On Fri Jun 12, 2026 at 2:18 PM CEST, Ashishkumar Parmar X (asparmar - E 
INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Ashishkumar Parmar <[email protected]>
>
> This patch applies the upstream v10.0.8 stable backport for
> CVE-2025-14876. The upstream fix commit is referenced in [1],
> and the public CVE advisory is referenced in [2]. The individual
> backported commit links are recorded in the embedded patch headers
> when the fix expands to multiple commits.
>
> [1] 
> https://gitlab.com/qemu-project/qemu/-/commit/e649201bb96ae7e91a69d57392c8907ec085111e
> [2] https://access.redhat.com/security/cve/CVE-2025-14876
>
> Signed-off-by: Ashishkumar Parmar <[email protected]>
> ---

If I'm not mistaken, the 3 patches of this series where introduced after
the 10.2.0 version on the 10.2.x branch of QEMU. In that case, they are
missing for wrynose.

Can you send the fix for wrynose, and then, ping back here?

Thanks!

>  meta/recipes-devtools/qemu/qemu.inc           |  2 +
>  .../qemu/qemu/CVE-2025-14876_p1.patch         | 52 +++++++++++++++++
>  .../qemu/qemu/CVE-2025-14876_p2.patch         | 56 +++++++++++++++++++
>  3 files changed, 110 insertions(+)
>  create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch
>  create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu.inc 
> b/meta/recipes-devtools/qemu/qemu.inc
> index 54644dd924..26d10991a7 100644
> --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc
> @@ -45,6 +45,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
>             file://CVE-2025-12464.patch \
>             
> file://0001-python-backport-Remove-deprecated-get_event_loop-cal.patch \
>             
> file://0002-python-backport-avoid-creating-additional-event-loop.patch \
> +           file://CVE-2025-14876_p1.patch \
> +           file://CVE-2025-14876_p2.patch \
>             "
>  UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
>  
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch 
> b/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch
> new file mode 100644
> index 0000000000..1f47ff2ebc
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p1.patch
> @@ -0,0 +1,52 @@
> +From 96ac1b4f958287776ec2199749beaaad60148a85 Mon Sep 17 00:00:00 2001
> +From: zhenwei pi <[email protected]>
> +Date: Sun, 21 Dec 2025 10:43:20 +0800
> +Subject: [PATCH] hw/virtio/virtio-crypto: verify asym request size
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +The total lenght of request is limited by cryptodev config, verify it
> +to avoid unexpected request from guest.
> +
> +CVE: CVE-2025-14876
> +Upstream-Status: Backport 
> [https://gitlab.com/qemu-project/qemu/-/commit/e649201bb96ae7e91a69d57392c8907ec085111e]
> +
> +Fixes: CVE-2025-14876
> +Fixes: 0e660a6f90a ("crypto: Introduce RSA algorithm")
> +Reported-by: 이재영 <[email protected]>
> +Signed-off-by: zhenwei pi <[email protected]>
> +Reviewed-by: Michael S. Tsirkin <[email protected]>
> +Signed-off-by: Michael S. Tsirkin <[email protected]>
> +Message-Id: <[email protected]>
> +(cherry picked from commit 91c6438caffc880e999a7312825479685d659b44)
> +Signed-off-by: Michael Tokarev <[email protected]>
> +(cherry picked from commit e649201bb96ae7e91a69d57392c8907ec085111e)
> +Signed-off-by: Ashishkumar Parmar <[email protected]>
> +---
> + hw/virtio/virtio-crypto.c | 7 +++++++
> + 1 file changed, 7 insertions(+)
> +
> +diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
> +index 4aaced74b..6927f7d1a 100644
> +--- a/hw/virtio/virtio-crypto.c
> ++++ b/hw/virtio/virtio-crypto.c
> +@@ -767,11 +767,18 @@ virtio_crypto_handle_asym_req(VirtIOCrypto *vcrypto,
> +     uint32_t len;
> +     uint8_t *src = NULL;
> +     uint8_t *dst = NULL;
> ++    uint64_t max_len;
> + 
> +     asym_op_info = g_new0(CryptoDevBackendAsymOpInfo, 1);
