Vulnerability details

File: sys/kern/kern_prot.c
Function: kern_setcred_copyin_supp_groups()
Lines: 528-533

The function signature uses a double pointer for the groups argument:

    static int
    kern_setcred_copyin_supp_groups(struct setcred *const wcred, const u_int flags,
        gid_t *const smallgroups, gid_t **const groups)

Because groups has type gid_t **, the expression sizeof(*groups) evaluates to sizeof(gid_t *) == 8 on LP64, rather than the intended sizeof(gid_t) == 4. This sizeof expression is used in two places:

    /* lines 528-530: allocation */
    *groups = wcred->sc_supp_groups_nb < CRED_SMALLGROUPS_NB ? smallgroups :
        malloc((wcred->sc_supp_groups_nb + 1) * sizeof(*groups), M_TEMP, M_WAITOK);
        /* sizeof(*groups) == 8 */

    /* lines 532-533: copyin */
    error = copyin(wcred->sc_supp_groups, *groups + 1,
        wcred->sc_supp_groups_nb * sizeof(*groups));   /* sizeof(*groups) == 8 */

The allocation on the heap path is 2x oversized, which is safe. However, on the stack path (when sc_supp_groups_nb < CRED_SMALLGROUPS_NB == 16), *groups is set to smallgroups, a gid_t[CRED_SMALLGROUPS_NB] array declared as a local variable in the caller user_setcred():

    gid_t smallgroups[CRED_SMALLGROUPS_NB];   /* 16 * 4 = 64 bytes */

The copyin destination is *groups + 1 == &smallgroups[1], which leaves 15 * 4 == 60 bytes of usable space. The copyin writes sc_supp_groups_nb * sizeof(*groups) == sc_supp_groups_nb * 8 bytes. With the maximum stack-path value of sc_supp_groups_nb == 15:

    Bytes written:   15 * 8 = 120
    Buffer capacity: 15 * 4 = 60
    Overflow:        60 bytes past the end of smallgroups[]

The overflowing bytes are fully attacker-controlled data from user space (wcred->sc_supp_groups points to an attacker-supplied buffer).

Trigger path and privilege-check ordering

The overflow happens in kern_setcred_copyin_supp_groups(), which is called from user_setcred() at line 604, before the privilege check.
The privilege check (priv_check_cred(PRIV_CRED_SETCRED)) does not occur until kern_setcred() is called at line 6...
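To make the sizeof miscalculation under "Vulnerability details" concrete, here is an added C example (not FreeBSD's code): it computes the byte count the buggy expression yields against the intended one, and models a hardened stack-path copy that rejects more than CRED_SMALLGROUPS_NB - 1 groups before writing anything. memcpy() stands in for copyin(), and the names buggy_copy_len, intended_copy_len, copy_supp_groups_checked and stack_path_demo are my own.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>

#define CRED_SMALLGROUPS_NB 16

/* Byte count the buggy expression yields: with groups declared gid_t **,
 * sizeof(*groups) is the size of a pointer (8 on LP64), not of a gid_t. */
size_t buggy_copy_len(size_t nb)
{
    gid_t **groups = NULL;        /* only its type matters to sizeof */
    return nb * sizeof(*groups);
}

/* Byte count the code intended: one gid_t per supplied group. */
size_t intended_copy_len(size_t nb)
{
    return nb * sizeof(gid_t);
}

/* Hardened stack-path copy. The destination starts at smallgroups[1], so
 * the array must hold nb + 1 entries: reject before writing anything and
 * size the copy by the element type, not by the pointer. memcpy() stands
 * in for copyin(); in the kernel the source would be user memory. */
int copy_supp_groups_checked(gid_t *smallgroups, size_t cap,
                             const gid_t *ugroups, size_t nb)
{
    if (nb + 1 > cap)
        return EINVAL;
    memcpy(smallgroups + 1, ugroups, nb * sizeof(*smallgroups));
    return 0;
}

/* Drives the stack path with a constructed "user" buffer holding gids
 * 1000 .. 1000+nb-1; returns 0 only if the copy was accepted and every
 * entry landed at smallgroups[1..nb], otherwise the rejecting errno. */
int stack_path_demo(size_t nb)
{
    gid_t ugroups[2 * CRED_SMALLGROUPS_NB], smallgroups[CRED_SMALLGROUPS_NB];
    if (nb > 2 * CRED_SMALLGROUPS_NB)
        return ERANGE;
    for (size_t i = 0; i < nb; i++)
        ugroups[i] = (gid_t)(1000 + i);
    int error = copy_supp_groups_checked(smallgroups, CRED_SMALLGROUPS_NB, ugroups, nb);
    if (error != 0)
        return error;
    for (size_t i = 0; i < nb; i++)
        if (smallgroups[i + 1] != (gid_t)(1000 + i))
            return EIO;
    return 0;
}
```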
First seen: 2026-05-21 14:00
Last seen: 2026-05-22 05:12