1 files changed, 236 insertions, 0 deletions
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch
new file mode 100644
index 0000000000..f1d449acbe
--- /dev/null
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch
@@ -0,0 +1,236 @@
+From 24def311c6168d0dfb7c5f0f183b72b709c49265 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Mon, 20 Feb 2023 14:53:21 +0100
+Subject: [PATCH] dmidecode: Split table fetching from decoding
+Clean up function dmi_table so that it does only one thing:
+* dmi_table() is renamed to dmi_table_get(). It now retrieves the
+  DMI table, but does not process it any longer.
+* Decoding or dumping the table is now done in smbios3_decode(),
+  smbios_decode() and legacy_decode().
+No functional change.
+A side effect of this change is that writing the header and body of
+dump files is now done in a single location. This is required to
+further consolidate the writing of dump files.
+CVE-ID: CVE-2023-30630
+Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=39b2dd7b6ab7]
+Backport Changes:
+- In the file dmidecode.c, the commit [dd593d2] in v3.3 introduces
+  pr_info(). This is backported to printf() as per v3.2.
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
+(cherry picked from commit 39b2dd7b6ab719b920e96ed832cfb4bdd664e808)
+Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
+---
+ dmidecode.c | 86 ++++++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 62 insertions(+), 24 deletions(-)
+diff --git a/dmidecode.c b/dmidecode.c
+index a3e9d6c..d6eedd1 100644
+--- a/dmidecode.c
+++ b/dmidecode.c
+@@ -5211,8 +5211,9 @@ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
+        }
+ }
+ 
+-static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+-                     u32 flags)
+/* Allocates a buffer for the table, must be freed by the caller */
+static u8 *dmi_table_get(off_t base, u32 *len, u16 num, u32 ver,
+                        const char *devmem, u32 flags)
+ {
+        u8 *buf;
+ 
+@@ -5231,7 +5232,7 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+                {
+                        if (num)
+                                printf("%u structures occupying %u bytes.\n",
+-                                      num, len);
+                                      num, *len);
+                        if (!(opt.flags & FLAG_FROM_DUMP))
+                                printf("Table at 0x%08llX.\n",
+                                       (unsigned long long)base);
+@@ -5249,19 +5250,19 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+                 * would be the result of the kernel truncating the table on
+                 * parse error.
+                 */
+-               size_t size = len;
+               size_t size = *len;
+                buf = read_file(flags & FLAG_NO_FILE_OFFSET ? 0 : base,
+                        &size, devmem);
+-               if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)len)
+               if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)*len)
+                {
+                        fprintf(stderr, "Wrong DMI structures length: %u bytes "
+                                "announced, only %lu bytes available.\n",
+-                               len, (unsigned long)size);
+                               *len, (unsigned long)size);
+                }
+-               len = size;
+               *len = size;
+        }
+        else
+-               buf = mem_chunk(base, len, devmem);
+               buf = mem_chunk(base, *len, devmem);
+ 
+        if (buf == NULL)
+        {
+@@ -5271,15 +5272,9 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+                        fprintf(stderr,
+                                "Try compiling dmidecode with -DUSE_MMAP.\n");
+ #endif
+-               return;
+        }
+ 
+-       if (opt.flags & FLAG_DUMP_BIN)
+-               dmi_table_dump(buf, len);
+-       else
+-               dmi_table_decode(buf, len, num, ver >> 8, flags);
+-
+-       free(buf);
+       return buf;
+ }
+ 
+ 
+@@ -5314,8 +5309,9 @@ static void overwrite_smbios3_address(u8 *buf)
+ 
+ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+ {
+-       u32 ver;
+       u32 ver, len;
+        u64 offset;
+       u8 *table;
+ 
+        /* Don't let checksum run beyond the buffer */
+        if (buf[0x06] > 0x20)
+@@ -5341,8 +5337,12 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+                return 0;
+        }
+ 
+-       dmi_table(((off_t)offset.h << 32) | offset.l,
+-                 DWORD(buf + 0x0C), 0, ver, devmem, flags | FLAG_STOP_AT_EOT);
+       /* Maximum length, may get trimmed */
+       len = DWORD(buf + 0x0C);
