Patch Detail

HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2226109,
    "url": "http://patchwork.ozlabs.org/api/patches/2226109/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260422092910.444997-7-kraxel@redhat.com/",
    "project": {
        "id": 14,
        "url": "http://patchwork.ozlabs.org/api/projects/14/?format=api",
        "name": "QEMU Development",
        "link_name": "qemu-devel",
        "list_id": "qemu-devel.nongnu.org",
        "list_email": "qemu-devel@nongnu.org",
        "web_url": "",
        "scm_url": "",
        "webscm_url": "",
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<20260422092910.444997-7-kraxel@redhat.com>",
    "list_archive_url": null,
    "date": "2026-04-22T09:29:09",
    "name": "[6/6] hw/uefi: avoid possibly unaligned variable_auth_2 struct field access",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "c134b240b8eedbe943dfa49c8e694cca908d78fb",
    "submitter": {
        "id": 589,
        "url": "http://patchwork.ozlabs.org/api/people/589/?format=api",
        "name": "Gerd Hoffmann",
        "email": "kraxel@redhat.com"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260422092910.444997-7-kraxel@redhat.com/mbox/",
    "series": [
        {
            "id": 500953,
            "url": "http://patchwork.ozlabs.org/api/series/500953/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=500953",
            "date": "2026-04-22T09:29:03",
            "name": "hw/uefi: a batch of security fixes",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/500953/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2226109/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2226109/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>",
        "X-Original-To": "incoming@patchwork.ozlabs.org",
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=RsTZ3IjX;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"
        ],
        "Received": [
            "from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0v8m1wR9z1y2d\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 22 Apr 2026 19:30:32 +1000 (AEST)",
            "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wFTtg-00045E-1B; Wed, 22 Apr 2026 05:29:28 -0400",
            "from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <kraxel@redhat.com>) id 1wFTte-00044p-Ur\n for qemu-devel@nongnu.org; Wed, 22 Apr 2026 05:29:26 -0400",
            "from us-smtp-delivery-124.mimecast.com ([170.10.129.124])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <kraxel@redhat.com>) id 1wFTtd-0007pD-IT\n for qemu-devel@nongnu.org; Wed, 22 Apr 2026 05:29:26 -0400",
            "from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com\n (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by\n relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n cipher=TLS_AES_256_GCM_SHA384) id us-mta-651-eAP9D6Q0N8qPww87yH8u9A-1; Wed,\n 22 Apr 2026 05:29:21 -0400",
            "from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com\n (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS\n id 2B6B419560AA; Wed, 22 Apr 2026 09:29:20 +0000 (UTC)",
            "from sirius.home.kraxel.org (unknown [10.44.48.53])\n by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with\n ESMTPS\n id C81203000C15; Wed, 22 Apr 2026 09:29:19 +0000 (UTC)",
            "by sirius.home.kraxel.org (Postfix, from userid 1000)\n id 774DC1801033; Wed, 22 Apr 2026 11:29:10 +0200 (CEST)"
        ],
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1776850164;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:\n content-transfer-encoding:content-transfer-encoding:\n in-reply-to:in-reply-to:references:references;\n bh=gQ81jDtxmHW5yOUxb8N6HXBRdoL8rvnU1AKzIe2hTls=;\n b=RsTZ3IjXtCCa+f/p6KKnapnBXsBzeGgtLWzw6alEwynpJdj7s+pwCn4p3VQedrvnxBbLox\n hbYHr15kwNu4gP9bTr9/pQt35DHUyO+ijwkOhnFACIOO1OxM4QRgcVdOQcgntsVpOzeMO3\n +Sney3AHuoLD363TTjgJULwEXQg/z+Q=",
        "X-MC-Unique": "eAP9D6Q0N8qPww87yH8u9A-1",
        "X-Mimecast-MFC-AGG-ID": "eAP9D6Q0N8qPww87yH8u9A_1776850160",
        "From": "Gerd Hoffmann <kraxel@redhat.com>",
