summaryrefslogtreecommitdiff
path: root/user/dmidecode/security1.patch
diff options
context:
space:
mode:
authorA. Wilcox <AWilcox@Wilcox-Tech.com>2018-08-02 07:05:08 +0000
committerA. Wilcox <AWilcox@Wilcox-Tech.com>2018-08-02 07:05:08 +0000
commite0c7cfd702fbc56b2bff5f7ccb0623bd1bda24fe (patch)
tree3945f8c57651648487e02a89da04f5f2574e1824 /user/dmidecode/security1.patch
parent688fa541d5b4a3304e1f0394fa7eecbf499216c9 (diff)
downloadpackages-e0c7cfd702fbc56b2bff5f7ccb0623bd1bda24fe.tar.gz
packages-e0c7cfd702fbc56b2bff5f7ccb0623bd1bda24fe.tar.bz2
packages-e0c7cfd702fbc56b2bff5f7ccb0623bd1bda24fe.tar.xz
packages-e0c7cfd702fbc56b2bff5f7ccb0623bd1bda24fe.zip
user/dmidecode: pull in from Alpine, add upstream-recommended patches
Diffstat (limited to 'user/dmidecode/security1.patch')
-rw-r--r--user/dmidecode/security1.patch55
1 files changed, 55 insertions, 0 deletions
diff --git a/user/dmidecode/security1.patch b/user/dmidecode/security1.patch
new file mode 100644
index 000000000..da4bc9815
--- /dev/null
+++ b/user/dmidecode/security1.patch
@@ -0,0 +1,55 @@
+From 8ff32018e8dd53c26d1f0daef118037fdae58c68 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Wed, 1 Aug 2018 09:54:45 +0200
+Subject: dmidecode: Avoid OOB read on invalid entry point length
+
+Don't let the entry point checksum verification run beyond the end of
+the buffer holding it (32 bytes).
+
+This bug was discovered by Lionel Debroux using the AFL fuzzer and
+AddressSanitizer.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+---
+ dmidecode.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index fa6ecf1..474ca7b 100644
+--- a/dmidecode.c
++++ b/dmidecode.c
+@@ -4928,6 +4928,15 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+ u32 ver;
+ u64 offset;
+
++ /* Don't let checksum run beyond the buffer */
++ if (buf[0x06] > 0x20)
++ {
++ fprintf(stderr,
++ "Entry point length too large (%u bytes, expected %u).\n",
++ (unsigned int)buf[0x06], 0x18U);
++ return 0;
++ }
++
+ if (!checksum(buf, buf[0x06]))
+ return 0;
+
+@@ -4966,6 +4975,15 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+ {
+ u16 ver;
+
++ /* Don't let checksum run beyond the buffer */
++ if (buf[0x05] > 0x20)
++ {
++ fprintf(stderr,
++ "Entry point length too large (%u bytes, expected %u).\n",
++ (unsigned int)buf[0x05], 0x1FU);
++ return 0;
++ }
++
+ if (!checksum(buf, buf[0x05])
+ || memcmp(buf + 0x10, "_DMI_", 5) != 0
+ || !checksum(buf + 0x10, 0x0F))
+--
+cgit v1.0-41-gc330
+