* [OE-core][wrynose][PATCH 1/3] qemu: Fix CVE-2026-2243
@ 2026-06-29 12:44 Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 12:44 ` [OE-core][wrynose][PATCH 2/3] qemu: Fix CVE-2026-0665 Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 12:44 ` [OE-core][wrynose][PATCH 3/3] qemu: Fix CVE-2025-14876 Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
0 siblings, 2 replies; 3+ messages in thread
From: Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-29 12:44 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, to, Ashishkumar Parmar
From: Ashishkumar Parmar <asparmar@cisco.com>
This patch applies the upstream stable-10.2 backport for CVE-2026-2243.
The upstream fix commit is referenced in [1], and the public CVE advisory
is referenced in [2].
[1] https://gitlab.com/qemu-project/qemu/-/commit/86b5130fefbe476f3c0a85b9e136f9e3fd518689
[2] https://github.com/advisories/GHSA-cw9w-w7fx-35q6
Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2026-2243.patch | 45 +++++++++++++++++++
2 files changed, 46 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2026-2243.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 4b6c2252b7..1d493ee1a3 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -37,6 +37,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://qemu-guest-agent.init \
file://qemu-guest-agent.udev \
file://CVE-2024-6519.patch \
+ file://CVE-2026-2243.patch \
"
# file index at download.qemu.org isn't reliable: https://gitlab.com/qemu-project/qemu-web/-/issues/9
UPSTREAM_CHECK_URI = "https://www.qemu.org"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2026-2243.patch b/meta/recipes-devtools/qemu/qemu/CVE-2026-2243.patch
new file mode 100644
index 0000000000..bb2cb63b91
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2026-2243.patch
@@ -0,0 +1,45 @@
+From 1633b8cd69483ed6c481aa596d3c760c09257c27 Mon Sep 17 00:00:00 2001
+From: "Halil Oktay (oblivionsage)" <cookieandcream560@gmail.com>
+Date: Tue, 10 Feb 2026 13:33:25 +0100
+Subject: [PATCH] block/vmdk: fix OOB read in vmdk_read_extent()
+
+Bounds check for marker.size doesn't account for the 12-byte marker
+header, allowing zlib to read past the allocated buffer.
+
+Move the check inside the has_marker block and subtract the marker size.
+
+CVE: CVE-2026-2243
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/86b5130fefbe476f3c0a85b9e136f9e3fd518689]
+
+Fixes: CVE-2026-2243
+Reported-by: Halil Oktay (oblivionsage) <cookieandcream560@gmail.com>
+Signed-off-by: Halil Oktay (oblivionsage) <cookieandcream560@gmail.com>
+Reviewed-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit cfda94eddb6c9c49b66461c950b22845a46a75c9)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(cherry picked from commit 86b5130fefbe476f3c0a85b9e136f9e3fd518689)
+Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
+---
+ block/vmdk.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/block/vmdk.c b/block/vmdk.c
+index 89e89cd10..cd8b4ec7c 100644
+--- a/block/vmdk.c
++++ b/block/vmdk.c
+@@ -1951,10 +1951,10 @@ vmdk_read_extent(VmdkExtent *extent, int64_t cluster_offset,
+ marker = (VmdkGrainMarker *)cluster_buf;
+ compressed_data = marker->data;
+ data_len = le32_to_cpu(marker->size);
+- }
+- if (!data_len || data_len > buf_bytes) {
+- ret = -EINVAL;
+- goto out;
++ if (!data_len || data_len > buf_bytes - sizeof(VmdkGrainMarker)) {
++ ret = -EINVAL;
++ goto out;
++ }
+ }
+ ret = uncompress(uncomp_buf, &buf_len, compressed_data, data_len);
+ if (ret != Z_OK) {
--
2.35.6
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [OE-core][wrynose][PATCH 2/3] qemu: Fix CVE-2026-0665
2026-06-29 12:44 [OE-core][wrynose][PATCH 1/3] qemu: Fix CVE-2026-2243 Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-29 12:44 ` Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 12:44 ` [OE-core][wrynose][PATCH 3/3] qemu: Fix CVE-2025-14876 Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
1 sibling, 0 replies; 3+ messages in thread
From: Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-29 12:44 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, to, Ashishkumar Parmar
From: Ashishkumar Parmar <asparmar@cisco.com>
This patch applies the upstream stable-10.2 backport for CVE-2026-0665.
The upstream fix commit is referenced in [1], and the public CVE advisory
is referenced in [2].
[1] https://gitlab.com/qemu-project/qemu/-/commit/058e1774d678031ec207441a51efcf8ae94cc6af
[2] https://github.com/advisories/GHSA-4pq4-6gr5-cr69
Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2026-0665.patch | 38 +++++++++++++++++++
2 files changed, 39 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 1d493ee1a3..518ef69789 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -38,6 +38,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://qemu-guest-agent.udev \
file://CVE-2024-6519.patch \
file://CVE-2026-2243.patch \
+ file://CVE-2026-0665.patch \
"
# file index at download.qemu.org isn't reliable: https://gitlab.com/qemu-project/qemu-web/-/issues/9
UPSTREAM_CHECK_URI = "https://www.qemu.org"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch b/meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch
new file mode 100644
index 0000000000..ed8623c225
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2026-0665.patch
@@ -0,0 +1,38 @@
+From 77705f3f91dc1ede803228a0eaf4593103466e3a Mon Sep 17 00:00:00 2001
+From: Vulnerability Report <vr@darknavy.com>
+Date: Fri, 9 Jan 2026 10:35:48 +0800
+Subject: [PATCH] hw/i386/kvm: fix PIRQ bounds check in xen_physdev_map_pirq()
+
+Reject pirq == s->nr_pirqs in xen_physdev_map_pirq().
+
+CVE: CVE-2026-0665
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/058e1774d678031ec207441a51efcf8ae94cc6af]
+
+Fixes: aa98ee38a5 ("hw/xen: Implement emulated PIRQ hypercall support")
+Fixes: CVE-2026-0665
+Reported-by: DARKNAVY (@DarkNavyOrg) <vr@darknavy.com>
+Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
+Signed-off-by: Vulnerability Report <vr@darknavy.com>
+Link: https://lore.kernel.org/r/13FE03BE60EA78D6+20260109023548.4047-1-vr@darknavy.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit c7504ba2a560fd884557f6e5142f03b491aad0c7)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(cherry picked from commit 058e1774d678031ec207441a51efcf8ae94cc6af)
+Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
+---
+ hw/i386/kvm/xen_evtchn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/i386/kvm/xen_evtchn.c b/hw/i386/kvm/xen_evtchn.c
+index dd566c496..173e0818c 100644
+--- a/hw/i386/kvm/xen_evtchn.c
++++ b/hw/i386/kvm/xen_evtchn.c
+@@ -1877,7 +1877,7 @@ int xen_physdev_map_pirq(struct physdev_map_pirq *map)
+ return pirq;
+ }
+ map->pirq = pirq;
+- } else if (pirq > s->nr_pirqs) {
++ } else if (pirq >= s->nr_pirqs) {
+ return -EINVAL;
+ } else {
+ /*
--
2.35.6
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [OE-core][wrynose][PATCH 3/3] qemu: Fix CVE-2025-14876
2026-06-29 12:44 [OE-core][wrynose][PATCH 1/3] qemu: Fix CVE-2026-2243 Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 12:44 ` [OE-core][wrynose][PATCH 2/3] qemu: Fix CVE-2026-0665 Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-29 12:44 ` Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
1 sibling, 0 replies; 3+ messages in thread
From: Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-29 12:44 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, to, Ashishkumar Parmar
From: Ashishkumar Parmar <asparmar@cisco.com>
This patch applies the upstream stable-10.2 backport for CVE-2025-14876.
The upstream fix commits are referenced in [1] and [2], and the
public CVE advisory is referenced in [3].
[1] https://gitlab.com/qemu-project/qemu/-/commit/2ac11c1d9370423ccdc527f9159ddd2ba4a2ea77
[2] https://gitlab.com/qemu-project/qemu/-/commit/51514aa3c2f1e072c9728c975865e0b247b2619b
[3] https://github.com/advisories/GHSA-gq25-pccv-6q8j
Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
---
meta/recipes-devtools/qemu/qemu.inc | 2 +
.../qemu/qemu/CVE-2025-14876_p1.patch | 52 +++++++++++++++++
.../qemu/qemu/CVE-2025-14876_p2.patch | 56 +++++++++++++++++++
3 files changed, 110 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 518ef69789..60a5c62fe9 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -39,6 +39,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2024-6519.patch \
file://CVE-2026-2243.patch \
file://CVE-2026-0665.patch \
+ file://CVE-2025-14876_p1.patch \
+ file://CVE-2025-14876_p2.patch \
"
# file index at download.qemu.org isn't reliable: https://gitlab.com/qemu-project/qemu-web/-/issues/9
UPSTREAM_CHECK_URI = "https://www.qemu.org"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch
new file mode 100644
index 0000000000..44e0b0f1a9
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch
@@ -0,0 +1,52 @@
+From 1a7c7a0066f2bdb4ddb0d4f689d4949ca70bb8c4 Mon Sep 17 00:00:00 2001
+From: zhenwei pi <pizhenwei@tensorfer.com>
+Date: Sun, 21 Dec 2025 10:43:20 +0800
+Subject: [PATCH] hw/virtio/virtio-crypto: verify asym request size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The total lenght of request is limited by cryptodev config, verify it
+to avoid unexpected request from guest.
