+++ /dev/null
-From 87069af79fcabd7861a132ae04ca7c808c927090 Mon Sep 17 00:00:00 2001
-From: Juergen Gross <jgross@suse.com>
-Date: Fri, 27 Mar 2026 14:13:38 +0100
-Subject: Buffer overflow in drivers/xen/sys-hypervisor.c
-
-From: Juergen Gross <jgross@suse.com>
-
-commit 27fdbab4221b375de54bf91919798d88520c6e28 upstream.
-
-The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is
-neither NUL terminated nor a string.
-
-The first causes a buffer overflow as sprintf in buildid_show will
-read and copy till it finds a NUL.
-
-00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|
-00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|
-00000017
-
-So use a memcpy instead of sprintf to have the correct value:
-
-00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|
-00000010 b9 a8 01 42 |...B|
-00000014
-
-(the above have a hack to embed a zero inside and check it's
-returned correctly).
-
-This is XSA-485 / CVE-2026-31786
-
-Fixes: 84b7625728ea ("xen: add sysfs node for hypervisor build id")
-Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
-Reviewed-by: Juergen Gross <jgross@suse.com>
-Signed-off-by: Juergen Gross <jgross@suse.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/xen/sys-hypervisor.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
---- a/drivers/xen/sys-hypervisor.c
-+++ b/drivers/xen/sys-hypervisor.c
-@@ -364,6 +364,8 @@ static ssize_t buildid_show(struct hyp_s
- ret = sprintf(buffer, "<denied>");
- return ret;
- }
-+ if (ret > PAGE_SIZE)
-+ return -ENOSPC;
-
- buildid = kmalloc(sizeof(*buildid) + ret, GFP_KERNEL);
- if (!buildid)
-@@ -371,8 +373,10 @@ static ssize_t buildid_show(struct hyp_s
-
- buildid->len = ret;
- ret = HYPERVISOR_xen_version(XENVER_build_id, buildid);
-- if (ret > 0)
-- ret = sprintf(buffer, "%s", buildid->buf);
-+ if (ret > 0) {
-+ /* Build id is binary, not a string. */
-+ memcpy(buffer, buildid->buf, ret);
-+ }
- kfree(buildid);
-
- return ret;
+++ /dev/null
-From 885290a37a84fd51c1466b08b32f9524a46e8087 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sun, 12 Apr 2026 13:32:21 +0800
-Subject: crypto: algif_aead - Fix minimum RX size check for decryption
-
-From: Herbert Xu <herbert@gondor.apana.org.au>
-
-[ Upstream commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c ]
-
-The check for the minimum receive buffer size did not take the
-tag size into account during decryption. Fix this by adding the
-required extra length.
-
-Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com
-Reported-by: Daniel Pouzzner <douzzer@mega.nu>
-Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- crypto/algif_aead.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
-index 42493b4d8ce46..cb3959e2c435e 100644
---- a/crypto/algif_aead.c
-+++ b/crypto/algif_aead.c
-@@ -170,7 +170,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
- if (usedpages < outlen) {
- size_t less = outlen - usedpages;
-
-- if (used < less) {
-+ if (used < less + (ctx->enc ? 0 : as)) {
- err = -EINVAL;
- goto free;
- }
---
-2.53.0
-
netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch
af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch
l2tp-drop-large-packets-with-udp-encap.patch
-crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch
netfilter-conntrack-add-missing-netlink-policy-valid.patch
drm-i915-gt-fix-refcount-underflow-in-intel_engine_p.patch
mips-mm-kmalloc-tlb_vpn-array-to-avoid-stack-overflo.patch
padata-fix-pd-uaf-once-and-for-all.patch
padata-remove-comment-for-reorder_work.patch
driver-core-don-t-let-a-device-probe-until-it-s-read.patch
-buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch
-xen-privcmd-fix-double-free-via-vma-splitting.patch
+++ /dev/null
-From ec411bb4cfd9df3df02df06bccdced9639b0601f Mon Sep 17 00:00:00 2001
-From: Juergen Gross <jgross@suse.com>
-Date: Fri, 10 Apr 2026 09:20:04 +0200
-Subject: xen/privcmd: fix double free via VMA splitting
-
-From: Juergen Gross <jgross@suse.com>
-
-commit 24daca4fc07f3ff8cd0e3f629cd982187f48436a upstream.
