4 files changed, 500 insertions, 0 deletions
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch
new file mode 100644
index 0000000000..f1d449acbe
--- /dev/null
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch
@@ -0,0 +1,236 @@
+From 24def311c6168d0dfb7c5f0f183b72b709c49265 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Mon, 20 Feb 2023 14:53:21 +0100
+Subject: [PATCH] dmidecode: Split table fetching from decoding
+Clean up function dmi_table so that it does only one thing:
+* dmi_table() is renamed to dmi_table_get(). It now retrieves the
+  DMI table, but does not process it any longer.
+* Decoding or dumping the table is now done in smbios3_decode(),
+  smbios_decode() and legacy_decode().
+No functional change.
+A side effect of this change is that writing the header and body of
+dump files is now done in a single location. This is required to
+further consolidate the writing of dump files.
+CVE-ID: CVE-2023-30630
+Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=39b2dd7b6ab7]
+Backport Changes:
+- In the file dmidecode.c, the commit [dd593d2] in v3.3 introduces
+  pr_info(). This is backported to printf() as per v3.2.
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
+(cherry picked from commit 39b2dd7b6ab719b920e96ed832cfb4bdd664e808)
+Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
+---
+ dmidecode.c | 86 ++++++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 62 insertions(+), 24 deletions(-)
+diff --git a/dmidecode.c b/dmidecode.c
+index a3e9d6c..d6eedd1 100644
+--- a/dmidecode.c
+++ b/dmidecode.c
+@@ -5211,8 +5211,9 @@ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
+        }
+ }
+ 
+-static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+-                     u32 flags)
+/* Allocates a buffer for the table, must be freed by the caller */
+static u8 *dmi_table_get(off_t base, u32 *len, u16 num, u32 ver,
+                        const char *devmem, u32 flags)
+ {
+        u8 *buf;
+ 
+@@ -5231,7 +5232,7 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+                {
+                        if (num)
+                                printf("%u structures occupying %u bytes.\n",
+-                                      num, len);
+                                      num, *len);
+                        if (!(opt.flags & FLAG_FROM_DUMP))
+                                printf("Table at 0x%08llX.\n",
+                                       (unsigned long long)base);
+@@ -5249,19 +5250,19 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+                 * would be the result of the kernel truncating the table on
+                 * parse error.
+                 */
+-               size_t size = len;
+               size_t size = *len;
+                buf = read_file(flags & FLAG_NO_FILE_OFFSET ? 0 : base,
+                        &size, devmem);
+-               if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)len)
+               if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)*len)
+                {
+                        fprintf(stderr, "Wrong DMI structures length: %u bytes "
+                                "announced, only %lu bytes available.\n",
+-                               len, (unsigned long)size);
+                               *len, (unsigned long)size);
+                }
+-               len = size;
+               *len = size;
+        }
+        else
+-               buf = mem_chunk(base, len, devmem);
+               buf = mem_chunk(base, *len, devmem);
+ 
+        if (buf == NULL)
+        {
+@@ -5271,15 +5272,9 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+                        fprintf(stderr,
+                                "Try compiling dmidecode with -DUSE_MMAP.\n");
+ #endif
+-               return;
+        }
+ 
+-       if (opt.flags & FLAG_DUMP_BIN)
+-               dmi_table_dump(buf, len);
+-       else
+-               dmi_table_decode(buf, len, num, ver >> 8, flags);
+-
+-       free(buf);
+       return buf;
+ }
+ 
+ 
+@@ -5314,8 +5309,9 @@ static void overwrite_smbios3_address(u8 *buf)
+ 
+ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+ {
+-       u32 ver;
+       u32 ver, len;
+        u64 offset;
+       u8 *table;
+ 
+        /* Don't let checksum run beyond the buffer */
+        if (buf[0x06] > 0x20)
+@@ -5341,8 +5337,12 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+                return 0;
+        }
+ 
+-       dmi_table(((off_t)offset.h << 32) | offset.l,
+-                 DWORD(buf + 0x0C), 0, ver, devmem, flags | FLAG_STOP_AT_EOT);
+       /* Maximum length, may get trimmed */
+       len = DWORD(buf + 0x0C);
+       table = dmi_table_get(((off_t)offset.h << 32) | offset.l, &len, 0, ver,
+                             devmem, flags | FLAG_STOP_AT_EOT);
+       if (table == NULL)
+               return 1;
