From dc2c85d7540b6518afdd28622839e9e02cca1a0a Mon Sep 17 00:00:00 2001 From: Alejandro Colomar Date: Wed, 16 Jul 2025 14:49:26 +0200 Subject: [PATCH] lib/shadow/grp/: agetgroups(): Fix possible buffer overrun on non-Linux systems MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Linux seems to at least write one group always from getgroups(2). However, POSIX doesn't guarantee this, and a system might have 0 groups. It is implementation‐defined whether getgroups() also returns the effective group ID in the grouplist array. Considering such a system, the call getgroups(0,NULL) could indeed return 0, and the second call to getgroups might return a higher value, if the group list has grown in between (race condition). If this is the case, we'd return an array of 0 elements (or 1, due to the MALLOC() trick to avoid calling it with 0), with no elements filled, but where ngids has been updated to have a positive value. When the caller of agetgroups() reads the array, they'd overrun the buffer. Fixes: 05322ed89a1c (2025-01-24; "lib/shadow/grp/: agetgroups(): Add function") Fixes: de941a7601f8 (2025-01-24; "lib/, src/: Simplify allocation of buffer") Signed-off-by: Alejandro Colomar --- lib/shadow/grp/agetgroups.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/shadow/grp/agetgroups.h b/lib/shadow/grp/agetgroups.h index f5529a1ad..a1014dd76 100644 --- a/lib/shadow/grp/agetgroups.h +++ b/lib/shadow/grp/agetgroups.h @@ -34,6 +34,8 @@ agetgroups(size_t *ngids) if (n == -1) return NULL; + n = n ?: 1; + gids = MALLOC(n, gid_t); if (gids == NULL) return NULL; -- 2.47.2