diff --git a/SPECS/qemu/CVE-2026-3196.patch b/SPECS/qemu/CVE-2026-3196.patch
new file mode 100644
index 00000000000..f51490b1241
--- /dev/null
+++ b/SPECS/qemu/CVE-2026-3196.patch
@@ -0,0 +1,68 @@
+From 394323879339a425ad8af7220b2466913ebc12e6 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Wed, 1 Jul 2026 04:42:41 +0000
+Subject: [PATCH] virtio-snd: handle 5.14.6.2 for PCM_INFO properly
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://gitlab.com/qemu-project/qemu/-/commit/d84fbf241d0322f19adfbe466c60bed5f50de262.patch
+---
+ hw/audio/virtio-snd.c | 31 +++++++++++++++++++++++++++----
+ 1 file changed, 27 insertions(+), 4 deletions(-)
+
+diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
+index 4a4ad01..a15c151 100644
+--- a/hw/audio/virtio-snd.c
++++ b/hw/audio/virtio-snd.c
+@@ -181,7 +181,7 @@ static virtio_snd_pcm_set_params *virtio_snd_pcm_get_params(VirtIOSound *s,
+ static void virtio_snd_handle_pcm_info(VirtIOSound *s,
+ virtio_snd_ctrl_command *cmd)
+ {
+- uint32_t stream_id, start_id, count, size;
++ uint32_t stream_id, start_id, count, size, tmp;
+ virtio_snd_pcm_info val;
+ virtio_snd_query_info req;
+ VirtIOSoundPCMStream *stream = NULL;
+@@ -207,14 +207,37 @@ static void virtio_snd_handle_pcm_info(VirtIOSound *s,
+ count = le32_to_cpu(req.count);
+ size = le32_to_cpu(req.size);
+ 
+- if (iov_size(cmd->elem->in_sg, cmd->elem->in_num) <
+- sizeof(virtio_snd_hdr) + size * count) {
++ /*
++ * 5.14.6.2 Driver Requirements: Item Information Request
++ * "The driver MUST NOT set start_id and count such that start_id + count
++ * is greater than the total number of particular items that is indicated
++ * in the device configuration space."
++ */
++ if (start_id > s->snd_conf.streams
++ || !g_uint_checked_add(&tmp, start_id, count)
++ || start_id + count > s->snd_conf.streams) {
++ error_report("pcm info: start_id + count is greater than the total "
++ "number of streams, got: start_id = %u, count = %u",
++ start_id, count);
++ cmd->resp.code = cpu_to_le32(VIRTIO_SND_S_BAD_MSG);
++ return;
++ }
++
++ /*
++ * 5.14.6.2 Driver Requirements: Item Information Request
++ * "The driver MUST provide a buffer of sizeof(struct virtio_snd_hdr) +
++ * count * size bytes for the response."
++ */
++ if (!g_uint_checked_mul(&tmp, size, count)
++ || !g_uint_checked_add(&tmp, tmp, sizeof(virtio_snd_hdr))
++ || iov_size(cmd->elem->in_sg, cmd->elem->in_num) <
++ sizeof(virtio_snd_hdr) + size * count) {
+ /*
+ * TODO: do we need to set DEVICE_NEEDS_RESET?
+ */
+ error_report("pcm info: buffer too small, got: %zu, needed: %zu",
+ iov_size(cmd->elem->in_sg, cmd->elem->in_num),
+- sizeof(virtio_snd_pcm_info));
++ sizeof(virtio_snd_pcm_info) * count);
+ cmd->resp.code = cpu_to_le32(VIRTIO_SND_S_BAD_MSG);
+ return;
+ }
+--
+2.45.4
+
diff --git a/SPECS/qemu/qemu.spec b/SPECS/qemu/qemu.spec
index ba21a4ca26c..e1894a61dac 100644
--- a/SPECS/qemu/qemu.spec
+++ b/SPECS/qemu/qemu.spec
@@ -432,7 +432,7 @@ Obsoletes: sgabios-bin <= 1:0.20180715git-10.fc38
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 9.1.0
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND FSFAP AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-2.0-or-later WITH GCC-exception-2.0 AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND MIT AND LicenseRef-Fedora-Public-Domain AND CC-BY-3.0
 URL: http://www.qemu.org/
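Review bot: The two new guards in the second hunk of the embedded patch compute an overflow-checked `tmp` and then discard it, re-deriving `start_id + count` and `sizeof(virtio_snd_hdr) + size * count` in the comparisons, so the value that was proven not to wrap is not the one actually tested; compare against `tmp` instead, `|| tmp > s->snd_conf.streams) {` and `|| iov_size(cmd->elem->in_sg, cmd->elem->in_num) < tmp) {`, which also makes the leading `start_id > s->snd_conf.streams` test redundant. The "buffer too small" report still prints `sizeof(virtio_snd_pcm_info) * count` as the needed size while the rejection is based on the header plus `size * count`; printing `tmp` (with `%u`) would make the log match what was checked. Nothing in this hunk relates the driver-supplied `size` to `sizeof(virtio_snd_pcm_info)`: if the per-stream write later in virtio_snd_handle_pcm_info copies `sizeof(val)` bytes at `size`-strided offsets, a `size` smaller than the struct makes this bound looser than what is written, so a `size < sizeof(virtio_snd_pcm_info)` rejection may belong here as well — the function body continues past the end of the hunk, so I cannot confirm that from this patch.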
@@ -472,6 +472,7 @@ Patch29: kvm-nbd-server-Support-inactive-nodes.patch
 Patch30: kvm-migration-Fix-UAF-for-incoming-migration-on-Migratio.patch
 Patch31: CVE-2026-3195.patch
 Patch32: CVE-2026-48914.patch
+Patch33: CVE-2026-3196.patch
 Source10: qemu-guest-agent.service
 Source11: 99-qemu-guest-agent.rules
@@ -3521,6 +3522,9 @@ fi
 # endif !tools_only
 %endif
 %changelog
+* Wed Jul 01 2026 Azure Linux Security Servicing Account - 9.1.0-10
+- Patch for CVE-2026-3196
+
 * Sat Jun 27 2026 Azure Linux Security Servicing Account - 9.1.0-9
 - Patch for CVE-2026-3195