From patchwork Mon Jun 29 12:44:29 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 91264 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8244BC43602 for ; Mon, 29 Jun 2026 12:44:44 +0000 (UTC) Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.36700.1782737079026797088 for ; Mon, 29 Jun 2026 05:44:39 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=iz8fP2jZ; spf=pass (domain: cisco.com, ip: 173.37.86.74, mailfrom: asparmar@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=3314; q=dns/txt; s=iport01; t=1782737079; x=1783946679; h=from:to:cc:subject:date:message-id:mime-version: content-transfer-encoding; bh=xpJmEdHeWbCEndKx61xjty1JKEXwSAsupop1yyxVIbQ=; b=iz8fP2jZLNnOClx1tOHoQYfM7TlEz6WqmVBrH8F23K71FYEPRGJ9qu79 Bg3H1k1pnr1kPtQh53KJy8yD0Xz9imOLnpyl/MFPyXIHki6C+dr19umRH 9/H0eLp8dfijBCb7u1BnEJk22yxNxs2An9hW12QMEjie9SambO23GGLtH lqIhzJPKZ4dFxJ00v34yLeKAmY1m7whgEjjm6I6utL6H4Xk2d0xocUNJs EPyCGGnoDr1YFqUZ1WCrnzhDH4ChJC6hJzdt652uQ4JUinpApixcc2zf/ xUDBxWhlS74sq6HONr/DJ0Oxh8cbUk8SgUmOaecvizv0qcnch6wuYZxCF A==; X-CSE-ConnectionGUID: z0LJuR+xRL+03Lph4GucCg== X-CSE-MsgGUID: Zm+lRIn8RMqlDOuZUFc29w== X-IPAS-Result: A0BFAgA6aEJq/4z/Ja1aglmCV3RfQkmWS4tnkjcUgWoPAQEBD0QNBAEBhQaNTQImNAkOAQIEAwIDAQEBAQEBAQEBAQELAQEFAQEBAgEHBYEOE4ZPDYZaAQIBKgsBRiwDAQIWOQsjIYMCAYI6AzYCARG2Kho3gXkzgQGEfdhJDYJWAQsUAQWBM4U/gnyFI1sYAYR8JxsbgXKBFYNpgQWBGkICA4EWgQaGBgSCIoEMgVoegXqCCIEYiXdIgR4DWSwBVRMNCgsHBYFmAzUSKhVuMh2BIz4XgQwbBwWBHYFpgQSEfSMfAzl/gTB1WGYVMDWBAgERHgqBUicDCxgNSBEsNxQbBD5uB4xeFw+CHSABgQ0BKyKBcqYOoB5xCiiDdYwhjz6FfBozhASBV5JAklGZCI4KhAmSR4RogWg8gVlwFYMiCUoZD444g2uFE8J3JDULMgEBBwIHDgMLgWiRfQEB IronPort-Data: A9a23:7kiLT6v/iEjud0ISeTw/XCDQL+fnVAdfMUV32f8akzHdYApBsoF/q tZmKT3UP/6NYzf2fo10O9y3/UgG7JaByNM1SgdkqioyFCsUgMeUXt7xwmUckM+xwmwvaGo9s q3yv/GZdJhcokf0/0nrav666yEgiclkf5KkYMbcICd9WAR4fykojBNnioYRj5Vh6TSDK1vlV eja/YuFZDdJ5xYuajhKs/zZ+Es11BjPkGpwUmIWNKgjUGD2zxH5PLpHTYmtIn3xRJVjH+LSb 47r0LGj82rFyAwmA9Wjn6yTWhVirmn6ZFXmZtJ+AsBOszAazsAA+v9T2Mk0NS+7vw60c+VZk 72hg3AfpTABZcUgkMxFO/VR/roX0aduoNcrKlDn2SCfItGvn3bEm51T4E8K0YIw6L5TI3x0t uwiDHNVNTSbh76Z3bmQRbw57igjBJGD0II3oHpsy3TdSP0hW52GG/6M7t5D1zB2jcdLdRrcT 5NGMnw0M1KaPkAJYwtPYH49tL/Aan3XeiZAoUiQrLAf6GnIxws327/oWDbQUoHSH5gIxBnD/ goq+UzLB1IeDv2ZmQCg63aAofL9oA3wAtMNQejQGvlCxQf7KnYoIBoOWF22pPO0hkKzV5dUL FYZ0i4vtrQpskuzQ9/wWhe1rHKJslgbQdU4LgEhwBuGxqyR50OSAXIJC2YaLtcnr8QxAzct0 zdlgu/UONCmi5XNIVr1y1tehWra1fQ9RYPaWRI5cA== IronPort-HdrOrdr: A9a23:8htFVq+bRx5AoFTB7tluk+D0I+orL9Y04lQ7vn2ZhyY7TiX+rb HKoB11737JYVoqNU3I+urwWpVoP0m9yXcd2+B4Vt2ftWLd1ldAQrsP0WLK+UyFJ8SHzJ8/6Y 5QN45jFdb3EV92yez+4AW+DpIc5ePvytHOuQ8bpE0dND2DrMpbnmFENjo= X-Talos-CUID: 9a23:kM1PXG4guxg66tvSMtss5hYwON0fMW3n6DSIeGugCTpGVba+RgrF X-Talos-MUID: 9a23:KShrQQ5hot4JzoO/X99KQT+oxoxa5ueqMmELwa8jos2oEjFCBhmW1mWoF9o= X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.24,231,1774310400"; d="scan'208";a="502552730" Received: from rcdn-l-core-03.cisco.com ([173.37.255.140]) by rcdn-iport-3.