aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichael Brown <mcb30@ipxe.org>2022-11-04 20:28:09 +0000
committerMichael Brown <mcb30@ipxe.org>2022-11-04 20:28:09 +0000
commit7b60a487528a2b6dfa43da179f9ae9ef7ce34e76 (patch)
tree563e4ed718b82a369bd2fdf4709e350ca3be246e
parentf48b01cb016921cf0f58bd6be676c17042923719 (diff)
downloadipxe-7b60a487528a2b6dfa43da179f9ae9ef7ce34e76.zip
ipxe-7b60a487528a2b6dfa43da179f9ae9ef7ce34e76.tar.gz
ipxe-7b60a487528a2b6dfa43da179f9ae9ef7ce34e76.tar.bz2
[efi] Clear DMA-coherent buffers before mappingioactive
The DMA mapping is performed implicitly as part of the call to dma_alloc(). The current implementation creates the IOMMU mapping for the allocated and potentially uninitialised data before returning to the caller (which will immediately zero out or otherwise initialise the buffer). This leaves a small window within which a malicious PCI device could potentially attempt to retrieve firmware-owned secrets present in the uninitialised buffer. (Note that the hypothetically malicious PCI device has no viable way to know the address of the buffer from which to attempt a DMA read, rendering the attack extremely implausible.) Guard against any such hypothetical attacks by zeroing out the allocated buffer prior to creating the coherent DMA mapping. Suggested-by: Mateusz Siwiec <Mateusz.Siwiec@ioactive.com> Signed-off-by: Michael Brown <mcb30@ipxe.org>
-rw-r--r--src/interface/efi/efi_pci.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/interface/efi/efi_pci.c b/src/interface/efi/efi_pci.c
index 19e3417..4796201 100644
--- a/src/interface/efi/efi_pci.c
+++ b/src/interface/efi/efi_pci.c
@@ -524,6 +524,9 @@ static void * efipci_dma_alloc ( struct dma_device *dma,
goto err_alloc;
}
+ /* Clear buffer */
+ memset ( addr, 0, ( pages * EFI_PAGE_SIZE ) );
+
/* Map buffer */
if ( ( rc = efipci_dma_map ( dma, map, virt_to_phys ( addr ),
( pages * EFI_PAGE_SIZE ),