+ 
+        if (opt.flags & FLAG_DUMP_BIN)
+        {
+@@ -5351,18 +5351,28 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+                memcpy(crafted, buf, 32);
+                overwrite_smbios3_address(crafted);
+ 
+               dmi_table_dump(table, len);
+                if (!(opt.flags & FLAG_QUIET))
+                        printf("# Writing %d bytes to %s.\n", crafted[0x06],
+                               opt.dumpfile);
+                write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1);
+        }
+       else
+       {
+               dmi_table_decode(table, len, 0, ver >> 8,
+                                flags | FLAG_STOP_AT_EOT);
+       }
+
+       free(table);
+ 
+        return 1;
+ }
+ 
+ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+ {
+-       u16 ver;
+       u16 ver, num;
+       u32 len;
+       u8 *table;
+ 
+        /* Don't let checksum run beyond the buffer */
+        if (buf[0x05] > 0x20)
+@@ -5402,8 +5412,13 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+                printf("SMBIOS %u.%u present.\n",
+                        ver >> 8, ver & 0xFF);
+ 
+-       dmi_table(DWORD(buf + 0x18), WORD(buf + 0x16), WORD(buf + 0x1C),
+-               ver << 8, devmem, flags);
+       /* Maximum length, may get trimmed */
+       len = WORD(buf + 0x16);
+       num = WORD(buf + 0x1C);
+       table = dmi_table_get(DWORD(buf + 0x18), &len, num, ver << 8,
+                             devmem, flags);
+       if (table == NULL)
+               return 1;
+ 
+        if (opt.flags & FLAG_DUMP_BIN)
+        {
+@@ -5412,27 +5427,43 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+                memcpy(crafted, buf, 32);
+                overwrite_dmi_address(crafted + 0x10);
+ 
+               dmi_table_dump(table, len);
+                if (!(opt.flags & FLAG_QUIET))
+                        printf("# Writing %d bytes to %s.\n", crafted[0x05],
+                                opt.dumpfile);
+                write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
+        }
+       else
+       {
+               dmi_table_decode(table, len, num, ver, flags);
+       }
+
+       free(table);
+ 
+        return 1;
+ }
+ 
+ static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
+ {
+       u16 ver, num;
+       u32 len;
+       u8 *table;
+
+        if (!checksum(buf, 0x0F))
+                return 0;
+ 
+       ver = ((buf[0x0E] & 0xF0) << 4) + (buf[0x0E] & 0x0F);
+        if (!(opt.flags & FLAG_QUIET))
+                printf("Legacy DMI %u.%u present.\n",
+                        buf[0x0E] >> 4, buf[0x0E] & 0x0F);
+ 
+-       dmi_table(DWORD(buf + 0x08), WORD(buf + 0x06), WORD(buf + 0x0C),
+-               ((buf[0x0E] & 0xF0) << 12) + ((buf[0x0E] & 0x0F) << 8),
+-               devmem, flags);
+       /* Maximum length, may get trimmed */
+       len = WORD(buf + 0x06);
+       num = WORD(buf + 0x0C);
+       table = dmi_table_get(DWORD(buf + 0x08), &len, num, ver << 8,
+                             devmem, flags);
+       if (table == NULL)
+               return 1;
+ 
+        if (opt.flags & FLAG_DUMP_BIN)
+        {
+@@ -5441,11 +5472,18 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
+                memcpy(crafted, buf, 16);
+                overwrite_dmi_address(crafted);
+ 
+               dmi_table_dump(table, len);
+                if (!(opt.flags & FLAG_QUIET))
+                        printf("# Writing %d bytes to %s.\n", 0x0F,
+                                opt.dumpfile);
+                write_dump(0, 0x0F, crafted, opt.dumpfile, 1);
+        }
+       else
+       {
+               dmi_table_decode(table, len, num, ver, flags);
+       }
+
+       free(table);
+ 
+        return 1;
+ }
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p2.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p2.patch
new file mode 100644
index 0000000000..353c2553f5
--- /dev/null
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p2.patch
@@ -0,0 +1,198 @@
+From 58e8a07b1aef0e53af1642b30248255e53e42790 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Mon, 20 Feb 2023 14:53:25 +0100
+Subject: [PATCH] dmidecode: Write the whole dump file at once
+When option --dump-bin is used, write the whole dump file at once,
+instead of opening and closing the file separately for the table
+and then for the entry point.
+As the file writing function is no longer generic, it gets moved
+from util.c to dmidecode.c.
+One minor functional change resulting from the new implementation is
+that the entry point is written first now, so the messages printed
+are swapped.
+CVE: CVE-2023-30630
+Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=d8cfbc808f38]
+Backport Changes:
+- In the file dmidecode.c, the commit [2241f1d] in v3.3 introduces
+  pr_info(). This is backported to printf() as per v3.2.