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 29 Jun 2026 12:44:38 +0000 Received: from sjc-ads-20495.cisco.com (sjc-ads-20495.cisco.com [171.70.188.248]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-03.cisco.com (Postfix) with ESMTPS id 00989180005A1; Mon, 29 Jun 2026 12:44:38 +0000 (GMT) Received: by sjc-ads-20495.cisco.com (Postfix, from userid 1877012) id 9D1DFCC124B; Mon, 29 Jun 2026 05:44:37 -0700 (PDT) From: "Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Cc: xe-linux-external@cisco.com, to@cisco.com, Ashishkumar Parmar Subject: [OE-core][wrynose][PATCH 1/3] qemu: Fix CVE-2026-2243 Date: Mon, 29 Jun 2026 05:44:29 -0700 Message-Id: <20260629124431.2000781-1-asparmar@cisco.com> X-Mailer: git-send-email 2.35.6 MIME-Version: 1.0 X-Auto-Response-Suppress: DR, OOF, AutoReply X-Outbound-Client-TLS: VERIFIED;sjc-ads-20495.cisco.com [171.70.188.248];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 171.70.188.248, sjc-ads-20495.cisco.com X-Outbound-Node: rcdn-l-core-03.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Jun 2026 12:44:44 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239769 From: Ashishkumar Parmar This patch applies the upstream stable-10.2 backport for CVE-2026-2243. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2]. [1] https://gitlab.com/qemu-project/qemu/-/commit/86b5130fefbe476f3c0a85b9e136f9e3fd518689 [2] https://github.com/advisories/GHSA-cw9w-w7fx-35q6 Signed-off-by: Ashishkumar Parmar --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2026-2243.patch | 45 +++++++++++++++++++ 2 files changed, 46 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2026-2243.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 4b6c2252b7..1d493ee1a3 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -37,6 +37,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://qemu-guest-agent.init \ file://qemu-guest-agent.udev \ file://CVE-2024-6519.patch \ + file://CVE-2026-2243.patch \ " # file index at download.qemu.org isn't reliable: https://gitlab.com/qemu-project/qemu-web/-/issues/9 UPSTREAM_CHECK_URI = "https://www.qemu.org" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2026-2243.patch b/meta/recipes-devtools/qemu/qemu/CVE-2026-2243.patch new file mode 100644 index 0000000000..bb2cb63b91 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2026-2243.patch @@ -0,0 +1,45 @@ +From 1633b8cd69483ed6c481aa596d3c760c09257c27 Mon Sep 17 00:00:00 2001 +From: "Halil Oktay (oblivionsage)" +Date: Tue, 10 Feb 2026 13:33:25 +0100 +Subject: [PATCH] block/vmdk: fix OOB read in vmdk_read_extent() + +Bounds check for marker.size doesn't account for the 12-byte marker +header, allowing zlib to read past the allocated buffer. + +Move the check inside the has_marker block and subtract the marker size. + +CVE: CVE-2026-2243 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/86b5130fefbe476f3c0a85b9e136f9e3fd518689] + +Fixes: CVE-2026-2243 +Reported-by: Halil Oktay (oblivionsage) +Signed-off-by: Halil Oktay (oblivionsage) +Reviewed-by: Kevin Wolf +Signed-off-by: Kevin Wolf +(cherry picked from commit cfda94eddb6c9c49b66461c950b22845a46a75c9) +Signed-off-by: Michael Tokarev +(cherry picked from commit 86b5130fefbe476f3c0a85b9e136f9e3fd518689) +Signed-off-by: Ashishkumar Parmar +--- + block/vmdk.