On Thu Feb 19, 2026 at 10:44 PM CET, Yoann Congal wrote:
> Hello,
>
> On Fri Jan 23, 2026 at 6:53 AM CET, Hitendra Prajapati via
> lists.openembedded.org wrote:
>> Upstream-Status: Backport from
>> https://gitlab.com/qemu-project/qemu/-/commit/911c814c8cc5f836286bd96694843036db83e99f
>> &&
>> https://gitlab.com/qemu-project/qemu/-/commit/cebdbd038e44af56e74272924dc2bf595a51fd8f
>
> (As the other CVE patches) please remove this Upstream-Status line from commit
> message, and add a justification for the patches.
And I forgot to add that this patch is needed on whinlatter (fix was introduced on 10.0.7 and whinlatter is on 10.0.6), but not on master (where the current 10.2.0 does contain it). Can you send the fixed version to whinlatter as well? Thanks! >> Signed-off-by: Hitendra Prajapati <[email protected]> >> --- >> meta/recipes-devtools/qemu/qemu.inc | 2 + >> .../qemu/qemu/CVE-2025-11234-01.patch | 72 ++++++++ >> .../qemu/qemu/CVE-2025-11234-02.patch | 174 ++++++++++++++++++ >> 3 files changed, 248 insertions(+) >> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch >> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch >> >> diff --git a/meta/recipes-devtools/qemu/qemu.inc >> b/meta/recipes-devtools/qemu/qemu.inc >> index 748a32215e..ba21d57010 100644 >> --- a/meta/recipes-devtools/qemu/qemu.inc >> +++ b/meta/recipes-devtools/qemu/qemu.inc >> @@ -43,6 +43,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ >> file://qemu-guest-agent.udev \ >> file://CVE-2024-8354.patch \ >> file://CVE-2025-12464.patch \ >> + file://CVE-2025-11234-01.patch \ >> + file://CVE-2025-11234-02.patch \ >> " >> UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" >> >> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch >> b/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch >> new file mode 100644 >> index 0000000000..c3797bc66f >> --- /dev/null >> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch 
>> @@ -0,0 +1,72 @@ >> +From 911c814c8cc5f836286bd96694843036db83e99f Mon Sep 17 00:00:00 2001 >> +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <[email protected]> >> +Date: Tue, 30 Sep 2025 11:58:35 +0100 >> +Subject: [PATCH] io: move websock resource release to close method >> +MIME-Version: 1.0 >> +Content-Type: text/plain; charset=UTF-8 >> +Content-Transfer-Encoding: 8bit >> + >> +The QIOChannelWebsock object releases all its resources in the >> +finalize callback. This is later than desired, as callers expect >> +to be able to call qio_channel_close() to fully close a channel >> +and release resources related to I/O. >> + >> +The logic in the finalize method is at most a failsafe to handle >> +cases where a consumer forgets to call qio_channel_close. >> + >> +This adds equivalent logic to the close method to release the >> +resources, using g_clear_handle_id/g_clear_pointer to be robust >> +against repeated invocations. The finalize method is tweaked >> +so that the GSource is removed before releasing the underlying >> +channel. >> + >> +Reviewed-by: Eric Blake <[email protected]> >> +Signed-off-by: Daniel P. Berrangé <[email protected]> >> +(cherry picked from commit 322c3c4f3abee616a18b3bfe563ec29dd67eae63) >> +Signed-off-by: Michael Tokarev <[email protected]> >> + >> +CVE: CVE-2025-11234 >> +Upstream-Status: Backport >> [https://gitlab.com/qemu-project/qemu/-/commit/911c814c8cc5f836286bd96694843036db83e99f] > > This backport is weird to decypher, this commit is in the 7.2 branch > (while scarthgap has 8.2). 
The more easy to understand is > 322c3c4f3abee616a18b3bfe563ec29dd67eae63 (on master and in the 10.2.0 > release) > >> +Signed-off-by: Hitendra Prajapati <[email protected]> >> +--- >> + io/channel-websock.c | 11 ++++++++++- >> + 1 file changed, 10 insertions(+), 1 deletion(-) >> + >> +diff --git a/io/channel-websock.c b/io/channel-websock.c >> +index de39f0d18..1aac3c88a 100644 >> +--- a/io/channel-websock.c >> ++++ b/io/channel-websock.c >> +@@ -922,13 +922,13 @@ static void qio_channel_websock_finalize(Object *obj) >> + buffer_free(&ioc->encinput); >> + buffer_free(&ioc->encoutput); >> + buffer_free(&ioc->rawinput); >> +- object_unref(OBJECT(ioc->master)); >> + if (ioc->io_tag) { >> + g_source_remove(ioc->io_tag); >> + } >> + if (ioc->io_err) { >> + error_free(ioc->io_err); >> + } >> ++ object_unref(OBJECT(ioc->master)); >> + } >> + >> + >> +@@ -1219,6 +1219,15 @@ static int qio_channel_websock_close(QIOChannel *ioc, >> + QIOChannelWebsock *wioc = QIO_CHANNEL_WEBSOCK(ioc); >> + >> + trace_qio_channel_websock_close(ioc); >> ++ buffer_free(&wioc->encinput); >> ++ buffer_free(&wioc->encoutput); >> ++ buffer_free(&wioc->rawinput); >> ++ if (wioc->io_tag) { >> ++ g_clear_handle_id(&wioc->io_tag, g_source_remove); >> ++ } >> ++ if (wioc->io_err) { >> ++ g_clear_pointer(&wioc->io_err, error_free); >> ++ } >> + return qio_channel_close(wioc->master, errp); >> + } >> + >> +-- >> +2.50.1 >> + >> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch >> b/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch >> new file mode 100644 >> index 0000000000..364d19457d >> --- /dev/null >> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch 
>> @@ -0,0 +1,174 @@ >> +From cebdbd038e44af56e74272924dc2bf595a51fd8f Mon Sep 17 00:00:00 2001 >> +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <[email protected]> >> +Date: Tue, 30 Sep 2025 12:03:15 +0100 >> +Subject: [PATCH] io: fix use after free in websocket handshake code >> +MIME-Version: 1.0 >> +Content-Type: text/plain; charset=UTF-8 >> +Content-Transfer-Encoding: 8bit >> + >> +If the QIOChannelWebsock object is freed while it is waiting to >> +complete a handshake, a GSource is leaked. This can lead to the >> +callback firing later on and triggering a use-after-free in the >> +use of the channel. This was observed in the VNC server with the >> +following trace from valgrind: >> + >> +==2523108== Invalid read of size 4 >> +==2523108== at 0x4054A24: vnc_disconnect_start (vnc.c:1296) >> +==2523108== by 0x4054A24: vnc_client_error (vnc.c:1392) >> +==2523108== by 0x4068A09: vncws_handshake_done (vnc-ws.c:105) >> +==2523108== by 0x44863B4: qio_task_complete (task.c:197) >> +==2523108== by 0x448343D: qio_channel_websock_handshake_io >> (channel-websock.c:588) >> +==2523108== by 0x6EDB862: UnknownInlinedFun (gmain.c:3398) >> +==2523108== by 0x6EDB862: g_main_context_dispatch_unlocked.lto_priv.0 >> (gmain.c:4249) >> +==2523108== by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237) >> +==2523108== by 0x45EC79F: glib_pollfds_poll (main-loop.c:287) >> +==2523108== by 0x45EC79F: os_host_main_loop_wait (main-loop.c:310) >> +==2523108== by 0x45EC79F: main_loop_wait (main-loop.c:589) >> +==2523108== by 0x423A56D: qemu_main_loop (runstate.c:835) >> +==2523108== by 0x454F300: qemu_default_main (main.c:37) >> +==2523108== by 0x73D6574: (below main) (libc_start_call_main.h:58) >> +==2523108== Address 0x57a6e0dc is 28 bytes inside a block of size 103,608 >> free'd >> +==2523108== at 0x5F2FE43: free (vg_replace_malloc.c:989) >> +==2523108== by 0x6EDC444: g_free (gmem.c:208) >> +==2523108== by 0x4053F23: vnc_update_client (vnc.c:1153) >> +==2523108== by 0x4053F23: 
vnc_refresh (vnc.c:3225) >> +==2523108== by 0x4042881: dpy_refresh (console.c:880) >> +==2523108== by 0x4042881: gui_update (console.c:90) >> +==2523108== by 0x45EFA1B: timerlist_run_timers.part.0 (qemu-timer.c:562) >> +=2523108== by 0x45EC765: main_loop_wait (main-loop.c:600) >> +==2523108== by 0x423A56D: qemu_main_loop (runstate.c:835) >> +==2523108== by 0x454F300: qemu_default_main (main.c:37) >> +==2523108== by 0x73D6574: (below main) (libc_start_call_main.h:58) >> +==2523108== Block was alloc'd at >> +==2523108== at 0x5F343F3: calloc (vg_replace_malloc.c:1675) >> +==2523108== by 0x6EE2F81: g_malloc0 (gmem.c:133) >> +==2523108== by 0x4057DA3: vnc_connect (vnc.c:3245) >> +==2523108== by 0x448591B: qio_net_listener_channel_func >> (net-listener.c:54) >> +==2523108== by 0x6EDB862: UnknownInlinedFun (gmain.c:3398) >> +==2523108== by 0x6EDB862: g_main_context_dispatch_unlocked.lto_priv.0 >> (gmain.c:4249) >> +==2523108== by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237) >> +==2523108== by 0x45EC79F: glib_pollfds_poll (main-loop.c:287) >> +==2523108== by 0x45EC79F: os_host_main_loop_wait (main-loop.c:310) >> +==2523108== by 0x45EC79F: main_loop_wait (main-loop.c:589) >> +==2523108== by 0x423A56D: qemu_main_loop (runstate.c:835) >> +==2523108== by 0x454F300: qemu_default_main (main.c:37) >> +==2523108== by 0x73D6574: (below main) (libc_start_call_main.h:58) >> +==2523108== >> + >> +The above can be reproduced by launching QEMU with >> + >> + $ qemu-system-x86_64 -vnc localhost:0,websocket=5700 >> + >> +and then repeatedly running: >> + >> + for i in {1..100}; do >> + (echo -n "GET / HTTP/1.1" && sleep 0.05) | nc -w 1 localhost 5700 & >> + done >> + >> +CVE-2025-11234 >> +Reported-by: Grant Millar | Cylo <[email protected]> >> +Reviewed-by: Eric Blake <[email protected]> >> +Signed-off-by: Daniel P. 
Berrangé <[email protected]> >> +(cherry picked from commit b7a1f2ca45c7865b9e98e02ae605a65fc9458ae9) >> +Signed-off-by: Michael Tokarev <[email protected]> >> + >> +CVE: CVE-2025-11234 >> +Upstream-Status: Backport >> [https://gitlab.com/qemu-project/qemu/-/commit/cebdbd038e44af56e74272924dc2bf595a51fd8f] > > Same idea: b7a1f2ca45c7865b9e98e02ae605a65fc9458ae9 is easier to > understand. >> +Signed-off-by: Hitendra Prajapati <[email protected]> >> +--- >> + include/io/channel-websock.h | 3 ++- >> + io/channel-websock.c | 22 ++++++++++++++++------ >> + 2 files changed, 18 insertions(+), 7 deletions(-) >> + >> +diff --git a/include/io/channel-websock.h b/include/io/channel-websock.h >> +index e180827c5..6700cf894 100644 >> +--- a/include/io/channel-websock.h >> ++++ b/include/io/channel-websock.h >> +@@ -61,7 +61,8 @@ struct QIOChannelWebsock { >> + size_t payload_remain; >> + size_t pong_remain; >> + QIOChannelWebsockMask mask; >> +- guint io_tag; >> ++ guint hs_io_tag; /* tracking handshake task */ >> ++ guint io_tag; /* tracking watch task */ >> + Error *io_err; >> + gboolean io_eof; >> + uint8_t opcode; >> +diff --git a/io/channel-websock.c b/io/channel-websock.c >> +index 1aac3c88a..583ea8618 100644 >> +--- a/io/channel-websock.c >> ++++ b/io/channel-websock.c >> +@@ -545,6 +545,7 @@ static gboolean >> qio_channel_websock_handshake_send(QIOChannel *ioc, >> + trace_qio_channel_websock_handshake_fail(ioc, >> error_get_pretty(err)); >> + qio_task_set_error(task, err); >> + qio_task_complete(task); >> ++ wioc->hs_io_tag = 0; >> + return FALSE; >> + } >> + >> +@@ -560,6 +561,7 @@ static gboolean >> qio_channel_websock_handshake_send(QIOChannel *ioc, >> + trace_qio_channel_websock_handshake_complete(ioc); >> + qio_task_complete(task); >> + } >> ++ wioc->hs_io_tag = 0; >> + return FALSE; >> + } >> + trace_qio_channel_websock_handshake_pending(ioc, G_IO_OUT); >> +@@ -586,6 +588,7 @@ static gboolean >> qio_channel_websock_handshake_io(QIOChannel *ioc, >> + 
trace_qio_channel_websock_handshake_fail(ioc, >> error_get_pretty(err)); >> + qio_task_set_error(task, err); >> + qio_task_complete(task); >> ++ wioc->hs_io_tag = 0; >> + return FALSE; >> + } >> + if (ret == 0) { >> +@@ -597,7 +600,7 @@ static gboolean >> qio_channel_websock_handshake_io(QIOChannel *ioc, >> + error_propagate(&wioc->io_err, err); >> + >> + trace_qio_channel_websock_handshake_reply(ioc); >> +- qio_channel_add_watch( >> ++ wioc->hs_io_tag = qio_channel_add_watch( >> + wioc->master, >> + G_IO_OUT, >> + qio_channel_websock_handshake_send, >> +@@ -907,11 +910,12 @@ void qio_channel_websock_handshake(QIOChannelWebsock >> *ioc, >> + >> + trace_qio_channel_websock_handshake_start(ioc); >> + trace_qio_channel_websock_handshake_pending(ioc, G_IO_IN); >> +- qio_channel_add_watch(ioc->master, >> +- G_IO_IN, >> +- qio_channel_websock_handshake_io, >> +- task, >> +- NULL); >> ++ ioc->hs_io_tag = qio_channel_add_watch( >> ++ ioc->master, >> ++ G_IO_IN, >> ++ qio_channel_websock_handshake_io, >> ++ task, >> ++ NULL); >> + } >> + >> + >> +@@ -922,6 +926,9 @@ static void qio_channel_websock_finalize(Object *obj) >> + buffer_free(&ioc->encinput); >> + buffer_free(&ioc->encoutput); >> + buffer_free(&ioc->rawinput); >> ++ if (ioc->hs_io_tag) { >> ++ g_source_remove(ioc->hs_io_tag); >> ++ } >> + if (ioc->io_tag) { >> + g_source_remove(ioc->io_tag); >> + } >> +@@ -1222,6 +1229,9 @@ static int qio_channel_websock_close(QIOChannel *ioc, >> + buffer_free(&wioc->encinput); >> + buffer_free(&wioc->encoutput); >> + buffer_free(&wioc->rawinput); >> ++ if (wioc->hs_io_tag) { >> ++ g_clear_handle_id(&wioc->hs_io_tag, g_source_remove); >> ++ } >> + if (wioc->io_tag) { >> + g_clear_handle_id(&wioc->io_tag, g_source_remove); >> + } >> +-- >> +2.50.1 >> + -- Yoann Congal Smile ECS
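Review bot: the two new SRC_URI entries in meta/recipes-devtools/qemu/qemu.inc must keep this order, because CVE-2025-11234-02.patch is generated on top of 01: its io/channel-websock.c index line runs 1aac3c88a..583ea8618, i.e. it starts from the post-image of the first patch, and its close() hunk at @@ -1222,6 +1229,9 @@ uses the `buffer_free(&wioc->encinput);` context lines that only exist after 01 is applied. A short note in the commit message (or a comment next to the two `file://` lines) would stop a later cleanup from reordering or dropping one of them. On the provenance point already raised in the review: both patch files carry an Upstream-Status pointing at the stable-branch commits 911c814c8cc5 and cebdbd038e44, while their own `(cherry picked from commit ...)` trailers name the master commits 322c3c4f3abe and b7a1f2ca45c7; citing the master ids as suggested makes the Upstream-Status line agree with the trailer.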
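Review bot: the reordering in qio_channel_websock_finalize() in the first patch (object_unref(OBJECT(ioc->master)) moved below the g_source_remove(ioc->io_tag) block) fixes the ordering, but finalize() and the new qio_channel_websock_close() body now carry the same release sequence twice in two idioms (bare g_source_remove()/error_free() in finalize, g_clear_handle_id()/g_clear_pointer() in close). A small static helper called from both would keep them from drifting; if two copies are kept on purpose, a comment in finalize() saying it is only the failsafe for callers that never called close(), as the commit message states, would help the next reader.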
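Review bot: the `if (wioc->io_tag)` and `if (wioc->io_err)` guards added to qio_channel_websock_close() in the first patch (and the matching `if (wioc->hs_io_tag)` guard the second patch adds in the same function) are redundant: g_clear_handle_id() only calls the clear function when the handle is non-zero, and g_clear_pointer() only when the pointer is non-NULL, which is exactly what makes them safe against the repeated invocation the commit message wants. The unguarded form `g_clear_handle_id(&wioc->io_tag, g_source_remove);` and `g_clear_pointer(&wioc->io_err, error_free);` says the same thing in fewer lines. Two things to check before this lands on scarthgap (8.2) and whinlatter (10.0.6): g_clear_handle_id() exists only from GLib 2.56, so the branch's minimum GLib must be at least that; and buffer_free() must reset the Buffer it frees, because after a close() finalize() will call buffer_free() a second time on encinput, encoutput and rawinput.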
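Review bot: the field comments added in include/io/channel-websock.h describe hs_io_tag as "tracking handshake task" and io_tag as "tracking watch task", but both fields hold GSource ids returned by qio_channel_add_watch() (the values later handed to g_source_remove()), not tasks; the QIOTask is only the watch's user data. Suggest `guint hs_io_tag; /* GSource id of the pending handshake watch, 0 if none */` and the equivalent wording for io_tag, which also documents that 0 is the "no watch" value the finalize() and close() checks rely on.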
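Review bot: in the three hunks that add `wioc->hs_io_tag = 0;` (the two return-FALSE paths in qio_channel_websock_handshake_send() at @@ -545,6 and @@ -560,6, and the error path in qio_channel_websock_handshake_io() at @@ -586,6), the store comes after qio_task_complete(task). Completing the task runs the caller's callback and then frees the task; if the QIOTask holds a reference on the channel and that turns out to be the last one once the callback has torn the client down (worth confirming against qio_task_new()/qio_task_free() in io/task.c), the store writes into a freed QIOChannelWebsock. Moving `wioc->hs_io_tag = 0;` above `qio_task_complete(task);` costs nothing, since each of these paths returns FALSE and GLib removes the source regardless, and it removes the question entirely.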
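Review bot: the finalize() addition `if (ioc->hs_io_tag) { g_source_remove(ioc->hs_io_tag); }` at @@ -922,6 +926,9 can only run if the object reaches refcount zero while a handshake watch is still pending, and the user data of that watch is the QIOTask created in qio_channel_websock_handshake(). If that task holds its own reference on the channel (as a QIOTask normally does for its source object; please confirm in io/task.c), finalize() never runs while hs_io_tag is set, and the change that actually stops the trace in the commit message is the close() hunk, reached when the VNC server closes the channel of a disconnecting client. If so, the commit message should say that the finalize() part is only the failsafe; as written it reads as though the finalize() change is the fix.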
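Review bot: g_clear_handle_id(&wioc->hs_io_tag, g_source_remove) in qio_channel_websock_close() at @@ -1222,6 +1229,9 removes the handshake watch but not what it carries: both qio_channel_add_watch() calls in this patch (at @@ -597,7 and @@ -907,11) pass `task` as user data with a NULL GDestroyNotify, so the QIOTask, any error stored in it, and anything it references are never released, and the handshake completion callback never runs. That is the right trade here (completing the task from close() would call straight back into the freed VNC state the valgrind trace shows), but it is a leak every time a channel is closed with a handshake still pending, which the `nc` loop in the commit message shows an unauthenticated client can trigger at will. Suggest a comment at this line documenting the deliberate leak, or a follow-up that gives the watch a destroy notify that releases the task without running its callback (which would need a helper in io/task.c, as nothing public does that today).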
