setcred: Fix buffer overflow

Since groups is a pointer to a pointer to an array of gid_t, we should
use sizeof(**groups) or sizeof(gid_t) when calculating how much to
allocate and copy in.  We were using sizeof(*groups) instead, which
meant that on 64-bit platforms, we would allocate and copy in twice as
much as we should.  Unfortunately, in the smallgroups case, we copy
into a preallocated buffer which has the correct size, which means that
if sc_supp_groups_nb >= CRED_SMALLGROUPS_NB / 2, we overflow smallgroups.

This is a direct commit to stable/14.

Approved by:	so
Security:	FreeBSD-SA-26:18.setcred
Reported by:	Ryan of Calif.io
Fixes:		ddb3eb4efe55 ("New setcred() system call and associated MAC hooks")
Dag-Erling Smørgrav 2026-05-07 10:06:35 +02:00 committed by Franco Fichtner
parent 19387ebaef
commit dbcb565ad6
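The arithmetic behind the overflow described in the commit message, as an added example that is not FreeBSD's code: `groups` is declared with the same `gid_t **` type as in `kern_setcred_copyin_supp_groups()`, so `sizeof(*groups)` is a pointer size while `sizeof(**groups)` is the real element size. The value of `CRED_SMALLGROUPS_NB` (16) is an assumption chosen for illustration, as are the function names; `gid_t` comes from `<sys/types.h>`. The helpers model only the size computation and the preallocated-buffer path, not the copyin itself.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>		/* gid_t */

/* Assumed size of the preallocated buffer; the real constant is in the kernel. */
#define CRED_SMALLGROUPS_NB	16

/*
 * Bytes the pre-fix code asked copyin() for. With groups declared as in the
 * kernel (gid_t **), sizeof(*groups) is sizeof(gid_t *): 8 on LP64 platforms.
 */
size_t
buggy_copy_bytes(size_t nb)
{
	gid_t **groups = NULL;

	(void)groups;		/* only its type matters here */
	return (nb * sizeof(*groups));
}

/* Bytes the fixed code asks for: nb elements of the actual element type. */
size_t
fixed_copy_bytes(size_t nb)
{
	gid_t **groups = NULL;

	(void)groups;
	return (nb * sizeof(**groups));	/* identical to nb * sizeof(gid_t) */
}

/* Room left in smallgroups once slot 0 is reserved: the copy lands at *groups + 1. */
size_t
smallgroups_capacity_bytes(void)
{
	return ((CRED_SMALLGROUPS_NB - 1) * sizeof(gid_t));
}

/*
 * True if copying nb entries, sized by `bytes`, would run past the end of
 * smallgroups. Only the preallocated path (nb < CRED_SMALLGROUPS_NB) can
 * overflow: larger counts go through malloc() sized with the same estimate,
 * so the over-sized copy still fits there.
 */
bool
overflows_smallgroups(size_t nb, size_t (*bytes)(size_t))
{
	if (nb >= CRED_SMALLGROUPS_NB)
		return (false);
	return (bytes(nb) > smallgroups_capacity_bytes());
}

/* Smallest nb on the smallgroups path that overflows, or CRED_SMALLGROUPS_NB if none. */
size_t
first_overflowing_count(size_t (*bytes)(size_t))
{
	for (size_t nb = 0; nb < CRED_SMALLGROUPS_NB; nb++)
		if (overflows_smallgroups(nb, bytes))
			return (nb);
	return (CRED_SMALLGROUPS_NB);
}

int
main(void)
{
	printf("sizeof(gid_t *) = %zu, sizeof(gid_t) = %zu\n",
	    sizeof(gid_t *), sizeof(gid_t));
	printf("smallgroups holds %zu bytes after slot 0\n",
	    smallgroups_capacity_bytes());
	printf("pre-fix: first overflowing sc_supp_groups_nb = %zu\n",
	    first_overflowing_count(buggy_copy_bytes));
	printf("fixed:   first overflowing sc_supp_groups_nb = %zu (none)\n",
	    first_overflowing_count(fixed_copy_bytes));
	return (0);
}
```

On an LP64 host with a 4-byte `gid_t` and the assumed buffer size of 16, the pre-fix computation first overflows at `sc_supp_groups_nb == 8`, which is the `CRED_SMALLGROUPS_NB / 2` threshold the commit message states; the fixed computation never exceeds the buffer on that path.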


@ -527,10 +527,10 @@ kern_setcred_copyin_supp_groups(struct setcred *const wcred,
*/
*groups = wcred->sc_supp_groups_nb < CRED_SMALLGROUPS_NB ?
smallgroups : malloc((wcred->sc_supp_groups_nb + 1) *
sizeof(*groups), M_TEMP, M_WAITOK);
sizeof(gid_t), M_TEMP, M_WAITOK);
error = copyin(wcred->sc_supp_groups, *groups + 1,
wcred->sc_supp_groups_nb * sizeof(*groups));
wcred->sc_supp_groups_nb * sizeof(gid_t));
if (error != 0)
return (error);
wcred->sc_supp_groups = *groups + 1;
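Review bot: the two corrected sizes are right, but nothing in this hunk bounds wcred->sc_supp_groups_nb, so both `(wcred->sc_supp_groups_nb + 1) * sizeof(gid_t)` in the malloc() and `wcred->sc_supp_groups_nb * sizeof(gid_t)` in the copyin() rely on a range check earlier in the function that is not visible here; a one-line comment at the smallgroups selection stating that the count has already been validated, and that `< CRED_SMALLGROUPS_NB` fits because the copy starts at `*groups + 1`, would make the invariant explicit. Consider `sizeof(**groups)` rather than `sizeof(gid_t)`, as the commit message itself allows, so the size stays tied to the declared element type of `groups` and the pointer-size trap that caused this bug cannot recur silently if that declaration changes.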