diff options
Diffstat (limited to 'user/dmidecode/security1.patch')
-rw-r--r-- | user/dmidecode/security1.patch | 55 |
1 files changed, 0 insertions, 55 deletions
diff --git a/user/dmidecode/security1.patch b/user/dmidecode/security1.patch deleted file mode 100644 index da4bc9815..000000000 --- a/user/dmidecode/security1.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 8ff32018e8dd53c26d1f0daef118037fdae58c68 Mon Sep 17 00:00:00 2001 -From: Jean Delvare <jdelvare@suse.de> -Date: Wed, 1 Aug 2018 09:54:45 +0200 -Subject: dmidecode: Avoid OOB read on invalid entry point length - -Don't let the entry point checksum verification run beyond the end of -the buffer holding it (32 bytes). - -This bug was discovered by Lionel Debroux using the AFL fuzzer and -AddressSanitizer. - -Signed-off-by: Jean Delvare <jdelvare@suse.de> ---- - dmidecode.c | 18 ++++++++++++++++++ - 1 file changed, 18 insertions(+) - -diff --git a/dmidecode.c b/dmidecode.c -index fa6ecf1..474ca7b 100644 ---- a/dmidecode.c -+++ b/dmidecode.c -@@ -4928,6 +4928,15 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) - u32 ver; - u64 offset; - -+ /* Don't let checksum run beyond the buffer */ -+ if (buf[0x06] > 0x20) -+ { -+ fprintf(stderr, -+ "Entry point length too large (%u bytes, expected %u).\n", -+ (unsigned int)buf[0x06], 0x18U); -+ return 0; -+ } -+ - if (!checksum(buf, buf[0x06])) - return 0; - -@@ -4966,6 +4975,15 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags) - { - u16 ver; - -+ /* Don't let checksum run beyond the buffer */ -+ if (buf[0x05] > 0x20) -+ { -+ fprintf(stderr, -+ "Entry point length too large (%u bytes, expected %u).\n", -+ (unsigned int)buf[0x05], 0x1FU); -+ return 0; -+ } -+ - if (!checksum(buf, buf[0x05]) - || memcmp(buf + 0x10, "_DMI_", 5) != 0 - || !checksum(buf + 0x10, 0x0F)) --- -cgit v1.0-41-gc330 - |