When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write
callback `uefi_vars_write` is invoked. The function allocates a
heap buffer without zeroing the memory, leaving the buffer filled with
residual data from prior allocations. When the guest later reads from
register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback
`uefi_vars_read` returns leftover metadata or other sensitive process
memory from the previously allocated buffer, leading to an information
disclosure vulnerability.
Fixes: CVE-2025-8860
Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c")
Reported-by: ZDI <zdi-disclosures@trendmicro.com>
Suggested-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
---
hw/uefi/var-service-core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/uefi/var-service-core.c b/hw/uefi/var-service-core.c
index feec5a5958..6ab8df091a 100644
--- a/hw/uefi/var-service-core.c
+++ b/hw/uefi/var-service-core.c
@@ -259,8 +259,8 @@ static void uefi_vars_write(void *opaque, hwaddr addr, uint64_t val, unsigned si
uv->buf_size = val;
g_free(uv->buffer);
g_free(uv->pio_xfer_buffer);
- uv->buffer = g_malloc(uv->buf_size);
- uv->pio_xfer_buffer = g_malloc(uv->buf_size);
+ uv->buffer = g_malloc0(uv->buf_size);
+ uv->pio_xfer_buffer = g_malloc0(uv->buf_size);
break;
case UEFI_VARS_REG_DMA_BUFFER_ADDR_LO:
uv->buf_addr_lo = val;
--
2.50.1