hw/uefi: clear uefi-vars buffer in uefi_vars_write callback - focaccia-qemu - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Mauro Matteo Cascella <mcascell@redhat.com>	2025-08-11 12:11:24 +0200
committer	Gerd Hoffmann <kraxel@redhat.com>	2025-08-12 08:03:16 +0200
commit	f757d9d90d19b914d4023663bfc4da73bbbf007e (patch)
tree	5be2a5a3b212cfb191ad3e8d6dbbb01ce6782147 /hw/m68k/virt.c
parent	624d7463043c120facfab2b54985fcfb679d5379 (diff)
download	focaccia-qemu-f757d9d90d19b914d4023663bfc4da73bbbf007e.tar.gz focaccia-qemu-f757d9d90d19b914d4023663bfc4da73bbbf007e.zip

hw/uefi: clear uefi-vars buffer in uefi_vars_write callback

When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write
callback `uefi_vars_write` is invoked. The function allocates a
heap buffer without zeroing the memory, leaving the buffer filled with
residual data from prior allocations. When the guest later reads from
register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback
`uefi_vars_read` returns leftover metadata or other sensitive process
memory from the previously allocated buffer, leading to an information
disclosure vulnerability.

Fixes: CVE-2025-8860
Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c")
Reported-by: ZDI <zdi-disclosures@trendmicro.com>
Suggested-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Message-ID: <20250811101128.17661-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Diffstat (limited to 'hw/m68k/virt.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: