[LTP] [PATCH] cve-2026-31431: Add page cache corruption reproducer
Avinesh Kumar
avinesh.kumar@suse.com
Thu Apr 30 14:12:13 CEST 2026
Hi Andrea,
> +static void run(void)
> +{
> + int file_fd;
> + uint8_t readback[OVERWRITE_SIZE];
> +
> + file_fd = SAFE_OPEN(TESTFILE, O_RDONLY);
> + try_corrupt(file_fd);
> + SAFE_CLOSE(file_fd);
> +
> + file_fd = SAFE_OPEN(TESTFILE, O_RDONLY);
> + SAFE_READ(1, file_fd, readback, sizeof(readback));
> + SAFE_CLOSE(file_fd);
> +
> + if (memcmp(readback, original, OVERWRITE_SIZE) != 0)
> + tst_res(TFAIL, "Page cache was corrupted via AF_ALG splice");
> + else
> + tst_res(TPASS, "Page cache was not corrupted");
> +}
> +
> +static void setup(void)
> +{
> + int fd;
> +
> + fd = SAFE_OPEN(TESTFILE, O_WRONLY | O_CREAT | O_TRUNC, 0644);
> + SAFE_WRITE(SAFE_WRITE_ALL, fd, original, OVERWRITE_SIZE);
> + SAFE_CLOSE(fd);
> +}
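Review bot: the TFAIL branch at the end of run() reports the corruption without showing what was actually read back; logging the OVERWRITE_SIZE bytes of readback next to the expected content would make a failure report usable on its own. A short comment explaining why the file is closed and reopened between try_corrupt() and SAFE_READ() would also help the next reader.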
When running more than 1 iteration (i.e. -i2) on a vulnerable kernel, the
first iteration is overwriting the page cache with PWND, and subsequent
iterations are starting with a corrupted file already. We need to move
the setup part also to run() and we can drop setup().
With that:
Tested-by: Avinesh Kumar <avinesh.kumar@suse.com>
> +
> +static struct tst_test test = {
> + .test_all = run,
> + .setup = setup,
> + .needs_tmpdir = 1,
> + .tags = (const struct tst_tag[]) {
> + {"linux-git", "a664bf3d603d"},
> + {"CVE", "2026-31431"},
> + {}
> + },
> +};
>
> ---
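Review bot: the .setup = setup line in the struct has to be dropped together with setup() if the file creation moves into run() as suggested in this reply, otherwise the build breaks on the missing symbol. Separately, the struct declares only .needs_tmpdir while the TFAIL message in run() names AF_ALG; if try_corrupt() does not already report TCONF when that interface is unavailable, a requirement declared here would keep such kernels from producing a misleading result.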
Regards,
Avinesh