        "To": "qemu-devel@nongnu.org",
        "Cc": "Gerd Hoffmann <kraxel@redhat.com>,\n Katherine Leaver <katherine.j.leaver@gmail.com>",
        "Subject": "[PATCH 6/6] hw/uefi: avoid possibly unaligned variable_auth_2 struct\n field access",
        "Date": "Wed, 22 Apr 2026 11:29:09 +0200",
        "Message-ID": "<20260422092910.444997-7-kraxel@redhat.com>",
        "In-Reply-To": "<20260422092910.444997-1-kraxel@redhat.com>",
        "References": "<20260422092910.444997-1-kraxel@redhat.com>",
        "MIME-Version": "1.0",
        "Content-Transfer-Encoding": "8bit",
        "X-Scanned-By": "MIMEDefang 3.4.1 on 10.30.177.4",
        "Received-SPF": "pass client-ip=170.10.129.124; envelope-from=kraxel@redhat.com;\n helo=us-smtp-delivery-124.mimecast.com",
        "X-Spam_score_int": "-20",
        "X-Spam_score": "-2.1",
        "X-Spam_bar": "--",
        "X-Spam_report": "(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001,\n DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001,\n SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no",
        "X-Spam_action": "no action",
        "X-BeenThere": "qemu-devel@nongnu.org",
        "X-Mailman-Version": "2.1.29",
        "Precedence": "list",
        "List-Id": "qemu development <qemu-devel.nongnu.org>",
        "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>",
        "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>",
        "List-Post": "<mailto:qemu-devel@nongnu.org>",
        "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>",
        "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>",
        "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org",
        "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"
    },
    "content": "Copy data to stack-allocated struct before accessing it\nto make sure it is properly aligned.\n\nFixes: CVE-2026-41440\nFixes: f1488fac0584 (\"hw/uefi: add var-service-auth.c\")\nReported-by: Katherine Leaver <katherine.j.leaver@gmail.com>\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>\n---\n hw/uefi/var-service-auth.c | 16 +++++++++-------\n 1 file changed, 9 insertions(+), 7 deletions(-)",
    "diff": "diff --git a/hw/uefi/var-service-auth.c b/hw/uefi/var-service-auth.c\nindex fba5a0956a57..0d17691804df 100644\n--- a/hw/uefi/var-service-auth.c\n+++ b/hw/uefi/var-service-auth.c\n@@ -218,23 +218,25 @@ static efi_status uefi_vars_check_auth_2_sb(uefi_vars_state *uv,\n efi_status uefi_vars_check_auth_2(uefi_vars_state *uv, uefi_variable *var,\n                                   mm_variable_access *va, void *data)\n {\n-    variable_auth_2 *auth = data;\n+    variable_auth_2 auth;\n     uint64_t data_offset;\n     efi_status status;\n \n-    if (va->data_size < sizeof(*auth)) {\n+    if (va->data_size < sizeof(auth)) {\n         return EFI_SECURITY_VIOLATION;\n     }\n-    if (uadd64_overflow(sizeof(efi_time), auth->hdr_length, &data_offset)) {\n+    memcpy(&auth, data, sizeof(auth));\n+\n+    if (uadd64_overflow(sizeof(efi_time), auth.hdr_length, &data_offset)) {\n         return EFI_SECURITY_VIOLATION;\n     }\n     if (va->data_size < data_offset) {\n         return EFI_SECURITY_VIOLATION;\n     }\n \n-    if (auth->hdr_revision != 0x0200 ||\n-        auth->hdr_cert_type != WIN_CERT_TYPE_EFI_GUID ||\n-        !qemu_uuid_is_equal(&auth->guid_cert_type, &EfiCertTypePkcs7Guid)) {\n+    if (auth.hdr_revision != 0x0200 ||\n+        auth.hdr_cert_type != WIN_CERT_TYPE_EFI_GUID ||\n+        !qemu_uuid_is_equal(&auth.guid_cert_type, &EfiCertTypePkcs7Guid)) {\n         return EFI_UNSUPPORTED;\n     }\n \n@@ -255,7 +257,7 @@ efi_status uefi_vars_check_auth_2(uefi_vars_state *uv, uefi_variable *var,\n     }\n \n     /* checks passed, set variable data */\n-    var->time = auth->timestamp;\n+    var->time = auth.timestamp;\n     if (va->data_size - data_offset > 0) {\n         var->data = g_malloc(va->data_size - data_offset);\n         memcpy(var->data, data + data_offset, va->data_size - data_offset);\n",
    "prefixes": [
        "6/6"
    ]
}