diff --git a/SPECS/qemu/CVE-2026-3195.patch b/SPECS/qemu/CVE-2026-3195.patch
new file mode 100644
index 00000000000..0b3137323ea
--- /dev/null
+++ b/SPECS/qemu/CVE-2026-3195.patch
@@ -0,0 +1,104 @@
+From a18033a6d4569633a6dade3ef880cb377cd16f56 Mon Sep 17 00:00:00 2001
+From: Manos Pitsidianakis
+Date: Fri, 20 Feb 2026 11:40:16 +0200
+Subject: [PATCH 1/2] virtio-snd: tighten read amount in in_cb
+
+The amount of bytes to read passed to AUD_read() should never surpass
+the maximum available buffer length. Tighten the current amount by
+MIN(, max_size - ).
+
+Cc: qemu-stable@nongnu.org
+Fixes: 98e77e3dd8dd6e7aa9a7dffa60f49c8c8a49d4e3 ("virtio-snd: add max size bounds check in input cb")
+Reported-by: DARKNAVY
+Signed-off-by: Manos Pitsidianakis
+Reviewed-by: Michael S. Tsirkin
+Signed-off-by: Michael S. Tsirkin
+Message-Id: <20260220-virtio-snd-series-v1-5-207c4f7200a2@linaro.org>
+(cherry picked from commit 7994203bb1b83a6604f3ab00fe9598909bb66164)
+Signed-off-by: Michael Tokarev
+---
+ hw/audio/virtio-snd.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
+index d1cf5eb..b73aad2 100644
+--- a/hw/audio/virtio-snd.c
++++ b/hw/audio/virtio-snd.c
+@@ -1263,7 +1263,7 @@ static void virtio_snd_pcm_in_cb(void *data, int available)
+ {
+ VirtIOSoundPCMStream *stream = data;
+ VirtIOSoundPCMBuffer *buffer;
+- size_t size, max_size;
++ size_t size, max_size, to_read;
+ 
+ WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) {
+ while (!QSIMPLEQ_EMPTY(&stream->queue)) {
+@@ -1283,10 +1283,12 @@ static void virtio_snd_pcm_in_cb(void *data, int available)
+ return_rx_buffer(stream, buffer);
+ break;
+ }
++ to_read = stream->params.period_bytes - buffer->size;
++ to_read = MIN(to_read, available);
++ to_read = MIN(to_read, max_size - buffer->size);
+ size = AUD_read(stream->voice.in,
+- buffer->data + buffer->size,
+- MIN(available, (stream->params.period_bytes -
+- buffer->size)));
++ buffer->data + buffer->size,
++ to_read);
+ if (!size) {
+ available = 0;
+ break;
+--
+2.45.4
+
+
+From 41363e73db91417b84b4b4a9809363a39e2d5f89 Mon Sep 17 00:00:00 2001
+From: Manos Pitsidianakis
+Date: Fri, 20 Feb 2026 11:40:15 +0200
+Subject: [PATCH 2/2] virtio-snd: fix max_size bounds check in input cb
+
+In 98e77e3d we calculated the max size and checked that each buffer is smaller than it.
+
+We neglected to subtract the size of the virtio_snd_pcm_status header
+from the max size, and max_size was thus larger than the correct value,
+leading to potential OOB writes.
+
+If the buffer cannot fit the header or can fit only the header, return
+the buffer immediately.
+
+Cc: qemu-stable@nongnu.org
+Fixes: 98e77e3dd8dd6e7aa9a7dffa60f49c8c8a49d4e3 ("virtio-snd: add max size bounds check in input cb")
+Reported-by: DARKNAVY
+Signed-off-by: Manos Pitsidianakis
+Reviewed-by: Michael S. Tsirkin
+Signed-off-by: Michael S. Tsirkin
+Message-Id: <20260220-virtio-snd-series-v1-4-207c4f7200a2@linaro.org>
+(cherry picked from commit bcb53328aa70023f1405fade4e253e7f77567261)
+Signed-off-by: Michael Tokarev
+Signed-off-by: rpm-build
+Upstream-reference: https://gitlab.com/qemu-project/qemu/-/commit/298986525140149bd749c236c17cfbb507c69e23.patch https://gitlab.com/qemu-project/qemu/-/commit/a730f98a7a199706c44dd86a39d961e80e2ad18f.patch
+---
+ hw/audio/virtio-snd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
+index b73aad2..4a4ad01 100644
+--- a/hw/audio/virtio-snd.c
++++ b/hw/audio/virtio-snd.c
+@@ -1278,6 +1278,12 @@ static void virtio_snd_pcm_in_cb(void *data, int available)
+ }
+ 
+ max_size = iov_size(buffer->elem->in_sg, buffer->elem->in_num);
++ if (max_size <= sizeof(virtio_snd_pcm_status)) {
++ return_rx_buffer(stream, buffer);
++ continue;
++ }
++ max_size -= sizeof(virtio_snd_pcm_status);
++
+ for (;;) {
+ if (buffer->size >= max_size) {
+ return_rx_buffer(stream, buffer);
+--
+2.45.4
+
diff --git a/SPECS/qemu/qemu.spec b/SPECS/qemu/qemu.spec
index 639c60b5102..a164d343be0 100644
--- a/SPECS/qemu/qemu.spec
+++ b/SPECS/qemu/qemu.spec
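Review bot: In the `@@ -1283` hunk of the embedded PATCH 1/2, `to_read = stream->params.period_bytes - buffer->size;` is a size_t subtraction that wraps to a huge value should `period_bytes` ever be smaller than the already-filled `buffer->size`; the AUD_read() write then stays in bounds only because of the third assignment, `to_read = MIN(to_read, max_size - buffer->size);`, and that term is itself non-wrapping only because the `buffer->size >= max_size` check just above returns the buffer first. Since that ordering is the entire memory-safety argument for the destination pointer, it deserves a comment at the third assignment, e.g. `/* max_size - buffer->size > 0 here: a full buffer was returned by the check above; this bound, not period_bytes, keeps AUD_read() inside the descriptor */`. `MIN(to_read, available)` also compares a size_t against the `int` parameter `available`, so a negative value would convert to a huge unsigned value and silently drop that bound; if the audio backend contract rules that out, an `assert(available >= 0)` at the top of the callback would document it. virtio_snd_pcm_in_cb continues outside both embedded hunks, including the later copy of the data and the virtio_snd_pcm_status header into `buffer->elem->in_sg` that PATCH 2/2's `max_size -= sizeof(virtio_snd_pcm_status);` presumably accounts for, so the sufficiency of that subtraction cannot be confirmed from this page alone.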
@@ -432,7 +432,7 @@ Obsoletes: sgabios-bin <= 1:0.20180715git-10.fc38 Summary: QEMU is a FAST! processor emulator Name: qemu Version: 9.1.0 -Release: 7%{?dist} +Release: 8%{?dist} License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND FSFAP AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-2.0-or-later WITH GCC-exception-2.0 AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND MIT AND LicenseRef-Fedora-Public-Domain AND CC-BY-3.0 URL: http://www.qemu.org/ @@ -470,6 +470,7 @@ Patch27: kvm-block-Drain-nodes-before-inactivating-them.patch Patch28: kvm-block-export-Add-option-to-allow-export-of-inactive-.patch Patch29: kvm-nbd-server-Support-inactive-nodes.patch Patch30: kvm-migration-Fix-UAF-for-incoming-migration-on-Migratio.patch +Patch31: CVE-2026-3195.patch Source10: qemu-guest-agent.service Source11: 99-qemu-guest-agent.rules @@ -3521,6 +3522,9 @@ fi %changelog +* Sat Jun 27 2026 Azure Linux Security Servicing Account - 9.1.0-8 +- Patch for CVE-2026-3195 + * Tue May 20 2026 Sumedh Sharma - 9.1.0-7 - Enable user_static builds for qemu - configure user_static with 'enable-pie'