[scarthgap,2/3] qemu: Fix CVE-2026-0665

Message ID	20260612121820.2298565-2-asparmar@cisco.com
State	New
Headers	show Return-Path: <asparmar@cisco.com> ip: 173.37.86.79, mailfrom: asparmar@cisco.com) IronPort-Data: A9a23:FjQttKyOHN5sJHsW8vF6t+dmxyrEfRIJ4+MujC+fZmUNrF6WrkVRy 2dKC2CAafeOYzDxKNB/Oo/i/RsAvMTUztU2Hgs++FhgHilAwSbn6Xt1DatR0we6dJCroJdPt p1GAjX4BJlqCCea/VH1buSJQUBUjcmgXqD7BPPPJhd/TAplTDZJoR94kobVuKYw6TSCK13L4 4+aT/H3Ygf/hWYqazhMsspvlTs21BjMkGJA1rABTagjUG/2zxE9EJ8ZLKetGHr0KqE8NvK6X evK0Iai9Wrf+Ro3Yvv9+losWhRXKlJ6FVHmZkt+A8BOsDAbzsAB+vpT2M4nVKtio27hc+adZ zl6ncfYpQ8BZsUgkQmGOvVSO3kW0aZuoNcrLZUj2CCe5xWuTpfi/xlhJEQpBIg42L9lOHlL7 scCLzEhPh+NpP3jldpXSsE07igiBNPgMIVavjRryivUSK53B5vCWK7No9Rf2V/chOgXQq2YP JVfM2cyKk2cPXWjOX9PYH46tO6znnDldjRCgFmUvqEwpWPUyWSd1ZCxYIeMIILbHJs9ckCwj T/B+Un2LzIma/eVx2Cu1Wie3ODhknauMG4VPPjinhJwu3WU3mEVBRgcWFe3rPX8gUmkVvpbK lcI4WwptaU0+UmhQ9XxUhH+p2SL1iPwQPJKGOE8rQXIwa3O7kPBVy4PTyVKb5ots8peqSEW6 2JlVujBXVRH2IB5g1rEnltIhVte4RQoEFI= IronPort-HdrOrdr: A9a23:5irozarZsBa0B7OKeAV+1UkaV5rzeYIsimQD101hICG9vPb2qy nIpoV96faaslcssR0b9OxofZPwI080lqQFhbX5X43DYOCOggLBR+tfBMnZsljd8kbFmNK1u5 0NT0FWMqyXMbEDt7eY3CCIV/A93dKA7Kekwc3az3trUEVWTpsI1XYBNu5eeXcGPzWvwvECZe Kh2vY= From: "Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)" <asparmar@cisco.com> To: openembedded-core@lists.openembedded.org Cc: xe-linux-external@cisco.com, Ashishkumar Parmar <asparmar@cisco.com> Subject: [OE-core][scarthgap][PATCH 2/3] qemu: Fix CVE-2026-0665 Date: Fri, 12 Jun 2026 05:18:16 -0700 Message-ID: <20260612121820.2298565-2-asparmar@cisco.com> In-Reply-To: <20260612121820.2298565-1-asparmar@cisco.com> References: <20260612121820.2298565-1-asparmar@cisco.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[scarthgap,1/3] qemu: Fix CVE-2025-14876 \| expand [scarthgap,1/3] qemu: Fix CVE-2025-14876 [scarthgap,2/3] qemu: Fix CVE-2026-0665 [scarthgap,3/3] qemu: Fix CVE-2026-2243

