HIGH Published 2026-05-01

crypto SEV PEK CSR Buffer Overflow

CVE-2026-31699

CVSS 7.1 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

KernelScan AI7.1HIGH

01Description

In the Linux kernel, the following vulnerability has been resolved: crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed When retrieving the PEK CSR, don't attempt to copy the blob to userspace if the firmware command failed. If the failure was due to an invalid length, i.e. the userspace buffer+length was too small, copying the number of bytes _firmware_ requires will overflow the kernel-allocated buffer and leak data to userspace. BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline] BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline] BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26 Read of size 2084 at addr ffff898144612e20 by task syz.9.219/21405 CPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY Tainted: [U]=USER, [O]=OOT_MODULE Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025 Call Trace: <TASK> dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120 print_address_description ../mm/kasan/report.c:378 [inline] print_report+0xbc/0x260 ../mm/kasan/report.c:482 kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595 check_region_inline ../mm/kasan/generic.c:-1 [inline] kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200 instrument_copy_to_user ../include/linux/instrumented.h:129 [inline] _inline_copy_to_user ../include/linux/uaccess.h:205 [inline] _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26 copy_to_user ../include/linux/uaccess.h:236 [inline] sev_ioctl_do_pek_csr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872 sev_ioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562 vfs_ioctl ../fs/ioctl.c:51 [inline] __do_sys_ioctl ../fs/ioctl.c:597 [inline] __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583 do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> WARN if the driver says the command succeeded, but the firmware error code says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any firwmware error.

02KernelScan AI Analysis

Engine v0.2.0

Risk summary

An attacker with access to the SEV device can trigger a kernel buffer overflow by providing an undersized buffer to the PEK CSR ioctl. This causes the kernel to read beyond allocated memory boundaries and leak sensitive kernel data to userspace, potentially exposing cryptographic keys or other privileged information.

Affecteddrivers/crypto/ccp/sev-dev.c

Vulnerability analysis

Root Cause: The sev_ioctl_do_pek_csr function attempts to copy firmware response data to userspace even when the PSP firmware command fails. When the failure is due to insufficient buffer size, the firmware returns the required length which exceeds the kernel-allocated buffer size, causing a slab out-of-bounds read during copy_to_user.

Attack Surface: Local attack surface through ioctl interface. Requires access to the SEV device file (/dev/sev) which typically requires root privileges or membership in specific groups. The vulnerability is triggered via the SEV_PEK_CSR ioctl command on AMD SEV-enabled systems.

Fix Mechanism: The patch adds a check to skip the copy_to_user operation if the PSP command failed (ret != 0) or if there's a firmware error (argp->error != 0). This prevents attempting to copy more data than was allocated in the kernel buffer.

03Fix Versions

Branch	Fixed in	Patch commit
5.10	5.10.258	`502d10a1d9d4`
5.15	5.15.209	`0fb87e44b813`
6.1	6.1.175	`372116eece15`
6.12	6.12.84	`59e9ae81f867`
6.18	6.18.25	`111dcc6d0f01`
6.6	6.6.136	`607ba280f2ad`
7.0	7.0.2	`3b4fd8f15765`
mainline	7.1-rc1	`abe4a6d6f606`