summaryrefslogtreecommitdiff
path: root/user/dmidecode
diff options
context:
space:
mode:
Diffstat (limited to 'user/dmidecode')
-rw-r--r--user/dmidecode/APKBUILD34
-rw-r--r--user/dmidecode/correctness1.patch30
-rw-r--r--user/dmidecode/hpe1.patch141
-rw-r--r--user/dmidecode/hpe2.patch36
-rw-r--r--user/dmidecode/security1.patch55
-rw-r--r--user/dmidecode/security2.patch98
6 files changed, 394 insertions, 0 deletions
diff --git a/user/dmidecode/APKBUILD b/user/dmidecode/APKBUILD
new file mode 100644
index 000000000..4c15ce8b9
--- /dev/null
+++ b/user/dmidecode/APKBUILD
@@ -0,0 +1,34 @@
+# Maintainer:
+pkgname=dmidecode
+pkgver=3.1
+pkgrel=1
+pkgdesc="Utility for gathering information about system hardware"
+url="http://www.nongnu.org/dmidecode"
+arch="all"
+options="!check" # No test suite.
+license="GPL-2.0-only"
+subpackages="$pkgname-doc"
+source="http://download.savannah.gnu.org/releases/dmidecode/dmidecode-$pkgver.tar.xz
+ hpe1.patch
+ hpe2.patch
+ correctness1.patch
+ security1.patch
+ security2.patch
+ "
+
+build() {
+ cd "$builddir"
+ make prefix=/usr
+}
+
+package() {
+ cd "$builddir"
+ make prefix=/usr DESTDIR="${pkgdir}" install
+}
+
+sha512sums="226557ad5747a2a2eb54a938543373b9ddcff032d330ca3b9a066cc81c0e137028f606ffedc042e0220b523346e2f2f7abb0e4b8b34a8bd173719aa858519de9 dmidecode-3.1.tar.xz
+30faca2ef81c925278dc1d027a4a7c19ef7c9fc27d11fdf3647fd4d8cd77f524e1d159b7e7873294ece08228a99dedbdb1913f610de8a3975ce027d0570ace89 hpe1.patch
+734e388cc27e89fbaf3a3f5a875c78e04e0dabd92706a9336b504a8be6d3ede72372cc13b860cd32a66d17c8e1cb6a1d881f8fce97d01a28ea299075d0952609 hpe2.patch
+43931cce1824908dcc054e82ad5d5389ce76f6dc643b7610a9a87d59ad54ba4816b4ca16b159b7545dd1c462af956b7a1a19752dde369e24f1d10acab8f173ca correctness1.patch
+d377a7ccd809f019568cfce7eaae35cd3eed076c7347779fbc4b2a949ec81abfdd5142dc74ffd740a1b973c3bb49117537dea1e9f590290ee555dd00abc57fc9 security1.patch
+89fcf20e883ce92245eeb0136e9c6e04f4f038e582f6a46dc1d4621625137efe558ef2bfc5625b1e1576a5276f81ee4ab45a82209b0e65a0259f937bacee174a security2.patch"
diff --git a/user/dmidecode/correctness1.patch b/user/dmidecode/correctness1.patch
new file mode 100644
index 000000000..07f4f7ed7
--- /dev/null
+++ b/user/dmidecode/correctness1.patch
@@ -0,0 +1,30 @@
+From 174387405e98cd94c627832ae23abcb9be7e5623 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Wed, 31 Jan 2018 18:52:47 +0100
+Subject: dmidecode: Fix firmware version of TPM device
+
+Both the operator (detected by clang, reported by Xorg) and the mask
+for the minor firmware version field of TPM devices were wrong.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Fixes: 48a8132058a0 ("dmidecode: Add support for structure type 43 (TPM Device)")
+---
+ dmidecode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index 87faaa9..a593170 100644
+--- a/dmidecode.c
++++ b/dmidecode.c
+@@ -4511,7 +4511,7 @@ static void dmi_decode(const struct dmi_header *h, u16 ver)
+ case 0x02:
+ printf("\tFirmware Revision: %u.%u\n",
+ DWORD(data + 0x0A) >> 16,
+- DWORD(data + 0x0A) && 0xFF);
++ DWORD(data + 0x0A) & 0xFFFF);
+ /*
+ * We skip the next 4 bytes, as their
+ * format is not standardized and their
+--
+cgit v1.0-41-gc330
+
diff --git a/user/dmidecode/hpe1.patch b/user/dmidecode/hpe1.patch
new file mode 100644
index 000000000..ca294d0af
--- /dev/null
+++ b/user/dmidecode/hpe1.patch
@@ -0,0 +1,141 @@
+From ee07a1b4249560d620d05194eb8ff61b40d3ce23 Mon Sep 17 00:00:00 2001
+From: Jerry Hoemann <jerry.hoemann@hpe.com>
+Date: Wed, 13 Sep 2017 15:54:22 -0600
+Subject: dmioem: Reflect HPE's new company name
+
+After Hewlett Packard Enterprise split from Hewlett-Packard, DMI OEM
+tables reflect the new company name. Gen10 and subsequent systems will
+use HPE. Gen9 and prior systems continue to use the old "HP" name.