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
+(cherry picked from commit d8cfbc808f387e87091c25e7d5b8c2bb348bb206)
+Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
+---
+ dmidecode.c | 69 +++++++++++++++++++++++++++++++++++++++--------------
+ util.c      | 40 -------------------------------
+ util.h      |  1 -
+ 3 files changed, 51 insertions(+), 59 deletions(-)
+diff --git a/dmidecode.c b/dmidecode.c
+index d6eedd1..b91e53b 100644
+--- a/dmidecode.c
+++ b/dmidecode.c
+@@ -5094,11 +5094,56 @@ static void dmi_table_string(const struct dmi_header *h, const u8 *data, u16 ver
+        }
+ }
+ 
+-static void dmi_table_dump(const u8 *buf, u32 len)
+static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table,
+                         u32 table_len)
+ {
+       FILE *f;
+
+       f = fopen(opt.dumpfile, "wb");
+       if (!f)
+       {
+               fprintf(stderr, "%s: ", opt.dumpfile);
+               perror("fopen");
+               return -1;
+       }
+
+       if (!(opt.flags & FLAG_QUIET))
+               printf("# Writing %d bytes to %s.\n", ep_len, opt.dumpfile);
+       if (fwrite(ep, ep_len, 1, f) != 1)
+       {
+               fprintf(stderr, "%s: ", opt.dumpfile);
+               perror("fwrite");
+               goto err_close;
+       }
+
+       if (fseek(f, 32, SEEK_SET) != 0)
+       {
+               fprintf(stderr, "%s: ", opt.dumpfile);
+               perror("fseek");
+               goto err_close;
+       }
+
+        if (!(opt.flags & FLAG_QUIET))
+-               printf("# Writing %d bytes to %s.\n", len, opt.dumpfile);
+-       write_dump(32, len, buf, opt.dumpfile, 0);
+               printf("# Writing %d bytes to %s.\n", table_len, opt.dumpfile);
+       if (fwrite(table, table_len, 1, f) != 1)
+       {
+               fprintf(stderr, "%s: ", opt.dumpfile);
+               perror("fwrite");
+               goto err_close;
+       }
+
+       if (fclose(f))
+       {
+               fprintf(stderr, "%s: ", opt.dumpfile);
+               perror("fclose");
+               return -1;
+       }
+
+       return 0;
+
+err_close:
+       fclose(f);
+       return -1;
+ }
+ 
+ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
+@@ -5351,11 +5396,7 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+                memcpy(crafted, buf, 32);
+                overwrite_smbios3_address(crafted);
+ 
+-               dmi_table_dump(table, len);
+-               if (!(opt.flags & FLAG_QUIET))
+-                       printf("# Writing %d bytes to %s.\n", crafted[0x06],
+-                              opt.dumpfile);
+-               write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1);
+               dmi_table_dump(crafted, crafted[0x06], table, len);
+        }
+        else
+        {
+@@ -5427,11 +5468,7 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+                memcpy(crafted, buf, 32);
+                overwrite_dmi_address(crafted + 0x10);
+ 
+-               dmi_table_dump(table, len);
+-               if (!(opt.flags & FLAG_QUIET))
+-                       printf("# Writing %d bytes to %s.\n", crafted[0x05],
+-                               opt.dumpfile);
+-               write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
+               dmi_table_dump(crafted, crafted[0x05], table, len);
+        }
+        else
+        {
+@@ -5472,11 +5509,7 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
+                memcpy(crafted, buf, 16);
+                overwrite_dmi_address(crafted);
+ 
+-               dmi_table_dump(table, len);
+-               if (!(opt.flags & FLAG_QUIET))
+-                       printf("# Writing %d bytes to %s.\n", 0x0F,
+-                               opt.dumpfile);
+-               write_dump(0, 0x0F, crafted, opt.dumpfile, 1);
+               dmi_table_dump(crafted, 0x0F, table, len);
+        }
+        else
+        {
+diff --git a/util.c b/util.c
+index eeffdae..2e1931c 100644
+--- a/util.c
+++ b/util.c
+@@ -247,46 +247,6 @@ out:
+        return p;
+ }
+ 
+-int write_dump(size_t base, size_t len, const void *data, const char *dumpfile, int add)
+-{
+-       FILE *f;
+-
+-       f = fopen(dumpfile, add ? "r+b" : "wb");
+-       if (!f)
+-       {
+-               fprintf(stderr, "%s: ", dumpfile);
+-               perror("fopen");
+-               return -1;
+-       }
+-
+-       if (fseek(f, base, SEEK_SET) != 0)
+-       {
+-               fprintf(stderr, "%s: ", dumpfile);
+-               perror("fseek");
+-               goto err_close;
+-       }
+-
+-       if (fwrite(data, len, 1, f) != 1)
+-       {
+-               fprintf(stderr, "%s: ", dumpfile);
+-               perror("fwrite");
+-               goto err_close;
+-       }
+-
+-       if (fclose(f))
+-       {
+-               fprintf(stderr, "%s: ", dumpfile);
+-               perror("fclose");
+-               return -1;
+-       }
+-
+-       return 0;
+-
+-err_close:
+-       fclose(f);
+-       return -1;
+-}
+-
+ /* Returns end - start + 1, assuming start < end */
+ u64 u64_range(u64 start, u64 end)
+ {
+diff --git a/util.h b/util.h
+index 3094cf8..ef24eb9 100644
+--- a/util.h
+++ b/util.h
+@@ -27,5 +27,4 @@
+ int checksum(const u8 *buf, size_t len);
+ void *read_file(off_t base, size_t *len, const char *filename);
+ void *mem_chunk(off_t base, size_t len, const char *devmem);
+-int write_dump(size_t base, size_t len, const void *data, const char *dumpfile, int add);
+ u64 u64_range(u64 start, u64 end);
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630.patch
new file mode 100644
index 0000000000..bf4d060c8c
--- /dev/null
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630.patch
@@ -0,0 +1,62 @@
+From b7dacccff32294ea522df32a9391d0218e7600ea Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Mon, 20 Feb 2023 14:53:31 +0100
+Subject: [PATCH] dmidecode: Do not let --dump-bin overwrite an existing file
+Make sure that the file passed to option --dump-bin does not already
+exist. In practice, it is rather unlikely that an honest user would
+want to overwrite an existing dump file, while this possibility
+could be used by a rogue user to corrupt a system file.
