summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSean Nyekjaer <sean@geanix.com>2023-10-16 14:21:58 +0200
committerSteve Sakoman <steve@sakoman.com>2023-10-25 04:51:00 -1000
commitd4bc6a9374cedfe6e1e1ed0aa14985548d524819 (patch)
tree69782127fd3e16dd80931d45e81112bde9b453bf
parent9954a4df00884fcd76e60bb0a809670625c92454 (diff)
downloadpoky-d4bc6a9374cedfe6e1e1ed0aa14985548d524819.tar.gz
dmidecode: fixup for CVE-2023-30630
The previous CVE-2023-30630_1.patch picked only the patch "dmidecode: Write the whole dump file at once" d8cfbc808f. But there was a refactoring which does not allow to cherry-pick it fast forward. Resolving this conflict was not correctly done. The patch was: + u32 len; + u8 *table; ... - if (!(opt.flags & FLAG_QUIET)) - pr_comment("Writing %d bytes to %s.", crafted[0x05], - opt.dumpfile); - write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1); + dmi_table_dump(crafted, crafted[0x05], table, len); It looks like the variables len and table have been added without initialization. Now this problem is solved by applying the previous refactoring as well. Patch 1 gets replaced by Patch 1a and Patch 1b. Patch 2..4 are rebased without changes. This is basically the same patch as in kirkstone: ea069a94a2 dmidecode: fixup for CVE-2023-30630 (From OE-Core rev: 0bc69dc078c39381a39789d3c5fff673d7da994c) Signed-off-by: Sean Nyekjaer <sean@geanix.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat
-rw-r--r--meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1a.patch236
-rw-r--r--meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1b.patch197
-rw-r--r--meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch8
-rw-r--r--meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch55
-rw-r--r--meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch143
-rw-r--r--meta/recipes-devtools/dmidecode/dmidecode_3.4.bb3
6 files changed, 539 insertions, 103 deletions
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1a.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1a.patch
new file mode 100644
index 0000000000..bf93fbc13c
--- /dev/null
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1a.patch
@@ -0,0 +1,236 @@
1From ee6db10dd70b8fdc7a93cffd7cf5bc7a28f9d3d7 Mon Sep 17 00:00:00 2001
2From: Jean Delvare <jdelvare@suse.de>
3Date: Mon, 20 Feb 2023 14:53:21 +0100
4Subject: [PATCH 1/5] dmidecode: Split table fetching from decoding
5
6Clean up function dmi_table so that it does only one thing:
7* dmi_table() is renamed to dmi_table_get(). It now retrieves the
8 DMI table, but does not process it any longer.
9* Decoding or dumping the table is now done in smbios3_decode(),
10 smbios_decode() and legacy_decode().
11No functional change.
12
13A side effect of this change is that writing the header and body of
14dump files is now done in a single location. This is required to
15further consolidate the writing of dump files.
16
17Signed-off-by: Jean Delvare <jdelvare@suse.de>
18Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
19
20CVE: CVE-2023-30630
21
22Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=39b2dd7b6ab719b920e96ed832cfb4bdd664e808]
23
24Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
25---
26 dmidecode.c | 86 ++++++++++++++++++++++++++++++++++++++---------------
27 1 file changed, 62 insertions(+), 24 deletions(-)
28
29diff --git a/dmidecode.c b/dmidecode.c
30index cd2b5c9..b082c03 100644
31--- a/dmidecode.c
32+++ b/dmidecode.c
33@@ -5247,8 +5247,9 @@ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
34 }
35 }
36
37-static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
38- u32 flags)
39+/* Allocates a buffer for the table, must be freed by the caller */
40+static u8 *dmi_table_get(off_t base, u32 *len, u16 num, u32 ver,
41+ const char *devmem, u32 flags)
42 {
43 u8 *buf;
44
45@@ -5267,7 +5268,7 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
46 {
47 if (num)
48 pr_info("%u structures occupying %u bytes.",
49- num, len);
50+ num, *len);
51 if (!(opt.flags & FLAG_FROM_DUMP))
52 pr_info("Table at 0x%08llX.",
53 (unsigned long long)base);
54@@ -5285,19 +5286,19 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
55 * would be the result of the kernel truncating the table on
56 * parse error.