+
+Signed-off-by: Jerry Hoemann <jerry.hoemann@hpe.com>
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+---
+ dmioem.c | 32 +++++++++++++++++++-------------
+ 1 file changed, 19 insertions(+), 13 deletions(-)
+
+diff --git a/dmioem.c b/dmioem.c
+index 034ad9f..a032344 100644
+--- a/dmioem.c
++++ b/dmioem.c
+@@ -35,6 +35,7 @@ enum DMI_VENDORS
+ VENDOR_UNKNOWN,
+ VENDOR_HP,
+ VENDOR_ACER,
++ VENDOR_HPE,
+ };
+
+ static enum DMI_VENDORS dmi_vendor = VENDOR_UNKNOWN;
+@@ -58,12 +59,14 @@ void dmi_set_vendor(const char *s)
+
+ if (strncmp(s, "HP", len) == 0 || strncmp(s, "Hewlett-Packard", len) == 0)
+ dmi_vendor = VENDOR_HP;
++ else if (strncmp(s, "HPE", len) == 0 || strncmp(s, "Hewlett Packard Enterprise", len) == 0)
++ dmi_vendor = VENDOR_HPE;
+ else if (strncmp(s, "Acer", len) == 0)
+ dmi_vendor = VENDOR_ACER;
+ }
+
+ /*
+- * HP-specific data structures are decoded here.
++ * HPE-specific data structures are decoded here.
+ *
+ * Code contributed by John Cagle and Tyler Bell.
+ */
+@@ -98,14 +101,15 @@ static int dmi_decode_hp(const struct dmi_header *h)
+ u8 *data = h->data;
+ int nic, ptr;
+ u32 feat;
++ const char *company = (dmi_vendor == VENDOR_HP) ? "HP" : "HPE";
+
+ switch (h->type)
+ {
+ case 204:
+ /*
+- * Vendor Specific: HP ProLiant System/Rack Locator
++ * Vendor Specific: HPE ProLiant System/Rack Locator
+ */
+- printf("HP ProLiant System/Rack Locator\n");
++ printf("%s ProLiant System/Rack Locator\n", company);
+ if (h->length < 0x0B) break;
+ printf("\tRack Name: %s\n", dmi_string(h, data[0x04]));
+ printf("\tEnclosure Name: %s\n", dmi_string(h, data[0x05]));
+@@ -119,7 +123,7 @@ static int dmi_decode_hp(const struct dmi_header *h)
+ case 209:
+ case 221:
+ /*
+- * Vendor Specific: HP ProLiant NIC MAC Information
++ * Vendor Specific: HPE ProLiant NIC MAC Information
+ *
+ * This prints the BIOS NIC number,
+ * PCI bus/device/function, and MAC address
+@@ -137,9 +141,10 @@ static int dmi_decode_hp(const struct dmi_header *h)
+ *
+ * Type 221: is deprecated in the latest docs
+ */
+- printf(h->type == 221 ?
+- "HP BIOS iSCSI NIC PCI and MAC Information\n" :
+- "HP BIOS PXE NIC PCI and MAC Information\n");
++ printf("%s %s\n", company,
++ h->type == 221 ?
++ "BIOS iSCSI NIC PCI and MAC Information" :
++ "BIOS PXE NIC PCI and MAC Information");
+ nic = 1;
+ ptr = 4;
+ while (h->length >= ptr + 8)
+@@ -155,7 +160,7 @@ static int dmi_decode_hp(const struct dmi_header *h)
+
+ case 233:
+ /*
+- * Vendor Specific: HP ProLiant NIC MAC Information
++ * Vendor Specific: HPE ProLiant NIC MAC Information
+ *
+ * This prints the BIOS NIC number,
+ * PCI bus/device/function, and MAC address
+@@ -171,7 +176,7 @@ static int dmi_decode_hp(const struct dmi_header *h)
+ * 0x08 | MAC | 32B | MAC addr padded w/ 0s
+ * 0x28 | Port No| BYTE | Each NIC maps to a Port
+ */
+- printf("HP BIOS PXE NIC PCI and MAC Information\n");
++ printf("%s BIOS PXE NIC PCI and MAC Information\n", company);
+ if (h->length < 0x0E) break;
+ /* If the record isn't long enough, we don't have an ID
+ * use 0xFF to use the internal counter.