-
-privcmd_vm_ops defines .close (privcmd_close), but neither .may_split
-nor .open. When userspace does a partial munmap() on a privcmd mapping,
-the kernel splits the VMA via __split_vma(). Since may_split is NULL,
-the split is allowed. vm_area_dup() copies vm_private_data (a pages
-array allocated in alloc_empty_pages()) into the new VMA without any
-fixup, because there is no .open callback.
-
-Both VMAs now point to the same pages array. When the unmapped portion
-is closed, privcmd_close() calls:
- - xen_unmap_domain_gfn_range()
- - xen_free_unpopulated_pages()
- - kvfree(pages)
-
-The surviving VMA still holds the dangling pointer. When it is later
-destroyed, the same sequence runs again, which leads to a double free.
-
-Fix this issue by adding a .may_split callback denying the VMA split.
-
-This is XSA-487 / CVE-2026-31787
-
-Fixes: d71f513985c2 ("xen: privcmd: support autotranslated physmap guests.")
-Reported-by: Atharva Vartak <atharva.a.vartak@gmail.com>
-Suggested-by: Atharva Vartak <atharva.a.vartak@gmail.com>
-Signed-off-by: Juergen Gross <jgross@suse.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/xen/privcmd.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/drivers/xen/privcmd.c
-+++ b/drivers/xen/privcmd.c
-@@ -935,6 +935,12 @@ static void privcmd_close(struct vm_area
- kfree(pages);
- }
-
-+static int privcmd_may_split(struct vm_area_struct *area, unsigned long addr)
-+{
-+ /* Forbid splitting, avoids double free via privcmd_close(). */
-+ return -EINVAL;
-+}
-+
- static vm_fault_t privcmd_fault(struct vm_fault *vmf)
- {
- printk(KERN_DEBUG "privcmd_fault: vma=%p %lx-%lx, pgoff=%lx, uv=%p\n",
-@@ -946,6 +952,7 @@ static vm_fault_t privcmd_fault(struct v
-
- static const struct vm_operations_struct privcmd_vm_ops = {
- .close = privcmd_close,
-+ .split = privcmd_may_split,
- .fault = privcmd_fault
- };
-
+++ /dev/null
-From c4766f7754a4c3dd5d9765aa773bb89013c9c703 Mon Sep 17 00:00:00 2001
-From: Juergen Gross <jgross@suse.com>
-Date: Fri, 27 Mar 2026 14:13:38 +0100
-Subject: Buffer overflow in drivers/xen/sys-hypervisor.c
-
-From: Juergen Gross <jgross@suse.com>
-
-commit 27fdbab4221b375de54bf91919798d88520c6e28 upstream.
-
-The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is
-neither NUL terminated nor a string.
-
-The first causes a buffer overflow as sprintf in buildid_show will
-read and copy till it finds a NUL.
-
-00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|
-00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|
-00000017
-
-So use a memcpy instead of sprintf to have the correct value:
-
-00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|
-00000010 b9 a8 01 42 |...B|
-00000014
-
-(the above have a hack to embed a zero inside and check it's
-returned correctly).
-
-This is XSA-485 / CVE-2026-31786
-
-Fixes: 84b7625728ea ("xen: add sysfs node for hypervisor build id")
-Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
-Reviewed-by: Juergen Gross <jgross@suse.com>
-Signed-off-by: Juergen Gross <jgross@suse.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/xen/sys-hypervisor.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
---- a/drivers/xen/sys-hypervisor.c
-+++ b/drivers/xen/sys-hypervisor.c
-@@ -364,6 +364,8 @@ static ssize_t buildid_show(struct hyp_s
- ret = sprintf(buffer, "<denied>");
- return ret;
- }
-+ if (ret > PAGE_SIZE)
-+ return -ENOSPC;
-
- buildid = kmalloc(sizeof(*buildid) + ret, GFP_KERNEL);
- if (!buildid)
-@@ -371,8 +373,10 @@ static ssize_t buildid_show(struct hyp_s
-
- buildid->len = ret;
- ret = HYPERVISOR_xen_version(XENVER_build_id, buildid);
-- if (ret > 0)
-- ret = sprintf(buffer, "%s", buildid->buf);
-+ if (ret > 0) {
-+ /* Build id is binary, not a string. */
-+ memcpy(buffer, buildid->buf, ret);
-+ }
- kfree(buildid);
-
- return ret;
+++ /dev/null
-From f6ae8b47a19b534a5ee12a0eda3717f2cf48635d Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sun, 12 Apr 2026 13:32:21 +0800
-Subject: crypto: algif_aead - Fix minimum RX size check for decryption
-
-From: Herbert Xu <herbert@gondor.apana.org.au>
-
-[ Upstream commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c ]
-
-The check for the minimum receive buffer size did not take the
-tag size into account during decryption. Fix this by adding the
-required extra length.
