From b04b16e9650f4ecd0b5fe1a9476839be7a86dc35 Mon Sep 17 00:00:00 2001 From: Deepak Rathore Date: Mon, 15 Jun 2026 10:30:49 -0700 Subject: [PATCH] qemu: Fix CVE-2024-6519 This patch applies the upstream v11.0.0-rc2 backport for CVE-2024-6519. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2]. The individual backported commit link is recorded in the embedded patch header. [1] https://gitlab.com/qemu-project/qemu/-/commit/4862d2c95104d9fd0430cc003c205094f8ada1f9 [2] https://security-tracker.debian.org/tracker/CVE-2024-6519 (From OE-Core rev: bb5a1f9c6562038d422ea0efd4e975737c9374c3) Signed-off-by: Deepak Rathore Signed-off-by: Yoann Congal Signed-off-by: Paul Barker --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2024-6519.patch | 51 +++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-6519.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index b688c2bd12..ff8877e54b 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -47,6 +47,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://0002-python-backport-avoid-creating-additional-event-loop.patch \ file://CVE-2025-11234-01.patch \ file://CVE-2025-11234-02.patch \ + file://CVE-2024-6519.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-6519.patch b/meta/recipes-devtools/qemu/qemu/CVE-2024-6519.patch new file mode 100644 index 0000000000..431afbbc60 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2024-6519.patch @@ -0,0 +1,51 @@ +From 86bc714d9d02a23ea6be878febdc327bbfc9ff50 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Fri, 27 Mar 2026 17:37:31 +0100 +Subject: [PATCH] lsi53c895a: keep a reference to the device while SCRIPTS + execute + +SCRIPTS execution can trigger PCI device unplug and consequently +a use-after-free after the unplug returns. Avoid this by keeping +the device alive. + +Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3090 + +CVE: CVE-2024-6519 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/4862d2c95104d9fd0430cc003c205094f8ada1f9] + +Cc: qemu-stable@nongnu.org +Signed-off-by: Paolo Bonzini +(cherry picked from commit 4862d2c95104d9fd0430cc003c205094f8ada1f9) +Signed-off-by: Deepak Rathore +--- + hw/scsi/lsi53c895a.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index 4d0c5fcd9b7..37dd38d7a87 100644 +--- a/hw/scsi/lsi53c895a.c ++++ b/hw/scsi/lsi53c895a.c +@@ -1158,6 +1158,7 @@ static void lsi_execute_script(LSIState *s) + s->waiting = LSI_NOWAIT; + } + ++ object_ref(s); + reentrancy_level++; + + s->istat1 |= LSI_ISTAT1_SRUN; +@@ -1177,6 +1178,7 @@ again: + s->waiting = LSI_WAIT_SCRIPTS; + lsi_scripts_timer_start(s); + reentrancy_level--; ++ object_unref(s); + return; + } + insn = read_dword(s, s->dsp); +@@ -1625,6 +1627,7 @@ again: + trace_lsi_execute_script_stop(); + + reentrancy_level--; ++ object_unref(s); + } + + static uint8_t lsi_reg_readb(LSIState *s, int offset)