Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A buffer overflow vulnerability has been identified in the Linux kernel's crypto subsystem, specifically in the CCP driver. The issue arises when the SEV_PDH_CERT_EXPORT ioctl command is used to retrieve the Platform Data Hub (PDH) certificate. If the firmware command fails, the kernel should not attempt to copy the certificate blobs to userspace at all. When the failure is due to an invalid length, that is, when the userspace buffer is too small, the kernel still attempts to copy the required number of bytes, which overflows the kernel-allocated buffer and leaks data. The vulnerability has been observed in Linux kernel version 7.0.0-smp-DEV.
Exploitation of this vulnerability can cause a heap-based buffer overflow, potentially leading to arbitrary code execution or memory corruption.
To reproduce this vulnerability, invoke the SEV_PDH_CERT_EXPORT ioctl command with a userspace buffer too small to hold the required data. The firmware command then fails, but the kernel still attempts to copy the PDH certificate data to userspace, causing the buffer overflow.
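The check the advisory describes as missing, shown as an added example that is not the kernel's code: a simplified, single-blob model of the ioctl's copy path with a simulated firmware call (calloc stands in for kmalloc, copy_out for copy_to_user, and the status code and certificate size are constructed), contrasting the flawed ordering with the corrected one.

```c
/* Simplified model of the SEV_PDH_CERT_EXPORT copy path; not the kernel's code.
 * One blob instead of two, calloc for kmalloc, copy_out for copy_to_user. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SEV_RET_INVALID_LEN 1 /* constructed status code for "buffer too small" */
#define REAL_PDH_LEN 256      /* constructed size of the certificate the firmware holds */

struct pdh_cmd { uint32_t pdh_len; uint8_t *pdh; }; /* command block shared with firmware */

/* Simulated firmware: always rewrites pdh_len with the length it needs, and
 * fails without writing anything when the supplied buffer is too small. */
static int fw_pdh_export(struct pdh_cmd *cmd)
{
    uint32_t have = cmd->pdh_len;
    cmd->pdh_len = REAL_PDH_LEN;
    if (have < REAL_PDH_LEN) return SEV_RET_INVALID_LEN;
    memset(cmd->pdh, 0xAB, REAL_PDH_LEN); /* constructed certificate bytes */
    return 0;
}

/* Stand-in for copy_to_user(): refuses to read past the end of the kernel
 * buffer and reports the attempt, where the real call would copy heap memory. */
static int copy_out(uint8_t *dst, const uint8_t *src, size_t src_len, size_t n)
{
    if (n > src_len) return -1;
    memcpy(dst, src, n);
    return 0;
}

/* user_len is in/out like the ioctl argument: the caller's buffer size on entry,
 * the length the firmware requires on return. fixed == 0 keeps the flawed
 * ordering (copy even after a firmware error, using the enlarged length);
 * fixed != 0 returns on any firmware failure before touching the blob. */
int pdh_export(uint8_t *user_buf, uint32_t *user_len, int fixed)
{
    uint32_t alloc_len = *user_len;                    /* kmalloc(user length) */
    struct pdh_cmd cmd = { .pdh_len = alloc_len, .pdh = calloc(alloc_len + 1, 1) };
    int ret = fw_pdh_export(&cmd);
    *user_len = cmd.pdh_len;                           /* required length, both variants */
    int rc = ret ? -EIO : 0;
    if ((!ret || !fixed) && copy_out(user_buf, cmd.pdh, alloc_len, cmd.pdh_len))
        rc = -EFAULT;                                  /* the stand-in caught an over-read */
    free(cmd.pdh);
    return rc;
}
```

With a 64-byte buffer the flawed variant asks copy_out for 256 bytes from a 64-byte allocation, while the fixed variant returns -EIO and still reports the 256 bytes needed for a retry.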
Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed.