1 files changed, 236 insertions, 0 deletions
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1a.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1a.patch
new file mode 100644
index 0000000000..bf93fbc13c
--- /dev/null
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1a.patch
@@ -0,0 +1,236 @@
+From ee6db10dd70b8fdc7a93cffd7cf5bc7a28f9d3d7 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Mon, 20 Feb 2023 14:53:21 +0100
+Subject: [PATCH 1/5] dmidecode: Split table fetching from decoding
+Clean up function dmi_table so that it does only one thing:
+* dmi_table() is renamed to dmi_table_get(). It now retrieves the
+  DMI table, but does not process it any longer.
+* Decoding or dumping the table is now done in smbios3_decode(),
+  smbios_decode() and legacy_decode().
+No functional change.
+A side effect of this change is that writing the header and body of
+dump files is now done in a single location. This is required to
+further consolidate the writing of dump files.
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
+CVE: CVE-2023-30630
+Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=39b2dd7b6ab719b920e96ed832cfb4bdd664e808]
+Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
+---
+ dmidecode.c | 86 ++++++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 62 insertions(+), 24 deletions(-)
+diff --git a/dmidecode.c b/dmidecode.c
+index cd2b5c9..b082c03 100644
+--- a/dmidecode.c
+++ b/dmidecode.c
+@@ -5247,8 +5247,9 @@ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
+        }
+ }
+ 
+-static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+-                     u32 flags)
+/* Allocates a buffer for the table, must be freed by the caller */
+static u8 *dmi_table_get(off_t base, u32 *len, u16 num, u32 ver,
+                        const char *devmem, u32 flags)
+ {
+        u8 *buf;
+ 
+@@ -5267,7 +5268,7 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+                {
+                        if (num)
+                                pr_info("%u structures occupying %u bytes.",
+-                                       num, len);
+                                       num, *len);
+                        if (!(opt.flags & FLAG_FROM_DUMP))
+                                pr_info("Table at 0x%08llX.",
+                                        (unsigned long long)base);
+@@ -5285,19 +5286,19 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+                 * would be the result of the kernel truncating the table on
+                 * parse error.
+                 */
+-               size_t size = len;
+               size_t size = *len;
+                buf = read_file(flags & FLAG_NO_FILE_OFFSET ? 0 : base,
+                        &size, devmem);
+-               if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)len)
+               if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)*len)
+                {
+                        fprintf(stderr, "Wrong DMI structures length: %u bytes "
+                                "announced, only %lu bytes available.\n",
+-                               len, (unsigned long)size);
+                               *len, (unsigned long)size);
+                }
+-               len = size;
+               *len = size;
+        }
+        else
+-               buf = mem_chunk(base, len, devmem);
+               buf = mem_chunk(base, *len, devmem);
+ 
+        if (buf == NULL)
+        {
+@@ -5307,15 +5308,9 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+                        fprintf(stderr,
+                                "Try compiling dmidecode with -DUSE_MMAP.\n");
+ #endif
+-               return;
+        }
+ 
+-       if (opt.flags & FLAG_DUMP_BIN)
+-               dmi_table_dump(buf, len);
+-       else
+-               dmi_table_decode(buf, len, num, ver >> 8, flags);
+-
+-       free(buf);
+       return buf;
+ }
+ 
+ 
+@@ -5350,8 +5345,9 @@ static void overwrite_smbios3_address(u8 *buf)
+ 
+ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+ {
+-       u32 ver;
+       u32 ver, len;
+        u64 offset;
+       u8 *table;
+ 
+        /* Don't let checksum run beyond the buffer */
+        if (buf[0x06] > 0x20)
+@@ -5377,8 +5373,12 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+                return 0;
+        }
+ 
+-       dmi_table(((off_t)offset.h << 32) | offset.l,
+-                 DWORD(buf + 0x0C), 0, ver, devmem, flags | FLAG_STOP_AT_EOT);
+       /* Maximum length, may get trimmed */
+       len = DWORD(buf + 0x0C);
+       table = dmi_table_get(((off_t)offset.h << 32) | offset.l, &len, 0, ver,
