To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mark Johnston
Subject: git: 8e8ddb05d071 - main - execve: Fix an operator precedence bug
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 8e8ddb05d07142e95cf84e32bf93b9ecb3f90283
Date: Wed, 29 Apr 2026 14:47:20 +0000
Message-Id: <69f219f8.3cc0f.79010041@gitrepo.freebsd.org>

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=8e8ddb05d07142e95cf84e32bf93b9ecb3f90283

commit 8e8ddb05d07142e95cf84e32bf93b9ecb3f90283
Author:     Mark Johnston
AuthorDate: 2026-04-22 17:58:35 +0000
Commit:     Mark Johnston
CommitDate: 2026-04-29 14:39:27 +0000

    execve: Fix an operator precedence bug

    The buggy version allowed userspace to overflow the copy into adjacent
    execve KVA regions, which enables, among other things, injecting
    environment variables into privileged processes.

    Approved by:    so
    Security:       FreeBSD-SA-26:13.exec
    Security:       CVE-2026-7270
    Reported by:    Ryan Austin of Calif.io
    Reviewed by:    brooks, kib
    Fixes:          f373437a01a3 ("Add helper functions to copy strings into struct image_args.")
    Differential Revision:  https://reviews.freebsd.org/D56665
---
 sys/kern/kern_exec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index df5a1c044643..8e3b41170cab 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c 
@@ -1650,7 +1650,7 @@ exec_args_adjust_args(struct image_args *args, size_t consume, ssize_t extend) if (args->stringspace < offset) return (E2BIG); memmove(args->begin_argv + extend, args->begin_argv + consume, - args->endp - args->begin_argv + consume); + args->endp - (args->begin_argv + consume)); if (args->envc > 0) args->begin_envv += offset; args->endp += offset;
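Review bot: The corrected memmove length, args->endp - (args->begin_argv + consume), still relies on consume never exceeding the number of bytes between begin_argv and endp, and nothing in the visible context checks that. If a caller ever passed a larger consume, the pointer difference would go negative and be converted to a very large size_t. Consider a KASSERT on that invariant immediately before the memmove, and computing the length into a named local so the intended grouping cannot be lost to precedence again. The old expression copied 2 * consume bytes more than intended, and the only bound shown here (args->stringspace < offset) constrains the growth of the buffer, not the copy length, so a regression test that exercises this function with a non-zero consume would be worth adding alongside the fix.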