Paths

Table of Contentst

cred: 'kern.ngroups' tunable: Limit it to avoid internal overflows
ClosedPublic
Actions

Authored by olce on Oct 4 2024, 8:07 AM.

Details

Reviewers

mhorne
mjg
emaste

Commits

rG580904d995d5: cred: 'kern.ngroups' tunable: Limit it to avoid internal overflows

Summary

As the comment introduced with the tunable said (but the code didn't
do), make sure that 'ngroups_max' can't be INT_MAX, as this would cause
overflow in the usual 'ngroups_max + 1' computations (as we store the
effective GID and supplementary groups' IDs in the same array, and
'ngroups_max' only applies to supplementary groups).

Further, we limit the maximum number of groups somewhat arbitrarily to
~17M so as to avoid overflow when computing the size in bytes of the
groups set's backing array and to avoid obvious configuration errors.
We really don't think that more than ~17M groups will ever be needed (if
I'm proven wrong one day, please drop me a note about your use case).

While here, document more precisely why NGROUPS_MAX needs to be the
minimum value for 'ngroups_max'.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 60262
Build 57146: arc lint + arc unit

Event Timeline

olce created this revision.Oct 4 2024, 8:07 AM

Herald added a subscriber: imp. · View Herald TranscriptOct 4 2024, 8:07 AM

olce requested review of this revision.Oct 4 2024, 8:07 AM

Harbormaster completed remote builds in B59724: Diff 144211.Oct 4 2024, 8:07 AM

olce added a subscriber: bapt.Oct 4 2024, 8:17 AM

olce added a parent revision: D46912: cred: kern_setgroups(): Internally use int as number of groups' type.Oct 4 2024, 8:30 AM

olce added a child revision: D46914: crsetgroups(): Improve and factor out groups normalization.

olce mentioned this in D46921: mountd(8): parsecred(): Groups limit: NGROUPS_MAX => NGROUPS_MAX + 1.Mon, Oct 14, 3:11 PM

You are too kind to the foot-shooters ;)

This revision is now accepted and ready to land.Mon, Oct 28, 5:33 PM

In D46913#1078959, @mhorne wrote:

You are too kind to the foot-shooters ;)

Yeah, I don't expect anyone to ever use a value close to INT_MAX, which in any case would probably cause memory problems in some places (e.g., NFS). But it didn't cost much to add that extra if.

The real value of this commit, IMO, is the existing comment's expansion about why ngroups_max cannot be smaller than NGROUPS_MAX with a reference to the standard.

olce mentioned this in D46915: cred: crextend(): Harden, simplify.Wed, Oct 30, 10:49 AM

Be stricter for the maximal value of kern.ngroups (see the updated commit message and inline comments).

This revision now requires review to proceed.Wed, Oct 30, 5:49 PM

Harbormaster completed remote builds in B60262: Diff 145677.Wed, Oct 30, 5:49 PM

This revision was not accepted when it landed; it landed in state Needs Review.Sat, Nov 2, 8:39 PM

Closed by commit rG580904d995d5: cred: 'kern.ngroups' tunable: Limit it to avoid internal overflows (authored by olce). · Explain Why

This revision was automatically updated to reflect the committed changes.

olce added a commit: rG580904d995d5: cred: 'kern.ngroups' tunable: Limit it to avoid internal overflows.

Revision Contents
Changeset List

Path

Size

sys/

kern/

subr_param.c

24 lines

Diff 145677

View Options

cred: 'kern.ngroups' tunable: Limit it to avoid internal overflowsClosedPublicActions