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/block/vmdk.c b/block/vmdk.c +index 89e89cd10..cd8b4ec7c 100644 +--- a/block/vmdk.c ++++ b/block/vmdk.c +@@ -1951,10 +1951,10 @@ vmdk_read_extent(VmdkExtent *extent, int64_t cluster_offset, + marker = (VmdkGrainMarker *)cluster_buf; + compressed_data = marker->data; + data_len = le32_to_cpu(marker->size); +- } +- if (!data_len || data_len > buf_bytes) { +- ret = -EINVAL; +- goto out; ++ if (!data_len || data_len > buf_bytes - sizeof(VmdkGrainMarker)) { ++ ret = -EINVAL; ++ goto out; ++ } + } + ret = uncompress(uncomp_buf, &buf_len, compressed_data, data_len); + if (ret != Z_OK) { From patchwork Mon Jun 29 12:44:30 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 91266 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 88A71C43638 for ; Mon, 29 Jun 2026 12:44:44 +0000 (UTC) Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.36701.1782737079056422195 for ; Mon, 29 Jun 2026 05:44:39 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=ZC4WX+Z+; spf=pass (domain: cisco.com, ip: 173.37.86.75, mailfrom: asparmar@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=3083; q=dns/txt; s=iport01; t=1782737079; x=1783946679; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=7Y0g9w4yo0um5MdLyZs4/e0LsStvKlFvu6Pg0VhefK8=; b=ZC4WX+Z+nl4kotmmEJ+FgdY8i1G9jyKxWIrB6yBORiExjrTHte6RpRSO tyikJjqfKuzv7cfK3u6xsoDcf0NNFGyRSZ4UMqv/TbsobSUT7qvqCW2s7 XhnT+0lK+0GNo7lnXBxTnmzooZAfSHLxS0yu6mfzyrL53XSKdzy1toN2K fcl+3JWrwuUy03ZY+xphw00Neg2Hrj8oWY1fsZ1FaLRHaVMpvvzUMCUau Kd2E1cAHMyGZlE8QpOWJ2xrudjei3SJwte8A1RVPoKJICd9TVoUHi3Zqa uRG6nXnmcrPcO/Soqnzw1UI3FazUJ+Q1YyaR6INYuVh1rErgaG8f1Prlt A==; X-CSE-ConnectionGUID: z37uPiTBTUeLi+BgQad6EQ== X-CSE-MsgGUID: WZFqfYgEQGG2qgPWbhsP6Q== X-IPAS-Result: A0BGAgBFZ0Jq/4r/Ja1aglmCV3RfQkmWSwOeG4F+DwEBAQ9EDQQBAYUGAo1LAiY0CQ4BAgQDAgMBAQEBAQEBAQEBAQsBAQUBAQECAQcFgQ4Thk8NhloBAgEDJwsBRhAcAwECLysjCBmDAgGCcwIBEQa2MBo3gXkzgQGEfdssAQsUAQWBM4U/iB9bGAGEfCcbG4FygRWDaYEFgVwCA4Ekhn4EgiKBDIFaHoF6ggiBGIl3SIEeA1ksAVUTDQoLBwWBZgM1EioVbjIdgSM+F4EMGwcFgR2BaYEEhH0jHwM5f4EwdVhmFTA1gQIBER4KgVInAwsYDUgRLDcUGwQ+bgeMXhcPgWlUAYENASsiLoFEKaVloQ8KKIN1jCGVOhozhVulEZkIjgqWUIRogWg8gVlwFYMiCQpAGQ+OOINrhRPCcSQ1AgEIMgEBBwIHDgMLgWiQAIF9AQE IronPort-Data: A9a23:492hfKpohYdFyP4WMsjuulViQVleBmJJZBIvgKrLsJaIsI4StFCzt garIBnQPazeM2bxLd8nPtnl9BkFvZSDzd5lSQNr/nw3RX4S+ePIVI+TRqvS04x+DSFioGZPt Zh2hgzodZhsJpPkjk7zdOCn9j8kif3gqoPUUIbsIjp2SRJvVBAvgBdin/9RqoNziLBVOSvV0 T/Ji5OZYgPNNwJcaDpOtfrd8kM35pwehRtB1rAATaET1LPhvyF94KI3fcmZM3b+S49IKe+2L 