From patchwork Fri Jun 12 12:18:15 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 89916 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B5C30CD8CA8 for ; Fri, 12 Jun 2026 12:18:30 +0000 (UTC) Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.69190.1781266706044966863 for ; Fri, 12 Jun 2026 05:18:26 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=VAzfZcAv; spf=pass (domain: cisco.com, ip: 173.37.86.72, mailfrom: asparmar@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=6720; q=dns/txt; s=iport01; t=1781266706; x=1782476306; h=from:to:cc:subject:date:message-id:mime-version: content-transfer-encoding; bh=5ujPcgOnj+L6XU68CBYenXPiImoJFr7I/Z+k24w+iRs=; b=VAzfZcAvLSVCa4z+776etLM5xy2YpNAssyj62PUydD9cA9YzMtqzUUNv MbHIr+HHSos8amY/UtTwsmNLoQxVoE4NmKMHo9Tb62ggG8GVB6fHXJ+aT Ri+2lMlg5RrzycT/4pSNuktodLNuZvDEvJ01FPFfg0PLlRXYiI08iPjig i52iPgdPkF0TrIGF3ccPg2BdG71gQAmh8YJF35kZplefJNbNaXPE36kte D7lBLQkHUXTDa6H6QMF42llfIL0SsfhuhurhAEHcB4UCiQN7isGqYnkm3 nVCvG9rYnlSVpGM1Hx27E6uaARiQcRoPYPScT63l7ptri/6VAkqt0O6BN A==; X-CSE-ConnectionGUID: tvKobB38TXSczUD1GXu9iw== X-CSE-MsgGUID: f9x4JK41QHeCJiubfOORtw== X-IPAS-Result: A0BKAgDf9ytq/4r/Ja1aglmCGD90X0JJA4RUkXSLZ4VmjFGBfg8BAQEPRA0EAQGFBgKNQAImNAkOAQIEAwIDAQEBAQEBAQEBAQELAQEFAQEBAgEHBYEOE4ZPDYZaAQIBJgQLAUYZEwMBAgMCJgIiCyMYCYIqWAGCOgM2AgERl1Oacxo3en8zgQGDaAJDUNhJDYJWAQUGFAEFgQUuhT+CfCABhQJbGAGDXYEfJxsbgXKBFYNpgQWBGkIFgTQBhAOCagSCIoEMgV0eUoFcggqKM0iBAhwDWSwBVRMNCgsHBYFmAzUSKhVuMh2BIz4XNFgbBwWBSoEraoEDhQ0jHwM5f4F0gShnaRUwNYEBARESAwsYDUgRLDcUGwQ9AW4HjEIXD4FLc4EOAStPLIECFxg6kleSZaAecQoog3WMIY8+hXwaM6psC5h9jgqECZErTFCEaIFoPIFZcBWDIlMZD1aNVwsLg2CFE8J+JDULAy8BAQcCBw4DC4FokAABJ4FVAQE IronPort-Data: A9a23:BpSUuK6fvHgmZ1rn9zrjQQxRtGnGchMFZxGqfqrLsTDasY5as4F+v mccDGmEMviIZGb8eo1wPIq/oUIOvJLUxtE1HAo/qnhnZn8b8sCt6fZ1gavT04J+CuWZESqLO u1HMoGowPgcFyGa/lH2dOC98RGQ7InQLpLkEunIJyttcgFtTSYlmHpLlvUw6mJSqYDR7zil5 5Wo/6UzBHf/g2QqajxNsfrawP9SlK2aVA0w7wRWic9j5Dcyp1FNZLoDKKe4KWfPQ4U8NoaSW +bZwbilyXjS9hErB8nNuu6TnpoiG+O60aCm0xK6aoD66vRwjnVaPpUTaJLwXXxqZwChxLid/ jniWauYEm/FNoWU8AgUvoIx/ytWZcWq85efSZSzXFD6I0DuKxPRL/tS4E4eIZM7/exdWjFyx ccTOg0hNz+zmrO33+fuIgVsrpxLwMjDJogTvDRkiDreF/tjGcmFSKTR7tge1zA17ixMNa+BP IxCNnw1MUmGOkYfUrsUIMpWcOOAj2LneiddoUi9rqss6G+Vxwt0uFToGIaEIYfaH5kIzi50o ErIrnSlIDJGbeW/xBGn82+miMjopz/kDdd6+LqQs6QCbEeo7msLBRsbUFG2rfW0hgu1XMhSA 0gV4TY1668q+UqmS9PwUxG1rDiDpBF0ZjZLO/cx5AfIzu/f5ByUQzBdCDVAc9ch8sQxQFTGy 2O0oj8gPhQ32JX9dJ5X3u38Qe+aUcTNEVI/WA== IronPort-HdrOrdr: A9a23:dsif+KHT3/r/4IMNpLqEyseALOsnbusQ8zAXPo5KJiC9Ffbo8/ xG/c5rsCMc5wxxZJhNo7290cq7MBHhHPxOgbX5VI3KNGKNhILCFu9fBOXZrwEIMheOkdK1rZ 0QEJRWOZnXEUVwi9r87U2TFtYtx8TCzYWT7N2uqUuEiWpRGtldB8ATMHfjLnFL X-Talos-CUID: 9a23:ZdVYKW7BRoTlA5ZAKNss6FA3HcoPKS3h/EzbMXKUUElZVeyUVgrF X-Talos-MUID: 9a23:LPFKzwwICrtyBzOrhJcSTLRUZfaaqKr/GBwvsslfgumJHg5xJj2TqxONXpByfw== X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.24,200,1774310400"; d="scan'208";a="493382458" Received: from rcdn-l-core-01.cisco.com ([173.37.255.138]) by rcdn-iport-1.