From nobody Fri Nov 15 10:48:57 2024
Date: Fri, 15 Nov 2024 10:48:57 GMT
Message-Id: <202411151048.4AFAmvdJ017951@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Olivier Certner
Subject: git: e657e1e95062 - stable/14 - cred: 'kern.ngroups' tunable: Limit it to avoid internal overflows
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help:
List-Post:
List-Subscribe:
List-Unsubscribe:
X-BeenThere: dev-commits-src-branches@freebsd.org
Sender: owner-dev-commits-src-branches@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: olce
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: e657e1e95062c7d06ac6c5dd128a270a4ac0d72a
Auto-Submitted: auto-generated

The branch stable/14 has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=e657e1e95062c7d06ac6c5dd128a270a4ac0d72a

commit e657e1e95062c7d06ac6c5dd128a270a4ac0d72a
Author:     Olivier Certner
AuthorDate: 2024-10-01 17:00:43 +0000
Commit:     Olivier Certner
CommitDate: 2024-11-15 10:47:42 +0000

    cred: 'kern.ngroups' tunable: Limit it to avoid internal overflows

    As the comment introduced with the tunable said (but the code didn't do),
    make sure that 'ngroups_max' can't be INT_MAX, as this would cause
    overflow in the usual 'ngroups_max + 1' computations (as we store the
    effective GID and supplementary groups' IDs in the same array, and
    'ngroups_max' only applies to supplementary groups).

    Further, we limit the maximum number of groups somewhat arbitrarily to
    ~17M so as to avoid overflow when computing the size in bytes of the
    groups set's backing array and to avoid obvious configuration errors.
    We really don't think that more than ~17M groups will ever be needed
    (if I'm proven wrong one day, please drop me a note about your use
    case).

    While here, document more precisely why NGROUPS_MAX needs to be the
    minimum value for 'ngroups_max'.
Reviewed by: mhorne (older version) Approved by: markj (mentor) MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D46913 (cherry picked from commit 580904d995d53ccd2492140a37107442d8b36dc0) Approved by: markj (mentor) --- sys/kern/subr_param.c | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/sys/kern/subr_param.c b/sys/kern/subr_param.c index c0a4ac747d00..cee70a842735 100644 --- a/sys/kern/subr_param.c +++ b/sys/kern/subr_param.c @@ -229,14 +229,32 @@ init_param1(void) TUNABLE_ULONG_FETCH("kern.sgrowsiz", &sgrowsiz); /* - * Let the administrator set {NGROUPS_MAX}, but disallow values - * less than NGROUPS_MAX which would violate POSIX.1-2008 or - * greater than INT_MAX-1 which would result in overflow. + * Let the administrator set {NGROUPS_MAX}. + * + * Values less than NGROUPS_MAX would violate POSIX/SuS (see the + * specification for , paragraph "Runtime Increasable + * Values"). + * + * On the other hand, INT_MAX would result in an overflow for the common + * 'ngroups_max + 1' computation (to obtain the size of the internal + * groups array, its first element being reserved for the effective + * GID). Also, the number of allocated bytes for the group array must + * not overflow on 32-bit machines. For all these reasons, we limit the + * number of supplementary groups to some very high number that we + * expect will never be reached in all practical uses and ensures we + * avoid the problems just exposed, even if 'gid_t' was to be enlarged + * by a magnitude. */ ngroups_max = NGROUPS_MAX; TUNABLE_INT_FETCH("kern.ngroups", &ngroups_max); if (ngroups_max < NGROUPS_MAX) ngroups_max = NGROUPS_MAX; + else { + const int ngroups_max_max = (1 << 24) - 1; + + if (ngroups_max > ngroups_max_max) + ngroups_max = ngroups_max_max; + } /* * Only allow to lower the maximal pid.
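Review bot: the new clamp in the `else` branch is silent: an administrator who sets `kern.ngroups` above `(1 << 24) - 1` boots with the capped value and nothing is reported, although the commit message says the cap is also meant to catch obvious configuration errors (the pre-existing `if (ngroups_max < NGROUPS_MAX)` branch has the same gap). Consider a boot-time `printf` when either bound is applied so the adjustment is visible in dmesg instead of being discovered later from a process that cannot join the groups it was configured with. A smaller point: `ngroups_max_max` is a function-local `const int` holding a magic number, and a block-scope `const int` is not a constant expression in C, so the comment's overflow reasoning ("the number of allocated bytes for the group array must not overflow on 32-bit machines") cannot be checked at compile time. Hoisting the bound to a macro next to the comment would allow a `CTASSERT((uintmax_t)NGROUPS_CAP + 1 <= SIZE_MAX / sizeof(gid_t));` (with `NGROUPS_CAP` standing for whatever name is chosen), which also pins down the "even if 'gid_t' was to be enlarged" claim rather than leaving it as prose.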
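The two bounds the commit message describes, as an added example that is not FreeBSD code: a stand-alone clamp mirroring the `[NGROUPS_MAX, (1 << 24) - 1]` range that `init_param1()` now enforces, beside a byte-size computation for the groups array that detects, rather than wraps on, the `ngroups_max + 1` and 32-bit size overflows the commit guards against. Every `ex_`/`EX_` name is an assumption made for this example; `EX_NGROUPS_MAX` is set to 1023 on the assumption that this is FreeBSD's `NGROUPS_MAX` from `sys/syslimits.h`, `gid_t` is modelled as a caller-supplied width so the "enlarged by a magnitude" headroom can be checked, and a 32-bit `size_t` is modelled as `UINT32_MAX` so the check behaves the same on any host.

```c
/*
 * Added example, not FreeBSD code. Mirrors the two bounds the commit puts on
 * 'kern.ngroups' and shows why each exists. All 'ex_'/'EX_' names are
 * assumptions made for this example.
 */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed lower bound: FreeBSD's NGROUPS_MAX (sys/syslimits.h) is 1023. */
#define EX_NGROUPS_MAX 1023
/* Upper cap chosen by the commit: (1 << 24) - 1, about 16.7 million. */
#define EX_NGROUPS_CAP ((1 << 24) - 1)
/* Largest value a 32-bit kernel's size_t can hold. */
#define EX_SIZE32_MAX UINT32_MAX

/* Apply the same clamping init_param1() does after the tunable fetch. */
int ex_clamp_ngroups(int requested)
{
    if (requested < EX_NGROUPS_MAX)
        return EX_NGROUPS_MAX;   /* below the POSIX-mandated minimum */
    if (requested > EX_NGROUPS_CAP)
        return EX_NGROUPS_CAP;   /* above the cap that keeps sizes sane */
    return requested;
}

/*
 * Bytes needed for the groups array: ngroups_max supplementary GIDs plus
 * one slot for the effective GID, each gid_size bytes wide. Returns 0 when
 * either step would overflow (ngroups_max + 1 exceeding int, or the byte
 * count exceeding a 32-bit size_t); a valid result is never 0.
 */
uint64_t ex_groups_array_bytes(int ngroups_max, unsigned gid_size)
{
    if (ngroups_max < 0 || gid_size == 0)
        return 0;
    if (ngroups_max == INT_MAX)
        return 0;   /* 'ngroups_max + 1' would overflow int */
    uint64_t entries = (uint64_t)ngroups_max + 1;
    uint64_t bytes = entries * gid_size;   /* cannot overflow 64 bits here */
    if (bytes > EX_SIZE32_MAX)
        return 0;   /* would not fit a 32-bit kernel's size_t */
    return bytes;
}

int main(void)
{
    /* Constructed sample settings an administrator might put in loader.conf. */
    int samples[] = { 16, 4096, EX_NGROUPS_CAP + 1, INT_MAX };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int got = ex_clamp_ngroups(samples[i]);
        printf("kern.ngroups=%d -> ngroups_max=%d, array=%llu bytes (4-byte gid_t)\n",
               samples[i], got, (unsigned long long)ex_groups_array_bytes(got, 4));
    }
    /* Unclamped values show the failures the clamp prevents. */
    printf("INT_MAX unclamped: %llu (0 = overflow detected)\n",
           (unsigned long long)ex_groups_array_bytes(INT_MAX, 4));
    printf("cap with an 8-byte gid_t still fits: %llu bytes\n",
           (unsigned long long)ex_groups_array_bytes(EX_NGROUPS_CAP, 8));
    return 0;
}
```

The cap leaves a wide margin: at the cap the array is 64 MiB with a 4-byte `gid_t` and 128 MiB with an 8-byte one, both far below the 4 GiB a 32-bit `size_t` can express, whereas `INT_MAX` fails the first check before any multiplication happens.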