+                             devmem, flags | FLAG_STOP_AT_EOT);
+       if (table == NULL)
+               return 1;
+ 
+        if (opt.flags & FLAG_DUMP_BIN)
+        {
+@@ -5387,18 +5387,28 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+                memcpy(crafted, buf, 32);
+                overwrite_smbios3_address(crafted);
+ 
+               dmi_table_dump(table, len);
+                if (!(opt.flags & FLAG_QUIET))
+                        pr_comment("Writing %d bytes to %s.", crafted[0x06],
+                                   opt.dumpfile);
+                write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1);
+        }
+       else
+       {
+               dmi_table_decode(table, len, 0, ver >> 8,
+                                flags | FLAG_STOP_AT_EOT);
+       }
+
+       free(table);
+ 
+        return 1;
+ }
+ 
+ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+ {
+-       u16 ver;
+       u16 ver, num;
+       u32 len;
+       u8 *table;
+ 
+        /* Don't let checksum run beyond the buffer */
+        if (buf[0x05] > 0x20)
+@@ -5438,8 +5448,13 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+                pr_info("SMBIOS %u.%u present.",
+                        ver >> 8, ver & 0xFF);
+ 
+-       dmi_table(DWORD(buf + 0x18), WORD(buf + 0x16), WORD(buf + 0x1C),
+-               ver << 8, devmem, flags);
+       /* Maximum length, may get trimmed */
+       len = WORD(buf + 0x16);
+       num = WORD(buf + 0x1C);
+       table = dmi_table_get(DWORD(buf + 0x18), &len, num, ver << 8,
+                             devmem, flags);
+       if (table == NULL)
+               return 1;
+ 
+        if (opt.flags & FLAG_DUMP_BIN)
+        {
+@@ -5448,27 +5463,43 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+                memcpy(crafted, buf, 32);
+                overwrite_dmi_address(crafted + 0x10);
+ 
+               dmi_table_dump(table, len);
+                if (!(opt.flags & FLAG_QUIET))
+                        pr_comment("Writing %d bytes to %s.", crafted[0x05],
+                                   opt.dumpfile);
+                write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
+        }
+       else
+       {
+               dmi_table_decode(table, len, num, ver, flags);
+       }
+
+       free(table);
+ 
+        return 1;
+ }
+ 
+ static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
+ {
+       u16 ver, num;
+       u32 len;
+       u8 *table;
+
+        if (!checksum(buf, 0x0F))
+                return 0;
+ 
+       ver = ((buf[0x0E] & 0xF0) << 4) + (buf[0x0E] & 0x0F);
+        if (!(opt.flags & FLAG_QUIET))
+                pr_info("Legacy DMI %u.%u present.",
+                        buf[0x0E] >> 4, buf[0x0E] & 0x0F);
+ 
+-       dmi_table(DWORD(buf + 0x08), WORD(buf + 0x06), WORD(buf + 0x0C),
+-               ((buf[0x0E] & 0xF0) << 12) + ((buf[0x0E] & 0x0F) << 8),
+-               devmem, flags);
+       /* Maximum length, may get trimmed */
+       len = WORD(buf + 0x06);
+       num = WORD(buf + 0x0C);
+       table = dmi_table_get(DWORD(buf + 0x08), &len, num, ver << 8,
+                             devmem, flags);
+       if (table == NULL)
+               return 1;
+ 
+        if (opt.flags & FLAG_DUMP_BIN)
+        {
+@@ -5477,11 +5508,18 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
+                memcpy(crafted, buf, 16);
+                overwrite_dmi_address(crafted);
+ 
+               dmi_table_dump(table, len);
+                if (!(opt.flags & FLAG_QUIET))
+                        pr_comment("Writing %d bytes to %s.", 0x0F,
+                                   opt.dumpfile);
+                write_dump(0, 0x0F, crafted, opt.dumpfile, 1);
+        }
+       else
+       {
+               dmi_table_decode(table, len, num, ver, flags);
+       }
+
+       free(table);
+ 
+        return 1;
+ }
+-- 
+2.41.0

diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1a.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1a.patch new file mode 100644 index 0000000000..bf93fbc13c --- /dev/null +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1a.patch
@@ -0,0 +1,236 @@
	1	From ee6db10dd70b8fdc7a93cffd7cf5bc7a28f9d3d7 Mon Sep 17 00:00:00 2001
	2	From: Jean Delvare <jdelvare@suse.de>
	3	Date: Mon, 20 Feb 2023 14:53:21 +0100
	4	Subject: [PATCH 1/5] dmidecode: Split table fetching from decoding
	5
	6	Clean up function dmi_table so that it does only one thing:
	7	* dmi_table() is renamed to dmi_table_get(). It now retrieves the
	8	DMI table, but does not process it any longer.
	9	* Decoding or dumping the table is now done in smbios3_decode(),
	10	smbios_decode() and legacy_decode().
