Don't let the entry point checksum verification run beyond the end of
the buffer holding it (32 bytes).

This bug was discovered by Lionel Debroux using the AFL fuzzer and
AddressSanitizer.
---
It is hard to believe that something as obvious as this went unnoticed
so far... Thank you very much Lionel, this should fix the first 2 OOB
read cases you sent to me.

For the record, the Linux kernel is not affected by this bug, as the
length check has been there since the beginning.

 dmidecode.c |   18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

--- dmidecode.orig/dmidecode.c  2018-07-20 14:56:12.124984235 +0200
+++ dmidecode/dmidecode.c       2018-07-20 15:26:23.943770274 +0200
@@ -4928,6 +4928,15 @@ static int smbios3_decode(u8 *buf, const
        u32 ver;
        u64 offset;
 
+       /* Don't let checksum run beyond the buffer */
+       if (buf[0x06] > 0x20)
+       {
+               fprintf(stderr,
+                       "Entry point length too large (%u bytes, expected 
%u).\n",
+                       (unsigned int)buf[0x06], 0x18U);
+               return 0;
+       }
+
        if (!checksum(buf, buf[0x06]))
                return 0;
 
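Review bot: the bound enforced by the new check (0x20, matching the 32-byte buffer named in the commit message) does not match the value printed in the diagnostic (0x18U), so an entry point declaring a length of 25 to 32 bytes passes silently while a 33-byte one is reported as "expected 24". Either reject anything other than 0x18 here, or reword the message to state the limit actually enforced, e.g. `"Entry point length too large (%u bytes, maximum %u).\n"` with `0x20U` as the argument. Also, as displayed here the format string is broken across two lines by mail wrapping; make sure the applied patch keeps it on one line so it compiles.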
@@ -4966,6 +4975,15 @@ static int smbios_decode(u8 *buf, const
 {
        u16 ver;
 
+       /* Don't let checksum run beyond the buffer */
+       if (buf[0x05] > 0x20)
+       {
+               fprintf(stderr,
+                       "Entry point length too large (%u bytes, expected 
%u).\n",
+                       (unsigned int)buf[0x05], 0x1FU);
+               return 0;
+       }
+
        if (!checksum(buf, buf[0x05])
         || memcmp(buf + 0x10, "_DMI_", 5) != 0
         || !checksum(buf + 0x10, 0x0F))
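Review bot: same mismatch as in smbios3_decode: the guard rejects lengths above 0x20 while the message reports 0x1FU as the expected size, so a declared length of exactly 0x20 is accepted without comment although it exceeds the "expected" value printed for larger ones. Use a single constant in both the comparison and the message. The placement itself is right: with buf[0x05] capped at 0x20, `checksum(buf, buf[0x05])` stays inside the 32-byte buffer, and the intermediate checksum over `buf + 0x10` for 0x0F bytes (last byte at offset 0x1E) was already within it, so no further check is needed for that call.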


-- 
Jean Delvare
SUSE L3 Support

_______________________________________________
https://lists.nongnu.org/mailman/listinfo/dmidecode-devel