+       table = dmi_table_get(((off_t)offset.h << 32) | offset.l, &len, 0, ver,
+                             devmem, flags | FLAG_STOP_AT_EOT);
+       if (table == NULL)
+               return 1;
+ 
+        if (opt.flags & FLAG_DUMP_BIN)
+        {
+@@ -5351,18 +5351,28 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+                memcpy(crafted, buf, 32);
+                overwrite_smbios3_address(crafted);
+ 
+               dmi_table_dump(table, len);
+                if (!(opt.flags & FLAG_QUIET))
+                        printf("# Writing %d bytes to %s.\n", crafted[0x06],
+                               opt.dumpfile);
+                write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1);
+        }
+       else
+       {
+               dmi_table_decode(table, len, 0, ver >> 8,
+                                flags | FLAG_STOP_AT_EOT);
+       }
+
+       free(table);
+ 
+        return 1;
+ }
+ 
+ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+ {
+-       u16 ver;
+       u16 ver, num;
+       u32 len;
+       u8 *table;
+ 
+        /* Don't let checksum run beyond the buffer */
+        if (buf[0x05] > 0x20)
+@@ -5402,8 +5412,13 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+                printf("SMBIOS %u.%u present.\n",
+                        ver >> 8, ver & 0xFF);
+ 
+-       dmi_table(DWORD(buf + 0x18), WORD(buf + 0x16), WORD(buf + 0x1C),
+-               ver << 8, devmem, flags);
+       /* Maximum length, may get trimmed */
+       len = WORD(buf + 0x16);
+       num = WORD(buf + 0x1C);
+       table = dmi_table_get(DWORD(buf + 0x18), &len, num, ver << 8,
+                             devmem, flags);
+       if (table == NULL)
+               return 1;
+ 
+        if (opt.flags & FLAG_DUMP_BIN)
+        {
+@@ -5412,27 +5427,43 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+                memcpy(crafted, buf, 32);
+                overwrite_dmi_address(crafted + 0x10);
+ 
+               dmi_table_dump(table, len);
+                if (!(opt.flags & FLAG_QUIET))
+                        printf("# Writing %d bytes to %s.\n", crafted[0x05],
+                                opt.dumpfile);
+                write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
+        }
+       else
+       {
+               dmi_table_decode(table, len, num, ver, flags);
+       }
+
+       free(table);
+ 
+        return 1;
+ }
+ 
+ static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
+ {
+       u16 ver, num;
+       u32 len;
+       u8 *table;
+
+        if (!checksum(buf, 0x0F))
+                return 0;
+ 
+       ver = ((buf[0x0E] & 0xF0) << 4) + (buf[0x0E] & 0x0F);
+        if (!(opt.flags & FLAG_QUIET))
+                printf("Legacy DMI %u.%u present.\n",
+                        buf[0x0E] >> 4, buf[0x0E] & 0x0F);
+ 
+-       dmi_table(DWORD(buf + 0x08), WORD(buf + 0x06), WORD(buf + 0x0C),
+-               ((buf[0x0E] & 0xF0) << 12) + ((buf[0x0E] & 0x0F) << 8),
+-               devmem, flags);
+       /* Maximum length, may get trimmed */
+       len = WORD(buf + 0x06);
+       num = WORD(buf + 0x0C);
+       table = dmi_table_get(DWORD(buf + 0x08), &len, num, ver << 8,
+                             devmem, flags);
+       if (table == NULL)
+               return 1;
+ 
+        if (opt.flags & FLAG_DUMP_BIN)
+        {
+@@ -5441,11 +5472,18 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
+                memcpy(crafted, buf, 16);
+                overwrite_dmi_address(crafted);
+ 
+               dmi_table_dump(table, len);
+                if (!(opt.flags & FLAG_QUIET))
+                        printf("# Writing %d bytes to %s.\n", 0x0F,
+                                opt.dumpfile);
+                write_dump(0, 0x0F, crafted, opt.dumpfile, 1);
+        }
+       else
+       {
+               dmi_table_decode(table, len, num, ver, flags);
+       }
+
+       free(table);
+ 
+        return 1;
+ }

diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch new file mode 100644 index 0000000000..f1d449acbe --- /dev/null +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch
@@ -0,0 +1,236 @@
	1	From 24def311c6168d0dfb7c5f0f183b72b709c49265 Mon Sep 17 00:00:00 2001
	2	From: Jean Delvare <jdelvare@suse.de>
	3	Date: Mon, 20 Feb 2023 14:53:21 +0100
	4	Subject: [PATCH] dmidecode: Split table fetching from decoding
	5
	6	Clean up function dmi_table so that it does only one thing:
	7	* dmi_table() is renamed to dmi_table_get(). It now retrieves the
	8	DMI table, but does not process it any longer.
	9	* Decoding or dumping the table is now done in smbios3_decode(),
	10	smbios_decode() and legacy_decode().
