org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4g5KsZ6KLMzkK0
	for <dev-commits-src-branches@FreeBSD.org>; Wed, 29 Apr 2026 14:47:46 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from git (uid 1279)
	(envelope-from git@FreeBSD.org)
	id 3b7c0
	by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org);
	Wed, 29 Apr 2026 14:47:46 +0000
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston <markj@FreeBSD.org>
Subject: git: c3e943e78e06 - stable/15 - execve: Fix an operator precedence bug
List-Id: Commits to the stable branches of the FreeBSD src repository <dev-commits-src-branches.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help: <mailto:dev-commits-src-branches+help@freebsd.org>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-branches@freebsd.org
Sender: owner-dev-commits-src-branches@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: c3e943e78e0659724a3930e630ec35c4ef23cdf7
Auto-Submitted: auto-generated
Date: Wed, 29 Apr 2026 14:47:46 +0000
Message-Id: <69f21a12.3b7c0.1720abdc@gitrepo.freebsd.org>

The branch stable/15 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=c3e943e78e0659724a3930e630ec35c4ef23cdf7

commit c3e943e78e0659724a3930e630ec35c4ef23cdf7
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-04-22 17:58:35 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-04-29 14:40:57 +0000

    execve: Fix an operator precedence bug
    
    The buggy version allowed userspace to overflow the copy into adjacent
    execve KVA regions, which enables, among other things, injecting
    environment variables into privileged processes.
    
    Approved by:    so
    Security:       FreeBSD-SA-26:13.exec
    Security:       CVE-2026-7270
    Reported by:    Ryan Austin of Calif.io
    Reviewed by:    brooks, kib
    Fixes:          f373437a01a3 ("Add helper functions to copy strings into struct image_args.")
    Differential Revision:  https://reviews.freebsd.org/D56665
---
 sys/kern/kern_exec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 2bdd6faa025a..0a9ae0aabb3e 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -1652,7 +1652,7 @@ exec_args_adjust_args(struct image_args *args, size_t consume, ssize_t extend)
 	if (args->stringspace < offset)
 		return (E2BIG);
 	memmove(args->begin_argv + extend, args->begin_argv + consume,
-	    args->endp - args->begin_argv + consume);
+	    args->endp - (args->begin_argv + consume));
 	if (args->envc > 0)
 		args->begin_envv += offset;
 	args->endp += offset;