diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -815,6 +815,15 @@ gid_t *groups; int gidsetsize, error; + /* + * Sanity check size now to avoid passing too big a value to copyin(), + * even if kern_setgroups() will do it again. + * + * Ideally, the 'gidsetsize' argument should have been a 'u_int' (and it + * was, in this implementation, for a long time), but POSIX standardized + * getgroups() to take an 'int' and it would be quite entrapping to have + * setgroups() differ. + */ gidsetsize = uap->gidsetsize; if (gidsetsize > ngroups_max + 1 || gidsetsize < 0) return (EINVAL); @@ -843,13 +852,16 @@ } int -kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups) +kern_setgroups(struct thread *td, int ngrp, gid_t *groups) { struct proc *p = td->td_proc; struct ucred *newcred, *oldcred; int error; - MPASS(ngrp <= ngroups_max + 1); + /* Sanity check size. */ + if (ngrp < 0 || ngrp > ngroups_max + 1) + return (EINVAL); + AUDIT_ARG_GROUPSET(groups, ngrp); newcred = crget(); crextend(newcred, ngrp); diff --git a/sys/security/audit/audit.h b/sys/security/audit/audit.h --- a/sys/security/audit/audit.h +++ b/sys/security/audit/audit.h @@ -98,7 +98,7 @@ void audit_arg_ruid(uid_t ruid); void audit_arg_sgid(gid_t sgid); void audit_arg_suid(uid_t suid); -void audit_arg_groupset(gid_t *gidset, u_int gidset_size); +void audit_arg_groupset(gid_t *gidset, int gidset_size); void audit_arg_login(char *login); void audit_arg_ctlname(int *name, int namelen); void audit_arg_mask(int mask); diff --git a/sys/security/audit/audit_arg.c b/sys/security/audit/audit_arg.c --- a/sys/security/audit/audit_arg.c +++ b/sys/security/audit/audit_arg.c @@ -263,13 +263,13 @@ } void -audit_arg_groupset(gid_t *gidset, u_int gidset_size) +audit_arg_groupset(gid_t *gidset, int gidset_size) { - u_int i; + int i; struct kaudit_record *ar; - KASSERT(gidset_size <= ngroups_max + 1, - ("audit_arg_groupset: gidset_size > (kern.ngroups + 1)")); + KASSERT(gidset_size >= 0 && gidset_size <= ngroups_max + 1, + ("audit_arg_groupset: gidset_size < 0 or > (kern.ngroups + 1)")); ar = currecord(); if (ar == NULL) diff --git a/sys/sys/syscallsubr.h b/sys/sys/syscallsubr.h --- a/sys/sys/syscallsubr.h +++ b/sys/sys/syscallsubr.h @@ -320,7 +320,7 @@ fd_set *fd_ex, struct timeval *tvp, int abi_nfdbits); int kern_sendit(struct thread *td, int s, struct msghdr *mp, int flags, struct mbuf *control, enum uio_seg segflg); -int kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups); +int kern_setgroups(struct thread *td, int ngrp, gid_t *groups); int kern_setitimer(struct thread *, u_int, struct itimerval *, struct itimerval *); int kern_setpriority(struct thread *td, int which, int who, int prio);