EFI: fix getting EFI variable list on some systems

Copy the entire output buffer to the guest because some firmwares update
size on successful calls (contrary to the spec) and the buffer may
contain data beyond the output size that the firmware requires on a
subsequent GetNextVariableName() call (e.g. a NULL character).

Note that this shouldn't change the amount of data copied because on success, a
compliant firmware does not change size and so the entire buffer is copied
anyway.  If size is changed, Xen does not copy the buffer.

Without this change, the following (simplified) sequence would occur:
GetNextVariableName: in \0, size 1024 || out AdminPw\0, size 7
GetNextVariableName: in AdminPw\0, size 1024 || out UserPw\0, size 6
GetNextVariableName: in UserPww\0, size 1024 || NOT FOUND

This was seen on an Intel S1200RP_SE with firmware
S1200RP.86B.02.02.0005.102320140911, version 4.6, date 2014-10-23.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

diff --git a/xen/common/efi/runtime.c b/xen/common/efi/runtime.c
index 7ed5bfabd4de1387fbda46906a94a20bf76e6595..5ed8b01025c7f495d36aec9e6bc966271af87b50 100644 (file)
--- a/xen/common/efi/runtime.c
+++ b/xen/common/efi/runtime.c
@@ -516,9 +516,13 @@ int efi_runtime_call(struct xenpf_efi_runtime_call *op)
                 cast_guid(&op->u.get_next_variable_name.vendor_guid));
             efi_rs_leave(cr3);
 
+            /*
+             * Copy the variable name if necessary. The caller provided size
+             * is used because some firmwares update size when they shouldn't.
+             * */
             if ( !EFI_ERROR(status) &&
-                 copy_to_guest(op->u.get_next_variable_name.name,
-                               name.raw, size) )
+                 __copy_to_guest(op->u.get_next_variable_name.name,
+                                 name.raw, op->u.get_next_variable_name.size) )
                 rc = -EFAULT;
             op->u.get_next_variable_name.size = size;
         }