* [PULL 1/4] hw/uefi: clear uefi-vars buffer in uefi_vars_write callback
From: Gerd Hoffmann @ 2025-08-12 10:01 UTC
To: qemu-devel; +Cc: Gerd Hoffmann, Mauro Matteo Cascella, ZDI
From: Mauro Matteo Cascella <mcascell@redhat.com>
When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write
callback `uefi_vars_write` is invoked. The function allocates a
heap buffer without zeroing the memory, leaving the buffer filled with
residual data from prior allocations. When the guest later reads from
register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback
`uefi_vars_read` returns leftover metadata or other sensitive process
memory from the previously allocated buffer, leading to an information
disclosure vulnerability.
Fixes: CVE-2025-8860
Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c")
Reported-by: ZDI <zdi-disclosures@trendmicro.com>
Suggested-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Message-ID: <20250811101128.17661-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/uefi/var-service-core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/uefi/var-service-core.c b/hw/uefi/var-service-core.c
index feec5a59583b..6ab8df091aaf 100644
--- a/hw/uefi/var-service-core.c
+++ b/hw/uefi/var-service-core.c
@@ -259,8 +259,8 @@ static void uefi_vars_write(void *opaque, hwaddr addr, uint64_t val, unsigned si
uv->buf_size = val;
g_free(uv->buffer);
g_free(uv->pio_xfer_buffer);
- uv->buffer = g_malloc(uv->buf_size);
- uv->pio_xfer_buffer = g_malloc(uv->buf_size);
+ uv->buffer = g_malloc0(uv->buf_size);
+ uv->pio_xfer_buffer = g_malloc0(uv->buf_size);
break;
case UEFI_VARS_REG_DMA_BUFFER_ADDR_LO:
uv->buf_addr_lo = val;
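Review bot: g_malloc0 removes the stale-heap read, but the hunk still shows `uv->buf_size = val;` taken straight from the guest with no visible bound or zero check. In GLib, g_malloc0(0) returns NULL, so a guest write of 0 leaves both pointers NULL for the later PIO and DMA paths, and g_malloc0 aborts the process on allocation failure instead of returning NULL, so a huge value is a guest-triggered abort of the host process. If those checks are not already above the hunk, add something like `if (val == 0 || val > UEFI_VARS_MAX_BUF_SIZE) { break; }` ahead of the assignment (constant name assumed).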
--
2.50.1
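The leak mechanism described in the commit message, as an added example that is not QEMU's code: a model of the BUFFER_SIZE write callback next to the PIO read callback, with a deterministic one-slot arena standing in for the heap so that block reuse (which a real allocator only does by chance) is reproducible. The arena, the `MAX_BUF_SIZE` bound, the one-byte PIO read and every function name here are assumptions made for this example; the `zero_fill` flag selects between the g_malloc behaviour the patch removes and the g_malloc0 behaviour it introduces. It goes a step past the patch by also rejecting a zero or oversized size register value.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Added example, not QEMU code.  A single static region is handed out by
 * every allocation so that whatever a previous tenant left behind is
 * guaranteed to be seen by the next one, the way a recycled heap chunk
 * may be seen in practice.  Names below are assumptions for this example.
 */
#define ARENA_SIZE   256
#define MAX_BUF_SIZE 64      /* assumed upper bound for the size register */

static uint8_t arena[ARENA_SIZE];

/* Like g_malloc: returns memory without clearing it (NULL for 0 / too big). */
static uint8_t *arena_alloc(size_t n)
{
    return (n == 0 || n > ARENA_SIZE) ? NULL : arena;
}

static void arena_free(uint8_t *p)
{
    (void)p;                 /* one slot, nothing to release */
}

typedef struct {
    uint8_t *pio_xfer_buffer;
    uint32_t buf_size;
    uint32_t pio_offset;
} dev_state;

/* Guest write to the size register; zero_fill = 0 is g_malloc, 1 is g_malloc0. */
static int dev_write_size(dev_state *d, uint64_t val, int zero_fill)
{
    if (val == 0 || val > MAX_BUF_SIZE) {
        return -1;           /* reject sizes the device cannot honour */
    }
    arena_free(d->pio_xfer_buffer);
    d->pio_xfer_buffer = arena_alloc((size_t)val);
    if (d->pio_xfer_buffer == NULL) {
        d->buf_size = 0;
        return -1;
    }
    if (zero_fill) {
        memset(d->pio_xfer_buffer, 0, (size_t)val);
    }
    d->buf_size = (uint32_t)val;
    d->pio_offset = 0;
    return 0;
}

/* Guest read of the PIO transfer register: one byte per read, 0 past the end. */
static uint8_t dev_pio_read(dev_state *d)
{
    if (d->pio_xfer_buffer == NULL || d->pio_offset >= d->buf_size) {
        return 0;
    }
    return d->pio_xfer_buffer[d->pio_offset++];
}

/* An earlier tenant of the "heap" writes a constructed secret and frees it. */
static void leave_residue(const char *secret)
{
    size_t len = strlen(secret) + 1;
    uint8_t *p = arena_alloc(len);
    if (p) {
        memcpy(p, secret, len);
        arena_free(p);
    }
}

/* Resize to 16 bytes after residue was left; returns how many non-zero bytes
 * the guest reads back.  Without zero fill the 11 secret bytes come back. */
static int count_leaked_bytes(int zero_fill)
{
    dev_state d = { NULL, 0, 0 };
    int nonzero = 0;
    leave_residue("host-secret");          /* constructed residue */
    if (dev_write_size(&d, 16, zero_fill) != 0) {
        return -1;
    }
    for (uint32_t i = 0; i < d.buf_size; i++) {
        if (dev_pio_read(&d) != 0) {
            nonzero++;
        }
    }
    return nonzero;
}

/* Both out-of-range sizes must be refused before any allocation happens. */
static int rejects_bad_sizes(void)
{
    dev_state d = { NULL, 0, 0 };
    return dev_write_size(&d, 0, 1) == -1 &&
           dev_write_size(&d, (uint64_t)MAX_BUF_SIZE + 1, 1) == -1;
}

/* Reads beyond buf_size return 0 instead of walking off the buffer. */
static int read_past_end_is_zero(void)
{
    dev_state d = { NULL, 0, 0 };
    if (dev_write_size(&d, 4, 1) != 0) {
        return 0;
    }
    for (int i = 0; i < 4; i++) {
        dev_pio_read(&d);
    }
    return dev_pio_read(&d) == 0 && d.pio_offset == 4;
}
```

`count_leaked_bytes(0)` reproduces the bug: the guest resizes the buffer and reads back the 11 bytes a previous allocation left in the same memory. `count_leaked_bytes(1)` is the patched behaviour and returns 0. The size checks in `dev_write_size` are not part of the patch; they are the bound a reviewer would want in front of a guest-controlled allocation size.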

* [PULL 2/4] hw/uefi: return success for notifications
From: Gerd Hoffmann @ 2025-08-12 10:01 UTC
To: qemu-devel; +Cc: Gerd Hoffmann, Philippe Mathieu-Daudé
Set status to SUCCESS for ready-to-boot and exit-boot-services
notification calls.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-ID: <20250811130110.820958-2-kraxel@redhat.com>
---
hw/uefi/var-service-vars.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/uefi/var-service-vars.c b/hw/uefi/var-service-vars.c
index 37d05b71cf70..cbeccdbd2664 100644
--- a/hw/uefi/var-service-vars.c
+++ b/hw/uefi/var-service-vars.c
@@ -702,12 +702,14 @@ uint32_t uefi_vars_mm_vars_proto(uefi_vars_state *uv)
case SMM_VARIABLE_FUNCTION_READY_TO_BOOT:
trace_uefi_event("ready-to-boot");
uv->ready_to_boot = true;
+ mvar->status = EFI_SUCCESS;
length = 0;
break;
case SMM_VARIABLE_FUNCTION_EXIT_BOOT_SERVICE:
trace_uefi_event("exit-boot-service");
uv->exit_boot_service = true;
+ mvar->status = EFI_SUCCESS;
length = 0;
break;
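Review bot: the commit message should say what the caller saw before this change; since neither case wrote mvar->status, the response carried whatever status the request buffer already held, and a firmware caller checking that field would treat the notification as failed or unknown. As a style point, both cases now end with the identical `mvar->status = EFI_SUCCESS;` / `length = 0;` pair after setting their flag; a shared tail after the switch, or a fall-through after the flag assignment, would keep the two from drifting apart again.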
--
2.50.1

* [PULL 3/4] hw/uefi: check access for first variable
From: Gerd Hoffmann @ 2025-08-12 10:01 UTC
To: qemu-devel; +Cc: Gerd Hoffmann, Philippe Mathieu-Daudé
When listing variables (via get-next-variable-name) only the names of
variables which can be accessed will be returned. That check was
missing for the first variable though. Add it.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-ID: <20250811130110.820958-3-kraxel@redhat.com>
---
hw/uefi/var-service-vars.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/uefi/var-service-vars.c b/hw/uefi/var-service-vars.c
index cbeccdbd2664..8533533ea5c8 100644
--- a/hw/uefi/var-service-vars.c
+++ b/hw/uefi/var-service-vars.c
@@ -357,6 +357,9 @@ uefi_vars_mm_get_next_variable(uefi_vars_state *uv, mm_header *mhdr,
if (uefi_strlen(name, nv->name_size) == 0) {
/* empty string -> first */
var = QTAILQ_FIRST(&uv->variables);
+ while (var && !check_access(uv, var)) {
+ var = QTAILQ_NEXT(var, next);
+ }
if (!var) {
return uefi_vars_mm_error(mhdr, mvar, EFI_NOT_FOUND);
}
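Review bot: the skip loop gives the empty-name path the same filter as the named path, but the two copies now live apart and the named path (not shown) can drift again the way this one did; suggest a helper such as `static uefi_variable *next_accessible(uefi_vars_state *uv, uefi_variable *var)` (name and type assumed) that both branches call. The fall-through to EFI_NOT_FOUND when every variable fails check_access is the right answer here: returning an access error instead would tell the guest that hidden entries exist.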
--
2.50.1
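The enumeration rule the commit message describes, as an added example that is not QEMU's code: a GetNextVariableName-style walk in which the first entry and every later entry pass through one access helper, so the omission this patch fixes cannot recur on either path. The list layout, the `runtime_ok` flag standing in for the real access check, and all function names are assumptions for this example. It goes one step further than the patch by also refusing a cursor name the caller is not allowed to see.

```c
#include <stddef.h>
#include <string.h>

/*
 * Added example, not QEMU code.  A singly linked variable store with one
 * access filter applied uniformly; the store, the runtime_ok flag and
 * the function names are assumptions made for this example.
 */
typedef struct var {
    const char *name;
    int runtime_ok;            /* still visible after exit-boot-services */
    struct var *next;
} var;

typedef struct {
    var *head;
    int exit_boot_service;
} vars_state;

/* Access rule for this example: after EBS only runtime variables are visible. */
static int check_access(const vars_state *s, const var *v)
{
    return !s->exit_boot_service || v->runtime_ok;
}

/* Next accessible entry after v, or the first accessible one when v is NULL.
 * Both the "" path and the named path use this, so neither can skip the check. */
static var *next_accessible(const vars_state *s, const var *v)
{
    var *n = v ? v->next : s->head;
    while (n && !check_access(s, n)) {
        n = n->next;
    }
    return n;
}

static var *find_var(const vars_state *s, const char *name)
{
    for (var *v = s->head; v; v = v->next) {
        if (strcmp(v->name, name) == 0) {
            return v;
        }
    }
    return NULL;
}

/* "" selects the first accessible name, anything else the accessible name
 * after it.  NULL means not found; a cursor the caller may not see gets the
 * same answer so it cannot be used to probe for hidden entries. */
static const char *get_next_variable_name(const vars_state *s, const char *name)
{
    var *cur = NULL;
    if (name[0] != '\0') {
        cur = find_var(s, name);
        if (!cur || !check_access(s, cur)) {
            return NULL;
        }
    }
    var *n = next_accessible(s, cur);
    return n ? n->name : NULL;
}

/* Constructed four-entry store; the very first entry is boot-time only. */
static var entries[4] = {
    { "boot-only-1", 0, NULL },
    { "runtime-1",   1, NULL },
    { "boot-only-2", 0, NULL },
    { "runtime-2",   1, NULL },
};

static void build_store(vars_state *s, int exit_boot_service)
{
    for (size_t i = 0; i + 1 < 4; i++) {
        entries[i].next = &entries[i + 1];
    }
    entries[3].next = NULL;
    s->head = entries;
    s->exit_boot_service = exit_boot_service;
}

/* Walks the store as firmware would; returns how many names came back. */
static int count_visible(int exit_boot_service)
{
    vars_state s;
    int count = 0;
    build_store(&s, exit_boot_service);
    for (const char *n = ""; (n = get_next_variable_name(&s, n)) != NULL; ) {
        count++;
    }
    return count;
}

/* The case the patch fixes: the name returned for an empty starting name. */
static const char *first_visible(int exit_boot_service)
{
    vars_state s;
    build_store(&s, exit_boot_service);
    return get_next_variable_name(&s, "");
}

/* A hidden name must not work as an enumeration cursor either. */
static int hidden_cursor_rejected(void)
{
    vars_state s;
    build_store(&s, 1);
    return get_next_variable_name(&s, "boot-only-1") == NULL;
}
```

Before exit-boot-services all four names are returned and the first is `boot-only-1`; after it, the walk yields two names and the first is `runtime-1`, which is exactly the entry that an unfiltered `QTAILQ_FIRST` would have leaked.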

* [PULL 4/4] hw/uefi: open json file in binary mode
From: Gerd Hoffmann @ 2025-08-12 10:01 UTC
To: qemu-devel; +Cc: Gerd Hoffmann, Philippe Mathieu-Daudé
Fixes file length discrepancies due to line ending conversions
on Windows hosts.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3058
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-ID: <20250811130110.820958-4-kraxel@redhat.com>
---
hw/uefi/var-service-json.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/uefi/var-service-json.c b/hw/uefi/var-service-json.c
index ad3462cd1557..f5f155683334 100644
--- a/hw/uefi/var-service-json.c
+++ b/hw/uefi/var-service-json.c
@@ -172,7 +172,7 @@ static GString *uefi_vars_to_json(uefi_vars_state *uv)
void uefi_vars_json_init(uefi_vars_state *uv, Error **errp)
{
if (uv->jsonfile) {
- uv->jsonfd = qemu_create(uv->jsonfile, O_RDWR, 0666, errp);
+ uv->jsonfd = qemu_create(uv->jsonfile, O_RDWR | O_BINARY, 0666, errp);
}
}
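Review bot: O_BINARY is a Windows-only flag, so this line builds on POSIX hosts only if QEMU's osdep header defines it as 0 there; that is not visible in the hunk and should be confirmed, or the change breaks every non-Windows build. Separately, the file is created with mode 0666 (minus umask) and it persists the guest's variable store, so a tighter 0600 is worth considering. Since the file is opened O_RDWR, a store already written with CRLF conversion before this fix still carries the length discrepancy; the commit message could say whether such files are detected or must be regenerated.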
--
2.50.1

* Re: [PULL 0/4] Uefi 20250812 patches
From: Michael Tokarev @ 2025-08-14 6:14 UTC
To: Gerd Hoffmann, qemu-devel; +Cc: qemu-stable
On 12.08.2025 13:01, Gerd Hoffmann wrote:
> hw/uefi: last-minute bug fixes for the uefi variable store [for 10.1]
>
> ----------------------------------------------------------------
>
> Gerd Hoffmann (3):
> hw/uefi: return success for notifications
> hw/uefi: check access for first variable
> hw/uefi: open json file in binary mode
>
> Mauro Matteo Cascella (1):
> hw/uefi: clear uefi-vars buffer in uefi_vars_write callback
I'm picking this whole lot to stable-10.0 branch as well.
Please let me know if I shouldn't.
Thanks,
/mjt