summaryrefslogtreecommitdiff
path: root/user/dmidecode/security1.patch
diff options
context:
space:
mode:
Diffstat (limited to 'user/dmidecode/security1.patch')
-rw-r--r--user/dmidecode/security1.patch55
1 files changed, 0 insertions, 55 deletions
diff --git a/user/dmidecode/security1.patch b/user/dmidecode/security1.patch
deleted file mode 100644
index da4bc9815..000000000
--- a/user/dmidecode/security1.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 8ff32018e8dd53c26d1f0daef118037fdae58c68 Mon Sep 17 00:00:00 2001
-From: Jean Delvare <jdelvare@suse.de>
-Date: Wed, 1 Aug 2018 09:54:45 +0200
-Subject: dmidecode: Avoid OOB read on invalid entry point length
-
-Don't let the entry point checksum verification run beyond the end of
-the buffer holding it (32 bytes).
-
-This bug was discovered by Lionel Debroux using the AFL fuzzer and
-AddressSanitizer.
-
-Signed-off-by: Jean Delvare <jdelvare@suse.de>
----
- dmidecode.c | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/dmidecode.c b/dmidecode.c
-index fa6ecf1..474ca7b 100644
---- a/dmidecode.c
-+++ b/dmidecode.c
-@@ -4928,6 +4928,15 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
- u32 ver;
- u64 offset;
-
-+ /* Don't let checksum run beyond the buffer */
-+ if (buf[0x06] > 0x20)
-+ {
-+ fprintf(stderr,
-+ "Entry point length too large (%u bytes, expected %u).\n",
-+ (unsigned int)buf[0x06], 0x18U);
-+ return 0;
-+ }
-+
- if (!checksum(buf, buf[0x06]))
- return 0;
-
-@@ -4966,6 +4975,15 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
- {
- u16 ver;
-
-+ /* Don't let checksum run beyond the buffer */
-+ if (buf[0x05] > 0x20)
-+ {
-+ fprintf(stderr,
-+ "Entry point length too large (%u bytes, expected %u).\n",
-+ (unsigned int)buf[0x05], 0x1FU);
-+ return 0;
-+ }
-+
- if (!checksum(buf, buf[0x05])
- || memcmp(buf + 0x10, "_DMI_", 5) != 0
- || !checksum(buf + 0x10, 0x0F))
---
-cgit v1.0-41-gc330
-