[AUTO-CHERRYPICK] [AutoPR- Security] Patch cloud-hypervisor for CVE-2026-27211 [CRITICAL] - branch 3.0-dev (#15995)

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>

Author: 4 people

SPECS/cloud-hypervisor/CVE-2026-27211.patch

@@ -0,0 +1,267 @@
+From 9049e95ce8e99bea5d863f029bfa0ddf356f39f8 Mon Sep 17 00:00:00 2001
+From: Rob Bradford <rbradford@meta.com>
+Date: Sun, 8 Feb 2026 21:14:28 +0000
+Subject: [PATCH] vmm: Add option to control backing files
+
+Backing files (e.g. for QCOW2) interact badly with landlock since they
+are not obvious from the initial VM configuration. Only enable their use
+with an explicit option.
+
+Signed-off-by: Rob Bradford <rbradford@meta.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/microsoft/cloud-hypervisor/commit/69e16ca82cdcd7ad3c4361223a4754cc8ce7f672.patch
+---
+ block/src/lib.rs          |  1 +
+ block/src/qcow_sync.rs    | 14 ++++++++++----
+ tests/integration.rs      | 39 +++++++++++++++++++++++++++------------
+ vmm/src/config.rs         | 13 +++++++++++--
+ vmm/src/device_manager.rs |  6 +++++-
+ vmm/src/vm_config.rs      |  2 ++
+ 6 files changed, 56 insertions(+), 19 deletions(-)
+
+diff --git a/block/src/lib.rs b/block/src/lib.rs
+index 5599258..ef8c05b 100644
+--- a/block/src/lib.rs
++++ b/block/src/lib.rs
+@@ -790,6 +790,7 @@ pub trait AsyncAdaptor {
+     }
+ }
+ 
++#[derive(PartialEq, Eq, Debug)]
+ pub enum ImageType {
+     FixedVhd,
+     Qcow2,
+diff --git a/block/src/qcow_sync.rs b/block/src/qcow_sync.rs
+index cd6a1fb..a05022f 100644
+--- a/block/src/qcow_sync.rs
++++ b/block/src/qcow_sync.rs
+@@ -20,10 +20,16 @@ pub struct QcowDiskSync {
+ }
+ 
+ impl QcowDiskSync {
+-    pub fn new(file: File, direct_io: bool) -> QcowResult<Self> {
+-        Ok(QcowDiskSync {
+-            qcow_file: QcowFile::from(RawFile::new(file, direct_io))?,
+-        })
++    pub fn new(file: File, direct_io: bool, backing_files: bool) -> QcowResult<Self> {
++        if backing_files {
++            Ok(QcowDiskSync {
++                qcow_file: QcowFile::from(RawFile::new(file, direct_io))?,
++            })
++        } else {
++            Ok(QcowDiskSync {
++                qcow_file: QcowFile::from_with_nesting_depth(RawFile::new(file, direct_io), 0)?,
++            })
++        }
+     }
+ }
+ 
+diff --git a/tests/integration.rs b/tests/integration.rs
+index cf20554..f6c8755 100644
+--- a/tests/integration.rs
++++ b/tests/integration.rs
+@@ -3631,6 +3631,7 @@ mod common_parallel {
+         disable_io_uring: bool,
+         disable_aio: bool,
+         verify_os_disk: bool,
++        backing_files: bool,
+     ) {
+         let disk_config = UbuntuDiskConfig::new(image_name.to_string());
+         let guest = Guest::new(Box::new(disk_config));
+@@ -3653,8 +3654,9 @@ mod common_parallel {
+             .args([
+                 "--disk",
+                 format!(
+-                    "path={}",
+-                    guest.disk_config.disk(DiskType::OperatingSystem).unwrap()
++                    "path={},backing_files={}",
++                    guest.disk_config.disk(DiskType::OperatingSystem).unwrap(),
++                    if backing_files { "on"} else {"off"}
+                 )
+                 .as_str(),
+                 format!(
+@@ -3741,17 +3743,17 @@ mod common_parallel {
+ 
+     #[test]
+     fn test_virtio_block_io_uring() {
+-        _test_virtio_block(FOCAL_IMAGE_NAME, false, true, false);
++        _test_virtio_block(FOCAL_IMAGE_NAME, false, true, false, false);
+     }
+ 
+     #[test]
+     fn test_virtio_block_aio() {
+-        _test_virtio_block(FOCAL_IMAGE_NAME, true, false, false);
++        _test_virtio_block(FOCAL_IMAGE_NAME, true, false, false, false);
+     }
+ 
+     #[test]
+     fn test_virtio_block_sync() {
+-        _test_virtio_block(FOCAL_IMAGE_NAME, true, true, false);
++        _test_virtio_block(FOCAL_IMAGE_NAME, true, true, false, false);
+     }
+ 
+     fn run_qemu_img(path: &std::path::Path, args: &[&str]) -> std::process::Output {
+@@ -3927,22 +3929,28 @@ mod common_parallel {
+ 
+     #[test]
+     fn test_virtio_block_qcow2() {
+-        _test_virtio_block(JAMMY_IMAGE_NAME_QCOW2, false, false, true);
++        _test_virtio_block(JAMMY_IMAGE_NAME_QCOW2, false, false, true, false);
+     }
+ 
+     #[test]
+     fn test_virtio_block_qcow2_zlib() {
+-        _test_virtio_block(JAMMY_IMAGE_NAME_QCOW2_ZLIB, false, false, true);
++        _test_virtio_block(JAMMY_IMAGE_NAME_QCOW2_ZLIB, false, false, true, false);
+     }
+ 
+     #[test]
+     fn test_virtio_block_qcow2_zstd() {
+-        _test_virtio_block(JAMMY_IMAGE_NAME_QCOW2_ZSTD, false, false, true);
++        _test_virtio_block(JAMMY_IMAGE_NAME_QCOW2_ZSTD, false, false, true, false);
+     }
+ 
+     #[test]
+     fn test_virtio_block_qcow2_backing_zstd_file() {
