From 7b60a487528a2b6dfa43da179f9ae9ef7ce34e76 Mon Sep 17 00:00:00 2001 From: Michael Brown Date: Fri, 4 Nov 2022 20:28:09 +0000 Subject: [efi] Clear DMA-coherent buffers before mapping The DMA mapping is performed implicitly as part of the call to dma_alloc(). The current implementation creates the IOMMU mapping for the allocated and potentially uninitialised data before returning to the caller (which will immediately zero out or otherwise initialise the buffer). This leaves a small window within which a malicious PCI device could potentially attempt to retrieve firmware-owned secrets present in the uninitialised buffer. (Note that the hypothetically malicious PCI device has no viable way to know the address of the buffer from which to attempt a DMA read, rendering the attack extremely implausible.) Guard against any such hypothetical attacks by zeroing out the allocated buffer prior to creating the coherent DMA mapping. Suggested-by: Mateusz Siwiec Signed-off-by: Michael Brown --- src/interface/efi/efi_pci.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/interface/efi/efi_pci.c b/src/interface/efi/efi_pci.c index 19e3417..4796201 100644 --- a/src/interface/efi/efi_pci.c +++ b/src/interface/efi/efi_pci.c @@ -524,6 +524,9 @@ static void * efipci_dma_alloc ( struct dma_device *dma, goto err_alloc; } + /* Clear buffer */ + memset ( addr, 0, ( pages * EFI_PAGE_SIZE ) ); + /* Map buffer */ if ( ( rc = efipci_dma_map ( dma, map, virt_to_phys ( addr ), ( pages * EFI_PAGE_SIZE ), -- cgit v1.1