	11	No functional change.
	12
	13	A side effect of this change is that writing the header and body of
	14	dump files is now done in a single location. This is required to
	15	further consolidate the writing of dump files.
	16
	17	CVE-ID: CVE-2023-30630
	18	Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=39b2dd7b6ab7]
	19
	20	Backport Changes:
	21	- In the file dmidecode.c, the commit [dd593d2] in v3.3 introduces
	22	pr_info(). This is backported to printf() as per v3.2.
	23
	24	Signed-off-by: Jean Delvare <jdelvare@suse.de>
	25	Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
	26	(cherry picked from commit 39b2dd7b6ab719b920e96ed832cfb4bdd664e808)
	27	Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
	28	---
	29	dmidecode.c \| 86 ++++++++++++++++++++++++++++++++++++++---------------
	30	1 file changed, 62 insertions(+), 24 deletions(-)
	31
	32	diff --git a/dmidecode.c b/dmidecode.c
	33	index a3e9d6c..d6eedd1 100644
	34	--- a/dmidecode.c
	35	+++ b/dmidecode.c
	36	@@ -5211,8 +5211,9 @@ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
	37	}
	38	}
	39
	40	-static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
	41	- u32 flags)
	42	+/* Allocates a buffer for the table, must be freed by the caller */
	43	+static u8 dmi_table_get(off_t base, u32 len, u16 num, u32 ver,
	44	+ const char *devmem, u32 flags)
	45	{
	46	u8 *buf;
	47
	48	@@ -5231,7 +5232,7 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
	49	{
	50	if (num)
	51	printf("%u structures occupying %u bytes.\n",
	52	- num, len);
	53	+ num, *len);
	54	if (!(opt.flags & FLAG_FROM_DUMP))
	55	printf("Table at 0x%08llX.\n",
	56	(unsigned long long)base);
	57	@@ -5249,19 +5250,19 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
	58	* would be the result of the kernel truncating the table on
	59	* parse error.
	60	*/
	61	- size_t size = len;
	62	+ size_t size = *len;
	63	buf = read_file(flags & FLAG_NO_FILE_OFFSET ? 0 : base,
	64	&size, devmem);
	65	- if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)len)
	66	+ if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)*len)
	67	{
	68	fprintf(stderr, "Wrong DMI structures length: %u bytes "
	69	"announced, only %lu bytes available.\n",
	70	- len, (unsigned long)size);
	71	+ *len, (unsigned long)size);
	72	}
	73	- len = size;
	74	+ *len = size;
	75	}
	76	else
	77	- buf = mem_chunk(base, len, devmem);
	78	+ buf = mem_chunk(base, *len, devmem);
	79
	80	if (buf == NULL)
	81	{
	82	@@ -5271,15 +5272,9 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
	83	fprintf(stderr,
	84	"Try compiling dmidecode with -DUSE_MMAP.\n");
	85	#endif
	86	- return;
	87	}
	88
	89	- if (opt.flags & FLAG_DUMP_BIN)
	90	- dmi_table_dump(buf, len);
	91	- else
	92	- dmi_table_decode(buf, len, num, ver >> 8, flags);
	93	-
	94	- free(buf);
	95	+ return buf;
	96	}
	97
	98
	99	@@ -5314,8 +5309,9 @@ static void overwrite_smbios3_address(u8 *buf)
	100
	101	static int smbios3_decode(u8 buf, const char devmem, u32 flags)
	102	{
	103	- u32 ver;
	104	+ u32 ver, len;
	105	u64 offset;
	106	+ u8 *table;
	107
	108	/* Don't let checksum run beyond the buffer */
	109	if (buf[0x06] > 0x20)
	110	@@ -5341,8 +5337,12 @@ static int smbios3_decode(u8 buf, const char devmem, u32 flags)
	111	return 0;
	112	}
	113
	114	- dmi_table(((off_t)offset.h << 32) \| offset.l,
	115	- DWORD(buf + 0x0C), 0, ver, devmem, flags \| FLAG_STOP_AT_EOT);
	116	+ /* Maximum length, may get trimmed */
	117	+ len = DWORD(buf + 0x0C);