+CVE: CVE-2023-30630
+Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=6ca381c1247c]
+Backport Changes:
+- Ignored changes in man/dmidecode.8 file.
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
+(cherry picked from commit 6ca381c1247c81f74e1ca4e7706f70bdda72e6f2)
+Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
+---
+ dmidecode.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+diff --git a/dmidecode.c b/dmidecode.c
+index b91e53b..846d9a1 100644
+--- a/dmidecode.c
+++ b/dmidecode.c
+@@ -60,6 +60,7 @@
+  *    https://www.dmtf.org/sites/default/files/DSP0270_1.0.1.pdf
+  */
+ 
+#include <fcntl.h>
+ #include <stdio.h>
+ #include <string.h>
+ #include <strings.h>
+@@ -5097,13 +5098,22 @@ static void dmi_table_string(const struct dmi_header *h, const u8 *data, u16 ver
+ static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table,
+                          u32 table_len)
+ {
+       int fd;
+        FILE *f;
+ 
+-       f = fopen(opt.dumpfile, "wb");
+       fd = open(opt.dumpfile, O_WRONLY|O_CREAT|O_EXCL, 0666);
+       if (fd == -1)
+       {
+               fprintf(stderr, "%s: ", opt.dumpfile);
+               perror("open");
+               return -1;
+       }
+
+       f = fdopen(fd, "wb");
+        if (!f)
+        {
+                fprintf(stderr, "%s: ", opt.dumpfile);
+-               perror("fopen");
+               perror("fdopen");
+                return -1;
+        }
+ 
diff --git a/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb b/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb
index 63f4061cb7..1e7c38dc8a 100644
--- a/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb
+++ b/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb
@@ -1,10 +1,14 @@
 SUMMARY = "DMI (Desktop Management Interface) table related utilities"
 HOMEPAGE = "http://www.nongnu.org/dmidecode/"
+DESCRIPTION = "Dmidecode reports information about your system's hardware as described in your system BIOS according to the SMBIOS/DMI standard (see a sample output)."
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/dmidecode/${BP}.tar.xz \
           file://0001-Committing-changes-from-do_unpack_extra.patch \
+           file://CVE-2023-30630-dependent_p1.patch \
+           file://CVE-2023-30630-dependent_p2.patch \
+           file://CVE-2023-30630.patch \
           "
 COMPATIBLE_HOST = "(i.86|x86_64|aarch64|arm|powerpc|powerpc64).*-linux"

diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch new file mode 100644 index 0000000000..f1d449acbe --- /dev/null +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch
@@ -0,0 +1,236 @@
		1	From 24def311c6168d0dfb7c5f0f183b72b709c49265 Mon Sep 17 00:00:00 2001
		2	From: Jean Delvare <jdelvare@suse.de>
		3	Date: Mon, 20 Feb 2023 14:53:21 +0100
		4	Subject: [PATCH] dmidecode: Split table fetching from decoding
		5
		6	Clean up function dmi_table so that it does only one thing:
		7	* dmi_table() is renamed to dmi_table_get(). It now retrieves the
		8	DMI table, but does not process it any longer.
		9	* Decoding or dumping the table is now done in smbios3_decode(),
		10	smbios_decode() and legacy_decode().
		11	No functional change.
		12
		13	A side effect of this change is that writing the header and body of
		14	dump files is now done in a single location. This is required to
		15	further consolidate the writing of dump files.
		16
		17	CVE-ID: CVE-2023-30630
		18	Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=39b2dd7b6ab7]
		19
		20	Backport Changes:
		21	- In the file dmidecode.c, the commit [dd593d2] in v3.3 introduces
		22	pr_info(). This is backported to printf() as per v3.2.
		23
		24	Signed-off-by: Jean Delvare <jdelvare@suse.de>
		25	Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
		26	(cherry picked from commit 39b2dd7b6ab719b920e96ed832cfb4bdd664e808)
		27	Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
		28	---
		29	dmidecode.c \| 86 ++++++++++++++++++++++++++++++++++++++---------------
		30	1 file changed, 62 insertions(+), 24 deletions(-)
		31
		32	diff --git a/dmidecode.c b/dmidecode.c
		33	index a3e9d6c..d6eedd1 100644
		34	--- a/dmidecode.c
		35	+++ b/dmidecode.c
		36	@@ -5211,8 +5211,9 @@ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
		37	}
		38	}
		39
		40	-static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
		41	- u32 flags)
		42	+/* Allocates a buffer for the table, must be freed by the caller */
		43	+static u8 dmi_table_get(off_t base, u32 len, u16 num, u32 ver,
		44	+ const char *devmem, u32 flags)
		45	{
		46	u8 *buf;
		47
		48	@@ -5231,7 +5232,7 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
		49	{
		50	if (num)
		51	printf("%u structures occupying %u bytes.\n",
		52	- num, len);
		53	+ num, *len);
		54	if (!(opt.flags & FLAG_FROM_DUMP))
		55	printf("Table at 0x%08llX.\n",
		56	(unsigned long long)base);
		57	@@ -5249,19 +5250,19 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
		58	* would be the result of the kernel truncating the table on
		59	* parse error.