-
-Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com
-Reported-by: Daniel Pouzzner <douzzer@mega.nu>
-Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- crypto/algif_aead.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
-index 42493b4d8ce46..cb3959e2c435e 100644
---- a/crypto/algif_aead.c
-+++ b/crypto/algif_aead.c
-@@ -170,7 +170,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
- if (usedpages < outlen) {
- size_t less = outlen - usedpages;
-
-- if (used < less) {
-+ if (used < less + (ctx->enc ? 0 : as)) {
- err = -EINVAL;
- goto free;
- }
---
-2.53.0
-
l2tp-drop-large-packets-with-udp-encap.patch
gpio-tegra-fix-irq_release_resources-calling-enable-.patch
perf-x86-intel-uncore-skip-discovery-table-for-offli.patch
-crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch
i3c-fix-uninitialized-variable-use-in-i2c-setup.patch
netfilter-conntrack-add-missing-netlink-policy-valid.patch
mips-mm-kmalloc-tlb_vpn-array-to-avoid-stack-overflo.patch
padata-fix-pd-uaf-once-and-for-all.patch
padata-remove-comment-for-reorder_work.patch
driver-core-don-t-let-a-device-probe-until-it-s-read.patch
-buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch
-xen-privcmd-fix-double-free-via-vma-splitting.patch
+++ /dev/null
-From 44dbba7706ec59e8d13abb107f568faf779a05a9 Mon Sep 17 00:00:00 2001
-From: Juergen Gross <jgross@suse.com>
-Date: Fri, 10 Apr 2026 09:20:04 +0200
-Subject: xen/privcmd: fix double free via VMA splitting
-
-From: Juergen Gross <jgross@suse.com>
-
-commit 24daca4fc07f3ff8cd0e3f629cd982187f48436a upstream.
-
-privcmd_vm_ops defines .close (privcmd_close), but neither .may_split
-nor .open. When userspace does a partial munmap() on a privcmd mapping,
-the kernel splits the VMA via __split_vma(). Since may_split is NULL,
-the split is allowed. vm_area_dup() copies vm_private_data (a pages
-array allocated in alloc_empty_pages()) into the new VMA without any
-fixup, because there is no .open callback.
-
-Both VMAs now point to the same pages array. When the unmapped portion
-is closed, privcmd_close() calls:
- - xen_unmap_domain_gfn_range()
- - xen_free_unpopulated_pages()
- - kvfree(pages)
-
-The surviving VMA still holds the dangling pointer. When it is later
-destroyed, the same sequence runs again, which leads to a double free.
-
-Fix this issue by adding a .may_split callback denying the VMA split.
-
-This is XSA-487 / CVE-2026-31787
-
-Fixes: d71f513985c2 ("xen: privcmd: support autotranslated physmap guests.")
-Reported-by: Atharva Vartak <atharva.a.vartak@gmail.com>
-Suggested-by: Atharva Vartak <atharva.a.vartak@gmail.com>
-Signed-off-by: Juergen Gross <jgross@suse.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/xen/privcmd.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/drivers/xen/privcmd.c
-+++ b/drivers/xen/privcmd.c
-@@ -934,6 +934,12 @@ static void privcmd_close(struct vm_area
- kvfree(pages);
- }
-
-+static int privcmd_may_split(struct vm_area_struct *area, unsigned long addr)
-+{
-+ /* Forbid splitting, avoids double free via privcmd_close(). */
-+ return -EINVAL;
-+}
-+
- static vm_fault_t privcmd_fault(struct vm_fault *vmf)
- {
- printk(KERN_DEBUG "privcmd_fault: vma=%p %lx-%lx, pgoff=%lx, uv=%p\n",
-@@ -945,6 +951,7 @@ static vm_fault_t privcmd_fault(struct v
-
- static const struct vm_operations_struct privcmd_vm_ops = {
- .close = privcmd_close,
-+ .may_split = privcmd_may_split,
- .fault = privcmd_fault
- };
-
+++ /dev/null
-From dbc10c174fbadb68b2d3e5fd7e4b2c432576b643 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sun, 12 Apr 2026 13:32:21 +0800
-Subject: crypto: algif_aead - Fix minimum RX size check for decryption
-
-From: Herbert Xu <herbert@gondor.apana.org.au>
-
-[ Upstream commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c ]
-
-The check for the minimum receive buffer size did not take the
-tag size into account during decryption. Fix this by adding the
-required extra length.
