To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: ae00a52921ca - stable/14 - execve: Fix an operator precedence bug
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: ae00a52921cafcedd04a240d444fec2076ea7771
Date: Wed, 29 Apr 2026 14:48:49 +0000
Message-Id: <69f21a51.3ad7c.7469ea2f@gitrepo.freebsd.org>

The branch stable/14 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=ae00a52921cafcedd04a240d444fec2076ea7771

commit ae00a52921cafcedd04a240d444fec2076ea7771
Author:     Mark Johnston
AuthorDate: 2026-04-22 17:58:35 +0000
Commit:     Mark Johnston
CommitDate: 2026-04-29 14:45:04 +0000

    execve: Fix an operator precedence bug

    The buggy version allowed userspace to overflow the copy into adjacent
    execve KVA regions, which enables, among other things, injecting
    environment variables into privileged processes.

    Approved by:    so
    Security:       FreeBSD-SA-26:13.exec
    Security:       CVE-2026-7270
    Reported by:    Ryan Austin of Calif.io
    Reviewed by:    brooks, kib
    Fixes:          f373437a01a3 ("Add helper functions to copy strings into struct image_args.")
    Differential Revision:  https://reviews.freebsd.org/D56665
---
 sys/kern/kern_exec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index 7f6d9a85c6bc..349e13915b29 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c 
@@ -1622,7 +1622,7 @@ exec_args_adjust_args(struct image_args *args, size_t consume, ssize_t extend) if (args->stringspace < offset) return (E2BIG); memmove(args->begin_argv + extend, args->begin_argv + consume, - args->endp - args->begin_argv + consume); + args->endp - (args->begin_argv + consume)); if (args->envc > 0) args->begin_envv += offset; args->endp += offset;
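
Review bot: The corrected length on the memmove() line, args->endp - (args->begin_argv + consume), is still a pointer difference used as a copy size, and nothing in the visible context checks that consume does not exceed args->endp - args->begin_argv; the only guard shown is the args->stringspace < offset test. If a caller ever passed a larger consume, the difference would go negative and convert to a very large length. Consider asserting the invariant just before the copy, for example KASSERT(consume <= (size_t)(args->endp - args->begin_argv), ...), unless it is already enforced above the hunk. For the record, the old expression parsed as (args->endp - args->begin_argv) + consume, so it copied 2 * consume bytes more than intended. Since the diffstat shows only kern_exec.c changing, a regression test that drives exec_args_adjust_args() with a nonzero consume would help keep this from coming back.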