		60	*/
		61	- size_t size = len;
		62	+ size_t size = *len;
		63	buf = read_file(flags & FLAG_NO_FILE_OFFSET ? 0 : base,
		64	&size, devmem);
		65	- if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)len)
		66	+ if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)*len)
		67	{
		68	fprintf(stderr, "Wrong DMI structures length: %u bytes "
		69	"announced, only %lu bytes available.\n",
		70	- len, (unsigned long)size);
		71	+ *len, (unsigned long)size);
		72	}
		73	- len = size;
		74	+ *len = size;
		75	}
		76	else
		77	- buf = mem_chunk(base, len, devmem);
		78	+ buf = mem_chunk(base, *len, devmem);
		79
		80	if (buf == NULL)
		81	{
		82	@@ -5271,15 +5272,9 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
		83	fprintf(stderr,
		84	"Try compiling dmidecode with -DUSE_MMAP.\n");
		85	#endif
		86	- return;
		87	}
		88
		89	- if (opt.flags & FLAG_DUMP_BIN)
		90	- dmi_table_dump(buf, len);
		91	- else
		92	- dmi_table_decode(buf, len, num, ver >> 8, flags);
		93	-
		94	- free(buf);
		95	+ return buf;
		96	}
		97
		98
		99	@@ -5314,8 +5309,9 @@ static void overwrite_smbios3_address(u8 *buf)
		100
		101	static int smbios3_decode(u8 buf, const char devmem, u32 flags)
		102	{
		103	- u32 ver;
		104	+ u32 ver, len;
		105	u64 offset;
		106	+ u8 *table;
		107
		108	/* Don't let checksum run beyond the buffer */
		109	if (buf[0x06] > 0x20)
		110	@@ -5341,8 +5337,12 @@ static int smbios3_decode(u8 buf, const char devmem, u32 flags)
		111	return 0;
		112	}
		113
		114	- dmi_table(((off_t)offset.h << 32) \| offset.l,
		115	- DWORD(buf + 0x0C), 0, ver, devmem, flags \| FLAG_STOP_AT_EOT);
		116	+ /* Maximum length, may get trimmed */
		117	+ len = DWORD(buf + 0x0C);
		118	+ table = dmi_table_get(((off_t)offset.h << 32) \| offset.l, &len, 0, ver,
		119	+ devmem, flags \| FLAG_STOP_AT_EOT);
		120	+ if (table == NULL)
		121	+ return 1;
		122
		123	if (opt.flags & FLAG_DUMP_BIN)
		124	{
		125	@@ -5351,18 +5351,28 @@ static int smbios3_decode(u8 buf, const char devmem, u32 flags)
		126	memcpy(crafted, buf, 32);
		127	overwrite_smbios3_address(crafted);
		128
		129	+ dmi_table_dump(table, len);
		130	if (!(opt.flags & FLAG_QUIET))
		131	printf("# Writing %d bytes to %s.\n", crafted[0x06],
		132	opt.dumpfile);
		133	write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1);
		134	}
		135	+ else
		136	+ {
		137	+ dmi_table_decode(table, len, 0, ver >> 8,
		138	+ flags \| FLAG_STOP_AT_EOT);
		139	+ }
		140	+
		141	+ free(table);
		142
		143	return 1;
		144	}
		145
		146	static int smbios_decode(u8 buf, const char devmem, u32 flags)
		147	{
		148	- u16 ver;
		149	+ u16 ver, num;
		150	+ u32 len;
		151	+ u8 *table;
		152
		153	/* Don't let checksum run beyond the buffer */
		154	if (buf[0x05] > 0x20)
		155	@@ -5402,8 +5412,13 @@ static int smbios_decode(u8 buf, const char devmem, u32 flags)
		156	printf("SMBIOS %u.%u present.\n",
		157	ver >> 8, ver & 0xFF);
		158
		159	- dmi_table(DWORD(buf + 0x18), WORD(buf + 0x16), WORD(buf + 0x1C),
		160	- ver << 8, devmem, flags);
		161	+ /* Maximum length, may get trimmed */
		162	+ len = WORD(buf + 0x16);
		163	+ num = WORD(buf + 0x1C);
		164	+ table = dmi_table_get(DWORD(buf + 0x18), &len, num, ver << 8,
		165	+ devmem, flags);