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 12 Jun 2026 12:18:25 +0000 Received: from sjc-ads-20495.cisco.com (sjc-ads-20495.cisco.com [171.70.188.248]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-01.cisco.com (Postfix) with ESMTPS id 19F55180001CD; Fri, 12 Jun 2026 12:18:25 +0000 (GMT) Received: by sjc-ads-20495.cisco.com (Postfix, from userid 1877012) id 7D0AACC1611; Fri, 12 Jun 2026 05:18:24 -0700 (PDT) From: "Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Cc: xe-linux-external@cisco.com, Ashishkumar Parmar Subject: [OE-core][scarthgap][PATCH 1/3] qemu: Fix CVE-2025-14876 Date: Fri, 12 Jun 2026 05:18:15 -0700 Message-ID: <20260612121820.2298565-1-asparmar@cisco.com> X-Mailer: git-send-email 2.44.1 MIME-Version: 1.0 X-Auto-Response-Suppress: DR, OOF, AutoReply X-Outbound-Client-TLS: VERIFIED;sjc-ads-20495.cisco.com [171.70.188.248];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 171.70.188.248, sjc-ads-20495.cisco.com X-Outbound-Node: rcdn-l-core-01.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 12 Jun 2026 12:18:30 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238611 From: Ashishkumar Parmar This patch applies the upstream v10.0.8 stable backport for CVE-2025-14876. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2]. The individual backported commit links are recorded in the embedded patch headers when the fix expands to multiple commits. [1] https://gitlab.com/qemu-project/qemu/-/commit/e649201bb96ae7e91a69d57392c8907ec085111e [2] https://access.redhat.com/security/cve/CVE-2025-14876 Signed-off-by: Ashishkumar Parmar --- meta/recipes-devtools/qemu/qemu.inc | 2 + .../qemu/qemu/CVE-2025-14876_p1.patch | 52 +++++++++++++++++ .../qemu/qemu/CVE-2025-14876_p2.patch | 56 +++++++++++++++++++ 3 files changed, 110 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 54644dd924..26d10991a7 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -45,6 +45,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2025-12464.patch \ file://0001-python-backport-Remove-deprecated-get_event_loop-cal.patch \ file://0002-python-backport-avoid-creating-additional-event-loop.patch \ + file://CVE-2025-14876_p1.patch \ + file://CVE-2025-14876_p2.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch new file mode 100644 index 0000000000..1f47ff2ebc --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch @@ -0,0 +1,52 @@ +From 96ac1b4f958287776ec2199749beaaad60148a85 Mon Sep 17 00:00:00 2001 +From: zhenwei pi +Date: Sun, 21 Dec 2025 10:43:20 +0800 +Subject: [PATCH] hw/virtio/virtio-crypto: verify asym request size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The total lenght of request is limited by cryptodev config, verify it +to avoid unexpected request from guest. + +CVE: CVE-2025-14876 