| field | value | date |
|---|---|---|
| author | Michael Brown <mcb30@ipxe.org> | 2022-11-04 20:28:09 +0000 |
| committer | Michael Brown <mcb30@ipxe.org> | 2022-11-04 20:28:09 +0000 |
| commit | 7b60a487528a2b6dfa43da179f9ae9ef7ce34e76 (patch) | |
| tree | 563e4ed718b82a369bd2fdf4709e350ca3be246e | |
| parent | f48b01cb016921cf0f58bd6be676c17042923719 (diff) | |
| download | ipxe-7b60a487528a2b6dfa43da179f9ae9ef7ce34e76.zip ipxe-7b60a487528a2b6dfa43da179f9ae9ef7ce34e76.tar.gz ipxe-7b60a487528a2b6dfa43da179f9ae9ef7ce34e76.tar.bz2 | |
[efi] Clear DMA-coherent buffers before mapping
The DMA mapping is performed implicitly as part of the call to
dma_alloc(). The current implementation creates the IOMMU mapping for
the allocated and potentially uninitialised data before returning to
the caller (which will immediately zero out or otherwise initialise
the buffer). This leaves a small window within which a malicious PCI
device could potentially attempt to retrieve firmware-owned secrets
present in the uninitialised buffer. (Note that the hypothetically
malicious PCI device has no viable way to know the address of the
buffer from which to attempt a DMA read, rendering the attack
extremely implausible.)
Guard against any such hypothetical attacks by zeroing out the
allocated buffer prior to creating the coherent DMA mapping.
Suggested-by: Mateusz Siwiec <Mateusz.Siwiec@ioactive.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | src/interface/efi/efi_pci.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/interface/efi/efi_pci.c b/src/interface/efi/efi_pci.c index 19e3417..4796201 100644 --- a/src/interface/efi/efi_pci.c +++ b/src/interface/efi/efi_pci.c @@ -524,6 +524,9 @@ static void * efipci_dma_alloc ( struct dma_device *dma, goto err_alloc; } + /* Clear buffer */ + memset ( addr, 0, ( pages * EFI_PAGE_SIZE ) ); + /* Map buffer */ if ( ( rc = efipci_dma_map ( dma, map, virt_to_phys ( addr ), ( pages * EFI_PAGE_SIZE ), |
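Review bot: the `/* Clear buffer */` comment on the new `memset()` should state why it must sit between the allocation and `efipci_dma_map()`, because the ordering is the entire point of the fix and nothing in the code itself conveys it. The commit message explains that the IOMMU mapping must not exist while the pages still hold uninitialised, potentially firmware-owned data; a later "harmless" refactor that moves the clear after the map call, or defers it to the caller, would silently reopen that window with no compile-time or test signal. Suggest something like `/* Clear buffer before creating the DMA mapping, so that no uninitialised data is ever device-visible */`. On the size: clearing `( pages * EFI_PAGE_SIZE )` rather than the caller's requested length is correct here, since the same `( pages * EFI_PAGE_SIZE )` expression is what gets mapped on the following lines, so the cleared region and the device-visible region coincide exactly; worth keeping those two expressions visibly identical (or sharing one local) so they cannot drift apart.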