Changelog in Linux kernel 6.18.26

 
Linux: Buffer overflow in drivers/xen/sys-hypervisor.c [+ + +] 
Author: Juergen Gross <jgross@suse.com>
Date:   Fri Mar 27 14:13:38 2026 +0100

    Buffer overflow in drivers/xen/sys-hypervisor.c
    
    commit 27fdbab4221b375de54bf91919798d88520c6e28 upstream.
    
    The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is
    neither NUL terminated nor a string.
    
    The first causes a buffer overflow as sprintf in buildid_show will
    read and copy till it finds a NUL.
    
    00000000  f4 91 51 f4 dd 38 9e 9d  65 47 52 eb 10 71 db 50  |..Q..8..eGR..q.P|
    00000010  b9 a8 01 42 6f 2e 32                              |...Bo.2|
    00000017
    
    So use a memcpy instead of sprintf to have the correct value:
    
    00000000  f4 91 51 f4 dd 00 9e 9d  65 47 52 eb 10 71 db 50  |..Q.....eGR..q.P|
    00000010  b9 a8 01 42                                       |...B|
    00000014
    
    (the above have a hack to embed a zero inside and check it's
    returned correctly).
    
    This is XSA-485 / CVE-2026-31786
    
    Fixes: 84b7625728ea ("xen: add sysfs node for hypervisor build id")
    Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
    Reviewed-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux: Linux 6.18.26 [+ + +] 
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Thu Apr 30 11:13:53 2026 +0200

    Linux 6.18.26
    
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 
xen/privcmd: fix double free via VMA splitting [+ + +] 
Author: Juergen Gross <jgross@suse.com>
Date:   Fri Apr 10 09:20:04 2026 +0200

    xen/privcmd: fix double free via VMA splitting
    
    commit 24daca4fc07f3ff8cd0e3f629cd982187f48436a upstream.
    
    privcmd_vm_ops defines .close (privcmd_close), but neither .may_split
    nor .open. When userspace does a partial munmap() on a privcmd mapping,
    the kernel splits the VMA via __split_vma(). Since may_split is NULL,
    the split is allowed. vm_area_dup() copies vm_private_data (a pages
    array allocated in alloc_empty_pages()) into the new VMA without any
    fixup, because there is no .open callback.
    
    Both VMAs now point to the same pages array. When the unmapped portion
    is closed, privcmd_close() calls:
        - xen_unmap_domain_gfn_range()
        - xen_free_unpopulated_pages()
        - kvfree(pages)
    
    The surviving VMA still holds the dangling pointer. When it is later
    destroyed, the same sequence runs again, which leads to a double free.
    
    Fix this issue by adding a .may_split callback denying the VMA split.
    
    This is XSA-487 / CVE-2026-31787
    
    Fixes: d71f513985c2 ("xen: privcmd: support autotranslated physmap guests.")
    Reported-by: Atharva Vartak <atharva.a.vartak@gmail.com>
    Suggested-by: Atharva Vartak <atharva.a.vartak@gmail.com>
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>