[{"id":3675185,"web_url":"http://patchwork.ozlabs.org/comment/3675185/","msgid":"<addoU4vf41wQg2x6@redhat.com>","list_archive_url":null,"date":"2026-04-09T08:50:27","subject":"Re: [PATCH for 11.0] hw/uefi: fix heap overflow (CVE-2026-5744)","submitter":{"id":2694,"url":"http://patchwork.ozlabs.org/api/people/2694/","name":"Daniel P. Berrangé","email":"berrange@redhat.com"},
"content":"On Wed, Apr 08, 2026 at 09:34:02AM +0200, Gerd Hoffmann wrote:\n> When copying the request response into the pio transfer buffer the code\n> skips the 'struct mm_header' but does not consider that when calculating\n> transfer size, so it will copy 24 (== sizeof(struct mm_header)) extra\n> bytes, which can overflow uv->pio_xfer_buffer.\n> \n> Fix that by copying the complete buffer, including the header, which\n> also makes the pio code path consistent with the (unaffected) dma code\n> path.\n> \n> Fixes: CVE-2026-5744\n> Fixes: 90ca4e03c27d (\"hw/uefi: add var-service-core.c\")\n> Reported-by: Yuma Kurogome <yumak@ricsec.co.jp>\n> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>\n> ---\n>  hw/uefi/var-service-core.c | 5 ++---\n>  1 file changed, 2 insertions(+), 3 deletions(-)\n\nReviewed-by: Daniel P. Berrangé <berrange@redhat.com>\n\n\nWith regards,\nDaniel",
"headers":{"Date":"Thu, 9 Apr 2026 09:50:27 +0100","From":"Daniel =?utf-8?b?UC4gQmVycmFuZ8Op?= <berrange@redhat.com>","To":"Gerd Hoffmann <kraxel@redhat.com>","Cc":"qemu-devel@nongnu.org, Yuma Kurogome <yumak@ricsec.co.jp>","Subject":"Re: [PATCH for 11.0] hw/uefi: fix heap overflow (CVE-2026-5744)","Message-ID":"<addoU4vf41wQg2x6@redhat.com>","References":"<20260408073403.3410541-1-kraxel@redhat.com>","In-Reply-To":"<20260408073403.3410541-1-kraxel@redhat.com>","List-Id":"qemu development <qemu-devel.nongnu.org>"}},
{"id":3675293,"web_url":"http://patchwork.ozlabs.org/comment/3675293/","msgid":"<CAFEAcA8njz5C7e4W84HCEGydvnt5BoihgcSHextMqZELj7B5=g@mail.gmail.com>","list_archive_url":null,"date":"2026-04-09T12:38:13","subject":"Re: [PATCH for 11.0] hw/uefi: fix heap overflow (CVE-2026-5744)","submitter":{"id":5111,"url":"http://patchwork.ozlabs.org/api/people/5111/","name":"Peter Maydell","email":"peter.maydell@linaro.org"},
"content":"On Thu, 9 Apr 2026 at 09:51, Daniel P. Berrangé <berrange@redhat.com> wrote:\n>\n> On Wed, Apr 08, 2026 at 09:34:02AM +0200, Gerd Hoffmann wrote:\n> > When copying the request response into the pio transfer buffer the code\n> > skips the 'struct mm_header' but does not consider that when calculating\n> > transfer size, so it will copy 24 (== sizeof(struct mm_header)) extra\n> > bytes, which can overflow uv->pio_xfer_buffer.\n> >\n> > Fix that by copying the complete buffer, including the header, which\n> > also makes the pio code path consistent with the (unaffected) dma code\n> > path.\n> >\n> > Fixes: CVE-2026-5744\n> > Fixes: 90ca4e03c27d (\"hw/uefi: add var-service-core.c\")\n> > Reported-by: Yuma Kurogome <yumak@ricsec.co.jp>\n> > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>\n> > ---\n> >  hw/uefi/var-service-core.c | 5 ++---\n> >  1 file changed, 2 insertions(+), 3 deletions(-)\n>\n> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>\n\nThanks; I'm applying this one directly to git so we can\nget it into today's RC.\n\n-- PMM",
"headers":{"Date":"Thu, 9 Apr 2026 13:38:13 +0100","From":"Peter Maydell <peter.maydell@linaro.org>","To":"=?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= <berrange@redhat.com>","Cc":"Gerd Hoffmann <kraxel@redhat.com>, qemu-devel@nongnu.org,\n Yuma Kurogome <yumak@ricsec.co.jp>","Subject":"Re: [PATCH for 11.0] hw/uefi: fix heap overflow (CVE-2026-5744)","Message-ID":"\n <CAFEAcA8njz5C7e4W84HCEGydvnt5BoihgcSHextMqZELj7B5=g@mail.gmail.com>","References":"<20260408073403.3410541-1-kraxel@redhat.com>\n <addoU4vf41wQg2x6@redhat.com>","In-Reply-To":"<addoU4vf41wQg2x6@redhat.com>","List-Id":"qemu development <qemu-devel.nongnu.org>"}}]