author: glebius <glebius@FreeBSD.org> 2016-01-14 10:16:25 +0000
committer: glebius <glebius@FreeBSD.org> 2016-01-14 10:16:25 +0000
commit: 796cbcc7388ed25b7353bd9266556844d1f346b7
tree: 6673dc280aed0d93302ee0dd4aaf8da05c536c44 /sys/compat
parent: f65cb2db641567983c348e31026d5e1199fe3fdb
Call crextend() before copying old credentials to the new credentials
and replace crcopysafe by crcopy as crcopysafe is not intended to be safe in a threaded environment, it drops PROC_LOCK() in while() that can lead to unexpected results, such as overwriting kernel memory.

In my POV crcopysafe() needs special attention. For now I do not see any problems with this function, but who knows.

Submitted by: dchagin
Found by: trinity
Security: SA-16:04.linux
Diffstat (limited to 'sys/compat')
-rw-r--r-- sys/compat/linux/linux_misc.c 4
1 files changed, 3 insertions, 1 deletions
diff --git a/sys/compat/linux/linux_misc.c b/sys/compat/linux/linux_misc.c
index de91869..fe4dbf6 100644
--- a/sys/compat/linux/linux_misc.c
+++ b/sys/compat/linux/linux_misc.c
@@ -1304,9 +1304,11 @@ linux_setgroups(struct thread *td, struct linux_setgroups_args *args)
if (error)
goto out;
newcred = crget();
+ crextend(newcred, ngrp + 1);
p = td->td_proc;
PROC_LOCK(p);
- oldcred = crcopysafe(p, newcred);
+ oldcred = p->p_ucred;
+ crcopy(newcred, oldcred);
/*
* cr_groups[0] holds egid. Setting the whole set from
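Review bot: the capacity reserved by crextend(newcred, ngrp + 1) covers only the incoming group list, but the crcopy(newcred, oldcred) added under PROC_LOCK copies whatever the current credential holds, and nothing in the visible lines shows that newcred is large enough when oldcred carries more groups than ngrp + 1. The commit message describes crcopysafe() as the routine that loops around this case by dropping the lock, so removing it needs either a stated guarantee that crcopy() cannot overrun or block here, or an explicit size check against oldcred before the copy. A short comment at the crextend() call would also help: the "+ 1" is only explained further down by the existing note that cr_groups[0] holds egid, and a reader of the allocation line should not have to infer it.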