execve: Fix an operator precedence bug

The buggy version allowed userspace to overflow the copy into adjacent
execve KVA regions, which enables, among other things, injecting
environment variables into privileged processes.

Approved by:	so
Security:	FreeBSD-SA-26:13.exec
Security:	CVE-2026-7270
Reported by:	Ryan Austin of Calif.io
Reviewed by:	brooks, kib
Fixes:		f373437a01 ("Add helper functions to copy strings into struct image_args.")
Differential Revision:	https://reviews.freebsd.org/D56665
This commit is contained in:
Mark Johnston
2026-04-22 17:58:35 +00:00
parent 6c09b76089
commit 8e8ddb05d0
+1 -1
View File
@@ -1650,7 +1650,7 @@ exec_args_adjust_args(struct image_args *args, size_t consume, ssize_t extend)
if (args->stringspace < offset)
return (E2BIG);
memmove(args->begin_argv + extend, args->begin_argv + consume,
args->endp - args->begin_argv + consume);
args->endp - (args->begin_argv + consume));
if (args->envc > 0)
args->begin_envv += offset;
args->endp += offset;