57 */
58- size_t size = len;
59+ size_t size = *len;
60 buf = read_file(flags & FLAG_NO_FILE_OFFSET ? 0 : base,
61 &size, devmem);
62- if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)len)
63+ if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)*len)
64 {
65 fprintf(stderr, "Wrong DMI structures length: %u bytes "
66 "announced, only %lu bytes available.\n",
67- len, (unsigned long)size);
68+ *len, (unsigned long)size);
69 }
70- len = size;
71+ *len = size;
72 }
73 else
74- buf = mem_chunk(base, len, devmem);
75+ buf = mem_chunk(base, *len, devmem);
76
77 if (buf == NULL)
78 {
79@@ -5307,15 +5308,9 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
80 fprintf(stderr,
81 "Try compiling dmidecode with -DUSE_MMAP.\n");
82 #endif
83- return;
84 }
85
86- if (opt.flags & FLAG_DUMP_BIN)
87- dmi_table_dump(buf, len);
88- else
89- dmi_table_decode(buf, len, num, ver >> 8, flags);
90-
91- free(buf);
92+ return buf;
93 }
94
95
96@@ -5350,8 +5345,9 @@ static void overwrite_smbios3_address(u8 *buf)
97
98 static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
99 {
100- u32 ver;
101+ u32 ver, len;
102 u64 offset;
103+ u8 *table;
104
105 /* Don't let checksum run beyond the buffer */
106 if (buf[0x06] > 0x20)
107@@ -5377,8 +5373,12 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
108 return 0;
109 }
110
111- dmi_table(((off_t)offset.h << 32) | offset.l,
112- DWORD(buf + 0x0C), 0, ver, devmem, flags | FLAG_STOP_AT_EOT);
113+ /* Maximum length, may get trimmed */
114+ len = DWORD(buf + 0x0C);
115+ table = dmi_table_get(((off_t)offset.h << 32) | offset.l, &len, 0, ver,
116+ devmem, flags | FLAG_STOP_AT_EOT);
117+ if (table == NULL)
118+ return 1;
119
120 if (opt.flags & FLAG_DUMP_BIN)
121 {
122@@ -5387,18 +5387,28 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
123 memcpy(crafted, buf, 32);
124 overwrite_smbios3_address(crafted);
125
126+ dmi_table_dump(table, len);
127 if (!(opt.flags & FLAG_QUIET))
128 pr_comment("Writing %d bytes to %s.", crafted[0x06],
129 opt.dumpfile);
130 write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1);
131 }
132+ else
133+ {
134+ dmi_table_decode(table, len, 0, ver >> 8,
135+ flags | FLAG_STOP_AT_EOT);
136+ }
137+
138+ free(table);
139
140 return 1;
141 }
142
143 static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
144 {
145- u16 ver;
146+ u16 ver, num;
147+ u32 len;
148+ u8 *table;
149
150 /* Don't let checksum run beyond the buffer */
151 if (buf[0x05] > 0x20)
152@@ -5438,8 +5448,13 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
153 pr_info("SMBIOS %u.%u present.",
154 ver >> 8, ver & 0xFF);
155
156- dmi_table(DWORD(buf + 0x18), WORD(buf + 0x16), WORD(buf + 0x1C),
157- ver << 8, devmem, flags);
158+ /* Maximum length, may get trimmed */
159+ len = WORD(buf + 0x16);
160+ num = WORD(buf + 0x1C);
