Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2226107/?format=api
{ "id": 2226107, "url": "http://patchwork.ozlabs.org/api/patches/2226107/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260422092910.444997-2-kraxel@redhat.com/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260422092910.444997-2-kraxel@redhat.com>", "list_archive_url": null, "date": "2026-04-22T09:29:04", "name": "[1/6] hw/uefi: fix buffer overruns", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "14a9ca40d8c468582e1abc245aa418f0ec4690f7", "submitter": { "id": 589, "url": "http://patchwork.ozlabs.org/api/people/589/?format=api", "name": "Gerd Hoffmann", "email": "kraxel@redhat.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260422092910.444997-2-kraxel@redhat.com/mbox/", "series": [ { "id": 500953, "url": "http://patchwork.ozlabs.org/api/series/500953/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=500953", "date": "2026-04-22T09:29:03", "name": "hw/uefi: a batch of security fixes", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/500953/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2226107/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2226107/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=PJgqzkr2;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0v8P6znbz1y2d\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 22 Apr 2026 19:30:12 +1000 (AEST)", "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wFTtb-00042U-7a; Wed, 22 Apr 2026 05:29:23 -0400", "from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <kraxel@redhat.com>) id 1wFTtX-00041T-MQ\n for qemu-devel@nongnu.org; Wed, 22 Apr 2026 05:29:19 -0400", "from us-smtp-delivery-124.mimecast.com ([170.10.129.124])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <kraxel@redhat.com>) id 1wFTtW-0007nS-8Z\n for qemu-devel@nongnu.org; Wed, 22 Apr 2026 05:29:19 -0400", "from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com\n (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by\n relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n cipher=TLS_AES_256_GCM_SHA384) id us-mta-655-znAoKh2pNuOPJ1ZJUlF9xQ-1; Wed,\n 22 Apr 2026 05:29:13 -0400", "from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com\n (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS\n id D81171800370; Wed, 22 Apr 2026 09:29:12 +0000 (UTC)", "from sirius.home.kraxel.org (unknown [10.44.48.53])\n by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with\n ESMTPS\n id 49FFF180047F; Wed, 22 Apr 2026 09:29:12 +0000 (UTC)", "by sirius.home.kraxel.org (Postfix, from userid 1000)\n id 2C7971801022; Wed, 22 Apr 2026 11:29:10 +0200 (CEST)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1776850157;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:\n content-transfer-encoding:content-transfer-encoding:\n in-reply-to:in-reply-to:references:references;\n bh=oXM0BYtBJ+OU81xkYbvynrY9rWrN/LL+9+zViB+eWHw=;\n b=PJgqzkr2svlW+yrLNiU+hxHmCFWaLQAi2A7/ljaph5ahLWqejFH/qMFXFQdZXyxRNJ6hrE\n fgbWeXnlAf/4Panhw289sauVl188rOJWMyWMtdyeAH051zr/MrULaTL1frCXZLmTpRj2vC\n XPqKMYqVNQJP4IaeregVVIdIgGVc6l8=", "X-MC-Unique": "znAoKh2pNuOPJ1ZJUlF9xQ-1", "X-Mimecast-MFC-AGG-ID": "znAoKh2pNuOPJ1ZJUlF9xQ_1776850153", "From": "Gerd Hoffmann <kraxel@redhat.com>", "To": "qemu-devel@nongnu.org", "Cc": "Gerd Hoffmann <kraxel@redhat.com>,\n Katherine Leaver <katherine.j.leaver@gmail.com>", "Subject": "[PATCH 1/6] hw/uefi: fix buffer overruns", "Date": "Wed, 22 Apr 2026 11:29:04 +0200", "Message-ID": "<20260422092910.444997-2-kraxel@redhat.com>", "In-Reply-To": "<20260422092910.444997-1-kraxel@redhat.com>", "References": "<20260422092910.444997-1-kraxel@redhat.com>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "X-Scanned-By": "MIMEDefang 3.4.1 on 10.30.177.111", "Received-SPF": "pass client-ip=170.10.129.124; envelope-from=kraxel@redhat.com;\n helo=us-smtp-delivery-124.mimecast.com", "X-Spam_score_int": "-20", "X-Spam_score": "-2.1", "X-Spam_bar": "--", "X-Spam_report": "(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001,\n DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001,\n SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no", "X-Spam_action": "no action", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "The buffer size checks do not consider the mm_header size, simliar to\nCVE-2026-5744. Factor out the repeated size check to a small helper\nfunction, fix the check, update all places to use the new helper.\n\nFixes: CVE-2026-41435\nFixes: db1ecfb473ac (\"hw/uefi: add var-service-vars.c\")\nReported-by: Katherine Leaver <katherine.j.leaver@gmail.com>\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>\n---\n hw/uefi/var-service-vars.c | 19 +++++++++++++++----\n 1 file changed, 15 insertions(+), 4 deletions(-)", "diff": "diff --git a/hw/uefi/var-service-vars.c b/hw/uefi/var-service-vars.c\nindex 5e3907118d4b..24e6516a9cc0 100644\n--- a/hw/uefi/var-service-vars.c\n+++ b/hw/uefi/var-service-vars.c\n@@ -297,6 +297,17 @@ static size_t uefi_vars_mm_error(mm_header *mhdr, mm_variable *mvar,\n return sizeof(*mvar);\n }\n \n+static bool check_buffer_size(uefi_vars_state *uv, uint64_t length)\n+{\n+ /* uefi_vars_cmd_mm() checks that */\n+ g_assert(uv->buf_size >= sizeof(mm_header));\n+\n+ if (uv->buf_size - sizeof(mm_header) < length) {\n+ return false;\n+ }\n+ return true;\n+}\n+\n static size_t uefi_vars_mm_get_variable(uefi_vars_state *uv, mm_header *mhdr,\n mm_variable *mvar, void *func)\n {\n@@ -344,7 +355,7 @@ static size_t uefi_vars_mm_get_variable(uefi_vars_state *uv, mm_header *mhdr,\n if (uadd64_overflow(length, va->data_size, &length)) {\n return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);\n }\n- if (uv->buf_size < length) {\n+ if (!check_buffer_size(uv, length)) {\n return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);\n }\n \n@@ -414,7 +425,7 @@ uefi_vars_mm_get_next_variable(uefi_vars_state *uv, mm_header *mhdr,\n }\n \n length = sizeof(*mvar) + sizeof(*nv) + var->name_size;\n- if (uv->buf_size < length) {\n+ if (!check_buffer_size(uv, length)) {\n return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);\n }\n \n@@ -605,7 +616,7 @@ static size_t uefi_vars_mm_variable_info(uefi_vars_state *uv, mm_header *mhdr,\n uint64_t length;\n \n length = sizeof(*mvar) + sizeof(*vi);\n- if (uv->buf_size < length) {\n+ if (!check_buffer_size(uv, length)) {\n return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);\n }\n \n@@ -626,7 +637,7 @@ uefi_vars_mm_get_payload_size(uefi_vars_state *uv, mm_header *mhdr,\n uint64_t length;\n \n length = sizeof(*mvar) + sizeof(*ps);\n- if (uv->buf_size < length) {\n+ if (!check_buffer_size(uv, length)) {\n return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);\n }\n \n", "prefixes": [ "1/6" ] }