+@@ -183,11 +188,11 @@ static int dmi_decode_hp(const struct dmi_header *h)
+
+ case 212:
+ /*
+- * Vendor Specific: HP 64-bit CRU Information
++ * Vendor Specific: HPE 64-bit CRU Information
+ *
+ * Source: hpwdt kernel driver
+ */
+- printf("HP 64-bit CRU Information\n");
++ printf("%s 64-bit CRU Information\n", company);
+ if (h->length < 0x18) break;
+ printf("\tSignature: 0x%08x", DWORD(data + 0x04));
+ if (is_printable(data + 0x04, 4))
+@@ -208,11 +213,11 @@ static int dmi_decode_hp(const struct dmi_header *h)
+
+ case 219:
+ /*
+- * Vendor Specific: HP ProLiant Information
++ * Vendor Specific: HPE ProLiant Information
+ *
+ * Source: hpwdt kernel driver
+ */
+- printf("HP ProLiant Information\n");
++ printf("%s ProLiant Information\n", company);
+ if (h->length < 0x08) break;
+ printf("\tPower Features: 0x%08x\n", DWORD(data + 0x04));
+ if (h->length < 0x0C) break;
+@@ -281,6 +286,7 @@ int dmi_decode_oem(const struct dmi_header *h)
+ switch (dmi_vendor)
+ {
+ case VENDOR_HP:
++ case VENDOR_HPE:
+ return dmi_decode_hp(h);
+ case VENDOR_ACER:
+ return dmi_decode_acer(h);
+--
+cgit v1.0-41-gc330
+
diff --git a/user/dmidecode/hpe2.patch b/user/dmidecode/hpe2.patch
new file mode 100644
index 000000000..9d9e660b6
--- /dev/null
+++ b/user/dmidecode/hpe2.patch
@@ -0,0 +1,36 @@
+From 2ba4fab210e23cc97db57217af9a6f3b35a9b666 Mon Sep 17 00:00:00 2001
+From: Jerry Hoemann <jerry.hoemann@hpe.com>
+Date: Wed, 11 Apr 2018 14:33:20 +0200
+Subject: dmioem: decode HPE UEFI type 219 Misc Features
+
+The incorrect "Misc Feature" bit in type 219 table was being used to
+identify that the platform is capable of booting with UEFI.
+
+For corresponding kernel change please see:
+
+ commit(c42cbe41727a)
+
+in linux.
+
+Signed-off-by: Jerry Hoemann <jerry.hoemann@hpe.com>
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+---
+ dmioem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dmioem.c b/dmioem.c
+index 8a72ac9..1742330 100644
+--- a/dmioem.c
++++ b/dmioem.c
+@@ -268,7 +268,7 @@ static int dmi_decode_hp(const struct dmi_header *h)
+ feat = DWORD(data + 0x10);
+ printf("\tMisc. Features: 0x%08x\n", feat);
+ printf("\t\tiCRU: %s\n", feat & 0x0001 ? "Yes" : "No");
+- printf("\t\tUEFI: %s\n", feat & 0x0408 ? "Yes" : "No");
++ printf("\t\tUEFI: %s\n", feat & 0x1400 ? "Yes" : "No");
+ break;
+
+ default:
+--
+cgit v1.0-41-gc330
+
diff --git a/user/dmidecode/security1.patch b/user/dmidecode/security1.patch
new file mode 100644
index 000000000..da4bc9815
--- /dev/null
+++ b/user/dmidecode/security1.patch
@@ -0,0 +1,55 @@
+From 8ff32018e8dd53c26d1f0daef118037fdae58c68 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Wed, 1 Aug 2018 09:54:45 +0200
+Subject: dmidecode: Avoid OOB read on invalid entry point length
+
+Don't let the entry point checksum verification run beyond the end of
+the buffer holding it (32 bytes).
