sys/rpc: UNIX auth: Fix OOB accesses, notably writes on decode

Description

sys/rpc: UNIX auth: Fix OOB accesses, notably writes on decode

When the received authentication message had more than XU_NGROUPS, we
would write group IDs beyond the end of cr_groups[] in the 'struct
xucred' being filled (as 'ngroups_max' is always greater than
XU_NGROUPS).

For robustness, prevent various OOB accesses that would result from
a change of value of XU_NGROUPS or a 'struct xucred' with an invalid
'cr_ngroups' field, even if these cases are unlikely.

Approved by: re (cperciva)
Reviewed by: rmacklem
Fixes: dfdcada31e79 ("Add the new kernel-mode NFS Lock Manager.")
MFC after: 2 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52960

(cherry picked from commit 47e9c81d4f1324674c624df02a51ad3a72aa7444)
(cherry picked from commit 9492a1e27fb18fcd6122bbd9ddcd853ee7693417)
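The class of bug described above, as an added userland illustration (not code from this commit or from FreeBSD): a decoder that accepts up to a large limit of group IDs must bound its stores by the capacity of the destination array. `struct demo_cred`, `DEMO_NGROUPS`, `DEMO_NGROUPS_MAX` and both functions are hypothetical stand-ins, and dropping the surplus IDs is one possible policy, assumed here.

```c
#include <stddef.h>
#include <stdint.h>

#define DEMO_NGROUPS     16  /* stand-in for XU_NGROUPS (array capacity) */
#define DEMO_NGROUPS_MAX 64  /* stand-in for the larger 'ngroups_max' limit */

struct demo_cred {           /* hypothetical, shaped like 'struct xucred' */
    uint32_t cr_ngroups;
    uint32_t cr_groups[DEMO_NGROUPS];
    uint32_t canary;         /* sits right after cr_groups[] to expose overruns */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode a big-endian count plus that many 4-byte IDs; returns bytes consumed or -1. */
static long decode_groups(const uint8_t *buf, size_t len, struct demo_cred *cr)
{
    if (len < 4)
        return -1;
    uint32_t n = be32(buf);
    if (n > DEMO_NGROUPS_MAX || (len - 4) / 4 < n)
        return -1;           /* over the limit, or count exceeds data present */
    uint32_t keep = n < DEMO_NGROUPS ? n : DEMO_NGROUPS;
    for (uint32_t i = 0; i < n; i++) {
        uint32_t gid = be32(buf + 4 + 4 * (size_t)i);
        if (i < keep)        /* store bound is the array capacity, not the limit */
            cr->cr_groups[i] = gid;
    }
    cr->cr_ngroups = keep;   /* never report more entries than were stored */
    return 4 + 4 * (long)n;
}

/* Decode a constructed message carrying n group IDs 1000, 1001, ... */
static long demo_decode_n(uint32_t n, struct demo_cred *cr)
{
    uint8_t msg[4 + 4 * (DEMO_NGROUPS_MAX + 1)] = {0};
    if (n > DEMO_NGROUPS_MAX + 1)
        return -1;
    msg[3] = (uint8_t)n;
    for (uint32_t i = 0; i < n; i++) {
        msg[4 + 4 * i + 2] = (uint8_t)((1000 + i) >> 8);
        msg[4 + 4 * i + 3] = (uint8_t)(1000 + i);
    }
    cr->canary = 0xC0FFEEu;
    return decode_groups(msg, 4 + 4 * (size_t)n, cr);
}
```

Without the `i < keep` test, the 20-ID message would overwrite `canary` and whatever follows the structure, which is the out-of-bounds write on decode that the commit message describes.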

Details

Provenance
olce Authored on Oct 7 2025, 10:02 AM
cperciva Committed on Oct 16 2025, 6:48 PM
Reviewer
rmacklem
Differential Revision
D52960: sys/rpc: UNIX auth: Fix OOB accesses, notably writes on decode
Parents
rG330b91854917: sys/rpc: UNIX auth: Rename 'ngroups' => 'supp_ngroups' for clarity