isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

If sudo_getgrouplist2() returns -1, clamp ngroups based on max_groups.

Browse Source 
The ngroups parameter is an out parameter that is filled in with
the actual number of groups, which may be less than the static
number allocated when max_groups is set in sudo.conf.
Fixes a potential out of bounds read found by LLVM libFuzzer.
This commit is contained in:
Todd C. Miller
2021-02-13 11:54:21 -07:00
parent e89a8133ac
commit 41eae91206
2 changed files with 8 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
plugins/sudoers/pwutil_impl.c
View File

@@ -263,7 +263,9 @@ sudo_make_gidlist_item(const struct passwd *pw, char * const *unused1,
"unable to allocate memory");
debug_return_ptr(NULL);
}
(void)sudo_getgrouplist2(pw->pw_name, pw->pw_gid, &gids, &ngids);
/* Clamp to max_groups if insufficient space for all groups. */
if (sudo_getgrouplist2(pw->pw_name, pw->pw_gid, &gids, &ngids) == -1)
ngids = sudo_user.max_groups;
} else {
gids = NULL;
if (sudo_getgrouplist2(pw->pw_name, pw->pw_gid, &gids, &ngids) == -1) {

8
src/sudo.c
View File

@@ -396,9 +396,11 @@ fill_group_list(const char *user, struct sudo_cred *cred)
if (cred->ngroups > 0) {
cred->groups = reallocarray(NULL, cred->ngroups, sizeof(GETGROUPS_T));
if (cred->groups != NULL) {
/* No error on insufficient space if user specified max_groups. */
(void)sudo_getgrouplist2(user, cred->gid,
&cred->groups, &cred->ngroups);
/* Clamp to max_groups if insufficient space for all groups. */
if (sudo_getgrouplist2(user, cred->gid, &cred->groups,
&cred->ngroups) == -1) {
cred->ngroups = sudo_conf_max_groups();
}
ret = 0;
}
} else {