* [PATCH v2 0/2] hw/uefi: security fixes @ 2026-07-02 9:23 Gerd Hoffmann 2026-07-02 9:23 ` [PATCH v2 1/2] hw/uefi: add sanity check Gerd Hoffmann 2026-07-02 9:23 ` [PATCH v2 2/2] hw/uefi: disable debug function Gerd Hoffmann 0 siblings, 2 replies; 5+ messages in thread From: Gerd Hoffmann @ 2026-07-02 9:23 UTC (permalink / raw) To: qemu-devel; +Cc: Gerd Hoffmann, peter.maydell Gerd Hoffmann (2): hw/uefi: add sanity check hw/uefi: disable debug function hw/uefi/var-service-policy.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) -- 2.55.0 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH v2 1/2] hw/uefi: add sanity check 2026-07-02 9:23 [PATCH v2 0/2] hw/uefi: security fixes Gerd Hoffmann @ 2026-07-02 9:23 ` Gerd Hoffmann 2026-07-02 9:23 ` [PATCH v2 2/2] hw/uefi: disable debug function Gerd Hoffmann 1 sibling, 0 replies; 5+ messages in thread From: Gerd Hoffmann @ 2026-07-02 9:23 UTC (permalink / raw) To: qemu-devel; +Cc: Gerd Hoffmann, peter.maydell Verify the passed buffer has the minimal required length before reading the size field + verifying the total length. Fixes: CVE-2026-58581 Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3614 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> --- hw/uefi/var-service-policy.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hw/uefi/var-service-policy.c b/hw/uefi/var-service-policy.c index 58da4adbebaf..989bf87ddb86 100644 --- a/hw/uefi/var-service-policy.c +++ b/hw/uefi/var-service-policy.c @@ -276,6 +276,9 @@ static uint32_t uefi_vars_mm_check_policy_register(uefi_vars_state *uv, uefi_var_policy *pol; uint64_t length; + if (mhdr->length < sizeof(*mchk) + sizeof(*pe)) { + return uefi_vars_mm_policy_error(mhdr, mchk, EFI_BAD_BUFFER_SIZE); + } if (uadd64_overflow(sizeof(*mchk), pe->size, &length)) { return uefi_vars_mm_policy_error(mhdr, mchk, EFI_BAD_BUFFER_SIZE); } -- 2.55.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH v2 2/2] hw/uefi: disable debug function 2026-07-02 9:23 [PATCH v2 0/2] hw/uefi: security fixes Gerd Hoffmann 2026-07-02 9:23 ` [PATCH v2 1/2] hw/uefi: add sanity check Gerd Hoffmann @ 2026-07-02 9:23 ` Gerd Hoffmann 2026-07-02 12:56 ` Philippe Mathieu-Daudé 1 sibling, 1 reply; 5+ messages in thread From: Gerd Hoffmann @ 2026-07-02 9:23 UTC (permalink / raw) To: qemu-devel; +Cc: Gerd Hoffmann, peter.maydell This was never meant to be active in production builds. It's a code path not hit on a normal boot (OVMF wouldn't try variable updates which are not allowed), so this went unnoticed. Wrap the call into "if (VARIABLE_POLICY_DEBUG)" so it is never used unless the #define is changed to true. Also fix the name printing to not overrun the entry size. Fixes: CVE-2026-58582 Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3615 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> --- hw/uefi/var-service-policy.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/hw/uefi/var-service-policy.c b/hw/uefi/var-service-policy.c index 989bf87ddb86..b56fc62f7092 100644 --- a/hw/uefi/var-service-policy.c +++ b/hw/uefi/var-service-policy.c @@ -16,6 +16,8 @@ #include "trace.h" +#define VARIABLE_POLICY_DEBUG 0 + static void calc_policy(uefi_var_policy *pol); static int uefi_var_policy_post_load(void *opaque, int version_id) @@ -40,11 +42,12 @@ const VMStateDescription vmstate_uefi_var_policy = { static void print_policy_entry(variable_policy_entry *pe) { uint16_t *name = (void *)pe + pe->offset_to_name; + uint16_t *end = (void *)pe + pe->size; fprintf(stderr, "%s:\n", __func__); fprintf(stderr, " name ´"); - while (*name) { + while (*name && name < end) { fprintf(stderr, "%c", *name); name++; } @@ -173,7 +176,9 @@ efi_status uefi_vars_policy_check(uefi_vars_state *uv, pe = pol->entry; uefi_trace_variable(__func__, var->guid, var->name, var->name_size); - print_policy_entry(pe); + if (VARIABLE_POLICY_DEBUG) { + print_policy_entry(pe); + } if ((var->attributes & pe->attributes_must_have) != pe->attributes_must_have) { trace_uefi_vars_policy_deny("must-have-attr"); -- 2.55.