-
-Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com
-Reported-by: Daniel Pouzzner <douzzer@mega.nu>
-Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- crypto/algif_aead.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
-index 42493b4d8ce46..cb3959e2c435e 100644
---- a/crypto/algif_aead.c
-+++ b/crypto/algif_aead.c
-@@ -170,7 +170,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
- if (usedpages < outlen) {
- size_t less = outlen - usedpages;
-
-- if (used < less) {
-+ if (used < less + (ctx->enc ? 0 : as)) {
- err = -EINVAL;
- goto free;
- }
---
-2.53.0
-
l2tp-drop-large-packets-with-udp-encap.patch
gpio-tegra-fix-irq_release_resources-calling-enable-.patch
perf-x86-intel-uncore-skip-discovery-table-for-offli.patch
-crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch
revert-drm-fix-use-after-free-on-framebuffers-and-pr.patch
netfilter-conntrack-add-missing-netlink-policy-valid.patch
alsa-usb-audio-improve-focusrite-sample-rate-filteri.patch
+++ /dev/null
-From e3f1fffa2599582af75c7d368e9658b2d27708fb Mon Sep 17 00:00:00 2001
-From: Juergen Gross <jgross@suse.com>
-Date: Fri, 27 Mar 2026 14:13:38 +0100
-Subject: Buffer overflow in drivers/xen/sys-hypervisor.c
-
-From: Juergen Gross <jgross@suse.com>
-
-commit 27fdbab4221b375de54bf91919798d88520c6e28 upstream.
-
-The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is
-neither NUL terminated nor a string.
-
-The first causes a buffer overflow as sprintf in buildid_show will
-read and copy till it finds a NUL.
-
-00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|
-00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|
-00000017
-
-So use a memcpy instead of sprintf to have the correct value:
-
-00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|
-00000010 b9 a8 01 42 |...B|
-00000014
-
-(the above have a hack to embed a zero inside and check it's
-returned correctly).
-
-This is XSA-485 / CVE-2026-31786
-
-Fixes: 84b7625728ea ("xen: add sysfs node for hypervisor build id")
-Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
-Reviewed-by: Juergen Gross <jgross@suse.com>
-Signed-off-by: Juergen Gross <jgross@suse.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/xen/sys-hypervisor.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
---- a/drivers/xen/sys-hypervisor.c
-+++ b/drivers/xen/sys-hypervisor.c
-@@ -366,6 +366,8 @@ static ssize_t buildid_show(struct hyp_s
- ret = sprintf(buffer, "<denied>");
- return ret;
- }
-+ if (ret > PAGE_SIZE)
-+ return -ENOSPC;
-
- buildid = kmalloc(sizeof(*buildid) + ret, GFP_KERNEL);
- if (!buildid)
-@@ -373,8 +375,10 @@ static ssize_t buildid_show(struct hyp_s
-
- buildid->len = ret;
- ret = HYPERVISOR_xen_version(XENVER_build_id, buildid);
-- if (ret > 0)
-- ret = sprintf(buffer, "%s", buildid->buf);
-+ if (ret > 0) {
-+ /* Build id is binary, not a string. */
-+ memcpy(buffer, buildid->buf, ret);
-+ }
- kfree(buildid);
-
- return ret;
drm-amdgpu-limit-bo-list-entry-count-to-prevent-reso.patch
device-property-make-modifications-of-fwnode-flags-thread-safe.patch
ocfs2-split-transactions-in-dio-completion-to-avoid-credit-exhaustion.patch
-buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch
-xen-privcmd-fix-double-free-via-vma-splitting.patch
+++ /dev/null
-From 75fbb2133406db20964cbe925fcff0c107af787f Mon Sep 17 00:00:00 2001
-From: Juergen Gross <jgross@suse.com>
-Date: Fri, 10 Apr 2026 09:20:04 +0200
-Subject: xen/privcmd: fix double free via VMA splitting
-
-From: Juergen Gross <jgross@suse.com>
-
-commit 24daca4fc07f3ff8cd0e3f629cd982187f48436a upstream.
