[efi] Clear DMA-coherent buffers before mapping

mcb30 · mcb30 · commit 7b60a487528a · 2022-11-04T20:28:09.000Z
The DMA mapping is performed implicitly as part of the call to
dma_alloc().  The current implementation creates the IOMMU mapping for
the allocated and potentially uninitialised data before returning to
the caller (which will immediately zero out or otherwise initialise
the buffer).  This leaves a small window within which a malicious PCI
device could potentially attempt to retrieve firmware-owned secrets
present in the uninitialised buffer.  (Note that the hypothetically
malicious PCI device has no viable way to know the address of the
buffer from which to attempt a DMA read, rendering the attack
extremely implausible.)

Guard against any such hypothetical attacks by zeroing out the
allocated buffer prior to creating the coherent DMA mapping.

Suggested-by: Mateusz Siwiec &lt;Mateusz.Siwiec@ioactive.com&gt;
Signed-off-by: Michael Brown &lt;mcb30@ipxe.org&gt;
diff --git a/src/interface/efi/efi_pci.c b/src/interface/efi/efi_pci.c
@@ -524,6 +524,9 @@ static void * efipci_dma_alloc ( struct dma_device *dma,
 		goto err_alloc;
 	}
 
+	/* Clear buffer */
+	memset ( addr, 0, ( pages * EFI_PAGE_SIZE ) );
+
 	/* Map buffer */
 	if ( ( rc = efipci_dma_map ( dma, map, virt_to_phys ( addr ),
 				     ( pages * EFI_PAGE_SIZE ),

Original file line number	Diff line number	Diff line change
`@@ -524,6 +524,9 @@ static void * efipci_dma_alloc ( struct dma_device *dma,`
`524`	`524`	`goto err_alloc;`
`525`	`525`	`}`
`526`	`526`
	`527`	`+ /* Clear buffer */`
	`528`	`+ memset ( addr, 0, ( pages * EFI_PAGE_SIZE ) );`
	`529`	`+`
`527`	`530`	`/* Map buffer */`
`528`	`531`	`if ( ( rc = efipci_dma_map ( dma, map, virt_to_phys ( addr ),`
`529`	`532`	`( pages * EFI_PAGE_SIZE ),`