From nobody Wed Apr 29 14:47:20 2026
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mark Johnston
Subject: git: 8e8ddb05d071 - main - execve: Fix an operator precedence bug
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
List-Help:
List-Post:
List-Subscribe:
List-Unsubscribe:
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 8e8ddb05d07142e95cf84e32bf93b9ecb3f90283
Auto-Submitted: auto-generated
Date: Wed, 29 Apr 2026 14:47:20 +0000
Message-Id: <69f219f8.3cc0f.79010041@gitrepo.freebsd.org>

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=8e8ddb05d07142e95cf84e32bf93b9ecb3f90283

commit 8e8ddb05d07142e95cf84e32bf93b9ecb3f90283
Author: Mark Johnston
AuthorDate: 2026-04-22 17:58:35 +0000
Commit: Mark Johnston
CommitDate: 2026-04-29 14:39:27 +0000

    execve: Fix an operator precedence bug

    The buggy version allowed userspace to overflow the copy into adjacent
    execve KVA regions, which enables, among other things, injecting
    environment variables into privileged processes.

    Approved by: so
    Security: FreeBSD-SA-26:13.exec
    Security: CVE-2026-7270
    Reported by: Ryan Austin of Calif.io
    Reviewed by: brooks, kib
    Fixes: f373437a01a3 ("Add helper functions to copy strings into struct image_args.")
    Differential Revision: https://reviews.freebsd.org/D56665

--- sys/kern/kern_exec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index df5a1c044643..8e3b41170cab 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c
@@ -1650,7 +1650,7 @@ exec_args_adjust_args(struct image_args *args, size_t consume, ssize_t extend) if (args->stringspace < offset) return (E2BIG); memmove(args->begin_argv + extend, args->begin_argv + consume, - args->endp - args->begin_argv + consume); + args->endp - (args->begin_argv + consume)); if (args->envc > 0) args->begin_envv += offset; args->endp += offset;
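
Review bot: the corrected memmove length `args->endp - (args->begin_argv + consume)` has no visible guard against going negative. If `consume` were ever larger than `args->endp - args->begin_argv`, the pointer difference would be negative and would convert to a very large size_t when passed to memmove. The context shown only tests `args->stringspace < offset`, so unless an earlier line of exec_args_adjust_args() already bounds `consume`, a KASSERT or an early error return for that case would make the invariant explicit. The old expression added `consume` instead of subtracting it, so it copied 2 * consume bytes more than the tail being moved, which matches the overflow the commit message describes. A one-line comment stating that the length is the byte count from `begin_argv + consume` to `endp` would help keep the parenthesization from regressing, and a regression test that exercises a non-zero `consume` would catch it if it did.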