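--- /dev/null
+++ b/SPECS/qemu/CVE-2026-3196.patch
@@ -0,0 +1,68 @@
+From 394323879339a425ad8af7220b2466913ebc12e6 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Wed, 1 Jul 2026 04:42:41 +0000
+Subject: [PATCH] virtio-snd: handle 5.14.6.2 for PCM_INFO properly
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://gitlab.com/qemu-project/qemu/-/commit/d84fbf241d0322f19adfbe466c60bed5f50de262.patch
+---
+hw/audio/virtio-snd.c | 31 +++++++++++++++++++++++++++----
+1 file changed, 27 insertions(+), 4 deletions(-)
+
+diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
+index 4a4ad01..a15c151 100644
+--- a/hw/audio/virtio-snd.c
++++ b/hw/audio/virtio-snd.c
+@@ -181,7 +181,7 @@ static virtio_snd_pcm_set_params *virtio_snd_pcm_get_params(VirtIOSound *s,
+static void virtio_snd_handle_pcm_info(VirtIOSound *s,
+virtio_snd_ctrl_command *cmd)
+{
+- uint32_t stream_id, start_id, count, size;
++ uint32_t stream_id, start_id, count, size, tmp;
+virtio_snd_pcm_info val;
+virtio_snd_query_info req;
+VirtIOSoundPCMStream *stream = NULL;
+@@ -207,14 +207,37 @@ static void virtio_snd_handle_pcm_info(VirtIOSound *s,
+count = le32_to_cpu(req.count);
+size = le32_to_cpu(req.size);
+
+- if (iov_size(cmd->elem->in_sg, cmd->elem->in_num) <
+- sizeof(virtio_snd_hdr) + size * count) {
++ /*
++ * 5.14.6.2 Driver Requirements: Item Information Request
++ * "The driver MUST NOT set start_id and count such that start_id + count
++ * is greater than the total number of particular items that is indicated
++ * in the device configuration space."
++ */
++ if (start_id > s->snd_conf.streams
++ || !g_uint_checked_add(&tmp, start_id, count)
++ || start_id + count > s->snd_conf.streams) {
++ error_report("pcm info: start_id + count is greater than the total "
++ "number of streams, got: start_id = %u, count = %u",
++ start_id, count);
++ cmd->resp.code = cpu_to_le32(VIRTIO_SND_S_BAD_MSG);
++ return;
++ }
++
++ /*
++ * 5.14.6.2 Driver Requirements: Item Information Request
++ * "The driver MUST provide a buffer of sizeof(struct virtio_snd_hdr) +
++ * count * size bytes for the response."
++ */
++ if (!g_uint_checked_mul(&tmp, size, count)
++ || !g_uint_checked_add(&tmp, tmp, sizeof(virtio_snd_hdr))
++ || iov_size(cmd->elem->in_sg, cmd->elem->in_num) <
++ sizeof(virtio_snd_hdr) + size * count) {
+/*
+* TODO: do we need to set DEVICE_NEEDS_RESET?
+*/
+error_report("pcm info: buffer too small, got: %zu, needed: %zu",
+iov_size(cmd->elem->in_sg, cmd->elem->in_num),
+- sizeof(virtio_snd_pcm_info));
++ sizeof(virtio_snd_pcm_info) * count);
+cmd->resp.code = cpu_to_le32(VIRTIO_SND_S_BAD_MSG);
+return;
+}
+--
+2.45.4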
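Review bot: The overflow-checked total written into `tmp` by the `g_uint_checked_mul`/`g_uint_checked_add` pair in the second new check is never read; the comparison that follows recomputes `sizeof(virtio_snd_hdr) + size * count` unchecked, so the guest-controlled product is still evaluated in plain arithmetic. The `||` short-circuit keeps it safe (an overflowing product already rejects the request), but the intent is clearer and the recomputation goes away with `|| iov_size(cmd->elem->in_sg, cmd->elem->in_num) < tmp) {`. The same applies to the first check, where `tmp > s->snd_conf.streams` could replace `start_id + count > s->snd_conf.streams` and would make the leading `start_id > s->snd_conf.streams` test redundant. The "needed" value logged as `sizeof(virtio_snd_pcm_info) * count` is not the quantity the check compares (the driver-supplied `size` per item plus the header), so on a mismatch the log understates what was required; `(size_t)tmp` would make the message agree with the check. Whether `size` is validated against `sizeof(virtio_snd_pcm_info)` elsewhere in `virtio_snd_handle_pcm_info` is not visible here, as the function starts and ends outside this hunk.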

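--- a/SPECS/qemu/qemu.spec
+++ b/SPECS/qemu/qemu.spec
@@ -432,7 +432,7 @@ Obsoletes: sgabios-bin <= 1:0.20180715git-10.fc38
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 9.1.0
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND FSFAP AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-2.0-or-later WITH GCC-exception-2.0 AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND MIT AND LicenseRef-Fedora-Public-Domain AND CC-BY-3.0
 URL: http://www.qemu.org/
 
@@ -472,6 +472,7 @@ Patch29: kvm-nbd-server-Support-inactive-nodes.patch
 Patch30: kvm-migration-Fix-UAF-for-incoming-migration-on-Migratio.patch
 Patch31: CVE-2026-3195.patch
 Patch32: CVE-2026-48914.patch
+Patch33: CVE-2026-3196.patch
 
 Source10: qemu-guest-agent.service
 Source11: 99-qemu-guest-agent.rules
@@ -3521,6 +3522,9 @@ fi
 # endif !tools_only
 %endif
 %changelog
+* Wed Jul 01 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 9.1.0-10
+- Patch for CVE-2026-3196
+
 * Sat Jun 27 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 9.1.0-9
 - Patch for CVE-2026-3195
 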