On Tue, Jul 18, 2023 at 11:49 AM Randy MacLeod <[email protected]> wrote: > > Add Kai, > > On 2023-07-14 18:32, Steve Sakoman via lists.openembedded.org wrote: > > From: Yogita Urade <[email protected]> > > Dmidecode before 3.5 allows -dump-bin to overwrite a local file. > This has security relevance because, for example, execution of > Dmidecode via Sudo is plausible. > > References: > https://nvd.nist.gov/vuln/detail/CVE-2023-30630 > https://lists.nongnu.org/archive/html/dmidecode-devel/2023-04/msg00016.html > https://lists.nongnu.org/archive/html/dmidecode-devel/2023-04/msg00017.html > > Signed-off-by: Yogita Urade <[email protected]> > Signed-off-by: Steve Sakoman <[email protected]> > --- > .../dmidecode/CVE-2023-30630_1.patch | 237 ++++++++++++++++++ > .../dmidecode/CVE-2023-30630_2.patch | 81 ++++++ > .../dmidecode/CVE-2023-30630_3.patch | 69 +++++ > .../dmidecode/CVE-2023-30630_4.patch | 137 ++++++++++ > > > Summary: > > I think this can merge but we should agree on how to handle dmidecode. > > > Details: > > These changes work but it's bringing back 4 patches rather than bumping the > version to 3.5 > and picking up 2 patches. My conclusion is that it's okay but we should > probably talk > about how to maintain dmidecode since it just produces a bunch of programs > for dumping > HW DMI/SMBIOS info and doesn't provide a runtime ABI, we can probably update > to 3.5 > ( or even 3.6 when that's out). > > Do you agree Steve?
You'll always get the same answer from me: no version bumps that implement new features/apis. Bug/security fixes only. If there is a strong case to be made for something outside this policy, it should go to the TSC for consideration. I don't want our stable branches to start resembling the kernel "stable" branches ... So, yes, I think we should merge this patch rather than version bump :-) Steve > The patches back-ported are: > > ❯ rg -i "subject: \[PATCH\]" /tmp/dmidecode-mickledore-cve.eml > 201:+Subject: [PATCH] dmidecode: Write the whole dump file at once > 444:+Subject: [PATCH] dmidecode: Do not let --dump-bin overwrite an existing > file > 531:+Subject: [PATCH] Consistently use read_file() when reading from a dump > file > 606:+Subject: [PATCH] Don't read beyond sysfs entry point buffer > > > Two of these patches would be picked up if we update mickledore to 3.5 - so > let's look at what changed: > > ❯ git log --oneline dmidecode-3-4..dmidecode-3-5 > > 484f893 (tag: dmidecode-3-5) Set the version to 3.5 > 8baf2f5 Fix a build warning when USE_MMAP isn't set > b9ebecc dmioem: HPE type 242: Fix ID on 32-bit systems > 189ca35 Ensure /dev/mem is a character device file > 8427888 dmidecode: Use the right variable for -s > bios-revision/firmware-revision > 6ca381c dmidecode: Do not let --dump-bin overwrite an existing file > <---------- Added. > d8cfbc8 dmidecode: Write the whole dump file at once > <---------- Added. > 39b2dd7 dmidecode: Split table fetching from decoding > 11b168f dmioem: Avoid intermediate buffer (HPE type 216) > 9d2bbd5 dmioem: Decode HPE OEM Record 216 > 3d68350 dmidecode: Drop the CPUID exception list > c1a2520 dmidecode: Add a --no-quirks option > 67dc0b2 dmidecode: Fortify entry point length checks > f801673 dmioem: Typo fix (Virutal -> Virtual) > 90d1323 dmioem: Decode HPE OEM Record 242 > f50b925 dmioem: Update HPE OEM Record 238 > ac24b67 dmioem: Decode HPE OEM Record 230 > c3357b5 dmioem: Fix segmentation fault in dmi_hp_240_attr() > a1a2258 dmioem: Decode HPE OEM Record 224 > fb8766a NEWS: Fix typo > > > My summary of the changes above: > > - support additional HW, > > - fix bugs, typos and build warnings. > > - internal program restructuring: 39b2dd7 dmidecode: Split table fetching > from decoding > > I was a bit concerned about: > > 3d68350 dmidecode: Drop the CPUID exception list > > but it's pretty arcane (1) and only affects HW from 2008 or earlier > > so we should be okay with that change! > > > Steve, > > Do you agree? > > Thanks, > > ../Randy > > > > 1) > > commit 3d6835047f80691678e5db3127f9d573956413f0 > Author: Jean Delvare <[email protected]> > Date: Fri Dec 16 04:37:04 2022 > > dmidecode: Drop the CPUID exception list > > Back in 2003, I had a system where the CPU type was not set. I added > a quirk so that it would still be recognized as x86, and the CPUID > could be decoded. > > A few more exceptions where added over the years, but in effect, the > list was last modified in 2008. > > Having such an exception list isn't actually a good idea, for the > following reasons: > * It requires endless maintenance work if we want to keep it > up-to-date. > * It adds some (admittedly minimal) burden to the sane systems. > * If we were to add more entries to the exception list, it wouldn't > scale well (linear algorithmic complexity). This could be improved > but at the cost of more complex code. > * It sends the wrong message to the hardware manufacturers ("You can > get things wrong, we'll add a workaround on our side.") > > Therefore I would like to get rid of this exception list. Doing so > has the nice side effect of simplifying the code and making the > binary smaller. > > If anyone really needs the CPUID information on such non-compliant > systems, there are other ways to retrieve it, such as lscpu or > /proc/cpuinfo. > > https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=3d6835047f80691678e5db3127f9d573956413f0 > > > > .../dmidecode/dmidecode_3.4.bb | 4 + > 5 files changed, 528 insertions(+) > create mode 100644 > meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1.patch > create mode 100644 > meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch > create mode 100644 > meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch > create mode 100644 > meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch > > diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1.patch > b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1.patch > new file mode 100644 > index 0000000000..53480d6299 > --- /dev/null > +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1.patch > @@ -0,0 +1,237 @@ > +From d8cfbc808f387e87091c25e7d5b8c2bb348bb206 Mon Sep 17 00:00:00 2001 > +From: Jean Delvare <[email protected]> > +Date: Tue, 27 Jun 2023 09:40:23 +0000 > +Subject: [PATCH] dmidecode: Write the whole dump file at once > + > +When option --dump-bin is used, write the whole dump file at once, > +instead of opening and closing the file separately for the table > +and then for the entry point. > + > +As the file writing function is no longer generic, it gets moved > +from util.c to dmidecode.c. > + > +One minor functional change resulting from the new implementation is > +that the entry point is written first now, so the messages printed > +are swapped. > + > +Signed-off-by: Jean Delvare <[email protected]> > +Reviewed-by: Jerry Hoemann <[email protected]> > + > +CVE: CVE-2023-30630 > + > +Reference: > https://github.com/mirror/dmidecode/commit/39b2dd7b6ab719b920e96ed832cfb4bdd664e808 > + > +Upstream-Status: Backport > [https://github.com/mirror/dmidecode/commit/d8cfbc808f387e87091c25e7d5b8c2bb348bb206] > + > +Signed-off-by: Yogita Urade <[email protected]> > +--- > + dmidecode.c | 79 +++++++++++++++++++++++++++++++++++++++-------------- > + util.c | 40 --------------------------- > + util.h | 1 - > + 3 files changed, 58 insertions(+), 62 deletions(-) > + > +diff --git a/dmidecode.c b/dmidecode.c > +index 9aeff91..5477309 100644 > +--- a/dmidecode.c > ++++ b/dmidecode.c > +@@ -5427,11 +5427,56 @@ static void dmi_table_string(const struct dmi_header > *h, const u8 *data, u16 ver > + } > + } > + > +-static void dmi_table_dump(const u8 *buf, u32 len) > ++static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table, > ++ u32 table_len) > + { > ++ FILE *f; > ++ > ++ f = fopen(opt.dumpfile, "wb"); > ++ if (!f) > ++ { > ++ fprintf(stderr, "%s: ", opt.dumpfile); > ++ perror("fopen"); > ++ return -1; > ++ } > ++ > ++ if (!(opt.flags & FLAG_QUIET)) > ++ pr_comment("Writing %d bytes to %s.", ep_len, opt.dumpfile); > ++ if (fwrite(ep, ep_len, 1, f) != 1) > ++ { > ++ fprintf(stderr, "%s: ", opt.dumpfile); > ++ perror("fwrite"); > ++ goto err_close; > ++ } > ++ > ++ if (fseek(f, 32, SEEK_SET) != 0) > ++ { > ++ fprintf(stderr, "%s: ", opt.dumpfile); > ++ perror("fseek"); > ++ goto err_close; > ++ } > ++ > + if (!(opt.flags & FLAG_QUIET)) > +- pr_comment("Writing %d bytes to %s.", len, opt.dumpfile); > +- write_dump(32, len, buf, opt.dumpfile, 0); > ++ pr_comment("Writing %d bytes to %s.", table_len, opt.dumpfile); > ++ if (fwrite(table, table_len, 1, f) != 1) > ++ { > ++ fprintf(stderr, "%s: ", opt.dumpfile); > ++ perror("fwrite"); > ++ goto err_close; > ++ } > ++ > ++ if (fclose(f)) > ++ { > ++ fprintf(stderr, "%s: ", opt.dumpfile); > ++ perror("fclose"); > ++ return -1; > ++ } > ++ > ++ return 0; > ++ > ++err_close: > ++ fclose(f); > ++ return -1; > + } > + > + static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags) > +@@ -5648,11 +5693,6 @@ static void dmi_table(off_t base, u32 len, u16 num, > u32 ver, const char *devmem, > + return; > + } > + > +- if (opt.flags & FLAG_DUMP_BIN) > +- dmi_table_dump(buf, len); > +- else > +- dmi_table_decode(buf, len, num, ver >> 8, flags); > +- > + free(buf); > + } > + > +@@ -5688,8 +5728,9 @@ static void overwrite_smbios3_address(u8 *buf) > + > + static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) > + { > +- u32 ver; > ++ u32 ver, len; > + u64 offset; > ++ u8 *table; > + > + /* Don't let checksum run beyond the buffer */ > + if (buf[0x06] > 0x20) > +@@ -5725,10 +5766,7 @@ static int smbios3_decode(u8 *buf, const char > *devmem, u32 flags) > + memcpy(crafted, buf, 32); > + overwrite_smbios3_address(crafted); > + > +- if (!(opt.flags & FLAG_QUIET)) > +- pr_comment("Writing %d bytes to %s.", crafted[0x06], > +- opt.dumpfile); > +- write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1); > ++ dmi_table_dump(crafted, crafted[0x06], table, len); > + } > + > + return 1; > +@@ -5737,6 +5775,8 @@ static int smbios3_decode(u8 *buf, const char *devmem, > u32 flags) > + static int smbios_decode(u8 *buf, const char *devmem, u32 flags) > + { > + u16 ver; > ++ u32 len; > ++ u8 *table; > + > + /* Don't let checksum run beyond the buffer */ > + if (buf[0x05] > 0x20) > +@@ -5786,10 +5826,7 @@ static int smbios_decode(u8 *buf, const char *devmem, > u32 flags) > + memcpy(crafted, buf, 32); > + overwrite_dmi_address(crafted + 0x10); > + > +- if (!