KernelScan.io

HIGH

crypto SEV GetID2 Overflow

CVE-2026-31697

CVSS 7.1 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

KernelScan AI: 7.1 HIGH


In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed

When retrieving the ID for the CPU, don't attempt to copy the ID blob to userspace if the firmware command failed. If the failure was due to an invalid length, i.e. the userspace buffer+length was too small, copying the number of bytes _firmware_ requires will overflow the kernel-allocated buffer and leak data to userspace.

BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
Read of size 64 at addr ffff8881867f5960 by task syz.0.906/24388

CPU: 130 UID: 0 PID: 24388 Comm: syz.0.906 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY
Tainted: [U]=USER, [O]=OOT_MODULE
Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
 print_address_description ../mm/kasan/report.c:378 [inline]
 print_report+0xbc/0x260 ../mm/kasan/report.c:482
 kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
 check_region_inline ../mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
 instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
 _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
 _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
 copy_to_user ../include/linux/uaccess.h:236 [inline]
 sev_ioctl_do_get_id2+0x361/0x490 ../drivers/crypto/ccp/sev-dev.c:2222
 sev_ioctl+0x25f/0x490 ../drivers/crypto/ccp/sev-dev.c:2575
 vfs_ioctl ../fs/ioctl.c:51 [inline]
 __do_sys_ioctl ../fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
 do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
 </TASK>

WARN if the driver says the command succeeded, but the firmware error code says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any firmware error.


Engine v0.2.0

Risk summary

A local attacker with access to the SEV device can trigger a kernel buffer overflow by providing an undersized buffer to the SEV_GET_ID2 ioctl. This causes the kernel to read beyond allocated memory boundaries when copying firmware data to userspace, potentially leaking sensitive kernel memory contents.

Affected: drivers/crypto/ccp/sev-dev.c

Vulnerability analysis

Root Cause: The sev_ioctl_do_get_id2() function attempts to copy firmware-provided data to userspace even when the firmware command fails. When the failure is due to insufficient buffer size, the firmware returns the required length, which can exceed the kernel-allocated buffer size, causing a slab out-of-bounds read during copy_to_user().

Attack Surface: Local attack surface through the ioctl interface on the /dev/sev device. Requires local access and the ability to open the SEV device file. The vulnerability is triggered via the SEV_GET_ID2 ioctl command with an insufficient buffer size.

Fix Mechanism: The patch adds a check to prevent copying data to userspace if the firmware command failed (ret != 0) or if there is an inconsistent error state (argp->error set despite success). This ensures copy_to_user() is only called with valid, properly sized data.
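As an added illustration of the check ordering described above (model code, not the kernel driver): the unpatched path copies the firmware-reported length out of a buffer sized to the caller's length, while the patched path returns before copy_to_user() when the command failed or when firmware reported an error despite a zero return. FW_ID_LEN (chosen to match the 64-byte read in the KASAN report) and the fw_get_id() stand-in for __sev_do_cmd_locked() are constructed.

```c
#include <errno.h>
#include <stdint.h>

/* Added model of the SEV_GET_ID2 length handling, not the kernel's code.
 * FW_ID_LEN, the size of the ID blob firmware returns, is a constructed value. */
#define FW_ID_LEN 64u

/* Stand-in for __sev_do_cmd_locked(): -EIO on any firmware error. When the caller's
 * length is too small, firmware writes back the length it needs plus a non-zero status. */
static int fw_get_id(uint32_t *length, uint32_t *fw_error)
{
    int too_small = *length < FW_ID_LEN;
    *length = FW_ID_LEN;           /* size firmware needs, or produced */
    *fw_error = too_small ? 1 : 0; /* non-zero firmware status on failure */
    return too_small ? -EIO : 0;
}

struct outcome {
    int ret;            /* value the ioctl returns */
    int warned;         /* patched path hit the "ret == 0 but fw_error set" WARN */
    uint32_t alloc_len; /* kernel buffer size: the caller's length, as allocated */
    uint32_t copy_len;  /* bytes copy_to_user() is asked to read from that buffer */
};

/* Model of sev_ioctl_do_get_id2(); 'patched' selects the fixed check ordering. */
static struct outcome model_get_id2(uint32_t user_len, int patched)
{
    struct outcome o = { .alloc_len = user_len };
    uint32_t length = user_len, fw_error = 0;
    o.ret = fw_get_id(&length, &fw_error);
    if (patched) {
        if (o.ret)
            return o;           /* command failed: copy nothing */
        if (fw_error) {         /* driver says success, firmware disagrees */
            o.warned = 1;
            o.ret = -EIO;
            return o;
        }
    }
    /* Unpatched ordering: 'length' is now whatever firmware reported, which on
     * an invalid-length failure is larger than the alloc_len-byte buffer. */
    o.copy_len = length;
    return o;
}

/* True when the modelled copy_to_user() would read past the kernel buffer. */
static int outcome_overflows(struct outcome o)
{
    return o.copy_len > o.alloc_len;
}
```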


Branch     Fixed in   Patch commit
5.10       5.10.258   99bae2e3c3f9
5.15       5.15.209   a21ae9f8769e
6.1        6.1.175    0f1f2f989489
6.6        6.6.136    09427bcb1715
6.12       6.12.84    1fbac0429a42
6.18       6.18.25    2937f17bbeef
7.0        7.0.2      06f06d88c05c
mainline   7.1-rc1    4f685dbfa87c