Commit 1f4eb9d27d0e ("EFI: fix getting EFI variable list on some systems") switched to using the caller provided size for the copy-out without making sure the copied buffer is properly scrubbed.
Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> Signed-off-by: Jan Beulich <jbeul...@suse.com> Reviewed-by: George Dunlap <george.dun...@citrix.com> --- a/xen/common/efi/runtime.c +++ b/xen/common/efi/runtime.c @@ -571,7 +571,7 @@ int efi_runtime_call(struct xenpf_efi_ru return -EINVAL; size = op->u.get_next_variable_name.size; - name.raw = xmalloc_bytes(size); + name.raw = xzalloc_bytes(size); if ( !name.raw ) return -ENOMEM; if ( copy_from_guest(name.raw, op->u.get_next_variable_name.name, _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel