On 9/8/20 5:21 PM, Daniel P. Berrangé wrote:
> SeaBIOS implements the SMBIOS 2.1 entry point which is limited to a
> maximum length of 0xffff. If the SMBIOS data received from QEMU is large
> enough, then adding the type 0 table will cause integer overflow. This
> results in fun behaviour such as a KVM crash, or hangs in SeaBIOS.
>
> Signed-off-by: Daniel P. Berrangé <berra...@redhat.com>
> ---
> src/fw/biostables.c | 14 ++++++++++----
> 1 file changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/src/fw/biostables.c b/src/fw/biostables.c
> index 0c07833..794b5be 100644
> --- a/src/fw/biostables.c
> +++ b/src/fw/biostables.c
> @@ -462,10 +462,16 @@ smbios_romfile_setup(void)
> /* common case: add our own type 0, with 3 strings and 4 '\0's */
> u16 t0_len = sizeof(struct smbios_type_0) + strlen(BIOS_NAME) +
> strlen(VERSION) + strlen(BIOS_DATE) + 4;
> - ep.structure_table_length += t0_len;
> - if (t0_len > ep.max_structure_size)
> - ep.max_structure_size = t0_len;
> - ep.number_of_structures++;
> + if (t0_len > (0xffff - ep.structure_table_length)) {
> + dprintf(1, "Insufficient space (%d bytes) to add SMBIOS type 0
> table (%d bytes)\n",
> + 0xffff - ep.structure_table_length, t0_len);
> + need_t0 = 0;
> + } else {
> + ep.structure_table_length += t0_len;
> + if (t0_len > ep.max_structure_size)
> + ep.max_structure_size = t0_len;
> + ep.number_of_structures++;
> + }
> }
>
> /* allocate final blob and record its address in the entry point */
>
Reviewed-by: Philippe Mathieu-Daudé <phi...@redhat.com>
_______________________________________________
SeaBIOS mailing list -- seabios@seabios.org
To unsubscribe send an email to seabios-le...@seabios.org
