
Konstantin Bogomolov

Researcher from Google
#45153 of 53,779
5.5 Total CVSS
Vulnerabilities · 1
PT-2024-1998
5.5
2024-01-30
Linux · Linux Kernel · CVE-2024-26603
**Name of the Vulnerable Software and Affected Versions**

Linux kernel (affected versions not specified)

**Description**

The issue is in the Linux kernel's handling of the xsave buffer on signal return: the expected size of the user-space buffer was taken from `fx_sw->xstate_size`, a value that user space controls. User space can therefore construct a sigreturn frame in which `fx_sw->xstate_size` is smaller than the size required by the valid bits in `fx_sw->xfeatures`, or unmap part of the sigframe FPU buffer so that it is inaccessible to `xrstor`. As a result, `xrstor` tries to restore from and access the unmapped area and faults. However, `fault_in_readable` succeeds because `buf + fx_sw->xstate_size` still lies within the mapped area, so the kernel retries `xrstor` and spins in an infinite loop. The fix faults in the maximum size that `XRSTOR` can touch, taken from the kernel-controlled `fpstate->user_size`, instead of trusting the user-supplied value.

**Recommendations**

At the moment, there is no information about a newer version that contains a fix for this vulnerability.