From f757d9d90d19b914d4023663bfc4da73bbbf007e Mon Sep 17 00:00:00 2001 From: Mauro Matteo Cascella Date: Mon, 11 Aug 2025 12:11:24 +0200 Subject: hw/uefi: clear uefi-vars buffer in uefi_vars_write callback When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback `uefi_vars_write` is invoked. The function allocates a heap buffer without zeroing the memory, leaving the buffer filled with residual data from prior allocations. When the guest later reads from register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback `uefi_vars_read` returns leftover metadata or other sensitive process memory from the previously allocated buffer, leading to an information disclosure vulnerability. Fixes: CVE-2025-8860 Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c") Reported-by: ZDI Suggested-by: Gerd Hoffmann Signed-off-by: Mauro Matteo Cascella Message-ID: <20250811101128.17661-1-mcascell@redhat.com> Signed-off-by: Gerd Hoffmann --- hw/uefi/var-service-core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'hw') diff --git a/hw/uefi/var-service-core.c b/hw/uefi/var-service-core.c index feec5a5..6ab8df0 100644 --- a/hw/uefi/var-service-core.c +++ b/hw/uefi/var-service-core.c @@ -259,8 +259,8 @@ static void uefi_vars_write(void *opaque, hwaddr addr, uint64_t val, unsigned si uv->buf_size = val; g_free(uv->buffer); g_free(uv->pio_xfer_buffer); - uv->buffer = g_malloc(uv->buf_size); - uv->pio_xfer_buffer = g_malloc(uv->buf_size); + uv->buffer = g_malloc0(uv->buf_size); + uv->pio_xfer_buffer = g_malloc0(uv->buf_size); break; case UEFI_VARS_REG_DMA_BUFFER_ADDR_LO: uv->buf_addr_lo = val; -- cgit v1.1