[Medium] Patch qemu for CVE-2025-12464 (#15022)

Author: v-aaditya

SPECS/qemu/CVE-2025-12464.patch

@@ -0,0 +1,62 @@
+From: Peter Maydell @ 2025-10-28 16:00 UTC (permalink / raw)
+To: qemu-devel; +Cc: Jason Wang, Bin Meng
+
+In commits like 969e50b61a28 ("net: Pad short frames to minimum size
+before sending from SLiRP/TAP") we switched away from requiring
+network devices to handle short frames to instead having the net core
+code do the padding of short frames out to the ETH_ZLEN minimum size.
+We then dropped the code for handling short frames from the network
+devices in a series of commits like 140eae9c8f7 ("hw/net: e1000:
+Remove the logic of padding short frames in the receive path").
+
+This missed one route where the device's receive code can still see a
+short frame: if the device is in loopback mode and it transmits a
+short frame via the qemu_receive_packet() function, this will be fed
+back into its own receive code without being padded.
+
+Add the padding logic to qemu_receive_packet().
+
+This fixes a buffer overrun which can be triggered in the
+e1000_receive_iov() logic via the loopback code path.
+
+Other devices that use qemu_receive_packet() to implement loopback
+are cadence_gem, dp8393x, lan9118, msf2-emac, pcnet, rtl8139
+and sungem.
+
+Cc: [email protected]
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3043
+Signed-off-by: Peter Maydell <[email protected]>
+
+Upstream Patch reference: https://lore.kernel.org/qemu-devel/[email protected]/T/#u
+---
+ net/net.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/net/net.c b/net/net.c
+index 0520bc168..d6dc20835 100644
+--- a/net/net.c
++++ b/net/net.c
+@@ -755,10 +755,20 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size)
+ 
+ ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size)
+ {
++    uint8_t min_pkt[ETH_ZLEN];
++    size_t min_pktsz = sizeof(min_pkt);
++
+     if (!qemu_can_receive_packet(nc)) {
+         return 0;
+     }
+ 
++    if (net_peer_needs_padding(nc)) {
++        if (eth_pad_short_frame(min_pkt, &min_pktsz, buf, size)) {
++            buf = min_pkt;
++            size = min_pktsz;
++        }
++    }
++
+     return qemu_net_queue_receive(nc->incoming_queue, buf, size);
+ }
+ 
+-- 
+2.45.4
+

SPECS/qemu/qemu.spec

@@ -428,7 +428,7 @@ Obsoletes: sgabios-bin <= 1:0.20180715git-10.fc38
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 8.2.0
-Release: 24%{?dist}
+Release: 25%{?dist}
 License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND FSFAP AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-2.0-or-later WITH GCC-exception-2.0 AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND MIT AND LicenseRef-Fedora-Public-Domain AND CC-BY-3.0
 URL: http://www.qemu.org/
 
@@ -451,6 +451,7 @@ Patch12:  CVE-2024-26327.patch
 Patch13:  CVE-2024-26328.patch
 Patch14:  CVE-2024-7409.patch
 Patch15:  CVE-2025-11234.patch
+Patch16:  CVE-2025-12464.patch
 
 Source10: qemu-guest-agent.service
 Source11: 99-qemu-guest-agent.rules
@@ -3434,6 +3435,9 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 
 
 %changelog
+* Wed Nov 19 2025 Aditya Singh <[email protected]> - 8.2.0-25
+- Added Patch for CVE-2025-12464
+
 * Mon Nov 10 2025 Andrew Phelps <[email protected]> - 8.2.0-24
 - Bump to rebuild with updated glibc