Google Git
Sign in
qemu / qemu / f757d9d90d19b914d4023663bfc4da73bbbf007e
commitf757d9d90d19b914d4023663bfc4da73bbbf007e[log] [tgz]
authorMauro Matteo Cascella <mcascell@redhat.com>Mon Aug 11 12:11:24 2025 +0200
committerGerd Hoffmann <kraxel@redhat.com>Tue Aug 12 08:03:16 2025 +0200
tree5be2a5a3b212cfb191ad3e8d6dbbb01ce6782147
parent624d7463043c120facfab2b54985fcfb679d5379 [diff]
hw/uefi: clear uefi-vars buffer in uefi_vars_write callback

When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write
callback `uefi_vars_write` is invoked. The function allocates a
heap buffer without zeroing the memory, leaving the buffer filled with
residual data from prior allocations. When the guest later reads from
register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback
`uefi_vars_read` returns leftover metadata or other sensitive process
memory from the previously allocated buffer, leading to an information
disclosure vulnerability.

Fixes: CVE-2025-8860
Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c")
Reported-by: ZDI <zdi-disclosures@trendmicro.com>
Suggested-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Message-ID: <20250811101128.17661-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed
tree: 5be2a5a3b212cfb191ad3e8d6dbbb01ce6782147
  1. .github/
  2. .gitlab/
  3. .gitlab-ci.d/
  4. accel/
  5. audio/
  6. authz/
  7. backends/
  8. block/
  9. bsd-user/
  10. chardev/
  11. common-user/
  12. configs/
  13. contrib/
  14. crypto/
  15. disas/
  16. docs/
  17. dump/
  18. ebpf/
  19. fpu/
  20. fsdev/
  21. gdb-xml/
  22. gdbstub/
  23. host/
  24. hw/
  25. include/
  26. io/
  27. libdecnumber/
  28. linux-headers/
  29. linux-user/
  30. migration/
  31. monitor/
  32. nbd/
  33. net/
  34. pc-bios/
  35. plugins/
  36. po/
  37. python/
  38. qapi/
  39. qga/
  40. qobject/
  41. qom/
  42. replay/
  43. roms/
  44. rust/
  45. scripts/
  46. scsi/
  47. semihosting/
  48. stats/
  49. storage-daemon/
  50. stubs/
  51. subprojects/
  52. system/
  53. target/
  54. tcg/
  55. tests/
  56. tools/
  57. trace/
  58. ui/
  59. util/
  60. .b4-config
  61. .dir-locals.el
  62. .editorconfig
  63. .exrc
  64. .gdbinit
  65. .git-blame-ignore-revs
  66. .gitattributes
  67. .gitignore
  68. .gitlab-ci.yml
  69. .gitmodules
  70. .gitpublish
  71. .mailmap
  72. .patchew.yml
  73. .readthedocs.yml
  74. .travis.yml
  75. block.c
  76. blockdev-nbd.c
  77. blockdev.c
  78. blockjob.c
  79. clippy.toml
  80. configure
  81. COPYING
  82. COPYING.LIB
  83. cpu-common.c
  84. cpu-target.c
  85. event-loop-base.c
  86. gitdm.config
  87. hmp-commands-info.hx
  88. hmp-commands.hx
  89. iothread.c
  90. job-qmp.c
  91. job.c
  92. Kconfig
  93. Kconfig.host
  94. LICENSE
  95. MAINTAINERS
  96. Makefile
  97. meson.build
  98. meson_options.txt
  99. module-common.c
  100. os-posix.c
  101. os-wasm.c
  102. os-win32.c
  103. page-target.c
  104. page-vary-common.c
  105. page-vary-target.c
  106. pythondeps.toml
  107. qemu-bridge-helper.c
  108. qemu-edid.c
  109. qemu-img-cmds.hx
  110. qemu-img.c
  111. qemu-io-cmds.c
  112. qemu-io.c
  113. qemu-keymap.c
  114. qemu-nbd.c
  115. qemu-options.hx
  116. qemu.nsi
  117. qemu.sasl
  118. README.rst
  119. replication.c
  120. target-info-stub.c
  121. target-info.c
  122. trace-events
  123. VERSION
  124. version.rc