(opt.flags & FLAG_QUIET)) > +- pr_comment("Writing %d bytes to %s.", crafted[0x05], > +- opt.dumpfile); > +- write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1); > ++ dmi_table_dump(crafted, crafted[0x05], table, len); > + } > + > + return 1; > +@@ -5797,6 +5834,9 @@ static int smbios_decode(u8 *buf, const char *devmem, > u32 flags) > + > + static int legacy_decode(u8 *buf, const char *devmem, u32 flags) > + { > ++ u32 len; > ++ u8 *table; > ++ > + if (!checksum(buf, 0x0F)) > + return 0; > + > +@@ -5815,10 +5855,7 @@ static int legacy_decode(u8 *buf, const char *devmem, > u32 flags) > + memcpy(crafted, buf, 16); > + overwrite_dmi_address(crafted); > + > +- if (!(opt.flags & FLAG_QUIET)) > +- pr_comment("Writing %d bytes to %s.", 0x0F, > +- opt.dumpfile); > +- write_dump(0, 0x0F, crafted, opt.dumpfile, 1); > ++ dmi_table_dump(crafted, 0x0F, table, len); > + } > + > + return 1; > +diff --git a/util.c b/util.c > +index 04aaadd..1547096 100644 > +--- a/util.c > ++++ b/util.c > +@@ -259,46 +259,6 @@ out: > + return p; > + } > + > +-int write_dump(size_t base, size_t len, const void *data, const char > *dumpfile, int add) > +-{ > +- FILE *f; > +- > +- f = fopen(dumpfile, add ? "r+b" : "wb"); > +- if (!f) > +- { > +- fprintf(stderr, "%s: ", dumpfile); > +- perror("fopen"); > +- return -1; > +- } > +- > +- if (fseek(f, base, SEEK_SET) != 0) > +- { > +- fprintf(stderr, "%s: ", dumpfile); > +- perror("fseek"); > +- goto err_close; > +- } > +- > +- if (fwrite(data, len, 1, f) != 1) > +- { > +- fprintf(stderr, "%s: ", dumpfile); > +- perror("fwrite"); > +- goto err_close; > +- } > +- > +- if (fclose(f)) > +- { > +- fprintf(stderr, "%s: ", dumpfile); > +- perror("fclose"); > +- return -1; > +- } > +- > +- return 0; > +- > +-err_close: > +- fclose(f); > +- return -1; > +-} > +- > + /* Returns end - start + 1, assuming start < end */ > + u64 u64_range(u64 start, u64 end) > + { > +diff --git a/util.h b/util.h > +index 3094cf8..ef24eb9 100644 > +--- a/util.h > ++++ b/util.h > +@@ -27,5 +27,4 @@ > + int checksum(const u8 *buf, size_t len); > + void *read_file(off_t base, size_t *len, const char *filename); > + void *mem_chunk(off_t base, size_t len, const char *devmem); > +-int write_dump(size_t base, size_t len, const void *data, const char > *dumpfile, int add); > + u64 u64_range(u64 start, u64 end); > +-- > +2.35.5 > diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch > b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch > new file mode 100644 > index 0000000000..dcc87d2326 > --- /dev/null > +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch > @@ -0,0 +1,81 @@ > +From 6ca381c1247c81f74e1ca4e7706f70bdda72e6f2 Mon Sep 17 00:00:00 2001 > +From: Jean Delvare <[email protected]> > +Date: Tue, 27 Jun 2023 10:03:53 +0000 > +Subject: [PATCH] dmidecode: Do not let --dump-bin overwrite an existing file > + > +Make sure that the file passed to option --dump-bin does not already > +exist. In practice, it is rather unlikely that an honest user would > +want to overwrite an existing dump file, while this possibility > +could be used by a rogue user to corrupt a system file. > + > +Signed-off-by: Jean Delvare <[email protected]> > +Reviewed-by: Jerry Hoemann <[email protected]> > + > +CVE: CVE-2023-30630 > + > +Upstream-Status: Backport > +[https://github.com/mirror/dmidecode/commit/6ca381c1247c81f74e1ca4e7706f70bdda72e6f2] > + > +Signed-off-by: Yogita Urade <[email protected]> > +--- > + dmidecode.c | 14 ++++++++++++-- > + man/dmidecode.8 | 3 ++- > + 2 files changed, 14 insertions(+), 3 deletions(-) > + > +diff --git a/dmidecode.c b/dmidecode.c > +index 5477309..98f9692 100644 > +--- a/dmidecode.c > ++++ b/dmidecode.c > +@@ -60,6 +60,7 @@ > + * https://www.dmtf.org/sites/default/files/DSP0270_1.0.1.pdf > + */ > + > ++#include <fcntl.h> > + #include <stdio.h> > + #include <string.h> > + #include <strings.h> > +@@ -5430,13 +5431,22 @@ static void dmi_table_string(const struct dmi_header > *h, const u8 *data, u16 ver > + static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table, > + u32 table_len) > + { > ++ int fd; > + FILE *f; > + > +- f = fopen(opt.dumpfile, "wb"); > ++ fd = open(opt.dumpfile, O_WRONLY|O_CREAT|O_EXCL, 0666); > ++ if (fd == -1) > ++ { > ++ fprintf(stderr, "%s: ", opt.dumpfile); > ++ perror("open"); > ++ return -1; > ++ } > ++ > ++ f = fdopen(fd, "wb"); > + if (!f) > + { > + fprintf(stderr, "%s: ", opt.dumpfile); > +- perror("fopen"); > ++ perror("fdopen"); > + return -1; > + } > + > +diff --git a/man/dmidecode.8 b/man/dmidecode.8 > +index ed066b3..3a732c0 100644 > +--- a/man/dmidecode.8 > ++++ b/man/dmidecode.8 > +@@ -1,4 +1,4 @@ > +-.TH DMIDECODE 8 "January 2019" "dmidecode" > ++.TH DMIDECODE 8 "February 2023" "dmidecode" > + .\" > + .SH NAME > + dmidecode \- \s-1DMI\s0 table decoder > +@@ -159,6 +159,7 @@ hexadecimal and \s-1ASCII\s0. This option is mainly > useful for debugging. > + Do not decode the entries, instead dump the DMI data to a file in binary > + form. The generated file is suitable to pass to \fB--from-dump\fP > + later. > ++\fIFILE\fP must not exist. > + .TP > + .BR " " " " "--from-dump \fIFILE\fP" > + Read the DMI data from a binary file previously generated using > +-- > +2.35.5 > diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch > b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch > new file mode 100644 > index 0000000000..01d0d1f867 > --- /dev/null > +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch > @@ -0,0 +1,69 @@ > +From c76ddda0ba0aa99a55945e3290095c2ec493c892 Mon Sep 17 00:00:00 2001 > +From: Jean Delvare <[email protected]> > +Date: Tue, 27 Jun 2023 10:25:50 +0000 > +Subject: [PATCH] Consistently use read_file() when reading from a dump file > + > +Use read_file() instead of mem_chunk() to read the entry point from a > +dump file. This is faster, and consistent with how we then read the > +actual DMI table from that dump file. > + > +This made no functional difference so far, which is why it went > +unnoticed for years. But now that a file type check was added to the > +mem_chunk() function, we must stop using it to read from regular > +files. > + > +This will again allow root to use the --from-dump option. > + > +Signed-off-by: Jean Delvare <[email protected]> > +Tested-by: Jerry Hoemann <[email protected]> > + > +CVE: CVE-2023-30630 > + > +Upstream-Status: Backport > [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=c76ddda0ba0aa99a55945e3290095c2ec493c892] > + > +Signed-off-by: Yogita Urade <[email protected]> > +--- > + dmidecode.c | 11 +++++++++-- > + 1 file changed, 9 insertions(+), 2 deletions(-) > + > +diff --git a/dmidecode.c b/dmidecode.c > +index 98f9692..b4dbc9d 100644 > +--- a/dmidecode.c > ++++ b/dmidecode.c > +@@ -5997,17 +5997,25 @@ int main(int argc, char * const argv[]) > + pr_comment("dmidecode %s", VERSION); > + > + /* Read from dump if so instructed */ > ++ size = 0x20; > + if (opt.flags & FLAG_FROM_DUMP) > + { > + if (!