86r5K255G7Q4yA2AdqjlLvhGmVSKlIFFVHT4pb+c/HKbilq/kTe4I5iXBYvQRs/ZwGyojxE4 I4lWapc5useFvakdOw1C3G0GszlVEFM0OevzXOX6aR/w6BaGpfh660GMa04AWEX0vQsXnx29 MAyFA0AShHAre2Pyb7lZ9A506zPLOGzVG8ekmtrwTecCbMtRorOBv2To9RZxzw3wMtJGJ4yZ eJANmEpN0uGOUASfA5MWPrSn8/w7pX7WzRDsFuPoKMty2PS1wd2lrPqNbI5f/TXHZ8MxBjA9 z+uE2LRPSM0LdKuxhe83V32n+D3oin7Q7pMLejtnhJtqBjJroAJMzURTVa9rPyzh0KyVt4aI EsO9wIqrLMu7wqsVtT7UhiyrXKIsxJaXMBfe9DW8ymXwabSpgLcDW8eQ3sZMZottdQ9Qnoh0 Vrhc87VOAGDeYa9ERq1nop4ZxvoUcTJBQfuvRM5cDY= IronPort-HdrOrdr: A9a23:T8BsJat+5ejgqvzOPTMjvhqT7skDrtV00zEX/kB9WHVpmwKj+P xG+85rsiMc5wxxZJhNo7290ey7MBHhHP1OkO0s1MmZPDUO0VHAROoJ0WKh+UyEJ8SUzIBgPM lbH5SWIeeAa2SS9fyKgzWQIpIH3MSN9ryuiKP1yndgShwvVoRbhj0Jczpy1iZNNXJ77V1TLu vl2vZ6 X-Talos-CUID: 9a23:Y/Nnvmies3Q7bnGwgyRgG6jI/jJuYCaC0U/RH2WENGtNSf6/RmaZ9P1Jqp87 X-Talos-MUID: 9a23:OnzpZgRky5ugA3jkRXTTth97OvZnzp2BJxoUnq05scmfDXJJbmI= X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.24,231,1774310400"; d="scan'208";a="502126095" Received: from rcdn-l-core-01.cisco.com ([173.37.255.138]) by rcdn-iport-4.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 29 Jun 2026 12:44:38 +0000 Received: from sjc-ads-20495.cisco.com (sjc-ads-20495.cisco.com [171.70.188.248]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-01.cisco.com (Postfix) with ESMTPS id 027B4180001C2; Mon, 29 Jun 2026 12:44:38 +0000 (GMT) Received: by sjc-ads-20495.cisco.com (Postfix, from userid 1877012) id 9F16ECC1611; Mon, 29 Jun 2026 05:44:37 -0700 (PDT) From: "Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Cc: xe-linux-external@cisco.com, to@cisco.com, Ashishkumar Parmar Subject: [OE-core][wrynose][PATCH 2/3] qemu: Fix CVE-2026-0665 Date: Mon, 29 Jun 2026 05:44:30 -0700 Message-Id: <20260629124431.2000781-2-asparmar@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260629124431.2000781-1-asparmar@cisco.com> References: <20260629124431.2000781-1-asparmar@cisco.com> MIME-Version: 1.0 X-Auto-Response-Suppress: DR, OOF, AutoReply X-Outbound-Client-TLS: VERIFIED;sjc-ads-20495.cisco.com [171.70.188.248];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 171.70.188.248, sjc-ads-20495.cisco.com X-Outbound-Node: rcdn-l-core-01.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Jun 2026 12:44:44 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239770 From: Ashishkumar Parmar This patch applies the upstream stable-10.2 backport for CVE-2026-0665. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2]. [1] https://gitlab.com/qemu-project/qemu/-/commit/058e1774d678031ec207441a51efcf8ae94cc6af [2] https://github.com/advisories/GHSA-4pq4-6gr5-cr69 Signed-off-by: Ashishkumar Parmar --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2026-0665.patch | 38 +++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 1d493ee1a3..518ef69789 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -38,6 +38,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://qemu-guest-agent.udev \ file://CVE-2024-6519.patch \ file://CVE-2026-2243.patch \ + file://CVE-2026-0665.patch \ " # file index at download.qemu.org isn't reliable: https://gitlab.com/qemu-project/qemu-web/-/issues/9 UPSTREAM_CHECK_URI = "https://www.qemu.org" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch b/meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch new file mode 100644 index 0000000000..ed8623c225 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch @@ -0,0 +1,38 @@ +From 77705f3f91dc1ede803228a0eaf4593103466e3a Mon Sep 17 00:00:00 2001 +From: Vulnerability Report +Date: Fri, 9 Jan 2026 10:35:48 +0800 +Subject: [PATCH] hw/i386/kvm: fix PIRQ bounds check in xen_physdev_map_pirq() + +Reject pirq == s->nr_pirqs in xen_physdev_map_pirq(). + +CVE: CVE-2026-0665 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/058e1774d678031ec207441a51efcf8ae94cc6af] + +Fixes: aa98ee38a5 ("hw/xen: Implement emulated PIRQ hypercall support") +Fixes: CVE-2026-0665 +Reported-by: DARKNAVY (@DarkNavyOrg) +Reviewed-by: David Woodhouse +Signed-off-by: Vulnerability Report +Link: https://lore.kernel.org/r/13FE03BE60EA78D6+20260109023548.4047-1-vr@darknavy.com +Signed-off-by: Paolo Bonzini +(cherry picked from commit c7504ba2a560fd884557f6e5142f03b491aad0c7) +Signed-off-by: Michael Tokarev +(cherry picked from commit 058e1774d678031ec207441a51efcf8ae94cc6af) +Signed-off-by: Ashishkumar Parmar +--- + hw/i386/kvm/xen_evtchn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/i386/kvm/xen_evtchn.c b/hw/i386/kvm/xen_evtchn.c +index dd566c496..173e0818c 100644 +--- a/hw/i386/kvm/xen_evtchn.c ++++ b/hw/i386/kvm/xen_evtchn.c +@@ -1877,7 +1877,7 @@ int xen_physdev_map_pirq(struct physdev_map_pirq *map) + return pirq; + } + map->pirq = pirq; +- } else if (pirq > s->nr_pirqs) { ++ } else if (pirq >= s->nr_pirqs) { + return -EINVAL; + } else { + /* From patchwork Mon Jun 29 12:44:31 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 91265 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 79FBCC43458 for ; Mon, 29 Jun 2026 12:44:44 +0000 (UTC) Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.91284.1782737079052694549 for ; Mon, 29 Jun 2026 05:44:39 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=AFqy93R/; spf=pass (domain: cisco.com, ip: 173.37.86.80, mailfrom: asparmar@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=6694; q=dns/txt; s=iport01; t=1782737079; x=1783946679; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=XuOmZhhHLhEwRE1s7F9PGuC9jexV1ZGPQOkWxrnzd+w=; b=AFqy93R/oTPyiIjlNimJBh6PC6h9d1ODqglfVNwlR1gwqpntiW/4FR/I pk3peDLIUqs8JFAcqgReV8J3CJ88oP92zXM1mf+VJpL2Rd8MoCBVZsOis PLbd+LbNZnVxeFa40htOzc2AJ1q8+kBjzDTjfG+kWqgBpu9Ne/DC9v6uM pREwjAiZsTbULE+VcB/5rVdQZVt/dn20Cqy/HXurqiJJRZN2wJuVCLz2J QzrySo4tMm3/HN6M7pKFrzMNwzlt/Z4pw0NPBdp7v+FfDjxoK8nFUt/Mr LX0z8B+3HTkudu1UQatL+h/CKLk7ZLR+28DIcB7dOUOIJVXADdR6YnepX w==; X-CSE-ConnectionGUID: jgB/4ZlAQ6mtWCPqqfK0AQ== X-CSE-MsgGUID: M1ja/s26R+uiryMMaLeGfg== X-IPAS-Result: A0BoAwC3Z0Jq/43/Ja1aglmDS19CSYRXkXQDi2SSN4F+DwEBAQ9EDQQBAYUGAo1LAiY0CQ4BAgQDAgMBAQEBAQEBAQEBAQsBAQUBAQECAQcFgQ4Thk8NhloBAgEDIwQLAUYQCRMDAQIDAiYCAiALIwgQCYMCAYI6AzYCARGbQZpzGjd6fzOBAYR92EkNglcLFAEFgQUuhT+CfCABhQJbGAGDXYEfJxsbgXKBFYNpgQWBGkICA4E0AYQDgmoEgiKBDIFaHlCBKoIIgRiJd0iBAhwDWSwBVRMNCgsHBYFmAzUSKhVuMh2BIz4XNFgbBwWBHYFpgQSEfSMfAzl/gTB1WGYVMDWBAgERHgqBUicDCxgNSBEsNxQbBD0BbgeMXhcPgj2BDgErIi2BRVKSV5JloB5xCiiDdYwhjz6FfBozhVulEQuYfY4KhAmRd1CEaIFoPIFZcBWDIglKGQ+OLQsLg2CFE8J3JDULMgEBBwIHDgMLgWiQAAEngVUBAQ IronPort-Data: A9a23:yMvEAKrj9VR45eVM5AiPIMNf+wheBmJJZBIvgKrLsJaIsI4StFCzt garIBnVafeKZmL0c9EjaIqwphlVsZHdy9AwTFBvqC82RSgQo+PIVI+TRqvS04x+DSFioGZPt Zh2hgzodZhsJpPkjk7zdOCn9j8kif3gqoPUUIbsIjp2SRJvVBAvgBdin/9RqoNziLBVOSvV0 T/Ji5OZYgPNNwJcaDpOtfrd8kM35pwehRtB1rAATaET1LPhvyF94KI3fcmZM3b+S49IKe+2L 86r5K255G7Q4yA2AdqjlLvhGmVSKlIFFVHT4pb+c/HKbilq/kTe4I5iXBYvQRs/ZwGyojxE4 I4lWapc5useFvakdOw1C3G0GszlVEFM0OevzXOX6aR/w6BaGpfh660GMa04AWEX0uR4KyYSx /gxEW4Ici+ov/uvzpHjY9A506zPLOGzVG8ekmtrwTecCbMtRorOBv2Wo9RZxzw3wMtJGJ4yZ eJANmEpN0uGOUASfA5LUfrSn8/w7pX7WzRDsFuPoKMty2PS1wd2lrPqNbI5f/TXHZwMwBbF+ DuuE2LRJ0gYPZuEk2S/sW+tnP7quCrfVa0cG+jtnhJtqBjJroAJMzURTVa9rPyzh0KyVt4aI EsO9wIqrLMu7wqsVtT7UhiyrXKIsxJaXMBfe9DW8ymXwabSpgLcDW8eQ3sZNJottdQ9Qnoh0 Vrhc87VOAGDeYa9ERq1nop4ZxvrUcTJBQfuvRM5cDY= IronPort-HdrOrdr: A9a23:tcMINqGbvSJexgippLqENseALOsnbusQ8zAXPo5KJiC9Ffbo8f xG/c5rsiMc5wxxZJhNo7290ey7MBHhHP1OkO0s1MmZPDUO0VHAROoJ0WKh+UyEJ8SUzIBgPM lbH5SWIeeAdGSS9fyKgzWQIpIH3MSN9ryuiKP1yndgShwvVoRbhj0Jcjpy1iZNNXN77V1TLu vm2vZ6 X-Talos-CUID: 9a23:6gSTEmBQDbcDnrT6Eyto3glIKMQMSyPY0Ej7G1ahB0UxYYTAHA== X-Talos-MUID: 9a23:CjYRGQQNaXPvL9emRXTJ3TNrc9wyvZ7tFUEXgLAjsu2JGiJ/bmI= X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.24,231,1774310400"; d="scan'208";a="501168561" Received: from rcdn-l-core-04.cisco.com ([173.37.255.141]) by rcdn-iport-9.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 29 Jun 2026 12:44:38 +0000 Received: from sjc-ads-20495.cisco.com (sjc-ads-20495.cisco.com [171.70.188.248]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-04.cisco.com (Postfix) with ESMTPS id 05899180001A2; Mon, 29 Jun 2026 12:44:38 +0000 (GMT) Received: by sjc-ads-20495.cisco.com (Postfix, from userid 1877012) id A1475CBF202; Mon, 29 Jun 2026 05:44:37 -0700 (PDT) From: "Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Cc: xe-linux-external@cisco.com, to@cisco.com, Ashishkumar Parmar Subject: [OE-core][wrynose][PATCH 3/3] qemu: Fix CVE-2025-14876 Date: Mon, 29 Jun 2026 05:44:31 -0700 Message-Id: <20260629124431.2000781-3-asparmar@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260629124431.2000781-1-asparmar@cisco.com> References: <20260629124431.2000781-1-asparmar@cisco.com> MIME-Version: 1.0 X-Auto-Response-Suppress: DR, OOF, AutoReply X-Outbound-Client-TLS: VERIFIED;sjc-ads-20495.cisco.com [171.70.188.248];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 171.70.188.248, sjc-ads-20495.cisco.com X-Outbound-Node: rcdn-l-core-04.