Branch: refs/heads/staging
Home: https://github.com/qemu/qemu
Commit: f757d9d90d19b914d4023663bfc4da73bbbf007e
https://github.com/qemu/qemu/commit/f757d9d90d19b914d4023663bfc4da73bbbf007e
Author: Mauro Matteo Cascella <[email protected]>
Date: 2025-08-12 (Tue, 12 Aug 2025)
Changed paths:
M hw/uefi/var-service-core.c
Log Message:
-----------
hw/uefi: clear uefi-vars buffer in uefi_vars_write callback
When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write
callback `uefi_vars_write` is invoked. The function allocates a
heap buffer without zeroing the memory, leaving the buffer filled with
residual data from prior allocations. When the guest later reads from
register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback
`uefi_vars_read` returns leftover metadata or other sensitive process
memory from the previously allocated buffer, leading to an information
disclosure vulnerability.
Fixes: CVE-2025-8860
Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c")
Reported-by: ZDI <[email protected]>
Suggested-by: Gerd Hoffmann <[email protected]>
Signed-off-by: Mauro Matteo Cascella <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Gerd Hoffmann <[email protected]>
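The write-then-read sequence from the CVE-2025-8860 commit message above, as an added C model that is not QEMU's code. The single-slot toy allocator, the `dev` struct and every function name are assumptions made for illustration; only the two register names come from the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy allocator standing in for the host heap: a single slot that is handed
 * out again after free with its old contents intact, as malloc may do. */
static uint8_t pool[64];
static void *toy_alloc(size_t n) { return n <= sizeof(pool) ? pool : NULL; }
static void toy_free(void *p) { (void)p; }

/* Hypothetical device state; names are illustrative, not QEMU's. */
struct dev { uint8_t *buf; size_t size, pos; };

/* Model of a guest write to UEFI_VARS_REG_BUFFER_SIZE.
 * zero = 0: allocate only (the behaviour the commit message describes).
 * zero = 1: clear the buffer before the guest can read it. */
static int buffer_size_write(struct dev *d, size_t n, int zero)
{
    toy_free(d->buf);
    d->buf = toy_alloc(n);
    d->size = d->buf ? n : 0;
    d->pos = 0;
    if (d->buf && zero)
        memset(d->buf, 0, n);
    return d->buf ? 0 : -1;
}

/* Model of a guest read from UEFI_VARS_REG_PIO_BUFFER_TRANSFER. */
static uint8_t pio_read(struct dev *d)
{
    return d->pos < d->size ? d->buf[d->pos++] : 0;
}

/* Host data lands in the slot and is freed; the guest then sizes the buffer
 * and reads it back. Returns how many stale bytes the guest recovered. */
static size_t leaked_bytes(int zero)
{
    static const char secret[] = "host-secret-0123"; /* constructed sample */
    struct dev d = {0};
    size_t hits = 0;
    void *p = toy_alloc(sizeof(secret));
    memcpy(p, secret, sizeof(secret));
    toy_free(p);
    if (buffer_size_write(&d, sizeof(secret), zero) != 0)
        return 0;
    for (size_t i = 0; i + 1 < sizeof(secret); i++)
        hits += pio_read(&d) == (uint8_t)secret[i];
    return hits;
}
```

With `zero = 0` the guest-visible reads return all 16 bytes of the freed host data; with `zero = 1` they return none.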
Commit: 88e5a28d5aabb57f44c1805fbba0a458023f5106
https://github.com/qemu/qemu/commit/88e5a28d5aabb57f44c1805fbba0a458023f5106
Author: Gerd Hoffmann <[email protected]>
Date: 2025-08-12 (Tue, 12 Aug 2025)
Changed paths:
M hw/uefi/var-service-vars.c
Log Message:
-----------
hw/uefi: return success for notifications
Set status to SUCCESS for ready-to-boot and exit-boot-services
notification calls.
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Gerd Hoffmann <[email protected]>
Message-ID: <[email protected]>
Commit: fc8ee8fe58ad410f27fca64e4ad212c5a3eabe00
https://github.com/qemu/qemu/commit/fc8ee8fe58ad410f27fca64e4ad212c5a3eabe00
Author: Gerd Hoffmann <[email protected]>
Date: 2025-08-12 (Tue, 12 Aug 2025)
Changed paths:
M hw/uefi/var-service-vars.c
Log Message:
-----------
hw/uefi: check access for first variable
When listing variables (via get-next-variable-name) only the names of
variables which can be accessed will be returned. That check was
missing for the first variable though. Add it.
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Gerd Hoffmann <[email protected]>
Message-ID: <[email protected]>
Commit: 040237436f423253f3397547aa78d449394dfbca
https://github.com/qemu/qemu/commit/040237436f423253f3397547aa78d449394dfbca
Author: Gerd Hoffmann <[email protected]>
Date: 2025-08-12 (Tue, 12 Aug 2025)
Changed paths:
M hw/uefi/var-service-json.c
Log Message:
-----------
hw/uefi: open json file in binary mode
Fixes file length discrepancies due to line ending conversions
on Windows hosts.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3058
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Gerd Hoffmann <[email protected]>
Message-ID: <[email protected]>
Commit: 5836af0783213b9355a6bbf85d9e6bc4c9c9363f
https://github.com/qemu/qemu/commit/5836af0783213b9355a6bbf85d9e6bc4c9c9363f
Author: Stefan Hajnoczi <[email protected]>
Date: 2025-08-13 (Wed, 13 Aug 2025)
Changed paths:
M hw/uefi/var-service-core.c
M hw/uefi/var-service-json.c
M hw/uefi/var-service-vars.c
Log Message:
-----------
Merge tag 'uefi-20250812-pull-request' of https://gitlab.com/kraxel/qemu into
staging
hw/uefi: last-minute bug fixes for the uefi variable store [for 10.1]
# gpg: Signature made Tue 12 Aug 2025 06:00:54 EDT
# gpg: using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <[email protected]>" [full]
# gpg: aka "Gerd Hoffmann <[email protected]>" [full]
# gpg: aka "Gerd Hoffmann (private) <[email protected]>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138
* tag 'uefi-20250812-pull-request' of https://gitlab.com/kraxel/qemu:
hw/uefi: open json file in binary mode
hw/uefi: check access for first variable
hw/uefi: return success for notifications
hw/uefi: clear uefi-vars buffer in uefi_vars_write callback
Signed-off-by: Stefan Hajnoczi <[email protected]>
Compare: https://github.com/qemu/qemu/compare/de784dc0a012...5836af078321