+-        _test_virtio_block(JAMMY_IMAGE_NAME_QCOW2_BACKING_ZSTD_FILE, false, false, true);
++        _test_virtio_block(
++            JAMMY_IMAGE_NAME_QCOW2_BACKING_ZSTD_FILE,
++            false,
++            false,
++            true,
++            true,
++        );
+     }
+ 
+     #[test]
+@@ -3952,12 +3960,19 @@ mod common_parallel {
+             false,
+             false,
+             true,
++            true,
+         );
+     }
+ 
+     #[test]
+     fn test_virtio_block_qcow2_backing_raw_file() {
+-        _test_virtio_block(JAMMY_IMAGE_NAME_QCOW2_BACKING_RAW_FILE, false, false, true);
++        _test_virtio_block(
++            JAMMY_IMAGE_NAME_QCOW2_BACKING_RAW_FILE,
++            false,
++            false,
++            true,
++            true,
++        );
+     }
+ 
+     #[test]
+@@ -3982,7 +3997,7 @@ mod common_parallel {
+             .output()
+             .expect("Expect generating VHD image from RAW image");
+ 
+-        _test_virtio_block(FOCAL_IMAGE_NAME_VHD, false, false, false);
++        _test_virtio_block(FOCAL_IMAGE_NAME_VHD, false, false, false, false);
+     }
+ 
+     #[test]
+@@ -4006,7 +4021,7 @@ mod common_parallel {
+             .output()
+             .expect("Expect generating dynamic VHDx image from RAW image");
+ 
+-        _test_virtio_block(FOCAL_IMAGE_NAME_VHDX, false, false, true);
++        _test_virtio_block(FOCAL_IMAGE_NAME_VHDX, false, false, true, false);
+     }
+ 
+     #[test]
+diff --git a/vmm/src/config.rs b/vmm/src/config.rs
+index 196956a..f4d201f 100644
+--- a/vmm/src/config.rs
++++ b/vmm/src/config.rs
+@@ -1091,7 +1091,7 @@ impl DiskConfig {
+          ops_size=<io_ops>,ops_one_time_burst=<io_ops>,ops_refill_time=<ms>,\
+          id=<device_id>,pci_segment=<segment_id>,rate_limit_group=<group_id>,\
+          queue_affinity=<list_of_queue_indices_with_their_associated_cpuset>,\
+-         serial=<serial_number>";
++         serial=<serial_number>,backing_files=on|off";
+ 
+     pub fn parse(disk: &str) -> Result<Self> {
+         let mut parser = OptionParser::new();
+@@ -1116,7 +1116,8 @@ impl DiskConfig {
+             .add("pci_segment")
+             .add("serial")
+             .add("rate_limit_group")
+-            .add("queue_affinity");
++            .add("queue_affinity")
++            .add("backing_files");
+         parser.parse(disk).map_err(Error::ParseDisk)?;
+ 
+         let path = parser.get("path").map(PathBuf::from);
+@@ -1201,6 +1202,12 @@ impl DiskConfig {
+                     })
+                     .collect()
+             });
++        let backing_files = parser
++            .convert::<Toggle>("backing_files")
++            .map_err(Error::ParseDisk)?
++            .unwrap_or(Toggle(false))
++            .0;
++
+         let bw_tb_config = if bw_size != 0 && bw_refill_time != 0 {
+             Some(TokenBucketConfig {
+                 size: bw_size,
+@@ -1245,6 +1252,7 @@ impl DiskConfig {
+             pci_segment,
+             serial,
+             queue_affinity,
++            backing_files,
+         })
+     }
+ 
+@@ -3425,6 +3433,7 @@ mod tests {
+             pci_segment: 0,
+             serial: None,
+             queue_affinity: None,
++            backing_files: false,
+         }
+     }
+ 
+diff --git a/vmm/src/device_manager.rs b/vmm/src/device_manager.rs
+index d47c461..b26dfea 100644
+--- a/vmm/src/device_manager.rs
++++ b/vmm/src/device_manager.rs
+@@ -2706,6 +2706,10 @@ impl DeviceManager {
+             let image_type =
+                 detect_image_type(&mut file).map_err(DeviceManagerError::DetectImageType)?;
+ 
++            if image_type != ImageType::Qcow2 && disk_cfg.backing_files {
++                warn!("Enabling backing_files option only applies for QCOW2 files");
++            }
++
+             let image = match image_type {
+                 ImageType::FixedVhd => {
+                     // Use asynchronous backend relying on io_uring if the
+@@ -2759,7 +2763,7 @@ impl DeviceManager {
+                 ImageType::Qcow2 => {
+                     info!("Using synchronous QCOW2 disk file");
+                     Box::new(
+-                        QcowDiskSync::new(file, disk_cfg.direct)
++                        QcowDiskSync::new(file, disk_cfg.direct, disk_cfg.backing_files)
+                             .map_err(DeviceManagerError::CreateQcowDiskSync)?,
+                     ) as Box<dyn DiskFile>
+                 }
+diff --git a/vmm/src/vm_config.rs b/vmm/src/vm_config.rs
+index 61f194e..9722e4e 100644
+--- a/vmm/src/vm_config.rs
++++ b/vmm/src/vm_config.rs
+@@ -278,6 +278,8 @@ pub struct DiskConfig {
+     pub serial: Option<String>,
+     #[serde(default)]
+     pub queue_affinity: Option<Vec<VirtQueueAffinity>>,
++    #[serde(default)]
++    pub backing_files: bool,
+ }
+ 
+ impl ApplyLandlock for DiskConfig {
+-- 
+2.45.4
+