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Jun 2026 12:44:44 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239771 From: Ashishkumar Parmar This patch applies the upstream stable-10.2 backport for CVE-2025-14876. The upstream fix commits are referenced in [1] and [2], and the public CVE advisory is referenced in [3]. [1] https://gitlab.com/qemu-project/qemu/-/commit/2ac11c1d9370423ccdc527f9159ddd2ba4a2ea77 [2] https://gitlab.com/qemu-project/qemu/-/commit/51514aa3c2f1e072c9728c975865e0b247b2619b [3] https://github.com/advisories/GHSA-gq25-pccv-6q8j Signed-off-by: Ashishkumar Parmar --- meta/recipes-devtools/qemu/qemu.inc | 2 + .../qemu/qemu/CVE-2025-14876_p1.patch | 52 +++++++++++++++++ .../qemu/qemu/CVE-2025-14876_p2.patch | 56 +++++++++++++++++++ 3 files changed, 110 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 518ef69789..60a5c62fe9 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -39,6 +39,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2024-6519.patch \ file://CVE-2026-2243.patch \ file://CVE-2026-0665.patch \ + file://CVE-2025-14876_p1.patch \ + file://CVE-2025-14876_p2.patch \ " # file index at download.qemu.org isn't reliable: https://gitlab.com/qemu-project/qemu-web/-/issues/9 UPSTREAM_CHECK_URI = "https://www.qemu.org" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch new file mode 100644 index 0000000000..44e0b0f1a9 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch @@ -0,0 +1,52 @@ +From 1a7c7a0066f2bdb4ddb0d4f689d4949ca70bb8c4 Mon Sep 17 00:00:00 2001 +From: zhenwei pi +Date: Sun, 21 Dec 2025 10:43:20 +0800 +Subject: [PATCH] hw/virtio/virtio-crypto: verify asym request size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The total lenght of request is limited by cryptodev config, verify it +to avoid unexpected request from guest. + +CVE: CVE-2025-14876 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/2ac11c1d9370423ccdc527f9159ddd2ba4a2ea77] + +Fixes: CVE-2025-14876 +Fixes: 0e660a6f90a ("crypto: Introduce RSA algorithm") +Reported-by: 이재영 +Signed-off-by: zhenwei pi +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +Message-Id: <20251221024321.143196-2-zhenwei.pi@linux.dev> +(cherry picked from commit 91c6438caffc880e999a7312825479685d659b44) +Signed-off-by: Michael Tokarev +(cherry picked from commit 2ac11c1d9370423ccdc527f9159ddd2ba4a2ea77) +Signed-off-by: Ashishkumar Parmar +--- + hw/virtio/virtio-crypto.