diff options
Diffstat (limited to 'meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1a.patch')
-rw-r--r-- | meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1a.patch | 236 |
1 files changed, 236 insertions, 0 deletions
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1a.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1a.patch new file mode 100644 index 0000000000..bf93fbc13c --- /dev/null +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1a.patch | |||
@@ -0,0 +1,236 @@ | |||
1 | From ee6db10dd70b8fdc7a93cffd7cf5bc7a28f9d3d7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jean Delvare <jdelvare@suse.de> | ||
3 | Date: Mon, 20 Feb 2023 14:53:21 +0100 | ||
4 | Subject: [PATCH 1/5] dmidecode: Split table fetching from decoding | ||
5 | |||
6 | Clean up function dmi_table so that it does only one thing: | ||
7 | * dmi_table() is renamed to dmi_table_get(). It now retrieves the | ||
8 | DMI table, but does not process it any longer. | ||
9 | * Decoding or dumping the table is now done in smbios3_decode(), | ||
10 | smbios_decode() and legacy_decode(). | ||
11 | No functional change. | ||
12 | |||
13 | A side effect of this change is that writing the header and body of | ||
14 | dump files is now done in a single location. This is required to | ||
15 | further consolidate the writing of dump files. | ||
16 | |||
17 | Signed-off-by: Jean Delvare <jdelvare@suse.de> | ||
18 | Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com> | ||
19 | |||
20 | CVE: CVE-2023-30630 | ||
21 | |||
22 | Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=39b2dd7b6ab719b920e96ed832cfb4bdd664e808] | ||
23 | |||
24 | Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> | ||
25 | --- | ||
26 | dmidecode.c | 86 ++++++++++++++++++++++++++++++++++++++--------------- | ||
27 | 1 file changed, 62 insertions(+), 24 deletions(-) | ||
28 | |||
29 | diff --git a/dmidecode.c b/dmidecode.c | ||
30 | index cd2b5c9..b082c03 100644 | ||
31 | --- a/dmidecode.c | ||
32 | +++ b/dmidecode.c | ||
33 | @@ -5247,8 +5247,9 @@ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags) | ||
34 | } | ||
35 | } | ||
36 | |||
37 | -static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem, | ||
38 | - u32 flags) | ||
39 | +/* Allocates a buffer for the table, must be freed by the caller */ | ||
40 | +static u8 *dmi_table_get(off_t base, u32 *len, u16 num, u32 ver, | ||
41 | + const char *devmem, u32 flags) | ||
42 | { | ||
43 | u8 *buf; | ||
44 | |||
45 | @@ -5267,7 +5268,7 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem, | ||
46 | { | ||
47 | if (num) | ||
48 | pr_info("%u structures occupying %u bytes.", | ||
49 | - num, len); | ||
50 | + num, *len); | ||
51 | if (!(opt.flags & FLAG_FROM_DUMP)) | ||
52 | pr_info("Table at 0x%08llX.", | ||
53 | (unsigned long long)base); | ||
54 | @@ -5285,19 +5286,19 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem, | ||
55 | * would be the result of the kernel truncating the table on | ||
56 | * parse error. | ||
57 | */ | ||
58 | - size_t size = len; | ||
59 | + size_t size = *len; | ||
60 | buf = read_file(flags & FLAG_NO_FILE_OFFSET ? 0 : base, | ||
61 | &size, devmem); | ||
62 | - if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)len) | ||
63 | + if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)*len) | ||
64 | { | ||
65 | fprintf(stderr, "Wrong DMI structures length: %u bytes " | ||
66 | "announced, only %lu bytes available.\n", | ||
67 | - len, (unsigned long)size); | ||
68 | + *len, (unsigned long)size); | ||
69 | } | ||
70 | - len = size; | ||
71 | + *len = size; | ||
72 | } | ||
73 | else | ||
74 | - buf = mem_chunk(base, len, devmem); | ||
75 | + buf = mem_chunk(base, *len, devmem); | ||
76 | |||
77 | if (buf == NULL) | ||
78 | { | ||
79 | @@ -5307,15 +5308,9 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem, | ||
80 | fprintf(stderr, | ||
81 | "Try compiling dmidecode with -DUSE_MMAP.\n"); | ||
82 | #endif | ||
83 | - return; | ||
84 | } | ||
85 | |||
86 | - if (opt.flags & FLAG_DUMP_BIN) | ||
87 | - dmi_table_dump(buf, len); | ||
88 | - else | ||
89 | - dmi_table_decode(buf, len, num, ver >> 8, flags); | ||
90 | - | ||
91 | - free(buf); | ||
92 | + return buf; | ||
93 | } | ||
94 | |||
95 | |||
96 | @@ -5350,8 +5345,9 @@ static void overwrite_smbios3_address(u8 *buf) | ||
97 | |||
98 | static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) | ||
99 | { | ||
100 | - u32 ver; | ||
101 | + u32 ver, len; | ||
102 | u64 offset; | ||
103 | + u8 *table; | ||
104 | |||
105 | /* Don't let checksum run beyond the buffer */ | ||
