Vulnerability details
File: sys/kern/kern_prot.c
Function: kern_setcred_copyin_supp_groups()
Lines: 528-533
The function signature uses a double pointer for the groups argument:
    static int
    kern_setcred_copyin_supp_groups(struct setcred * const wcred, const u_int flags,
        gid_t * const smallgroups, gid_t ** const groups)
Because groups has type gid_t **, the expression sizeof(*groups) evaluates to sizeof(gid_t *) == 8 on LP64, rather than the intended sizeof(gid_t) == 4. This sizeof expression is used in two places:
    /* lines 528-530: allocation */
    *groups = wcred->sc_supp_groups_nb < CRED_SMALLGROUPS_NB ? smallgroups :
        malloc((wcred->sc_supp_groups_nb + 1) * sizeof(*groups), M_TEMP, M_WAITOK);
        /* sizeof(*groups) == 8 */

    /* lines 532-533: copyin */
    error = copyin(wcred->sc_supp_groups, *groups + 1,
        wcred->sc_supp_groups_nb * sizeof(*groups)); /* sizeof(*groups) == 8 */
The allocation on the heap path is 2× oversized, which is safe. However, on the stack path (taken when sc_supp_groups_nb < CRED_SMALLGROUPS_NB == 16), *groups is set to smallgroups, a gid_t[CRED_SMALLGROUPS_NB] array declared as a local variable in the caller user_setcred():
    gid_t smallgroups[CRED_SMALLGROUPS_NB]; /* 16 * 4 = 64 bytes */
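The following is an added illustration of the sizeof mistake and its effect on the stack buffer, not FreeBSD source. It assumes a 32-bit gid_t (modelled here as model_gid_t so it does not clash with the C library's own typedef), CRED_SMALLGROUPS_NB == 16, and that the copy starts at *groups + 1, i.e. one element into the buffer; the function names (elem_size_buggy, elem_size_fixed, copy_fits_smallgroups, max_nb_that_fits) are mine. It does not perform any out-of-bounds write; it only computes the byte counts the buggy and the corrected expressions produce and checks them against the 64-byte array.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration of the sizeof(*groups) mistake; not FreeBSD code.
 * Constructed assumptions: gid_t is 32 bits wide (model_gid_t here),
 * CRED_SMALLGROUPS_NB is 16, and the copy lands at *groups + 1.
 */
typedef uint32_t model_gid_t;
#define MODEL_SMALLGROUPS_NB 16
#define MODEL_SMALLGROUPS_BYTES (MODEL_SMALLGROUPS_NB * sizeof(model_gid_t)) /* 64 */

/* Element size as the buggy code computes it: one dereference of a
 * gid_t ** yields a gid_t *, so this is the size of a pointer (8 on LP64). */
size_t elem_size_buggy(model_gid_t ** const groups)
{
    return sizeof(*groups);
}

/* Element size as intended: dereference twice (equivalently sizeof(gid_t)). */
size_t elem_size_fixed(model_gid_t ** const groups)
{
    return sizeof(**groups);
}

/* Bytes copyin() would write for nb groups at a given element size. */
size_t copy_bytes(size_t nb, size_t elem_size)
{
    return nb * elem_size;
}

/* Does a copy of nb elements, starting one gid_t into smallgroups, stay
 * inside the 64-byte array? Returns 1 if it fits, 0 if it would overrun. */
int copy_fits_smallgroups(size_t nb, size_t elem_size)
{
    size_t offset = sizeof(model_gid_t);            /* *groups + 1 */
    return offset + copy_bytes(nb, elem_size) <= MODEL_SMALLGROUPS_BYTES;
}

/* Largest nb that fits; the stack path is taken for nb < CRED_SMALLGROUPS_NB,
 * so with the correct element size every stack-path count (0..15) fits. */
size_t max_nb_that_fits(size_t elem_size)
{
    return (MODEL_SMALLGROUPS_BYTES - sizeof(model_gid_t)) / elem_size;
}

int main(void)
{
    model_gid_t smallgroups[MODEL_SMALLGROUPS_NB];
    model_gid_t *g = smallgroups;
    model_gid_t **groups = &g;

    size_t buggy = elem_size_buggy(groups);   /* pointer size */
    size_t fixed = elem_size_fixed(groups);   /* 4 */

    printf("sizeof(*groups)  = %zu (pointer size)\n", buggy);
    printf("sizeof(**groups) = %zu (gid_t)\n", fixed);
    printf("largest nb fitting: buggy=%zu fixed=%zu\n",
           max_nb_that_fits(buggy), max_nb_that_fits(fixed));
    for (size_t nb = 0; nb < MODEL_SMALLGROUPS_NB; nb++) {
        printf("nb=%2zu buggy=%3zu bytes fits=%d | fixed=%3zu bytes fits=%d\n",
               nb, copy_bytes(nb, buggy), copy_fits_smallgroups(nb, buggy),
               copy_bytes(nb, fixed), copy_fits_smallgroups(nb, fixed));
    }
    return 0;
}
```

With the buggy element size on LP64 the copy exceeds the array once nb reaches 8 (4 + 8 * 8 = 68 bytes), while the corrected size never exceeds it on the stack path (4 + 15 * 4 = 64 bytes). The safe pattern when sizing through a double pointer is to name the element type directly, sizeof(gid_t), or to dereference to the element, sizeof(**groups).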