161+ table = dmi_table_get(DWORD(buf + 0x18), &len, num, ver << 8,
162+ devmem, flags);
163+ if (table == NULL)
164+ return 1;
165
166 if (opt.flags & FLAG_DUMP_BIN)
167 {
168@@ -5448,27 +5463,43 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
169 memcpy(crafted, buf, 32);
170 overwrite_dmi_address(crafted + 0x10);
171
172+ dmi_table_dump(table, len);
173 if (!(opt.flags & FLAG_QUIET))
174 pr_comment("Writing %d bytes to %s.", crafted[0x05],
175 opt.dumpfile);
176 write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
177 }
178+ else
179+ {
180+ dmi_table_decode(table, len, num, ver, flags);
181+ }
182+
183+ free(table);
184
185 return 1;
186 }
187
188 static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
189 {
190+ u16 ver, num;
191+ u32 len;
192+ u8 *table;
193+
194 if (!checksum(buf, 0x0F))
195 return 0;
196
197+ ver = ((buf[0x0E] & 0xF0) << 4) + (buf[0x0E] & 0x0F);
198 if (!(opt.flags & FLAG_QUIET))
199 pr_info("Legacy DMI %u.%u present.",
200 buf[0x0E] >> 4, buf[0x0E] & 0x0F);
201
202- dmi_table(DWORD(buf + 0x08), WORD(buf + 0x06), WORD(buf + 0x0C),
203- ((buf[0x0E] & 0xF0) << 12) + ((buf[0x0E] & 0x0F) << 8),
204- devmem, flags);
205+ /* Maximum length, may get trimmed */
206+ len = WORD(buf + 0x06);
207+ num = WORD(buf + 0x0C);
208+ table = dmi_table_get(DWORD(buf + 0x08), &len, num, ver << 8,
209+ devmem, flags);
210+ if (table == NULL)
211+ return 1;
212
213 if (opt.flags & FLAG_DUMP_BIN)
214 {
215@@ -5477,11 +5508,18 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
216 memcpy(crafted, buf, 16);
217 overwrite_dmi_address(crafted);
218
219+ dmi_table_dump(table, len);
220 if (!(opt.flags & FLAG_QUIET))
221 pr_comment("Writing %d bytes to %s.", 0x0F,
222 opt.dumpfile);
223 write_dump(0, 0x0F, crafted, opt.dumpfile, 1);
224 }
225+ else
226+ {
227+ dmi_table_decode(table, len, num, ver, flags);
228+ }
229+
230+ free(table);
231
232 return 1;
233 }
234--
2352.41.0
236
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1b.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1b.patch
new file mode 100644
index 0000000000..e03bda05e4
--- /dev/null
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1b.patch
@@ -0,0 +1,197 @@
1From d362549bce92ac22860cda8cad4532c1a3fe6928 Mon Sep 17 00:00:00 2001
2From: Jean Delvare <jdelvare@suse.de>
3Date: Mon, 20 Feb 2023 14:53:25 +0100
4Subject: [PATCH 2/5] dmidecode: Write the whole dump file at once
5
6When option --dump-bin is used, write the whole dump file at once,
7instead of opening and closing the file separately for the table
8and then for the entry point.
9
10As the file writing function is no longer generic, it gets moved
11from util.c to dmidecode.c.
12
13One minor functional change resulting from the new implementation is
14that the entry point is written first now, so the messages printed
15are swapped.