106 | if (buf[0x06] > 0x20) | ||
107 | @@ -5377,8 +5373,12 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) | ||
108 | return 0; | ||
109 | } | ||
110 | |||
111 | - dmi_table(((off_t)offset.h << 32) | offset.l, | ||
112 | - DWORD(buf + 0x0C), 0, ver, devmem, flags | FLAG_STOP_AT_EOT); | ||
113 | + /* Maximum length, may get trimmed */ | ||
114 | + len = DWORD(buf + 0x0C); | ||
115 | + table = dmi_table_get(((off_t)offset.h << 32) | offset.l, &len, 0, ver, | ||
116 | + devmem, flags | FLAG_STOP_AT_EOT); | ||
117 | + if (table == NULL) | ||
118 | + return 1; | ||
119 | |||
120 | if (opt.flags & FLAG_DUMP_BIN) | ||
121 | { | ||
122 | @@ -5387,18 +5387,28 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) | ||
123 | memcpy(crafted, buf, 32); | ||
124 | overwrite_smbios3_address(crafted); | ||
125 | |||
126 | + dmi_table_dump(table, len); | ||
127 | if (!(opt.flags & FLAG_QUIET)) | ||
128 | pr_comment("Writing %d bytes to %s.", crafted[0x06], | ||
129 | opt.dumpfile); | ||
130 | write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1); | ||
131 | } | ||
132 | + else | ||
133 | + { | ||
134 | + dmi_table_decode(table, len, 0, ver >> 8, | ||
135 | + flags | FLAG_STOP_AT_EOT); | ||
136 | + } | ||
137 | + | ||
138 | + free(table); | ||
139 | |||
140 | return 1; | ||
141 | } | ||
142 | |||
143 | static int smbios_decode(u8 *buf, const char *devmem, u32 flags) | ||
144 | { | ||
145 | - u16 ver; | ||
146 | + u16 ver, num; | ||
147 | + u32 len; | ||
148 | + u8 *table; | ||
149 | |||
150 | /* Don't let checksum run beyond the buffer */ | ||
151 | if (buf[0x05] > 0x20) | ||
152 | @@ -5438,8 +5448,13 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags) | ||
153 | pr_info("SMBIOS %u.%u present.", | ||
154 | ver >> 8, ver & 0xFF); | ||
155 | |||
156 | - dmi_table(DWORD(buf + 0x18), WORD(buf + 0x16), WORD(buf + 0x1C), | ||
157 | - ver << 8, devmem, flags); | ||
158 | + /* Maximum length, may get trimmed */ | ||
159 | + len = WORD(buf + 0x16); | ||
160 | + num = WORD(buf + 0x1C); | ||
161 | + table = dmi_table_get(DWORD(buf + 0x18), &len, num, ver << 8, | ||
162 | + devmem, flags); | ||
163 | + if (table == NULL) | ||
164 | + return 1; | ||
165 | |||
166 | if (opt.flags & FLAG_DUMP_BIN) | ||
167 | { | ||
168 | @@ -5448,27 +5463,43 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags) | ||
169 | memcpy(crafted, buf, 32); | ||
170 | overwrite_dmi_address(crafted + 0x10); | ||
171 | |||
172 | + dmi_table_dump(table, len); | ||
173 | if (!(opt.flags & FLAG_QUIET)) | ||
174 | pr_comment("Writing %d bytes to %s.", crafted[0x05], | ||
175 | opt.dumpfile); | ||
176 | write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1); | ||
177 | } | ||
178 | + else | ||
179 | + { | ||
180 | + dmi_table_decode(table, len, num, ver, flags); | ||
181 | + } | ||
182 | + | ||
183 | + free(table); | ||
184 | |||
185 | return 1; | ||
186 | } | ||
187 | |||
188 | static int legacy_decode(u8 *buf, const char *devmem, u32 flags) | ||
189 | { | ||
190 | + u16 ver, num; | ||
191 | + u32 len; | ||
192 | + u8 *table; | ||
193 | + | ||
194 | if (!checksum(buf, 0x0F)) | ||
195 | return 0; | ||
196 | |||
197 | + ver = ((buf[0x0E] & 0xF0) << 4) + (buf[0x0E] & 0x0F); | ||
198 | if (!(opt.flags & FLAG_QUIET)) | ||
199 | pr_info("Legacy DMI %u.%u present.", | ||
200 | buf[0x0E] >> 4, buf[0x0E] & 0x0F); | ||
201 | |||
202 | - dmi_table(DWORD(buf + 0x08), WORD(buf + 0x06), WORD(buf + 0x0C), | ||
203 | - ((buf[0x0E] & 0xF0) << 12) + ((buf[0x0E] & 0x0F) << 8), | ||
204 | - devmem, flags); | ||
205 | + /* Maximum length, may get trimmed */ | ||
206 | + len = WORD(buf + 0x06); | ||
207 | + num = WORD(buf + 0x0C); | ||
208 | + table = dmi_table_get(DWORD(buf + 0x08), &len, num, ver << 8, | ||
209 | + devmem, flags); | ||
210 | + if (table == NULL) | ||
211 | + return 1; | ||
212 | |||
213 | if (opt.flags & FLAG_DUMP_BIN) | ||
214 | { | ||
215 | @@ -5477,11 +5508,18 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags) | ||
216 | memcpy(crafted, buf, 16); | ||
217 | overwrite_dmi_address(crafted); | ||
218 | |||
219 | + dmi_table_dump(table, len); | ||
220 | if (!(opt.flags & FLAG_QUIET)) | ||
221 | pr_comment("Writing %d bytes to %s.", 0x0F, | ||
222 | opt.dumpfile); | ||
223 | write_dump(0, 0x0F, crafted, opt.dumpfile, 1); | ||
224 | } | ||
225 | + else | ||
226 | + { | ||
227 | + dmi_table_decode(table, len, num, ver, flags); | ||
228 | + } | ||
229 | + | ||
230 | + free(table); | ||
231 | |||
232 | return 1; | ||
233 | } | ||
234 | -- | ||
235 | 2.41.0 | ||
236 | |||