From dbcb565ad612889628579a39e87ea5632a60ee34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dag-Erling=20Sm=C3=B8rgrav?= Date: Thu, 7 May 2026 10:06:35 +0200 Subject: [PATCH] setcred: Fix buffer overflow Since groups is a pointer to a pointer to an array of gid_t, we should use sizeof(**groups) or sizeof(gid_t) when calculating how much to allocate and copy in. We were using sizeof(*groups) instead, which meant that on 64-bit platforms, we would allocate and copy in twice as much as we should. Unfortunately, in the smallgroups case, we copy into a preallocated buffer which has the correct size, which means that if sc_supp_groups_nb >= CRED_SMALLGROUPS_NB / 2, we overflow smallgroups. This is a direct commit to stable/14. Approved by: so Security: FreeBSD-SA-26:18.setcred Reported by: Ryan of Calif.io Fixes: ddb3eb4efe55 ("New setcred() system call and associated MAC hooks") --- sys/kern/kern_prot.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 09d51f20fcb..ed62abe0e4e 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -527,10 +527,10 @@ kern_setcred_copyin_supp_groups(struct setcred *const wcred, */ *groups = wcred->sc_supp_groups_nb < CRED_SMALLGROUPS_NB ? smallgroups : malloc((wcred->sc_supp_groups_nb + 1) * - sizeof(*groups), M_TEMP, M_WAITOK); + sizeof(gid_t), M_TEMP, M_WAITOK); error = copyin(wcred->sc_supp_groups, *groups + 1, - wcred->sc_supp_groups_nb * sizeof(*groups)); + wcred->sc_supp_groups_nb * sizeof(gid_t)); if (error != 0) return (error); wcred->sc_supp_groups = *groups + 1;