		166	+ if (table == NULL)
		167	+ return 1;
		168
		169	if (opt.flags & FLAG_DUMP_BIN)
		170	{
		171	@@ -5412,27 +5427,43 @@ static int smbios_decode(u8 buf, const char devmem, u32 flags)
		172	memcpy(crafted, buf, 32);
		173	overwrite_dmi_address(crafted + 0x10);
		174
		175	+ dmi_table_dump(table, len);
		176	if (!(opt.flags & FLAG_QUIET))
		177	printf("# Writing %d bytes to %s.\n", crafted[0x05],
		178	opt.dumpfile);
		179	write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
		180	}
		181	+ else
		182	+ {
		183	+ dmi_table_decode(table, len, num, ver, flags);
		184	+ }
		185	+
		186	+ free(table);
		187
		188	return 1;
		189	}
		190
		191	static int legacy_decode(u8 buf, const char devmem, u32 flags)
		192	{
		193	+ u16 ver, num;
		194	+ u32 len;
		195	+ u8 *table;
		196	+
		197	if (!checksum(buf, 0x0F))
		198	return 0;
		199
		200	+ ver = ((buf[0x0E] & 0xF0) << 4) + (buf[0x0E] & 0x0F);
		201	if (!(opt.flags & FLAG_QUIET))
		202	printf("Legacy DMI %u.%u present.\n",
		203	buf[0x0E] >> 4, buf[0x0E] & 0x0F);
		204
		205	- dmi_table(DWORD(buf + 0x08), WORD(buf + 0x06), WORD(buf + 0x0C),
		206	- ((buf[0x0E] & 0xF0) << 12) + ((buf[0x0E] & 0x0F) << 8),
		207	- devmem, flags);
		208	+ /* Maximum length, may get trimmed */
		209	+ len = WORD(buf + 0x06);
		210	+ num = WORD(buf + 0x0C);
		211	+ table = dmi_table_get(DWORD(buf + 0x08), &len, num, ver << 8,
		212	+ devmem, flags);
		213	+ if (table == NULL)
		214	+ return 1;
		215
		216	if (opt.flags & FLAG_DUMP_BIN)
		217	{
		218	@@ -5441,11 +5472,18 @@ static int legacy_decode(u8 buf, const char devmem, u32 flags)
		219	memcpy(crafted, buf, 16);
		220	overwrite_dmi_address(crafted);
		221
		222	+ dmi_table_dump(table, len);
		223	if (!(opt.flags & FLAG_QUIET))
		224	printf("# Writing %d bytes to %s.\n", 0x0F,
		225	opt.dumpfile);
		226	write_dump(0, 0x0F, crafted, opt.dumpfile, 1);
		227	}
		228	+ else
		229	+ {
		230	+ dmi_table_decode(table, len, num, ver, flags);
		231	+ }
		232	+
		233	+ free(table);
		234
		235	return 1;
		236	}


diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p2.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p2.patch new file mode 100644 index 0000000000..353c2553f5 --- /dev/null +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p2.patch
@@ -0,0 +1,198 @@
		1	From 58e8a07b1aef0e53af1642b30248255e53e42790 Mon Sep 17 00:00:00 2001
		2	From: Jean Delvare <jdelvare@suse.de>
		3	Date: Mon, 20 Feb 2023 14:53:25 +0100
		4	Subject: [PATCH] dmidecode: Write the whole dump file at once
		5
		6	When option --dump-bin is used, write the whole dump file at once,
		7	instead of opening and closing the file separately for the table
		8	and then for the entry point.
		9
		10	As the file writing function is no longer generic, it gets moved
		11	from util.c to dmidecode.c.
		12
		13	One minor functional change resulting from the new implementation is
		14	that the entry point is written first now, so the messages printed
		15	are swapped.
		16
		17	CVE: CVE-2023-30630
		18	Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=d8cfbc808f38]
		19
		20	Backport Changes:
		21	- In the file dmidecode.c, the commit [2241f1d] in v3.3 introduces
		22	pr_info(). This is backported to printf() as per v3.2.