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/e649201bb96ae7e91a69d57392c8907ec085111e] + +Fixes: CVE-2025-14876 +Fixes: 0e660a6f90a ("crypto: Introduce RSA algorithm") +Reported-by: 이재영 +Signed-off-by: zhenwei pi +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +Message-Id: <20251221024321.143196-2-zhenwei.pi@linux.dev> +(cherry picked from commit 91c6438caffc880e999a7312825479685d659b44) +Signed-off-by: Michael Tokarev +(cherry picked from commit e649201bb96ae7e91a69d57392c8907ec085111e) +Signed-off-by: Ashishkumar Parmar +--- + hw/virtio/virtio-crypto.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c +index 4aaced74b..6927f7d1a 100644 +--- a/hw/virtio/virtio-crypto.c ++++ b/hw/virtio/virtio-crypto.c +@@ -767,11 +767,18 @@ virtio_crypto_handle_asym_req(VirtIOCrypto *vcrypto, + uint32_t len; + uint8_t *src = NULL; + uint8_t *dst = NULL; ++ uint64_t max_len; + + asym_op_info = g_new0(CryptoDevBackendAsymOpInfo, 1); + src_len = ldl_le_p(&req->para.src_data_len); + dst_len = ldl_le_p(&req->para.dst_data_len); + ++ max_len = (uint64_t)src_len + dst_len; ++ if (unlikely(max_len > vcrypto->conf.max_size)) { ++ virtio_error(vdev, "virtio-crypto asym request is too large"); ++ goto err; ++ } ++ + if (src_len > 0) { + src = g_malloc0(src_len); + len = iov_to_buf(iov, out_num, 0, src, src_len); diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch new file mode 100644 index 0000000000..60432c8ebb --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch @@ -0,0 +1,56 @@ +From 17f89320724d16437a26a250c82b1649777387f1 Mon Sep 17 00:00:00 2001 +From: zhenwei pi +Date: Sun, 21 Dec 2025 10:43:21 +0800 +Subject: [PATCH] cryptodev-builtin: Limit the maximum size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This backend driver is used for demonstration purposes only, unlimited +size leads QEMU OOM. + +CVE: CVE-2025-14876 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/3464e88bc98d72acc3a9674054b9ed0c3d4e9b90] + +Fixes: CVE-2025-14876 +Fixes: 1653a5f3fc7 ("cryptodev: introduce a new cryptodev backend") +Reported-by: 이재영 +Signed-off-by: zhenwei pi +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +Message-Id: <20251221024321.143196-3-zhenwei.pi@linux.dev> +(cherry picked from commit 7b913094c703641a0442bb1d1165323a019c591c) +Signed-off-by: Michael Tokarev +(cherry picked from commit 3464e88bc98d72acc3a9674054b9ed0c3d4e9b90) +Signed-off-by: Ashishkumar Parmar +--- + backends/cryptodev-builtin.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c +index 940104ee5..a4c544b6d 100644 +--- a/backends/cryptodev-builtin.c ++++ b/backends/cryptodev-builtin.c +@@ -53,6 +53,8 @@ typedef struct CryptoDevBackendBuiltinSession { + + #define CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN 512 + #define CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN 64 ++/* demonstration purposes only, use a limited size to avoid QEMU OOM */ ++#define CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE (1024 * 1024) + + struct CryptoDevBackendBuiltin { + CryptoDevBackend parent_obj; +@@ -98,12 +100,7 @@ static void cryptodev_builtin_init( + 1u << QCRYPTODEV_BACKEND_SERVICE_MAC; + backend->conf.cipher_algo_l = 1u << VIRTIO_CRYPTO_CIPHER_AES_CBC; + backend->conf.hash_algo = 1u << VIRTIO_CRYPTO_HASH_SHA1; +- /* +- * Set the Maximum length of crypto request. +- * Why this value? Just avoid to overflow when +- * memory allocation for each crypto request. +- */ +- backend->conf.max_size = LONG_MAX - sizeof(CryptoDevBackendOpInfo); ++ backend->conf.max_size = CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE; + backend->conf.max_cipher_key_len = CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN; + backend->conf.max_auth_key_len = CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN; + cryptodev_builtin_init_akcipher(backend); From patchwork Fri Jun 12 12:18:16 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 89918 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A010CCD98D9 for ; Fri, 12 Jun 2026 12:18:40 +0000 (UTC) Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.69119.1781266706208214585 for ; Fri, 12 Jun 2026 05:18:26 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=S+CjLM6A; spf=pass (domain: cisco.com, ip: 173.37.86.79, mailfrom: asparmar@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=3176; q=dns/txt; s=iport01; t=1781266706; x=1782476306; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=HRA8s9JHwMDnyTBYQOLxH15MusY4v8NJXzN5npqtYWk=; b=S+CjLM6Aa/3OBQV4rx+VA1PPkiaD64K4qxHV/058/wVGlZk6J3OF7Y0f BxabXNjXSom8HVhaFyU75UadscIwX6ksg5PQYyb4hpL6aWVVzN74oMH/o 0iYcBpv9GbgxBzqBgbR0GQ8FI0QNHiLPJPb18CvR5iyAfkKCdtLW+cb+b zqzW4+u6yD41uVG5Y09ujbte0B4k43pm9g44iESAiJzUSJTHHan+yselm kQVBpCTvJelmViFMbt1f5Sm+gsIP/Q5YOwSjNUisKly59vmf8V/OlR7lh Ul5JC1kngYfmGB1yP2sRFETXUxiItSZuvQt56fCkuXyCKlNbPCb8uiHTV Q==; X-CSE-ConnectionGUID: mwQmHJ1zQpmsSroiD8gfKw== X-CSE-MsgGUID: C5onEgEKT7Cbf2COrZ2gFg== X-IPAS-Result: A0BHAgDf9ytq/5L/Ja1aglmCGD90X0JJA5ZIA54bgX4PAQEBD0QNBAEBhQYCjUACJjQJDgECBAMCAwEBAQEBAQEBAQEBCwEBBQEBAQIBBwWBDhOGTw2GWgECAQMnCwFGEBwDAQIvKyMIGYIqWAGCcwIBEQayQBo3gXkzgQGDWgUJAkNQ2ywBBQYUAQWBM4U/iB9bGAGEfCcbG4FygRWDaYEFgVwFgSSGfgSCIoEMgV0eUoFcggqKM0iBHgNZLAFVEw0KCwcFgWYDNRIqFW4yHYEjPheBDBsHBYFKgStqgQOFDSMfAzl/gXSBKGdpFTA1gQEBERIDCxgNSBEsNxQbBD5uB4xCFw+BSx9UAYENAStQK4EZGBGTAJJloQ8KKIN1jCGVOhozqmyZCI4KlTSBHIRogWg8gVlwFYMiE0AZD1aNYoNrhRPCfiQ1AgEIAy8BAQcCBw4DC4FokACBfQEB IronPort-Data: A9a23:FjQttKyOHN5sJHsW8vF6t+dmxyrEfRIJ4+MujC+fZmUNrF6WrkVRy 2dKC2CAafeOYzDxKNB/Oo/i/RsAvMTUztU2Hgs++FhgHilAwSbn6Xt1DatR0we6dJCroJdPt p1GAjX4BJlqCCea/VH1buSJQUBUjcmgXqD7BPPPJhd/TAplTDZJoR94kobVuKYw6TSCK13L4 4+aT/H3Ygf/hWYqazhMsspvlTs21BjMkGJA1rABTagjUG/2zxE9EJ8ZLKetGHr0KqE8NvK6X evK0Iai9Wrf+Ro3Yvv9+losWhRXKlJ6FVHmZkt+A8BOsDAbzsAB+vpT2M4nVKtio27hc+adZ zl6ncfYpQ8BZsUgkQmGOvVSO3kW0aZuoNcrLZUj2CCe5xWuTpfi/xlhJEQpBIg42L9lOHlL7 