Your message dated Tue, 14 Apr 2026 03:13:06 +0000
with message-id <[email protected]>
and subject line Bug#1132622: fixed in linux 7.0-1~exp1
has caused the Debian Bug report #1132622,
regarding CVE-2026-23417: fix BPF PROBE_MEM32 constant blinding
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132622: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132622
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: linux
Version: 6.19.10-1
Severity: grave
Tags: patch security
X-Debbugs-Cc: [email protected], Debian Security Team
<[email protected]>
This is a backport for CVE-2026-23417 (BPF JIT Blinding bypass)
targeting the linux package in Sid (6.19.10-1).
I have verified the patch by successfully compiling kernel/bpf/core.o
in a Debian Sid environment. The patch follows DEP-3 standards and
addresses the issue where BPF_ST | BPF_PROBE_MEM32 instructions
were bypassing constant blinding.
The fix is based on the upstream commit by Linus Torvalds.
Attached is the DEP-3 formatted patch.
-- System Information:
Debian Release: forky/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.19.10+deb14-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=es_CL.UTF-8, LC_CTYPE=es_CL.UTF-8 (charmap=UTF-8),
LANGUAGE=es_CL:es
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Description: bpf: fix constant blinding for PROBE_MEM32
BPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by
bpf_jit_blind_insn(), allowing user-controlled 32-bit immediates
to survive unblinded into JIT-compiled native code.
This backport addresses CVE-2026-23417 by manually constructing
the BPF_STX instruction to preserve the PROBE_MEM32 mode, which
would otherwise be lost if using the BPF_STX_MEM() macro.
Origin: upstream,
https://git.kernel.org/linus/2321a9596d2260310267622e0ad8fbfa6f95378f
Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-23417
Forwarded: not-needed
Author: Linus Torvalds <[email protected]>
Reviewed-by: Benjamin Leon Dubos <[email protected]>
Last-Update: 2026-04-03
Applied-Upstream: 7.0-rc5
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -1419,6 +1419,26 @@
*to++ = BPF_ALU64_IMM(BPF_XOR, BPF_REG_AX, imm_rnd);
*to++ = BPF_STX_MEM(from->code, from->dst_reg, BPF_REG_AX,
from->off);
break;
+
+ case BPF_ST | BPF_PROBE_MEM32 | BPF_DW:
+ case BPF_ST | BPF_PROBE_MEM32 | BPF_W:
+ case BPF_ST | BPF_PROBE_MEM32 | BPF_H:
+ case BPF_ST | BPF_PROBE_MEM32 | BPF_B:
+ *to++ = BPF_ALU64_IMM(BPF_MOV, BPF_REG_AX, imm_rnd ^ from->imm);
+ *to++ = BPF_ALU64_IMM(BPF_XOR, BPF_REG_AX, imm_rnd);
+ /*
+ * Cannot use BPF_STX_MEM() macro here as it
+ * hardcodes BPF_MEM mode, losing PROBE_MEM32
+ * and breaking arena addressing in the JIT.
+ */
+ *to++ = (struct bpf_insn) {
+ .code = BPF_STX | BPF_PROBE_MEM32 |
BPF_SIZE(from->code),
+ .dst_reg = from->dst_reg,
+ .src_reg = BPF_REG_AX,
+ .off = from->off,
+ };
+ break;
+
}
out:
return to - to_buff;
--- End Message ---
--- Begin Message ---
Source: linux
Source-Version: 7.0-1~exp1
Done: Ben Hutchings <[email protected]>
We believe that the bug you reported is fixed in the latest version of
linux, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ben Hutchings <[email protected]> (supplier of updated linux package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 13 Apr 2026 18:00:30 +0200
Source: linux
Architecture: source
Version: 7.0-1~exp1
Distribution: experimental
Urgency: medium
Maintainer: Debian Kernel Team <[email protected]>
Changed-By: Ben Hutchings <[email protected]>
Closes: 1113728 1113996 1122357 1127612 1130971 1131166 1131431 1131546 1132155
1132201 1132622 1132796 1132814
Changes:
linux (7.0-1~exp1) experimental; urgency=medium
.
* New upstream release: https://kernelnewbies.org/Linux_7.0
- [amd64] platform/x86: hp-bioscfg: Support allocations of larger data
(Closes: #1127612)
- [amd64] crypto: padlock-sha - Disable for Zhaoxin processor
(Closes: #1113996)
- iommu: Fix mapping check for 0x0 to avoid re-mapping it (Closes:
#1130971)
- bpf: Fix constant blinding for PROBE_MEM32 stores (CVE-2026-23417)
(Closes: #1132622)
- [loong64] KVM: Fix undefined behaviour found by UBSAN (Closes: #1131431):
+ Make kvm_get_vcpu_by_cpuid() more robust
+ Handle the case that EIOINTC's coremap is empty
+ Fix base address calculation in kvm_eiointc_regs_access()
.
[ Bastian Blank ]
* Merge kernel-wedge. This takes over maintenance of this code from the
installer team.
* Use non-aliases paths in udebs. (closes: #1122357)
.
[ Han Gao ]
* [riscv64] Enable RTC_DRV_EFI as module
* [riscv64] Enable SENSORS_PWM_FAN as module for Sophgo SG2042
* [riscv64] Enable SENSORS_MR75203 as module for THEAD TH1520
* [riscv64] Enable POWER_SEQUENCING as module for THEAD TH1520
* [riscv64] Enable POWER_SEQUENCING_TH1520_GPU as module for THEAD TH1520
* [riscv64] Enable SND_SOC_K1_I2S as module for Spacemit K1
* [riscv64] Enable CONFIG_PWM_TH1520 for THEAD TH1520
.
