tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Buffer overflow in drivers/xen/sys-hypervisor.c

The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is
neither NUL terminated nor a string.

The first causes a buffer overflow as sprintf in buildid_show will
read and copy till it finds a NUL.

00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|
00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|
00000017

So use a memcpy instead of sprintf to have the correct value:

00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|
00000010 b9 a8 01 42 |...B|
00000014

(the above have a hack to embed a zero inside and check it's
returned correctly).

This is XSA-485 / CVE-2026-31786

Fixes: 84b7625728ea ("xen: add sysfs node for hypervisor build id")
Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>

Juergen Gross 27fdbab4 2e680392

+6 -2
+6 -2
drivers/xen/sys-hypervisor.c
··· 366 366 ret = sprintf(buffer, "<denied>"); 367 367 return ret; 368 368 } 369 + if (ret > PAGE_SIZE) 370 + return -ENOSPC; 369 371 370 372 buildid = kmalloc(sizeof(*buildid) + ret, GFP_KERNEL); 371 373 if (!buildid) ··· 375 373 376 374 buildid->len = ret; 377 375 ret = HYPERVISOR_xen_version(XENVER_build_id, buildid); 378 - if (ret > 0) 379 - ret = sprintf(buffer, "%s", buildid->buf); 376 + if (ret > 0) { 377 + /* Build id is binary, not a string. */ 378 + memcpy(buffer, buildid->buf, ret); 379 + } 380 380 kfree(buildid); 381 381 382 382 return ret;