16
17Signed-off-by: Jean Delvare <jdelvare@suse.de>
18Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
19
20CVE: CVE-2023-30630
21
22Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=d8cfbc808f387e87091c25e7d5b8c2bb348bb206]
23
24Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
25---
26 dmidecode.c | 69 +++++++++++++++++++++++++++++++++++++++--------------
27 util.c | 40 -------------------------------
28 util.h | 1 -
29 3 files changed, 51 insertions(+), 59 deletions(-)
30
31diff --git a/dmidecode.c b/dmidecode.c
32index b082c03..a80a140 100644
33--- a/dmidecode.c
34+++ b/dmidecode.c
35@@ -5130,11 +5130,56 @@ static void dmi_table_string(const struct dmi_header *h, const u8 *data, u16 ver
36 }
37 }
38
39-static void dmi_table_dump(const u8 *buf, u32 len)
40+static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table,
41+ u32 table_len)
42 {
43+ FILE *f;
44+
45+ f = fopen(opt.dumpfile, "wb");
46+ if (!f)
47+ {
48+ fprintf(stderr, "%s: ", opt.dumpfile);
49+ perror("fopen");
50+ return -1;
51+ }
52+
53+ if (!(opt.flags & FLAG_QUIET))
54+ pr_comment("Writing %d bytes to %s.", ep_len, opt.dumpfile);
55+ if (fwrite(ep, ep_len, 1, f) != 1)
56+ {
57+ fprintf(stderr, "%s: ", opt.dumpfile);
58+ perror("fwrite");
59+ goto err_close;
60+ }
61+
62+ if (fseek(f, 32, SEEK_SET) != 0)
63+ {
64+ fprintf(stderr, "%s: ", opt.dumpfile);
65+ perror("fseek");
66+ goto err_close;
67+ }
68+
69 if (!(opt.flags & FLAG_QUIET))
70- pr_comment("Writing %d bytes to %s.", len, opt.dumpfile);
71- write_dump(32, len, buf, opt.dumpfile, 0);
72+ pr_comment("Writing %d bytes to %s.", table_len, opt.dumpfile);
73+ if (fwrite(table, table_len, 1, f) != 1)
74+ {
75+ fprintf(stderr, "%s: ", opt.dumpfile);
76+ perror("fwrite");
77+ goto err_close;
78+ }
79+
80+ if (fclose(f))
81+ {
82+ fprintf(stderr, "%s: ", opt.dumpfile);
83+ perror("fclose");
84+ return -1;
85+ }
86+
87+ return 0;
88+
89+err_close:
90+ fclose(f);
91+ return -1;
92 }
93
94 static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
95@@ -5387,11 +5432,7 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
96 memcpy(crafted, buf, 32);
97 overwrite_smbios3_address(crafted);
98
99- dmi_table_dump(table, len);
100- if (!(opt.flags & FLAG_QUIET))
101- pr_comment("Writing %d bytes to %s.", crafted[0x06],
102- opt.dumpfile);
103- write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1);
104+ dmi_table_dump(crafted, crafted[0x06], table, len);
105 }
106 else
107 {
108@@ -5463,11 +5504,7 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
109 memcpy(crafted, buf, 32);
110 overwrite_dmi_address(crafted + 0x10);
111
112- dmi_table_dump(table, len);
113- if (!(opt.flags & FLAG_QUIET))
114- pr_comment("Writing %d bytes to %s.", crafted[0x05],
115- opt.dumpfile);
116- write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
117+ dmi_table_dump(crafted, crafted[0x05], table, len);
118 }
119 else
120 {
121@@ -5508,11 +5545,7 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
122 memcpy(crafted, buf, 16);
123 overwrite_dmi_address(crafted);
124
125- dmi_table_dump(table, len);
126- if (!(opt.flags & FLAG_QUIET))
127- pr_comment("Writing %d bytes to %s.", 0x0F,
128- opt.dumpfile);
129- write_dump(0, 0x0F, crafted, opt.dumpfile, 1);
130+ dmi_table_dump(crafted, 0x0F, table, len);
131 }
132 else
133 {
134diff --git a/util.c b/util.c
135index 04aaadd..1547096 100644
136--- a/util.c
137+++ b/util.c
138@@ -259,46 +259,6 @@ out:
139 return p;
140 }
141
142-int write_dump(size_t base, size_t len, const void *data, const char *dumpfile, int add)
143-{
144- FILE *f;
145-
146- f = fopen(dumpfile, add ? "r+b" : "wb");
147- if (!f)
148- {
149- fprintf(stderr, "%s: ", dumpfile);
150- perror("fopen");
151- return -1;
152- }
153-
154- if (fseek(f, base, SEEK_SET) != 0)
155- {
156- fprintf(stderr, "%s: ", dumpfile);
157- perror("fseek");
158- goto err_close;
159- }
160-
161- if (fwrite(data, len, 1, f) != 1)
162- {
163- fprintf(stderr, "%s: ", dumpfile);
164- perror("fwrite");
165- goto err_close;
166- }
167-
168- if (fclose(f))
169- {
170- fprintf(stderr, "%s: ", dumpfile);
171- perror("fclose");
172- return -1;
173- }
174-
175- return 0;
176-
177-err_close:
178- fclose(f);
179- return -1;
180-}
181-
182 /* Returns end - start + 1, assuming start < end */
183 u64 u64_range(u64 start, u64 end)
184 {
185diff --git a/util.h b/util.h
186index 3094cf8..ef24eb9 100644
187--- a/util.h
188+++ b/util.h
189@@ -27,5 +27,4 @@
190 int checksum(const u8 *buf, size_t len);
191 void *read_file(off_t base, size_t *len, const char *filename);
192 void *mem_chunk(off_t base, size_t len, const char *devmem);
193-int write_dump(size_t base, size_t len, const void *data, const char *dumpfile, int add);
194 u64 u64_range(u64 start, u64 end);
195--
1962.41.0
197
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch
index dcc87d2326..971c8c0126 100644
--- a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch
@@ -29,18 +29,18 @@ index 5477309..98f9692 100644
29@@ -60,6 +60,7 @@ 29@@ -60,6 +60,7 @@
30 * https://www.dmtf.org/sites/default/files/DSP0270_1.0.1.pdf 30 * https://www.dmtf.org/sites/default/files/DSP0270_1.0.1.pdf
31 */ 31 */
32 32
33+#include <fcntl.h> 33+#include <fcntl.h>
34 #include <stdio.h> 34 #include <stdio.h>
35 #include <string.h> 35 #include <string.h>
36 #include <strings.h> 36 #include <strings.h>
37@@ -5430,13 +5431,22 @@ static void dmi_table_string(const struct dmi_header *h, const u8 *data, u16 ver 37@@ -5430,13 +5431,22 @@ static void dmi_table_string(const struct dmi_header *h, const u8 *data, u16 ver
38 static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table, 38 static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table,
39 u32 table_len) 39 u32 table_len)
40 { 40 {
41+ int fd; 41+ int fd;
42 FILE *f; 42 FILE *f;
43 43
44- f = fopen(opt.dumpfile, "wb"); 44- f = fopen(opt.dumpfile, "wb");
45+ fd = open(opt.dumpfile, O_WRONLY|O_CREAT|O_EXCL, 0666); 45+ fd = open(opt.dumpfile, O_WRONLY|O_CREAT|O_EXCL, 0666);
46+ if (fd == -1) 46+ if (fd == -1)
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch
index 01d0d1f867..5a6994065e 100644
--- a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch
@@ -27,26 +27,26 @@ Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
27 1 file changed, 9 insertions(+), 2 deletions(-) 27 1 file changed, 9 insertions(+), 2 deletions(-)
28 28
29diff --git a/dmidecode.c b/dmidecode.c 29diff --git a/dmidecode.c b/dmidecode.c
30index 98f9692..b4dbc9d 100644 30index d339577..1ecdf85 100644
