From: "Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)" <asparmar@cisco.com>
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, to@cisco.com,
Ashishkumar Parmar <asparmar@cisco.com>
Subject: [OE-core][wrynose][PATCH 3/3] qemu: Fix CVE-2025-14876
Date: Mon, 29 Jun 2026 05:44:31 -0700 [thread overview]
Message-ID: <20260629124431.2000781-3-asparmar@cisco.com> (raw)
In-Reply-To: <20260629124431.2000781-1-asparmar@cisco.com>
From: Ashishkumar Parmar <asparmar@cisco.com>
This patch applies the upstream stable-10.2 backport for CVE-2025-14876.
The upstream fix commits are referenced in [1] and [2], and the
public CVE advisory is referenced in [3].
[1] https://gitlab.com/qemu-project/qemu/-/commit/2ac11c1d9370423ccdc527f9159ddd2ba4a2ea77
[2] https://gitlab.com/qemu-project/qemu/-/commit/51514aa3c2f1e072c9728c975865e0b247b2619b
[3] https://github.com/advisories/GHSA-gq25-pccv-6q8j
Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
---
meta/recipes-devtools/qemu/qemu.inc | 2 +
.../qemu/qemu/CVE-2025-14876_p1.patch | 52 +++++++++++++++++
.../qemu/qemu/CVE-2025-14876_p2.patch | 56 +++++++++++++++++++
3 files changed, 110 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 518ef69789..60a5c62fe9 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -39,6 +39,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2024-6519.patch \
file://CVE-2026-2243.patch \
file://CVE-2026-0665.patch \
+ file://CVE-2025-14876_p1.patch \
+ file://CVE-2025-14876_p2.patch \
"
# file index at download.qemu.org isn't reliable: https://gitlab.com/qemu-project/qemu-web/-/issues/9
UPSTREAM_CHECK_URI = "https://www.qemu.org"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch
new file mode 100644
index 0000000000..44e0b0f1a9
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch
@@ -0,0 +1,52 @@
+From 1a7c7a0066f2bdb4ddb0d4f689d4949ca70bb8c4 Mon Sep 17 00:00:00 2001
+From: zhenwei pi <pizhenwei@tensorfer.com>
+Date: Sun, 21 Dec 2025 10:43:20 +0800
+Subject: [PATCH] hw/virtio/virtio-crypto: verify asym request size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The total lenght of request is limited by cryptodev config, verify it
+to avoid unexpected request from guest.
+
+CVE: CVE-2025-14876
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/2ac11c1d9370423ccdc527f9159ddd2ba4a2ea77]
+
+Fixes: CVE-2025-14876
+Fixes: 0e660a6f90a ("crypto: Introduce RSA algorithm")
+Reported-by: 이재영 <nakamurajames123@gmail.com>
+Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Message-Id: <20251221024321.143196-2-zhenwei.pi@linux.dev>
+(cherry picked from commit 91c6438caffc880e999a7312825479685d659b44)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(cherry picked from commit 2ac11c1d9370423ccdc527f9159ddd2ba4a2ea77)
+Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
+---
+ hw/virtio/virtio-crypto.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
+index 517f2089c..b20f29993 100644
+--- a/hw/virtio/virtio-crypto.c
++++ b/hw/virtio/virtio-crypto.c
+@@ -767,11 +767,18 @@ virtio_crypto_handle_asym_req(VirtIOCrypto *vcrypto,
+ uint32_t len;
+ uint8_t *src = NULL;
+ uint8_t *dst = NULL;
++ uint64_t max_len;
+
+ asym_op_info = g_new0(CryptoDevBackendAsymOpInfo, 1);
+ src_len = ldl_le_p(&req->para.src_data_len);
+ dst_len = ldl_le_p(&req->para.dst_data_len);
+
++ max_len = (uint64_t)src_len + dst_len;
++ if (unlikely(max_len > vcrypto->conf.max_size)) {
++ virtio_error(vdev, "virtio-crypto asym request is too large");
++ goto err;
++ }
++
+ if (src_len > 0) {
+ src = g_malloc0(src_len);
+ len = iov_to_buf(iov, out_num, 0, src, src_len);
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch
new file mode 100644
index 0000000000..580440f900
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch
@@ -0,0 +1,56 @@
+From baff597605a973ca92d57a1a728db98d9c2b680e Mon Sep 17 00:00:00 2001
+From: zhenwei pi <pizhenwei@tensorfer.com>
+Date: Sun, 21 Dec 2025 10:43:21 +0800
+Subject: [PATCH] cryptodev-builtin: Limit the maximum size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This backend driver is used for demonstration purposes only, unlimited
+size leads QEMU OOM.
+
+CVE: CVE-2025-14876
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/51514aa3c2f1e072c9728c975865e0b247b2619b]
+
+Fixes: CVE-2025-14876
+Fixes: 1653a5f3fc7 ("cryptodev: introduce a new cryptodev backend")
+Reported-by: 이재영 <nakamurajames123@gmail.com>
+Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Message-Id: <20251221024321.143196-3-zhenwei.pi@linux.dev>
+(cherry picked from commit 7b913094c703641a0442bb1d1165323a019c591c)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(cherry picked from commit 51514aa3c2f1e072c9728c975865e0b247b2619b)
+Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
+---
+ backends/cryptodev-builtin.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c
+index 0414c01e0..55a3fbd27 100644
+--- a/backends/cryptodev-builtin.c
++++ b/backends/cryptodev-builtin.c
+@@ -53,6 +53,8 @@ typedef struct CryptoDevBackendBuiltinSession {
+
+ #define CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN 512
+ #define CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN 64
++/* demonstration purposes only, use a limited size to avoid QEMU OOM */
++#define CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE (1024 * 1024)
+
+ struct CryptoDevBackendBuiltin {
+ CryptoDevBackend parent_obj;
+@@ -98,12 +100,7 @@ static void cryptodev_builtin_init(
+ 1u << QCRYPTODEV_BACKEND_SERVICE_TYPE_MAC;
+ backend->conf.cipher_algo_l = 1u << VIRTIO_CRYPTO_CIPHER_AES_CBC;
+ backend->conf.hash_algo = 1u << VIRTIO_CRYPTO_HASH_SHA1;
+- /*
+- * Set the Maximum length of crypto request.
+- * Why this value? Just avoid to overflow when
+- * memory allocation for each crypto request.
+- */
+- backend->conf.max_size = LONG_MAX - sizeof(CryptoDevBackendOpInfo);
++ backend->conf.max_size = CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE;
+ backend->conf.max_cipher_key_len = CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN;
+ backend->conf.max_auth_key_len = CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN;
+ cryptodev_builtin_init_akcipher(backend);
--
2.35.6
prev parent reply other threads:[~2026-06-29 12:44 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-29 12:44 [OE-core][wrynose][PATCH 1/3] qemu: Fix CVE-2026-2243 Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 12:44 ` [OE-core][wrynose][PATCH 2/3] qemu: Fix CVE-2026-0665 Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 12:44 ` Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco) [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260629124431.2000781-3-asparmar@cisco.com \
--to=asparmar@cisco.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=to@cisco.com \
--cc=xe-linux-external@cisco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.