-
-privcmd_vm_ops defines .close (privcmd_close), but neither .may_split
-nor .open. When userspace does a partial munmap() on a privcmd mapping,
-the kernel splits the VMA via __split_vma(). Since may_split is NULL,
-the split is allowed. vm_area_dup() copies vm_private_data (a pages
-array allocated in alloc_empty_pages()) into the new VMA without any
-fixup, because there is no .open callback.
-
-Both VMAs now point to the same pages array. When the unmapped portion
-is closed, privcmd_close() calls:
- - xen_unmap_domain_gfn_range()
- - xen_free_unpopulated_pages()
- - kvfree(pages)
-
-The surviving VMA still holds the dangling pointer. When it is later
-destroyed, the same sequence runs again, which leads to a double free.
-
-Fix this issue by adding a .may_split callback denying the VMA split.
-
-This is XSA-487 / CVE-2026-31787
-
-Fixes: d71f513985c2 ("xen: privcmd: support autotranslated physmap guests.")
-Reported-by: Atharva Vartak <atharva.a.vartak@gmail.com>
-Suggested-by: Atharva Vartak <atharva.a.vartak@gmail.com>
-Signed-off-by: Juergen Gross <jgross@suse.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/xen/privcmd.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/drivers/xen/privcmd.c
-+++ b/drivers/xen/privcmd.c
-@@ -1639,6 +1639,12 @@ static void privcmd_close(struct vm_area
- kvfree(pages);
- }
-
-+static int privcmd_may_split(struct vm_area_struct *area, unsigned long addr)
-+{
-+ /* Forbid splitting, avoids double free via privcmd_close(). */
-+ return -EINVAL;
-+}
-+
- static vm_fault_t privcmd_fault(struct vm_fault *vmf)
- {
- printk(KERN_DEBUG "privcmd_fault: vma=%p %lx-%lx, pgoff=%lx, uv=%p\n",
-@@ -1650,6 +1656,7 @@ static vm_fault_t privcmd_fault(struct v
-
- static const struct vm_operations_struct privcmd_vm_ops = {
- .close = privcmd_close,
-+ .may_split = privcmd_may_split,
- .fault = privcmd_fault
- };
-
+++ /dev/null
-From 45d6d2dd7ae32bc230890e733a926bce7dbe09bf Mon Sep 17 00:00:00 2001
-From: Juergen Gross <jgross@suse.com>
-Date: Fri, 27 Mar 2026 14:13:38 +0100
-Subject: Buffer overflow in drivers/xen/sys-hypervisor.c
-
-From: Juergen Gross <jgross@suse.com>
-
-commit 27fdbab4221b375de54bf91919798d88520c6e28 upstream.
-
-The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is
-neither NUL terminated nor a string.
-
-The first causes a buffer overflow as sprintf in buildid_show will
-read and copy till it finds a NUL.
-
-00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|
-00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|
-00000017
-
-So use a memcpy instead of sprintf to have the correct value:
-
-00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|
-00000010 b9 a8 01 42 |...B|
-00000014
-
-(the above have a hack to embed a zero inside and check it's
-returned correctly).
-
-This is XSA-485 / CVE-2026-31786
-
-Fixes: 84b7625728ea ("xen: add sysfs node for hypervisor build id")
-Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
-Reviewed-by: Juergen Gross <jgross@suse.com>
-Signed-off-by: Juergen Gross <jgross@suse.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/xen/sys-hypervisor.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
---- a/drivers/xen/sys-hypervisor.c
-+++ b/drivers/xen/sys-hypervisor.c
-@@ -366,6 +366,8 @@ static ssize_t buildid_show(struct hyp_s
- ret = sprintf(buffer, "<denied>");
- return ret;
- }
-+ if (ret > PAGE_SIZE)
-+ return -ENOSPC;
-
- buildid = kmalloc(sizeof(*buildid) + ret, GFP_KERNEL);
- if (!buildid)
-@@ -373,8 +375,10 @@ static ssize_t buildid_show(struct hyp_s
-
- buildid->len = ret;
- ret = HYPERVISOR_xen_version(XENVER_build_id, buildid);
-- if (ret > 0)
-- ret = sprintf(buffer, "%s", buildid->buf);
-+ if (ret > 0) {
-+ /* Build id is binary, not a string. */
-+ memcpy(buffer, buildid->buf, ret);
-+ }
- kfree(buildid);
-
- return ret;
arm64-mm-enable-batched-tlb-flush-in-unmap_hotplug_range.patch
mm-migrate-requeue-destination-folio-on-deferred-split-queue.patch
ocfs2-split-transactions-in-dio-completion-to-avoid-credit-exhaustion.patch
-buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch
-xen-privcmd-fix-double-free-via-vma-splitting.patch
+++ /dev/null
-From 4ad984ad2a76e59f285d3f73ce0198aad2c24890 Mon Sep 17 00:00:00 2001
-From: Juergen Gross <jgross@suse.com>
-Date: Fri, 10 Apr 2026 09:20:04 +0200
-Subject: xen/privcmd: fix double free via VMA splitting
-
-From: Juergen Gross <jgross@suse.com>
-
-commit 24daca4fc07f3ff8cd0e3f629cd982187f48436a upstream.
