Branch: refs/heads/master
Home: https://github.com/qemu/qemu

Commit: f757d9d90d19b914d4023663bfc4da73bbbf007e
https://github.com/qemu/qemu/commit/f757d9d90d19b914d4023663bfc4da73bbbf007e
Author: Mauro Matteo Cascella <mcasc...@redhat.com>
Date: 2025-08-12 (Tue, 12 Aug 2025)

Changed paths:
M hw/uefi/var-service-core.c

Log Message:
-----------
hw/uefi: clear uefi-vars buffer in uefi_vars_write callback

When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback `uefi_vars_write` is invoked. The function allocates a heap buffer without zeroing the memory, leaving the buffer filled with residual data from prior allocations. When the guest later reads from register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback `uefi_vars_read` returns leftover metadata or other sensitive process memory from the previously allocated buffer, leading to an information disclosure vulnerability.

Fixes: CVE-2025-8860
Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c")
Reported-by: ZDI <zdi-disclosu...@trendmicro.com>
Suggested-by: Gerd Hoffmann <kra...@redhat.com>
Signed-off-by: Mauro Matteo Cascella <mcasc...@redhat.com>
Message-ID: <20250811101128.17661-1-mcasc...@redhat.com>
Signed-off-by: Gerd Hoffmann <kra...@redhat.com>

Commit: 88e5a28d5aabb57f44c1805fbba0a458023f5106
https://github.com/qemu/qemu/commit/88e5a28d5aabb57f44c1805fbba0a458023f5106
Author: Gerd Hoffmann <kra...@redhat.com>
Date: 2025-08-12 (Tue, 12 Aug 2025)

Changed paths:
M hw/uefi/var-service-vars.c

Log Message:
-----------
hw/uefi: return success for notifications

Set status to SUCCESS for ready-to-boot and exit-boot-services notification calls.

Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
Message-ID: <20250811130110.820958-2-kra...@redhat.com>

Commit: fc8ee8fe58ad410f27fca64e4ad212c5a3eabe00
https://github.com/qemu/qemu/commit/fc8ee8fe58ad410f27fca64e4ad212c5a3eabe00
Author: Gerd Hoffmann <kra...@redhat.com>
Date: 2025-08-12 (Tue, 12 Aug 2025)

Changed paths:
M hw/uefi/var-service-vars.c

Log Message:
-----------
hw/uefi: check access for first variable

When listing variables (via get-next-variable-name) only the names of variables which can be accessed will be returned.
That check was missing for the first variable though. Add it.

Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
Message-ID: <20250811130110.820958-3-kra...@redhat.com>

Commit: 040237436f423253f3397547aa78d449394dfbca
https://github.com/qemu/qemu/commit/040237436f423253f3397547aa78d449394dfbca
Author: Gerd Hoffmann <kra...@redhat.com>
Date: 2025-08-12 (Tue, 12 Aug 2025)

Changed paths:
M hw/uefi/var-service-json.c

Log Message:
-----------
hw/uefi: open json file in binary mode

Fixes file length discrepancies due to line ending conversions on windows hosts.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3058
Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
Message-ID: <20250811130110.820958-4-kra...@redhat.com>

Commit: 5836af0783213b9355a6bbf85d9e6bc4c9c9363f
https://github.com/qemu/qemu/commit/5836af0783213b9355a6bbf85d9e6bc4c9c9363f
Author: Stefan Hajnoczi <stefa...@redhat.com>
Date: 2025-08-13 (Wed, 13 Aug 2025)

Changed paths:
M hw/uefi/var-service-core.c
M hw/uefi/var-service-json.c
M hw/uefi/var-service-vars.c

Log Message:
-----------
Merge tag 'uefi-20250812-pull-request' of https://gitlab.com/kraxel/qemu into staging

hw/uefi: last-minute bug fixes for the uefi variable store [for 10.1]

# gpg: Signature made Tue 12 Aug 2025 06:00:54 EDT
# gpg: using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kra...@redhat.com>" [full]
# gpg: aka "Gerd Hoffmann <g...@kraxel.org>" [full]
# gpg: aka "Gerd Hoffmann (private) <kra...@gmail.com>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138

* tag 'uefi-20250812-pull-request' of https://gitlab.com/kraxel/qemu:
hw/uefi: open json file in binary mode
hw/uefi: check access for first variable
hw/uefi: return success for notifications
hw/uefi: clear uefi-vars buffer in uefi_vars_write callback

Signed-off-by: Stefan Hajnoczi <stefa...@redhat.com>

Compare: https://github.com/qemu/qemu/compare/de784dc0a012...5836af078321