From: Ashishkumar Parmar <[email protected]> This patch applies the upstream stable-10.2 backport for CVE-2026-2243. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2].
[1] https://gitlab.com/qemu-project/qemu/-/commit/86b5130fefbe476f3c0a85b9e136f9e3fd518689 [2] https://github.com/advisories/GHSA-cw9w-w7fx-35q6 Signed-off-by: Ashishkumar Parmar <[email protected]> Signed-off-by: Yoann Congal <[email protected]> --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2026-2243.patch | 45 +++++++++++++++++++ 2 files changed, 46 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2026-2243.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 4b6c2252b7f..1d493ee1a32 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -37,6 +37,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://qemu-guest-agent.init \ file://qemu-guest-agent.udev \ file://CVE-2024-6519.patch \ + file://CVE-2026-2243.patch \ " # file index at download.qemu.org isn't reliable: https://gitlab.com/qemu-project/qemu-web/-/issues/9 UPSTREAM_CHECK_URI = "https://www.qemu.org" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2026-2243.patch b/meta/recipes-devtools/qemu/qemu/CVE-2026-2243.patch new file mode 100644 index 00000000000..bb2cb63b915 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2026-2243.patch @@ -0,0 +1,45 @@ +From 1633b8cd69483ed6c481aa596d3c760c09257c27 Mon Sep 17 00:00:00 2001 +From: "Halil Oktay (oblivionsage)" <[email protected]> +Date: Tue, 10 Feb 2026 13:33:25 +0100 +Subject: [PATCH] block/vmdk: fix OOB read in vmdk_read_extent() + +Bounds check for marker.size doesn't account for the 12-byte marker +header, allowing zlib to read past the allocated buffer. + +Move the check inside the has_marker block and subtract the marker size. + +CVE: CVE-2026-2243 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/86b5130fefbe476f3c0a85b9e136f9e3fd518689] + +Fixes: CVE-2026-2243 +Reported-by: Halil Oktay (oblivionsage) <[email protected]> +Signed-off-by: Halil Oktay (oblivionsage) <[email protected]> +Reviewed-by: Kevin Wolf <[email protected]> +Signed-off-by: Kevin Wolf <[email protected]> +(cherry picked from commit cfda94eddb6c9c49b66461c950b22845a46a75c9) +Signed-off-by: Michael Tokarev <[email protected]> +(cherry picked from commit 86b5130fefbe476f3c0a85b9e136f9e3fd518689) +Signed-off-by: Ashishkumar Parmar <[email protected]> +--- + block/vmdk.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/block/vmdk.c b/block/vmdk.c +index 89e89cd10..cd8b4ec7c 100644 +--- a/block/vmdk.c ++++ b/block/vmdk.c +@@ -1951,10 +1951,10 @@ vmdk_read_extent(VmdkExtent *extent, int64_t cluster_offset, + marker = (VmdkGrainMarker *)cluster_buf; + compressed_data = marker->data; + data_len = le32_to_cpu(marker->size); +- } +- if (!data_len || data_len > buf_bytes) { +- ret = -EINVAL; +- goto out; ++ if (!data_len || data_len > buf_bytes - sizeof(VmdkGrainMarker)) { ++ ret = -EINVAL; ++ goto out; ++ } + } + ret = uncompress(uncomp_buf, &buf_len, compressed_data, data_len); + if (ret != Z_OK) {
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240173): https://lists.openembedded.org/g/openembedded-core/message/240173 Mute This Topic: https://lists.openembedded.org/mt/120131923/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