-
-privcmd_vm_ops defines .close (privcmd_close), but neither .may_split
-nor .open. When userspace does a partial munmap() on a privcmd mapping,
-the kernel splits the VMA via __split_vma(). Since may_split is NULL,
-the split is allowed. vm_area_dup() copies vm_private_data (a pages
-array allocated in alloc_empty_pages()) into the new VMA without any
-fixup, because there is no .open callback.
-
-Both VMAs now point to the same pages array. When the unmapped portion
-is closed, privcmd_close() calls:
- - xen_unmap_domain_gfn_range()
- - xen_free_unpopulated_pages()
- - kvfree(pages)
-
-The surviving VMA still holds the dangling pointer. When it is later
-destroyed, the same sequence runs again, which leads to a double free.
-
-Fix this issue by adding a .may_split callback denying the VMA split.
-
-This is XSA-487 / CVE-2026-31787
-
-Fixes: d71f513985c2 ("xen: privcmd: support autotranslated physmap guests.")
-Reported-by: Atharva Vartak <atharva.a.vartak@gmail.com>
-Suggested-by: Atharva Vartak <atharva.a.vartak@gmail.com>
-Signed-off-by: Juergen Gross <jgross@suse.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/xen/privcmd.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/drivers/xen/privcmd.c
-+++ b/drivers/xen/privcmd.c
-@@ -1619,6 +1619,12 @@ static void privcmd_close(struct vm_area
- kvfree(pages);
- }
-
-+static int privcmd_may_split(struct vm_area_struct *area, unsigned long addr)
-+{
-+ /* Forbid splitting, avoids double free via privcmd_close(). */
-+ return -EINVAL;
-+}
-+
- static vm_fault_t privcmd_fault(struct vm_fault *vmf)
- {
- printk(KERN_DEBUG "privcmd_fault: vma=%p %lx-%lx, pgoff=%lx, uv=%p\n",
-@@ -1630,6 +1636,7 @@ static vm_fault_t privcmd_fault(struct v
-
- static const struct vm_operations_struct privcmd_vm_ops = {
- .close = privcmd_close,
-+ .may_split = privcmd_may_split,
- .fault = privcmd_fault
- };
-
+++ /dev/null
-From b48b4a0fe9c892182fa6c2b209f720e06a2da2e4 Mon Sep 17 00:00:00 2001
-From: Juergen Gross <jgross@suse.com>
-Date: Fri, 27 Mar 2026 14:13:38 +0100
-Subject: Buffer overflow in drivers/xen/sys-hypervisor.c
-
-From: Juergen Gross <jgross@suse.com>
-
-commit 27fdbab4221b375de54bf91919798d88520c6e28 upstream.
-
-The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is
-neither NUL terminated nor a string.
-
-The first causes a buffer overflow as sprintf in buildid_show will
-read and copy till it finds a NUL.
-
-00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|
-00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|
-00000017
-
-So use a memcpy instead of sprintf to have the correct value:
-
-00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|
-00000010 b9 a8 01 42 |...B|
-00000014
-
-(the above have a hack to embed a zero inside and check it's
-returned correctly).
