[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.4] EFI: fix getting EFI variable list on some systems

commit 21a97a7de7f0b2f633169235444c0ebcbb6cbf9b
Author:     Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
AuthorDate: Thu Mar 26 08:38:35 2015 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Mar 26 08:38:35 2015 +0100

    EFI: fix getting EFI variable list on some systems
    
    Copy the entire output buffer to the guest because some firmwares update
    size on successful calls (contrary to the spec) and the buffer may
    contain data beyond the output size that the firmware requires on a
    subsequent GetNextVariableName() call (e.g. a NULL character).
    
    Note that this shouldn't change the amount of data copied because on 
success, a
    compliant firmware does not change size and so the entire buffer is copied
    anyway.  If size is changed, Xen does not copy the buffer.
    
    Without this change, the following (simplified) sequence would occur:
    GetNextVariableName: in \0, size 1024 || out AdminPw\0, size 7
    GetNextVariableName: in AdminPw\0, size 1024 || out UserPw\0, size 6
    GetNextVariableName: in UserPww\0, size 1024 || NOT FOUND
    
    This was seen on an Intel S1200RP_SE with firmware
    S1200RP.86B.02.02.0005.102320140911, version 4.6, date 2014-10-23.
    
    Signed-off-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
    Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    master commit: 1f4eb9d27d0ebd62a0b6cdff8213726f5ae8f25c
    master date: 2015-03-10 13:52:01 +0100
---
 xen/arch/x86/efi/runtime.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/xen/arch/x86/efi/runtime.c b/xen/arch/x86/efi/runtime.c
index ff6a49c..7fd7431 100644
--- a/xen/arch/x86/efi/runtime.c
+++ b/xen/arch/x86/efi/runtime.c
@@ -508,9 +508,13 @@ int efi_runtime_call(struct xenpf_efi_runtime_call *op)
                 cast_guid(&op->u.get_next_variable_name.vendor_guid));
             efi_rs_leave(cr3);
 
+            /*
+             * Copy the variable name if necessary. The caller provided size
+             * is used because some firmwares update size when they shouldn't.
+             * */
             if ( !EFI_ERROR(status) &&
-                 copy_to_guest(op->u.get_next_variable_name.name,
-                               name.raw, size) )
+                 __copy_to_guest(op->u.get_next_variable_name.name,
+                                 name.raw, op->u.get_next_variable_name.size) )
                 rc = -EFAULT;
             op->u.get_next_variable_name.size = size;
         }
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.4

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.