author | Sean Nyekjaer <sean@geanix.com> | 2023-10-16 14:21:58 +0200 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-10-25 04:51:00 -1000 |
commit | d4bc6a9374cedfe6e1e1ed0aa14985548d524819 (patch) | |
tree | 69782127fd3e16dd80931d45e81112bde9b453bf | |
parent | 9954a4df00884fcd76e60bb0a809670625c92454 (diff) | |
dmidecode: fixup for CVE-2023-30630
The previous CVE-2023-30630_1.patch picked only the patch
"dmidecode: Write the whole dump file at once" d8cfbc808f.
But there was a refactoring which does not allow cherry-picking it fast
forward. This conflict was not resolved correctly. The patch was:
+ u32 len;
+ u8 *table;
...
- if (!(opt.flags & FLAG_QUIET))
- pr_comment("Writing %d bytes to %s.", crafted[0x05],
- opt.dumpfile);
- write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
+ dmi_table_dump(crafted, crafted[0x05], table, len);
It looks like the variables len and table have been added without
initialization.
Now this problem is solved by applying the previous refactoring as
well. Patch 1 gets replaced by Patch 1a and Patch 1b. Patch 2..4 are
rebased without changes.
This is basically the same patch as in kirkstone:
ea069a94a2 dmidecode: fixup for CVE-2023-30630
(From OE-Core rev: 0bc69dc078c39381a39789d3c5fff673d7da994c)
Signed-off-by: Sean Nyekjaer <sean@geanix.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
6 files changed, 539 insertions, 103 deletions
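--- /dev/null
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1a.patch
@@ -0,0 +1,236 @@
+From ee6db10dd70b8fdc7a93cffd7cf5bc7a28f9d3d7 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Mon, 20 Feb 2023 14:53:21 +0100
+Subject: [PATCH 1/5] dmidecode: Split table fetching from decoding
+
+Clean up function dmi_table so that it does only one thing:
+* dmi_table() is renamed to dmi_table_get(). It now retrieves the
+DMI table, but does not process it any longer.
+* Decoding or dumping the table is now done in smbios3_decode(),
+smbios_decode() and legacy_decode().
+No functional change.
+
+A side effect of this change is that writing the header and body of
+dump files is now done in a single location. This is required to
+further consolidate the writing of dump files.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
+
+CVE: CVE-2023-30630
+
+Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=39b2dd7b6ab719b920e96ed832cfb4bdd664e808]
+
+Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
+---
+dmidecode.c | 86 ++++++++++++++++++++++++++++++++++++++---------------
+1 file changed, 62 insertions(+), 24 deletions(-)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index cd2b5c9..b082c03 100644
+--- a/dmidecode.c
++++ b/dmidecode.c
+@@ -5247,8 +5247,9 @@ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
+}
+}
+
+-static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+- u32 flags)
++/* Allocates a buffer for the table, must be freed by the caller */
++static u8 *dmi_table_get(off_t base, u32 *len, u16 num, u32 ver,
++ const char *devmem, u32 flags)
+{
+u8 *buf;
+
+@@ -5267,7 +5268,7 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+{
+if (num)
+pr_info("%u structures occupying %u bytes.",
+- num, len);
++ num, *len);
+if (!(opt.flags & FLAG_FROM_DUMP))
+pr_info("Table at 0x%08llX.",
+(unsigned long long)base);
+@@ -5285,19 +5286,19 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+* would be the result of the kernel truncating the table on
+* parse error.
+*/
+- size_t size = len;
++ size_t size = *len;
+buf = read_file(flags & FLAG_NO_FILE_OFFSET ? 0 : base,
+&size, devmem);
+- if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)len)
++ if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)*len)
+{
+fprintf(stderr, "Wrong DMI structures length: %u bytes "
+"announced, only %lu bytes available.\n",
+- len, (unsigned long)size);
++ *len, (unsigned long)size);
+}
+- len = size;
++ *len = size;
+}
+else
+- buf = mem_chunk(base, len, devmem);
++ buf = mem_chunk(base, *len, devmem);
+
+if (buf == NULL)
+{
+@@ -5307,15 +5308,9 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+fprintf(stderr,
+"Try compiling dmidecode with -DUSE_MMAP.\n");
+#endif
+- return;
+}
+
+- if (opt.flags & FLAG_DUMP_BIN)
+- dmi_table_dump(buf, len);
+- else
+- dmi_table_decode(buf, len, num, ver >> 8, flags);
+-
+- free(buf);
++ return buf;
+}
+
+
+@@ -5350,8 +5345,9 @@ static void overwrite_smbios3_address(u8 *buf)
+
+static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+{
+- u32 ver;
++ u32 ver, len;
+u64 offset;
++ u8 *table;
+
+/* Don't let checksum run beyond the buffer */
+if (buf[0x06] > 0x20)
+@@ -5377,8 +5373,12 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+return 0;
+}
+
+- dmi_table(((off_t)offset.h << 32) | offset.l,
+- DWORD(buf + 0x0C), 0, ver, devmem, flags | FLAG_STOP_AT_EOT);
++ /* Maximum length, may get trimmed */
++ len = DWORD(buf + 0x0C);
++ table = dmi_table_get(((off_t)offset.h << 32) | offset.l, &len, 0, ver,
++ devmem, flags | FLAG_STOP_AT_EOT);
++ if (table == NULL)
++ return 1;
+
+if (opt.flags & FLAG_DUMP_BIN)
+{
+@@ -5387,18 +5387,28 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+memcpy(crafted, buf, 32);
+overwrite_smbios3_address(crafted);
+
++ dmi_table_dump(table, len);
+if (!(opt.flags & FLAG_QUIET))
+pr_comment("Writing %d bytes to %s.", crafted[0x06],
+opt.dumpfile);
+write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1);
+}
++ else
++ {
++ dmi_table_decode(table, len, 0, ver >> 8,
++ flags | FLAG_STOP_AT_EOT);
++ }
++
++ free(table);
+
+return 1;
+}
+
+static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+{
+- u16 ver;
++ u16 ver, num;
++ u32 len;
++ u8 *table;
+
+/* Don't let checksum run beyond the buffer */
+if (buf[0x05] > 0x20)
+@@ -5438,8 +5448,13 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+pr_info("SMBIOS %u.%u present.",
+ver >> 8, ver & 0xFF);
+
+- dmi_table(DWORD(buf + 0x18), WORD(buf + 0x16), WORD(buf + 0x1C),
+- ver << 8, devmem, flags);
++ /* Maximum length, may get trimmed */
++ len = WORD(buf + 0x16);
++ num = WORD(buf + 0x1C);
++ table = dmi_table_get(DWORD(buf + 0x18), &len, num, ver << 8,
++ devmem, flags);
++ if (table == NULL)
++ return 1;
+
+if (opt.flags & FLAG_DUMP_BIN)
+{
+@@ -5448,27 +5463,43 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+memcpy(crafted, buf, 32);
+overwrite_dmi_address(crafted + 0x10);
+
++ dmi_table_dump(table, len);
+if (!(opt.flags & FLAG_QUIET))
+pr_comment("Writing %d bytes to %s.", crafted[0x05],
+opt.dumpfile);
+write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
+}
++ else
++ {
++ dmi_table_decode(table, len, num, ver, flags);
++ }
++
++ free(table);
+
+return 1;
+}
+
+static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
+{
++ u16 ver, num;
++ u32 len;
++ u8 *table;
++
+if (!checksum(buf, 0x0F))
+return 0;
+
++ ver = ((buf[0x0E] & 0xF0) << 4) + (buf[0x0E] & 0x0F);
+if (!(opt.flags & FLAG_QUIET))
+pr_info("Legacy DMI %u.%u present.",
+buf[0x0E] >> 4, buf[0x0E] & 0x0F);
+
+- dmi_table(DWORD(buf + 0x08), WORD(buf + 0x06), WORD(buf + 0x0C),
+- ((buf[0x0E] & 0xF0) << 12) + ((buf[0x0E] & 0x0F) << 8),
+- devmem, flags);
++ /* Maximum length, may get trimmed */
++ len = WORD(buf + 0x06);
++ num = WORD(buf + 0x0C);
++ table = dmi_table_get(DWORD(buf + 0x08), &len, num, ver << 8,
++ devmem, flags);
++ if (table == NULL)
++ return 1;
+
+if (opt.flags & FLAG_DUMP_BIN)
+{
+@@ -5477,11 +5508,18 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
+memcpy(crafted, buf, 16);
+overwrite_dmi_address(crafted);
+
++ dmi_table_dump(table, len);
+if (!(opt.flags & FLAG_QUIET))
+pr_comment("Writing %d bytes to %s.", 0x0F,
+opt.dumpfile);
+write_dump(0, 0x0F, crafted, opt.dumpfile, 1);
+}
++ else
++ {
++ dmi_table_decode(table, len, num, ver, flags);
++ }
++
++ free(table);
+
+return 1;
+}
+--
+2.41.0
+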
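Review bot: The comment added above dmi_table_get() covers buffer ownership but not that `len` is now an in/out parameter or that NULL is returned on failure, and all three callers depend on both: they test `table == NULL` and hand the possibly trimmed `len` on to dmi_table_dump()/dmi_table_decode(). Since that length originates in the entry point and bounds everything done with the table afterwards, I would spell the contract out, e.g. `/* Allocates a buffer for the table, must be freed by the caller. *len is the announced length on entry and the length actually read on return. Returns NULL on error. */`. Only the read_file() branch visibly writes `*len` back; the mem_chunk() branch leaves it as announced, and parts of the function body lie outside the hunks shown.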
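--- /dev/null
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1b.patch
@@ -0,0 +1,197 @@
+From d362549bce92ac22860cda8cad4532c1a3fe6928 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Mon, 20 Feb 2023 14:53:25 +0100
+Subject: [PATCH 2/5] dmidecode: Write the whole dump file at once
+
+When option --dump-bin is used, write the whole dump file at once,
+instead of opening and closing the file separately for the table
+and then for the entry point.
+
+As the file writing function is no longer generic, it gets moved
+from util.c to dmidecode.c.
+
+One minor functional change resulting from the new implementation is
+that the entry point is written first now, so the messages printed
+are swapped.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
+
+CVE: CVE-2023-30630
+
+Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=d8cfbc808f387e87091c25e7d5b8c2bb348bb206]
+
+Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
+---
+dmidecode.c | 69 +++++++++++++++++++++++++++++++++++++++--------------
+util.c | 40 -------------------------------
+util.h | 1 -
+3 files changed, 51 insertions(+), 59 deletions(-)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index b082c03..a80a140 100644
+--- a/dmidecode.c
++++ b/dmidecode.c
+@@ -5130,11 +5130,56 @@ static void dmi_table_string(const struct dmi_header *h, const u8 *data, u16 ver
+}
+}
+
+-static void dmi_table_dump(const u8 *buf, u32 len)
++static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table,
++ u32 table_len)
+{
++ FILE *f;
++
++ f = fopen(opt.dumpfile, "wb");
++ if (!f)
++ {
++ fprintf(stderr, "%s: ", opt.dumpfile);
++ perror("fopen");
++ return -1;
++ }
++
++ if (!(opt.flags & FLAG_QUIET))
++ pr_comment("Writing %d bytes to %s.", ep_len, opt.dumpfile);
++ if (fwrite(ep, ep_len, 1, f) != 1)
++ {
++ fprintf(stderr, "%s: ", opt.dumpfile);
++ perror("fwrite");
++ goto err_close;
++ }
++
++ if (fseek(f, 32, SEEK_SET) != 0)
++ {
++ fprintf(stderr, "%s: ", opt.dumpfile);
++ perror("fseek");
++ goto err_close;
++ }
++
+if (!(opt.flags & FLAG_QUIET))
+- pr_comment("Writing %d bytes to %s.", len, opt.dumpfile);
+- write_dump(32, len, buf, opt.dumpfile, 0);
++ pr_comment("Writing %d bytes to %s.", table_len, opt.dumpfile);
++ if (fwrite(table, table_len, 1, f) != 1)
++ {
++ fprintf(stderr, "%s: ", opt.dumpfile);
++ perror("fwrite");
++ goto err_close;
++ }
++
++ if (fclose(f))
++ {
++ fprintf(stderr, "%s: ", opt.dumpfile);
++ perror("fclose");
++ return -1;
++ }
++
++ return 0;
++
++err_close:
++ fclose(f);
++ return -1;
+}
+
+static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
+@@ -5387,11 +5432,7 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+memcpy(crafted, buf, 32);
+overwrite_smbios3_address(crafted);
+
+- dmi_table_dump(table, len);
+- if (!(opt.flags & FLAG_QUIET))
+- pr_comment("Writing %d bytes to %s.", crafted[0x06],
+- opt.dumpfile);
+- write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1);
++ dmi_table_dump(crafted, crafted[0x06], table, len);
+}
+else
+{
+@@ -5463,11 +5504,7 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+memcpy(crafted, buf, 32);
+overwrite_dmi_address(crafted + 0x10);
+
+- dmi_table_dump(table, len);
+- if (!(opt.flags & FLAG_QUIET))
+- pr_comment("Writing %d bytes to %s.", crafted[0x05],
+- opt.dumpfile);
+- write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
++ dmi_table_dump(crafted, crafted[0x05], table, len);
+}
+else
+{
+@@ -5508,11 +5545,7 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
+memcpy(crafted, buf, 16);
+overwrite_dmi_address(crafted);
+
+- dmi_table_dump(table, len);
+- if (!(opt.flags & FLAG_QUIET))
+- pr_comment("Writing %d bytes to %s.", 0x0F,
+- opt.dumpfile);
+- write_dump(0, 0x0F, crafted, opt.dumpfile, 1);
++ dmi_table_dump(crafted, 0x0F, table, len);
+}
+else
+{
+diff --git a/util.c b/util.c
+index 04aaadd..1547096 100644
+--- a/util.c
++++ b/util.c
+@@ -259,46 +259,6 @@ out:
+return p;
+}
+
+-int write_dump(size_t base, size_t len, const void *data, const char *dumpfile, int add)
+-{
+- FILE *f;
+-
+- f = fopen(dumpfile, add ? "r+b" : "wb");
+- if (!f)
+- {
+- fprintf(stderr, "%s: ", dumpfile);
+- perror("fopen");
+- return -1;
+- }
+-
+- if (fseek(f, base, SEEK_SET) != 0)
+- {
+- fprintf(stderr, "%s: ", dumpfile);
+- perror("fseek");
+- goto err_close;
+- }
+-
+- if (fwrite(data, len, 1, f) != 1)
+- {
+- fprintf(stderr, "%s: ", dumpfile);
+- perror("fwrite");
+- goto err_close;
+- }
+-
+- if (fclose(f))
+- {
+- fprintf(stderr, "%s: ", dumpfile);
+- perror("fclose");
+- return -1;
+- }
+-
+- return 0;
+-
+-err_close:
+- fclose(f);
+- return -1;
+-}
+-
+/* Returns end - start + 1, assuming start < end */
+u64 u64_range(u64 start, u64 end)
+{
+diff --git a/util.h b/util.h
+index 3094cf8..ef24eb9 100644
+--- a/util.h
++++ b/util.h
+@@ -27,5 +27,4 @@
+int checksum(const u8 *buf, size_t len);
+void *read_file(off_t base, size_t *len, const char *filename);
+void *mem_chunk(off_t base, size_t len, const char *devmem);
+-int write_dump(size_t base, size_t len, const void *data, const char *dumpfile, int add);
+u64 u64_range(u64 start, u64 end);
+--
+2.41.0
+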
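Review bot: dmi_table_dump() now returns -1 when fopen, fwrite, fseek or fclose fails, but the three call sites in smbios3_decode(), smbios_decode() and legacy_decode() discard that value and carry on to `return 1`, so the caller cannot tell a failed or partial dump from a complete one. Propagating it needs a change outside these hunks, because the decode functions' return value appears to mean "entry point handled"; at minimum the contract should be stated above the function, e.g. `/* Returns 0 on success, -1 on error; on error the dump file may be left incomplete */`. Two smaller points in the same function: `ep_len` and `table_len` are u32 but printed with `%d` where `%u` matches, and `fwrite(table, table_len, 1, f) != 1` reports an error when `table_len` is 0, since fwrite() returns 0 for a zero-sized item.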
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch index dcc87d2326..971c8c0126 100644 --- a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch | |||
@@ -29,18 +29,18 @@ index 5477309..98f9692 100644 | |||
29 | @@ -60,6 +60,7 @@ | 29 | @@ -60,6 +60,7 @@ |
30 | * https://www.dmtf.org/sites/default/files/DSP0270_1.0.1.pdf | 30 | * https://www.dmtf.org/sites/default/files/DSP0270_1.0.1.pdf |
31 | */ | 31 | */ |
32 | 32 | ||
33 | +#include <fcntl.h> | 33 | +#include <fcntl.h> |
34 | #include <stdio.h> | 34 | #include <stdio.h> |
35 | #include <string.h> | 35 | #include <string.h> |
36 | #include <strings.h> | 36 | #include <strings.h> |
37 | @@ -5430,13 +5431,22 @@ static void dmi_table_string(const struct dmi_header *h, const u8 *data, u16 ver | 37 | @@ -5430,13 +5431,22 @@ static void dmi_table_string(const struct dmi_header *h, const u8 *data, u16 ver |
38 | static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table, | 38 | static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table, |
39 | u32 table_len) | 39 | u32 table_len) |
40 | { | 40 | { |
41 | + int fd; | 41 | + int fd; |
42 | FILE *f; | 42 | FILE *f; |
43 | 43 | ||
44 | - f = fopen(opt.dumpfile, "wb"); | 44 | - f = fopen(opt.dumpfile, "wb"); |
45 | + fd = open(opt.dumpfile, O_WRONLY|O_CREAT|O_EXCL, 0666); | 45 | + fd = open(opt.dumpfile, O_WRONLY|O_CREAT|O_EXCL, 0666); |
46 | + if (fd == -1) | 46 | + if (fd == -1) |
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch index 01d0d1f867..5a6994065e 100644 --- a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch | |||
@@ -27,26 +27,26 @@ Signed-off-by: Yogita Urade <yogita.urade@windriver.com> | |||
27 | 1 file changed, 9 insertions(+), 2 deletions(-) | 27 | 1 file changed, 9 insertions(+), 2 deletions(-) |
28 | 28 | ||
29 | diff --git a/dmidecode.c b/dmidecode.c | 29 | diff --git a/dmidecode.c b/dmidecode.c |
30 | index 98f9692..b4dbc9d 100644 | 30 | index d339577..1ecdf85 100644 |
31 | --- a/dmidecode.c | 31 | --- a/dmidecode.c |
32 | +++ b/dmidecode.c | 32 | +++ b/dmidecode.c |
33 | @@ -5997,17 +5997,25 @@ int main(int argc, char * const argv[]) | 33 | @@ -6031,17 +6031,25 @@ int main(int argc, char * const argv[]) |
34 | pr_comment("dmidecode %s", VERSION); | 34 | pr_comment("dmidecode %s", VERSION); |
35 | 35 | ||
36 | /* Read from dump if so instructed */ | 36 | /* Read from dump if so instructed */ |
37 | + size = 0x20; | 37 | + size = 0x20; |
38 | if (opt.flags & FLAG_FROM_DUMP) | 38 | if (opt.flags & FLAG_FROM_DUMP) |
39 | { | 39 | { |
40 | if (!(opt.flags & FLAG_QUIET)) | 40 | if (!(opt.flags & FLAG_QUIET)) |
41 | pr_info("Reading SMBIOS/DMI data from file %s.", | 41 | pr_info("Reading SMBIOS/DMI data from file %s.", |
42 | opt.dumpfile); | 42 | opt.dumpfile); |
43 | - if ((buf = mem_chunk(0, 0x20, opt.dumpfile)) == NULL) | 43 | - if ((buf = mem_chunk(0, 0x20, opt.dumpfile)) == NULL) |
44 | + if ((buf = read_file(0, &size, opt.dumpfile)) == NULL) | 44 | + if ((buf = read_file(0, &size, opt.dumpfile)) == NULL) |
45 | { | 45 | { |
46 | ret = 1; | 46 | ret = 1; |
47 | goto exit_free; | 47 | goto exit_free; |
48 | } | 48 | } |
49 | 49 | ||
50 | + /* Truncated entry point can't be processed */ | 50 | + /* Truncated entry point can't be processed */ |
51 | + if (size < 0x20) | 51 | + if (size < 0x20) |
52 | + { | 52 | + { |
@@ -54,16 +54,17 @@ index 98f9692..b4dbc9d 100644 | |||
54 | + goto done; | 54 | + goto done; |
55 | + } | 55 | + } |
56 | + | 56 | + |
57 | if (memcmp(buf, "_SM3_", 5) == 0) | 57 | if (memcmp(buf, "_SM3_", 5) == 0) |
58 | { | 58 | { |
59 | if (smbios3_decode(buf, opt.dumpfile, 0)) | 59 | if (smbios3_decode(buf, opt.dumpfile, 0)) |
60 | @@ -6031,7 +6039,6 @@ int main(int argc, char * const argv[]) | 60 | @@ -6065,7 +6073,6 @@ int main(int argc, char * const argv[]) |
61 | * contain one of several types of entry points, so read enough for | 61 | * contain one of several types of entry points, so read enough for |
62 | * the largest one, then determine what type it contains. | 62 | * the largest one, then determine what type it contains. |
63 | */ | 63 | */ |
64 | - size = 0x20; | 64 | - size = 0x20; |
65 | if (!(opt.flags & FLAG_NO_SYSFS) | 65 | if (!(opt.flags & FLAG_NO_SYSFS) |
66 | && (buf = read_file(0, &size, SYS_ENTRY_FILE)) != NULL) | 66 | && (buf = read_file(0, &size, SYS_ENTRY_FILE)) != NULL) |
67 | { | 67 | { |
68 | -- | 68 | -- |
69 | 2.40.0 | 69 | 2.42.0 |
70 | |||
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch index 5fa72b4f9b..a3c5af2f1c 100644 --- a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch | |||
@@ -33,105 +33,106 @@ Signed-off-by: Yogita Urade <yogita.urade@windriver.com> | |||
33 | 1 file changed, 12 insertions(+), 12 deletions(-) | 33 | 1 file changed, 12 insertions(+), 12 deletions(-) |
34 | 34 | ||
35 | diff --git a/dmidecode.c b/dmidecode.c | 35 | diff --git a/dmidecode.c b/dmidecode.c |
36 | index b4dbc9d..870d94e 100644 | 36 | index 1ecdf85..640c079 100644 |
37 | --- a/dmidecode.c | 37 | --- a/dmidecode.c |
38 | +++ b/dmidecode.c | 38 | +++ b/dmidecode.c |
39 | @@ -5736,14 +5736,14 @@ static void overwrite_smbios3_address(u8 *buf) | 39 | @@ -5736,14 +5736,14 @@ static void overwrite_smbios3_address(u8 *buf) |
40 | buf[0x17] = 0; | 40 | buf[0x17] = 0; |
41 | } | 41 | } |
42 | 42 | ||
43 | -static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) | 43 | -static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) |
44 | +static int smbios3_decode(u8 *buf, size_t buf_len, const char *devmem, u32 flags) | 44 | +static int smbios3_decode(u8 *buf, size_t buf_len, const char *devmem, u32 flags) |
45 | { | 45 | { |
46 | u32 ver, len; | 46 | u32 ver, len; |
47 | u64 offset; | 47 | u64 offset; |
48 | u8 *table; | 48 | u8 *table; |
49 | 49 | ||
50 | /* Don't let checksum run beyond the buffer */ | 50 | /* Don't let checksum run beyond the buffer */ |
51 | - if (buf[0x06] > 0x20) | 51 | - if (buf[0x06] > 0x20) |
52 | + if (buf[0x06] > buf_len) | 52 | + if (buf[0x06] > buf_len) |
53 | { | 53 | { |
54 | fprintf(stderr, | 54 | fprintf(stderr, |
55 | "Entry point length too large (%u bytes, expected %u).\n", | 55 | "Entry point length too large (%u bytes, expected %u).\n", |
56 | @@ -5782,14 +5782,14 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) | 56 | @@ -5793,14 +5793,14 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) |
57 | return 1; | 57 | return 1; |
58 | } | 58 | } |
59 | 59 | ||
60 | -static int smbios_decode(u8 *buf, const char *devmem, u32 flags) | 60 | -static int smbios_decode(u8 *buf, const char *devmem, u32 flags) |
61 | +static int smbios_decode(u8 *buf, size_t buf_len, const char *devmem, u32 flags) | 61 | +static int smbios_decode(u8 *buf, size_t buf_len, const char *devmem, u32 flags) |
62 | { | 62 | { |
63 | u16 ver; | 63 | u16 ver, num; |
64 | u32 len; | 64 | u32 len; |
65 | u8 *table; | 65 | u8 *table; |
66 | 66 | ||
67 | /* Don't let checksum run beyond the buffer */ | 67 | /* Don't let checksum run beyond the buffer */ |
68 | - if (buf[0x05] > 0x20) | 68 | - if (buf[0x05] > 0x20) |
69 | + if (buf[0x05] > buf_len) | 69 | + if (buf[0x05] > buf_len) |
70 | { | 70 | { |
71 | fprintf(stderr, | 71 | fprintf(stderr, |
72 | "Entry point length too large (%u bytes, expected %u).\n", | 72 | "Entry point length too large (%u bytes, expected %u).\n", |
73 | @@ -6018,12 +6018,12 @@ int main(int argc, char * const argv[]) | 73 | @@ -6052,12 +6052,12 @@ int main(int argc, char * const argv[]) |
74 | 74 | ||
75 | if (memcmp(buf, "_SM3_", 5) == 0) | 75 | if (memcmp(buf, "_SM3_", 5) == 0) |
76 | { | 76 | { |
77 | - if (smbios3_decode(buf, opt.dumpfile, 0)) | 77 | - if (smbios3_decode(buf, opt.dumpfile, 0)) |
78 | + if (smbios3_decode(buf, size, opt.dumpfile, 0)) | 78 | + if (smbios3_decode(buf, size, opt.dumpfile, 0)) |
79 | found++; | 79 | found++; |
80 | } | 80 | } |
81 | else if (memcmp(buf, "_SM_", 4) == 0) | 81 | else if (memcmp(buf, "_SM_", 4) == 0) |
82 | { | 82 | { |
83 | - if (smbios_decode(buf, opt.dumpfile, 0)) | 83 | - if (smbios_decode(buf, opt.dumpfile, 0)) |
84 | + if (smbios_decode(buf, size, opt.dumpfile, 0)) | 84 | + if (smbios_decode(buf, size, opt.dumpfile, 0)) |
85 | found++; | 85 | found++; |
86 | } | 86 | } |
87 | else if (memcmp(buf, "_DMI_", 5) == 0) | 87 | else if (memcmp(buf, "_DMI_", 5) == 0) |
88 | @@ -6046,12 +6046,12 @@ int main(int argc, char * const argv[]) | 88 | @@ -6080,12 +6080,12 @@ int main(int argc, char * const argv[]) |
89 | pr_info("Getting SMBIOS data from sysfs."); | 89 | pr_info("Getting SMBIOS data from sysfs."); |
90 | if (size >= 24 && memcmp(buf, "_SM3_", 5) == 0) | 90 | if (size >= 24 && memcmp(buf, "_SM3_", 5) == 0) |
91 | { | 91 | { |
92 | - if (smbios3_decode(buf, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) | 92 | - if (smbios3_decode(buf, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) |
93 | + if (smbios3_decode(buf, size, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) | 93 | + if (smbios3_decode(buf, size, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) |
94 | found++; | 94 | found++; |
95 | } | 95 | } |
96 | else if (size >= 31 && memcmp(buf, "_SM_", 4) == 0) | 96 | else if (size >= 31 && memcmp(buf, "_SM_", 4) == 0) |
97 | { | 97 | { |
98 | - if (smbios_decode(buf, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) | 98 | - if (smbios_decode(buf, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) |
99 | + if (smbios_decode(buf, size, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) | 99 | + if (smbios_decode(buf, size, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) |
100 | found++; | 100 | found++; |
101 | } | 101 | } |
102 | else if (size >= 15 && memcmp(buf, "_DMI_", 5) == 0) | 102 | else if (size >= 15 && memcmp(buf, "_DMI_", 5) == 0) |
103 | @@ -6088,12 +6088,12 @@ int main(int argc, char * const argv[]) | 103 | @@ -6122,12 +6122,12 @@ int main(int argc, char * const argv[]) |
104 | 104 | ||
105 | if (memcmp(buf, "_SM3_", 5) == 0) | 105 | if (memcmp(buf, "_SM3_", 5) == 0) |
106 | { | 106 | { |
107 | - if (smbios3_decode(buf, opt.devmem, 0)) | 107 | - if (smbios3_decode(buf, opt.devmem, 0)) |
108 | + if (smbios3_decode(buf, 0x20, opt.devmem, 0)) | 108 | + if (smbios3_decode(buf, 0x20, opt.devmem, 0)) |
109 | found++; | 109 | found++; |
110 | } | 110 | } |
111 | else if (memcmp(buf, "_SM_", 4) == 0) | 111 | else if (memcmp(buf, "_SM_", 4) == 0) |
112 | { | 112 | { |
113 | - if (smbios_decode(buf, opt.devmem, 0)) | 113 | - if (smbios_decode(buf, opt.devmem, 0)) |
114 | + if (smbios_decode(buf, 0x20, opt.devmem, 0)) | 114 | + if (smbios_decode(buf, 0x20, opt.devmem, 0)) |
115 | found++; | 115 | found++; |
116 | } | 116 | } |
117 | goto done; | 117 | goto done; |
118 | @@ -6114,7 +6114,7 @@ memory_scan: | 118 | @@ -6148,7 +6148,7 @@ int main(int argc, char * const argv[]) |
119 | { | 119 | { |
120 | if (memcmp(buf + fp, "_SM3_", 5) == 0) | 120 | if (memcmp(buf + fp, "_SM3_", 5) == 0) |
121 | { | 121 | { |
122 | - if (smbios3_decode(buf + fp, opt.devmem, 0)) | 122 | - if (smbios3_decode(buf + fp, opt.devmem, 0)) |
123 | + if (smbios3_decode(buf + fp, 0x20, opt.devmem, 0)) | 123 | + if (smbios3_decode(buf + fp, 0x20, opt.devmem, 0)) |
124 | { | 124 | { |
125 | found++; | 125 | found++; |
126 | goto done; | 126 | goto done; |
127 | @@ -6127,7 +6127,7 @@ memory_scan: | 127 | @@ -6161,7 +6161,7 @@ int main(int argc, char * const argv[]) |
128 | { | 128 | { |
129 | if (memcmp(buf + fp, "_SM_", 4) == 0 && fp <= 0xFFE0) | 129 | if (memcmp(buf + fp, "_SM_", 4) == 0 && fp <= 0xFFE0) |
130 | { | 130 | { |
131 | - if (smbios_decode(buf + fp, opt.devmem, 0)) | 131 | - if (smbios_decode(buf + fp, opt.devmem, 0)) |
132 | + if (smbios_decode(buf + fp, 0x20, opt.devmem, 0)) | 132 | + if (smbios_decode(buf + fp, 0x20, opt.devmem, 0)) |
133 | { | 133 | { |
134 | found++; | 134 | found++; |
135 | goto done; | 135 | goto done; |
136 | -- | 136 | -- |
137 | 2.35.5 | 137 | 2.42.0 |
138 | |||
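--- a/meta/recipes-devtools/dmidecode/dmidecode_3.4.bb
+++ b/meta/recipes-devtools/dmidecode/dmidecode_3.4.bb
@@ -6,7 +6,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 
 SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/dmidecode/${BP}.tar.xz \
 file://0001-Committing-changes-from-do_unpack_extra.patch \
-file://CVE-2023-30630_1.patch \
+file://CVE-2023-30630_1a.patch \
+file://CVE-2023-30630_1b.patch \
 file://CVE-2023-30630_2.patch \
 file://CVE-2023-30630_3.patch \
 file://CVE-2023-30630_4.patch \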