[efi] Clear DMA-coherent buffers before mapping

The DMA mapping is performed implicitly as part of the call to
dma_alloc().  The current implementation creates the IOMMU mapping for
the allocated and potentially uninitialised data before returning to
the caller (which will immediately zero out or otherwise initialise
the buffer).  This leaves a small window within which a malicious PCI
device could potentially attempt to retrieve firmware-owned secrets
present in the uninitialised buffer.  (Note that the hypothetically
malicious PCI device has no viable way to know the address of the
buffer from which to attempt a DMA read, rendering the attack
extremely implausible.)

Guard against any such hypothetical attacks by zeroing out the
allocated buffer prior to creating the coherent DMA mapping.

Suggested-by: Mateusz Siwiec <Mateusz.Siwiec@ioactive.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/interface/efi/efi_pci.c b/src/interface/efi/efi_pci.c
index 19e34170765f8047dc0ddfa9de3138de4fc7c57d..4796201e92be6b942b23d8ba8575ff41f68d1849 100644 (file)
--- a/src/interface/efi/efi_pci.c
+++ b/src/interface/efi/efi_pci.c
@@ -524,6 +524,9 @@ static void * efipci_dma_alloc ( struct dma_device *dma,
                goto err_alloc;
        }
 
+       /* Clear buffer */
+       memset ( addr, 0, ( pages * EFI_PAGE_SIZE ) );
+
        /* Map buffer */
        if ( ( rc = efipci_dma_map ( dma, map, virt_to_phys ( addr ),
                                     ( pages * EFI_PAGE_SIZE ),