Two Parallels Desktop Vulnerabilities in RDPMC Hypercall

We discussed this vulnerability during Episode 75 on 04 May 2021

Two vulnerabilities and a good deal of background. The vulns are in the UEFI Request hypercalls. The guest passes a struct with the pieces of the request (op to perform, data pointers, sizes). First vuln is a host-kernel heap overflow: the "name" size is trusted, but the name is copied into a fixed-size buffer.

Second vuln is a TOCTOU. The data size is written to shared memory and then validated before returning. On a Write request (SetVariable) the VMM validates this size; on a Read request validation is delegated to the user side, and if the user side returns status=0 the data size is fetched again (double fetch) and used to copy data to the guest. Race this between one thread doing a large write and QueryVariableInfo, which does a 24-byte read, racing for the Query to do a big return.
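As an added illustration (not Parallels' code, and not taken from the episode), here are the two defect classes the notes describe, each beside a hardened form. The request layout, the buffer sizes, the function names and the 4096 value are all hypothetical; the shared `data_size` field is modelled as `volatile` so the second read is a real re-fetch, and the racing guest thread is stood in for by a delegate callback that rewrites the field while the VMM is waiting on the user side. The double-fetch path returns the length it would hand to memcpy instead of copying, so the race outcome can be observed without corrupting memory.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define NAME_BUF 64     /* fixed host-side name buffer (hypothetical size) */
#define DATA_BUF 256    /* fixed host-side data staging buffer (hypothetical size) */

/* Hypothetical request block handed to the hypercall; the real layout is not on the page. */
struct uefi_req {
    uint32_t op;                  /* 0 = GetVariable, 1 = SetVariable, 2 = QueryVariableInfo */
    uint32_t name_size;           /* guest-chosen */
    const char *name;
    volatile uint32_t data_size;  /* lives in guest-shared memory: another vCPU may rewrite it */
};

/* Vuln 1 pattern: the guest's size is trusted. Overflows when name_size > NAME_BUF. */
static void copy_name_trusting(char out[NAME_BUF], const struct uefi_req *req) {
    memcpy(out, req->name, req->name_size);
}

/* Hardened: reject before copying; the caller gets -1 instead of a corrupted heap. */
static int copy_name_checked(char out[NAME_BUF], const struct uefi_req *req) {
    if (req->name == NULL || req->name_size > NAME_BUF)
        return -1;
    memcpy(out, req->name, req->name_size);
    return (int)req->name_size;
}

/* The user-side handler the VMM delegates Read requests to. */
typedef int (*delegate_fn)(struct uefi_req *req);

/* Vuln 2 pattern: validate, delegate, then re-read the shared field (double fetch).
   Returns the length that would be passed to memcpy, or -1 if rejected. */
static int read_len_double_fetch(struct uefi_req *req, delegate_fn delegate) {
    if (req->data_size > DATA_BUF)       /* first fetch: passes the check */
        return -1;
    if (delegate(req) != 0)              /* user side returns status=0 */
        return -1;
    return (int)req->data_size;          /* second fetch: may now exceed DATA_BUF */
}

/* Hardened: fetch once into a local, validate the local, use only the local. */
static int read_len_single_fetch(struct uefi_req *req, delegate_fn delegate) {
    uint32_t len = req->data_size;       /* the only read of shared memory */
    if (len > DATA_BUF)
        return -1;
    if (delegate(req) != 0)
        return -1;
    return (int)len;
}

/* Stand-in for the racing guest thread: rewrites the shared size while the VMM
   is blocked on the user-side delegate. 4096 is a constructed value. */
static int racing_delegate(struct uefi_req *req) {
    req->data_size = 4096;
    return 0;
}

int main(void) {
    /* Constructed request: a 10-byte name and the 24-byte read the notes mention. */
    struct uefi_req req = { .op = 2, .name_size = 10, .name = "ExampleVar", .data_size = 24 };
    char name[NAME_BUF];

    copy_name_trusting(name, &req);      /* safe only because name_size is small here */
    printf("checked name copy: %d bytes\n", copy_name_checked(name, &req));

    req.data_size = 24;
    printf("double fetch would copy: %d bytes\n", read_len_double_fetch(&req, racing_delegate));
    req.data_size = 24;
    printf("single fetch copies:     %d bytes\n", read_len_single_fetch(&req, racing_delegate));
    return 0;
}
```

The fix for both is the same discipline: every guest-controlled size is read into a local exactly once, compared against the host buffer it will be used with, and only that local is used afterwards.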