SPECS/cloud-hypervisor/cloud-hypervisor.spec

@@ -5,7 +5,7 @@
 Name:           cloud-hypervisor
 Summary:        Cloud Hypervisor is an open source Virtual Machine Monitor (VMM) that runs on top of the KVM hypervisor and the Microsoft Hypervisor (MSHV).
 Version:        48.0.246
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        ASL 2.0 OR BSD-3-clause
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -20,6 +20,7 @@ Source0:        https://github.com/microsoft/cloud-hypervisor/archive/refs/tags/
 #   cargo vendor > config.toml
 #   tar -czf %%{name}-%%{version}-vendor.tar.gz vendor/
 Source1:        %{name}-%{version}-vendor.tar.gz
+Patch0:         CVE-2026-27211.patch
 %endif
 
 BuildRequires:  binutils
@@ -72,6 +73,7 @@ Cloud Hypervisor is an open source Virtual Machine Monitor (VMM) that runs on to
 %prep
 
 %setup -q -n cloud-hypervisor-%{version}
+%patch 0 -p1
 %if 0%{?using_vendored_crates}
 tar xf %{SOURCE1}
 %endif
@@ -137,9 +139,12 @@ cargo build --release --target=%{rust_musl_target} %{cargo_pkg_feature_opts} %{c
 %license LICENSES/CC-BY-4.0.txt
 
 %changelog
-* Mon Feb 02 2026 Archana Shettigar <v-shettigara@microsoft.com> - 48.0.246-2
+* Thu Feb 26 2026 Archana Shettigar <v-shettigara@microsoft.com> - 48.0.246-3
 - Bump release to rebuild with rust
 
+* Wed Feb 25 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 48.0.246-2
+- Patch for CVE-2026-27211
+
 * Fri Jan 23 2026 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 48.0.246-1
 - Auto-upgrade to 48.0.246
 
@@ -233,10 +238,10 @@ cargo build --release --target=%{rust_musl_target} %{cargo_pkg_feature_opts} %{c
 * Wed Aug 17 2022 Anatol Belski <anbelski@linux.microsoft.com> - 26.0-1
 - Pull release 26.0 for Mariner from upstream
 
-* Tue May 16 2022 Anatol Belski <anbelski@linux.microsoft.com> - 23.1-0
+* Mon May 16 2022 Anatol Belski <anbelski@linux.microsoft.com> - 23.1-0
 - Initial import 23.1 for Mariner from upstream
 
-*   Thu Apr 13 2022 Rob Bradford <robert.bradford@intel.com> 23.0-0
+*   Wed Apr 13 2022 Rob Bradford <robert.bradford@intel.com> 23.0-0
 -   Update to 23.0
 
 *   Thu Mar 03 2022 Rob Bradford <robert.bradford@intel.com> 22.0-0