	11	No functional change.
	12
	13	A side effect of this change is that writing the header and body of
	14	dump files is now done in a single location. This is required to
	15	further consolidate the writing of dump files.
	16
	17	Signed-off-by: Jean Delvare <jdelvare@suse.de>
	18	Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
	19
	20	CVE: CVE-2023-30630
	21
	22	Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=39b2dd7b6ab719b920e96ed832cfb4bdd664e808]
	23
	24	Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
	25	---
	26	dmidecode.c \| 86 ++++++++++++++++++++++++++++++++++++++---------------
	27	1 file changed, 62 insertions(+), 24 deletions(-)
	28
	29	diff --git a/dmidecode.c b/dmidecode.c
	30	index cd2b5c9..b082c03 100644
	31	--- a/dmidecode.c
	32	+++ b/dmidecode.c
	33	@@ -5247,8 +5247,9 @@ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
	34	}
	35	}
	36
	37	-static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
	38	- u32 flags)
	39	+/* Allocates a buffer for the table, must be freed by the caller */
	40	+static u8 dmi_table_get(off_t base, u32 len, u16 num, u32 ver,
	41	+ const char *devmem, u32 flags)
	42	{
	43	u8 *buf;
	44
	45	@@ -5267,7 +5268,7 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
	46	{
	47	if (num)
	48	pr_info("%u structures occupying %u bytes.",
	49	- num, len);
	50	+ num, *len);
	51	if (!(opt.flags & FLAG_FROM_DUMP))
	52	pr_info("Table at 0x%08llX.",
	53	(unsigned long long)base);
	54	@@ -5285,19 +5286,19 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
	55	* would be the result of the kernel truncating the table on
	56	* parse error.
	57	*/
	58	- size_t size = len;
	59	+ size_t size = *len;
	60	buf = read_file(flags & FLAG_NO_FILE_OFFSET ? 0 : base,
	61	&size, devmem);
	62	- if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)len)
	63	+ if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)*len)
	64	{
	65	fprintf(stderr, "Wrong DMI structures length: %u bytes "
	66	"announced, only %lu bytes available.\n",
	67	- len, (unsigned long)size);
	68	+ *len, (unsigned long)size);
	69	}
	70	- len = size;
	71	+ *len = size;
	72	}
	73	else
	74	- buf = mem_chunk(base, len, devmem);
	75	+ buf = mem_chunk(base, *len, devmem);
	76
	77	if (buf == NULL)
	78	{
	79	@@ -5307,15 +5308,9 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
	80	fprintf(stderr,
	81	"Try compiling dmidecode with -DUSE_MMAP.\n");
	82	#endif
	83	- return;
	84	}
	85
	86	- if (opt.flags & FLAG_DUMP_BIN)
	87	- dmi_table_dump(buf, len);
	88	- else
	89	- dmi_table_decode(buf, len, num, ver >> 8, flags);
	90	-
	91	- free(buf);
	92	+ return buf;
	93	}
	94
	95
	96	@@ -5350,8 +5345,9 @@ static void overwrite_smbios3_address(u8 *buf)
	97
	98	static int smbios3_decode(u8 buf, const char devmem, u32 flags)
	99	{
	100	- u32 ver;
	101	+ u32 ver, len;
	102	u64 offset;
	103	+ u8 *table;
	104
	105	/* Don't let checksum run beyond the buffer */
	106	if (buf[0x06] > 0x20)
	107	@@ -5377,8 +5373,12 @@ static int smbios3_decode(u8 buf, const char devmem, u32 flags)
	108	return 0;
	109	}
	110
	111	- dmi_table(((off_t)offset.h << 32) \| offset.l,
	112	- DWORD(buf + 0x0C), 0, ver, devmem, flags \| FLAG_STOP_AT_EOT);
	113	+ /* Maximum length, may get trimmed */
	114	+ len = DWORD(buf + 0x0C);
	115	+ table = dmi_table_get(((off_t)offset.h << 32) \| offset.l, &len, 0, ver,
