CVE-2026-31697
CVSS v3.1 severity:
HIGH
Type:
CWE-787
Out-of-bounds write
Publication date:
01/05/2026
Last modified:
06/05/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed

When retrieving the ID for the CPU, don't attempt to copy the ID blob to
userspace if the firmware command failed. If the failure was due to an
invalid length, i.e. the userspace buffer+length was too small, copying
the number of bytes _firmware_ requires will overflow the kernel-allocated
buffer and leak data to userspace.

```
BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
Read of size 64 at addr ffff8881867f5960 by task syz.0.906/24388

CPU: 130 UID: 0 PID: 24388 Comm: syz.0.906 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY
Tainted: [U]=USER, [O]=OOT_MODULE
Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025
Call Trace:

dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
print_address_description ../mm/kasan/report.c:378 [inline]
print_report+0xbc/0x260 ../mm/kasan/report.c:482
kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
check_region_inline ../mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
_inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
_copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
copy_to_user ../include/linux/uaccess.h:236 [inline]
sev_ioctl_do_get_id2+0x361/0x490 ../drivers/crypto/ccp/sev-dev.c:2222
sev_ioctl+0x25f/0x490 ../drivers/crypto/ccp/sev-dev.c:2575
vfs_ioctl ../fs/ioctl.c:51 [inline]
__do_sys_ioctl ../fs/ioctl.c:597 [inline]
__se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
```

WARN if the driver says the command succeeded, but the firmware error code
says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any
firmware error.
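
The pattern the commit message describes, as an added user-space model in C (not the kernel driver's code). `fw_get_id`, `get_id`, both structs and the 64-byte firmware length are assumptions for illustration, and the out-of-bounds read is only counted, never performed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FW_ID_LEN 64u /* assumed length the firmware requires */

struct id_cmd { uint8_t *buf; uint32_t len; };          /* hypothetical command buffer */
struct outcome { int ret; size_t copied; size_t oob; }; /* oob: bytes past the allocation */

/* Firmware stand-in: on a short buffer it fails and writes back the length it needs. */
static int fw_get_id(struct id_cmd *cmd)
{
    if (cmd->len < FW_ID_LEN) {
        cmd->len = FW_ID_LEN;
        return -EIO;
    }
    memset(cmd->buf, 0xA5, FW_ID_LEN);
    cmd->len = FW_ID_LEN;
    return 0;
}

/* Model of the ioctl path; check_ret != 0 selects the fixed behaviour. */
static struct outcome get_id(uint32_t user_len, int check_ret)
{
    struct outcome o = { 0, 0, 0 };
    struct id_cmd cmd = { calloc(1, user_len), user_len };
    size_t alloc = user_len; /* size of the buffer actually allocated */

    if (!cmd.buf) { o.ret = -ENOMEM; return o; }
    o.ret = fw_get_id(&cmd);
    if (o.ret && check_ret)
        goto out; /* fixed: nothing is copied after a failed command */
    /* Copy length comes from the firmware-updated cmd.len, not from alloc. */
    o.copied = cmd.len;
    o.oob = cmd.len > alloc ? cmd.len - alloc : 0;
out:
    free(cmd.buf);
    return o;
}

int main(void)
{
    struct outcome bad = get_id(16, 0), good = get_id(16, 1);
    printf("unchecked: ret=%d copied=%zu oob=%zu\n", bad.ret, bad.copied, bad.oob);
    printf("checked:   ret=%d copied=%zu oob=%zu\n", good.ret, good.copied, good.oob);
    return 0;
}
```
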
Impact
Base score 3.x
7.10
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.2 (including) | 6.6.136 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.84 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.25 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 7.0.2 (excluding) |
| cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:* | | |
To consult the complete list of CPE names with products and versions, see this page
References to solutions, tools and information
- https://git.kernel.org/stable/c/06f06d88c05ce176c61fff8c72c372847b0dd2b5
- https://git.kernel.org/stable/c/09427bcb1715fb20a80b6acd5156dbf15ab5c363
- https://git.kernel.org/stable/c/1fbac0429a42adec830491757a2b53956dd797ea
- https://git.kernel.org/stable/c/2937f17bbeefb8e7608ff1f78cffbeb3d0281e5e
- https://git.kernel.org/stable/c/4f685dbfa87c546e51d9dc6cab379d20f275e114