31--- a/dmidecode.c 31--- a/dmidecode.c
32+++ b/dmidecode.c 32+++ b/dmidecode.c
33@@ -5997,17 +5997,25 @@ int main(int argc, char * const argv[]) 33@@ -6031,17 +6031,25 @@ int main(int argc, char * const argv[])
34 pr_comment("dmidecode %s", VERSION); 34 pr_comment("dmidecode %s", VERSION);
35 35
36 /* Read from dump if so instructed */ 36 /* Read from dump if so instructed */
37+ size = 0x20; 37+ size = 0x20;
38 if (opt.flags & FLAG_FROM_DUMP) 38 if (opt.flags & FLAG_FROM_DUMP)
39 { 39 {
40 if (!(opt.flags & FLAG_QUIET)) 40 if (!(opt.flags & FLAG_QUIET))
41 pr_info("Reading SMBIOS/DMI data from file %s.", 41 pr_info("Reading SMBIOS/DMI data from file %s.",
42 opt.dumpfile); 42 opt.dumpfile);
43- if ((buf = mem_chunk(0, 0x20, opt.dumpfile)) == NULL) 43- if ((buf = mem_chunk(0, 0x20, opt.dumpfile)) == NULL)
44+ if ((buf = read_file(0, &size, opt.dumpfile)) == NULL) 44+ if ((buf = read_file(0, &size, opt.dumpfile)) == NULL)
45 { 45 {
46 ret = 1; 46 ret = 1;
47 goto exit_free; 47 goto exit_free;
48 } 48 }
49 49
50+ /* Truncated entry point can't be processed */ 50+ /* Truncated entry point can't be processed */
51+ if (size < 0x20) 51+ if (size < 0x20)
52+ { 52+ {
@@ -54,16 +54,17 @@ index 98f9692..b4dbc9d 100644
54+ goto done; 54+ goto done;
55+ } 55+ }
56+ 56+
57 if (memcmp(buf, "_SM3_", 5) == 0) 57 if (memcmp(buf, "_SM3_", 5) == 0)
58 { 58 {
59 if (smbios3_decode(buf, opt.dumpfile, 0)) 59 if (smbios3_decode(buf, opt.dumpfile, 0))
60@@ -6031,7 +6039,6 @@ int main(int argc, char * const argv[]) 60@@ -6065,7 +6073,6 @@ int main(int argc, char * const argv[])
61 * contain one of several types of entry points, so read enough for 61 * contain one of several types of entry points, so read enough for
62 * the largest one, then determine what type it contains. 62 * the largest one, then determine what type it contains.
63 */ 63 */
64- size = 0x20; 64- size = 0x20;
65 if (!(opt.flags & FLAG_NO_SYSFS) 65 if (!(opt.flags & FLAG_NO_SYSFS)
66 && (buf = read_file(0, &size, SYS_ENTRY_FILE)) != NULL) 66 && (buf = read_file(0, &size, SYS_ENTRY_FILE)) != NULL)
67 { 67 {
68-- 68--
692.40.0 692.42.0
70
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch
index 5fa72b4f9b..a3c5af2f1c 100644
--- a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch
@@ -33,105 +33,106 @@ Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
33 1 file changed, 12 insertions(+), 12 deletions(-) 33 1 file changed, 12 insertions(+), 12 deletions(-)
34 34
35diff --git a/dmidecode.c b/dmidecode.c 35diff --git a/dmidecode.c b/dmidecode.c
36index b4dbc9d..870d94e 100644 36index 1ecdf85..640c079 100644
37--- a/dmidecode.c 37--- a/dmidecode.c
38+++ b/dmidecode.c 38+++ b/dmidecode.c
39@@ -5736,14 +5736,14 @@ static void overwrite_smbios3_address(u8 *buf) 39@@ -5736,14 +5736,14 @@ static void overwrite_smbios3_address(u8 *buf)
40 buf[0x17] = 0; 40 buf[0x17] = 0;
41 } 41 }
42 42
43-static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) 43-static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
44+static int smbios3_decode(u8 *buf, size_t buf_len, const char *devmem, u32 flags) 44+static int smbios3_decode(u8 *buf, size_t buf_len, const char *devmem, u32 flags)
45 { 45 {
46 u32 ver, len; 46 u32 ver, len;