	116	+ devmem, flags \| FLAG_STOP_AT_EOT);
	117	+ if (table == NULL)
	118	+ return 1;
	119
	120	if (opt.flags & FLAG_DUMP_BIN)
	121	{
	122	@@ -5387,18 +5387,28 @@ static int smbios3_decode(u8 buf, const char devmem, u32 flags)
	123	memcpy(crafted, buf, 32);
	124	overwrite_smbios3_address(crafted);
	125
	126	+ dmi_table_dump(table, len);
	127	if (!(opt.flags & FLAG_QUIET))
	128	pr_comment("Writing %d bytes to %s.", crafted[0x06],
	129	opt.dumpfile);
	130	write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1);
	131	}
	132	+ else
	133	+ {
	134	+ dmi_table_decode(table, len, 0, ver >> 8,
	135	+ flags \| FLAG_STOP_AT_EOT);
	136	+ }
	137	+
	138	+ free(table);
	139
	140	return 1;
	141	}
	142
	143	static int smbios_decode(u8 buf, const char devmem, u32 flags)
	144	{
	145	- u16 ver;
	146	+ u16 ver, num;
	147	+ u32 len;
	148	+ u8 *table;
	149
	150	/* Don't let checksum run beyond the buffer */
	151	if (buf[0x05] > 0x20)
	152	@@ -5438,8 +5448,13 @@ static int smbios_decode(u8 buf, const char devmem, u32 flags)
	153	pr_info("SMBIOS %u.%u present.",
	154	ver >> 8, ver & 0xFF);
	155
	156	- dmi_table(DWORD(buf + 0x18), WORD(buf + 0x16), WORD(buf + 0x1C),
	157	- ver << 8, devmem, flags);
	158	+ /* Maximum length, may get trimmed */
	159	+ len = WORD(buf + 0x16);
	160	+ num = WORD(buf + 0x1C);
	161	+ table = dmi_table_get(DWORD(buf + 0x18), &len, num, ver << 8,
	162	+ devmem, flags);
	163	+ if (table == NULL)
	164	+ return 1;
	165
	166	if (opt.flags & FLAG_DUMP_BIN)
	167	{
	168	@@ -5448,27 +5463,43 @@ static int smbios_decode(u8 buf, const char devmem, u32 flags)
	169	memcpy(crafted, buf, 32);
	170	overwrite_dmi_address(crafted + 0x10);
	171
	172	+ dmi_table_dump(table, len);
	173	if (!(opt.flags & FLAG_QUIET))
	174	pr_comment("Writing %d bytes to %s.", crafted[0x05],
	175	opt.dumpfile);
	176	write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
	177	}
	178	+ else
	179	+ {
	180	+ dmi_table_decode(table, len, num, ver, flags);
	181	+ }
	182	+
	183	+ free(table);
	184
	185	return 1;
	186	}
	187
	188	static int legacy_decode(u8 buf, const char devmem, u32 flags)
	189	{
	190	+ u16 ver, num;
	191	+ u32 len;
	192	+ u8 *table;
	193	+
	194	if (!checksum(buf, 0x0F))
	195	return 0;
	196
	197	+ ver = ((buf[0x0E] & 0xF0) << 4) + (buf[0x0E] & 0x0F);
	198	if (!(opt.flags & FLAG_QUIET))
	199	pr_info("Legacy DMI %u.%u present.",
	200	buf[0x0E] >> 4, buf[0x0E] & 0x0F);
	201
	202	- dmi_table(DWORD(buf + 0x08), WORD(buf + 0x06), WORD(buf + 0x0C),
	203	- ((buf[0x0E] & 0xF0) << 12) + ((buf[0x0E] & 0x0F) << 8),
	204	- devmem, flags);
	205	+ /* Maximum length, may get trimmed */
	206	+ len = WORD(buf + 0x06);
	207	+ num = WORD(buf + 0x0C);
	208	+ table = dmi_table_get(DWORD(buf + 0x08), &len, num, ver << 8,
	209	+ devmem, flags);
	210	+ if (table == NULL)
	211	+ return 1;
	212
	213	if (opt.flags & FLAG_DUMP_BIN)
	214	{
	215	@@ -5477,11 +5508,18 @@ static int legacy_decode(u8 buf, const char devmem, u32 flags)
	216	memcpy(crafted, buf, 16);
	217	overwrite_dmi_address(crafted);
	218
	219	+ dmi_table_dump(table, len);
	220	if (!(opt.flags & FLAG_QUIET))
	221	pr_comment("Writing %d bytes to %s.", 0x0F,
	222	opt.dumpfile);
	223	write_dump(0, 0x0F, crafted, opt.dumpfile, 1);
	224	}
	225	+ else
	226	+ {
	227	+ dmi_table_decode(table, len, num, ver, flags);
	228	+ }
	229	+
	230	+ free(table);
	231
	232	return 1;
	233	}
	234	--
	235	2.41.0
	236