	118	+ table = dmi_table_get(((off_t)offset.h << 32) \| offset.l, &len, 0, ver,
	119	+ devmem, flags \| FLAG_STOP_AT_EOT);
	120	+ if (table == NULL)
	121	+ return 1;
	122
	123	if (opt.flags & FLAG_DUMP_BIN)
	124	{
	125	@@ -5351,18 +5351,28 @@ static int smbios3_decode(u8 buf, const char devmem, u32 flags)
	126	memcpy(crafted, buf, 32);
	127	overwrite_smbios3_address(crafted);
	128
	129	+ dmi_table_dump(table, len);
	130	if (!(opt.flags & FLAG_QUIET))
	131	printf("# Writing %d bytes to %s.\n", crafted[0x06],
	132	opt.dumpfile);
	133	write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1);
	134	}
	135	+ else
	136	+ {
	137	+ dmi_table_decode(table, len, 0, ver >> 8,
	138	+ flags \| FLAG_STOP_AT_EOT);
	139	+ }
	140	+
	141	+ free(table);
	142
	143	return 1;
	144	}
	145
	146	static int smbios_decode(u8 buf, const char devmem, u32 flags)
	147	{
	148	- u16 ver;
	149	+ u16 ver, num;
	150	+ u32 len;
	151	+ u8 *table;
	152
	153	/* Don't let checksum run beyond the buffer */
	154	if (buf[0x05] > 0x20)
	155	@@ -5402,8 +5412,13 @@ static int smbios_decode(u8 buf, const char devmem, u32 flags)
	156	printf("SMBIOS %u.%u present.\n",
	157	ver >> 8, ver & 0xFF);
	158
	159	- dmi_table(DWORD(buf + 0x18), WORD(buf + 0x16), WORD(buf + 0x1C),
	160	- ver << 8, devmem, flags);
	161	+ /* Maximum length, may get trimmed */
	162	+ len = WORD(buf + 0x16);
	163	+ num = WORD(buf + 0x1C);
	164	+ table = dmi_table_get(DWORD(buf + 0x18), &len, num, ver << 8,
	165	+ devmem, flags);
	166	+ if (table == NULL)
	167	+ return 1;
	168
	169	if (opt.flags & FLAG_DUMP_BIN)
	170	{
	171	@@ -5412,27 +5427,43 @@ static int smbios_decode(u8 buf, const char devmem, u32 flags)
	172	memcpy(crafted, buf, 32);
	173	overwrite_dmi_address(crafted + 0x10);
	174
	175	+ dmi_table_dump(table, len);
	176	if (!(opt.flags & FLAG_QUIET))
	177	printf("# Writing %d bytes to %s.\n", crafted[0x05],
	178	opt.dumpfile);
	179	write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
	180	}
	181	+ else
	182	+ {
	183	+ dmi_table_decode(table, len, num, ver, flags);
	184	+ }
	185	+
	186	+ free(table);
	187
	188	return 1;
	189	}
	190
	191	static int legacy_decode(u8 buf, const char devmem, u32 flags)
	192	{
	193	+ u16 ver, num;
	194	+ u32 len;
	195	+ u8 *table;
	196	+
	197	if (!checksum(buf, 0x0F))
	198	return 0;
	199
	200	+ ver = ((buf[0x0E] & 0xF0) << 4) + (buf[0x0E] & 0x0F);
	201	if (!(opt.flags & FLAG_QUIET))
	202	printf("Legacy DMI %u.%u present.\n",
	203	buf[0x0E] >> 4, buf[0x0E] & 0x0F);
	204
	205	- dmi_table(DWORD(buf + 0x08), WORD(buf + 0x06), WORD(buf + 0x0C),
	206	- ((buf[0x0E] & 0xF0) << 12) + ((buf[0x0E] & 0x0F) << 8),
	207	- devmem, flags);
	208	+ /* Maximum length, may get trimmed */
	209	+ len = WORD(buf + 0x06);
	210	+ num = WORD(buf + 0x0C);
	211	+ table = dmi_table_get(DWORD(buf + 0x08), &len, num, ver << 8,
	212	+ devmem, flags);
	213	+ if (table == NULL)
	214	+ return 1;
	215
	216	if (opt.flags & FLAG_DUMP_BIN)
	217	{
	218	@@ -5441,11 +5472,18 @@ static int legacy_decode(u8 buf, const char devmem, u32 flags)
	219	memcpy(crafted, buf, 16);
	220	overwrite_dmi_address(crafted);
	221
	222	+ dmi_table_dump(table, len);
	223	if (!(opt.flags & FLAG_QUIET))
	224	printf("# Writing %d bytes to %s.\n", 0x0F,
	225	opt.dumpfile);
	226	write_dump(0, 0x0F, crafted, opt.dumpfile, 1);
	227	}
	228	+ else
	229	+ {
	230	+ dmi_table_decode(table, len, num, ver, flags);
	231	+ }
	232	+
	233	+ free(table);
	234
	235	return 1;
	236	}