Hello Team,

May we know the ZDI-CAN mapped to CVE-2025-8860?

Regards,
The ZDI

-----Original Message-----
From: Michael Tokarev <m...@tls.msk.ru>
Sent: Wednesday, August 27, 2025 8:03 AM
To: qemu-devel@nongnu.org
Cc: qemu-sta...@nongnu.org; Mauro Matteo Cascella <mcasc...@redhat.com>; ZDI 
Disclosures Mailbox <zdi-disclosu...@trendmicro.com>; Gerd Hoffmann 
<kra...@redhat.com>; Michael Tokarev <m...@tls.msk.ru>
Subject: [Stable-10.0.4 56/59] hw/uefi: clear uefi-vars buffer in 
uefi_vars_write callback

From: Mauro Matteo Cascella <mcasc...@redhat.com>

When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write
callback `uefi_vars_write` is invoked. The function allocates a
heap buffer without zeroing the memory, leaving the buffer filled with
residual data from prior allocations. When the guest later reads from
register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback
`uefi_vars_read` returns leftover metadata or other sensitive process
memory from the previously allocated buffer, leading to an information
disclosure vulnerability.

Fixes: CVE-2025-8860
Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c")
Reported-by: ZDI <zdi-disclosu...@trendmicro.com>
Suggested-by: Gerd Hoffmann <kra...@redhat.com>
Signed-off-by: Mauro Matteo Cascella <mcasc...@redhat.com>
Message-ID: <20250811101128.17661-1-mcasc...@redhat.com>
Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
(cherry picked from commit f757d9d90d19b914d4023663bfc4da73bbbf007e)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>

diff --git a/hw/uefi/var-service-core.c b/hw/uefi/var-service-core.c
index 4836a0cb81..92fc121fe7 100644
--- a/hw/uefi/var-service-core.c
+++ b/hw/uefi/var-service-core.c
@@ -259,8 +259,8 @@ static void uefi_vars_write(void *opaque, hwaddr addr, 
uint64_t val, unsigned si
         uv->buf_size = val;
         g_free(uv->buffer);
         g_free(uv->pio_xfer_buffer);
-        uv->buffer = g_malloc(uv->buf_size);
-        uv->pio_xfer_buffer = g_malloc(uv->buf_size);
+        uv->buffer = g_malloc0(uv->buf_size);
+        uv->pio_xfer_buffer = g_malloc0(uv->buf_size);
         break;
     case UEFI_VARS_REG_DMA_BUFFER_ADDR_LO:
         uv->buf_addr_lo = val;
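Review bot: `val` goes straight into `uv->buf_size` and then into `g_malloc0(uv->buf_size)` with no upper bound visible in this hunk; if the limit on the guest-written size is enforced earlier in `uefi_vars_write` it sits outside the quoted lines, which is worth confirming, because GLib's `g_malloc0` aborts the process on allocation failure rather than returning NULL, so an unbounded guest-chosen size would turn the information leak into a guest-triggered abort of the device model. A second, smaller point: zeroing at allocation removes residue from earlier allocations only; anything the guest itself previously placed in `uv->buffer` or `uv->pio_xfer_buffer` remains until the next write to UEFI_VARS_REG_BUFFER_SIZE, so a one-line comment above the two `g_malloc0` calls stating that the buffers are guest-readable and must not carry stale heap contents would stop a future cleanup from reverting them to `g_malloc`.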
--
2.47.2

TREND MICRO EMAIL NOTICE

The information contained in this email and any attachments is confidential and 
may be subject to copyright or other intellectual property protection. If you 
are not the intended recipient, you are not authorized to use or disclose this 
information, and we request that you notify us by reply mail or telephone and 
delete the original message from your mail system.

For details about what personal information we collect and why, please see our 
Privacy Notice on our website at: http://www.trendmicro.com/privacy
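To make the bug class in the patch above concrete, here is an added example that is not QEMU code and not part of this thread: a small C model of a register-backed device that reallocates a guest-sized buffer on a size-register write and lets the guest drain that buffer through PIO reads. The register offsets, the `vars_dev` struct, the `arena_*` allocator and the secret string are all constructed for the demonstration; the allocator stands in for the process heap so that chunk reuse is deterministic, and the `zero_on_alloc` flag switches between the `g_malloc` and `g_malloc0` behaviours from the diff.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed register offsets; the real UEFI_VARS_REG_* values are not reproduced here. */
#define REG_BUFFER_SIZE         0x00
#define REG_PIO_BUFFER_TRANSFER 0x08

/* Constructed stand-in for the process heap: one reusable chunk whose
 * contents survive free(), so a later allocation of the same chunk sees
 * whatever the previous owner left there, as a real allocator commonly
 * does when it hands back a recently freed chunk. */
#define ARENA_BYTES 256
static uint8_t arena[ARENA_BYTES];
static int arena_in_use;

static void *arena_alloc(size_t n, int zero)
{
    if (arena_in_use || n > ARENA_BYTES) {
        return NULL;
    }
    arena_in_use = 1;
    if (zero) {
        memset(arena, 0, n);      /* g_malloc0 behaviour: fresh zeroed memory */
    }
    return arena;                 /* g_malloc behaviour: stale bytes stay in place */
}

static void arena_free(void *p)
{
    if (p) {
        arena_in_use = 0;         /* contents are deliberately left untouched */
    }
}

typedef struct {
    size_t   buf_size;
    uint8_t *buffer;
    size_t   pio_pos;
    int      zero_on_alloc;       /* 0 models g_malloc, 1 models g_malloc0 */
} vars_dev;

/* Model of the .write callback: a guest write of the buffer size reallocates the buffer. */
static void vars_write(vars_dev *uv, uint64_t addr, uint64_t val)
{
    switch (addr) {
    case REG_BUFFER_SIZE:
        uv->buf_size = (size_t)val;
        arena_free(uv->buffer);
        uv->buffer = arena_alloc(uv->buf_size, uv->zero_on_alloc);
        uv->pio_pos = 0;
        break;
    default:
        break;
    }
}

/* Model of the .read callback: each PIO transfer read returns the next buffer byte. */
static uint64_t vars_read(vars_dev *uv, uint64_t addr)
{
    if (addr == REG_PIO_BUFFER_TRANSFER && uv->buffer && uv->pio_pos < uv->buf_size) {
        return uv->buffer[uv->pio_pos++];
    }
    return 0;
}

/* Scenario: earlier host-side code held a secret in the chunk and freed it;
 * the guest then programs a buffer size and drains the buffer through PIO
 * reads without ever writing to it. Returns how many non-zero bytes the
 * guest recovered (0 means nothing leaked). */
static size_t bytes_leaked_to_guest(int zero_on_alloc)
{
    static const char secret[] = "host-side secret string";   /* constructed sample */
    vars_dev uv = { 0 };
    uv.zero_on_alloc = zero_on_alloc;

    char *prior = arena_alloc(sizeof secret, 0);
    memcpy(prior, secret, sizeof secret);
    arena_free(prior);                       /* secret stays in the chunk */

    vars_write(&uv, REG_BUFFER_SIZE, 64);    /* guest picks the size */

    size_t nonzero = 0;
    for (size_t i = 0; i < 64; i++) {
        if (vars_read(&uv, REG_PIO_BUFFER_TRANSFER) != 0) {
            nonzero++;
        }
    }
    arena_free(uv.buffer);
    return nonzero;
}

int main(void)
{
    printf("g_malloc  model: %zu bytes of stale data readable by the guest\n",
           bytes_leaked_to_guest(0));
    printf("g_malloc0 model: %zu bytes of stale data readable by the guest\n",
           bytes_leaked_to_guest(1));
    return 0;
}
```

With the `g_malloc`-like path the guest reads back the 23 characters of the previous owner's string without ever having written to the device; with the `g_malloc0`-like path every byte comes back zero. The model also makes the remaining caveat visible: zeroing happens only at allocation, so any data the guest itself places in the buffer persists across PIO reads until the size register is written again.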
