To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 943aa64ba91a - releng/14.4 - execve: Fix an operator precedence bug
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
Date: Wed, 29 Apr 2026 14:49:40 +0000
Message-Id: <69f21a84.3b7cc.f1fdad9@gitrepo.freebsd.org>

The branch releng/14.4 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=943aa64ba91a1a47d64959cd1a2d2073bfe797aa

commit 943aa64ba91a1a47d64959cd1a2d2073bfe797aa
Author:     Mark Johnston
AuthorDate: 2026-04-22 17:58:35 +0000
Commit:     Mark Johnston
CommitDate: 2026-04-28 20:33:58 +0000

    execve: Fix an operator precedence bug

    The buggy version allowed userspace to overflow the copy into adjacent
    execve KVA regions, which enables, among other things, injecting
    environment variables into privileged processes.

    Approved by:    so
    Security:       FreeBSD-SA-26:13.exec
    Security:       CVE-2026-7270
    Reported by:    Ryan Austin of Calif.io
    Reviewed by:    brooks, kib
    Fixes:          f373437a01a3 ("Add helper functions to copy strings into struct image_args.")
    Differential Revision:  https://reviews.freebsd.org/D56665
---
 sys/kern/kern_exec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index 7f6d9a85c6bc..349e13915b29 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c 
@@ -1622,7 +1622,7 @@ exec_args_adjust_args(struct image_args *args, size_t consume, ssize_t extend) if (args->stringspace < offset) return (E2BIG); memmove(args->begin_argv + extend, args->begin_argv + consume, - args->endp - args->begin_argv + consume); + args->endp - (args->begin_argv + consume)); if (args->envc > 0) args->begin_envv += offset; args->endp += offset;
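
Review bot: the corrected length `args->endp - (args->begin_argv + consume)` is a pointer difference passed as the size argument of memmove, and nothing in the visible context checks that consume is no larger than args->endp - args->begin_argv; the only guard shown is `args->stringspace < offset`. If earlier lines of exec_args_adjust_args() or its callers do not already guarantee that bound, add a KASSERT (or an explicit error return) that args->begin_argv + consume <= args->endp ahead of the memmove, so that an oversized consume cannot become a negative difference converted to a very large length. Computing the source pointer once into a local and deriving both the source argument and the length from it would also make this kind of precedence slip harder to reintroduce. The diffstat shows only kern_exec.c changing, so a regression test that exercises the argument adjustment path would be worth adding alongside the fix.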