To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: c3e943e78e06 - stable/15 - execve: Fix an operator precedence bug
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: c3e943e78e0659724a3930e630ec35c4ef23cdf7
Auto-Submitted: auto-generated
Date: Wed, 29 Apr 2026 14:47:46 +0000
Message-Id: <69f21a12.3b7c0.1720abdc@gitrepo.freebsd.org>

The branch stable/15 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=c3e943e78e0659724a3930e630ec35c4ef23cdf7

commit c3e943e78e0659724a3930e630ec35c4ef23cdf7
Author:     Mark Johnston
AuthorDate: 2026-04-22 17:58:35 +0000
Commit:     Mark Johnston
CommitDate: 2026-04-29 14:40:57 +0000

    execve: Fix an operator precedence bug

    The buggy version allowed userspace to overflow the copy into adjacent
    execve KVA regions, which enables, among other things, injecting
    environment variables into privileged processes.

    Approved by:    so
    Security:       FreeBSD-SA-26:13.exec
    Security:       CVE-2026-7270
    Reported by:    Ryan Austin of Calif.io
    Reviewed by:    brooks, kib
    Fixes:          f373437a01a3 ("Add helper functions to copy strings into struct image_args.")
    Differential Revision:  https://reviews.freebsd.org/D56665
---
 sys/kern/kern_exec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index 2bdd6faa025a..0a9ae0aabb3e 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c
@@ -1652,7 +1652,7 @@ exec_args_adjust_args(struct image_args *args, size_t consume, ssize_t extend) if (args->stringspace < offset) return (E2BIG); memmove(args->begin_argv + extend, args->begin_argv + consume, - args->endp - args->begin_argv + consume); + args->endp - (args->begin_argv + consume)); if (args->envc > 0) args->begin_envv += offset; args->endp += offset;
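Review bot: the memmove() length in exec_args_adjust_args() is still a bare pointer difference with no visible check that args->begin_argv + consume does not pass args->endp; the only bound shown, `args->stringspace < offset`, limits growth of the string area, not the size of the tail being moved. Consider computing the tail length into a named size_t local and adding a KASSERT that consume <= args->endp - args->begin_argv ahead of the memmove(), so a bad consume trips an assertion instead of wrapping to a very large length. The removed line parsed as (args->endp - args->begin_argv) + consume, which is 2 * consume bytes more than the tail, so a regression test that drives this path with a non-zero consume and a nearly full string area would keep the grouping from regressing.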