mirror of
https://git.yoctoproject.org/poky
synced 2026-03-10 01:09:40 +01:00
4c0213759a
Dmidecode before 3.5 allows -dump-bin to overwrite a local file. This has security relevance because, for example, execution of Dmidecode via Sudo is plausible. References: https://nvd.nist.gov/vuln/detail/CVE-2023-30630 https://lists.nongnu.org/archive/html/dmidecode-devel/2023-04/msg00016.html https://lists.nongnu.org/archive/html/dmidecode-devel/2023-04/msg00017.html (From OE-Core rev: f92e59a0894145a828dc9ac74bf8c7a9355e0587) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
138 lines
4.4 KiB
Diff
138 lines
4.4 KiB
Diff
From 2b83c4b898f8325313162f588765411e8e3e5561 Mon Sep 17 00:00:00 2001
|
|
From: Jean Delvare <jdelvare@suse.de>
|
|
Date: Tue, 27 Jun 2023 10:58:11 +0000
|
|
Subject: [PATCH] Don't read beyond sysfs entry point buffer
|
|
|
|
Functions smbios_decode() and smbios3_decode() include a check
|
|
against buffer overrun. This check assumes that the buffer length is
|
|
always 32 bytes. This is true when reading from /dev/mem or from a
|
|
dump file, however when reading from sysfs, the buffer length is the
|
|
size of the actual sysfs attribute file, typically 31 bytes for an
|
|
SMBIOS 2.x entry point and 24 bytes for an SMBIOS 3.x entry point.
|
|
|
|
In the unlikely event of a malformed entry point, with encoded length
|
|
larger than expected but smaller than or equal to 32, we would hit a
|
|
buffer overrun. So properly pass the actual buffer length as an
|
|
argument and perform the check against it.
|
|
|
|
In practice, this will never happen, because on the Linux kernel
|
|
side, the size of the sysfs attribute file is decided from the entry
|
|
point length field. So it is technically impossible for them not to
|
|
match. But user-space code should not make such assumptions.
|
|
|
|
Signed-off-by: Jean Delvare <jdelvare@suse.de>
|
|
|
|
CVE: CVE-2023-30630
|
|
|
|
Upstream-Status: Backport
|
|
[https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=2b83c4b898f8325313162f588765411e8e3e5561]
|
|
|
|
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
|
|
---
|
|
dmidecode.c | 24 ++++++++++++------------
|
|
1 file changed, 12 insertions(+), 12 deletions(-)
|
|
|
|
diff --git a/dmidecode.c b/dmidecode.c
|
|
index b4dbc9d..870d94e 100644
|
|
--- a/dmidecode.c
|
|
+++ b/dmidecode.c
|
|
@@ -5736,14 +5736,14 @@ static void overwrite_smbios3_address(u8 *buf)
|
|
buf[0x17] = 0;
|
|
}
|
|
|
|
-static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
|
|
+static int smbios3_decode(u8 *buf, size_t buf_len, const char *devmem, u32 flags)
|
|
{
|
|
u32 ver, len;
|
|
u64 offset;
|
|
u8 *table;
|
|
|
|
/* Don't let checksum run beyond the buffer */
|
|
- if (buf[0x06] > 0x20)
|
|
+ if (buf[0x06] > buf_len)
|
|
{
|
|
fprintf(stderr,
|
|
"Entry point length too large (%u bytes, expected %u).\n",
|
|
@@ -5782,14 +5782,14 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
|
|
return 1;
|
|
}
|
|
|
|
-static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
|
|
+static int smbios_decode(u8 *buf, size_t buf_len, const char *devmem, u32 flags)
|
|
{
|
|
u16 ver;
|
|
u32 len;
|
|
u8 *table;
|
|
|
|
/* Don't let checksum run beyond the buffer */
|
|
- if (buf[0x05] > 0x20)
|
|
+ if (buf[0x05] > buf_len)
|
|
{
|
|
fprintf(stderr,
|
|
"Entry point length too large (%u bytes, expected %u).\n",
|
|
@@ -6018,12 +6018,12 @@ int main(int argc, char * const argv[])
|
|
|
|
if (memcmp(buf, "_SM3_", 5) == 0)
|
|
{
|
|
- if (smbios3_decode(buf, opt.dumpfile, 0))
|
|
+ if (smbios3_decode(buf, size, opt.dumpfile, 0))
|
|
found++;
|
|
}
|
|
else if (memcmp(buf, "_SM_", 4) == 0)
|
|
{
|
|
- if (smbios_decode(buf, opt.dumpfile, 0))
|
|
+ if (smbios_decode(buf, size, opt.dumpfile, 0))
|
|
found++;
|
|
}
|
|
else if (memcmp(buf, "_DMI_", 5) == 0)
|
|
@@ -6046,12 +6046,12 @@ int main(int argc, char * const argv[])
|
|
pr_info("Getting SMBIOS data from sysfs.");
|
|
if (size >= 24 && memcmp(buf, "_SM3_", 5) == 0)
|
|
{
|
|
- if (smbios3_decode(buf, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET))
|
|
+ if (smbios3_decode(buf, size, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET))
|
|
found++;
|
|
}
|
|
else if (size >= 31 && memcmp(buf, "_SM_", 4) == 0)
|
|
{
|
|
- if (smbios_decode(buf, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET))
|
|
+ if (smbios_decode(buf, size, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET))
|
|
found++;
|
|
}
|
|
else if (size >= 15 && memcmp(buf, "_DMI_", 5) == 0)
|
|
@@ -6088,12 +6088,12 @@ int main(int argc, char * const argv[])
|
|
|
|
if (memcmp(buf, "_SM3_", 5) == 0)
|
|
{
|
|
- if (smbios3_decode(buf, opt.devmem, 0))
|
|
+ if (smbios3_decode(buf, 0x20, opt.devmem, 0))
|
|
found++;
|
|
}
|
|
else if (memcmp(buf, "_SM_", 4) == 0)
|
|
{
|
|
- if (smbios_decode(buf, opt.devmem, 0))
|
|
+ if (smbios_decode(buf, 0x20, opt.devmem, 0))
|
|
found++;
|
|
}
|
|
goto done;
|
|
@@ -6114,7 +6114,7 @@ memory_scan:
|
|
{
|
|
if (memcmp(buf + fp, "_SM3_", 5) == 0)
|
|
{
|
|
- if (smbios3_decode(buf + fp, opt.devmem, 0))
|
|
+ if (smbios3_decode(buf + fp, 0x20, opt.devmem, 0))
|
|
{
|
|
found++;
|
|
goto done;
|
|
@@ -6127,7 +6127,7 @@ memory_scan:
|
|
{
|
|
if (memcmp(buf + fp, "_SM_", 4) == 0 && fp <= 0xFFE0)
|
|
{
|
|
- if (smbios_decode(buf + fp, opt.devmem, 0))
|
|
+ if (smbios_decode(buf + fp, 0x20, opt.devmem, 0))
|
|
{
|
|
found++;
|
|
goto done;
|
|
--
|
|
2.35.5
|