diff options
Diffstat (limited to 'meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch')
-rw-r--r-- | meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch | 236 |
1 files changed, 236 insertions, 0 deletions
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch new file mode 100644 index 0000000000..f1d449acbe --- /dev/null +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch | |||
@@ -0,0 +1,236 @@ | |||
1 | From 24def311c6168d0dfb7c5f0f183b72b709c49265 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jean Delvare <jdelvare@suse.de> | ||
3 | Date: Mon, 20 Feb 2023 14:53:21 +0100 | ||
4 | Subject: [PATCH] dmidecode: Split table fetching from decoding | ||
5 | |||
6 | Clean up function dmi_table so that it does only one thing: | ||
7 | * dmi_table() is renamed to dmi_table_get(). It now retrieves the | ||
8 | DMI table, but does not process it any longer. | ||
9 | * Decoding or dumping the table is now done in smbios3_decode(), | ||
10 | smbios_decode() and legacy_decode(). | ||
11 | No functional change. | ||
12 | |||
13 | A side effect of this change is that writing the header and body of | ||
14 | dump files is now done in a single location. This is required to | ||
15 | further consolidate the writing of dump files. | ||
16 | |||
17 | CVE-ID: CVE-2023-30630 | ||
18 | Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=39b2dd7b6ab7] | ||
19 | |||
20 | Backport Changes: | ||
21 | - In the file dmidecode.c, the commit [dd593d2] in v3.3 introduces | ||
22 | pr_info(). This is backported to printf() as per v3.2. | ||
23 | |||
24 | Signed-off-by: Jean Delvare <jdelvare@suse.de> | ||
25 | Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com> | ||
26 | (cherry picked from commit 39b2dd7b6ab719b920e96ed832cfb4bdd664e808) | ||
27 | Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com> | ||
28 | --- | ||
29 | dmidecode.c | 86 ++++++++++++++++++++++++++++++++++++++--------------- | ||
30 | 1 file changed, 62 insertions(+), 24 deletions(-) | ||
31 | |||
32 | diff --git a/dmidecode.c b/dmidecode.c | ||
33 | index a3e9d6c..d6eedd1 100644 | ||
34 | --- a/dmidecode.c | ||
35 | +++ b/dmidecode.c | ||
36 | @@ -5211,8 +5211,9 @@ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags) | ||
37 | } | ||
38 | } | ||
39 | |||
40 | -static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem, | ||
41 | - u32 flags) | ||
42 | +/* Allocates a buffer for the table, must be freed by the caller */ | ||
43 | +static u8 *dmi_table_get(off_t base, u32 *len, u16 num, u32 ver, | ||
44 | + const char *devmem, u32 flags) | ||
45 | { | ||
46 | u8 *buf; | ||
47 | |||
48 | @@ -5231,7 +5232,7 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem, | ||
49 | { | ||
50 | if (num) | ||
51 | printf("%u structures occupying %u bytes.\n", | ||
52 | - num, len); | ||
53 | + num, *len); | ||
54 | if (!(opt.flags & FLAG_FROM_DUMP)) | ||
55 | printf("Table at 0x%08llX.\n", | ||
56 | (unsigned long long)base); | ||
57 | @@ -5249,19 +5250,19 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem, | ||
58 | * would be the result of the kernel truncating the table on | ||
59 | * parse error. | ||
60 | */ | ||
61 | - size_t size = len; | ||
62 | + size_t size = *len; | ||
63 | buf = read_file(flags & FLAG_NO_FILE_OFFSET ? 0 : base, | ||
64 | &size, devmem); | ||
65 | - if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)len) | ||
66 | + if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)*len) | ||
67 | { | ||
68 | fprintf(stderr, "Wrong DMI structures length: %u bytes " | ||
69 | "announced, only %lu bytes available.\n", | ||
70 | - len, (unsigned long)size); | ||
71 | + *len, (unsigned long)size); | ||
72 | } | ||
73 | - len = size; | ||
74 | + *len = size; | ||
75 | } | ||
76 | else | ||
77 | - buf = mem_chunk(base, len, devmem); | ||
78 | + buf = mem_chunk(base, *len, devmem); | ||
79 | |||
80 | if (buf == NULL) | ||
81 | { | ||
82 | @@ -5271,15 +5272,9 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem, | ||
83 | fprintf(stderr, | ||
84 | "Try compiling dmidecode with -DUSE_MMAP.\n"); | ||
85 | #endif | ||
86 | - return; | ||
87 | } | ||
88 | |||
89 | - if (opt.flags & FLAG_DUMP_BIN) | ||
90 | - dmi_table_dump(buf, len); | ||
91 | - else | ||
92 | - dmi_table_decode(buf, len, num, ver >> 8, flags); | ||
93 | - | ||
94 | - free(buf); | ||
95 | + return buf; | ||
96 | } | ||
97 | |||
98 | |||
99 | @@ -5314,8 +5309,9 @@ static void overwrite_smbios3_address(u8 *buf) | ||
100 | |||
101 | static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) | ||
102 | { | ||
103 | - u32 ver; | ||
104 | + u32 ver, len; | ||
