| | | |
|---|---|---|
| author | Mauro Matteo Cascella <mcascell@redhat.com> | 2025-08-11 12:11:24 +0200 |
| committer | Gerd Hoffmann <kraxel@redhat.com> | 2025-08-12 08:03:16 +0200 |
| commit | f757d9d90d19b914d4023663bfc4da73bbbf007e (patch) | |
| tree | 5be2a5a3b212cfb191ad3e8d6dbbb01ce6782147 /scripts/dump-guest-memory.py | |
| parent | 624d7463043c120facfab2b54985fcfb679d5379 (diff) | |
| download | qemu-f757d9d90d19b914d4023663bfc4da73bbbf007e.zip qemu-f757d9d90d19b914d4023663bfc4da73bbbf007e.tar.gz qemu-f757d9d90d19b914d4023663bfc4da73bbbf007e.tar.bz2 | |
hw/uefi: clear uefi-vars buffer in uefi_vars_write callback
When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write
callback `uefi_vars_write` is invoked. The function allocates a
heap buffer without zeroing the memory, leaving the buffer filled with
residual data from prior allocations. When the guest later reads from
register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback
`uefi_vars_read` returns leftover metadata or other sensitive process
memory from the previously allocated buffer, leading to an information
disclosure vulnerability.
Fixes: CVE-2025-8860
Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c")
Reported-by: ZDI <zdi-disclosures@trendmicro.com>
Suggested-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Message-ID: <20250811101128.17661-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
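The bug class described in the commit message, as an added example that is not QEMU's code: a register write sizes a guest-visible buffer, the device allocates it without zeroing, and a later read through the transfer register returns whatever the previous owner of that memory left behind. The toy pool allocator, the `vars_state` struct and the `vars_write_buffer_size_*` / `vars_read_pio` names are constructed stand-ins (the pool makes heap reuse deterministic so the leak is reproducible); the fixed variant does what the commit title says, clearing the buffer at allocation time.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the process heap: chunks are handed out from a
 * static arena and never cleared, so a "freed" chunk's bytes survive into
 * the next allocation exactly as a recycled heap chunk would. */
#define POOL_SIZE 4096
static uint8_t pool[POOL_SIZE];
static size_t pool_top;

static void *pool_alloc(size_t n) {          /* like malloc(): no zeroing */
    if (pool_top + n > POOL_SIZE) return NULL;
    void *p = pool + pool_top;
    pool_top += n;
    return p;
}
static void pool_reset(void) { pool_top = 0; } /* free() + reuse of the region */

/* Minimal model of a register-mapped device exposing a buffer to the guest. */
typedef struct {
    uint8_t *buf;
    uint32_t buf_size;
    uint32_t pio_offset;   /* cursor advanced by each PIO transfer read */
} vars_state;

/* Vulnerable pattern: guest sets the size, device allocates without clearing. */
static void vars_write_buffer_size_vuln(vars_state *s, uint32_t size) {
    s->buf = pool_alloc(size);
    s->buf_size = s->buf ? size : 0;
    s->pio_offset = 0;
}

/* Fixed pattern: zero the freshly allocated buffer (the calloc/g_malloc0
 * equivalent) so nothing from a prior owner of the memory is observable. */
static void vars_write_buffer_size_fixed(vars_state *s, uint32_t size) {
    s->buf = pool_alloc(size);
    if (s->buf) memset(s->buf, 0, size);
    s->buf_size = s->buf ? size : 0;
    s->pio_offset = 0;
}

/* One byte per read of the transfer register; reads past the end return 0
 * instead of walking off the allocation. */
static uint8_t vars_read_pio(vars_state *s) {
    if (!s->buf || s->pio_offset >= s->buf_size) return 0;
    return s->buf[s->pio_offset++];
}

/* Scenario: a previous allocation held host-side data, was released, and the
 * guest then sizes the buffer so it lands on the same memory. Returns how
 * many non-zero bytes the guest can read back, i.e. the size of the leak. */
static int leaked_bytes(void (*resize)(vars_state *, uint32_t)) {
    static const char secret[] = "CONSTRUCTED-SECRET"; /* constructed value */
    pool_reset();
    char *prev = pool_alloc(64);
    memcpy(prev, secret, sizeof secret);
    pool_reset();                 /* "freed": contents remain in the arena */

    vars_state s = {0};
    resize(&s, 64);               /* guest writes BUFFER_SIZE register */
    int leaked = 0;
    for (uint32_t i = 0; i < s.buf_size; i++)
        if (vars_read_pio(&s) != 0) leaked++;   /* guest reads PIO register */
    return leaked;
}

int main(void) {
    printf("unzeroed allocation: %d bytes of prior data readable\n",
           leaked_bytes(vars_write_buffer_size_vuln));
    printf("zeroed allocation:   %d bytes of prior data readable\n",
           leaked_bytes(vars_write_buffer_size_fixed));
    return 0;
}
```

The vulnerable path exposes all 18 non-NUL bytes of the earlier allocation; the fixed path exposes none. Beyond zeroing, the read callback bounds the cursor against `buf_size`, which is the second check a reviewer would look for in a device model whose buffer size is guest controlled.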