Date: Sat, 2 Nov 2024 20:39:31 GMT
Message-Id: <202411022039.4A2KdVe7046329@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Olivier Certner
Subject: git: 580904d995d5 - main - cred: 'kern.ngroups' tunable: Limit it to avoid internal overflows
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: olce
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Commit: 580904d995d53ccd2492140a37107442d8b36dc0

The branch main has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=580904d995d53ccd2492140a37107442d8b36dc0

commit 580904d995d53ccd2492140a37107442d8b36dc0
Author:     Olivier Certner
AuthorDate: 2024-10-01 17:00:43 +0000
Commit:     Olivier Certner
CommitDate: 2024-11-02 20:37:41 +0000

    cred: 'kern.ngroups' tunable: Limit it to avoid internal overflows

    As the comment introduced with the tunable said (but the code didn't do),
    make sure that 'ngroups_max' can't be INT_MAX, as this would cause
    overflow in the usual 'ngroups_max + 1' computations (as we store the
    effective GID and supplementary groups' IDs in the same array, and
    'ngroups_max' only applies to supplementary groups).

    Further, we limit the maximum number of groups somewhat arbitrarily to
    ~17M so as to avoid overflow when computing the size in bytes of the
    groups set's backing array and to avoid obvious configuration errors.
    We really don't think that more than ~17M groups will ever be needed
    (if I'm proven wrong one day, please drop me a note about your use
    case).

    While here, document more precisely why NGROUPS_MAX needs to be the
    minimum value for 'ngroups_max'.
Reviewed by: mhorne (older version) Approved by: markj (mentor) MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D46913 --- sys/kern/subr_param.c | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/sys/kern/subr_param.c b/sys/kern/subr_param.c index 7d58208a461f..19169ba63061 100644 --- a/sys/kern/subr_param.c +++ b/sys/kern/subr_param.c @@ -228,14 +228,32 @@ init_param1(void) TUNABLE_ULONG_FETCH("kern.sgrowsiz", &sgrowsiz); /* - * Let the administrator set {NGROUPS_MAX}, but disallow values - * less than NGROUPS_MAX which would violate POSIX.1-2008 or - * greater than INT_MAX-1 which would result in overflow. + * Let the administrator set {NGROUPS_MAX}. + * + * Values less than NGROUPS_MAX would violate POSIX/SuS (see the + * specification for , paragraph "Runtime Increasable + * Values"). + * + * On the other hand, INT_MAX would result in an overflow for the common + * 'ngroups_max + 1' computation (to obtain the size of the internal + * groups array, its first element being reserved for the effective + * GID). Also, the number of allocated bytes for the group array must + * not overflow on 32-bit machines. For all these reasons, we limit the + * number of supplementary groups to some very high number that we + * expect will never be reached in all practical uses and ensures we + * avoid the problems just exposed, even if 'gid_t' was to be enlarged + * by a magnitude. */ ngroups_max = NGROUPS_MAX; TUNABLE_INT_FETCH("kern.ngroups", &ngroups_max); if (ngroups_max < NGROUPS_MAX) ngroups_max = NGROUPS_MAX; + else { + const int ngroups_max_max = (1 << 24) - 1; + + if (ngroups_max > ngroups_max_max) + ngroups_max = ngroups_max_max; + } /* * Only allow to lower the maximal pid.
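Review bot: the clamp added in the new `else` branch is silent, so an administrator who sets 'kern.ngroups' above `ngroups_max_max` (or, in the existing branch, below NGROUPS_MAX) boots with a different effective value and nothing in the console log says so; a printf() in both branches reporting the requested and the applied value would make the "obvious configuration errors" the commit message wants to catch actually visible. Also, `(1 << 24) - 1` is a magic number scoped to init_param1(); a named constant defined next to NGROUPS_MAX would let the 'kern.ngroups' documentation quote the same bound, and the new comment could state the concrete value (16777215, the "~17M" of the commit message) beside the rationale it already gives.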
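The two overflows the commit message reasons about, as an added C example that is not FreeBSD's code and not part of this mail: it mirrors the clamping now done on 'ngroups_max' and then checks both the 'ngroups_max + 1' element count and the byte-size computation for overflow on a simulated 32-bit size_t. NGROUPS_MAX is assumed to be 1023, and gid_t widths of 4 and 8 bytes are tried to cover the "enlarged by a magnitude" case.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NGROUPS_MAX_FLOOR 1023	/* assumed value of FreeBSD's NGROUPS_MAX */
#define NGROUPS_MAX_CAP ((1 << 24) - 1)	/* the commit's cap: 16777215, "~17M" */

/* Mirror of the clamping done in init_param1() after TUNABLE_INT_FETCH(). */
int clamp_ngroups_max(int requested)
{
	if (requested < NGROUPS_MAX_FLOOR)
		return NGROUPS_MAX_FLOOR;
	if (requested > NGROUPS_MAX_CAP)
		return NGROUPS_MAX_CAP;
	return requested;
}

/*
 * Bytes for the groups array (effective GID + ngroups_max supplementary
 * groups) on a target whose size_t is 'size_bits' wide. Returns false instead
 * of wrapping when 'ngroups_max + 1' (int) or the byte count (size_t) overflows.
 */
bool groups_array_bytes(int ngroups_max, uint64_t gid_size,
    unsigned size_bits, uint64_t *out)
{
	int count;
	uint64_t bytes, limit;
	if (__builtin_add_overflow(ngroups_max, 1, &count))
		return false;	/* INT_MAX + 1 wraps: the first overflow */
	limit = size_bits >= 64 ? UINT64_MAX : (((uint64_t)1 << size_bits) - 1);
	bytes = (uint64_t)count * gid_size;
	if (bytes > limit)
		return false;	/* count * sizeof(gid_t) wraps on 32-bit: the second */
	*out = bytes;
	return true;
}

int main(void)
{
	uint64_t n;
	/* The old bound, INT_MAX - 1, survives '+ 1' but not 32-bit sizing. */
	printf("INT_MAX - 1 on 32-bit, 4-byte gid_t: %s\n",
	    groups_array_bytes(INT_MAX - 1, 4, 32, &n) ? "fits" : "overflows");
	/* The new cap fits even with an 8-byte gid_t on a 32-bit target. */
	if (groups_array_bytes(clamp_ngroups_max(INT_MAX), 8, 32, &n))
		printf("capped value on 32-bit, 8-byte gid_t: %llu bytes\n",
		    (unsigned long long)n);
	return 0;
}
```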