* [PULL 0/4] Uefi 20250812 patches
From: Gerd Hoffmann @ 2025-08-12 10:01 UTC
To: qemu-devel; +Cc: Gerd Hoffmann
The following changes since commit 624d7463043c120facfab2b54985fcfb679d5379:
Merge tag 'pull-nvme-20250811' of https://gitlab.com/birkelund/qemu into staging (2025-08-11 12:57:55 -0400)
are available in the Git repository at:
https://gitlab.com/kraxel/qemu.git tags/uefi-20250812-pull-request
for you to fetch changes up to 040237436f423253f3397547aa78d449394dfbca:
hw/uefi: open json file in binary mode (2025-08-12 08:03:16 +0200)
----------------------------------------------------------------
hw/uefi: last-minute bug fixes for the uefi variable store [for 10.1]
----------------------------------------------------------------
Gerd Hoffmann (3):
hw/uefi: return success for notifications
hw/uefi: check access for first variable
hw/uefi: open json file in binary mode
Mauro Matteo Cascella (1):
hw/uefi: clear uefi-vars buffer in uefi_vars_write callback
hw/uefi/var-service-core.c | 4 ++--
hw/uefi/var-service-json.c | 2 +-
hw/uefi/var-service-vars.c | 5 +++++
3 files changed, 8 insertions(+), 3 deletions(-)
--
2.50.1
* [PULL 1/4] hw/uefi: clear uefi-vars buffer in uefi_vars_write callback
From: Gerd Hoffmann @ 2025-08-12 10:01 UTC
To: qemu-devel; +Cc: Gerd Hoffmann, Mauro Matteo Cascella, ZDI
From: Mauro Matteo Cascella <mcascell@redhat.com>
When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write
callback `uefi_vars_write` is invoked. The function allocates a
heap buffer without zeroing the memory, leaving the buffer filled with
residual data from prior allocations. When the guest later reads from
register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback
`uefi_vars_read` returns leftover metadata or other sensitive process
memory from the previously allocated buffer, leading to an information
disclosure vulnerability.
Fixes: CVE-2025-8860
Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c")
Reported-by: ZDI <zdi-disclosures@trendmicro.com>
Suggested-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Message-ID: <20250811101128.17661-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/uefi/var-service-core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/uefi/var-service-core.c b/hw/uefi/var-service-core.c
index feec5a59583b..6ab8df091aaf 100644
--- a/hw/uefi/var-service-core.c
+++ b/hw/uefi/var-service-core.c
@@ -259,8 +259,8 @@ static void uefi_vars_write(void *opaque, hwaddr addr, uint64_t val, unsigned si
uv->buf_size = val;
g_free(uv->buffer);
g_free(uv->pio_xfer_buffer);
- uv->buffer = g_malloc(uv->buf_size);
- uv->pio_xfer_buffer = g_malloc(uv->buf_size);
+ uv->buffer = g_malloc0(uv->buf_size);
+ uv->pio_xfer_buffer = g_malloc0(uv->buf_size);
break;
case UEFI_VARS_REG_DMA_BUFFER_ADDR_LO:
uv->buf_addr_lo = val;
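Review bot: the hunk shows `uv->buf_size = val;` being taken straight from the guest register write, but not the upper-bound check that has to precede it, so please confirm that check exists above the hunk before a guest-chosen size reaches `g_malloc0()`. The switch from `g_malloc()` to `g_malloc0()` on both allocations does close the disclosure the commit message describes, because the buffer handed back through UEFI_VARS_REG_PIO_BUFFER_TRANSFER can no longer carry stale heap contents. Note that `g_malloc0(0)` returns NULL, so a zero-length write needs to be rejected here or tolerated on the read path. A one-line comment at the allocation stating that the buffer is guest-readable and must start zeroed would stop a future refactor from quietly reverting to `g_malloc()`.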
--
2.50.1
* [PULL 2/4] hw/uefi: return success for notifications
From: Gerd Hoffmann @ 2025-08-12 10:01 UTC
To: qemu-devel; +Cc: Gerd Hoffmann, Philippe Mathieu-Daudé
Set status to SUCCESS for ready-to-boot and exit-boot-services
notification calls.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-ID: <20250811130110.820958-2-kraxel@redhat.com>
---
hw/uefi/var-service-vars.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/uefi/var-service-vars.c b/hw/uefi/var-service-vars.c
index 37d05b71cf70..cbeccdbd2664 100644
--- a/hw/uefi/var-service-vars.c
+++ b/hw/uefi/var-service-vars.c
@@ -702,12 +702,14 @@ uint32_t uefi_vars_mm_vars_proto(uefi_vars_state *uv)
case SMM_VARIABLE_FUNCTION_READY_TO_BOOT:
trace_uefi_event("ready-to-boot");
uv->ready_to_boot = true;
+ mvar->status = EFI_SUCCESS;
length = 0;
break;
case SMM_VARIABLE_FUNCTION_EXIT_BOOT_SERVICE:
trace_uefi_event("exit-boot-service");
uv->exit_boot_service = true;
+ mvar->status = EFI_SUCCESS;
length = 0;
break;
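Review bot: the commit message should say what the guest observed before this change; the hunk only shows that `mvar->status` was never assigned on the READY_TO_BOOT and EXIT_BOOT_SERVICE paths, and if the field was left holding whatever the guest placed in the request buffer, that is worth stating explicitly for anyone backporting to stable. Style point: `mvar->status = EFI_SUCCESS;` followed by `length = 0;` is now identical in both cases, so a shared fall-through or a small helper would avoid duplicating it again for the next notification type.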
--
2.50.1
* [PULL 3/4] hw/uefi: check access for first variable
From: Gerd Hoffmann @ 2025-08-12 10:01 UTC
To: qemu-devel; +Cc: Gerd Hoffmann, Philippe Mathieu-Daudé
When listing variables (via get-next-variable-name) only the names of
variables which can be accessed will be returned. That check was
missing for the first variable though. Add it.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-ID: <20250811130110.820958-3-kraxel@redhat.com>
---
hw/uefi/var-service-vars.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/uefi/var-service-vars.c b/hw/uefi/var-service-vars.c
index cbeccdbd2664..8533533ea5c8 100644
--- a/hw/uefi/var-service-vars.c
+++ b/hw/uefi/var-service-vars.c
@@ -357,6 +357,9 @@ uefi_vars_mm_get_next_variable(uefi_vars_state *uv, mm_header *mhdr,
if (uefi_strlen(name, nv->name_size) == 0) {
/* empty string -> first */
var = QTAILQ_FIRST(&uv->variables);
+ while (var && !check_access(uv, var)) {
+ var = QTAILQ_NEXT(var, next);
+ }
if (!var) {
return uefi_vars_mm_error(mhdr, mvar, EFI_NOT_FOUND);
}
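Review bot: the added `while (var && !check_access(uv, var))` loop makes the first-variable path skip entries the caller may not see, but the commit message says the named-variable path already performs the same filtering, so the two loops should become one helper (next accessible variable starting from a given node) so the access rules cannot drift apart a second time. The loop does fall through correctly to the existing `if (!var)` / EFI_NOT_FOUND check when every variable is filtered out, which covers the all-inaccessible edge case.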
--
2.50.1
* [PULL 4/4] hw/uefi: open json file in binary mode
From: Gerd Hoffmann @ 2025-08-12 10:01 UTC
To: qemu-devel; +Cc: Gerd Hoffmann, Philippe Mathieu-Daudé
Fixes file length discrepancies due to line ending conversions
on Windows hosts.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3058
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-ID: <20250811130110.820958-4-kraxel@redhat.com>
---
hw/uefi/var-service-json.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/uefi/var-service-json.c b/hw/uefi/var-service-json.c
index ad3462cd1557..f5f155683334 100644
--- a/hw/uefi/var-service-json.c
+++ b/hw/uefi/var-service-json.c
@@ -172,7 +172,7 @@ static GString *uefi_vars_to_json(uefi_vars_state *uv)
void uefi_vars_json_init(uefi_vars_state *uv, Error **errp)
{
if (uv->jsonfile) {
- uv->jsonfd = qemu_create(uv->jsonfile, O_RDWR, 0666, errp);
+ uv->jsonfd = qemu_create(uv->jsonfile, O_RDWR | O_BINARY, 0666, errp);
}
}
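Review bot: adding O_BINARY to the qemu_create() flags is the right fix for Windows hosts, and it is harmless on POSIX only because qemu/osdep.h defines O_BINARY as 0 where the platform lacks it; a short comment at the call explaining that text-mode CRLF translation changes the file length the store relies on would make the flag's purpose obvious to the next reader. The commit message could also say whether a json file already written in text mode on Windows must be regenerated, since this one-line change does not repair such a file.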
--
2.50.1
* Re: [PULL 0/4] Uefi 20250812 patches
From: Michael Tokarev @ 2025-08-14 6:14 UTC
To: Gerd Hoffmann, qemu-devel; +Cc: qemu-stable
On 12.08.2025 13:01, Gerd Hoffmann wrote:
> hw/uefi: last-minute bug fixes for the uefi variable store [for 10.1]
>
> ----------------------------------------------------------------
>
> Gerd Hoffmann (3):
> hw/uefi: return success for notifications
> hw/uefi: check access for first variable
> hw/uefi: open json file in binary mode
>
> Mauro Matteo Cascella (1):
> hw/uefi: clear uefi-vars buffer in uefi_vars_write callback
I'm picking this whole lot to stable-10.0 branch as well.
Please let me know if I shouldn't.
Thanks,
/mjt