(opt.flags & FLAG_QUIET)) > + pr_info("Reading SMBIOS/DMI data from file %s.", > + opt.dumpfile); > +- if ((buf = mem_chunk(0, 0x20, opt.dumpfile)) == NULL) > ++ if ((buf = read_file(0, &size, opt.dumpfile)) == NULL) > + { > + ret = 1; > + goto exit_free; > + } > + > ++ /* Truncated entry point can't be processed */ > ++ if (size < 0x20) > ++ { > ++ ret = 1; > ++ goto done; > ++ } > ++ > + if (memcmp(buf, "_SM3_", 5) == 0) > + { > + if (smbios3_decode(buf, opt.dumpfile, 0)) > +@@ -6031,7 +6039,6 @@ int main(int argc, char * const argv[]) > + * contain one of several types of entry points, so read enough for > + * the largest one, then determine what type it contains. > + */ > +- size = 0x20; > + if (!(opt.flags & FLAG_NO_SYSFS) > + && (buf = read_file(0, &size, SYS_ENTRY_FILE)) != NULL) > + { > +-- > +2.40.0 > diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch > b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch > new file mode 100644 > index 0000000000..5fa72b4f9b > --- /dev/null > +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch > @@ -0,0 +1,137 @@ > +From 2b83c4b898f8325313162f588765411e8e3e5561 Mon Sep 17 00:00:00 2001 > +From: Jean Delvare <[email protected]> > +Date: Tue, 27 Jun 2023 10:58:11 +0000 > +Subject: [PATCH] Don't read beyond sysfs entry point buffer > + > +Functions smbios_decode() and smbios3_decode() include a check > +against buffer overrun. This check assumes that the buffer length is > +always 32 bytes. This is true when reading from /dev/mem or from a > +dump file, however when reading from sysfs, the buffer length is the > +size of the actual sysfs attribute file, typically 31 bytes for an > +SMBIOS 2.x entry point and 24 bytes for an SMBIOS 3.x entry point. > + > +In the unlikely event of a malformed entry point, with encoded length > +larger than expected but smaller than or equal to 32, we would hit a > +buffer overrun. So properly pass the actual buffer length as an > +argument and perform the check against it. > + > +In practice, this will never happen, because on the Linux kernel > +side, the size of the sysfs attribute file is decided from the entry > +point length field. So it is technically impossible for them not to > +match. But user-space code should not make such assumptions. > + > +Signed-off-by: Jean Delvare <[email protected]> > + > +CVE: CVE-2023-30630 > + > +Upstream-Status: Backport > +[https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=2b83c4b898f8325313162f588765411e8e3e5561] > + > +Signed-off-by: Yogita Urade <[email protected]> > +--- > + dmidecode.c | 24 ++++++++++++------------ > + 1 file changed, 12 insertions(+), 12 deletions(-) > + > +diff --git a/dmidecode.c b/dmidecode.c > +index b4dbc9d..870d94e 100644 > +--- a/dmidecode.c > ++++ b/dmidecode.c > +@@ -5736,14 +5736,14 @@ static void overwrite_smbios3_address(u8 *buf) > + buf[0x17] = 0; > + } > + > +-static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) > ++static int smbios3_decode(u8 *buf, size_t buf_len, const char *devmem, u32 > flags) > + { > + u32 ver, len; > + u64 offset; > + u8 *table; > + > + /* Don't let checksum run beyond the buffer */ > +- if (buf[0x06] > 0x20) > ++ if (buf[0x06] > buf_len) > + { > + fprintf(stderr, > + "Entry point length too large (%u bytes, expected %u).