[AutoPR- Security] Patch qemu for CVE-2025-14876, CVE-2024-8354 [MEDIUM] #16173

Open
azurelinux-security wants to merge 1 commit into microsoft:3.0-dev from azurelinux-security:azure-autosec/qemu/3.0/1067687

azurelinux-security commented Mar 11, 2026

Auto Patch qemu for CVE-2025-14876, CVE-2024-8354.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1067687&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

Change Log
Does this affect the toolchain?

YES/NO

Associated issues
  • N/A
Links to CVEs
Test Methodology

@microsoft-github-policy-service microsoft-github-policy-service bot added Packaging 3.0-dev PRs Destined for AzureLinux 3.0 labels Mar 11, 2026
@Kanishk-Bansal Kanishk-Bansal marked this pull request as ready for review March 12, 2026 04:16
@Kanishk-Bansal Kanishk-Bansal requested a review from a team as a code owner March 12, 2026 04:16
azurelinux-security (Contributor, Author) commented

🔒 CVE Patch Review: CVE-2024-8354, CVE-2025-14876

PR #16173 — [AutoPR- Security] Patch qemu for CVE-2025-14876, CVE-2024-8354 [MEDIUM]
Package: qemu | Branch: 3.0-dev


Spec File Validation

| Check | Status | Detail |
|---|---|---|
| Release bump | | Release bumped 1 → 2 |
| Patch entry | | Patch entries added: ['CVE-2024-8354.patch', 'CVE-2025-14876.patch'] (covers ['CVE-2024-8354', 'CVE-2025-14876']) |
| Patch application | | %autosetup found in full spec — patches applied automatically |
| Changelog | | Changelog entry looks good |
| Signatures | | No source tarball changes — signatures N/A |
| Manifests | | Not a toolchain PR — manifests N/A |

Build Verification

  • Build status: ❌ FAILED
  • Artifact downloaded:
  • CVE applied during build:
  • Errors (2):
    • L61: time="2026-03-11T20:31:35Z" level=debug msg="Error: Failed to synchronize cache for repo 'Azure Linux Official Base 3.0 x86_64'"
    • L91: time="2026-03-11T20:31:48Z" level=debug msg="Error: Failed to synchronize cache for repo 'Azure Linux Official Base 3.0 x86_64'"
  • Warnings (22):
    • L10549: time="2026-03-11T20:51:33Z" level=debug msg="../subprojects/berkeley-testfloat-3/source/slowfloat.c:1016:14: warning: 'uiZ' may be used uninitialized [-Wmaybe-uninitialized]"
    • L10556: time="2026-03-11T20:51:33Z" level=debug msg="../subprojects/berkeley-testfloat-3/source/slowfloat.c:878:11: warning: 'uiZ' may be used uninitialized [-Wmaybe-uninitialized]"
    • L10563: time="2026-03-11T20:51:33Z" level=debug msg="../subprojects/berkeley-testfloat-3/source/slowfloat.c:742:11: warning: 'uiZ' may be used uninitialized [-Wmaybe-uninitialized]"
    • L10781: time="2026-03-11T20:51:48Z" level=debug msg="[9661/9957] x86_64-pc-linux-gnu-gcc -m64 -Itests/qtest/fuzz-xlnx-dp-test.p -Itests/qtest -I../tests/qtest -I. -Iqapi -Itrace -Iui -Iui/shader -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -fdiagnostics-color=auto -Wall -Winvalid-pch -std=gnu11 -O2 -g -fstack-protector-strong -Wempty-body -Wendif-labels -Wexpansion-to-defined -Wformat-security -Wformat-y2k -Wignored-qualifiers -Wimplicit-fallthrough=2 -Winit-self -Wmissing-format-attribute -Wmissing-prototypes -Wnested-externs -Wold-style-declaration -Wold-style-definition -Wredundant-decls -Wshadow=local -Wstrict-prototypes -Wtype-limits -Wundef -Wvla -Wwrite-strings -Wno-missing-include-dirs -Wno-psabi -Wno-shift-negative-value -isystem /usr/src/azl/BUILD/qemu-9.1.0/linux-headers -isystem linux-headers -iquote . -iquote /usr/src/azl/BUILD/qemu-9.1.0 -iquote /usr/src/azl/BUILD/qemu-9.1.0/include -iquote /usr/src/azl/BUILD/qemu-9.1.0/host/include/x86_64 -iquote /usr/src/azl/BUILD/qemu-9.1.0/host/include/generic -iquote /usr/src/azl/BUILD/qemu-9.1.0/tcg/i386 -pthread -DSTAP_SDT_V2 -msse2 -mcx16 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fno-strict-aliasing -fno-common -fwrapv -ftrivial-auto-var-init=zero -fzero-call-used-regs=used-gpr -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/azl/default-hardened-cc1 -fcommon -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -O2 -g -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/azl/default-hardened-cc1 -fcommon -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIE -MD -MQ tests/qtest/fuzz-xlnx-dp-test.p/fuzz-xlnx-dp-test.c.o -MF tests/qtest/fuzz-xlnx-dp-test.p/fuzz-xlnx-dp-test.c.o.d 
-o tests/qtest/fuzz-xlnx-dp-test.p/fuzz-xlnx-dp-test.c.o -c ../tests/qtest/fuzz-xlnx-dp-test.c"
    • L10792: time="2026-03-11T20:51:49Z" level=debug msg="[9672/9957] x86_64-pc-linux-gnu-gcc -m64 -o tests/qtest/fuzz-xlnx-dp-test libevent-loop-base.a.p/event-loop-base.c.o libqom.a.p/qom_container.c.o libqom.a.p/qom_object.c.o libqom.a.p/qom_object_interfaces.c.o libqom.a.p/qom_qom-qobject.c.o tests/qtest/libqos/libqos.a.p/.._libqtest.c.o tests/qtest/libqos/libqos.a.p/.._libqmp.c.o tests/qtest/libqos/libqos.a.p/qgraph.c.o tests/qtest/libqos/libqos.a.p/qos_external.c.o tests/qtest/libqos/libqos.a.p/pci.c.o tests/qtest/libqos/libqos.a.p/fw_cfg.c.o tests/qtest/libqos/libqos.a.p/libqos-malloc.c.o tests/qtest/libqos/libqos.a.p/libqos.c.o tests/qtest/libqos/libqos.a.p/sdhci-cmd.c.o tests/qtest/libqos/libqos.a.p/malloc-spapr.c.o tests/qtest/libqos/libqos.a.p/libqos-spapr.c.o tests/qtest/libqos/libqos.a.p/rtas.c.o tests/qtest/libqos/libqos.a.p/pci-spapr.c.o tests/qtest/libqos/libqos.a.p/pci-pc.c.o tests/qtest/libqos/libqos.a.p/malloc-pc.c.o tests/qtest/libqos/libqos.a.p/libqos-pc.c.o tests/qtest/libqos/libqos.a.p/ahci.c.o tests/qtest/libqos/libqos.a.p/usb.c.o tests/qtest/libqos/libqos.a.p/e1000e.c.o tests/qtest/libqos/libqos.a.p/i2c.c.o tests/qtest/libqos/libqos.a.p/i2c-imx.c.o tests/qtest/libqos/libqos.a.p/i2c-omap.c.o tests/qtest/libqos/libqos.a.p/igb.c.o tests/qtest/libqos/libqos.a.p/sdhci.c.o tests/qtest/libqos/libqos.a.p/tpci200.c.o tests/qtest/libqos/libqos.a.p/virtio.c.o tests/qtest/libqos/libqos.a.p/virtio-balloon.c.o tests/qtest/libqos/libqos.a.p/virtio-blk.c.o tests/qtest/libqos/libqos.a.p/vhost-user-blk.c.o tests/qtest/libqos/libqos.a.p/virtio-mmio.c.o tests/qtest/libqos/libqos.a.p/virtio-net.c.o tests/qtest/libqos/libqos.a.p/virtio-pci.c.o tests/qtest/libqos/libqos.a.p/virtio-pci-modern.c.o tests/qtest/libqos/libqos.a.p/virtio-rng.c.o tests/qtest/libqos/libqos.a.p/virtio-scsi.c.o tests/qtest/libqos/libqos.a.p/virtio-serial.c.o tests/qtest/libqos/libqos.a.p/virtio-iommu.c.o tests/qtest/libqos/libqos.a.p/virtio-gpio.c.o 
tests/qtest/libqos/libqos.a.p/virtio-scmi.c.o tests/qtest/libqos/libqos.a.p/generic-pcihost.c.o tests/qtest/libqos/libqos.a.p/aarch64-xlnx-zcu102-machine.c.o tests/qtest/libqos/libqos.a.p/arm-imx25-pdk-machine.c.o tests/qtest/libqos/libqos.a.p/arm-n800-machine.c.o tests/qtest/libqos/libqos.a.p/arm-raspi2-machine.c.o tests/qtest/libqos/libqos.a.p/arm-sabrelite-machine.c.o tests/qtest/libqos/libqos.a.p/arm-smdkc210-machine.c.o tests/qtest/libqos/libqos.a.p/arm-virt-machine.c.o tests/qtest/libqos/libqos.a.p/arm-xilinx-zynq-a9-machine.c.o tests/qtest/libqos/libqos.a.p/ppc64_pseries-machine.c.o tests/qtest/libqos/libqos.a.p/x86_64_pc-machine.c.o tests/qtest/libqos/libqos.a.p/riscv-virt-machine.c.o tests/qtest/libqos/libqos.a.p/loongarch-virt-machine.c.o tests/qtest/libqos/libqos.a.p/virtio-9p.c.o tests/qtest/libqos/libqos.a.p/virtio-9p-client.c.o tests/qtest/fuzz-xlnx-dp-test.p/fuzz-xlnx-dp-test.c.o -Wl,--as-needed -Wl,--no-undefined -pie -fstack-protector-strong -Wl,-z,relro -Wl,-z,now -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/azl/default-hardened-cc1 -fcommon -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/azl/default-hardened-ld -Wl,-dT,/usr/src/azl/BUILD/module_info.ld -O2 -g -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/azl/default-hardened-cc1 -fcommon -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/azl/default-hardened-ld -Wl,-dT,/usr/src/azl/BUILD/module_info.ld -Wl,--start-group libqemuutil.a subprojects/libvhost-user/libvhost-user-glib.a subprojects/libvhost-user/libvhost-user.a -lnuma /usr/lib/liburing.so 
/usr/lib/libgio-2.0.so /usr/lib/libgobject-2.0.so /usr/lib/libglib-2.0.so -Wl,--export-dynamic /usr/lib/libgmodule-2.0.so -pthread /usr/lib/libgnutls.so -lm -Wl,--end-group"
    • L10851: time="2026-03-11T20:51:53Z" level=debug msg="../tests/qtest/migration-test.c:3187:13: warning: 'test_multifd_tcp_tls_psk_mismatch' defined but not used [-Wunused-function]"
    • L10854: time="2026-03-11T20:51:53Z" level=debug msg="../tests/qtest/migration-test.c:3177:13: warning: 'test_multifd_tcp_tls_psk_match' defined but not used [-Wunused-function]"
    • L10857: time="2026-03-11T20:51:53Z" level=debug msg="../tests/qtest/migration-test.c:2508:13: warning: 'test_precopy_tcp_tls_psk_mismatch' defined but not used [-Wunused-function]"
    • L10860: time="2026-03-11T20:51:53Z" level=debug msg="../tests/qtest/migration-test.c:2497:13: warning: 'test_precopy_tcp_tls_psk_match' defined but not used [-Wunused-function]"
    • L10863: time="2026-03-11T20:51:53Z" level=debug msg="../tests/qtest/migration-test.c:2049:13: warning: 'test_precopy_unix_tls_psk' defined but not used [-Wunused-function]"
    • … and 12 more

🤖 AI Build Log Analysis

  • Risk: medium
  • Summary: The qemu 9.1.0-2.azl3 package rebuilt successfully and produced all expected binary and source RPMs. Both security patches for CVE-2024-8354 and CVE-2025-14876 applied cleanly with no rejects. While the build environment experienced transient repository synchronization and scriptlet issues during dependency setup, these did not prevent configuration, compilation, or packaging. Tests were disabled (rpmbuild --nocheck).
  • AI-detected issues:
    • Dependency installation via tdnf reported Error(1207): Could not resolve hostname and failed to synchronize cache for repo 'Azure Linux Official Base 3.0 x86_64', indicating transient network or mirror issues.
    • During a dependency script step, /usr/src/azl/BUILD/systemtap-5.0/missing was not found, causing make Error 127; this did not abort the qemu build but indicates a failing systemtap-related scriptlet.
    • modprobe: FATAL: Module i2c-dev not found in directory /lib/modules/... during lm-sensors post-install, which contributed to a scriptlet failure.
  • AI-detected warnings:
    • warning: %post(lm-sensors-3.6.0-2.azl3.x86_64) scriptlet failed, exit status 1.
    • Patch for CVE-2021-20255 applied with offsets in hw/net/eepro100.c (hunks succeeded at +7 lines).
    • Patch for CVE-2025-11234 applied with small offsets in io/channel-tls.c and io/channel-websock.c.
    • Patch for CVE-2025-12464 applied with an offset (-12 lines) in net/net.c.
    • warning: Macro expanded in comment: %{name}.lang.
    • warning: Could not canonicalize hostname.
    • touch: cannot touch '/var/lib/rpm-state/systemd-resolved.initial-installation': No such file or directory.

🧪 Test Log Analysis

  • Test status: ❌ FAILED
  • Test warnings (132):
    • L10551: time="2026-03-11T20:51:33Z" level=debug msg="../subprojects/berkeley-testfloat-3/source/slowfloat.c:1016:14: warning: 'uiZ' may be used uninitialized [-Wmaybe-uninitialized]"
    • L10558: time="2026-03-11T20:51:33Z" level=debug msg="../subprojects/berkeley-testfloat-3/source/slowfloat.c:878:11: warning: 'uiZ' may be used uninitialized [-Wmaybe-uninitialized]"
    • L10565: time="2026-03-11T20:51:33Z" level=debug msg="../subprojects/berkeley-testfloat-3/source/slowfloat.c:742:11: warning: 'uiZ' may be used uninitialized [-Wmaybe-uninitialized]"
    • L10791: time="2026-03-11T20:51:49Z" level=debug msg="[9666/9957] x86_64-pc-linux-gnu-gcc -m64 -Itests/qtest/fuzz-xlnx-dp-test.p -Itests/qtest -I../tests/qtest -I. -Iqapi -Itrace -Iui -Iui/shader -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -fdiagnostics-color=auto -Wall -Winvalid-pch -std=gnu11 -O2 -g -fstack-protector-strong -Wempty-body -Wendif-labels -Wexpansion-to-defined -Wformat-security -Wformat-y2k -Wignored-qualifiers -Wimplicit-fallthrough=2 -Winit-self -Wmissing-format-attribute -Wmissing-prototypes -Wnested-externs -Wold-style-declaration -Wold-style-definition -Wredundant-decls -Wshadow=local -Wstrict-prototypes -Wtype-limits -Wundef -Wvla -Wwrite-strings -Wno-missing-include-dirs -Wno-psabi -Wno-shift-negative-value -isystem /usr/src/azl/BUILD/qemu-9.1.0/linux-headers -isystem linux-headers -iquote . -iquote /usr/src/azl/BUILD/qemu-9.1.0 -iquote /usr/src/azl/BUILD/qemu-9.1.0/include -iquote /usr/src/azl/BUILD/qemu-9.1.0/host/include/x86_64 -iquote /usr/src/azl/BUILD/qemu-9.1.0/host/include/generic -iquote /usr/src/azl/BUILD/qemu-9.1.0/tcg/i386 -pthread -DSTAP_SDT_V2 -msse2 -mcx16 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fno-strict-aliasing -fno-common -fwrapv -ftrivial-auto-var-init=zero -fzero-call-used-regs=used-gpr -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/azl/default-hardened-cc1 -fcommon -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -O2 -g -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/azl/default-hardened-cc1 -fcommon -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIE -MD -MQ tests/qtest/fuzz-xlnx-dp-test.p/fuzz-xlnx-dp-test.c.o -MF tests/qtest/fuzz-xlnx-dp-test.p/fuzz-xlnx-dp-test.c.o.d 
-o tests/qtest/fuzz-xlnx-dp-test.p/fuzz-xlnx-dp-test.c.o -c ../tests/qtest/fuzz-xlnx-dp-test.c"
    • L10797: time="2026-03-11T20:51:49Z" level=debug msg="[9672/9957] x86_64-pc-linux-gnu-gcc -m64 -o tests/qtest/fuzz-xlnx-dp-test libevent-loop-base.a.p/event-loop-base.c.o libqom.a.p/qom_container.c.o libqom.a.p/qom_object.c.o libqom.a.p/qom_object_interfaces.c.o libqom.a.p/qom_qom-qobject.c.o tests/qtest/libqos/libqos.a.p/.._libqtest.c.o tests/qtest/libqos/libqos.a.p/.._libqmp.c.o tests/qtest/libqos/libqos.a.p/qgraph.c.o tests/qtest/libqos/libqos.a.p/qos_external.c.o tests/qtest/libqos/libqos.a.p/pci.c.o tests/qtest/libqos/libqos.a.p/fw_cfg.c.o tests/qtest/libqos/libqos.a.p/libqos-malloc.c.o tests/qtest/libqos/libqos.a.p/libqos.c.o tests/qtest/libqos/libqos.a.p/sdhci-cmd.c.o tests/qtest/libqos/libqos.a.p/malloc-spapr.c.o tests/qtest/libqos/libqos.a.p/libqos-spapr.c.o tests/qtest/libqos/libqos.a.p/rtas.c.o tests/qtest/libqos/libqos.a.p/pci-spapr.c.o tests/qtest/libqos/libqos.a.p/pci-pc.c.o tests/qtest/libqos/libqos.a.p/malloc-pc.c.o tests/qtest/libqos/libqos.a.p/libqos-pc.c.o tests/qtest/libqos/libqos.a.p/ahci.c.o tests/qtest/libqos/libqos.a.p/usb.c.o tests/qtest/libqos/libqos.a.p/e1000e.c.o tests/qtest/libqos/libqos.a.p/i2c.c.o tests/qtest/libqos/libqos.a.p/i2c-imx.c.o tests/qtest/libqos/libqos.a.p/i2c-omap.c.o tests/qtest/libqos/libqos.a.p/igb.c.o tests/qtest/libqos/libqos.a.p/sdhci.c.o tests/qtest/libqos/libqos.a.p/tpci200.c.o tests/qtest/libqos/libqos.a.p/virtio.c.o tests/qtest/libqos/libqos.a.p/virtio-balloon.c.o tests/qtest/libqos/libqos.a.p/virtio-blk.c.o tests/qtest/libqos/libqos.a.p/vhost-user-blk.c.o tests/qtest/libqos/libqos.a.p/virtio-mmio.c.o tests/qtest/libqos/libqos.a.p/virtio-net.c.o tests/qtest/libqos/libqos.a.p/virtio-pci.c.o tests/qtest/libqos/libqos.a.p/virtio-pci-modern.c.o tests/qtest/libqos/libqos.a.p/virtio-rng.c.o tests/qtest/libqos/libqos.a.p/virtio-scsi.c.o tests/qtest/libqos/libqos.a.p/virtio-serial.c.o tests/qtest/libqos/libqos.a.p/virtio-iommu.c.o tests/qtest/libqos/libqos.a.p/virtio-gpio.c.o 
tests/qtest/libqos/libqos.a.p/virtio-scmi.c.o tests/qtest/libqos/libqos.a.p/generic-pcihost.c.o tests/qtest/libqos/libqos.a.p/aarch64-xlnx-zcu102-machine.c.o tests/qtest/libqos/libqos.a.p/arm-imx25-pdk-machine.c.o tests/qtest/libqos/libqos.a.p/arm-n800-machine.c.o tests/qtest/libqos/libqos.a.p/arm-raspi2-machine.c.o tests/qtest/libqos/libqos.a.p/arm-sabrelite-machine.c.o tests/qtest/libqos/libqos.a.p/arm-smdkc210-machine.c.o tests/qtest/libqos/libqos.a.p/arm-virt-machine.c.o tests/qtest/libqos/libqos.a.p/arm-xilinx-zynq-a9-machine.c.o tests/qtest/libqos/libqos.a.p/ppc64_pseries-machine.c.o tests/qtest/libqos/libqos.a.p/x86_64_pc-machine.c.o tests/qtest/libqos/libqos.a.p/riscv-virt-machine.c.o tests/qtest/libqos/libqos.a.p/loongarch-virt-machine.c.o tests/qtest/libqos/libqos.a.p/virtio-9p.c.o tests/qtest/libqos/libqos.a.p/virtio-9p-client.c.o tests/qtest/fuzz-xlnx-dp-test.p/fuzz-xlnx-dp-test.c.o -Wl,--as-needed -Wl,--no-undefined -pie -fstack-protector-strong -Wl,-z,relro -Wl,-z,now -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/azl/default-hardened-cc1 -fcommon -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/azl/default-hardened-ld -Wl,-dT,/usr/src/azl/BUILD/module_info.ld -O2 -g -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/azl/default-hardened-cc1 -fcommon -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/azl/default-hardened-ld -Wl,-dT,/usr/src/azl/BUILD/module_info.ld -Wl,--start-group libqemuutil.a subprojects/libvhost-user/libvhost-user-glib.a subprojects/libvhost-user/libvhost-user.a -lnuma /usr/lib/liburing.so 
/usr/lib/libgio-2.0.so /usr/lib/libgobject-2.0.so /usr/lib/libglib-2.0.so -Wl,--export-dynamic /usr/lib/libgmodule-2.0.so -pthread /usr/lib/libgnutls.so -lm -Wl,--end-group"
    • L10840: time="2026-03-11T20:51:52Z" level=debug msg="../tests/qtest/migration-test.c:3187:13: warning: 'test_multifd_tcp_tls_psk_mismatch' defined but not used [-Wunused-function]"
    • L10843: time="2026-03-11T20:51:52Z" level=debug msg="../tests/qtest/migration-test.c:3177:13: warning: 'test_multifd_tcp_tls_psk_match' defined but not used [-Wunused-function]"
    • L10846: time="2026-03-11T20:51:52Z" level=debug msg="../tests/qtest/migration-test.c:2508:13: warning: 'test_precopy_tcp_tls_psk_mismatch' defined but not used [-Wunused-function]"
    • L10849: time="2026-03-11T20:51:52Z" level=debug msg="../tests/qtest/migration-test.c:2497:13: warning: 'test_precopy_tcp_tls_psk_match' defined but not used [-Wunused-function]"
    • L10852: time="2026-03-11T20:51:52Z" level=debug msg="../tests/qtest/migration-test.c:2049:13: warning: 'test_precopy_unix_tls_psk' defined but not used [-Wunused-function]"

🤖 AI Test Log Analysis

  • Risk: medium
  • Summary: QEMU 9.1.0 built successfully and the CVE patches for CVE-2024-8354 (hw/usb/hcd-uhci.c) and CVE-2025-14876 (hw/virtio/virtio-crypto.c) applied cleanly, but there is no visible %check or test-suite output in the log; a patch explicitly disables certain failing tests (migration-test) on this distro, so overall test coverage and pass/fail status cannot be verified from the provided log.
  • AI-detected test issues:
    • No %check/meson test execution output detected; unable to confirm that the test suite ran.
    • Some tests explicitly disabled by patch 0002-Disable-failing-tests-on-azl.patch (affecting tests/qtest/migration-test.c).
    • Non-fatal environment/scriptlet issue during dependency installation: lm-sensors %post failed due to missing i2c-dev module.
    • Packaging warnings (duplicate/missing build-ids) observed; not test failures but indicate packaging anomalies.

Patch Analysis

  • Match type: backport
  • Risk assessment: low
  • Summary:
    • The PR patch is a clean backport of the upstream fix for CVE-2024-8354, introducing the same logic to reject USB SETUP tokens to non-zero endpoints in UHCI. It adds ep_id extraction, adjusts the switch-case to treat non-EP0 SETUP as a fatal TD error, and uses ep_id in usb_ep_get, matching upstream functionality. Differences are limited to context/line numbers and packaging metadata.
    • The PR patch is a direct backport of the upstream fix that adds a bounds check in virtio_crypto_handle_asym_req to ensure the combined src_len + dst_len does not exceed vcrypto->conf.max_size. The code changes are identical to upstream; differences are limited to packaging metadata and differing context hashes.

Detailed analysis

Comparison of hunks:

  • Variable extraction: Both upstream and PR add 'uint8_t ep_id = (td->token >> 15) & 0xf;' immediately after computing pid in uhci_handle_td(). This is identical.
  • PID switch handling: Upstream changes the switch on pid to remove the unconditional 'USB_TOKEN_SETUP' break alongside OUT/IN, and instead adds a dedicated 'case USB_TOKEN_SETUP:' which only breaks if ep_id == 0, otherwise falls through to 'default' to signal an error. The PR patch applies exactly the same change, including the comment and fallthrough behavior. This ensures SETUP to non-zero endpoints is treated as a fatal TD error, preventing the assertion in the USB core.
  • usb_ep_get call: Upstream replaces 'usb_ep_get(dev, pid, (td->token >> 15) & 0xf);' with 'usb_ep_get(dev, pid, ep_id);'. The PR patch does the same.

Context/offsets: The PR patch applies the hunks at slightly different line numbers (724/767/816 vs 735/778/829), and with different blob indices, which is expected for a backport to a different QEMU base. The surrounding context in the PR matches the upstream locations and semantics (same function, same control flow around error handling). No upstream hunks are missing.

Metadata differences: The PR patch includes additional Signed-off-by and an Upstream-reference URL appropriate for packaging; these do not affect code.

Risk assessment: Low. The PR implements the same minimal and targeted change as upstream. It only affects handling of invalid guest input (SETUP to non-zero endpoint), converting a crash/assertion into a handled controller error. Potential regressions are unlikely, as valid SETUP to endpoint 0 remains permitted and other paths are unchanged.

  1. Core fix equivalence: The PR patch introduces the same 7-line change as upstream within hw/virtio/virtio-crypto.c. It adds a uint64_t max_len variable, computes max_len = (uint64_t)src_len + dst_len, and checks if max_len > vcrypto->conf.max_size. On violation, it calls virtio_error(vdev, "virtio-crypto asym request is too large") and jumps to the existing err label. This matches the upstream logic exactly, including the unlikely() hint.

  2. Differences vs upstream: The only differences are in patch metadata and context: the PR stores the change as SPECS/qemu/CVE-2025-14876.patch with an added Signed-off-by: rpm-build and an Upstream-reference URL. The file index hashes differ (5034768..5e5c9cd vs cbd1810fbc6fa..6fceb396813d2), which is consistent with applying to a different tree revision. The functional code hunk is identical.

  3. Missing hunks: None. Upstream patch only contains this single hunk with 7 insertions; the PR patch contains the same hunk and no parts are omitted.

  4. Completeness and regression risk: The fix prevents overly large asymmetric crypto requests from guests by validating the sum of src and dst lengths against the configured maximum. Casting src_len to uint64_t before addition prevents 32-bit overflow in the sum. The check is performed before any buffer allocation or iov_to_buf operations, which is correct to avert excessive allocation or copying. As this is a straightforward bounds check identical to upstream's accepted fix, the risk of regressions is low; the primary behavioral change is rejecting requests that exceed the configured maximum.

  5. Backport context safety: The surrounding context lines and function name match, and the goto err path is present in this function in QEMU. The difference in index hashes indicates a different base but does not affect the semantics of the change. Therefore, this is a clean backport.

Raw diff (upstream vs PR)
--- upstream
+++ pr
@@ -1,69 +1,80 @@
-From d0af3cd0274e265435170a583c72b9f0a4100dff Mon Sep 17 00:00:00 2001
-From: Peter Maydell <peter.maydell@linaro.org>
-Date: Mon, 15 Sep 2025 14:29:10 +0100
-Subject: [PATCH] hw/usb/hcd-uhci: don't assert for SETUP to non-0 endpoint
-
-If the guest feeds invalid data to the UHCI controller, we
-can assert:
-qemu-system-x86_64: ../../hw/usb/core.c:744: usb_ep_get: Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed.
-
-(see issue 2548 for the repro case).  This happens because the guest
-attempts USB_TOKEN_SETUP to an endpoint other than 0, which is not
-valid.  The controller code doesn't catch this guest error, so
-instead we hit the assertion in the USB core code.
-
-Catch the case of SETUP to non-zero endpoint, and treat it as a fatal
-error in the TD, in the same way we do for an invalid PID value in
-the TD.
-
-This is the UHCI equivalent of the same bug in OHCI that we fixed in
-commit 3c3c233677 ("hw/usb/hcd-ohci: Fix #1510, #303: pid not IN or
-OUT").
-
-This bug has been tracked as CVE-2024-8354.
-
-Cc: qemu-stable@nongnu.org
-Fixes: https://gitlab.com/qemu-project/qemu/-/issues/2548
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
----
- hw/usb/hcd-uhci.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/hw/usb/hcd-uhci.c b/hw/usb/hcd-uhci.c
-index 4822c704f6922..e207d0587a117 100644
---- a/hw/usb/hcd-uhci.c
-+++ b/hw/usb/hcd-uhci.c
-@@ -735,6 +735,7 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr,
-     bool spd;
-     bool queuing = (q != NULL);
-     uint8_t pid = td->token & 0xff;
-+    uint8_t ep_id = (td->token >> 15) & 0xf;
-     UHCIAsync *async;
- 
-     async = uhci_async_find_td(s, td_addr);
-@@ -778,9 +779,14 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr,
- 
-     switch (pid) {
-     case USB_TOKEN_OUT:
--    case USB_TOKEN_SETUP:
-     case USB_TOKEN_IN:
-         break;
-+    case USB_TOKEN_SETUP:
-+        /* SETUP is only valid to endpoint 0 */
-+        if (ep_id == 0) {
-+            break;
-+        }
-+        /* fallthrough */
-     default:
-         /* invalid pid : frame interrupted */
-         s->status |= UHCI_STS_HCPERR;
-@@ -829,7 +835,7 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr,
-             return uhci_handle_td_error(s, td, td_addr, USB_RET_NODEV,
-                                         int_mask);
-         }
--        ep = usb_ep_get(dev, pid, (td->token >> 15) & 0xf);
-+        ep = usb_ep_get(dev, pid, ep_id);
-         q = uhci_queue_new(s, qh_addr, td, ep);
-     }
-     async = uhci_async_alloc(q, td_addr);
+diff --git a/SPECS/qemu/CVE-2024-8354.patch b/SPECS/qemu/CVE-2024-8354.patch
+new file mode 100644
+index 00000000000..f9461b93ad6
+--- /dev/null
++++ b/SPECS/qemu/CVE-2024-8354.patch
+@@ -0,0 +1,74 @@
++From 3f96bd7f8f0e77baa3d0d8cf8847e35ce1f2a646 Mon Sep 17 00:00:00 2001
++From: Peter Maydell <peter.maydell@linaro.org>
++Date: Mon, 15 Sep 2025 14:29:10 +0100
++Subject: [PATCH] hw/usb/hcd-uhci: don't assert for SETUP to non-0 endpoint
++
++If the guest feeds invalid data to the UHCI controller, we
++can assert:
++qemu-system-x86_64: ../../hw/usb/core.c:744: usb_ep_get: Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed.
++
++(see issue 2548 for the repro case).  This happens because the guest
++attempts USB_TOKEN_SETUP to an endpoint other than 0, which is not
++valid.  The controller code doesn't catch this guest error, so
++instead we hit the assertion in the USB core code.
++
++Catch the case of SETUP to non-zero endpoint, and treat it as a fatal
++error in the TD, in the same way we do for an invalid PID value in
++the TD.
++
++This is the UHCI equivalent of the same bug in OHCI that we fixed in
++commit 3c3c233677 ("hw/usb/hcd-ohci: Fix #1510, #303: pid not IN or
++OUT").
++
++This bug has been tracked as CVE-2024-8354.
++
++Cc: qemu-stable@nongnu.org
++Fixes: https://gitlab.com/qemu-project/qemu/-/issues/2548
++Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
++Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
++Signed-off-by: rpm-build <rpm-build>
++Upstream-reference: https://github.com/qemu/qemu/commit/d0af3cd0274e265435170a583c72b9f0a4100dff.patch
++---
++ hw/usb/hcd-uhci.c | 10 ++++++++--
++ 1 file changed, 8 insertions(+), 2 deletions(-)
++
++diff --git a/hw/usb/hcd-uhci.c b/hw/usb/hcd-uhci.c
++index a03cf22..42d34f0 100644
++--- a/hw/usb/hcd-uhci.c
+++++ b/hw/usb/hcd-uhci.c
++@@ -724,6 +724,7 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr,
++     bool spd;
++     bool queuing = (q != NULL);
++     uint8_t pid = td->token & 0xff;
+++    uint8_t ep_id = (td->token >> 15) & 0xf;
++     UHCIAsync *async;
++ 
++     async = uhci_async_find_td(s, td_addr);
++@@ -767,9 +768,14 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr,
++ 
++     switch (pid) {
++     case USB_TOKEN_OUT:
++-    case USB_TOKEN_SETUP:
++     case USB_TOKEN_IN:
++         break;
+++    case USB_TOKEN_SETUP:
+++        /* SETUP is only valid to endpoint 0 */
+++        if (ep_id == 0) {
+++            break;
+++        }
+++        /* fallthrough */
++     default:
++         /* invalid pid : frame interrupted */
++         s->status |= UHCI_STS_HCPERR;
++@@ -816,7 +822,7 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr,
++             return uhci_handle_td_error(s, td, td_addr, USB_RET_NODEV,
++                                         int_mask);
++         }
++-        ep = usb_ep_get(dev, pid, (td->token >> 15) & 0xf);
+++        ep = usb_ep_get(dev, pid, ep_id);
++         q = uhci_queue_new(s, qh_addr, td, ep);
++     }
++     async = uhci_async_alloc(q, td_addr);
++-- 
++2.45.4
++
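
Review bot: The new reject path under `case USB_TOKEN_SETUP:` (inner hunk `@@ -767,9 +768,14 @@`) is not exercised anywhere in this PR: the backport touches only hw/usb/hcd-uhci.c (`1 file changed, 8 insertions(+), 2 deletions(-)`), adds no test, and the build analysis above reports that tests were disabled (`rpmbuild --nocheck`). Run the package with RUN_CHECK=y as the merge checklist asks, or otherwise confirm that a SETUP token with `ep_id != 0` now sets `UHCI_STS_HCPERR` instead of reaching the `usb_ep_get` assertion. Separately, the added trailer `Signed-off-by: rpm-build <rpm-build>` names no real identity or address; it should identify the person or service accountable for the backport.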

--- upstream
+++ pr
@@ -1,45 +1,56 @@
-From 91c6438caffc880e999a7312825479685d659b44 Mon Sep 17 00:00:00 2001
-From: zhenwei pi <pizhenwei@tensorfer.com>
-Date: Sun, 21 Dec 2025 10:43:20 +0800
-Subject: [PATCH] hw/virtio/virtio-crypto: verify asym request size
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The total lenght of request is limited by cryptodev config, verify it
-to avoid unexpected request from guest.
-
-Fixes: CVE-2025-14876
-Fixes: 0e660a6f90a ("crypto: Introduce RSA algorithm")
-Reported-by: 이재영 <nakamurajames123@gmail.com>
-Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Message-Id: <20251221024321.143196-2-zhenwei.pi@linux.dev>
----
- hw/virtio/virtio-crypto.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
-index cbd1810fbc6fa..6fceb396813d2 100644
---- a/hw/virtio/virtio-crypto.c
-+++ b/hw/virtio/virtio-crypto.c
-@@ -767,11 +767,18 @@ virtio_crypto_handle_asym_req(VirtIOCrypto *vcrypto,
-     uint32_t len;
-     uint8_t *src = NULL;
-     uint8_t *dst = NULL;
-+    uint64_t max_len;
- 
-     asym_op_info = g_new0(CryptoDevBackendAsymOpInfo, 1);
-     src_len = ldl_le_p(&req->para.src_data_len);
-     dst_len = ldl_le_p(&req->para.dst_data_len);
- 
-+    max_len = (uint64_t)src_len + dst_len;
-+    if (unlikely(max_len > vcrypto->conf.max_size)) {
-+        virtio_error(vdev, "virtio-crypto asym request is too large");
-+        goto err;
-+    }
+diff --git a/SPECS/qemu/CVE-2025-14876.patch b/SPECS/qemu/CVE-2025-14876.patch
+new file mode 100644
+index 00000000000..213fff7796e
+--- /dev/null
++++ b/SPECS/qemu/CVE-2025-14876.patch
+@@ -0,0 +1,50 @@
++From 7f06bba748f806932804cf7617b566cfcefe849f Mon Sep 17 00:00:00 2001
++From: zhenwei pi <pizhenwei@tensorfer.com>
++Date: Sun, 21 Dec 2025 10:43:20 +0800
++Subject: [PATCH] hw/virtio/virtio-crypto: verify asym request size
++MIME-Version: 1.0
++Content-Type: text/plain; charset=UTF-8
++Content-Transfer-Encoding: 8bit
 +
-     if (src_len > 0) {
-         src = g_malloc0(src_len);
-         len = iov_to_buf(iov, out_num, 0, src, src_len);
++The total lenght of request is limited by cryptodev config, verify it
++to avoid unexpected request from guest.
++
++Fixes: CVE-2025-14876
++Fixes: 0e660a6f90a ("crypto: Introduce RSA algorithm")
++Reported-by: 이재영 <nakamurajames123@gmail.com>
++Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
++Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
++Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
++Message-Id: <20251221024321.143196-2-zhenwei.pi@linux.dev>
++Signed-off-by: rpm-build <rpm-build>
++Upstream-reference: https://github.com/qemu/qemu/commit/91c6438caffc880e999a7312825479685d659b44.patch
++---
++ hw/virtio/virtio-crypto.c | 7 +++++++
++ 1 file changed, 7 insertions(+)
++
++diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
++index 5034768..5e5c9cd 100644
++--- a/hw/virtio/virtio-crypto.c
+++++ b/hw/virtio/virtio-crypto.c
++@@ -767,11 +767,18 @@ virtio_crypto_handle_asym_req(VirtIOCrypto *vcrypto,
++     uint32_t len;
++     uint8_t *src = NULL;
++     uint8_t *dst = NULL;
+++    uint64_t max_len;
++ 
++     asym_op_info = g_new0(CryptoDevBackendAsymOpInfo, 1);
++     src_len = ldl_le_p(&req->para.src_data_len);
++     dst_len = ldl_le_p(&req->para.dst_data_len);
++ 
+++    max_len = (uint64_t)src_len + dst_len;
+++    if (unlikely(max_len > vcrypto->conf.max_size)) {
+++        virtio_error(vdev, "virtio-crypto asym request is too large");
+++        goto err;
+++    }
+++
++     if (src_len > 0) {
++         src = g_malloc0(src_len);
++         len = iov_to_buf(iov, out_num, 0, src, src_len);
++-- 
++2.45.4
++
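Review bot: In the `virtio_crypto_handle_asym_req` hunk, the new size check sits after `asym_op_info = g_new0(CryptoDevBackendAsymOpInfo, 1);`, so the `goto err` it adds runs with that allocation live. The `err` label is outside the visible context, so confirm it releases `asym_op_info`, or move the check above the allocation. The `(uint64_t)` cast on `src_len` before the addition is what keeps the sum of two values read with `ldl_le_p` from wrapping at 32 bits and should stay as written. The variable holds the request's total length rather than a limit, so a name such as `total_len` would read better than `max_len`. Against the upstream side of this comparison the code lines are the same; the PR copy differs only in the `From` hash, the `index` line, and the added `Signed-off-by: rpm-build` and `Upstream-reference` trailers.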

Verdict

CHANGES REQUESTED — Please address the issues flagged above.

@Kanishk-Bansal Kanishk-Bansal left a comment

Patch matches upstream, we are removing the test using 0002-Disable-failing-tests-on-azl.patch
AI analysis for build warnings are known and harmless.
LGTM

@Kanishk-Bansal Kanishk-Bansal added the ready-for-stable-review PR has passed initial review and is now ready for a second-level stable maintainer review label Mar 12, 2026

Labels

3.0-dev PRs Destined for AzureLinux 3.0 AutoPR-Security Packaging ready-for-stable-review PR has passed initial review and is now ready for a second-level stable maintainer review security