-
-This is XSA-485 / CVE-2026-31786
-
-Fixes: 84b7625728ea ("xen: add sysfs node for hypervisor build id")
-Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
-Reviewed-by: Juergen Gross <jgross@suse.com>
-Signed-off-by: Juergen Gross <jgross@suse.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/xen/sys-hypervisor.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
---- a/drivers/xen/sys-hypervisor.c
-+++ b/drivers/xen/sys-hypervisor.c
-@@ -366,6 +366,8 @@ static ssize_t buildid_show(struct hyp_s
- ret = sprintf(buffer, "<denied>");
- return ret;
- }
-+ if (ret > PAGE_SIZE)
-+ return -ENOSPC;
-
- buildid = kmalloc(sizeof(*buildid) + ret, GFP_KERNEL);
- if (!buildid)
-@@ -373,8 +375,10 @@ static ssize_t buildid_show(struct hyp_s
-
- buildid->len = ret;
- ret = HYPERVISOR_xen_version(XENVER_build_id, buildid);
-- if (ret > 0)
-- ret = sprintf(buffer, "%s", buildid->buf);
-+ if (ret > 0) {
-+ /* Build id is binary, not a string. */
-+ memcpy(buffer, buildid->buf, ret);
-+ }
- kfree(buildid);
-
- return ret;
ocfs2-split-transactions-in-dio-completion-to-avoid-credit-exhaustion.patch
driver-core-don-t-let-a-device-probe-until-it-s-read.patch
loongarch-add-spectre-boundry-for-syscall-dispatch-t.patch
-buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch
-xen-privcmd-fix-double-free-via-vma-splitting.patch
+++ /dev/null
-From 02c742b226a483d487a851ead1759b8529292c64 Mon Sep 17 00:00:00 2001
-From: Juergen Gross <jgross@suse.com>
-Date: Fri, 10 Apr 2026 09:20:04 +0200
-Subject: xen/privcmd: fix double free via VMA splitting
-
-From: Juergen Gross <jgross@suse.com>
-
-commit 24daca4fc07f3ff8cd0e3f629cd982187f48436a upstream.
-
-privcmd_vm_ops defines .close (privcmd_close), but neither .may_split
-nor .open. When userspace does a partial munmap() on a privcmd mapping,
-the kernel splits the VMA via __split_vma(). Since may_split is NULL,
-the split is allowed. vm_area_dup() copies vm_private_data (a pages
-array allocated in alloc_empty_pages()) into the new VMA without any
-fixup, because there is no .open callback.
-
-Both VMAs now point to the same pages array. When the unmapped portion
-is closed, privcmd_close() calls:
- - xen_unmap_domain_gfn_range()
- - xen_free_unpopulated_pages()
- - kvfree(pages)
-
-The surviving VMA still holds the dangling pointer. When it is later
-destroyed, the same sequence runs again, which leads to a double free.
-
-Fix this issue by adding a .may_split callback denying the VMA split.
-
-This is XSA-487 / CVE-2026-31787
-
-Fixes: d71f513985c2 ("xen: privcmd: support autotranslated physmap guests.")
-Reported-by: Atharva Vartak <atharva.a.vartak@gmail.com>
-Suggested-by: Atharva Vartak <atharva.a.vartak@gmail.com>
-Signed-off-by: Juergen Gross <jgross@suse.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/xen/privcmd.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/drivers/xen/privcmd.c
-+++ b/drivers/xen/privcmd.c
-@@ -1213,6 +1213,12 @@ static void privcmd_close(struct vm_area
- kvfree(pages);
- }
-
-+static int privcmd_may_split(struct vm_area_struct *area, unsigned long addr)
-+{
-+ /* Forbid splitting, avoids double free via privcmd_close(). */
-+ return -EINVAL;
-+}
-+
- static vm_fault_t privcmd_fault(struct vm_fault *vmf)
- {
- printk(KERN_DEBUG "privcmd_fault: vma=%p %lx-%lx, pgoff=%lx, uv=%p\n",
-@@ -1224,6 +1230,7 @@ static vm_fault_t privcmd_fault(struct v
-
- static const struct vm_operations_struct privcmd_vm_ops = {
- .close = privcmd_close,
-+ .may_split = privcmd_may_split,
- .fault = privcmd_fault
- };
-
+++ /dev/null
-From 2605bd8aa92807c3047545a639680c545aeb61a7 Mon Sep 17 00:00:00 2001
-From: Juergen Gross <jgross@suse.com>
-Date: Fri, 27 Mar 2026 14:13:38 +0100
-Subject: Buffer overflow in drivers/xen/sys-hypervisor.c
-
-From: Juergen Gross <jgross@suse.com>
-
-commit 27fdbab4221b375de54bf91919798d88520c6e28 upstream.
-
-The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is
-neither NUL terminated nor a string.
-
-The first causes a buffer overflow as sprintf in buildid_show will
-read and copy till it finds a NUL.
-
-00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|
-00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|
-00000017
-
-So use a memcpy instead of sprintf to have the correct value:
-
-00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|
-00000010 b9 a8 01 42 |...B|
-00000014
-
-(the above have a hack to embed a zero inside and check it's
-returned correctly).
