From nobody Wed Apr 29 14:50:17 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g5KwW2c0Nz6bkk9 for ; Wed, 29 Apr 2026 14:50:19 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g5KwV4bgNz4KvX for ; Wed, 29 Apr 2026 14:50:18 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777474218; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=RBLYOvCLbJom2x3Mr9H3IWDR2Llawz5gU6GXsKb1KJs=; b=KQ43BGx7RSwCw7dYTly+7MvoBG4/zjKtzlnG8Tm3BgtNp0ym3MG2M099WrCb1DVk88YFjR QOAOLLeK1WgRLz+d53sR731X/WMNrH6e9vL7nhQxFLcyAJb7Q5LyxeulKjelNCWpzdOsVy Prt9oTOiB6tRyxhaom1tZPzyRnK6A7lceLbrNAl7tgQVeocxHK+3JjKXtBHjDfrrzUTmOZ 0I8rSoZF6coRj/zBn5cTYGgv1ImxDt01T2Ga6KPEAxpn5jHErwblARzu6ahRt6PBphudkJ FWDG19lPhCqCoc3ogtq5szAHbZlCmtvAmdXs5H4/DreegQEhXNSoJQc02SIudw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777474218; a=rsa-sha256; cv=none; b=L33TajW29HAJ+e++3OQJ9dAG8saNRluN8fmcMkAdrDFkUvTPUQnLqyVAWPPJoI+7KBTVGN REO/kbJlGcx6dQ5sMyTI2VqbG942oV7u6F9HM0TFH/1gzRtsz5dLSpGIi5+YkhSzxkziJ3 KuvA78AtQI0w5JTvjdn8iy6UHC29jGHH7HcqnSn63WX/Da11U+y3DM7zZfZIpfqujCnmtD 1a13Dj1qU9T0QAtNmW2Le7c6gUnPnvFhaD7cIECFV9uoClBsJ9Yiem/XFdclTOjBtSHDXs Mxg1E83PngwiNMEHd5uU1rBKME8NTlyXP9e8/Ft+M+0Y8xNbWIwXhhD+0jAmHQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777474218; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=RBLYOvCLbJom2x3Mr9H3IWDR2Llawz5gU6GXsKb1KJs=; b=vzriqUa5rvDZjmykhRyDO2OOOLdp1+A7qxDy0iUegcoVj0VWU3fMP8WM56kjK9XXvbk+PO r2mccsyxR1D89Tyxd4ADMpfbuKoMnIAlch0v/FblcVkQf7gJCDVS5NF86/k5MQ0/CC1OWU zmkhcd/2fiVKKoKb82v/StY/Qk35aDuNzEdAeLVtg33JzjBnAcOkKAAh608nc7P4yq0Tzu WY5vGeH2cGgXpPlHxd4DszIaSKJC/sieSz/Wc1CTfpBKSDtS1Mic7jfHKJZn7vGkgrdKFp Necj2yyFnx7mgOAa9+eJtWQofZo8EZp/Oj+3z+K1I+Cf0Qvxying/0+D1KAvwQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4g5KwV1kJnzlbt for ; Wed, 29 Apr 2026 14:50:17 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3d8d9 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 29 Apr 2026 14:50:17 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 7c5c37ac8f8f - releng/13.5 - execve: Fix an operator precedence bug List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/13.5 X-Git-Reftype: branch X-Git-Commit: 7c5c37ac8f8fe9228e3f97b3876da3701a89b139 Auto-Submitted: auto-generated Date: Wed, 29 Apr 2026 14:50:17 +0000 Message-Id: <69f21aa9.3d8d9.62a22e8e@gitrepo.freebsd.org> The branch releng/13.5 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=7c5c37ac8f8fe9228e3f97b3876da3701a89b139 commit 7c5c37ac8f8fe9228e3f97b3876da3701a89b139 Author: Mark Johnston AuthorDate: 2026-04-22 17:58:35 +0000 Commit: Mark Johnston CommitDate: 2026-04-28 20:32:11 +0000 execve: Fix an operator precedence bug The buggy version allowed userspace to overflow the copy into adjacent execve KVA regions, which enables, among other things, injecting environment variables into privileged processes. Approved by: so Security: FreeBSD-SA-26:13.exec Security: CVE-2026-7270 Reported by: Ryan Austin of Calif.io Reviewed by: brooks, kib Fixes: f373437a01a3 ("Add helper functions to copy strings into struct image_args.") Differential Revision: https://reviews.freebsd.org/D56665 --- sys/kern/kern_exec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index e8e3d8d8801d..2886965172c9 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -1669,7 +1669,7 @@ exec_args_adjust_args(struct image_args *args, size_t consume, ssize_t extend) if (args->stringspace < offset) return (E2BIG); memmove(args->begin_argv + extend, args->begin_argv + consume, - args->endp - args->begin_argv + consume); + args->endp - (args->begin_argv + consume)); if (args->envc > 0) args->begin_envv += offset; args->endp += offset;