scCLzEhPh+NpP3jldpXSsE07igiBNPgMIVavjRryivUSK53B5vCWK7No9Rf2V/chOgXQq2YP JVfM2cyKk2cPXWjOX9PYH46tO6znnDldjRCgFmUvqEwpWPUyWSd1ZCxYIeMIILbHJs9ckCwj T/B+Un2LzIma/eVx2Cu1Wie3ODhknauMG4VPPjinhJwu3WU3mEVBRgcWFe3rPX8gUmkVvpbK lcI4WwptaU0+UmhQ9XxUhH+p2SL1iPwQPJKGOE8rQXIwa3O7kPBVy4PTyVKb5ots8peqSEW6 2JlVujBXVRH2IB5g1rEnltIhVte4RQoEFI= IronPort-HdrOrdr: A9a23:5irozarZsBa0B7OKeAV+1UkaV5rzeYIsimQD101hICG9vPb2qy nIpoV96faaslcssR0b9OxofZPwI080lqQFhbX5X43DYOCOggLBR+tfBMnZsljd8kbFmNK1u5 0NT0FWMqyXMbEDt7eY3CCIV/A93dKA7Kekwc3az3trUEVWTpsI1XYBNu5eeXcGPzWvwvECZe Kh2vY= X-Talos-CUID: 9a23:8pXcJG3HKYBLo1LRg8llGLxfH98cd13/lWXpO0qjMnxuSZHFRlGz5/Yx X-Talos-MUID: 9a23:mAGrHAqHA64b6WHeLQwezxo/M8FF7ImNNB8mm5tckO6eB3Z/FTjI2Q== X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.24,200,1774310400"; d="scan'208";a="485126916" Received: from rcdn-l-core-09.cisco.com ([173.37.255.146]) by rcdn-iport-8.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 12 Jun 2026 12:18:25 +0000 Received: from sjc-ads-20495.cisco.com (sjc-ads-20495.cisco.com [171.70.188.248]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-09.cisco.com (Postfix) with ESMTPS id 24AC518000233; Fri, 12 Jun 2026 12:18:25 +0000 (GMT) Received: by sjc-ads-20495.cisco.com (Postfix, from userid 1877012) id 9DD99CBF202; Fri, 12 Jun 2026 05:18:24 -0700 (PDT) From: "Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Cc: xe-linux-external@cisco.com, Ashishkumar Parmar Subject: [OE-core][scarthgap][PATCH 2/3] qemu: Fix CVE-2026-0665 Date: Fri, 12 Jun 2026 05:18:16 -0700 Message-ID: <20260612121820.2298565-2-asparmar@cisco.com> X-Mailer: git-send-email 2.44.1 In-Reply-To: <20260612121820.2298565-1-asparmar@cisco.com> References: <20260612121820.2298565-1-asparmar@cisco.com> MIME-Version: 1.0 X-Auto-Response-Suppress: DR, OOF, AutoReply X-Outbound-Client-TLS: VERIFIED;sjc-ads-20495.cisco.com [171.70.188.248];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 171.70.188.248, sjc-ads-20495.cisco.com X-Outbound-Node: rcdn-l-core-09.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 12 Jun 2026 12:18:40 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238612 From: Ashishkumar Parmar This patch applies the upstream v10.0.8 stable backport for CVE-2026-0665. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2]. The individual backported commit links are recorded in the embedded patch headers when the fix expands to multiple commits. [1] https://gitlab.com/qemu-project/qemu/-/commit/4ba877461e6b1a8637b15ff1a8c77ba97639c927 [2] https://access.redhat.com/security/cve/CVE-2026-0665 Signed-off-by: Ashishkumar Parmar --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2026-0665.patch | 38 +++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 26d10991a7..3b5146e981 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -47,6 +47,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://0002-python-backport-avoid-creating-additional-event-loop.patch \ file://CVE-2025-14876_p1.patch \ file://CVE-2025-14876_p2.patch \ + file://CVE-2026-0665.