From: Mark Johnston
Subject: git: 934b48683c4f - releng/15.0 - execve: Fix an operator precedence bug
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
Date: Wed, 29 Apr 2026 14:48:27 +0000

The branch releng/15.0 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=934b48683c4f140cafd225518d9e056a00b46ee8

commit 934b48683c4f140cafd225518d9e056a00b46ee8
Author:     Mark Johnston
AuthorDate: 2026-04-22 17:58:35 +0000
Commit:     Mark Johnston
CommitDate: 2026-04-28 19:27:11 +0000

    execve: Fix an operator precedence bug

    The buggy version allowed userspace to overflow the copy into adjacent
    execve KVA regions, which enables, among other things, injecting
    environment variables into privileged processes.

    Approved by:    so
    Security:       FreeBSD-SA-26:13.exec
    Security:       CVE-2026-7270
    Reported by:    Ryan Austin of Calif.io
    Reviewed by:    brooks, kib
    Fixes:          f373437a01a3 ("Add helper functions to copy strings into struct image_args.")
    Differential Revision:  https://reviews.freebsd.org/D56665

--- sys/kern/kern_exec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index b2c09b47f103..5b79b8d96fc8 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c
@@ -1652,7 +1652,7 @@ exec_args_adjust_args(struct image_args *args, size_t consume, ssize_t extend) if (args->stringspace < offset) return (E2BIG); memmove(args->begin_argv + extend, args->begin_argv + consume, - args->endp - args->begin_argv + consume); + args->endp - (args->begin_argv + consume)); if (args->envc > 0) args->begin_envv += offset; args->endp += offset;
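Review bot: The memmove length on the `+` line is still a raw pointer difference, `args->endp - (args->begin_argv + consume)`, and nothing in the visible context bounds `consume` against `args->endp - args->begin_argv`; the only check shown, `args->stringspace < offset`, limits growth rather than the source range. If `consume` could ever exceed the bytes in use, the difference would be negative and convert to a very large size_t length. Consider asserting that relationship before the copy, and computing the source pointer once in a local (for example `src = args->begin_argv + consume`, then a length of `args->endp - src`) so the source and the length cannot drift apart the way they did in the removed line, where `a - b + c` parsed as `(a - b) + c` and made the length 2 * consume bytes too long. A regression test that drives this function with a non-zero `consume` would also be worth adding alongside the fix.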