\n", > +@@ -5782,14 +5782,14 @@ static int smbios3_decode(u8 *buf, const char > *devmem, u32 flags) > + return 1; > + } > + > +-static int smbios_decode(u8 *buf, const char *devmem, u32 flags) > ++static int smbios_decode(u8 *buf, size_t buf_len, const char *devmem, u32 > flags) > + { > + u16 ver; > + u32 len; > + u8 *table; > + > + /* Don't let checksum run beyond the buffer */ > +- if (buf[0x05] > 0x20) > ++ if (buf[0x05] > buf_len) > + { > + fprintf(stderr, > + "Entry point length too large (%u bytes, expected %u).\n", > +@@ -6018,12 +6018,12 @@ int main(int argc, char * const argv[]) > + > + if (memcmp(buf, "_SM3_", 5) == 0) > + { > +- if (smbios3_decode(buf, opt.dumpfile, 0)) > ++ if (smbios3_decode(buf, size, opt.dumpfile, 0)) > + found++; > + } > + else if (memcmp(buf, "_SM_", 4) == 0) > + { > +- if (smbios_decode(buf, opt.dumpfile, 0)) > ++ if (smbios_decode(buf, size, opt.dumpfile, 0)) > + found++; > + } > + else if (memcmp(buf, "_DMI_", 5) == 0) > +@@ -6046,12 +6046,12 @@ int main(int argc, char * const argv[]) > + pr_info("Getting SMBIOS data from sysfs."); > + if (size >= 24 && memcmp(buf, "_SM3_", 5) == 0) > + { > +- if (smbios3_decode(buf, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) > ++ if (smbios3_decode(buf, size, SYS_TABLE_FILE, > FLAG_NO_FILE_OFFSET)) > + found++; > + } > + else if (size >= 31 && memcmp(buf, "_SM_", 4) == 0) > + { > +- if (smbios_decode(buf, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) > ++ if (smbios_decode(buf, size, SYS_TABLE_FILE, > FLAG_NO_FILE_OFFSET)) > + found++; > + } > + else if (size >= 15 && memcmp(buf, "_DMI_", 5) == 0) > +@@ -6088,12 +6088,12 @@ int main(int argc, char * const argv[]) > + > + if (memcmp(buf, "_SM3_", 5) == 0) > + { > +- if (smbios3_decode(buf, opt.devmem, 0)) > ++ if (smbios3_decode(buf, 0x20, opt.devmem, 0)) > + found++; > + } > + else if (memcmp(buf, "_SM_", 4) == 0) > + { > +- if (smbios_decode(buf, opt.devmem, 0)) > ++ if (smbios_decode(buf, 0x20, opt.devmem, 0)) > + found++; > + } > + goto done; > +@@ -6114,7 +6114,7 @@ memory_scan: > + { > + if (memcmp(buf + fp, "_SM3_", 5) == 0) > + { > +- if (smbios3_decode(buf + fp, opt.devmem, 0)) > ++ if (smbios3_decode(buf + fp, 0x20, opt.devmem, 0)) > + { > + found++; > + goto done; > +@@ -6127,7 +6127,7 @@ memory_scan: > + { > + if (memcmp(buf + fp, "_SM_", 4) == 0 && fp <= 0xFFE0) > + { > +- if (smbios_decode(buf + fp, opt.devmem, 0)) > ++ if (smbios_decode(buf + fp, 0x20, opt.devmem, 0)) > + { > + found++; > + goto done; > +-- > +2.35.5 > diff --git a/meta/recipes-devtools/dmidecode/dmidecode_3.4.bb > b/meta/recipes-devtools/dmidecode/dmidecode_3.4.bb > index bc741046dd..4d5255df64 100644 > --- a/meta/recipes-devtools/dmidecode/dmidecode_3.4.bb > +++ b/meta/recipes-devtools/dmidecode/dmidecode_3.4.bb > @@ -6,6 +6,10 @@ LIC_FILES_CHKSUM = > "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263" > > SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/dmidecode/${BP}.tar.xz \ > file://0001-Committing-changes-from-do_unpack_extra.patch \ > + file://CVE-2023-30630_1.patch \ > + file://CVE-2023-30630_2.patch \ > + file://CVE-2023-30630_3.patch \ > + file://CVE-2023-30630_4.patch \ > " > > COMPATIBLE_HOST = "(i.86|x86_64|aarch64|arm|powerpc|powerpc64).*-linux" > > > > > > -- > # Randy MacLeod > # Wind River Linux
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#184562): https://lists.openembedded.org/g/openembedded-core/message/184562 Mute This Topic: https://lists.openembedded.org/mt/100151225/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