[ Salvatore Bonaccorso ]
* [amd64] drivers/platform/x86/uniwill: Enable X86_PLATFORM_DRIVERS_UNIWILL
* [amd64] drivers/platform/x86/uniwill: Enable UNIWILL_LAPTOP as module
(Closes: #1131166)
* [amd64] drivers/media/i2c: Enable VIDEO_OV02E10 as module (Closes:
#1132201)
* [amd64] drivers/staging/media/ipu7: Enable VIDEO_INTEL_IPU7 as module
(Closes: #1132814)
.
[ Ben Hutchings ]
* Fix ordering of kernel version strings for multiple Debian revisions
(Closes: #1113728)
* d/b/test-patches: Expect debian/control-real target to return 0
* d/b/test-patches: Disable signing so we build linux-image packages again
(Closes: #1131546)
* kernel-wedge: Fix find-dups to not look for kernel-image-di
* kernel-wedge: Remove handling of unset $SOURCEDIR
* kernel-wedge: Remove support for non-Linux kernels
* kernel-wedge: Remove support for separate config directories
* kernel-wedge: Remove support for non-modular kernel
* kernel-wedge: Remove support for exclude-packages
* kernel-wedge: Use cpio instead of tar in copy-files
* kernel-wedge: Rewrite copy-files in Perl
* kernel-wedge: Fix copy-files to skip softdeps in depmod output
* kernel-wedge: Combine gen-deps with copy-files
* kernel-wedge, udeb: Define which packages to build through package-list
* [mips*,sh4] udeb: Remove minix-modules package
* [mips*] udeb: Remove affs-modules package
* udeb: Build {jfs,loop,ppp,squashfs,uinput,xfs}-modules everywhere we can
(Closes: #1132155)
.
[ Aurelien Jarno ]
* [riscv64] Enable SPACEMIT_K3_CCU
* [riscv64] Enable PINCTRL_PIC64GX and PINCTRL_POLARFIRE_SOC
* [riscv64] Enable CV1800_MBOX, SND_SOC_CV1800B_TDM,
SND_SOC_CV1800B_ADC_CODEC and SND_SOC_CV1800B_DAC_CODEC as modules
.
[ Morgwai Kotarbinski ]
* linux-kbuild: Include scripts/gen-btf.sh (Closes: #1132796)
Checksums-Sha1:
b7c0aa04b26599087cd3b320622747e8228b7fdf 183105 linux_7.0-1~exp1.dsc
0805573ce39c5657affaaadfe45e7e79c1b68944 160332840 linux_7.0.orig.tar.xz
3ed69a3345ad92384c6614d59ecb2afacc744f02 1451976 linux_7.0-1~exp1.debian.tar.xz
02d303b4cb1e903375d5f1b4e5ddfcb92231a480 6962 linux_7.0-1~exp1_source.buildinfo
Checksums-Sha256:
d18ff76532ab4dfe10a64d6d6068c78ab750ec53b4b5860a9171945b76afc5c8 183105
linux_7.0-1~exp1.dsc
84aabcbd9039469613e74fd735a5e9680c1958a9ff63f093ebd9e580f403d06f 160332840
linux_7.0.orig.tar.xz
569e4e3e998d48247dce25aaca1dd067a83773c1b5c7961c0422154b06d6ac51 1451976
linux_7.0-1~exp1.debian.tar.xz
95dcfcd511aca951b67f9b2b8ed51f926fdc04e95eb7cc0578c8b2744aea2794 6962
linux_7.0-1~exp1_source.buildinfo
Files:
483aae11d5269bc3be731565733ae3ba 183105 kernel optional linux_7.0-1~exp1.dsc
7ffdb1d8b58227d54d348b9bb9586821 160332840 kernel optional
linux_7.0.orig.tar.xz
3107a8ea51576df21d858367afb6c960 1451976 kernel optional
linux_7.0-1~exp1.debian.tar.xz
77feae1584d60399a450169007fdf84b 6962 kernel optional
linux_7.0-1~exp1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAmndjiwACgkQ57/I7JWG
EQmMKw/+IvmVy8jrjGonjuXCtEZ3a+nyCf6tWmV9YmKP+THJUQlo2RX+bpwM3CA6
gPO1sQBAs3g12ZatCT2qZUnrnyri+FH5NTXiPZkStMP2l0ShftP35lmHQbKPb+CD
iQOYN98DtRleQi6mZkgkhKqrGU8nZmz0fHfxF0eMcQLu1Q6qBxhcxAWcIPWg+zwl
crnNqZk2UQSB/ALbIfoPPyOFBilEpb39oYJ4LNz4aVAbJynhinGNB3CH+hnOj9yf
Dn7ry+rwkz/eRtJoy3eFShFi2n+WOdndTrDTKmf51zRN7X0cdfsI0vWa/6tyVNWy
SOZtZUAirKDyBPsGh4z8RLAUGLj5HoShE6x1nbxCb9TgcBYOlntWSL9RgmstNKZN
GzOzgWqiuUaURMsNaHAjElaXiU2G/XlZTQkjrpf/WLfZKEn3Sy5BX+JdcsV3W0Vc
4Y2NTziQVbxxs6yv8KlmP/hMZM6eNGZBu8owm70LGQe+rlzWImCRrAPRkyjzj0SY
hDyzM0buwWJbFk5HMex2nDt6PfvyviHXk90cWqUormDBsHDpdkBWHTOMtntWym9f
vnZUtH+siHxmtdulMH3OL6Y+UL+pVofWUaaAhWTKxtGOjaC0jtRaqnL3hidcezA5
rsbPdUAbHYUcT84rwo2cYe39GZu7S8yAFTt7Doojzv9FBp7bAdc=
=blsv
-----END PGP SIGNATURE-----
pgpNLmoZBCcee.pgp
Description: PGP signature
--- End Message ---
