git.ipfire.org Git - thirdparty/shadow.git/commit
lib/shadow/grp/: agetgroups(): Fix possible buffer overrun on non-Linux systems
author Alejandro Colomar <alx@kernel.org>
Wed, 16 Jul 2025 12:49:26 +0000 (14:49 +0200)
committer Serge Hallyn <serge@hallyn.com>
Wed, 16 Jul 2025 13:36:01 +0000 (08:36 -0500)
commit dc2c85d7540b6518afdd28622839e9e02cca1a0a
tree b8c4d8a2fa8a5576fa7108325ac444afd0096604
parent eb71706b1c0aee13edcbcbded6fd4d0226832261
lib/shadow/grp/: agetgroups(): Fix possible buffer overrun on non-Linux systems

Linux seems to at least write one group always from getgroups(2).
However, POSIX doesn't guarantee this, and a system might have 0 groups.

It is implementation‐defined whether getgroups() also returns
the effective group ID in the grouplist array.

Considering such a system, the call getgroups(0,NULL) could indeed
return 0, and the second call to getgroups might return a higher value,
if the group list has grown in between (race condition).  If this is the
case, we'd return an array of 0 elements (or 1, due to the MALLOC()
trick to avoid calling it with 0), with no elements filled, but where
ngids has been updated to have a positive value.  When the caller of
agetgroups() reads the array, they'd overrun the buffer.

Fixes: 05322ed89a1c (2025-01-24; "lib/shadow/grp/: agetgroups(): Add function")
Fixes: de941a7601f8 (2025-01-24; "lib/, src/: Simplify allocation of buffer")
Signed-off-by: Alejandro Colomar <alx@kernel.org>
lib/shadow/grp/agetgroups.h
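
The race described in the commit message, as an added example that is not part of this commit or of shadow's code: a count-then-fill wrapper that never passes size 0 on the fill call and retries when the list grew in between. The names `getgroups_fn`, `sim_getgroups` and `agetgroups_checked` are hypothetical, and the simulator (0 groups on the first call, 3 afterwards) is constructed to reproduce the scenario.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical hook type so a simulated getgroups(2) can be swapped in. */
typedef int (*getgroups_fn)(int size, gid_t list[]);

/* Constructed simulator: 0 groups on the first call, 3 on every later one. */
static int sim_calls;
int sim_getgroups(int size, gid_t list[])
{
    static const gid_t grown[] = { 100, 200, 300 };
    int n = (sim_calls++ == 0) ? 0 : 3;
    if (size == 0)
        return n;                       /* count only, list is not written */
    if (size < n) {
        errno = EINVAL;                 /* list no longer fits the buffer */
        return -1;
    }
    memcpy(list, grown, (size_t)n * sizeof(gid_t));
    return n;
}

/* Returns a malloc'd list; *ngids never exceeds what was allocated. */
gid_t *agetgroups_checked(getgroups_fn query, size_t *ngids)
{
    for (;;) {
        int n = query(0, NULL);
        if (n == -1)
            return NULL;
        int cap = n + 1;                /* nonzero: the fill call is never count-only */
        gid_t *gids = calloc((size_t)cap, sizeof(gid_t));
        if (gids == NULL)
            return NULL;
        int m = query(cap, gids);
        if (m != -1) {
            *ngids = (size_t)m;         /* a successful fill stores at most cap IDs */
            return gids;
        }
        int grew = (errno == EINVAL);   /* read errno before free() can change it */
        free(gids);
        if (!grew)
            return NULL;                /* genuine failure, not the race */
        /* The list grew between the two calls: size it again. */
    }
}
```

Passing the real `getgroups` as `query` gives the production behaviour; the simulator only exists to force the grow-between-calls path.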