While option --dev-mem can be convenient for testing purposes, it could be abused by attackers to force dmidecode to read a malicious file. Add a safety check on the type of the mem device file we are asked to read from. If we are root and this isn't a character device file, then something is fishy and we better stop.
For non-root users, reading from a regular file is OK and accepted.
Signed-off-by: Jean Delvare <jdelv...@suse.de>
---
 dmidecode.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
--- dmidecode.orig/dmidecode.c
+++ dmidecode/dmidecode.c
@@ -67,6 +67,7 @@
 #include <unistd.h>
 #include <arpa/inet.h>
 #include <sys/socket.h>
+#include <sys/stat.h>
 #ifdef __FreeBSD__
 #include <errno.h>
@@ -5943,6 +5944,24 @@ int main(int argc, char * const argv[])
 if (!(opt.flags & FLAG_QUIET))
 pr_comment("dmidecode %s", VERSION);
+ /*
+ * Safety check: if running as root, devmem is expected to be a
+ * character device file.
+ */
+ if (geteuid() == 0)
+ {
+ struct stat statbuf;
+
+ if (stat(opt.devmem, &statbuf) != 0
+ || !S_ISCHR(statbuf.st_mode))
+ {
+ pr_info("%s is not a character device file\n",
+ opt.devmem);
+ ret = 1;
+ goto exit_free;
+ }
+ }
+
 /* Read from dump if so instructed */
 if (opt.flags & FLAG_FROM_DUMP)
 {
--
Jean Delvare SUSE L3 Support
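Review bot: The new check in main() calls `stat()` on the path `opt.devmem`, but the file is not opened in this hunk, so the type that is verified and the file that is later read are linked only by name; if the path can be swapped between the check and the open (the open site is outside the hunk, so this is inferred), the test no longer guarantees what root ends up reading. Checking the opened descriptor closes that gap: at the place where the file is opened, `if (fstat(fd, &statbuf) != 0 || !S_ISCHR(statbuf.st_mode))`, with `fd` standing for whatever descriptor that code holds. The block also sits before the `FLAG_FROM_DUMP` branch, so a root run that only reads a dump appears to be refused when `opt.devmem` does not exist, and a failed `stat()` is reported as "is not a character device file" instead of with its errno. main() starts and ends outside the hunk.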