From: "Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)" <asparmar@cisco.com>
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, to@cisco.com,
Ashishkumar Parmar <asparmar@cisco.com>
Subject: [OE-core][wrynose][PATCH 2/3] qemu: Fix CVE-2026-0665
Date: Mon, 29 Jun 2026 05:44:30 -0700 [thread overview]
Message-ID: <20260629124431.2000781-2-asparmar@cisco.com> (raw)
In-Reply-To: <20260629124431.2000781-1-asparmar@cisco.com>
From: Ashishkumar Parmar <asparmar@cisco.com>
This patch applies the upstream stable-10.2 backport for CVE-2026-0665.
The upstream fix commit is referenced in [1], and the public CVE advisory
is referenced in [2].
[1] https://gitlab.com/qemu-project/qemu/-/commit/058e1774d678031ec207441a51efcf8ae94cc6af
[2] https://github.com/advisories/GHSA-4pq4-6gr5-cr69
Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2026-0665.patch | 38 +++++++++++++++++++
2 files changed, 39 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 1d493ee1a3..518ef69789 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -38,6 +38,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://qemu-guest-agent.udev \
file://CVE-2024-6519.patch \
file://CVE-2026-2243.patch \
+ file://CVE-2026-0665.patch \
"
# file index at download.qemu.org isn't reliable: https://gitlab.com/qemu-project/qemu-web/-/issues/9
UPSTREAM_CHECK_URI = "https://www.qemu.org"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch b/meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch
new file mode 100644
index 0000000000..ed8623c225
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch
@@ -0,0 +1,38 @@
+From 77705f3f91dc1ede803228a0eaf4593103466e3a Mon Sep 17 00:00:00 2001
+From: Vulnerability Report <vr@darknavy.com>
+Date: Fri, 9 Jan 2026 10:35:48 +0800
+Subject: [PATCH] hw/i386/kvm: fix PIRQ bounds check in xen_physdev_map_pirq()
+
+Reject pirq == s->nr_pirqs in xen_physdev_map_pirq().
+
+CVE: CVE-2026-0665
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/058e1774d678031ec207441a51efcf8ae94cc6af]
+
+Fixes: aa98ee38a5 ("hw/xen: Implement emulated PIRQ hypercall support")
+Fixes: CVE-2026-0665
+Reported-by: DARKNAVY (@DarkNavyOrg) <vr@darknavy.com>
+Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
+Signed-off-by: Vulnerability Report <vr@darknavy.com>
+Link: https://lore.kernel.org/r/13FE03BE60EA78D6+20260109023548.4047-1-vr@darknavy.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit c7504ba2a560fd884557f6e5142f03b491aad0c7)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(cherry picked from commit 058e1774d678031ec207441a51efcf8ae94cc6af)
+Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
+---
+ hw/i386/kvm/xen_evtchn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/i386/kvm/xen_evtchn.c b/hw/i386/kvm/xen_evtchn.c
+index dd566c496..173e0818c 100644
+--- a/hw/i386/kvm/xen_evtchn.c
++++ b/hw/i386/kvm/xen_evtchn.c
+@@ -1877,7 +1877,7 @@ int xen_physdev_map_pirq(struct physdev_map_pirq *map)
+ return pirq;
+ }
+ map->pirq = pirq;
+- } else if (pirq > s->nr_pirqs) {
++ } else if (pirq >= s->nr_pirqs) {
+ return -EINVAL;
+ } else {
+ /*
--
2.35.6
next prev parent reply other threads:[~2026-06-29 12:44 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-29 12:44 [OE-core][wrynose][PATCH 1/3] qemu: Fix CVE-2026-2243 Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 12:44 ` Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco) [this message]
2026-06-29 12:44 ` [OE-core][wrynose][PATCH 3/3] qemu: Fix CVE-2025-14876 Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260629124431.2000781-2-asparmar@cisco.com \
--to=asparmar@cisco.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=to@cisco.com \
--cc=xe-linux-external@cisco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.