Date: Wed, 29 Apr 2026 14:49:40 +0000 From: Mark Johnston <markj@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 943aa64ba91a - releng/14.4 - execve: Fix an operator precedence bug Message-ID: <69f21a84.3b7cc.f1fdad9@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch releng/14.4 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=943aa64ba91a1a47d64959cd1a2d2073bfe797aa commit 943aa64ba91a1a47d64959cd1a2d2073bfe797aa Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2026-04-22 17:58:35 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2026-04-28 20:33:58 +0000 execve: Fix an operator precedence bug The buggy version allowed userspace to overflow the copy into adjacent execve KVA regions, which enables, among other things, injecting environment variables into privileged processes. Approved by: so Security: FreeBSD-SA-26:13.exec Security: CVE-2026-7270 Reported by: Ryan Austin of Calif.io Reviewed by: brooks, kib Fixes: f373437a01a3 ("Add helper functions to copy strings into struct image_args.") Differential Revision: https://reviews.freebsd.org/D56665 --- sys/kern/kern_exec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index 7f6d9a85c6bc..349e13915b29 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -1622,7 +1622,7 @@ exec_args_adjust_args(struct image_args *args, size_t consume, ssize_t extend) if (args->stringspace < offset) return (E2BIG); memmove(args->begin_argv + extend, args->begin_argv + consume, - args->endp - args->begin_argv + consume); + args->endp - (args->begin_argv + consume)); if (args->envc > 0) args->begin_envv += offset; args->endp += offset;home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?69f21a84.3b7cc.f1fdad9>