On Fri, Aug 29, 2025 at 7:41 PM zdi-disclosu...@trendmicro.com <zdi-disclosu...@trendmicro.com> wrote:
>
> Hello Team,
>
> May we know the ZDI-CAN mapped to CVE-2025-8860?
This was reported (by you) to the qemu-security ML as ZDI-CAN-27261.

> Regards,
> The ZDI
>
> -----Original Message-----
> From: Michael Tokarev <m...@tls.msk.ru>
> Sent: Wednesday, August 27, 2025 8:03 AM
> To: qemu-devel@nongnu.org
> Cc: qemu-sta...@nongnu.org; Mauro Matteo Cascella <mcasc...@redhat.com>; ZDI Disclosures Mailbox <zdi-disclosu...@trendmicro.com>; Gerd Hoffmann <kra...@redhat.com>; Michael Tokarev <m...@tls.msk.ru>
> Subject: [Stable-10.0.4 56/59] hw/uefi: clear uefi-vars buffer in uefi_vars_write callback
>
> From: Mauro Matteo Cascella <mcasc...@redhat.com>
>
> When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write
> callback `uefi_vars_write` is invoked. The function allocates a
> heap buffer without zeroing the memory, leaving the buffer filled with
> residual data from prior allocations. When the guest later reads from
> register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback
> `uefi_vars_read` returns leftover metadata or other sensitive process
> memory from the previously allocated buffer, leading to an information
> disclosure vulnerability.
>
> Fixes: CVE-2025-8860
> Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c")
> Reported-by: ZDI <zdi-disclosu...@trendmicro.com>
> Suggested-by: Gerd Hoffmann <kra...@redhat.com>
> Signed-off-by: Mauro Matteo Cascella <mcasc...@redhat.com>
> Message-ID: <20250811101128.17661-1-mcasc...@redhat.com>
> Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
> (cherry picked from commit f757d9d90d19b914d4023663bfc4da73bbbf007e)
> Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
>
> diff --git a/hw/uefi/var-service-core.c b/hw/uefi/var-service-core.c
> index 4836a0cb81..92fc121fe7 100644
> --- a/hw/uefi/var-service-core.c
> +++ b/hw/uefi/var-service-core.c
> @@ -259,8 +259,8 @@ static void uefi_vars_write(void *opaque, hwaddr addr, > uint64_t val, unsigned si > uv->buf_size = val; > g_free(uv->buffer); > g_free(uv->pio_xfer_buffer); > - uv->buffer = g_malloc(uv->buf_size); > - uv->pio_xfer_buffer = g_malloc(uv->buf_size); > + uv->buffer = g_malloc0(uv->buf_size); > + uv->pio_xfer_buffer = g_malloc0(uv->buf_size); > break; > case UEFI_VARS_REG_DMA_BUFFER_ADDR_LO: > uv->buf_addr_lo = val; > -- > 2.47.2

-- 
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
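Review bot: switching both allocations to g_malloc0() closes the path the commit message describes (uninitialised heap contents handed back through the UEFI_VARS_REG_PIO_BUFFER_TRANSFER read), but the context line `uv->buf_size = val;` takes the size straight from the guest register write and no clamp on `val` is visible within this hunk; please confirm the upper bound sits just above the hunk, otherwise a guest-chosen size would make the two g_malloc0() calls a memory-pressure concern of their own. Two smaller points for the same hunk: zeroing happens only at (re)allocation, so a buffer reused across transfers still carries the previous transfer's bytes, which is acceptable only if the read path returns no more than the last transfer wrote; and a one-line comment on why g_malloc0() is required here (CVE-2025-8860) would keep a future cleanup from reverting it to g_malloc().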