{"id":2221137,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2221137/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260408073403.3410541-1-kraxel@redhat.com/","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.1/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260408073403.3410541-1-kraxel@redhat.com>","date":"2026-04-08T07:34:02","name":"[for,11.0] hw/uefi: fix heap overflow (CVE-2026-5744)","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"27e5a56f835ba9fb2983420c8efde60dff49a0fb","submitter":{"id":589,"url":"http://patchwork.ozlabs.org/api/1.1/people/589/?format=json","name":"Gerd Hoffmann","email":"kraxel@redhat.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260408073403.3410541-1-kraxel@redhat.com/mbox/","series":[{"id":499195,"url":"http://patchwork.ozlabs.org/api/1.1/series/499195/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/list/?series=499195","date":"2026-04-08T07:34:02","name":"[for,11.0] hw/uefi: fix heap overflow (CVE-2026-5744)","version":1,"mbox":"http://patchwork.ozlabs.org/series/499195/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2221137/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2221137/checks/","tags":{},"headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=cQUHQCCC;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frXys0fxFz1xv0\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 09 Apr 2026 05:23:01 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wAYSj-0003lJ-Ro; Wed, 08 Apr 2026 15:21:17 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <kraxel@redhat.com>) id 1wAY3n-00064g-5s\n for qemu-devel@nongnu.org; Wed, 08 Apr 2026 14:55:31 -0400","from us-smtp-delivery-124.mimecast.com ([170.10.129.124])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <kraxel@redhat.com>) id 1wANQQ-0001L4-Ne\n for qemu-devel@nongnu.org; Wed, 08 Apr 2026 03:34:13 -0400","from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com\n (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by\n relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n cipher=TLS_AES_256_GCM_SHA384) id us-mta-219-yya9sPyDOU-g_yDcKveqMA-1; Wed,\n 08 Apr 2026 03:34:07 -0400","from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com\n (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS\n id DEAEE18005B9; Wed,  8 Apr 2026 07:34:05 +0000 (UTC)","from sirius.home.kraxel.org (unknown [10.44.49.216])\n by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with\n ESMTPS\n id 65D261800673; Wed,  8 Apr 2026 07:34:05 +0000 (UTC)","by sirius.home.kraxel.org (Postfix, from userid 1000)\n id 1B2BD1800381; Wed, 08 Apr 2026 09:34:03 +0200 (CEST)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1775633648;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:\n content-transfer-encoding:content-transfer-encoding;\n bh=ezy+HD52UjJTkuVdmNzj0BC3WnJxDi0i97P4xBBU1cc=;\n b=cQUHQCCCBzszEIsAfxKxszYsMAmjltZ8pkVI4wklxirXmCOtWPt+lio6vQIfllXCCZEuVH\n Y7i0SJiiRuORoBcibI3sEPOnE51S6nJC+hX3lGhiHyTcQm5jyuQUjuGvI/Z0cMsCD9Ra81\n zqPoWxH9+tIrtJruBWCO1VHFb2C/GA0=","X-MC-Unique":"yya9sPyDOU-g_yDcKveqMA-1","X-Mimecast-MFC-AGG-ID":"yya9sPyDOU-g_yDcKveqMA_1775633646","From":"Gerd Hoffmann <kraxel@redhat.com>","To":"qemu-devel@nongnu.org","Cc":"Gerd Hoffmann <kraxel@redhat.com>,\n\tYuma Kurogome <yumak@ricsec.co.jp>","Subject":"[PATCH for 11.0] hw/uefi: fix heap overflow (CVE-2026-5744)","Date":"Wed,  8 Apr 2026 09:34:02 +0200","Message-ID":"<20260408073403.3410541-1-kraxel@redhat.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-Scanned-By":"MIMEDefang 3.4.1 on 10.30.177.93","Received-SPF":"pass client-ip=170.10.129.124; envelope-from=kraxel@redhat.com;\n helo=us-smtp-delivery-124.mimecast.com","X-Spam_score_int":"-25","X-Spam_score":"-2.6","X-Spam_bar":"--","X-Spam_report":"(-2.6 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.54,\n DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001,\n RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001,\n SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development <qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"When copying the request response into the pio transfer buffer the code\nskips the 'struct mm_header' but does not consider that when calculating\ntransfer size, so it will copy 24 (== sizeof(struct mm_header)) extra\nbytes, which can overflow uv->pio_xfer_buffer.\n\nFix that by copying the complete buffer, including the header, which\nalso makes the pio code path consistent with the (unaffected) dma code\npath.\n\nFixes: CVE-2026-5744\nFixes: 90ca4e03c27d (\"hw/uefi: add var-service-core.c\")\nReported-by: Yuma Kurogome <yumak@ricsec.co.jp>\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>\n---\n hw/uefi/var-service-core.c | 5 ++---\n 1 file changed, 2 insertions(+), 3 deletions(-)","diff":"diff --git a/hw/uefi/var-service-core.c b/hw/uefi/var-service-core.c\nindex ce0628fa5248..68d7594c0dd6 100644\n--- a/hw/uefi/var-service-core.c\n+++ b/hw/uefi/var-service-core.c\n@@ -137,9 +137,8 @@ static uint32_t uefi_vars_cmd_mm(uefi_vars_state *uv, bool dma_mode)\n                          uv->buffer, sizeof(*mhdr) + mhdr->length,\n                          MEMTXATTRS_UNSPECIFIED);\n     } else {\n-        memcpy(uv->pio_xfer_buffer + sizeof(*mhdr),\n-               uv->buffer + sizeof(*mhdr),\n-               sizeof(*mhdr) + mhdr->length);\n+        memcpy(uv->pio_xfer_buffer,\n+               uv->buffer, sizeof(*mhdr) + mhdr->length);\n     }\n \n     return retval;\n","prefixes":["for","11.0"]}