		23
		24	Signed-off-by: Jean Delvare <jdelvare@suse.de>
		25	Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
		26	(cherry picked from commit d8cfbc808f387e87091c25e7d5b8c2bb348bb206)
		27	Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
		28
		29	---
		30	dmidecode.c \| 69 +++++++++++++++++++++++++++++++++++++++--------------
		31	util.c \| 40 -------------------------------
		32	util.h \| 1 -
		33	3 files changed, 51 insertions(+), 59 deletions(-)
		34
		35	diff --git a/dmidecode.c b/dmidecode.c
		36	index d6eedd1..b91e53b 100644
		37	--- a/dmidecode.c
		38	+++ b/dmidecode.c
		39	@@ -5094,11 +5094,56 @@ static void dmi_table_string(const struct dmi_header h, const u8 data, u16 ver
		40	}
		41	}
		42
		43	-static void dmi_table_dump(const u8 *buf, u32 len)
		44	+static int dmi_table_dump(const u8 ep, u32 ep_len, const u8 table,
		45	+ u32 table_len)
		46	{
		47	+ FILE *f;
		48	+
		49	+ f = fopen(opt.dumpfile, "wb");
		50	+ if (!f)
		51	+ {
		52	+ fprintf(stderr, "%s: ", opt.dumpfile);
		53	+ perror("fopen");
		54	+ return -1;
		55	+ }
		56	+
		57	+ if (!(opt.flags & FLAG_QUIET))
		58	+ printf("# Writing %d bytes to %s.\n", ep_len, opt.dumpfile);
		59	+ if (fwrite(ep, ep_len, 1, f) != 1)
		60	+ {
		61	+ fprintf(stderr, "%s: ", opt.dumpfile);
		62	+ perror("fwrite");
		63	+ goto err_close;
		64	+ }
		65	+
		66	+ if (fseek(f, 32, SEEK_SET) != 0)
		67	+ {
		68	+ fprintf(stderr, "%s: ", opt.dumpfile);
		69	+ perror("fseek");
		70	+ goto err_close;
		71	+ }
		72	+
		73	if (!(opt.flags & FLAG_QUIET))
		74	- printf("# Writing %d bytes to %s.\n", len, opt.dumpfile);
		75	- write_dump(32, len, buf, opt.dumpfile, 0);
		76	+ printf("# Writing %d bytes to %s.\n", table_len, opt.dumpfile);
		77	+ if (fwrite(table, table_len, 1, f) != 1)
		78	+ {
		79	+ fprintf(stderr, "%s: ", opt.dumpfile);
		80	+ perror("fwrite");
		81	+ goto err_close;
		82	+ }
		83	+
		84	+ if (fclose(f))
		85	+ {
		86	+ fprintf(stderr, "%s: ", opt.dumpfile);
		87	+ perror("fclose");
		88	+ return -1;
		89	+ }
		90	+
		91	+ return 0;
		92	+
		93	+err_close:
		94	+ fclose(f);
		95	+ return -1;
		96	}
		97
		98	static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
		99	@@ -5351,11 +5396,7 @@ static int smbios3_decode(u8 buf, const char devmem, u32 flags)
		100	memcpy(crafted, buf, 32);
		101	overwrite_smbios3_address(crafted);
		102
		103	- dmi_table_dump(table, len);
		104	- if (!(opt.flags & FLAG_QUIET))
		105	- printf("# Writing %d bytes to %s.\n", crafted[0x06],
		106	- opt.dumpfile);
		107	- write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1);
		108	+ dmi_table_dump(crafted, crafted[0x06], table, len);
		109	}
		110	else
		111	{
		112	@@ -5427,11 +5468,7 @@ static int smbios_decode(u8 buf, const char devmem, u32 flags)
		113	memcpy(crafted, buf, 32);
		114	overwrite_dmi_address(crafted + 0x10);
		115
		116	- dmi_table_dump(table, len);
		117	- if (!(opt.flags & FLAG_QUIET))
		118	- printf("# Writing %d bytes to %s.\n", crafted[0x05],
		119	- opt.dumpfile);
		120	- write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
		121	+ dmi_table_dump(crafted, crafted[0x05], table, len);
		122	}
		123	else
		124	{
		125	@@ -5472,11 +5509,7 @@ static int legacy_decode(u8 buf, const char devmem, u32 flags)
		126	memcpy(crafted, buf, 16);
		127	overwrite_dmi_address(crafted);
		128
		129	- dmi_table_dump(table, len);
		130	- if (!(opt.flags & FLAG_QUIET))
		131	- printf("# Writing %d bytes to %s.\n", 0x0F,
		132	- opt.dumpfile);
		133	- write_dump(0, 0x0F, crafted, opt.dumpfile, 1);
		134	+ dmi_table_dump(crafted, 0x0F, table, len);
		135	}
		136	else
		137	{
		138	diff --git a/util.c b/util.c
		139	index eeffdae..2e1931c 100644
		140	--- a/util.c
		141	+++ b/util.c
		142	@@ -247,46 +247,6 @@ out:
		143	return p;
		144	}
		145
		146	-int write_dump(size_t base, size_t len, const void data, const char dumpfile, int add)
		147	-{
		148	- FILE *f;
		149	-
		150	- f = fopen(dumpfile, add ? "r+b" : "wb");
		151	- if (!f)
		152	- {
		153	- fprintf(stderr, "%s: ", dumpfile);
		154	- perror("fopen");
		155	- return -1;
		156	- }
		157	-
		158	- if (fseek(f, base, SEEK_SET) != 0)
		159	- {
		160	- fprintf(stderr, "%s: ", dumpfile);
		161	- perror("fseek");
		162	- goto err_close;
		163	- }
		164	-
		165	- if (fwrite(data, len, 1, f) != 1)
		166	- {
		167	- fprintf(stderr, "%s: ", dumpfile);
		168	- perror("fwrite");
		169	- goto err_close;
		170	- }
		171	-
		172	- if (fclose(f))
		173	- {
		174	- fprintf(stderr, "%s: ", dumpfile);
		175	- perror("fclose");
		176	- return -1;
		177	- }
		178	-
		179	- return 0;
		180	-
		181	-err_close:
		182	- fclose(f);
		183	- return -1;
		184	-}
		185	-
		186	/* Returns end - start + 1, assuming start < end */
		187	u64 u64_range(u64 start, u64 end)
		188	{
		189	diff --git a/util.h b/util.h
		190	index 3094cf8..ef24eb9 100644
		191	--- a/util.h
		192	+++ b/util.h
		193	@@ -27,5 +27,4 @@
		194	int checksum(const u8 *buf, size_t len);
		195	void read_file(off_t base, size_t len, const char *filename);
		196	void mem_chunk(off_t base, size_t len, const char devmem);
		197	-int write_dump(size_t base, size_t len, const void data, const char dumpfile, int add);
		198	u64 u64_range(u64 start, u64 end);


diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630.patch new file mode 100644 index 0000000000..bf4d060c8c --- /dev/null +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630.patch
@@ -0,0 +1,62 @@
		1	From b7dacccff32294ea522df32a9391d0218e7600ea Mon Sep 17 00:00:00 2001
		2	From: Jean Delvare <jdelvare@suse.de>
		3	Date: Mon, 20 Feb 2023 14:53:31 +0100
		4	Subject: [PATCH] dmidecode: Do not let --dump-bin overwrite an existing file
		5
		6	Make sure that the file passed to option --dump-bin does not already
		7	exist. In practice, it is rather unlikely that an honest user would
		8	want to overwrite an existing dump file, while this possibility
		9	could be used by a rogue user to corrupt a system file.