47 u64 offset; 47 u64 offset;
48 u8 *table; 48 u8 *table;
49 49
50 /* Don't let checksum run beyond the buffer */ 50 /* Don't let checksum run beyond the buffer */
51- if (buf[0x06] > 0x20) 51- if (buf[0x06] > 0x20)
52+ if (buf[0x06] > buf_len) 52+ if (buf[0x06] > buf_len)
53 { 53 {
54 fprintf(stderr, 54 fprintf(stderr,
55 "Entry point length too large (%u bytes, expected %u).\n", 55 "Entry point length too large (%u bytes, expected %u).\n",
56@@ -5782,14 +5782,14 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) 56@@ -5793,14 +5793,14 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
57 return 1; 57 return 1;
58 } 58 }
59 59
60-static int smbios_decode(u8 *buf, const char *devmem, u32 flags) 60-static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
61+static int smbios_decode(u8 *buf, size_t buf_len, const char *devmem, u32 flags) 61+static int smbios_decode(u8 *buf, size_t buf_len, const char *devmem, u32 flags)
62 { 62 {
63 u16 ver; 63 u16 ver, num;
64 u32 len; 64 u32 len;
65 u8 *table; 65 u8 *table;
66 66
67 /* Don't let checksum run beyond the buffer */ 67 /* Don't let checksum run beyond the buffer */
68- if (buf[0x05] > 0x20) 68- if (buf[0x05] > 0x20)
69+ if (buf[0x05] > buf_len) 69+ if (buf[0x05] > buf_len)
70 { 70 {
71 fprintf(stderr, 71 fprintf(stderr,
72 "Entry point length too large (%u bytes, expected %u).\n", 72 "Entry point length too large (%u bytes, expected %u).\n",
73@@ -6018,12 +6018,12 @@ int main(int argc, char * const argv[]) 73@@ -6052,12 +6052,12 @@ int main(int argc, char * const argv[])
74 74
75 if (memcmp(buf, "_SM3_", 5) == 0) 75 if (memcmp(buf, "_SM3_", 5) == 0)
76 { 76 {
77- if (smbios3_decode(buf, opt.dumpfile, 0)) 77- if (smbios3_decode(buf, opt.dumpfile, 0))
78+ if (smbios3_decode(buf, size, opt.dumpfile, 0)) 78+ if (smbios3_decode(buf, size, opt.dumpfile, 0))
79 found++; 79 found++;
80 } 80 }
81 else if (memcmp(buf, "_SM_", 4) == 0) 81 else if (memcmp(buf, "_SM_", 4) == 0)
82 { 82 {
83- if (smbios_decode(buf, opt.dumpfile, 0)) 83- if (smbios_decode(buf, opt.dumpfile, 0))
84+ if (smbios_decode(buf, size, opt.dumpfile, 0)) 84+ if (smbios_decode(buf, size, opt.dumpfile, 0))
85 found++; 85 found++;
86 } 86 }
87 else if (memcmp(buf, "_DMI_", 5) == 0) 87 else if (memcmp(buf, "_DMI_", 5) == 0)
88@@ -6046,12 +6046,12 @@ int main(int argc, char * const argv[]) 88@@ -6080,12 +6080,12 @@ int main(int argc, char * const argv[])
89 pr_info("Getting SMBIOS data from sysfs."); 89 pr_info("Getting SMBIOS data from sysfs.");
90 if (size >= 24 && memcmp(buf, "_SM3_", 5) == 0) 90 if (size >= 24 && memcmp(buf, "_SM3_", 5) == 0)
91 { 91 {
92- if (smbios3_decode(buf, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) 92- if (smbios3_decode(buf, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET))
93+ if (smbios3_decode(buf, size, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) 93+ if (smbios3_decode(buf, size, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET))
94 found++; 94 found++;
95 } 95 }
96 else if (size >= 31 && memcmp(buf, "_SM_", 4) == 0) 96 else if (size >= 31 && memcmp(buf, "_SM_", 4) == 0)
97 { 97 {
98- if (smbios_decode(buf, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) 98- if (smbios_decode(buf, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET))