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch b/meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch new file mode 100644 index 0000000000..9264ba38cc --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch @@ -0,0 +1,38 @@ +From 91e98ce0a879010ef5b5ab5778cc71c0e9e92a57 Mon Sep 17 00:00:00 2001 +From: Vulnerability Report +Date: Fri, 9 Jan 2026 10:35:48 +0800 +Subject: [PATCH] hw/i386/kvm: fix PIRQ bounds check in xen_physdev_map_pirq() + +Reject pirq == s->nr_pirqs in xen_physdev_map_pirq(). + +CVE: CVE-2026-0665 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/4ba877461e6b1a8637b15ff1a8c77ba97639c927] + +Fixes: aa98ee38a5 ("hw/xen: Implement emulated PIRQ hypercall support") +Fixes: CVE-2026-0665 +Reported-by: DARKNAVY (@DarkNavyOrg) +Reviewed-by: David Woodhouse +Signed-off-by: Vulnerability Report +Link: https://lore.kernel.org/r/13FE03BE60EA78D6+20260109023548.4047-1-vr@darknavy.com +Signed-off-by: Paolo Bonzini +(cherry picked from commit c7504ba2a560fd884557f6e5142f03b491aad0c7) +Signed-off-by: Michael Tokarev +(cherry picked from commit 4ba877461e6b1a8637b15ff1a8c77ba97639c927) +Signed-off-by: Ashishkumar Parmar +--- + hw/i386/kvm/xen_evtchn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/i386/kvm/xen_evtchn.c b/hw/i386/kvm/xen_evtchn.c +index 02b8cbf8d..5a1ad3782 100644 +--- a/hw/i386/kvm/xen_evtchn.c ++++ b/hw/i386/kvm/xen_evtchn.c +@@ -1843,7 +1843,7 @@ int xen_physdev_map_pirq(struct physdev_map_pirq *map) + return pirq; + } + map->pirq = pirq; +- } else if (pirq > s->nr_pirqs) { ++ } else if (pirq >= s->nr_pirqs) { + return -EINVAL; + } else { + /* From patchwork Fri Jun 12 12:18:17 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 89917 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 97888CD98CE for ; Fri, 12 Jun 2026 12:18:40 +0000 (UTC) Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.69120.1781266706209870303 for ; Fri, 12 Jun 2026 05:18:26 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=PrraaQDZ; spf=pass (domain: cisco.com, ip: 173.37.86.73, mailfrom: asparmar@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=3361; q=dns/txt; s=iport01; t=1781266706; x=1782476306; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=JR2C+eSvl0w5Sp5RSFjrc+twQ4f9ZVIWBCXXEfVyjWA=; b=PrraaQDZH2bhZixfsqmMiOGRrRRI6QA0tjiqEht1e75Hr3Jo1FxwJJMI m3u0cEKouUd59eINHRgl4qiX85axggkJL+qw2aXoiBUOYwUfMZ65Rv8Uw Nf3Dy64NzT+sR31FBnJHZCqp7NJ/WYb9vM8B/MZT6Jzs5HaM5PZRgCAd1 rZ3oQj2E2L3QU6UrzQXOaC2UcRpDzErwh6OCnRFdxBezI3YcQQAQlSuH4 uuwJ4Bwj2EAe/fAuYLWbo3LSNUIjDzr4yX/RcxULY6iTKEWdRUuhvs9wD +JrpopiVX69v7i3L7RNZO+4J2/7vMR/nvHQwH8esL2Y18RKr1TcBt13eF g==; X-CSE-ConnectionGUID: fElPrjO0S7aWn2UY54l43g== X-CSE-MsgGUID: 49EguB1aRRyTiykEqZJb4Q== X-IPAS-Result: