Date: Fri, 15 Nov 2024 13:00:47 GMT
Message-Id: <202411151300.4AFD0lgd070913@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Olivier Certner
Subject: git: b8f857922806 - stable/13 - cred: kern_setgroups(): Internally use int as number of groups' type

The branch stable/13 has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=b8f857922806570bef2e366c8d5277bc5260035c

commit b8f857922806570bef2e366c8d5277bc5260035c
Author: Olivier Certner
AuthorDate: 2024-10-01 16:46:46 +0000
Commit: Olivier Certner
CommitDate: 2024-11-15 12:59:08 +0000

cred: kern_setgroups(): Internally use int as number of groups' type

sys_setgroups() (and sys_getgroups()) was changed in commit "kern: fail
getgroup and setgroup with negative int" (4bc2174a1b48) to take the
number of groups as an 'int' (for sys_getgroups(), POSIX mandates this
change; for sys_setgroups(), which it does not standardize, it's
arguably for consistency).

All our internal APIs related to groups on 'struct ucred', as well as
related members on the latter, treat that number as an 'int' as well
(and not a 'u_int').

Consequently, to avoid surprises, change kern_setgroups() to behave the
same, and fix audit_arg_groupset() accordingly. With that change,
everything is handled with signed integers internally.

Update sanity checks accordingly.

Reviewed by: mhorne Approved by: markj (mentor) MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D46912 (cherry picked from commit abd39811cd7e4bb928da503f4a5c79364ac8d0f5) Approved by: markj (mentor) --- sys/kern/kern_prot.c | 16 ++++++++++++++-- sys/security/audit/audit.h | 2 +- sys/security/audit/audit_arg.c | 8 ++++---- sys/sys/syscallsubr.h | 2 +- 4 files changed, 20 insertions(+), 8 deletions(-) diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index cb9a2f3c5ae7..901753f1e5b7 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -811,6 +811,15 @@ sys_setgroups(struct thread *td, struct setgroups_args *uap) gid_t *groups; int gidsetsize, error; + /* + * Sanity check size now to avoid passing too big a value to copyin(), + * even if kern_setgroups() will do it again. + * + * Ideally, the 'gidsetsize' argument should have been a 'u_int' (and it + * was, in this implementation, for a long time), but POSIX standardized + * getgroups() to take an 'int' and it would be quite entrapping to have + * setgroups() differ. + */ gidsetsize = uap->gidsetsize; if (gidsetsize > ngroups_max + 1 || gidsetsize < 0) return (EINVAL); @@ -839,13 +848,16 @@ gidp_cmp(const void *p1, const void *p2) } int -kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups) +kern_setgroups(struct thread *td, int ngrp, gid_t *groups) { struct proc *p = td->td_proc; struct ucred *newcred, *oldcred; int error; - MPASS(ngrp <= ngroups_max + 1); + /* Sanity check size. */ + if (ngrp < 0 || ngrp > ngroups_max + 1) + return (EINVAL); + AUDIT_ARG_GROUPSET(groups, ngrp); newcred = crget(); crextend(newcred, ngrp); diff --git a/sys/security/audit/audit.h b/sys/security/audit/audit.h index e7a9c83afbb3..b87dd52e0773 100644 --- a/sys/security/audit/audit.h +++ b/sys/security/audit/audit.h 
@@ -98,7 +98,7 @@ void audit_arg_rgid(gid_t rgid); void audit_arg_ruid(uid_t ruid); void audit_arg_sgid(gid_t sgid); void audit_arg_suid(uid_t suid); -void audit_arg_groupset(gid_t *gidset, u_int gidset_size); +void audit_arg_groupset(gid_t *gidset, int gidset_size); void audit_arg_login(char *login); void audit_arg_ctlname(int *name, int namelen); void audit_arg_mask(int mask); diff --git a/sys/security/audit/audit_arg.c b/sys/security/audit/audit_arg.c index 7b7fe34ccda9..db621db1574f 100644 --- a/sys/security/audit/audit_arg.c +++ b/sys/security/audit/audit_arg.c @@ -264,13 +264,13 @@ audit_arg_suid(uid_t suid) } void -audit_arg_groupset(gid_t *gidset, u_int gidset_size) +audit_arg_groupset(gid_t *gidset, int gidset_size) { - u_int i; + int i; struct kaudit_record *ar; - KASSERT(gidset_size <= ngroups_max + 1, - ("audit_arg_groupset: gidset_size > (kern.ngroups + 1)")); + KASSERT(gidset_size >= 0 && gidset_size <= ngroups_max + 1, + ("audit_arg_groupset: gidset_size < 0 or > (kern.ngroups + 1)")); ar = currecord(); if (ar == NULL) diff --git a/sys/sys/syscallsubr.h b/sys/sys/syscallsubr.h index 4710c3cf1406..9edd62729c38 100644 --- a/sys/sys/syscallsubr.h +++ b/sys/sys/syscallsubr.h @@ -287,7 +287,7 @@ int kern_select(struct thread *td, int nd, fd_set *fd_in, fd_set *fd_ou, fd_set *fd_ex, struct timeval *tvp, int abi_nfdbits); int kern_sendit(struct thread *td, int s, struct msghdr *mp, int flags, struct mbuf *control, enum uio_seg segflg); -int kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups); +int kern_setgroups(struct thread *td, int ngrp, gid_t *groups); int kern_setitimer(struct thread *, u_int, struct itimerval *, struct itimerval *); int kern_setpriority(struct thread *td, int which, int who, int prio);
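
Review bot: in the sys_setgroups() hunk of sys/kern/kern_prot.c, the new comment speaks only of "too big a value" for copyin(), yet the check it sits above also rejects gidsetsize < 0, which is the case the 'int' argument type makes reachable. Mention the negative case in the comment. As a style point, this test is written "gidsetsize > ngroups_max + 1 || gidsetsize < 0" while the one added to kern_setgroups() puts the "< 0" test first; using one order in both places would make the duplicated check easier to spot.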
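
Review bot: in the kern_setgroups() hunk of sys/kern/kern_prot.c, replacing MPASS(ngrp <= ngroups_max + 1) with a runtime "return (EINVAL)" changes what in-kernel callers see: an out-of-range count used to trip an assertion on kernels built with assertions and now comes back as an ordinary error. The "Sanity check size." comment should say that callers may depend on this check, and that it has to stay ahead of AUDIT_ARG_GROUPSET(groups, ngrp) because audit_arg_groupset() asserts the same bounds. The early return sits before crget(), so nothing needs releasing on that path.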
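
Review bot: in the audit_arg_groupset() hunk of sys/security/audit/audit_arg.c, the bounds are enforced only by KASSERT, which is compiled out of kernels built without INVARIANTS, and with gidset_size now an 'int' a negative count is representable at this interface. The caller shown in this patch, kern_setgroups(), validates ngrp before AUDIT_ARG_GROUPSET(), so a short comment stating that callers must pass an already validated size would document the contract the assertion relies on.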