete this part:

> The underlying fix is the main-branch commit 
> 000d5b52c19ff3858a6f0cbb405d47713c4267a4 from 2025-11-27 ("setcred(2): Fix a 
> panic on too many groups from latest commit"), which refactored 
> kern_setcred_copyin_supp_groups() into user_setcred_copyin_supp_groups(), 
> changing the groups argument from gid_t ** to a local gid_t *, and replacing 
> both sizeof(*groups) occurrences with sizeof(gid_t). 

The underlying fix is not the commit you mention, which is a follow-up of the 
simplification commit evoked in my previous answer, which is the right one: 
https://cgit.freebsd.org/src/commit/?id=4cd93df95e69.  It's where the 
sizeof(*groups) occurrences were replaced with sizeof(gid_t).

> The original commit message does not mention the stack overflow; the fix 
> appears to be an unintentional side effect of the refactoring.

It's slightly more complex than that actually.  It's true I did not see the 
stack overflow back then, but was very close to it.  I don't really recall how the 
sizeof(*groups) first appeared in commit 
https://cgit.freebsd.org/src/commit/?id=ddb3eb4efe55 (perhaps it came from an 
earlier development version where 'groups' was of type 'gid_t *'; or maybe it 
was a plain mistake from the start).  But, when I did the simplification 
commit, I clearly remember noticing the logical mistake (the missing '*').  
Unfortunately, this is where I made a second mistake, that is, to assess that 
this logical mistake had no practical significance because I had somehow 
convinced myself that uid_t/gid_t had the natural size of the platform (which 
is not the case: they are 32-bit wide everywhere).  And that's why I did not 
bother fixing it in other branches and releases back then.

Thanks and regards.

-- 
Olivier Certner
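Added example, not part of the thread and not FreeBSD's own code: a minimal C model of the sizeof mix-up discussed above. It assumes a 'groups' parameter of type gid_t ** (the "missing '*'" case), a constructed 16-entry destination buffer, and an LP64 platform where a pointer is 8 bytes while gid_t is 4; the capacity check is the kind of guard that would have rejected the oversized copy.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>   /* gid_t: 32-bit wide on every supported platform */

/* Constructed capacity of the destination buffer (hypothetical, not FreeBSD's). */
#define MAX_GROUPS 16

/*
 * Buggy byte-count expression: 'groups' is gid_t **, so *groups is gid_t *
 * and sizeof(*groups) is the size of a pointer (8 on LP64), not the
 * size of a gid_t (4). The computed length is therefore twice too large.
 */
size_t buggy_copy_len(gid_t **groups, int ngroups)
{
	return (size_t)ngroups * sizeof(*groups);
}

/* Corrected expression, as in the simplification commit: sizeof(gid_t). */
size_t fixed_copy_len(int ngroups)
{
	return (size_t)ngroups * sizeof(gid_t);
}

/*
 * Defensive copy: refuse any request whose byte length exceeds the
 * destination capacity instead of trusting a caller-computed size.
 * Returns 0 on success, -1 if the copy would overrun 'dst'.
 */
int safe_copy_groups(gid_t *dst, size_t dst_cap_bytes,
    const gid_t *src, size_t len)
{
	if (len > dst_cap_bytes)
		return (-1);
	memcpy(dst, src, len);
	return (0);
}

/* Returns 1 if the buggy length for a full buffer would overrun it, else 0. */
int buggy_len_overruns(int ngroups)
{
	gid_t dst[MAX_GROUPS];
	gid_t *p = dst;

	return (buggy_copy_len(&p, ngroups) > sizeof(dst));
}
```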