		10
		11	CVE: CVE-2023-30630
		12	Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=6ca381c1247c]
		13
		14	Backport Changes:
		15	- Ignored changes in man/dmidecode.8 file.
		16
		17	Signed-off-by: Jean Delvare <jdelvare@suse.de>
		18	Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
		19	(cherry picked from commit 6ca381c1247c81f74e1ca4e7706f70bdda72e6f2)
		20	Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
		21
		22	---
		23	dmidecode.c \| 14 ++++++++++++--
		24	1 file changed, 12 insertions(+), 2 deletions(-)
		25
		26	diff --git a/dmidecode.c b/dmidecode.c
		27	index b91e53b..846d9a1 100644
		28	--- a/dmidecode.c
		29	+++ b/dmidecode.c
		30	@@ -60,6 +60,7 @@
		31	* https://www.dmtf.org/sites/default/files/DSP0270_1.0.1.pdf
		32	*/
		33
		34	+#include <fcntl.h>
		35	#include <stdio.h>
		36	#include <string.h>
		37	#include <strings.h>
		38	@@ -5097,13 +5098,22 @@ static void dmi_table_string(const struct dmi_header h, const u8 data, u16 ver
		39	static int dmi_table_dump(const u8 ep, u32 ep_len, const u8 table,
		40	u32 table_len)
		41	{
		42	+ int fd;
		43	FILE *f;
		44
		45	- f = fopen(opt.dumpfile, "wb");
		46	+ fd = open(opt.dumpfile, O_WRONLY\|O_CREAT\|O_EXCL, 0666);
		47	+ if (fd == -1)
		48	+ {
		49	+ fprintf(stderr, "%s: ", opt.dumpfile);
		50	+ perror("open");
		51	+ return -1;
		52	+ }
		53	+
		54	+ f = fdopen(fd, "wb");
		55	if (!f)
		56	{
		57	fprintf(stderr, "%s: ", opt.dumpfile);
		58	- perror("fopen");
		59	+ perror("fdopen");
		60	return -1;
		61	}
		62


diff --git a/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb b/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb index 63f4061cb7..1e7c38dc8a 100644 --- a/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb +++ b/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb
@@ -1,10 +1,14 @@
1	SUMMARY = "DMI (Desktop Management Interface) table related utilities"	1	SUMMARY = "DMI (Desktop Management Interface) table related utilities"
2	HOMEPAGE = "http://www.nongnu.org/dmidecode/"	2	HOMEPAGE = "http://www.nongnu.org/dmidecode/"
		3	DESCRIPTION = "Dmidecode reports information about your system's hardware as described in your system BIOS according to the SMBIOS/DMI standard (see a sample output)."
3	LICENSE = "GPLv2"	4	LICENSE = "GPLv2"
4	LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"	5	LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
5		6
6	SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/dmidecode/${BP}.tar.xz \	7	SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/dmidecode/${BP}.tar.xz \
7	file://0001-Committing-changes-from-do_unpack_extra.patch \	8	file://0001-Committing-changes-from-do_unpack_extra.patch \
		9	file://CVE-2023-30630-dependent_p1.patch \
		10	file://CVE-2023-30630-dependent_p2.patch \
		11	file://CVE-2023-30630.patch \
8	"	12	"
9		13
10	COMPATIBLE_HOST = "(i.86\|x86_64\|aarch64\|arm\|powerpc\|powerpc64).*-linux"	14	COMPATIBLE_HOST = "(i.86\|x86_64\|aarch64\|arm\|powerpc\|powerpc64).*-linux"