From: Gerd Hoffmann <[email protected]>
When copying the request response into the pio transfer buffer the code
skips the 'struct mm_header' but does not consider that when calculating
transfer size, so it will copy 24 (== sizeof(struct mm_header)) extra
bytes, which can overflow uv->pio_xfer_buffer.
Fix that by copying the complete buffer, including the header, which
also makes the pio code path consistent with the (unaffected) dma code
path.
Fixes: CVE-2026-5744
Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c")
Reported-by: Yuma Kurogome <[email protected]>
Signed-off-by: Gerd Hoffmann <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit af74c9e46bb55e2da042315a0c65666f59c61686)
Signed-off-by: Michael Tokarev <[email protected]>
diff --git a/hw/uefi/var-service-core.c b/hw/uefi/var-service-core.c
index 92fc121fe7..0a05ec4c9c 100644
--- a/hw/uefi/var-service-core.c
+++ b/hw/uefi/var-service-core.c
@@ -133,9 +133,8 @@ static uint32_t uefi_vars_cmd_mm(uefi_vars_state *uv, bool
dma_mode)
uv->buffer, sizeof(*mhdr) + mhdr->length,
MEMTXATTRS_UNSPECIFIED);
} else {
- memcpy(uv->pio_xfer_buffer + sizeof(*mhdr),
- uv->buffer + sizeof(*mhdr),
- sizeof(*mhdr) + mhdr->length);
+ memcpy(uv->pio_xfer_buffer,
+ uv->buffer, sizeof(*mhdr) + mhdr->length);
}
return retval;
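Review bot: the replacement memcpy copies sizeof(*mhdr) + mhdr->length bytes into uv->pio_xfer_buffer, and nothing in this hunk shows where mhdr->length is bounded against the size of that buffer; the change removes the 24-byte over-copy from the old `+ sizeof(*mhdr)` destination offset, but for an unchecked mhdr->length the pio path would still depend on a check that sits outside the visible context. Worth confirming that check exists earlier in uefi_vars_cmd_mm, or guarding the copy explicitly (assuming pio_xfer_buffer is a fixed-size array, e.g. `g_assert(sizeof(*mhdr) + mhdr->length <= sizeof(uv->pio_xfer_buffer));`), so the pio branch is bounded the same way the dma branch above it is expected to be.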
--
2.47.3