git: f04c40607b8f - releng/14.3 - execve: Fix an operator precedence bug

The branch releng/14.3 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=f04c40607b8fb38720d57631c674f07d4207c976

commit f04c40607b8fb38720d57631c674f07d4207c976
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-04-22 17:58:35 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-04-28 20:33:04 +0000

    execve: Fix an operator precedence bug
    
    The buggy version allowed userspace to overflow the copy into adjacent
    execve KVA regions, which enables, among other things, injecting
    environment variables into privileged processes.
    
    Approved by:    so
    Security:       FreeBSD-SA-26:13.exec
    Security:       CVE-2026-7270
    Reported by:    Ryan Austin of Calif.io
    Reviewed by:    brooks, kib
    Fixes:          f373437a01a3 ("Add helper functions to copy strings into struct image_args.")
    Differential Revision:  https://reviews.freebsd.org/D56665
---
 sys/kern/kern_exec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 6727872b5b10..484adaac91ec 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -1625,7 +1625,7 @@ exec_args_adjust_args(struct image_args *args, size_t consume, ssize_t extend)
 	if (args->stringspace < offset)
 		return (E2BIG);
 	memmove(args->begin_argv + extend, args->begin_argv + consume,
-	    args->endp - args->begin_argv + consume);
+	    args->endp - (args->begin_argv + consume));
 	if (args->envc > 0)
 		args->begin_envv += offset;
 	args->endp += offset;