On Mon May 18, 2026 at 10:17 AM CEST, Kai wrote:
> On 3/7/26 04:53, Yoann Congal via lists.openembedded.org wrote:
>> On Fri Feb 20, 2026 at 6:10 AM CET, Hitendra Prajapati via lists.openembedded.org wrote:
>>> This patch fixes a use after free in the websocket handshake code.
>>>
>>> Backport patch from debian, refer:
>>> https://security-tracker.debian.org/tracker/CVE-2025-11234
>>>
>>> Signed-off-by: Hitendra Prajapati <[email protected]>
>>> ---
>>>  meta/recipes-devtools/qemu/qemu.inc          |   2 +
>>>  .../qemu/qemu/CVE-2025-11234-01.patch        |  72 ++++++++
>>>  .../qemu/qemu/CVE-2025-11234-02.patch        | 174 ++++++++++++++++++
>>>  3 files changed, 248 insertions(+)
>>>  create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch
>>>  create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch
>> Hello,
> Hi Yoann,
>> Thanks for the v2, it looks better. But it still needs a fix for
>> whinlatter (the fix is in 10.0.7, whinlatter in 10.0.6, so maybe an
>> upgrade?)
>
> May I ask why it wasn't merged to scarthgap, please?
I simply lost track of it. I've added this one to my scarthgap review branch. I plan to review the patches in "Awaiting Upstream" state on patchwork (like this one) for the next cycle. Thanks! > Regards, > Kai > >> >> Regards, >> >>> diff --git a/meta/recipes-devtools/qemu/qemu.inc >>> b/meta/recipes-devtools/qemu/qemu.inc >>> index 748a32215e..ba21d57010 100644 >>> --- a/meta/recipes-devtools/qemu/qemu.inc >>> +++ b/meta/recipes-devtools/qemu/qemu.inc >>> @@ -43,6 +43,8 @@ SRC_URI ="https://download.qemu.org/${BPN}-${PV}.tar.xz \ >>> file://qemu-guest-agent.udev \ file://CVE-2024-8354.patch \ >>> file://CVE-2025-12464.patch \ + file://CVE-2025-11234-01.patch \ + >>> file://CVE-2025-11234-02.patch \ " >>> UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" >>> >>> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch >>> b/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch >>> new file mode 100644 >>> index 0000000000..c3797bc66f >>> --- /dev/null >>> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch 
>>> @@ -0,0 +1,72 @@ >>> +From 911c814c8cc5f836286bd96694843036db83e99f Mon Sep 17 00:00:00 2001 >>> +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=<[email protected]> >>> +Date: Tue, 30 Sep 2025 11:58:35 +0100 >>> +Subject: [PATCH] io: move websock resource release to close method >>> +MIME-Version: 1.0 >>> +Content-Type: text/plain; charset=UTF-8 >>> +Content-Transfer-Encoding: 8bit >>> + >>> +The QIOChannelWebsock object releases all its resources in the >>> +finalize callback. This is later than desired, as callers expect >>> +to be able to call qio_channel_close() to fully close a channel >>> +and release resources related to I/O. >>> + >>> +The logic in the finalize method is at most a failsafe to handle >>> +cases where a consumer forgets to call qio_channel_close. >>> + >>> +This adds equivalent logic to the close method to release the >>> +resources, using g_clear_handle_id/g_clear_pointer to be robust >>> +against repeated invocations. The finalize method is tweaked >>> +so that the GSource is removed before releasing the underlying >>> +channel. >>> + >>> +Reviewed-by: Eric Blake<[email protected]> >>> +Signed-off-by: Daniel P. 
Berrangé<[email protected]> >>> +(cherry picked from commit 322c3c4f3abee616a18b3bfe563ec29dd67eae63) >>> +Signed-off-by: Michael Tokarev<[email protected]> >>> + >>> +CVE: CVE-2025-11234 >>> +Upstream-Status: Backport >>> [https://gitlab.com/qemu-project/qemu/-/commit/911c814c8cc5f836286bd96694843036db83e99f] >>> +Signed-off-by: Hitendra Prajapati<[email protected]> >>> +--- >>> + io/channel-websock.c | 11 ++++++++++- >>> + 1 file changed, 10 insertions(+), 1 deletion(-) >>> + >>> +diff --git a/io/channel-websock.c b/io/channel-websock.c >>> +index de39f0d18..1aac3c88a 100644 >>> +--- a/io/channel-websock.c >>> ++++ b/io/channel-websock.c >>> +@@ -922,13 +922,13 @@ static void qio_channel_websock_finalize(Object *obj) >>> + buffer_free(&ioc->encinput); >>> + buffer_free(&ioc->encoutput); >>> + buffer_free(&ioc->rawinput); >>> +- object_unref(OBJECT(ioc->master)); >>> + if (ioc->io_tag) { >>> + g_source_remove(ioc->io_tag); >>> + } >>> + if (ioc->io_err) { >>> + error_free(ioc->io_err); >>> + } >>> ++ object_unref(OBJECT(ioc->master)); >>> + } >>> + >>> + >>> +@@ -1219,6 +1219,15 @@ static int qio_channel_websock_close(QIOChannel >>> *ioc, >>> + QIOChannelWebsock *wioc = QIO_CHANNEL_WEBSOCK(ioc); >>> + >>> + trace_qio_channel_websock_close(ioc); >>> ++ buffer_free(&wioc->encinput); >>> ++ buffer_free(&wioc->encoutput); >>> ++ buffer_free(&wioc->rawinput); >>> ++ if (wioc->io_tag) { >>> ++ g_clear_handle_id(&wioc->io_tag, g_source_remove); >>> ++ } >>> ++ if (wioc->io_err) { >>> ++ g_clear_pointer(&wioc->io_err, error_free); >>> ++ } >>> + return qio_channel_close(wioc->master, errp); >>> + } >>> + >>> +-- >>> +2.50.1 >>> + >>> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch >>> b/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch >>> new file mode 100644 >>> index 0000000000..364d19457d >>> --- /dev/null >>> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch 
>>> @@ -0,0 +1,174 @@ >>> +From cebdbd038e44af56e74272924dc2bf595a51fd8f Mon Sep 17 00:00:00 2001 >>> +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=<[email protected]> >>> +Date: Tue, 30 Sep 2025 12:03:15 +0100 >>> +Subject: [PATCH] io: fix use after free in websocket handshake code >>> +MIME-Version: 1.0 >>> +Content-Type: text/plain; charset=UTF-8 >>> +Content-Transfer-Encoding: 8bit >>> + >>> +If the QIOChannelWebsock object is freed while it is waiting to >>> +complete a handshake, a GSource is leaked. This can lead to the >>> +callback firing later on and triggering a use-after-free in the >>> +use of the channel. This was observed in the VNC server with the >>> +following trace from valgrind: >>> + >>> +==2523108== Invalid read of size 4 >>> +==2523108== at 0x4054A24: vnc_disconnect_start (vnc.c:1296) >>> +==2523108== by 0x4054A24: vnc_client_error (vnc.c:1392) >>> +==2523108== by 0x4068A09: vncws_handshake_done (vnc-ws.c:105) >>> +==2523108== by 0x44863B4: qio_task_complete (task.c:197) >>> +==2523108== by 0x448343D: qio_channel_websock_handshake_io >>> (channel-websock.c:588) >>> +==2523108== by 0x6EDB862: UnknownInlinedFun (gmain.c:3398) >>> +==2523108== by 0x6EDB862: g_main_context_dispatch_unlocked.lto_priv.0 >>> (gmain.c:4249) >>> +==2523108== by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237) >>> +==2523108== by 0x45EC79F: glib_pollfds_poll (main-loop.c:287) >>> +==2523108== by 0x45EC79F: os_host_main_loop_wait (main-loop.c:310) >>> +==2523108== by 0x45EC79F: main_loop_wait (main-loop.c:589) >>> +==2523108== by 0x423A56D: qemu_main_loop (runstate.c:835) >>> +==2523108== by 0x454F300: qemu_default_main (main.c:37) >>> +==2523108== by 0x73D6574: (below main) (libc_start_call_main.h:58) >>> +==2523108== Address 0x57a6e0dc is 28 bytes inside a block of size 103,608 >>> free'd >>> +==2523108== at 0x5F2FE43: free (vg_replace_malloc.c:989) >>> +==2523108== by 0x6EDC444: g_free (gmem.c:208) >>> +==2523108== by 0x4053F23: vnc_update_client (vnc.c:1153) >>> 
+==2523108== by 0x4053F23: vnc_refresh (vnc.c:3225) >>> +==2523108== by 0x4042881: dpy_refresh (console.c:880) >>> +==2523108== by 0x4042881: gui_update (console.c:90) >>> +==2523108== by 0x45EFA1B: timerlist_run_timers.part.0 (qemu-timer.c:562) >>> +=2523108== by 0x45EC765: main_loop_wait (main-loop.c:600) >>> +==2523108== by 0x423A56D: qemu_main_loop (runstate.c:835) >>> +==2523108== by 0x454F300: qemu_default_main (main.c:37) >>> +==2523108== by 0x73D6574: (below main) (libc_start_call_main.h:58) >>> +==2523108== Block was alloc'd at >>> +==2523108== at 0x5F343F3: calloc (vg_replace_malloc.c:1675) >>> +==2523108== by 0x6EE2F81: g_malloc0 (gmem.c:133) >>> +==2523108== by 0x4057DA3: vnc_connect (vnc.c:3245) >>> +==2523108== by 0x448591B: qio_net_listener_channel_func >>> (net-listener.c:54) >>> +==2523108== by 0x6EDB862: UnknownInlinedFun (gmain.c:3398) >>> +==2523108== by 0x6EDB862: g_main_context_dispatch_unlocked.lto_priv.0 >>> (gmain.c:4249) >>> +==2523108== by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237) >>> +==2523108== by 0x45EC79F: glib_pollfds_poll (main-loop.c:287) >>> +==2523108== by 0x45EC79F: os_host_main_loop_wait (main-loop.c:310) >>> +==2523108== by 0x45EC79F: main_loop_wait (main-loop.c:589) >>> +==2523108== by 0x423A56D: qemu_main_loop (runstate.c:835) >>> +==2523108== by 0x454F300: qemu_default_main (main.c:37) >>> +==2523108== by 0x73D6574: (below main) (libc_start_call_main.h:58) >>> +==2523108== >>> + >>> +The above can be reproduced by launching QEMU with >>> + >>> + $ qemu-system-x86_64 -vnc localhost:0,websocket=5700 >>> + >>> +and then repeatedly running: >>> + >>> + for i in {1..100}; do >>> + (echo -n "GET / HTTP/1.1" && sleep 0.05) | nc -w 1 localhost 5700 & >>> + done >>> + >>> +CVE-2025-11234 >>> +Reported-by: Grant Millar | Cylo<[email protected]> >>> +Reviewed-by: Eric Blake<[email protected]> >>> +Signed-off-by: Daniel P. 
Berrangé<[email protected]> >>> +(cherry picked from commit b7a1f2ca45c7865b9e98e02ae605a65fc9458ae9) >>> +Signed-off-by: Michael Tokarev<[email protected]> >>> + >>> +CVE: CVE-2025-11234 >>> +Upstream-Status: Backport >>> [https://gitlab.com/qemu-project/qemu/-/commit/cebdbd038e44af56e74272924dc2bf595a51fd8f] >>> +Signed-off-by: Hitendra Prajapati<[email protected]> >>> +--- >>> + include/io/channel-websock.h | 3 ++- >>> + io/channel-websock.c | 22 ++++++++++++++++------ >>> + 2 files changed, 18 insertions(+), 7 deletions(-) >>> + >>> +diff --git a/include/io/channel-websock.h b/include/io/channel-websock.h >>> +index e180827c5..6700cf894 100644 >>> +--- a/include/io/channel-websock.h >>> ++++ b/include/io/channel-websock.h >>> +@@ -61,7 +61,8 @@ struct QIOChannelWebsock { >>> + size_t payload_remain; >>> + size_t pong_remain; >>> + QIOChannelWebsockMask mask; >>> +- guint io_tag; >>> ++ guint hs_io_tag; /* tracking handshake task */ >>> ++ guint io_tag; /* tracking watch task */ >>> + Error *io_err; >>> + gboolean io_eof; >>> + uint8_t opcode; >>> +diff --git a/io/channel-websock.c b/io/channel-websock.c >>> +index 1aac3c88a..583ea8618 100644 >>> +--- a/io/channel-websock.c >>> ++++ b/io/channel-websock.c >>> +@@ -545,6 +545,7 @@ static gboolean >>> qio_channel_websock_handshake_send(QIOChannel *ioc, >>> + trace_qio_channel_websock_handshake_fail(ioc, >>> error_get_pretty(err)); >>> + qio_task_set_error(task, err); >>> + qio_task_complete(task); >>> ++ wioc->hs_io_tag = 0; >>> + return FALSE; >>> + } >>> + >>> +@@ -560,6 +561,7 @@ static gboolean >>> qio_channel_websock_handshake_send(QIOChannel *ioc, >>> + trace_qio_channel_websock_handshake_complete(ioc); >>> + qio_task_complete(task); >>> + } >>> ++ wioc->hs_io_tag = 0; >>> + return FALSE; >>> + } >>> + trace_qio_channel_websock_handshake_pending(ioc, G_IO_OUT); >>> +@@ -586,6 +588,7 @@ static gboolean >>> qio_channel_websock_handshake_io(QIOChannel *ioc, >>> + trace_qio_channel_websock_handshake_fail(ioc, 
>>> error_get_pretty(err)); >>> + qio_task_set_error(task, err); >>> + qio_task_complete(task); >>> ++ wioc->hs_io_tag = 0; >>> + return FALSE; >>> + } >>> + if (ret == 0) { >>> +@@ -597,7 +600,7 @@ static gboolean >>> qio_channel_websock_handshake_io(QIOChannel *ioc, >>> + error_propagate(&wioc->io_err, err); >>> + >>> + trace_qio_channel_websock_handshake_reply(ioc); >>> +- qio_channel_add_watch( >>> ++ wioc->hs_io_tag = qio_channel_add_watch( >>> + wioc->master, >>> + G_IO_OUT, >>> + qio_channel_websock_handshake_send, >>> +@@ -907,11 +910,12 @@ void qio_channel_websock_handshake(QIOChannelWebsock >>> *ioc, >>> + >>> + trace_qio_channel_websock_handshake_start(ioc); >>> + trace_qio_channel_websock_handshake_pending(ioc, G_IO_IN); >>> +- qio_channel_add_watch(ioc->master, >>> +- G_IO_IN, >>> +- qio_channel_websock_handshake_io, >>> +- task, >>> +- NULL); >>> ++ ioc->hs_io_tag = qio_channel_add_watch( >>> ++ ioc->master, >>> ++ G_IO_IN, >>> ++ qio_channel_websock_handshake_io, >>> ++ task, >>> ++ NULL); >>> + } >>> + >>> + >>> +@@ -922,6 +926,9 @@ static void qio_channel_websock_finalize(Object *obj) >>> + buffer_free(&ioc->encinput); >>> + buffer_free(&ioc->encoutput); >>> + buffer_free(&ioc->rawinput); >>> ++ if (ioc->hs_io_tag) { >>> ++ g_source_remove(ioc->hs_io_tag); >>> ++ } >>> + if (ioc->io_tag) { >>> + g_source_remove(ioc->io_tag); >>> + } >>> +@@ -1222,6 +1229,9 @@ static int qio_channel_websock_close(QIOChannel *ioc, >>> + buffer_free(&wioc->encinput); >>> + buffer_free(&wioc->encoutput); >>> + buffer_free(&wioc->rawinput); >>> ++ if (wioc->hs_io_tag) { >>> ++ g_clear_handle_id(&wioc->hs_io_tag, g_source_remove); >>> ++ } >>> + if (wioc->io_tag) { >>> + g_clear_handle_id(&wioc->io_tag, g_source_remove); >>> + } >>> +-- >>> +2.50.1 >>> + >> >> >> >> -- Yoann Congal Smile ECS
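Review bot: the commit message for the qemu.inc hunk only says "This patch fix use after free in websocket handshake code" (should read "fixes"), yet the hunk adds two patch files; it should state that CVE-2025-11234-01.patch (upstream 911c814c, moving the websock resource release into the close method) is the prerequisite for CVE-2025-11234-02.patch (upstream cebdbd03, the actual use-after-free fix), and the "Backport patch from debian" line could point at the two gitlab commits that the Upstream-Status lines already cite instead of the Debian tracker only.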
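Review bot: in the qio_channel_websock_close hunk of CVE-2025-11234-01.patch, the guards around `g_clear_handle_id(&wioc->io_tag, g_source_remove);` and `g_clear_pointer(&wioc->io_err, error_free);` are redundant, since both GLib helpers already do nothing when the handle is 0 or the pointer is NULL; keeping them is fine for a verbatim cherry-pick, but the same hunk also calls buffer_free() on encinput/encoutput/rawinput, which qio_channel_websock_finalize still calls again, so the change relies on buffer_free() resetting the Buffer so that the second call is a no-op, and the commit message claims that robustness only for the g_clear_* calls. A sentence in the backport's own message noting that the double buffer_free() is intentional would help the next reviewer.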
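Review bot: in the three hunks of CVE-2025-11234-02.patch that add `wioc->hs_io_tag = 0;` in qio_channel_websock_handshake_send and qio_channel_websock_handshake_io, the store is placed after `qio_task_complete(task);`. If the task's completion callback drops the last reference to the websock channel, that store writes into freed memory, which is exactly the class of defect this patch is meant to close. Each of those paths returns FALSE, which already removes the GSource, so clearing hs_io_tag before qio_task_complete() would be the safer ordering; worth checking whether upstream has a follow-up for this before deviating from the cherry-pick.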
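Review bot: in the @@ -597,7 +600,7 @@ hunk, `wioc->hs_io_tag = qio_channel_add_watch(` for G_IO_OUT overwrites the tag of the G_IO_IN watch whose callback is executing at that moment; that is only correct because the callback then returns FALSE and GLib destroys the old source itself, so the G_IO_IN tag never needs g_source_remove(). A one-line comment at the assignment saying so would save the next reader from wondering whether the first source leaks, since hs_io_tag is documented in the header hunk as "tracking handshake task" without mentioning that it is reused across the two phases.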
View/Reply Online (#237272): https://lists.openembedded.org/g/openembedded-core/message/237272