-
-This is XSA-485 / CVE-2026-31786
-
-Fixes: 84b7625728ea ("xen: add sysfs node for hypervisor build id")
-Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
-Reviewed-by: Juergen Gross <jgross@suse.com>
-Signed-off-by: Juergen Gross <jgross@suse.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/xen/sys-hypervisor.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
---- a/drivers/xen/sys-hypervisor.c
-+++ b/drivers/xen/sys-hypervisor.c
-@@ -366,6 +366,8 @@ static ssize_t buildid_show(struct hyp_s
- ret = sprintf(buffer, "<denied>");
- return ret;
- }
-+ if (ret > PAGE_SIZE)
-+ return -ENOSPC;
-
- buildid = kmalloc(sizeof(*buildid) + ret, GFP_KERNEL);
- if (!buildid)
-@@ -373,8 +375,10 @@ static ssize_t buildid_show(struct hyp_s
-
- buildid->len = ret;
- ret = HYPERVISOR_xen_version(XENVER_build_id, buildid);
-- if (ret > 0)
-- ret = sprintf(buffer, "%s", buildid->buf);
-+ if (ret > 0) {
-+ /* Build id is binary, not a string. */
-+ memcpy(buffer, buildid->buf, ret);
-+ }
- kfree(buildid);
-
- return ret;
mm-prevent-droppable-mappings-from-being-locked.patch
mm-fix-deferred-split-queue-races-during-migration.patch
ocfs2-split-transactions-in-dio-completion-to-avoid-credit-exhaustion.patch
-buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch
-xen-privcmd-fix-double-free-via-vma-splitting.patch
+++ /dev/null
-From e8787a0c1618a1a4d594eaaf907c36d372bdb5a1 Mon Sep 17 00:00:00 2001
-From: Juergen Gross <jgross@suse.com>
-Date: Fri, 10 Apr 2026 09:20:04 +0200
-Subject: xen/privcmd: fix double free via VMA splitting
-
-From: Juergen Gross <jgross@suse.com>
-
-commit 24daca4fc07f3ff8cd0e3f629cd982187f48436a upstream.
-
-privcmd_vm_ops defines .close (privcmd_close), but neither .may_split
-nor .open. When userspace does a partial munmap() on a privcmd mapping,
-the kernel splits the VMA via __split_vma(). Since may_split is NULL,
-the split is allowed. vm_area_dup() copies vm_private_data (a pages
-array allocated in alloc_empty_pages()) into the new VMA without any
-fixup, because there is no .open callback.
-
-Both VMAs now point to the same pages array. When the unmapped portion
-is closed, privcmd_close() calls:
- - xen_unmap_domain_gfn_range()
- - xen_free_unpopulated_pages()
- - kvfree(pages)
-
-The surviving VMA still holds the dangling pointer. When it is later
-destroyed, the same sequence runs again, which leads to a double free.
-
-Fix this issue by adding a .may_split callback denying the VMA split.
-
-This is XSA-487 / CVE-2026-31787
-
-Fixes: d71f513985c2 ("xen: privcmd: support autotranslated physmap guests.")
-Reported-by: Atharva Vartak <atharva.a.vartak@gmail.com>
-Suggested-by: Atharva Vartak <atharva.a.vartak@gmail.com>
-Signed-off-by: Juergen Gross <jgross@suse.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/xen/privcmd.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/drivers/xen/privcmd.c
-+++ b/drivers/xen/privcmd.c
-@@ -1620,6 +1620,12 @@ static void privcmd_close(struct vm_area
- kvfree(pages);
- }
-
-+static int privcmd_may_split(struct vm_area_struct *area, unsigned long addr)
-+{
-+ /* Forbid splitting, avoids double free via privcmd_close(). */
-+ return -EINVAL;
-+}
-+
- static vm_fault_t privcmd_fault(struct vm_fault *vmf)
- {
- printk(KERN_DEBUG "privcmd_fault: vma=%p %lx-%lx, pgoff=%lx, uv=%p\n",
-@@ -1631,6 +1637,7 @@ static vm_fault_t privcmd_fault(struct v
-
- static const struct vm_operations_struct privcmd_vm_ops = {
- .close = privcmd_close,
-+ .may_split = privcmd_may_split,
- .fault = privcmd_fault
- };
-
projects / thirdparty / kernel / stable-queue.git / commitdiff
