CVE-2026-31699

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: ccp: Don&amp;#39;t attempt to copy CSR to userspace if PSP command failed<br /> <br /> When retrieving the PEK CSR, don&amp;#39;t attempt to copy the blob to userspace<br /> if the firmware command failed. If the failure was due to an invalid<br /> length, i.e. the userspace buffer+length was too small, copying the number<br /> of bytes _firmware_ requires will overflow the kernel-allocated buffer and<br /> leak data to userspace.<br /> <br /> BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]<br /> BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]<br /> BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26<br /> Read of size 2084 at addr ffff898144612e20 by task syz.9.219/21405<br /> <br /> CPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY<br /> Tainted: [U]=USER, [O]=OOT_MODULE<br /> Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025<br /> Call Trace:<br /> <br /> dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120<br /> print_address_description ../mm/kasan/report.c:378 [inline]<br /> print_report+0xbc/0x260 ../mm/kasan/report.c:482<br /> kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595<br /> check_region_inline ../mm/kasan/generic.c:-1 [inline]<br /> kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200<br /> instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]<br /> _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]<br /> _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26<br /> copy_to_user ../include/linux/uaccess.h:236 [inline]<br /> sev_ioctl_do_pek_csr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872<br /> sev_ioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562<br /> vfs_ioctl ../fs/ioctl.c:51 [inline]<br /> __do_sys_ioctl ../fs/ioctl.c:597 [inline]<br /> __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583<br /> do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> <br /> WARN if the driver says the command succeeded, but the firmware error code<br /> says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any<br /> firwmware error.