99+ if (smbios_decode(buf, size, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) 99+ if (smbios_decode(buf, size, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET))
100 found++; 100 found++;
101 } 101 }
102 else if (size >= 15 && memcmp(buf, "_DMI_", 5) == 0) 102 else if (size >= 15 && memcmp(buf, "_DMI_", 5) == 0)
103@@ -6088,12 +6088,12 @@ int main(int argc, char * const argv[]) 103@@ -6122,12 +6122,12 @@ int main(int argc, char * const argv[])
104 104
105 if (memcmp(buf, "_SM3_", 5) == 0) 105 if (memcmp(buf, "_SM3_", 5) == 0)
106 { 106 {
107- if (smbios3_decode(buf, opt.devmem, 0)) 107- if (smbios3_decode(buf, opt.devmem, 0))
108+ if (smbios3_decode(buf, 0x20, opt.devmem, 0)) 108+ if (smbios3_decode(buf, 0x20, opt.devmem, 0))
109 found++; 109 found++;
110 } 110 }
111 else if (memcmp(buf, "_SM_", 4) == 0) 111 else if (memcmp(buf, "_SM_", 4) == 0)
112 { 112 {
113- if (smbios_decode(buf, opt.devmem, 0)) 113- if (smbios_decode(buf, opt.devmem, 0))
114+ if (smbios_decode(buf, 0x20, opt.devmem, 0)) 114+ if (smbios_decode(buf, 0x20, opt.devmem, 0))
115 found++; 115 found++;
116 } 116 }
117 goto done; 117 goto done;
118@@ -6114,7 +6114,7 @@ memory_scan: 118@@ -6148,7 +6148,7 @@ int main(int argc, char * const argv[])
119 { 119 {
120 if (memcmp(buf + fp, "_SM3_", 5) == 0) 120 if (memcmp(buf + fp, "_SM3_", 5) == 0)
121 { 121 {
122- if (smbios3_decode(buf + fp, opt.devmem, 0)) 122- if (smbios3_decode(buf + fp, opt.devmem, 0))
123+ if (smbios3_decode(buf + fp, 0x20, opt.devmem, 0)) 123+ if (smbios3_decode(buf + fp, 0x20, opt.devmem, 0))
124 { 124 {
125 found++; 125 found++;
126 goto done; 126 goto done;
127@@ -6127,7 +6127,7 @@ memory_scan: 127@@ -6161,7 +6161,7 @@ int main(int argc, char * const argv[])
128 { 128 {
129 if (memcmp(buf + fp, "_SM_", 4) == 0 && fp <= 0xFFE0) 129 if (memcmp(buf + fp, "_SM_", 4) == 0 && fp <= 0xFFE0)
130 { 130 {
131- if (smbios_decode(buf + fp, opt.devmem, 0)) 131- if (smbios_decode(buf + fp, opt.devmem, 0))
132+ if (smbios_decode(buf + fp, 0x20, opt.devmem, 0)) 132+ if (smbios_decode(buf + fp, 0x20, opt.devmem, 0))
133 { 133 {
134 found++; 134 found++;
135 goto done; 135 goto done;
136-- 136--
1372.35.5 1372.42.0
138
diff --git a/meta/recipes-devtools/dmidecode/dmidecode_3.4.bb b/meta/recipes-devtools/dmidecode/dmidecode_3.4.bb
index 4d5255df64..cdc628a4ea 100644
--- a/meta/recipes-devtools/dmidecode/dmidecode_3.4.bb
+++ b/meta/recipes-devtools/dmidecode/dmidecode_3.4.bb
@@ -6,7 +6,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
6 6
7SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/dmidecode/${BP}.tar.xz \ 7SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/dmidecode/${BP}.tar.xz \
8 file://0001-Committing-changes-from-do_unpack_extra.patch \ 8 file://0001-Committing-changes-from-do_unpack_extra.patch \
9 file://CVE-2023-30630_1.patch \ 9 file://CVE-2023-30630_1a.patch \
10 file://CVE-2023-30630_1b.patch \
10 file://CVE-2023-30630_2.patch \ 11 file://CVE-2023-30630_2.patch \
11 file://CVE-2023-30630_3.patch \ 12 file://CVE-2023-30630_3.patch \
12 file://CVE-2023-30630_4.patch \ 13 file://CVE-2023-30630_4.patch \
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-05-18 01:23:33 +0000