A0BJAgDf9ytq/4r/Ja1aglmCV3RfQkkDlkgDi2SSNxSBag8BAQEPRA0EAQGFBgKNQAImNAkOAQIEAwIDAQEBAQEBAQEBAQELAQEFAQEBAgEHBYEOE4ZPDYZaAQIBAycLAUYQHAMBAhYZIAsjCBmDAgGCOgM2AgERskYaN4F5M4EBg1oFCQJDUNhJDYJWAQUGFAEFgTOFP4J8hSNbGAGEfCcbG4FyhH6BBYEaQgWBFoEGhgYEgiKBDIFdHoIuggqKM0iBHgNZLAFVEw0KCwcFgWYDNRIqFW4yHYEjPheBDBsHBYFKgStqgQOFDSMfAzl/gXSBKGdpFTA1gQEBERIDCxgNSBEsNxQbBD5uB4xCFw+CHiABgQ0BK3uBGRildqAecQoog3WMIY8+hXwaM4QElBeSUZkIjgqECZErgRyEaIFoPIFZcBWDIlMZD1aNYoNrhRPCfiQ1CwMvAQEHAgcOAwuBaJF9AQE IronPort-Data: A9a23:Qt/Fi6j6Jb41FVvDrbMLpKkbX161MREKZh0ujC45NGQN5FlHY01je htvXGzSOvuDN2rzc9gkb4TlpEhX65TSzNFlTwpr+X1jRntjpJueD7x1DKtf0wB+jyHnZBg6h ynLQoCYdKjYdleF+FH1dOOn9SUgvU2xbuKUIPbePSxsThNTRi4kiBZy88Y0mYcAbeKRW2thg vus5ZeDULOZ82QsaDxMtfvZ8EoHUMna4Vv0gHRvPZing3eG/5UlJMp3Db28KXL+Xr5VEoaSL 87fzKu093/u5BwkDNWoiN7TKiXmlZaLYGBiIlIPM0STqkAqSh4ai87XB9JAAatjsAhlqvgqo Dl7WTNcfi9yVkHEsLx1vxC1iEiSN4UekFPMCSDXXcB+UyQqflO0q8iCAn3aMqUW1+JPG2Npr cdHIQ8LNC2y2r6ynOm0H7wEasQLdKEHPasFsX1miDWcBvE8TNWbGuPB5MRT23E7gcUm8fT2P pVCL2EwKk6dPlsWYQd/5JEWxI9EglH2aCVRslecv4I84nPYy0p6172F3N/9JoPbGJ0EwB/Cz o7A1zioLx4HHoWW8wCUznO9hcLWrwHxBLtHQdVU8dYv2jV/3Fc7DwUbU1a+q/S1hkOyHtlYM UE8/is1sbN081SmSNT4VRC0rHOI+BkGVLJt//YS8gqBzO/Qpg2eHGVBFmcHY909v8hwTjsvv rOUo+7U6fVUmOX9YRqgGn2891te5QB9wbc+WBI5 IronPort-HdrOrdr: A9a23:glb8nq17F2kqDbvDBU9VSwqjBGokLtp133Aq2lEZdPWaSKOlfq eV7ZMmPHDP6Qr5NEtMpTnEAtjjfZq+z+8Q3WByB9eftWDd0QPCRr2Kr7GSpgEIcBeRygcy78 tdmoFFebvN5CBB/KXHyTj9Nco8y9+a963tr+Lfw3BxCTxOUchbnn5E4sLxKDwMeOGAbqBJbK ah2g== X-Talos-CUID: 9a23:RoG6k2lRhnejkJM74kDZ6PPrW+jXOXPwyE/KIWjgMjlgd7vPdG7NpKc4yMU7zg== X-Talos-MUID: 9a23:K1HHmgQnzUh17oZ7RXSw1RxtKe0x6p6UGXwMgJYrovumP3BJbmI= X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.24,200,1774310400"; d="scan'208";a="479509612" Received: from rcdn-l-core-01.cisco.com ([173.37.255.138]) by rcdn-iport-2.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 12 Jun 2026 12:18:25 +0000 Received: from sjc-ads-20495.cisco.com (sjc-ads-20495.cisco.com [171.70.188.248]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-01.cisco.com (Postfix) with ESMTPS id 2B7D218000307; Fri, 12 Jun 2026 12:18:25 +0000 (GMT) Received: by sjc-ads-20495.cisco.com (Postfix, from userid 1877012) id B4662CBF203; Fri, 12 Jun 2026 05:18:24 -0700 (PDT) From: "Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Cc: xe-linux-external@cisco.com, Ashishkumar Parmar Subject: [OE-core][scarthgap][PATCH 3/3] qemu: Fix CVE-2026-2243 Date: Fri, 12 Jun 2026 05:18:17 -0700 Message-ID: <20260612121820.2298565-3-asparmar@cisco.com> X-Mailer: git-send-email 2.44.1 In-Reply-To: <20260612121820.2298565-1-asparmar@cisco.com> References: <20260612121820.2298565-1-asparmar@cisco.com> MIME-Version: 1.0 X-Auto-Response-Suppress: DR, OOF, AutoReply X-Outbound-Client-TLS: VERIFIED;sjc-ads-20495.cisco.com [171.70.188.248];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 171.70.188.248, sjc-ads-20495.cisco.com X-Outbound-Node: rcdn-l-core-01.