+
+This bug was discovered by Lionel Debroux using the AFL fuzzer and
+AddressSanitizer.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+---
+ dmidecode.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index fa6ecf1..474ca7b 100644
+--- a/dmidecode.c
++++ b/dmidecode.c
+@@ -4928,6 +4928,15 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+ u32 ver;
+ u64 offset;
+
++ /* Don't let checksum run beyond the buffer */
++ if (buf[0x06] > 0x20)
++ {
++ fprintf(stderr,
++ "Entry point length too large (%u bytes, expected %u).\n",
++ (unsigned int)buf[0x06], 0x18U);
++ return 0;
++ }
++
+ if (!checksum(buf, buf[0x06]))
+ return 0;
+
+@@ -4966,6 +4975,15 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+ {
+ u16 ver;
+
++ /* Don't let checksum run beyond the buffer */
++ if (buf[0x05] > 0x20)
++ {
++ fprintf(stderr,
++ "Entry point length too large (%u bytes, expected %u).\n",
++ (unsigned int)buf[0x05], 0x1FU);
++ return 0;
++ }
++
+ if (!checksum(buf, buf[0x05])
+ || memcmp(buf + 0x10, "_DMI_", 5) != 0
+ || !checksum(buf + 0x10, 0x0F))
+--
+cgit v1.0-41-gc330
+
diff --git a/user/dmidecode/security2.patch b/user/dmidecode/security2.patch
new file mode 100644
index 000000000..c758f2ff3
--- /dev/null
+++ b/user/dmidecode/security2.patch
@@ -0,0 +1,98 @@
+From 4cbba9a8e76ffc640eaf7dd25acbd3c1c6504669 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Wed, 1 Aug 2018 09:54:51 +0200
+Subject: dmidecode: Validate structure completeness before decoding
+
+Ensure that the whole DMI structure fits in the announced table
+length before performing any action on it. Otherwise we might end up
+reading beyond the end of our memory buffer.
+
+This bug was discovered by Lionel Debroux using the AFL fuzzer and
+AddressSanitizer. Its probability is very low, as it requires a DMI
+table corrupted in one of two very specific ways to trigger.
+
+This bug exists since dmidecode version 2.9, although it is hard to
+test because option --from-dump was only introduced in version 2.10.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+---
+ dmidecode.c | 39 ++++++++++++++++++++++-----------------
+ 1 file changed, 22 insertions(+), 17 deletions(-)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index 474ca7b..76faed9 100644
+--- a/dmidecode.c
++++ b/dmidecode.c
+@@ -4754,6 +4754,7 @@ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
+ }
+ break;
+ }
++ i++;
+
+ /* In quiet mode, stop decoding at end of table marker */
+ if ((opt.flags & FLAG_QUIET) && h.type == 127)
+@@ -4764,6 +4765,22 @@ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
+ printf("Handle 0x%04X, DMI type %d, %d bytes\n",
+ h.handle, h.type, h.length);
+
++ /* Look for the next handle */
++ next = data + h.length;
++ while ((unsigned long)(next - buf + 1) < len
++ && (next[0] != 0 || next[1] != 0))
++ next++;
++ next += 2;
++
++ /* Make sure the whole structure fits in the table */
++ if ((unsigned long)(next - buf) > len)
++ {
++ if (display && !(opt.flags & FLAG_QUIET))
++ printf("\t<TRUNCATED>\n\n");
++ data = next;
++ break;
++ }
++
+ /* assign vendor for vendor-specific decodes later */
+ if (h.type == 1 && h.length >= 5)
+ dmi_set_vendor(dmi_string(&h, data[0x04]));
+@@ -4772,33 +4789,21 @@ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
+ if (h.type == 34)
+ dmi_fixup_type_34(&h, display);
+
+- /* look for the next handle */
+- next = data + h.length;
+- while ((unsigned long)(next - buf + 1) < len
+- && (next[0] != 0 || next[1] != 0))
+- next++;
+- next += 2;
+ if (display)
+ {
+- if ((unsigned long)(next - buf) <= len)
++ if (opt.flags & FLAG_DUMP)
+ {
+- if (opt.flags & FLAG_DUMP)
+- {
+- dmi_dump(&h, "\t");
+- printf("\n");
+- }
+- else
+- dmi_decode(&h, ver);
++ dmi_dump(&h, "\t");
++ printf("\n");
+ }
+- else if (!(opt.flags & FLAG_QUIET))
+- printf("\t<TRUNCATED>\n\n");
++ else
++ dmi_decode(&h, ver);
+ }
+ else if (opt.string != NULL
+ && opt.string->type == h.type)
+ dmi_table_string(&h, data, ver);
+
+ data = next;
+- i++;
+
+ /* SMBIOS v3 requires stopping at this marker */
+ if (h.type == 127 && (flags & FLAG_STOP_AT_EOT))
+--
+cgit v1.0-41-gc330
+