+
+CVE: CVE-2025-14876
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/2ac11c1d9370423ccdc527f9159ddd2ba4a2ea77]
+
+Fixes: CVE-2025-14876
+Fixes: 0e660a6f90a ("crypto: Introduce RSA algorithm")
+Reported-by: 이재영 <nakamurajames123@gmail.com>
+Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Message-Id: <20251221024321.143196-2-zhenwei.pi@linux.dev>
+(cherry picked from commit 91c6438caffc880e999a7312825479685d659b44)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(cherry picked from commit 2ac11c1d9370423ccdc527f9159ddd2ba4a2ea77)
+Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
+---
+ hw/virtio/virtio-crypto.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
+index 517f2089c..b20f29993 100644
+--- a/hw/virtio/virtio-crypto.c
++++ b/hw/virtio/virtio-crypto.c
+@@ -767,11 +767,18 @@ virtio_crypto_handle_asym_req(VirtIOCrypto *vcrypto,
+ uint32_t len;
+ uint8_t *src = NULL;
+ uint8_t *dst = NULL;
++ uint64_t max_len;
+
+ asym_op_info = g_new0(CryptoDevBackendAsymOpInfo, 1);
+ src_len = ldl_le_p(&req->para.src_data_len);
+ dst_len = ldl_le_p(&req->para.dst_data_len);
+
++ max_len = (uint64_t)src_len + dst_len;
++ if (unlikely(max_len > vcrypto->conf.max_size)) {
++ virtio_error(vdev, "virtio-crypto asym request is too large");
++ goto err;
++ }
++
+ if (src_len > 0) {
+ src = g_malloc0(src_len);
+ len = iov_to_buf(iov, out_num, 0, src, src_len);
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch
new file mode 100644
index 0000000000..580440f900
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch
@@ -0,0 +1,56 @@
+From baff597605a973ca92d57a1a728db98d9c2b680e Mon Sep 17 00:00:00 2001
+From: zhenwei pi <pizhenwei@tensorfer.com>
+Date: Sun, 21 Dec 2025 10:43:21 +0800
+Subject: [PATCH] cryptodev-builtin: Limit the maximum size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This backend driver is used for demonstration purposes only, unlimited
+size leads QEMU OOM.
+
+CVE: CVE-2025-14876
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/51514aa3c2f1e072c9728c975865e0b247b2619b]
+
+Fixes: CVE-2025-14876
+Fixes: 1653a5f3fc7 ("cryptodev: introduce a new cryptodev backend")
+Reported-by: 이재영 <nakamurajames123@gmail.com>
+Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Message-Id: <20251221024321.143196-3-zhenwei.pi@linux.dev>
+(cherry picked from commit 7b913094c703641a0442bb1d1165323a019c591c)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(cherry picked from commit 51514aa3c2f1e072c9728c975865e0b247b2619b)
+Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
+---
+ backends/cryptodev-builtin.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c
+index 0414c01e0..55a3fbd27 100644
+--- a/backends/cryptodev-builtin.c
++++ b/backends/cryptodev-builtin.c
+@@ -53,6 +53,8 @@ typedef struct CryptoDevBackendBuiltinSession {
+
+ #define CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN 512
+ #define CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN 64
++/* demonstration purposes only, use a limited size to avoid QEMU OOM */
++#define CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE (1024 * 1024)
+
+ struct CryptoDevBackendBuiltin {
+ CryptoDevBackend parent_obj;
+@@ -98,12 +100,7 @@ static void cryptodev_builtin_init(
+ 1u << QCRYPTODEV_BACKEND_SERVICE_TYPE_MAC;
+ backend->conf.cipher_algo_l = 1u << VIRTIO_CRYPTO_CIPHER_AES_CBC;
+ backend->conf.hash_algo = 1u << VIRTIO_CRYPTO_HASH_SHA1;
+- /*
+- * Set the Maximum length of crypto request.
+- * Why this value? Just avoid to overflow when
+- * memory allocation for each crypto request.
+- */
+- backend->conf.max_size = LONG_MAX - sizeof(CryptoDevBackendOpInfo);
++ backend->conf.max_size = CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE;
+ backend->conf.max_cipher_key_len = CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN;
+ backend->conf.max_auth_key_len = CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN;
+ cryptodev_builtin_init_akcipher(backend);
--
2.35.6
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-06-29 12:44 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-29 12:44 [OE-core][wrynose][PATCH 1/3] qemu: Fix CVE-2026-2243 Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 12:44 ` [OE-core][wrynose][PATCH 2/3] qemu: Fix CVE-2026-0665 Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 12:44 ` [OE-core][wrynose][PATCH 3/3] qemu: Fix CVE-2025-14876 Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.