[PATCH for 11.0] hw/uefi: fix heap overflow (CVE-2026-5744)

Gerd Hoffmann posted 1 patch 3 days, 9 hours ago
git fetch https://github.com/patchew-project/qemu tags/patchew/20260408073403.3410541-1-kraxel@redhat.com
Maintainers: Gerd Hoffmann <kraxel@redhat.com>
hw/uefi/var-service-core.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
[PATCH for 11.0] hw/uefi: fix heap overflow (CVE-2026-5744)
Posted by Gerd Hoffmann 3 days, 9 hours ago
When copying the request response into the pio transfer buffer the code
skips the 'struct mm_header' but does not consider that when calculating
transfer size, so it will copy 24 (== sizeof(struct mm_header)) extra
bytes, which can overflow uv->pio_xfer_buffer.

Fix that by copying the complete buffer, including the header, which
also makes the pio code path consistent with the (unaffected) dma code
path.

Fixes: CVE-2026-5744
Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c")
Reported-by: Yuma Kurogome <yumak@ricsec.co.jp>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/uefi/var-service-core.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/hw/uefi/var-service-core.c b/hw/uefi/var-service-core.c
index ce0628fa5248..68d7594c0dd6 100644
--- a/hw/uefi/var-service-core.c
+++ b/hw/uefi/var-service-core.c
@@ -137,9 +137,8 @@ static uint32_t uefi_vars_cmd_mm(uefi_vars_state *uv, bool dma_mode)
                          uv->buffer, sizeof(*mhdr) + mhdr->length,
                          MEMTXATTRS_UNSPECIFIED);
     } else {
-        memcpy(uv->pio_xfer_buffer + sizeof(*mhdr),
-               uv->buffer + sizeof(*mhdr),
-               sizeof(*mhdr) + mhdr->length);
+        memcpy(uv->pio_xfer_buffer,
+               uv->buffer, sizeof(*mhdr) + mhdr->length);
     }
 
     return retval;
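Review bot: the new memcpy sizes the copy as sizeof(*mhdr) + mhdr->length, the same expression the dma branch in the context lines above passes for uv->buffer, so the consistency claim in the commit message holds; what the hunk does not show is where mhdr->length is bounded against the capacity of uv->pio_xfer_buffer, so after this change the copy is only safe if that check happens earlier in uefi_vars_cmd_mm or when the request is received. Consider stating in the commit message where sizeof(*mhdr) + mhdr->length is validated, or adding an assert on that bound immediately before the memcpy so a future change to the request parsing cannot silently reintroduce the overflow.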
-- 
2.53.0
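An added example, not code from the patch or from QEMU: a constructed model of the pre-fix and post-fix copy arithmetic behind a capacity-checked memcpy, showing that the old offset/size pairing fits for small responses but needs 24 bytes more than the buffer holds once the response fills it. The header layout, the 256-byte buffer size and all names except mm_header, buffer and pio_xfer_buffer are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not QEMU's code; only the 24-byte header size is from
 * the commit message, the field layout is assumed. */
struct mm_header {
    uint8_t  guid[16];
    uint64_t length;            /* payload bytes that follow the header */
};
_Static_assert(sizeof(struct mm_header) == 24, "header must be 24 bytes");
#define XFER_BUFFER_SIZE 256    /* assumed capacity of both buffers */

struct uefi_vars_model {
    uint8_t buffer[XFER_BUFFER_SIZE];           /* header + response payload */
    uint8_t pio_xfer_buffer[XFER_BUFFER_SIZE];  /* what the guest reads back */
};

/* memcpy guarded by destination capacity: copies nothing and returns
 * false when dst_off + len would run past dst_cap. */
static bool bounded_copy(uint8_t *dst, size_t dst_cap, size_t dst_off,
                         const uint8_t *src, size_t len)
{
    if (dst_off > dst_cap || len > dst_cap - dst_off) {
        return false;
    }
    memcpy(dst + dst_off, src, len);
    return true;
}

/* The patch's size expression, sizeof(*mhdr) + mhdr->length, with the copy
 * starting at `off` in both buffers: 24 before the fix, 0 after it. */
static bool pio_copy(struct uefi_vars_model *uv, size_t off)
{
    struct mm_header mhdr;
    memcpy(&mhdr, uv->buffer, sizeof(mhdr));   /* avoids an unaligned read */
    return bounded_copy(uv->pio_xfer_buffer, sizeof(uv->pio_xfer_buffer), off,
                        uv->buffer + off, sizeof(mhdr) + (size_t)mhdr.length);
}
bool pio_copy_old(struct uefi_vars_model *uv) { return pio_copy(uv, sizeof(struct mm_header)); }
bool pio_copy_fixed(struct uefi_vars_model *uv) { return pio_copy(uv, 0); }

/* Constructed response: header followed by payload_len bytes of 0x5A,
 * clamped so the model's own buffer is never overrun. */
void fill_response(struct uefi_vars_model *uv, size_t payload_len)
{
    size_t max_len = XFER_BUFFER_SIZE - sizeof(struct mm_header);
    struct mm_header hdr = { .length = payload_len > max_len ? max_len : payload_len };
    memset(uv, 0, sizeof(*uv));
    memset(hdr.guid, 0xAB, sizeof(hdr.guid));
    memcpy(uv->buffer, &hdr, sizeof(hdr));
    memset(uv->buffer + sizeof(hdr), 0x5A, (size_t)hdr.length);
}
```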
Re: [PATCH for 11.0] hw/uefi: fix heap overflow (CVE-2026-5744)
Posted by Daniel P. Berrangé 2 days, 8 hours ago
On Wed, Apr 08, 2026 at 09:34:02AM +0200, Gerd Hoffmann wrote:
> When copying the request response into the pio transfer buffer the code
> skips the 'struct mm_header' but does not consider that when calculating
> transfer size, so it will copy 24 (== sizeof(struct mm_header)) extra
> bytes, which can overflow uv->pio_xfer_buffer.
> 
> Fix that by copying the complete buffer, including the header, which
> also makes the pio code path consistent with the (unaffected) dma code
> path.
> 
> Fixes: CVE-2026-5744
> Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c")
> Reported-by: Yuma Kurogome <yumak@ricsec.co.jp>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>  hw/uefi/var-service-core.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


With regards,
Daniel
-- 
|: https://berrange.com       ~~        https://hachyderm.io/@berrange :|
|: https://libvirt.org          ~~          https://entangle-photo.org :|
|: https://pixelfed.art/berrange   ~~    https://fstop138.berrange.com :|


Re: [PATCH for 11.0] hw/uefi: fix heap overflow (CVE-2026-5744)
Posted by Peter Maydell 2 days, 4 hours ago
On Thu, 9 Apr 2026 at 09:51, Daniel P. Berrangé <berrange@redhat.com> wrote:
>
> On Wed, Apr 08, 2026 at 09:34:02AM +0200, Gerd Hoffmann wrote:
> > When copying the request response into the pio transfer buffer the code
> > skips the 'struct mm_header' but does not consider that when calculating
> > transfer size, so it will copy 24 (== sizeof(struct mm_header)) extra
> > bytes, which can overflow uv->pio_xfer_buffer.
> >
> > Fix that by copying the complete buffer, including the header, which
> > also makes the pio code path consistent with the (unaffected) dma code
> > path.
> >
> > Fixes: CVE-2026-5744
> > Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c")
> > Reported-by: Yuma Kurogome <yumak@ricsec.co.jp>
> > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> > ---
> >  hw/uefi/var-service-core.c | 5 ++---
> >  1 file changed, 2 insertions(+), 3 deletions(-)
>
> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Thanks; I'm applying this one directly to git so we can
get it into today's RC.

-- PMM