git: ae00a52921ca - stable/14 - execve: Fix an operator precedence bug
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 29 Apr 2026 14:48:49 UTC
The branch stable/14 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=ae00a52921cafcedd04a240d444fec2076ea7771
commit ae00a52921cafcedd04a240d444fec2076ea7771
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-04-22 17:58:35 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-04-29 14:45:04 +0000
execve: Fix an operator precedence bug
The buggy version allowed userspace to overflow the copy into adjacent
execve KVA regions, which enables, among other things, injecting
environment variables into privileged processes.
Approved by: so
Security: FreeBSD-SA-26:13.exec
Security: CVE-2026-7270
Reported by: Ryan Austin of Calif.io
Reviewed by: brooks, kib
Fixes: f373437a01a3 ("Add helper functions to copy strings into struct image_args.")
Differential Revision: https://reviews.freebsd.org/D56665
---
sys/kern/kern_exec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 7f6d9a85c6bc..349e13915b29 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -1622,7 +1622,7 @@ exec_args_adjust_args(struct image_args *args, size_t consume, ssize_t extend)
if (args->stringspace < offset)
return (E2BIG);
memmove(args->begin_argv + extend, args->begin_argv + consume,
- args->endp - args->begin_argv + consume);
+ args->endp - (args->begin_argv + consume));
if (args->envc > 0)
args->begin_envv += offset;
args->endp += offset;