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c +index 517f2089c..b20f29993 100644 +--- a/hw/virtio/virtio-crypto.c ++++ b/hw/virtio/virtio-crypto.c +@@ -767,11 +767,18 @@ virtio_crypto_handle_asym_req(VirtIOCrypto *vcrypto, + uint32_t len; + uint8_t *src = NULL; + uint8_t *dst = NULL; ++ uint64_t max_len; + + asym_op_info = g_new0(CryptoDevBackendAsymOpInfo, 1); + src_len = ldl_le_p(&req->para.src_data_len); + dst_len = ldl_le_p(&req->para.dst_data_len); + ++ max_len = (uint64_t)src_len + dst_len; ++ if (unlikely(max_len > vcrypto->conf.max_size)) { ++ virtio_error(vdev, "virtio-crypto asym request is too large"); ++ goto err; ++ } ++ + if (src_len > 0) { + src = g_malloc0(src_len); + len = iov_to_buf(iov, out_num, 0, src, src_len); diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch new file mode 100644 index 0000000000..580440f900 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch @@ -0,0 +1,56 @@ +From baff597605a973ca92d57a1a728db98d9c2b680e Mon Sep 17 00:00:00 2001 +From: zhenwei pi +Date: Sun, 21 Dec 2025 10:43:21 +0800 +Subject: [PATCH] cryptodev-builtin: Limit the maximum size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This backend driver is used for demonstration purposes only, unlimited +size leads QEMU OOM. + +CVE: CVE-2025-14876 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/51514aa3c2f1e072c9728c975865e0b247b2619b] + +Fixes: CVE-2025-14876 +Fixes: 1653a5f3fc7 ("cryptodev: introduce a new cryptodev backend") +Reported-by: 이재영 +Signed-off-by: zhenwei pi +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +Message-Id: <20251221024321.143196-3-zhenwei.pi@linux.dev> +(cherry picked from commit 7b913094c703641a0442bb1d1165323a019c591c) +Signed-off-by: Michael Tokarev +(cherry picked from commit 51514aa3c2f1e072c9728c975865e0b247b2619b) +Signed-off-by: Ashishkumar Parmar +--- + backends/cryptodev-builtin.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c +index 0414c01e0..55a3fbd27 100644 +--- a/backends/cryptodev-builtin.c ++++ b/backends/cryptodev-builtin.c +@@ -53,6 +53,8 @@ typedef struct CryptoDevBackendBuiltinSession { + + #define CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN 512 + #define CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN 64 ++/* demonstration purposes only, use a limited size to avoid QEMU OOM */ ++#define CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE (1024 * 1024) + + struct CryptoDevBackendBuiltin { + CryptoDevBackend parent_obj; +@@ -98,12 +100,7 @@ static void cryptodev_builtin_init( + 1u << QCRYPTODEV_BACKEND_SERVICE_TYPE_MAC; + backend->conf.cipher_algo_l = 1u << VIRTIO_CRYPTO_CIPHER_AES_CBC; + backend->conf.hash_algo = 1u << VIRTIO_CRYPTO_HASH_SHA1; +- /* +- * Set the Maximum length of crypto request. +- * Why this value? Just avoid to overflow when +- * memory allocation for each crypto request. +- */ +- backend->conf.max_size = LONG_MAX - sizeof(CryptoDevBackendOpInfo); ++ backend->conf.max_size = CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE; + backend->conf.max_cipher_key_len = CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN; + backend->conf.max_auth_key_len = CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN; + cryptodev_builtin_init_akcipher(backend);