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 12 Jun 2026 12:18:40 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238613 From: Ashishkumar Parmar This patch applies the upstream v10.0.9 stable backport for CVE-2026-2243. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2]. The individual backported commit links are recorded in the embedded patch headers when the fix expands to multiple commits. [1] https://gitlab.com/qemu-project/qemu/-/commit/37ff880a1252de304985c7e8493765014012ed2f [2] https://access.redhat.com/security/cve/CVE-2026-2243 Signed-off-by: Ashishkumar Parmar --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2026-2243.patch | 45 +++++++++++++++++++ 2 files changed, 46 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2026-2243.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 3b5146e981..9357a8c6f0 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -48,6 +48,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2025-14876_p1.patch \ file://CVE-2025-14876_p2.patch \ file://CVE-2026-0665.patch \ + file://CVE-2026-2243.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2026-2243.patch b/meta/recipes-devtools/qemu/qemu/CVE-2026-2243.patch new file mode 100644 index 0000000000..f67dae85dc --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2026-2243.patch @@ -0,0 +1,45 @@ +From 8480e4b3718302e7f63efb87e07720f70509c8c7 Mon Sep 17 00:00:00 2001 +From: "Halil Oktay (oblivionsage)" +Date: Tue, 10 Feb 2026 13:33:25 +0100 +Subject: [PATCH] block/vmdk: fix OOB read in vmdk_read_extent() + +Bounds check for marker.size doesn't account for the 12-byte marker +header, allowing zlib to read past the allocated buffer. + +Move the check inside the has_marker block and subtract the marker size. + +CVE: CVE-2026-2243 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/37ff880a1252de304985c7e8493765014012ed2f] + +Fixes: CVE-2026-2243 +Reported-by: Halil Oktay (oblivionsage) +Signed-off-by: Halil Oktay (oblivionsage) +Reviewed-by: Kevin Wolf +Signed-off-by: Kevin Wolf +(cherry picked from commit cfda94eddb6c9c49b66461c950b22845a46a75c9) +Signed-off-by: Michael Tokarev +(cherry picked from commit 37ff880a1252de304985c7e8493765014012ed2f) +Signed-off-by: Ashishkumar Parmar +--- + block/vmdk.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/block/vmdk.c b/block/vmdk.c +index d6971c706..7f63d0947 100644 +--- a/block/vmdk.c ++++ b/block/vmdk.c +@@ -1949,10 +1949,10 @@ vmdk_read_extent(VmdkExtent *extent, int64_t cluster_offset, + marker = (VmdkGrainMarker *)cluster_buf; + compressed_data = marker->data; + data_len = le32_to_cpu(marker->size); +- } +- if (!data_len || data_len > buf_bytes) { +- ret = -EINVAL; +- goto out; ++ if (!data_len || data_len > buf_bytes - sizeof(VmdkGrainMarker)) { ++ ret = -EINVAL; ++ goto out; ++ } + } + ret = uncompress(uncomp_buf, &buf_len, compressed_data, data_len); + if (ret != Z_OK) {