To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: f04c40607b8f - releng/14.3 - execve: Fix an operator precedence bug
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/14.3
X-Git-Reftype: branch
X-Git-Commit: f04c40607b8fb38720d57631c674f07d4207c976
Auto-Submitted: auto-generated
Date: Wed, 29 Apr 2026 14:49:21 +0000
Message-Id: <69f21a71.3ae6f.7016221a@gitrepo.freebsd.org>

The branch releng/14.3 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=f04c40607b8fb38720d57631c674f07d4207c976

commit f04c40607b8fb38720d57631c674f07d4207c976
Author:     Mark Johnston
AuthorDate: 2026-04-22 17:58:35 +0000
Commit:     Mark Johnston
CommitDate: 2026-04-28 20:33:04 +0000

    execve: Fix an operator precedence bug

    The buggy version allowed userspace to overflow the copy into adjacent
    execve KVA regions, which enables, among other things, injecting
    environment variables into privileged processes.

    Approved by:    so
    Security:       FreeBSD-SA-26:13.exec
    Security:       CVE-2026-7270
    Reported by:    Ryan Austin of Calif.io
    Reviewed by:    brooks, kib
    Fixes:          f373437a01a3 ("Add helper functions to copy strings into struct image_args.")
    Differential Revision:  https://reviews.freebsd.org/D56665

--- sys/kern/kern_exec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index 6727872b5b10..484adaac91ec 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c 
@@ -1625,7 +1625,7 @@ exec_args_adjust_args(struct image_args *args, size_t consume, ssize_t extend) if (args->stringspace < offset) return (E2BIG); memmove(args->begin_argv + extend, args->begin_argv + consume, - args->endp - args->begin_argv + consume); + args->endp - (args->begin_argv + consume)); if (args->envc > 0) args->begin_envv += offset; args->endp += offset;
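
Review bot: The corrected memmove length, args->endp - (args->begin_argv + consume), is only safe while consume does not exceed args->endp - args->begin_argv, and the only check visible in this hunk is the args->stringspace < offset test. If that invariant ever failed, the pointer difference would be negative and would convert to a very large size_t length. Consider asserting the invariant just before the memmove, or computing the tail length into a named local so the intent is explicit. The removed expression parsed as (args->endp - args->begin_argv) + consume, which overstates the tail by twice consume, and a named length would have made that slip easier to catch in review. The diffstat touches only sys/kern/kern_exec.c, so a regression test that exercises this path with a nonzero consume would be a worthwhile follow-up.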