Message ID

20260612121820.2298565-2-asparmar@cisco.com

State

New

Headers

IronPort-Data: A9a23:FjQttKyOHN5sJHsW8vF6t+dmxyrEfRIJ4+MujC+fZmUNrF6WrkVRy
 2dKC2CAafeOYzDxKNB/Oo/i/RsAvMTUztU2Hgs++FhgHilAwSbn6Xt1DatR0we6dJCroJdPt
 p1GAjX4BJlqCCea/VH1buSJQUBUjcmgXqD7BPPPJhd/TAplTDZJoR94kobVuKYw6TSCK13L4
 4+aT/H3Ygf/hWYqazhMsspvlTs21BjMkGJA1rABTagjUG/2zxE9EJ8ZLKetGHr0KqE8NvK6X
 evK0Iai9Wrf+Ro3Yvv9+losWhRXKlJ6FVHmZkt+A8BOsDAbzsAB+vpT2M4nVKtio27hc+adZ
 zl6ncfYpQ8BZsUgkQmGOvVSO3kW0aZuoNcrLZUj2CCe5xWuTpfi/xlhJEQpBIg42L9lOHlL7
 scCLzEhPh+NpP3jldpXSsE07igiBNPgMIVavjRryivUSK53B5vCWK7No9Rf2V/chOgXQq2YP
 JVfM2cyKk2cPXWjOX9PYH46tO6znnDldjRCgFmUvqEwpWPUyWSd1ZCxYIeMIILbHJs9ckCwj
 T/B+Un2LzIma/eVx2Cu1Wie3ODhknauMG4VPPjinhJwu3WU3mEVBRgcWFe3rPX8gUmkVvpbK
 lcI4WwptaU0+UmhQ9XxUhH+p2SL1iPwQPJKGOE8rQXIwa3O7kPBVy4PTyVKb5ots8peqSEW6
 2JlVujBXVRH2IB5g1rEnltIhVte4RQoEFI=
IronPort-HdrOrdr: A9a23:5irozarZsBa0B7OKeAV+1UkaV5rzeYIsimQD101hICG9vPb2qy
 nIpoV96faaslcssR0b9OxofZPwI080lqQFhbX5X43DYOCOggLBR+tfBMnZsljd8kbFmNK1u5
 0NT0FWMqyXMbEDt7eY3CCIV/A93dKA7Kekwc3az3trUEVWTpsI1XYBNu5eeXcGPzWvwvECZe
 Kh2vY=
From: "Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)"
 <asparmar@cisco.com>
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com,
	Ashishkumar Parmar <asparmar@cisco.com>
Subject: [OE-core][scarthgap][PATCH 2/3] qemu: Fix CVE-2026-0665
Date: Fri, 12 Jun 2026 05:18:16 -0700
Message-ID: <20260612121820.2298565-2-asparmar@cisco.com>
In-Reply-To: <20260612121820.2298565-1-asparmar@cisco.com>
References: <20260612121820.2298565-1-asparmar@cisco.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[scarthgap,1/3] qemu: Fix CVE-2025-14876 | expand

Commit Message

Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco) June 12, 2026, 12:18 p.m. UTC

From: Ashishkumar Parmar <asparmar@cisco.com>

This patch applies the upstream v10.0.8 stable backport for
CVE-2026-0665. The upstream fix commit is referenced in [1],
and the public CVE advisory is referenced in [2]. The individual
backported commit links are recorded in the embedded patch headers
when the fix expands to multiple commits.

[1] https://gitlab.com/qemu-project/qemu/-/commit/4ba877461e6b1a8637b15ff1a8c77ba97639c927
[2] https://access.redhat.com/security/cve/CVE-2026-0665

Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  1 +
 .../qemu/qemu/CVE-2026-0665.patch             | 38 +++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 26d10991a7..3b5146e981 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -47,6 +47,7 @@  SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://0002-python-backport-avoid-creating-additional-event-loop.patch \
            file://CVE-2025-14876_p1.patch \
            file://CVE-2025-14876_p2.patch \
+           file://CVE-2026-0665.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch b/meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch
new file mode 100644
index 0000000000..9264ba38cc
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch
@@ -0,0 +1,38 @@ 
+From 91e98ce0a879010ef5b5ab5778cc71c0e9e92a57 Mon Sep 17 00:00:00 2001
+From: Vulnerability Report <vr@darknavy.com>
+Date: Fri, 9 Jan 2026 10:35:48 +0800
+Subject: [PATCH] hw/i386/kvm: fix PIRQ bounds check in xen_physdev_map_pirq()
+
+Reject pirq == s->nr_pirqs in xen_physdev_map_pirq().
+
+CVE: CVE-2026-0665
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/4ba877461e6b1a8637b15ff1a8c77ba97639c927]
+
+Fixes: aa98ee38a5 ("hw/xen: Implement emulated PIRQ hypercall support")
+Fixes: CVE-2026-0665
+Reported-by: DARKNAVY (@DarkNavyOrg) <vr@darknavy.com>
+Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
+Signed-off-by: Vulnerability Report <vr@darknavy.com>
+Link: https://lore.kernel.org/r/13FE03BE60EA78D6+20260109023548.4047-1-vr@darknavy.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit c7504ba2a560fd884557f6e5142f03b491aad0c7)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(cherry picked from commit 4ba877461e6b1a8637b15ff1a8c77ba97639c927)
+Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
+---
+ hw/i386/kvm/xen_evtchn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/i386/kvm/xen_evtchn.c b/hw/i386/kvm/xen_evtchn.c
+index 02b8cbf8d..5a1ad3782 100644
+--- a/hw/i386/kvm/xen_evtchn.c
++++ b/hw/i386/kvm/xen_evtchn.c
+@@ -1843,7 +1843,7 @@ int xen_physdev_map_pirq(struct physdev_map_pirq *map)
+             return pirq;
+         }
+         map->pirq = pirq;
+-    } else if (pirq > s->nr_pirqs) {
++    } else if (pirq >= s->nr_pirqs) {
+         return -EINVAL;
+     } else {
+         /*

[scarthgap,2/3] qemu: Fix CVE-2026-0665

Commit Message

Patch