From: Mauro Matteo Cascella Date: Mon, 11 Aug 2025 10:11:24 +0000 (+0200) Subject: hw/uefi: clear uefi-vars buffer in uefi_vars_write callback X-Git-Tag: v10.1.0-rc4~2^2~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f757d9d90d19b914d4023663bfc4da73bbbf007e;p=thirdparty%2Fqemu.git hw/uefi: clear uefi-vars buffer in uefi_vars_write callback When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback `uefi_vars_write` is invoked. The function allocates a heap buffer without zeroing the memory, leaving the buffer filled with residual data from prior allocations. When the guest later reads from register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback `uefi_vars_read` returns leftover metadata or other sensitive process memory from the previously allocated buffer, leading to an information disclosure vulnerability. Fixes: CVE-2025-8860 Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c") Reported-by: ZDI Suggested-by: Gerd Hoffmann Signed-off-by: Mauro Matteo Cascella Message-ID: <20250811101128.17661-1-mcascell@redhat.com> Signed-off-by: Gerd Hoffmann --- diff --git a/hw/uefi/var-service-core.c b/hw/uefi/var-service-core.c index feec5a59583..6ab8df091aa 100644 --- a/hw/uefi/var-service-core.c +++ b/hw/uefi/var-service-core.c @@ -259,8 +259,8 @@ static void uefi_vars_write(void *opaque, hwaddr addr, uint64_t val, unsigned si uv->buf_size = val; g_free(uv->buffer); g_free(uv->pio_xfer_buffer); - uv->buffer = g_malloc(uv->buf_size); - uv->pio_xfer_buffer = g_malloc(uv->buf_size); + uv->buffer = g_malloc0(uv->buf_size); + uv->pio_xfer_buffer = g_malloc0(uv->buf_size); break; case UEFI_VARS_REG_DMA_BUFFER_ADDR_LO: uv->buf_addr_lo = val;
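Review bot: the switch to g_malloc0() in the UEFI_VARS_REG_BUFFER_SIZE case closes the uninitialised-heap read, but the surrounding lines (`uv->buf_size = val;` followed by `g_free()` and the two allocations) show no bound on the guest-supplied size before it reaches g_malloc0(); if the limit is enforced elsewhere, a short comment at this point saying so would help reviewers, and if it is not, a range check before `uv->buf_size = val;` is worth adding, since g_malloc0() aborts rather than returning NULL when a huge allocation fails. Note also that g_malloc0() like g_malloc() returns NULL for a zero size, so the val == 0 behaviour is unchanged by this patch and any later dereference of `uv->buffer` / `uv->pio_xfer_buffer` still relies on the existing callers handling that case.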