Branch: refs/heads/staging
Home: https://github.com/qemu/qemu
Commit: 6a9e81b705c04b7488e49103c51ee209065c83e3
https://github.com/qemu/qemu/commit/6a9e81b705c04b7488e49103c51ee209065c83e3
Author: Daniel P. Berrangé <[email protected]>
Date: 2025-10-24 (Fri, 24 Oct 2025)
Changed paths:
M crypto/tlssession.c
M io/channel-tls.c
Log Message:
-----------
crypto: propagate Error object on premature termination
The way that premature termination was handled in TLS connections was
changed to handle an ordering problem during graceful shutdown in the
migration code.
Unfortunately one of the codepaths returned -1 to indicate an error
condition, but failed to set the 'errp' parameter.
This broke error handling in the qio_channel_tls_handshake function,
as the QTask callback would no longer see that an error was raised.
As a result, the client will go on to try to use the already closed
TLS connection, resulting in misleading errors.
This was evidenced in the I/O test 233 which showed changes such as
-qemu-nbd: Certificate does not match the hostname localhost
+qemu-nbd: Failed to read initial magic: Unable to read from socket: Connection reset by peer
Fixes: 7e0c22d585581b8083ffdeb332ea497218665daf
Acked-by: Peter Xu <[email protected]>
Signed-off-by: Daniel P. Berrangé <[email protected]>
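The failure mode in the commit above is a disagreement between two error channels: the function signals failure through its return value, but the completion callback only consults the Error object. The following C program is an added illustration, not QEMU code; the Error struct, the Session struct and the shutdown/callback functions are hypothetical stand-ins for the QEMU Error API, qcrypto TLS session and the QTask completion path. It shows that the "buggy" variant lets the callback carry on with an already closed session while the "fixed" variant, which fills the error out, does not.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-in for QEMU's Error object (hypothetical, not QEMU's API). */
typedef struct Error {
    char msg[128];
} Error;

/* Mirrors the error_setg() contract: only fill an empty slot. */
static void error_set_msg(Error **errp, const char *msg)
{
    if (!errp || *errp) {
        return;
    }
    *errp = calloc(1, sizeof(**errp));
    snprintf((*errp)->msg, sizeof((*errp)->msg), "%s", msg);
}

/* Hypothetical TLS session state: only what the example needs. */
typedef struct {
    bool closed;
    bool used_after_close;
} Session;

/*
 * Buggy variant: reports failure through the return value only, so *errp
 * stays NULL even though the session has been torn down.
 */
static int shutdown_buggy(Session *s, Error **errp)
{
    (void)errp;
    s->closed = true;
    return -1;
}

/* Fixed variant: the return value and the Error object agree. */
static int shutdown_fixed(Session *s, Error **errp)
{
    s->closed = true;
    error_set_msg(errp, "TLS connection terminated prematurely");
    return -1;
}

/*
 * Completion callback modelled on the described behaviour: it never sees
 * the return code and decides solely on whether an Error was raised.
 * Returns true if it went on to use the session.
 */
static bool handshake_done(Session *s, Error *err)
{
    if (err) {
        free(err);
        return false;               /* error path: stop using the session */
    }
    if (s->closed) {
        s->used_after_close = true; /* the misleading "connection reset" case */
    }
    return true;
}

/* Runs one variant; returns whether the callback used the session after close. */
static bool used_after_close(int (*shutdown)(Session *, Error **))
{
    Session s = {0};
    Error *err = NULL;
    int ret = shutdown(&s, &err);
    (void)ret;                      /* the callback has no access to this */
    return handshake_done(&s, err) && s.used_after_close;
}

int main(void)
{
    printf("buggy: used after close = %d\n", used_after_close(shutdown_buggy));
    printf("fixed: used after close = %d\n", used_after_close(shutdown_fixed));
    return 0;
}
```

The check worth carrying into real code is the same one the I/O test caught: any function that returns -1 and takes an Error ** must leave *errp non-NULL, because asynchronous callers can only observe the Error.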
Commit: 7249713b4f3a0c0ae5e83015f9889d1c3d75218d
https://github.com/qemu/qemu/commit/7249713b4f3a0c0ae5e83015f9889d1c3d75218d
Author: Daniel P. Berrangé <[email protected]>
Date: 2025-10-24 (Fri, 24 Oct 2025)
Changed paths:
M qom/object_interfaces.c
Log Message:
-----------
qom: use ERRP_GUARD in user_creatable_complete
With error_propagate, the stack trace from any error_abort/fatal
usage will start from the error_propagate() call, which is largely
useless. Using ERRP_GUARD ensures the stack trace starts from
the origin that reported the error.
Reviewed-by: Paolo Bonzini <[email protected]>
Reviewed-by: Markus Armbruster <[email protected]>
Signed-off-by: Daniel P. Berrangé <[email protected]>
Commit: e60eff91ef347361411c5173c829a8a94acf8795
https://github.com/qemu/qemu/commit/e60eff91ef347361411c5173c829a8a94acf8795
Author: Daniel P. Berrangé <[email protected]>
Date: 2025-10-24 (Fri, 24 Oct 2025)
Changed paths:
M tests/unit/test-char.c
Log Message:
-----------
tests: use macros for registering char tests for sockets
The test-char.c has a couple of helper macros for registering tests that
need to be repeated for both IP and UNIX sockets. One test case was not
using the macro though.
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Daniel P. Berrangé <[email protected]>
Commit: 2c147611cf568eb1cd7dc8bf4479b272bad3b9d6
https://github.com/qemu/qemu/commit/2c147611cf568eb1cd7dc8bf4479b272bad3b9d6
Author: Daniel P. Berrangé <[email protected]>
Date: 2025-10-24 (Fri, 24 Oct 2025)
Changed paths:
M io/channel-tls.c
Log Message:
-----------
io: release active GSource in TLS channel finalizer
While code is supposed to call qio_channel_close() before releasing the
last reference on a QIOChannel, this is not guaranteed. QIOChannelFile
and QIOChannelSocket both cleanup resources in their finalizer if the
close operation was missed.
This ensures the TLS channel will do the same failsafe cleanup.
Reviewed-by: Eric Blake <[email protected]>
Signed-off-by: Daniel P. Berrangé <[email protected]>
Commit: 322c3c4f3abee616a18b3bfe563ec29dd67eae63
https://github.com/qemu/qemu/commit/322c3c4f3abee616a18b3bfe563ec29dd67eae63
Author: Daniel P. Berrangé <[email protected]>
Date: 2025-10-24 (Fri, 24 Oct 2025)
Changed paths:
M io/channel-websock.c
Log Message:
-----------
io: move websock resource release to close method
The QIOChannelWebsock object releases all its resources in the
finalize callback. This is later than desired, as callers expect
to be able to call qio_channel_close() to fully close a channel
and release resources related to I/O.
The logic in the finalize method is at most a failsafe to handle
cases where a consumer forgets to call qio_channel_close.
This adds equivalent logic to the close method to release the
resources, using g_clear_handle_id/g_clear_pointer to be robust
against repeated invocations. The finalize method is tweaked
so that the GSource is removed before releasing the underlying
channel.
Reviewed-by: Eric Blake <[email protected]>
Signed-off-by: Daniel P. Berrangé <[email protected]>
Commit: b7a1f2ca45c7865b9e98e02ae605a65fc9458ae9
https://github.com/qemu/qemu/commit/b7a1f2ca45c7865b9e98e02ae605a65fc9458ae9
Author: Daniel P. Berrangé <[email protected]>
Date: 2025-10-24 (Fri, 24 Oct 2025)
Changed paths:
M include/io/channel-websock.h
M io/channel-websock.c
Log Message:
-----------
io: fix use after free in websocket handshake code
If the QIOChannelWebsock object is freed while it is waiting to
complete a handshake, a GSource is leaked. This can lead to the
callback firing later on and triggering a use-after-free in the
use of the channel. This was observed in the VNC server with the
following trace from valgrind:
==2523108== Invalid read of size 4
==2523108== at 0x4054A24: vnc_disconnect_start (vnc.c:1296)
==2523108== by 0x4054A24: vnc_client_error (vnc.c:1392)
==2523108== by 0x4068A09: vncws_handshake_done (vnc-ws.c:105)
==2523108== by 0x44863B4: qio_task_complete (task.c:197)
==2523108== by 0x448343D: qio_channel_websock_handshake_io (channel-websock.c:588)
==2523108== by 0x6EDB862: UnknownInlinedFun (gmain.c:3398)
==2523108== by 0x6EDB862: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4249)
==2523108== by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237)
==2523108== by 0x45EC79F: glib_pollfds_poll (main-loop.c:287)
==2523108== by 0x45EC79F: os_host_main_loop_wait (main-loop.c:310)
==2523108== by 0x45EC79F: main_loop_wait (main-loop.c:589)
==2523108== by 0x423A56D: qemu_main_loop (runstate.c:835)
==2523108== by 0x454F300: qemu_default_main (main.c:37)
==2523108== by 0x73D6574: (below main) (libc_start_call_main.h:58)
==2523108== Address 0x57a6e0dc is 28 bytes inside a block of size 103,608 free'd
==2523108== at 0x5F2FE43: free (vg_replace_malloc.c:989)
==2523108== by 0x6EDC444: g_free (gmem.c:208)
==2523108== by 0x4053F23: vnc_update_client (vnc.c:1153)
==2523108== by 0x4053F23: vnc_refresh (vnc.c:3225)
==2523108== by 0x4042881: dpy_refresh (console.c:880)
==2523108== by 0x4042881: gui_update (console.c:90)
==2523108== by 0x45EFA1B: timerlist_run_timers.part.0 (qemu-timer.c:562)
==2523108== by 0x45EFC8F: timerlist_run_timers (qemu-timer.c:495)
==2523108== by 0x45EFC8F: qemu_clock_run_timers (qemu-timer.c:576)
==2523108== by 0x45EFC8F: qemu_clock_run_all_timers (qemu-timer.c:663)
==2523108== by 0x45EC765: main_loop_wait (main-loop.c:600)
==2523108== by 0x423A56D: qemu_main_loop (runstate.c:835)
==2523108== by 0x454F300: qemu_default_main (main.c:37)
==2523108== by 0x73D6574: (below main) (libc_start_call_main.h:58)
==2523108== Block was alloc'd at
==2523108== at 0x5F343F3: calloc (vg_replace_malloc.c:1675)
==2523108== by 0x6EE2F81: g_malloc0 (gmem.c:133)
==2523108== by 0x4057DA3: vnc_connect (vnc.c:3245)
==2523108== by 0x448591B: qio_net_listener_channel_func (net-listener.c:54)
==2523108== by 0x6EDB862: UnknownInlinedFun (gmain.c:3398)
==2523108== by 0x6EDB862: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4249)
==2523108== by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237)
==2523108== by 0x45EC79F: glib_pollfds_poll (main-loop.c:287)
==2523108== by 0x45EC79F: os_host_main_loop_wait (main-loop.c:310)
==2523108== by 0x45EC79F: main_loop_wait (main-loop.c:589)
==2523108== by 0x423A56D: qemu_main_loop (runstate.c:835)
==2523108== by 0x454F300: qemu_default_main (main.c:37)
==2523108== by 0x73D6574: (below main) (libc_start_call_main.h:58)
==2523108==
The above can be reproduced by launching QEMU with

  $ qemu-system-x86_64 -vnc localhost:0,websocket=5700

and then repeatedly running:

  for i in {1..100}; do
    (echo -n "GET / HTTP/1.1" && sleep 0.05) | nc -w 1 localhost 5700 &
  done
CVE-2025-11234
Reported-by: Grant Millar | Cylo <[email protected]>
Reviewed-by: Eric Blake <[email protected]>
Signed-off-by: Daniel P. Berrangé <[email protected]>
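The three io: commits above share one mechanism: a callback source registered with the main loop outlives the object it points at, so when the source fires it dereferences freed memory (the valgrind trace shows vnc_update_client freeing the client and qio_channel_websock_handshake_io touching it afterwards). The program below is an added example, not QEMU or GLib code; its source table, Channel struct and finalizers are hypothetical stand-ins for a GMainContext, a QIOChannelWebsock and its finalize/close methods. It deliberately never dispatches the leaked source (that would be the use-after-free); instead it counts how many registered sources still point at freed memory after each finalizer, which is the condition the fixed close/finalize paths eliminate.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Tiny stand-in for a GLib main context: a fixed table of sources, each
 * holding a callback and an opaque pointer. Hypothetical, not GLib's API;
 * the non-zero IDs mimic the handle returned by g_source_attach().
 */
#define MAX_SOURCES 8

typedef bool (*SourceFunc)(void *opaque);

typedef struct {
    SourceFunc func;
    void *opaque;
    bool active;
} Source;

static Source sources[MAX_SOURCES];

static unsigned source_add(SourceFunc func, void *opaque)
{
    for (unsigned i = 0; i < MAX_SOURCES; i++) {
        if (!sources[i].active) {
            sources[i] = (Source){ func, opaque, true };
            return i + 1;       /* 0 is reserved for "no source" */
        }
    }
    return 0;
}

/* Safe on 0 and on repeated calls, like g_clear_handle_id(). */
static void source_remove(unsigned id)
{
    if (id) {
        sources[id - 1].active = false;
    }
}

/* Sources still registered; after free, each one is a pending use-after-free. */
static unsigned source_pending(void)
{
    unsigned n = 0;
    for (unsigned i = 0; i < MAX_SOURCES; i++) {
        n += sources[i].active;
    }
    return n;
}

static void sources_reset(void)
{
    for (unsigned i = 0; i < MAX_SOURCES; i++) {
        sources[i].active = false;
    }
}

/* Hypothetical channel object waiting for a handshake to complete. */
typedef struct {
    unsigned io_tag;    /* handle of the registered source, 0 if none */
    int state;
} Channel;

/* The callback dereferences the channel when the source fires. */
static bool handshake_io(void *opaque)
{
    Channel *ch = opaque;
    ch->state = 1;
    return false;       /* one-shot */
}

static Channel *channel_new(void)
{
    Channel *ch = calloc(1, sizeof(*ch));
    ch->io_tag = source_add(handshake_io, ch);
    return ch;
}

/* Leaky finalizer: frees the object but leaves its source registered. */
static void channel_finalize_leaky(Channel *ch)
{
    free(ch);
}

/* Fixed finalizer: detach the source first, then release the object. */
static void channel_finalize_fixed(Channel *ch)
{
    source_remove(ch->io_tag);
    ch->io_tag = 0;
    free(ch);
}

/* Returns how many sources still point at freed memory after 'finalize'. */
static unsigned dangling_after(void (*finalize)(Channel *))
{
    sources_reset();
    Channel *ch = channel_new();
    finalize(ch);
    return source_pending();
}

int main(void)
{
    printf("leaky finalizer: %u dangling source(s)\n", dangling_after(channel_finalize_leaky));
    printf("fixed finalizer: %u dangling source(s)\n", dangling_after(channel_finalize_fixed));
    return 0;
}
```

The same ordering applies in a close method: remove the source before releasing the underlying channel, and keep the removal idempotent so close followed by finalize does not double-free the handle.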
Commit: 75216f239f663f66ea0358a6fc2354d39909c1e3
https://github.com/qemu/qemu/commit/75216f239f663f66ea0358a6fc2354d39909c1e3
Author: Henry Kleynhans <[email protected]>
Date: 2025-10-24 (Fri, 24 Oct 2025)
Changed paths:
M crypto/tlscredsx509.c
M tests/unit/test-crypto-tlscredsx509.c
Log Message:
-----------
crypto: only verify CA certs in chain of trust
The CA file provided to qemu may contain CA certificates which do not
form part of the chain of trust for the specific certificate we are
sanity checking.
This patch changes the sanity checking from validating every CA
certificate to only checking the CA certificates which are part of the
chain of trust (issuer chain). Other certificates are ignored.
Reviewed-by: Daniel P. Berrangé <[email protected]>
Reviewed-by: Eric Blake <[email protected]>
Signed-off-by: Henry Kleynhans <[email protected]>
[DB: changed 'int' to 'bool' in 'checking_issuer' variable]
Signed-off-by: Daniel P. Berrangé <[email protected]>
Commit: 068e0379af39e5f02fc3e47f7638af194695c990
https://github.com/qemu/qemu/commit/068e0379af39e5f02fc3e47f7638af194695c990
Author: Daniel P. Berrangé <[email protected]>
Date: 2025-10-24 (Fri, 24 Oct 2025)
Changed paths:
M crypto/tlscredsx509.c
Log Message:
-----------
crypto: remove extraneous pointer usage in gnutls certs
The 'gnutls_x509_crt_t' type is already a pointer, not a struct,
so the extra level of pointer indirection is not needed.
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Eric Blake <[email protected]>
Signed-off-by: Daniel P. Berrangé <[email protected]>
Commit: d37677602a76557f9096ce35eaf25296c7da636c
https://github.com/qemu/qemu/commit/d37677602a76557f9096ce35eaf25296c7da636c
Author: Daniel P. Berrangé <[email protected]>
Date: 2025-10-24 (Fri, 24 Oct 2025)
Changed paths:
M tests/unit/test-crypto-tlscredsx509.c
Log Message:
-----------
crypto: validate an error is reported in test expected fails
There was a bug where TLS x509 credentials validation failed
to fill out the Error object. Validate this in the failure
scenarios.
Reviewed-by: Eric Blake <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Daniel P. Berrangé <[email protected]>
Commit: c677657e99e080a174052074ae77ff37dbe91335
https://github.com/qemu/qemu/commit/c677657e99e080a174052074ae77ff37dbe91335
Author: Daniel P. Berrangé <[email protected]>
Date: 2025-10-24 (Fri, 24 Oct 2025)
Changed paths:
M crypto/tlscredsx509.c
M tests/unit/test-crypto-tlscredsx509.c
Log Message:
-----------
crypto: fix error reporting in cert chain checks
The loop that checks the CA certificate chain can fail to report
an error message if one of the certs in the chain has an issuer
that is not present in the chain. In this case, the outer loop
'while (checking_issuer)' will terminate after failing to find
the issuer, and no error message will be reported.
Reviewed-by: Eric Blake <[email protected]>
Signed-off-by: Daniel P. Berrangé <[email protected]>
Commit: 87d6282e53a2db1915ea715cf9ee0634f6fb1c70
https://github.com/qemu/qemu/commit/87d6282e53a2db1915ea715cf9ee0634f6fb1c70
Author: matoro <[email protected]>
Date: 2025-10-24 (Fri, 24 Oct 2025)
Changed paths:
M crypto/tlscredsx509.c
M tests/unit/test-crypto-tlscredsx509.c
Log Message:
-----------
crypto: allow client/server cert chains
The existing implementation assumes that client/server certificates are
single individual certificates. If using publicly-issued certificates,
or internal CAs that use an intermediate issuer, this is unlikely to be
the case, and they will instead be certificate chains. While this can
be worked around by moving the intermediate certificates to the CA
certificate, which DOES currently support multiple certificates, this
instead allows the issued certificate chains to be used as-is, without
requiring the overhead of shuffling certificates around.
Corresponding libvirt change is available here:
https://gitlab.com/libvirt/libvirt/-/merge_requests/222
Reviewed-by: Daniel P. Berrangé <[email protected]>
Reviewed-by: Eric Blake <[email protected]>
Signed-off-by: matoro <[email protected]>
[DB: adapted for code conflicts with multi-CA patch]
Signed-off-by: Daniel P. Berrangé <[email protected]>
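Three of the crypto: commits above change the same loop: only certificates on the issuer path from the leaf to a self-signed root are sanity checked (unrelated CA certs in the bundle are ignored), the cert file itself may now carry intermediates, and a missing issuer must produce an error instead of silently ending the walk. The program below is an added example, not QEMU's tlscredsx509.c; it uses a hypothetical Cert struct with plain-string subject and issuer fields in place of gnutls_x509_crt_t and DN comparison, and a constructed scenario with a leaf, an intermediate, a root and an unrelated CA. It reports which certs the walk touched and whether the missing-root case is surfaced as an error.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simulated certificate: only what a chain walk needs (hypothetical). */
typedef struct {
    const char *subject;
    const char *issuer;     /* equal to subject for a self-signed root */
    bool checked;           /* set when the sanity check ran on this cert */
} Cert;

static Cert *find_by_subject(Cert *certs, size_t n, const char *subject)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(certs[i].subject, subject) == 0) {
            return &certs[i];
        }
    }
    return NULL;
}

/*
 * Walk from the first cert in 'file' (the leaf) up to a self-signed root.
 * Issuers are looked up in the cert file first (it may carry intermediates)
 * and then in the CA bundle. Only certs on the path are marked checked.
 * Returns 0 on success, -1 with 'err' filled on failure.
 */
static int check_chain(Cert *file, size_t nfile, Cert *cas, size_t ncas,
                       char *err, size_t errlen)
{
    Cert *cur = &file[0];
    size_t depth = 0;

    while (cur) {
        if (++depth > 16) {
            snprintf(err, errlen, "certificate chain too long");
            return -1;
        }
        cur->checked = true;    /* per-cert sanity checks would run here */

        if (strcmp(cur->subject, cur->issuer) == 0) {
            return 0;           /* reached a self-signed root */
        }
        Cert *issuer = find_by_subject(file, nfile, cur->issuer);
        if (!issuer) {
            issuer = find_by_subject(cas, ncas, cur->issuer);
        }
        if (!issuer) {
            /* The silent exit fixed above: report the missing issuer. */
            snprintf(err, errlen, "issuer '%s' of '%s' not found",
                     cur->issuer, cur->subject);
            return -1;
        }
        cur = issuer;
    }
    return -1;
}

typedef struct {
    int ret;
    size_t checked;     /* certs the walk sanity checked */
    bool has_error;
    char err[128];
} Result;

/* Constructed scenario: leaf + intermediate in the file; bundle holds an
 * unrelated CA and, if include_root is set, the root. */
static Result scenario(bool include_root)
{
    Cert file[] = {
        { "CN=server.example", "CN=Intermediate CA", false },
        { "CN=Intermediate CA", "CN=Root CA", false },
    };
    Cert cas[] = {
        { "CN=Unrelated CA", "CN=Unrelated CA", false },
        { "CN=Root CA", "CN=Root CA", false },
    };
    Result r = { 0, 0, false, "" };
    r.ret = check_chain(file, 2, cas, include_root ? 2 : 1, r.err, sizeof r.err);
    r.has_error = r.err[0] != '\0';
    for (size_t i = 0; i < 2; i++) {
        r.checked += file[i].checked;
        r.checked += cas[i].checked;
    }
    return r;
}

int main(void)
{
    Result ok = scenario(true), missing = scenario(false);
    printf("with root: ret=%d checked=%zu\n", ok.ret, ok.checked);
    printf("without root: ret=%d checked=%zu err=%s\n",
           missing.ret, missing.checked, missing.err);
    return 0;
}
```

With the root present the walk checks exactly three certs (leaf, intermediate, root) and never touches the unrelated CA; with the root absent it stops after two and returns an error message naming the missing issuer, which is the behaviour the error-reporting fix restores.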
Commit: 3995fc238e0599e0417ba958ffc5c7a609e82a7f
https://github.com/qemu/qemu/commit/3995fc238e0599e0417ba958ffc5c7a609e82a7f
Author: Daniel P. Berrangé <[email protected]>
Date: 2025-10-24 (Fri, 24 Oct 2025)
Changed paths:
M crypto/tlscredsx509.c
M docs/system/tls.rst
M tests/unit/crypto-tls-x509-helpers.h
M tests/unit/test-crypto-tlscredsx509.c
M tests/unit/test-crypto-tlssession.c
M tests/unit/test-io-channel-tls.c
Log Message:
-----------
crypto: stop requiring "key encipherment" usage in x509 certs
This usage flag was deprecated by RFC8813, such that it is
forbidden to be present for certs using ECDSA/ECDH algorithms,
and in TLS 1.3 is conceptually obsolete.
As such many valid certs will no longer have this key usage
flag set, and QEMU should not be rejecting them, as this
prevents use of otherwise valid & desirable algorithms.
Reviewed-by: Eric Blake <[email protected]>
Signed-off-by: Daniel P. Berrangé <[email protected]>
Commit: 3b3257b00fd256b8704db13373f4fa9c8bc40342
https://github.com/qemu/qemu/commit/3b3257b00fd256b8704db13373f4fa9c8bc40342
Author: Daniel P. Berrangé <[email protected]>
Date: 2025-10-24 (Fri, 24 Oct 2025)
Changed paths:
M crypto/tlssession.c
Log Message:
-----------
crypto: switch to newer gnutls API for distinguished name
The new API automatically allocates the right amount of memory
to hold the distinguished name, avoiding the need to loop and
realloc.
Reviewed-by: Eric Blake <[email protected]>
Signed-off-by: Daniel P. Berrangé <[email protected]>
Commit: 36076d24f04ea9dc3357c0fbe7bb14917375819c
https://github.com/qemu/qemu/commit/36076d24f04ea9dc3357c0fbe7bb14917375819c
Author: Richard Henderson <[email protected]>
Date: 2025-10-25 (Sat, 25 Oct 2025)
Changed paths:
M crypto/tlscredsx509.c
M crypto/tlssession.c
M docs/system/tls.rst
M include/io/channel-websock.h
M io/channel-tls.c
M io/channel-websock.c
M qom/object_interfaces.c
M tests/unit/crypto-tls-x509-helpers.h
M tests/unit/test-char.c
M tests/unit/test-crypto-tlscredsx509.c
M tests/unit/test-crypto-tlssession.c
M tests/unit/test-io-channel-tls.c
Log Message:
-----------
Merge tag 'next-pr-pull-request' of https://gitlab.com/berrange/qemu into staging
Merge misc, crypto and I/O subsystems changes
* Fix use after free in websocket handshake (CVE-2025-11234)
* Improved stack traces for fatal errors/aborts raised for
user creatable objects
* Stop requiring 'key encipherment' usage in x509 certs
* Only sanity check CA certs needed in the chain of trust
* Allow intermediate CA certs to be present in client/server
cert file
* Fix regression propagating errors in premature shutdown
of TLS connections
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEE2vOm/bJrYpEtDo4/vobrtBUQT98FAmj7nZQACgkQvobrtBUQ
# T9+ezBAAsgKl5O/8FYGoSAaVHq4dzbXl/Q0NzHzX7NJ7W8K6LvNy4w8zpuPZEWIt
# luo3uAeRFmWGCE5kAe/rfySwvNAYfKTJWbd4+c/DN6spK8MViMfY/mL2Zows3LsJ
# LDkmi7OVZpTO+JTDt9O0LpjXmtRGunDsm1Wq8WZcrLtsMe0KatVaQen0nFqc8aUf
# uwAgMrZiMpsGp23PLlxaqQVBV2lzXGQHb1Y2UR0DkMBn19861ovPeNRgODc1SpmV
# pvqoeXNVu3Mw4CmY3jb0fArRD8G6g8y0USahVNfXV3cYFXp1/SaEL4sNbYU3VhxG
# MJXvA+uVir6HHJWiDbjiAG+6zjoggaPAwkp5f4M89fnPGgX9sRRAsCdJnR5IIEDo
# 58bc1WWni+KzkDXY/GJ1lMQ6jJuQxavIcpW/zi/sSLu1ceK+j+JqLmjGzpr1mPrk
# D63MvLSOsKFgJNP51OeC5s3GN9UOo6jO/wOMyLTDUTdhc/WOz3Q+f5/E/bRXtaE0
# S+NxMTHJdwDfeRpDXMglL9f5K1ApBo7GAMmjhwXCD3XqUb1pD7RbFNu+QKMqgT4Z
# Jv/Rsik3XOHMFNoMtm+fSaUfeETASJBQQancnLyUcCUrWR9MTKBAtlm0fJypxaBp
# 787FL5LthIX5u7tNf5Btl67BJalHFICVEQrFe/gPq5YnuIRDmwo=
# =WY6C
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 24 Oct 2025 05:39:00 PM CEST
# gpg: using RSA key DAF3A6FDB26B62912D0E8E3FBE86EBB415104FDF
# gpg: Good signature from "Daniel P. Berrange <[email protected]>" [unknown]
# gpg: aka "Daniel P. Berrange <[email protected]>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E 8E3F BE86 EBB4 1510 4FDF
* tag 'next-pr-pull-request' of https://gitlab.com/berrange/qemu:
crypto: switch to newer gnutls API for distinguished name
crypto: stop requiring "key encipherment" usage in x509 certs
crypto: allow client/server cert chains
crypto: fix error reporting in cert chain checks
crypto: validate an error is reported in test expected fails
crypto: remove extraneous pointer usage in gnutls certs
crypto: only verify CA certs in chain of trust
io: fix use after free in websocket handshake code
io: move websock resource release to close method
io: release active GSource in TLS channel finalizer
tests: use macros for registering char tests for sockets
qom: use ERRP_GUARD in user_creatable_complete
crypto: propagate Error object on premature termination
Signed-off-by: Richard Henderson <[email protected]>
Compare: https://github.com/qemu/qemu/compare/e8779f3d1509...36076d24f04e