105 | u64 offset; | ||
106 | + u8 *table; | ||
107 | |||
108 | /* Don't let checksum run beyond the buffer */ | ||
109 | if (buf[0x06] > 0x20) | ||
110 | @@ -5341,8 +5337,12 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) | ||
111 | return 0; | ||
112 | } | ||
113 | |||
114 | - dmi_table(((off_t)offset.h << 32) | offset.l, | ||
115 | - DWORD(buf + 0x0C), 0, ver, devmem, flags | FLAG_STOP_AT_EOT); | ||
116 | + /* Maximum length, may get trimmed */ | ||
117 | + len = DWORD(buf + 0x0C); | ||
118 | + table = dmi_table_get(((off_t)offset.h << 32) | offset.l, &len, 0, ver, | ||
119 | + devmem, flags | FLAG_STOP_AT_EOT); | ||
120 | + if (table == NULL) | ||
121 | + return 1; | ||
122 | |||
123 | if (opt.flags & FLAG_DUMP_BIN) | ||
124 | { | ||
125 | @@ -5351,18 +5351,28 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) | ||
126 | memcpy(crafted, buf, 32); | ||
127 | overwrite_smbios3_address(crafted); | ||
128 | |||
129 | + dmi_table_dump(table, len); | ||
130 | if (!(opt.flags & FLAG_QUIET)) | ||
131 | printf("# Writing %d bytes to %s.\n", crafted[0x06], | ||
132 | opt.dumpfile); | ||
133 | write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1); | ||
134 | } | ||
135 | + else | ||
136 | + { | ||
137 | + dmi_table_decode(table, len, 0, ver >> 8, | ||
138 | + flags | FLAG_STOP_AT_EOT); | ||
139 | + } | ||
140 | + | ||
141 | + free(table); | ||
142 | |||
143 | return 1; | ||
144 | } | ||
145 | |||
146 | static int smbios_decode(u8 *buf, const char *devmem, u32 flags) | ||
147 | { | ||
148 | - u16 ver; | ||
149 | + u16 ver, num; | ||
150 | + u32 len; | ||
151 | + u8 *table; | ||
152 | |||
153 | /* Don't let checksum run beyond the buffer */ | ||
154 | if (buf[0x05] > 0x20) | ||
155 | @@ -5402,8 +5412,13 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags) | ||
156 | printf("SMBIOS %u.%u present.\n", | ||
157 | ver >> 8, ver & 0xFF); | ||
158 | |||
159 | - dmi_table(DWORD(buf + 0x18), WORD(buf + 0x16), WORD(buf + 0x1C), | ||
160 | - ver << 8, devmem, flags); | ||
161 | + /* Maximum length, may get trimmed */ | ||
162 | + len = WORD(buf + 0x16); | ||
163 | + num = WORD(buf + 0x1C); | ||
164 | + table = dmi_table_get(DWORD(buf + 0x18), &len, num, ver << 8, | ||
165 | + devmem, flags); | ||
166 | + if (table == NULL) | ||
167 | + return 1; | ||
168 | |||
169 | if (opt.flags & FLAG_DUMP_BIN) | ||
170 | { | ||
171 | @@ -5412,27 +5427,43 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags) | ||
172 | memcpy(crafted, buf, 32); | ||
173 | overwrite_dmi_address(crafted + 0x10); | ||
174 | |||
175 | + dmi_table_dump(table, len); | ||
176 | if (!(opt.flags & FLAG_QUIET)) | ||
177 | printf("# Writing %d bytes to %s.\n", crafted[0x05], | ||
178 | opt.dumpfile); | ||
179 | write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1); | ||
180 | } | ||
181 | + else | ||
182 | + { | ||
183 | + dmi_table_decode(table, len, num, ver, flags); | ||
184 | + } | ||
185 | + | ||
186 | + free(table); | ||
187 | |||
188 | return 1; | ||
189 | } | ||
190 | |||
191 | static int legacy_decode(u8 *buf, const char *devmem, u32 flags) | ||
192 | { | ||
193 | + u16 ver, num; | ||
194 | + u32 len; | ||
195 | + u8 *table; | ||
196 | + | ||
197 | if (!checksum(buf, 0x0F)) | ||
198 | return 0; | ||
199 | |||
200 | + ver = ((buf[0x0E] & 0xF0) << 4) + (buf[0x0E] & 0x0F); | ||
201 | if (!(opt.flags & FLAG_QUIET)) | ||
202 | printf("Legacy DMI %u.%u present.\n", | ||
203 | buf[0x0E] >> 4, buf[0x0E] & 0x0F); | ||
204 | |||
205 | - dmi_table(DWORD(buf + 0x08), WORD(buf + 0x06), WORD(buf + 0x0C), | ||
206 | - ((buf[0x0E] & 0xF0) << 12) + ((buf[0x0E] & 0x0F) << 8), | ||
207 | - devmem, flags); | ||
208 | + /* Maximum length, may get trimmed */ | ||
209 | + len = WORD(buf + 0x06); | ||
210 | + num = WORD(buf + 0x0C); | ||
211 | + table = dmi_table_get(DWORD(buf + 0x08), &len, num, ver << 8, | ||
212 | + devmem, flags); | ||
213 | + if (table == NULL) | ||
214 | + return 1; | ||
215 | |||
216 | if (opt.flags & FLAG_DUMP_BIN) | ||
217 | { | ||
218 | @@ -5441,11 +5472,18 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags) | ||
219 | memcpy(crafted, buf, 16); | ||
220 | overwrite_dmi_address(crafted); | ||
221 | |||
222 | + dmi_table_dump(table, len); | ||
223 | if (!(opt.flags & FLAG_QUIET)) | ||
224 | printf("# Writing %d bytes to %s.\n", 0x0F, | ||
225 | opt.dumpfile); | ||
226 | write_dump(0, 0x0F, crafted, opt.dumpfile, 1); | ||
227 | } | ||
228 | + else | ||
229 | + { | ||
230 | + dmi_table_decode(table, len, num, ver, flags); | ||
231 | + } | ||
232 | + | ||
233 | + free(table); | ||
234 | |||
235 | return 1; | ||
236 | } | ||