CVE-2026-46182
Description
In the Linux kernel, the following vulnerability has been resolved:
pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace
The hdr variable is allocated on the stack and only hdr.version and hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]), these could leak the uninitialized bytes to userspace after copy_to_user().
This patch fixes that by initializing the whole struct to 0.
Affected products: 1
Patches: 6
cefeed442962 pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace
2 files changed · +2 −4
arch/powerpc/platforms/pseries/papr-hvpipe.c+1 −2 modifieddiff --git a/arch/powerpc/platforms/pseries/papr-hvpipe.c b/arch/powerpc/platforms/pseries/papr-hvpipe.c index c41d45e1986d14..3392874ebdf686 100644 --- a/arch/powerpc/platforms/pseries/papr-hvpipe.c +++ b/arch/powerpc/platforms/pseries/papr-hvpipe.c @@ -327,7 +327,7 @@ static ssize_t papr_hvpipe_handle_read(struct file *file, { struct hvpipe_source_info *src_info = file->private_data; - struct papr_hvpipe_hdr hdr; + struct papr_hvpipe_hdr hdr = {}; long ret; /* -- cgit 1.3-korg
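Review bot: `struct papr_hvpipe_hdr hdr = {};` zeroes the named members, which covers `reserved[3]` and `reserved2[40]`, but before C23 the language does not promise that compiler-inserted padding between members is cleared by a brace initializer. The struct definition is not part of this hunk, so confirm the layout has no implicit holes (pahole on the built object shows this), or use `memset(&hdr, 0, sizeof(hdr))`, which clears every byte regardless of layout.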
0479b6e9f999 pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace
2 files changed · +2 −4
arch/powerpc/platforms/pseries/papr-hvpipe.c+1 −2 modifieddiff --git a/arch/powerpc/platforms/pseries/papr-hvpipe.c b/arch/powerpc/platforms/pseries/papr-hvpipe.c index 21a2f447c43fdc..a690bb15d4a90d 100644 --- a/arch/powerpc/platforms/pseries/papr-hvpipe.c +++ b/arch/powerpc/platforms/pseries/papr-hvpipe.c @@ -327,7 +327,7 @@ static ssize_t papr_hvpipe_handle_read(struct file *file, { struct hvpipe_source_info *src_info = file->private_data; - struct papr_hvpipe_hdr hdr; + struct papr_hvpipe_hdr hdr = {}; long ret; /* -- cgit 1.3-korg
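Review bot: the hunk is cut off after `long ret;`, and the stat line reports +1 −2 for this file while only one removed line is visible. Check what the second removed line is before accepting the backport: if it is one of the explicit `hdr.version` or `hdr.flags` assignments, the zeroed struct would go out through `copy_to_user()` with that field left at 0.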
f88f8e4485b4 pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace
2 files changed · +2 −4
arch/powerpc/platforms/pseries/papr-hvpipe.c+1 −2 modifieddiff --git a/arch/powerpc/platforms/pseries/papr-hvpipe.c b/arch/powerpc/platforms/pseries/papr-hvpipe.c index c41d45e1986d14..3392874ebdf686 100644 --- a/arch/powerpc/platforms/pseries/papr-hvpipe.c +++ b/arch/powerpc/platforms/pseries/papr-hvpipe.c @@ -327,7 +327,7 @@ static ssize_t papr_hvpipe_handle_read(struct file *file, { struct hvpipe_source_info *src_info = file->private_data; - struct papr_hvpipe_hdr hdr; + struct papr_hvpipe_hdr hdr = {}; long ret; /* -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Uninitialized stack variable `hdr` in `papr_hvpipe_handle_read()` leaves reserved padding bytes (reserved[3] and reserved2[40]) uninitialized, which are then copied to userspace via `copy_to_user()`."
Attack vector
An attacker with access to the `/dev/hvpipe` character device can invoke a read operation that triggers `papr_hvpipe_handle_read()` [patch_id=2897979]. The function allocates a `struct papr_hvpipe_hdr` on the stack and only initializes `hdr.version` and `hdr.flags`. The struct contains reserved padding fields (`reserved[3]` and `reserved2[40]`) that remain uninitialized. When the function calls `copy_to_user()` to return the header to userspace, these uninitialized stack bytes are copied out, potentially leaking sensitive kernel stack data. No special privileges beyond read access to the device file are required.
Affected code
The vulnerable code is in `arch/powerpc/platforms/pseries/papr-hvpipe.c` in the function `papr_hvpipe_handle_read()` at line 330 [patch_id=2897979]. The stack-allocated `struct papr_hvpipe_hdr hdr` was declared without an initializer, leaving reserved padding bytes (`reserved[3]` and `reserved2[40]`) uninitialized before being passed to `copy_to_user()`.
What the fix does
The patch changes the declaration of `hdr` from `struct papr_hvpipe_hdr hdr;` to `struct papr_hvpipe_hdr hdr = {};` in `arch/powerpc/platforms/pseries/papr-hvpipe.c` [patch_id=2897979]. This zero-initializes the entire struct, including all reserved padding bytes, before any fields are explicitly set. By ensuring every byte of the struct is initialized, the fix prevents any uninitialized kernel stack memory from being copied to userspace via `copy_to_user()`.
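The mechanism and the effect of the fix can be reproduced in a userspace model. This is an added example, not code from the kernel tree or from this advisory; the struct's field types and order, the `0xA5` poison value and all function names are assumptions, and a poisoned buffer stands in for the dirty kernel stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field names are from the advisory; types and order are assumed. */
struct hdr_model {
    uint8_t  version;
    uint8_t  reserved[3];
    uint32_t flags;
    uint8_t  reserved2[40];
};

#define POISON 0xA5 /* constructed marker for stale stack contents */
union slot { struct hdr_model hdr; uint8_t raw[sizeof(struct hdr_model)]; };

/* Models the read handler. zero_first=0 is the old declaration, 1 is `hdr = {}`. */
static void model_read(uint8_t *user_buf, int zero_first)
{
    union slot s;
    memset(s.raw, POISON, sizeof(s.raw));    /* leftovers from earlier calls */
    if (zero_first)
        memset(&s.hdr, 0, sizeof(s.hdr));    /* every byte defined up front */
    s.hdr.version = 1;                       /* constructed sample values */
    s.hdr.flags = 0;
    memcpy(user_buf, s.raw, sizeof(s.raw));  /* stand-in for copy_to_user() */
}

/* Counts reserved bytes in a returned header that are not zero. */
static size_t stale_reserved_bytes(const uint8_t *buf)
{
    struct hdr_model h;
    size_t n = 0, i;
    memcpy(&h, buf, sizeof(h));
    for (i = 0; i < sizeof(h.reserved); i++)
        n += (h.reserved[i] != 0);
    for (i = 0; i < sizeof(h.reserved2); i++)
        n += (h.reserved2[i] != 0);
    return n;
}

int main(void)
{
    uint8_t before[sizeof(struct hdr_model)], after[sizeof(struct hdr_model)];
    model_read(before, 0);
    model_read(after, 1);
    printf("stale reserved bytes: before=%zu after=%zu\n",
           stale_reserved_bytes(before), stale_reserved_bytes(after));
    return 0;
}
```

The same reserved-bytes-are-zero check works as a regression test against any interface that returns a struct with reserved fields.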
Preconditions
- access: Attacker must have read access to the /dev/hvpipe character device on a PowerPC pseries system.
- config: The kernel must have the papr-hvpipe driver compiled and the device node must be accessible.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.