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v2 2/2] hw/uefi: disable debug function 2026-07-02 9:23 ` [PATCH v2 2/2] hw/uefi: disable debug function Gerd Hoffmann @ 2026-07-02 12:56 ` Philippe Mathieu-Daudé 2026-07-06 10:49 ` Gerd Hoffmann 0 siblings, 1 reply; 5+ messages in thread From: Philippe Mathieu-Daudé @ 2026-07-02 12:56 UTC (permalink / raw) To: Gerd Hoffmann, qemu-devel; +Cc: peter.maydell Hi Gerd, On 2/7/26 11:23, Gerd Hoffmann wrote: > This was never meant to be active in production builds. It's a code > path not hit on a normal boot (OVMF wouldn't try variable updates which > are not allowed), so this went unnoticed. > > Wrap the call into "if (VARIABLE_POLICY_DEBUG)" so it is never used > unless the #define is changed to true. > > Also fix the name printing to not overrun the entry size. > > Fixes: CVE-2026-58582 > Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3615 > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > --- > hw/uefi/var-service-policy.c | 9 +++++++-- > 1 file changed, 7 insertions(+), 2 deletions(-) > > diff --git a/hw/uefi/var-service-policy.c b/hw/uefi/var-service-policy.c > index 989bf87ddb86..b56fc62f7092 100644 > --- a/hw/uefi/var-service-policy.c > +++ b/hw/uefi/var-service-policy.c > @@ -16,6 +16,8 @@ > > #include "trace.h" > > +#define VARIABLE_POLICY_DEBUG 0 To avoid this anti-pattern, ... > static void calc_policy(uefi_var_policy *pol); > > static int uefi_var_policy_post_load(void *opaque, int version_id) > @@ -40,11 +42,12 @@ const VMStateDescription vmstate_uefi_var_policy = { > static void print_policy_entry(variable_policy_entry *pe) > { > uint16_t *name = (void *)pe + pe->offset_to_name; > + uint16_t *end = (void *)pe + pe->size; > > fprintf(stderr, "%s:\n", __func__); > > fprintf(stderr, " name ´"); > - while (*name) { > + while (*name && name < end) { > fprintf(stderr, "%c", *name); > name++; > } > @@ -173,7 +176,9 @@ efi_status uefi_vars_policy_check(uefi_vars_state *uv, > pe = pol->entry; > > uefi_trace_variable(__func__, var->guid, var->name, var->name_size); ... better keep it compiled with a trace event: if (trace_event_get_state_backends(TRACE_UEFI_POLICY)) { > - print_policy_entry(pe); > + if (VARIABLE_POLICY_DEBUG) { > + print_policy_entry(pe); > + } > > if ((var->attributes & pe->attributes_must_have) != pe->attributes_must_have) { > trace_uefi_vars_policy_deny("must-have-attr"); ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2 2/2] hw/uefi: disable debug function 2026-07-02 12:56 ` Philippe Mathieu-Daudé @ 2026-07-06 10:49 ` Gerd Hoffmann 0 siblings, 0 replies; 5+ messages in thread From: Gerd Hoffmann @ 2026-07-06 10:49 UTC (permalink / raw) To: Philippe Mathieu-Daudé; +Cc: qemu-devel, peter.maydell Hi, > > @@ -173,7 +176,9 @@ efi_status uefi_vars_policy_check(uefi_vars_state *uv, > > pe = pol->entry; > > uefi_trace_variable(__func__, var->guid, var->name, var->name_size); > > ... better keep it compiled with a trace event: > > if (trace_event_get_state_backends(TRACE_UEFI_POLICY)) { Hmm? The function called doesn't use trace points ... take care, Gerd ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-07-06 10:50 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-07-02 9:23 [PATCH v2 0/2] hw/uefi: security fixes Gerd Hoffmann 2026-07-02 9:23 ` [PATCH v2 1/2] hw/uefi: add sanity check Gerd Hoffmann 2026-07-02 9:23 ` [PATCH v2 2/2] hw/uefi: disable debug function Gerd Hoffmann 2026-07-02 12:56 ` Philippe Mathieu-Daudé 2026-07-06 10:49 ` Gerd Hoffmann
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.