author: Mark Johnston <markj@FreeBSD.org> 2026-04-22 17:58:35 +0000
committer: Mark Johnston <markj@FreeBSD.org> 2026-04-29 14:39:27 +0000
commit: 8e8ddb05d07142e95cf84e32bf93b9ecb3f90283
tree: c49ce6cac479762c74c548c4bb48b3a62d2c3f5b
parent: 6c09b7608905af2eaff4b5dfa6cbbd42ce286db6

execve: Fix an operator precedence bug

The buggy version allowed userspace to overflow the copy into adjacent
execve KVA regions, which enables, among other things, injecting
environment variables into privileged processes.

Approved by: so
Security: FreeBSD-SA-26:13.exec
Security: CVE-2026-7270
Reported by: Ryan Austin of Calif.io
Reviewed by: brooks, kib
Fixes: f373437a01a3 ("Add helper functions to copy strings into struct image_args.")
Differential Revision: https://reviews.freebsd.org/D56665

-rw-r--r-- sys/kern/kern_exec.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index df5a1c044643..8e3b41170cab 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -1650,7 +1650,7 @@ exec_args_adjust_args(struct image_args *args, size_t consume, ssize_t extend)
if (args->stringspace < offset)
return (E2BIG);
memmove(args->begin_argv + extend, args->begin_argv + consume,
- args->endp - args->begin_argv + consume);
+ args->endp - (args->begin_argv + consume));
if (args->envc > 0)
args->begin_envv += offset;
args->endp += offset;
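
Review bot: the corrected memmove length `args->endp - (args->begin_argv + consume)` is a pointer difference used as a size, and the only guard visible in this hunk is `args->stringspace < offset`, which bounds the extension but not `consume`. If `consume` could ever exceed `args->endp - args->begin_argv`, the difference would go negative and convert to a very large length, so consider asserting `args->begin_argv + consume <= args->endp` before the copy, or noting where the callers guarantee it. A one-line comment stating that the length is the tail of the string area after the consumed bytes would keep the parenthesization from being "simplified" back; the old form added `consume` to the length instead of subtracting it, so it copied 2 * consume bytes too many. A regression test that exercises a nonzero `consume` would be worth landing with the fix.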