Without that it is possible to trigger OOB reads by first
advancing the offset, then making the buffer smaller, and finally
asking for a checksum.

Fixes: CVE-2026-41436
Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c")
Reported-by: Katherine Leaver <[email protected]>
Signed-off-by: Gerd Hoffmann <[email protected]>
Message-ID: <[email protected]>
---
 hw/uefi/var-service-core.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/uefi/var-service-core.c b/hw/uefi/var-service-core.c
index 68d7594c0dd6..828d76007318 100644
--- a/hw/uefi/var-service-core.c
+++ b/hw/uefi/var-service-core.c
@@ -235,6 +235,10 @@ static uint64_t uefi_vars_read(void *opaque, hwaddr addr, 
unsigned size)
         uv->pio_xfer_offset += size;
         break;
     case UEFI_VARS_REG_PIO_BUFFER_CRC32C:
+        if (uv->pio_xfer_offset > uv->buf_size) {
+            retval = 0;
+            break;
+        }
         retval = crc32c(0xffffffff, uv->pio_xfer_buffer, uv->pio_xfer_offset);
         break;
     case UEFI_VARS_REG_FLAGS:
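Review bot: The new guard in the UEFI_VARS_REG_PIO_BUFFER_CRC32C case returns 0 silently when pio_xfer_offset exceeds buf_size, which a guest cannot tell apart from a genuine zero checksum and which leaves no record of the offset/size mismatch this fix exists to catch. Consider a short comment on the guard plus a guest-error log (if qemu/log.h is available in this file), e.g. `/* offset advanced past a since-shrunk buffer: refuse to checksum bytes beyond it */` followed by `qemu_log_mask(LOG_GUEST_ERROR, "%s: pio_xfer_offset > buf_size\n", __func__);` before `retval = 0;`, so a misbehaving guest shows up in logs rather than vanishing into a zero. The check is placed only on the checksum path; the `uv->pio_xfer_offset += size;` context line at the top of the hunk suggests the offset can advance without reference to buf_size, so it is worth confirming that the buffer read and write cases bound their own accesses — those cases lie outside this hunk. uefi_vars_read starts before and ends after the hunk.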
-- 
2.54.0

