From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>,
	Mauro Matteo Cascella <mcascell@redhat.com>,
	ZDI <zdi-disclosures@trendmicro.com>
Subject: [PULL 1/4] hw/uefi: clear uefi-vars buffer in uefi_vars_write callback
Date: Tue, 12 Aug 2025 12:01:07 +0200
Message-ID: <20250812100111.1520917-2-kraxel@redhat.com>
In-Reply-To: <20250812100111.1520917-1-kraxel@redhat.com>
From: Mauro Matteo Cascella <mcascell@redhat.com>

When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write
callback `uefi_vars_write` is invoked. The function allocates a
heap buffer without zeroing the memory, leaving the buffer filled with
residual data from prior allocations. When the guest later reads from
register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback
`uefi_vars_read` returns leftover metadata or other sensitive process
memory from the previously allocated buffer, leading to an information
disclosure vulnerability.

Fixes: CVE-2025-8860
Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c")
Reported-by: ZDI <zdi-disclosures@trendmicro.com>
Suggested-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Message-ID: <20250811101128.17661-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/uefi/var-service-core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/uefi/var-service-core.c b/hw/uefi/var-service-core.c
index feec5a59583b..6ab8df091aaf 100644
--- a/hw/uefi/var-service-core.c
+++ b/hw/uefi/var-service-core.c
@@ -259,8 +259,8 @@ static void uefi_vars_write(void *opaque, hwaddr addr, uint64_t val, unsigned si
         uv->buf_size = val;
         g_free(uv->buffer);
         g_free(uv->pio_xfer_buffer);
-        uv->buffer = g_malloc(uv->buf_size);
-        uv->pio_xfer_buffer = g_malloc(uv->buf_size);
+        uv->buffer = g_malloc0(uv->buf_size);
+        uv->pio_xfer_buffer = g_malloc0(uv->buf_size);
         break;
     case UEFI_VARS_REG_DMA_BUFFER_ADDR_LO:
         uv->buf_addr_lo = val;
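Review bot: the guest-written val is stored in uv->buf_size and handed straight to g_malloc0() twice, with no range check visible in this hunk; if no cap on the value is enforced above this hunk (not shown here), a single BUFFER_SIZE write lets the guest drive two host allocations of an arbitrary 64-bit size. Consider validating val against a fixed maximum before the `g_free(uv->buffer);` / `uv->buffer = g_malloc0(uv->buf_size);` pair, or confirm in the commit message that the check already exists. Switching to g_malloc0() correctly removes the exposure of prior heap contents; note that it zeroes only at (re)allocation time, so bytes from the guest's own earlier transfers remain readable until the size is reprogrammed, which is guest data and therefore not a disclosure.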
-- 
2.50.1
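The commit message above describes the pattern in prose: a guest-programmable buffer size triggers a heap allocation, and a guest read of that buffer before any write returns whatever the allocator left there. The following is an added example, not QEMU code and not from the hw/uefi maintainers: it models the two register handlers against a small deterministic arena that, like a reused heap chunk, keeps the previous tenant's bytes, so the malloc-style and malloc0-style behaviours can be compared on the same input. The struct layout, the `SIM_MAX_BUF_SIZE` cap, the secret string and the `sim_*` names are all constructed for the example.

```c
/* Added example (not QEMU code): models the uefi-vars BUFFER_SIZE register
 * handling with a tiny deterministic arena so the difference between a
 * malloc()-style and a malloc0()-style allocation is observable. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed arena: a fixed pool that hands out the same region on every
 * allocation and never scrubs it, mimicking a freed heap chunk being
 * reused with its old contents intact. Sizes above the pool are refused. */
#define ARENA_SIZE 4096
static uint8_t arena[ARENA_SIZE];

static void *arena_alloc(size_t n)
{
    return n <= ARENA_SIZE ? arena : NULL;   /* contents left untouched */
}

static void *arena_alloc0(size_t n)
{
    void *p = arena_alloc(n);
    if (p) memset(p, 0, n);                  /* the fix: scrub on allocation */
    return p;
}

static void arena_free(void *p) { (void)p; } /* keeps contents, as free() may */

/* Minimal device state; only loosely resembles the real hw/uefi struct. */
typedef struct {
    uint64_t buf_size;
    uint8_t *pio_xfer_buffer;
} uefi_vars_sim;

#define SIM_MAX_BUF_SIZE 1024u  /* assumed cap; the real device's limit is not in the patch */

/* Guest write to REG_BUFFER_SIZE: free and reallocate the transfer buffer.
 * zeroed selects pre-fix (malloc) or post-fix (malloc0) behaviour. */
static int sim_write_buffer_size(uefi_vars_sim *uv, uint64_t val, int zeroed)
{
    if (val == 0 || val > SIM_MAX_BUF_SIZE) return -1;   /* reject silly sizes */
    uv->buf_size = val;
    arena_free(uv->pio_xfer_buffer);
    uv->pio_xfer_buffer = zeroed ? arena_alloc0(val) : arena_alloc(val);
    return uv->pio_xfer_buffer ? 0 : -1;
}

/* Guest read of REG_PIO_BUFFER_TRANSFER: returns `size` buffer bytes at `off`. */
static uint64_t sim_read_pio(const uefi_vars_sim *uv, size_t off, unsigned size)
{
    uint64_t v = 0;
    if (!uv->pio_xfer_buffer || size > 8 || off + size > uv->buf_size) return 0;
    memcpy(&v, uv->pio_xfer_buffer + off, size);   /* little-endian host assumed */
    return v;
}

/* Helper for the bounds check: does the device accept this BUFFER_SIZE? */
static int sim_size_accepted(uint64_t val)
{
    uefi_vars_sim uv = {0};
    return sim_write_buffer_size(&uv, val, 1) == 0;
}

/* Scenario: a previous tenant leaves a secret in the arena, the guest then
 * programs a buffer size and reads without ever writing. Returns how many
 * bytes of the secret the guest recovered. */
static size_t sim_leaked_bytes(int zeroed)
{
    static const char secret[] = "host-secret-0123";  /* constructed prior tenant data */
    uefi_vars_sim uv = {0};
    size_t leaked = 0;

    char *prev = arena_alloc(sizeof secret);
    memcpy(prev, secret, sizeof secret);
    arena_free(prev);                                  /* freed, not scrubbed */

    if (sim_write_buffer_size(&uv, 64, zeroed) != 0) return 0;

    for (size_t i = 0; i < sizeof secret - 1; i++) {
        if ((uint8_t)sim_read_pio(&uv, i, 1) == (uint8_t)secret[i]) leaked++;
    }
    return leaked;
}

int main(void)
{
    printf("malloc-style  leak: %zu bytes\n", sim_leaked_bytes(0));
    printf("malloc0-style leak: %zu bytes\n", sim_leaked_bytes(1));
    return 0;
}
```

With the unscrubbed allocation every byte of the earlier tenant's string is readable through the PIO register; with the zeroing allocation none is. The example also includes the size check the patch itself does not show, because a guest-controlled allocation size is the other thing a reviewer would look at in this handler.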
Thread overview (6+ messages):
2025-08-12 10:01 [PULL 0/4] Uefi 20250812 patches Gerd Hoffmann
2025-08-12 10:01 ` [PULL 1/4] hw/uefi: clear uefi-vars buffer in uefi_vars_write callback Gerd Hoffmann [this message]
2025-08-12 10:01 ` [PULL 2/4] hw/uefi: return success for notifications Gerd Hoffmann
2025-08-12 10:01 ` [PULL 3/4] hw/uefi: check access for first variable Gerd Hoffmann
2025-08-12 10:01 ` [PULL 4/4] hw/uefi: open json file in binary mode Gerd Hoffmann
2025-08-14  6:14 ` [PULL 0/4] Uefi 20250812 patches Michael Tokarev