Commit af74c9e46b for qemu.org

commit af74c9e46bb55e2da042315a0c65666f59c61686
Author: Gerd Hoffmann <kraxel@redhat.com>
Date:   Wed Apr 8 09:34:02 2026 +0200

    hw/uefi: fix heap overflow (CVE-2026-5744)

    When copying the request response into the pio transfer buffer the code
    skips the 'struct mm_header' but does not consider that when calculating
    transfer size, so it will copy 24 (== sizeof(struct mm_header)) extra
    bytes, which can overflow uv->pio_xfer_buffer.

    Fix that by copying the complete buffer, including the header, which
    also makes the pio code path consistent with the (unaffected) dma code
    path.

    Fixes: CVE-2026-5744
    Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c")
    Reported-by: Yuma Kurogome <yumak@ricsec.co.jp>
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
    Message-id: 20260408073403.3410541-1-kraxel@redhat.com
    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

diff --git a/hw/uefi/var-service-core.c b/hw/uefi/var-service-core.c
index ce0628fa52..68d7594c0d 100644
--- a/hw/uefi/var-service-core.c
+++ b/hw/uefi/var-service-core.c
@@ -137,9 +137,8 @@ static uint32_t uefi_vars_cmd_mm(uefi_vars_state *uv, bool dma_mode)
                          uv->buffer, sizeof(*mhdr) + mhdr->length,
                          MEMTXATTRS_UNSPECIFIED);
     } else {
-        memcpy(uv->pio_xfer_buffer + sizeof(*mhdr),
-               uv->buffer + sizeof(*mhdr),
-               sizeof(*mhdr) + mhdr->length);
+        memcpy(uv->pio_xfer_buffer,
+               uv->buffer, sizeof(*mhdr) + mhdr->length);
     }

     return retval;
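Review bot: the replacement memcpy in this hunk still sizes the copy from the guest-controlled `mhdr->length` with no bound against `sizeof(uv->pio_xfer_buffer)` visible in the changed lines, so the change removes the fixed 24-byte overrun described in the commit message but, on its own, does not show that `sizeof(*mhdr) + mhdr->length` is capped before reaching `memcpy(uv->pio_xfer_buffer, uv->buffer, sizeof(*mhdr) + mhdr->length);`. Please confirm in the commit message (or add an assertion at this point) that the length has already been validated against the pio buffer size earlier in `uefi_vars_cmd_mm()`, the same way the dma branch above depends on it. Dropping the `+ sizeof(*mhdr)` from both source and destination is the right shape for the fix and matches the `uv->buffer, sizeof(*mhdr) + mhdr->length` expression used by the dma path, so the two code paths now transfer the same bytes.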