To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: d619e3a3c0ec - stable/13 - execve: Fix an operator precedence bug
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
Date: Wed, 29 Apr 2026 14:50:05 +0000

The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=d619e3a3c0ecf1cda9d41d3aea2e424eb0ccfd89

commit d619e3a3c0ecf1cda9d41d3aea2e424eb0ccfd89
Author:     Mark Johnston
AuthorDate: 2026-04-22 17:58:35 +0000
Commit:     Mark Johnston
CommitDate: 2026-04-28 15:46:24 +0000

    execve: Fix an operator precedence bug

    The buggy version allowed userspace to overflow the copy into adjacent
    execve KVA regions, which enables, among other things, injecting
    environment variables into privileged processes.

    Approved by:    so
    Security:       FreeBSD-SA-26:13.exec
    Security:       CVE-2026-7270
    Reported by:    Ryan Austin of Calif.io
    Reviewed by:    brooks, kib
    Fixes:          f373437a01a3 ("Add helper functions to copy strings into struct image_args.")
    Differential Revision:  https://reviews.freebsd.org/D56665
---
 sys/kern/kern_exec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index e8e3d8d8801d..2886965172c9 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -1669,7 +1669,7 @@ exec_args_adjust_args(struct image_args *args, size_t consume, ssize_t extend) if (args->stringspace < offset) return (E2BIG); memmove(args->begin_argv + extend, args->begin_argv + consume, - args->endp - args->begin_argv + consume); + args->endp - (args->begin_argv + consume)); if (args->envc > 0) args->begin_envv += offset; args->endp += offset;
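Review bot: The memmove() length `args->endp - (args->begin_argv + consume)` is a pointer difference passed as a size_t, and the only bound visible in this hunk is `args->stringspace < offset`, which limits `offset` but says nothing about `consume`. If `consume` can ever exceed `args->endp - args->begin_argv`, the difference goes negative and converts to a very large length, so consider a KASSERT or an explicit check that `args->begin_argv + consume <= args->endp` ahead of the copy, unless code above the visible context already guarantees it. The old expression parsed as `(args->endp - args->begin_argv) + consume`, which is 2 * consume bytes more than the tail being moved. Computing the source pointer once into a named local and using it for both the second argument and the length would keep the two from drifting apart again, and a one-line comment stating that the length is the tail after the consumed bytes would document the intent.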