From: Deepak Rathore <[email protected]>

This patch applies the upstream v11.0.0-rc2 backport for CVE-2024-6519. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2]. The individual backported commit link is recorded in the embedded patch header.
[1] https://gitlab.com/qemu-project/qemu/-/commit/4862d2c95104d9fd0430cc003c205094f8ada1f9 [2] https://security-tracker.debian.org/tracker/CVE-2024-6519 Signed-off-by: Deepak Rathore <[email protected]> Signed-off-by: Yoann Congal <[email protected]> --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2024-6519.patch | 51 +++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-6519.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index b688c2bd125..ff8877e54b7 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -47,6 +47,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://0002-python-backport-avoid-creating-additional-event-loop.patch \ file://CVE-2025-11234-01.patch \ file://CVE-2025-11234-02.patch \ + file://CVE-2024-6519.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-6519.patch b/meta/recipes-devtools/qemu/qemu/CVE-2024-6519.patch new file mode 100644 index 00000000000..431afbbc60a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2024-6519.patch 
@@ -0,0 +1,51 @@ +From 86bc714d9d02a23ea6be878febdc327bbfc9ff50 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini <[email protected]> +Date: Fri, 27 Mar 2026 17:37:31 +0100 +Subject: [PATCH] lsi53c895a: keep a reference to the device while SCRIPTS + execute + +SCRIPTS execution can trigger PCI device unplug and consequently +a use-after-free after the unplug returns. Avoid this by keeping +the device alive. + +Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3090 + +CVE: CVE-2024-6519 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/4862d2c95104d9fd0430cc003c205094f8ada1f9] + +Cc: [email protected] +Signed-off-by: Paolo Bonzini <[email protected]> +(cherry picked from commit 4862d2c95104d9fd0430cc003c205094f8ada1f9) +Signed-off-by: Deepak Rathore <[email protected]> +--- + hw/scsi/lsi53c895a.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index 4d0c5fcd9b7..37dd38d7a87 100644 +--- a/hw/scsi/lsi53c895a.c ++++ b/hw/scsi/lsi53c895a.c +@@ -1158,6 +1158,7 @@ static void lsi_execute_script(LSIState *s) + s->waiting = LSI_NOWAIT; + } + ++ object_ref(s); + reentrancy_level++; + + s->istat1 |= LSI_ISTAT1_SRUN; +@@ -1177,6 +1178,7 @@ again: + s->waiting = LSI_WAIT_SCRIPTS; + lsi_scripts_timer_start(s); + reentrancy_level--; ++ object_unref(s); + return; + } + insn = read_dword(s, s->dsp); +@@ -1625,6 +1627,7 @@ again: + trace_lsi_execute_script_stop(); + + reentrancy_level--; ++ object_unref(s); + } + + static uint8_t lsi_reg_readb(LSIState *s, int offset)
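Review bot: In the SRC_URI hunk of qemu.inc, the new `file://CVE-2024-6519.patch` entry comes with no statement in the commit message of which QEMU version this recipe builds or whether the upstream commit cherry-picked cleanly. The message only names the upstream release (v11.0.0-rc2) that carries the fix. Please add one line saying whether the three insertions in hw/scsi/lsi53c895a.c applied without context changes, and how the result was tested (at minimum that the recipe's patch step and a build pass). The embedded header already carries the `CVE:` and `Upstream-Status: Backport [...]` tags, so nothing else is missing there.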
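Review bot: In lsi_execute_script(), the `object_ref(s)` added before `reentrancy_level++` is released only at the two exits the hunks show: the `LSI_WAIT_SCRIPTS` early return (@@ -1177) and the end of the function (@@ -1625). The code between those two hunks is not visible in this patch, so please confirm that the function body in the version this recipe builds has no other `return` after the `object_ref(s)`. Any such path would leave the reference count unbalanced and the device would never be finalized after unplug. The ordering at the visible exits looks right: `lsi_scripts_timer_start(s)` runs before the unref, and nothing dereferences `s` after either `object_unref(s)`.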