> +     src_len = ldl_le_p(&req->para.src_data_len);
> +     dst_len = ldl_le_p(&req->para.dst_data_len);
> + 
> ++    max_len = (uint64_t)src_len + dst_len;
> ++    if (unlikely(max_len > vcrypto->conf.max_size)) {
> ++        virtio_error(vdev, "virtio-crypto asym request is too large");
> ++        goto err;
> ++    }
> ++
> +     if (src_len > 0) {
> +         src = g_malloc0(src_len);
> +         len = iov_to_buf(iov, out_num, 0, src, src_len);
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch 
> b/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch
> new file mode 100644
> index 0000000000..60432c8ebb
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-14876_p2.patch
> @@ -0,0 +1,56 @@
> +From 17f89320724d16437a26a250c82b1649777387f1 Mon Sep 17 00:00:00 2001
> +From: zhenwei pi <[email protected]>
> +Date: Sun, 21 Dec 2025 10:43:21 +0800
> +Subject: [PATCH] cryptodev-builtin: Limit the maximum size
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +This backend driver is used for demonstration purposes only, unlimited
> +size leads QEMU OOM.
> +
> +CVE: CVE-2025-14876
> +Upstream-Status: Backport 
> [https://gitlab.com/qemu-project/qemu/-/commit/3464e88bc98d72acc3a9674054b9ed0c3d4e9b90]
> +
> +Fixes: CVE-2025-14876
> +Fixes: 1653a5f3fc7 ("cryptodev: introduce a new cryptodev backend")
> +Reported-by: 이재영 <[email protected]>
> +Signed-off-by: zhenwei pi <[email protected]>
> +Reviewed-by: Michael S. Tsirkin <[email protected]>
> +Signed-off-by: Michael S. Tsirkin <[email protected]>
> +Message-Id: <[email protected]>
> +(cherry picked from commit 7b913094c703641a0442bb1d1165323a019c591c)
> +Signed-off-by: Michael Tokarev <[email protected]>
> +(cherry picked from commit 3464e88bc98d72acc3a9674054b9ed0c3d4e9b90)
> +Signed-off-by: Ashishkumar Parmar <[email protected]>
> +---
> + backends/cryptodev-builtin.c | 9 +++------
> + 1 file changed, 3 insertions(+), 6 deletions(-)
> +
> +diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c
> +index 940104ee5..a4c544b6d 100644
> +--- a/backends/cryptodev-builtin.c
> ++++ b/backends/cryptodev-builtin.c
> +@@ -53,6 +53,8 @@ typedef struct CryptoDevBackendBuiltinSession {
> + 
> + #define CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN    512
> + #define CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN  64
> ++/* demonstration purposes only, use a limited size to avoid QEMU OOM */
> ++#define CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE  (1024 * 1024)
> + 
> + struct CryptoDevBackendBuiltin {
> +     CryptoDevBackend parent_obj;
> +@@ -98,12 +100,7 @@ static void cryptodev_builtin_init(
> +                          1u << QCRYPTODEV_BACKEND_SERVICE_MAC;
> +     backend->conf.cipher_algo_l = 1u << VIRTIO_CRYPTO_CIPHER_AES_CBC;
> +     backend->conf.hash_algo = 1u << VIRTIO_CRYPTO_HASH_SHA1;
> +-    /*
> +-     * Set the Maximum length of crypto request.
> +-     * Why this value? Just avoid to overflow when
> +-     * memory allocation for each crypto request.
> +-     */
> +-    backend->conf.max_size = LONG_MAX - sizeof(CryptoDevBackendOpInfo);
> ++    backend->conf.max_size = CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE;
> +     backend->conf.max_cipher_key_len = CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN;
> +     backend->conf.max_auth_key_len = CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN;
> +     cryptodev_builtin_init_akcipher(backend);


-- 
Yoann Congal
Smile ECS

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#239299): 
https://lists.openembedded.org/g/openembedded-core/message/239299
Mute This Topic: https://lists.openembedded.org/mt/119772263/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

  • ... Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Yoann Congal via lists.openembedded.org

Reply via email to