From 67ac024a29cd6f6af1b9e4ad6e650edee76effae Mon Sep 17 00:00:00 2001 From: Kai Kang Date: Wed, 17 Dec 2025 15:51:18 +0800 Subject: [PATCH] qemu: fix CVE-2025-12464 Backport patch to fix CVE-2025-12464 for qemu. Reference: https://gitlab.com/qemu-project/qemu/-/commit/a01344d9d7 (From OE-Core rev: c3108b279bd5c49a3c0ea35880fe7fd4f5b75b96) Signed-off-by: Kai Kang Signed-off-by: Steve Sakoman --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2025-12464.patch | 70 +++++++++++++++++++ 2 files changed, 71 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-12464.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 60d372fce0..dde3b0be13 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -42,6 +42,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://qemu-guest-agent.init \ file://qemu-guest-agent.udev \ file://CVE-2024-8354.patch \ + file://CVE-2025-12464.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-12464.patch b/meta/recipes-devtools/qemu/qemu/CVE-2025-12464.patch new file mode 100644 index 0000000000..6099fc79cd --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-12464.patch @@ -0,0 +1,70 @@ +From a01344d9d78089e9e585faaeb19afccff2050abf Mon Sep 17 00:00:00 2001 +From: Peter Maydell +Date: Tue, 28 Oct 2025 16:00:42 +0000 +Subject: [PATCH] net: pad packets to minimum length in qemu_receive_packet() + +In commits like 969e50b61a28 ("net: Pad short frames to minimum size +before sending from SLiRP/TAP") we switched away from requiring +network devices to handle short frames to instead having the net core +code do the padding of short frames out to the ETH_ZLEN minimum size. +We then dropped the code for handling short frames from the network +devices in a series of commits like 140eae9c8f7 ("hw/net: e1000: +Remove the logic of padding short frames in the receive path"). + +This missed one route where the device's receive code can still see a +short frame: if the device is in loopback mode and it transmits a +short frame via the qemu_receive_packet() function, this will be fed +back into its own receive code without being padded. + +Add the padding logic to qemu_receive_packet(). + +This fixes a buffer overrun which can be triggered in the +e1000_receive_iov() logic via the loopback code path. + +Other devices that use qemu_receive_packet() to implement loopback +are cadence_gem, dp8393x, lan9118, msf2-emac, pcnet, rtl8139 +and sungem. + +Cc: qemu-stable@nongnu.org +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3043 +Reviewed-by: Akihiko Odaki +Signed-off-by: Peter Maydell +Signed-off-by: Jason Wang + +CVE: CVE-2025-12464 + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/a01344d9d7] + +Signed-off-by: Kai Kang +--- + net/net.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/net/net.c b/net/net.c +index 27e0d27807..8aefdb3424 100644 +--- a/net/net.c ++++ b/net/net.c +@@ -775,10 +775,20 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size) + + ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size) + { ++ uint8_t min_pkt[ETH_ZLEN]; ++ size_t min_pktsz = sizeof(min_pkt); ++ + if (!qemu_can_receive_packet(nc)) { + return 0; + } + ++ if (net_peer_needs_padding(nc)) { ++ if (eth_pad_short_frame(min_pkt, &min_pktsz, buf, size)) { ++ buf = min_pkt; ++ size = min_pktsz; ++ } ++ } ++ + return qemu_net_queue_receive(nc->incoming_queue, buf, size); + } + +-- +2.47.1 +