[AUTO-CHERRYPICK] Recreated cloud-hypervisor patch for CVE-2025-1744 [Critical] - branch main (#12916)

Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/cloud-hypervisor/CVE-2025-1744.patch

@@ -1,22 +1,25 @@
-From b49d2f0b84d424ec7fbf47138bf6acc6b18e1b0d Mon Sep 17 00:00:00 2001
-From: tabudz <tanb74653@gmail.com>
-Date: Tue, 18 Feb 2025 11:28:15 +0800
+From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
+From: Mark Adler <fork@madler.net>
+Date: Sat, 30 Jul 2022 15:51:11 -0700
 Subject: [PATCH] Fix a bug when getting a gzip header extra field with
- inflate(). If the extra field was larger than the space the user provided
- with inflateGetHeader(), and if multiple calls of inflate() delivered the
- extra header data, then there could be a buffer overflow of the provided
- space. This commit assures that provided space is not exceeded.
+ inflate().
 
-Upstream Reference: https://github.com/radareorg/radare2/pull/23969/commits/b49d2f0b84d424ec7fbf47138bf6acc6b18e1b0d
+If the extra field was larger than the space the user provided with
+inflateGetHeader(), and if multiple calls of inflate() delivered
+the extra header data, then there could be a buffer overflow of the
+provided space. This commit assures that provided space is not
+exceeded.
+
+Upstream Reference : https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
 ---
  inflate.c | 5 +++--
  1 file changed, 3 insertions(+), 2 deletions(-)
 
 diff --git a/inflate.c b/inflate.c
-index e9ed74cff3279..2ecfb4876d155 100644
+index 7be8c6366..7a7289749 100644
 --- a/inflate.c
 +++ b/inflate.c
-@@ -755,9 +755,10 @@ int ZEXPORT inflate(z_streamp strm, int flush)
+@@ -763,9 +763,10 @@ int flush;
                  copy = state->length;
                  if (copy > have) copy = have;
                  if (copy) {
@@ -29,3 +32,35 @@ index e9ed74cff3279..2ecfb4876d155 100644
                          zmemcpy(state->head->extra + len, next,
                                  len + copy > state->head->extra_max ?
                                  state->head->extra_max - len : copy);
+
+From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001
+From: Mark Adler <fork@madler.net>
+Date: Mon, 8 Aug 2022 10:50:09 -0700
+Subject: [PATCH] Fix extra field processing bug that dereferences NULL
+ state->head.
+
+The recent commit to fix a gzip header extra field processing bug
+introduced the new bug fixed here.
+Upstream Reference : https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d
+
+---
+ inflate.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/inflate.c b/inflate.c
+index 7a7289749..2a3c4fe98 100644
+--- a/inflate.c
++++ b/inflate.c
+@@ -763,10 +763,10 @@ int flush;
+                 copy = state->length;
+                 if (copy > have) copy = have;
+                 if (copy) {
+-                    len = state->head->extra_len - state->length;
+                     if (state->head != Z_NULL &&
+                         state->head->extra != Z_NULL &&
+-                        len < state->head->extra_max) {
++                        (len = state->head->extra_len - state->length) <
++                            state->head->extra_max) {
+                         zmemcpy(state->head->extra + len, next,
+                                 len + copy > state->head->extra_max ?
+                                 state->head->extra_max - len : copy);

SPECS/cloud-hypervisor/cloud-hypervisor.spec

@@ -5,7 +5,7 @@
 Summary:        Cloud Hypervisor is an open source Virtual Machine Monitor (VMM) that runs on top of KVM.
 Name:           cloud-hypervisor
 Version:        32.0
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        ASL 2.0 OR BSD-3-clause
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -166,7 +166,10 @@ cargo build --release --target=%{rust_musl_target} --package vhost_user_block %{
 %license LICENSE-BSD-3-Clause
 
 %changelog
-* Tue Mar 04 2024 Kanishk Bansal <kanbansal@microsoft.com> - 32.0-4
+* Tue Mar 04 2024 Kanishk Bansal <kanbansal@microsoft.com> - 32.0-6
+- Recreated patch for CVE-2025-1744 to address a bug introduced by the previous patch. This update includes both the CVE fix and the bug fix.
+
+* Tue Mar 04 2024 Kanishk Bansal <kanbansal@microsoft.com> - 32.0-5
 - Patch CVE-2025-1744
 
 * Mon May 20 2024 Saul Paredes <saulparedes@microsoft.com> - 32.0-4