[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen master] EFI: don't leak heap contents through XEN_EFI_get_next_variable_name

commit 4783ee894f6bfb0f4deec9f1fe8e7faceafaa1a2
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Thu Feb 6 09:52:33 2020 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Feb 6 09:52:33 2020 +0100

    EFI: don't leak heap contents through XEN_EFI_get_next_variable_name
    Commit 1f4eb9d27d0e ("EFI: fix getting EFI variable list on some
    systems") switched to using the caller provided size for the copy-out
    without making sure the copied buffer is properly scrubbed.
    Reported-by: Ilja Van Sprundel <ivansprundel@xxxxxxxxxxxx>
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: George Dunlap <george.dunlap@xxxxxxxxxx>
 xen/common/efi/runtime.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xen/common/efi/runtime.c b/xen/common/efi/runtime.c
index 752e604390..95367694b5 100644
--- a/xen/common/efi/runtime.c
+++ b/xen/common/efi/runtime.c
@@ -571,7 +571,7 @@ int efi_runtime_call(struct xenpf_efi_runtime_call *op)
             return -EINVAL;
         size = op->u.get_next_variable_name.size;
-        name.raw = xmalloc_bytes(size);
+        name.raw = xzalloc_bytes(size);
         if ( !name.raw )
             return -ENOMEM;
         if ( copy_from_guest(name.raw, op->u.get_next_variable_name.name,
generated by git-patchbot for /home/xen/git/xen.git#master

Xen-changelog mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.