From e0c7cfd702fbc56b2bff5f7ccb0623bd1bda24fe Mon Sep 17 00:00:00 2001
From: "A. Wilcox"
Date: Thu, 2 Aug 2018 07:05:08 +0000
Subject: user/dmidecode: pull in from Alpine, add upstream-recommended patches
---
user/dmidecode/APKBUILD | 34 +++++++++
user/dmidecode/correctness1.patch | 30 ++++++++
user/dmidecode/hpe1.patch | 141 ++++++++++++++++++++++++++++++++++++++
user/dmidecode/hpe2.patch | 36 ++++++++++
user/dmidecode/security1.patch | 55 +++++++++++++++
user/dmidecode/security2.patch | 98 ++++++++++++++++++++++++++
6 files changed, 394 insertions(+)
create mode 100644 user/dmidecode/APKBUILD
create mode 100644 user/dmidecode/correctness1.patch
create mode 100644 user/dmidecode/hpe1.patch
create mode 100644 user/dmidecode/hpe2.patch
create mode 100644 user/dmidecode/security1.patch
create mode 100644 user/dmidecode/security2.patch
diff --git a/user/dmidecode/APKBUILD b/user/dmidecode/APKBUILD
new file mode 100644
index 000000000..4c15ce8b9
--- /dev/null
+++ b/user/dmidecode/APKBUILD
@@ -0,0 +1,34 @@
+# Maintainer:
+pkgname=dmidecode
+pkgver=3.1
+pkgrel=1
+pkgdesc="Utility for gathering information about system hardware"
+url="http://www.nongnu.org/dmidecode"
+arch="all"
+options="!check" # No test suite.
+license="GPL-2.0-only"
+subpackages="$pkgname-doc"
+source="http://download.savannah.gnu.org/releases/dmidecode/dmidecode-$pkgver.tar.xz
+ hpe1.patch
+ hpe2.patch
+ correctness1.patch
+ security1.patch
+ security2.patch
+ "
+
+build() {
+ cd "$builddir"
+ make prefix=/usr
+}
+
+package() {
+ cd "$builddir"
+ make prefix=/usr DESTDIR="${pkgdir}" install
+}
+
+sha512sums="226557ad5747a2a2eb54a938543373b9ddcff032d330ca3b9a066cc81c0e137028f606ffedc042e0220b523346e2f2f7abb0e4b8b34a8bd173719aa858519de9 dmidecode-3.1.tar.xz
+30faca2ef81c925278dc1d027a4a7c19ef7c9fc27d11fdf3647fd4d8cd77f524e1d159b7e7873294ece08228a99dedbdb1913f610de8a3975ce027d0570ace89 hpe1.patch
+734e388cc27e89fbaf3a3f5a875c78e04e0dabd92706a9336b504a8be6d3ede72372cc13b860cd32a66d17c8e1cb6a1d881f8fce97d01a28ea299075d0952609 hpe2.patch
+43931cce1824908dcc054e82ad5d5389ce76f6dc643b7610a9a87d59ad54ba4816b4ca16b159b7545dd1c462af956b7a1a19752dde369e24f1d10acab8f173ca correctness1.patch
+d377a7ccd809f019568cfce7eaae35cd3eed076c7347779fbc4b2a949ec81abfdd5142dc74ffd740a1b973c3bb49117537dea1e9f590290ee555dd00abc57fc9 security1.patch
+89fcf20e883ce92245eeb0136e9c6e04f4f038e582f6a46dc1d4621625137efe558ef2bfc5625b1e1576a5276f81ee4ab45a82209b0e65a0259f937bacee174a security2.patch"
diff --git a/user/dmidecode/correctness1.patch b/user/dmidecode/correctness1.patch
new file mode 100644
index 000000000..07f4f7ed7
--- /dev/null
+++ b/user/dmidecode/correctness1.patch
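Review bot: In the APKBUILD, `source=` fetches the release tarball over plain `http://`. The `sha512sums` entry pins the content, so a modified download would be rejected at build time, but using `https://download.savannah.gnu.org/releases/dmidecode/dmidecode-$pkgver.tar.xz` (if the host serves it) avoids relying on the checksum as the only integrity control. The APKBUILD also gives no hint of what `security1.patch` and `security2.patch` fix; a short comment above `source=` naming the upstream commits they were taken from (8ff32018e8dd and 4cbba9a8e76f, per the patch headers) would make later audits and version bumps easier.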
@@ -0,0 +1,30 @@
+From 174387405e98cd94c627832ae23abcb9be7e5623 Mon Sep 17 00:00:00 2001
+From: Jean Delvare
+Date: Wed, 31 Jan 2018 18:52:47 +0100
+Subject: dmidecode: Fix firmware version of TPM device
+
+Both the operator (detected by clang, reported by Xorg) and the mask
+for the minor firmware version field of TPM devices were wrong.
+
+Signed-off-by: Jean Delvare
+Fixes: 48a8132058a0 ("dmidecode: Add support for structure type 43 (TPM Device)")
+---
+ dmidecode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index 87faaa9..a593170 100644
+--- a/dmidecode.c
++++ b/dmidecode.c
+@@ -4511,7 +4511,7 @@ static void dmi_decode(const struct dmi_header *h, u16 ver)
+ case 0x02:
+ printf("\tFirmware Revision: %u.%u\n",
+ DWORD(data + 0x0A) >> 16,
+- DWORD(data + 0x0A) && 0xFF);
++ DWORD(data + 0x0A) & 0xFFFF);
+ /*
+ * We skip the next 4 bytes, as their
+ * format is not standardized and their
+--
+cgit v1.0-41-gc330
+
diff --git a/user/dmidecode/hpe1.patch b/user/dmidecode/hpe1.patch
new file mode 100644
index 000000000..ca294d0af
--- /dev/null
+++ b/user/dmidecode/hpe1.patch
@@ -0,0 +1,141 @@
+From ee07a1b4249560d620d05194eb8ff61b40d3ce23 Mon Sep 17 00:00:00 2001
+From: Jerry Hoemann
+Date: Wed, 13 Sep 2017 15:54:22 -0600
+Subject: dmioem: Reflect HPE's new company name
+
+After Hewlett Packard Enterprise split from Hewlett-Packard, DMI OEM
+tables reflect the new company name. Gen10 and subsequent systems will
+use HPE. Gen9 and prior systems continue to use the old "HP" name.
+
+Signed-off-by: Jerry Hoemann
+Signed-off-by: Jean Delvare
+---
+ dmioem.c | 32 +++++++++++++++++++-------------
+ 1 file changed, 19 insertions(+), 13 deletions(-)
+
+diff --git a/dmioem.c b/dmioem.c
+index 034ad9f..a032344 100644
+--- a/dmioem.c
++++ b/dmioem.c
+@@ -35,6 +35,7 @@ enum DMI_VENDORS
+ VENDOR_UNKNOWN,
+ VENDOR_HP,
+ VENDOR_ACER,
++ VENDOR_HPE,
+ };
+
+ static enum DMI_VENDORS dmi_vendor = VENDOR_UNKNOWN;
+@@ -58,12 +59,14 @@ void dmi_set_vendor(const char *s)
+
+ if (strncmp(s, "HP", len) == 0 || strncmp(s, "Hewlett-Packard", len) == 0)
+ dmi_vendor = VENDOR_HP;
++ else if (strncmp(s, "HPE", len) == 0 || strncmp(s, "Hewlett Packard Enterprise", len) == 0)
++ dmi_vendor = VENDOR_HPE;
+ else if (strncmp(s, "Acer", len) == 0)
+ dmi_vendor = VENDOR_ACER;
+ }
+
+ /*
+- * HP-specific data structures are decoded here.
++ * HPE-specific data structures are decoded here.
+ *
+ * Code contributed by John Cagle and Tyler Bell.
+ */
+@@ -98,14 +101,15 @@ static int dmi_decode_hp(const struct dmi_header *h)
+ u8 *data = h->data;
+ int nic, ptr;
+ u32 feat;
++ const char *company = (dmi_vendor == VENDOR_HP) ? "HP" : "HPE";
+
+ switch (h->type)
+ {
+ case 204:
+ /*
+- * Vendor Specific: HP ProLiant System/Rack Locator
++ * Vendor Specific: HPE ProLiant System/Rack Locator
+ */
+- printf("HP ProLiant System/Rack Locator\n");
++ printf("%s ProLiant System/Rack Locator\n", company);
+ if (h->length < 0x0B) break;
+ printf("\tRack Name: %s\n", dmi_string(h, data[0x04]));
+ printf("\tEnclosure Name: %s\n", dmi_string(h, data[0x05]));
+@@ -119,7 +123,7 @@ static int dmi_decode_hp(const struct dmi_header *h)
+ case 209:
+ case 221:
+ /*
+- * Vendor Specific: HP ProLiant NIC MAC Information
++ * Vendor Specific: HPE ProLiant NIC MAC Information
+ *
+ * This prints the BIOS NIC number,
+ * PCI bus/device/function, and MAC address
+@@ -137,9 +141,10 @@ static int dmi_decode_hp(const struct dmi_header *h)
+ *
+ * Type 221: is deprecated in the latest docs
+ */
+- printf(h->type == 221 ?
+- "HP BIOS iSCSI NIC PCI and MAC Information\n" :
+- "HP BIOS PXE NIC PCI and MAC Information\n");
++ printf("%s %s\n", company,
++ h->type == 221 ?
++ "BIOS iSCSI NIC PCI and MAC Information" :
++ "BIOS PXE NIC PCI and MAC Information");
+ nic = 1;
+ ptr = 4;
+ while (h->length >= ptr + 8)
+@@ -155,7 +160,7 @@ static int dmi_decode_hp(const struct dmi_header *h)
+
+ case 233:
+ /*
+- * Vendor Specific: HP ProLiant NIC MAC Information
++ * Vendor Specific: HPE ProLiant NIC MAC Information
+ *
+ * This prints the BIOS NIC number,
+ * PCI bus/device/function, and MAC address
+@@ -171,7 +176,7 @@ static int dmi_decode_hp(const struct dmi_header *h)
+ * 0x08 | MAC | 32B | MAC addr padded w/ 0s
+ * 0x28 | Port No| BYTE | Each NIC maps to a Port
+ */
+- printf("HP BIOS PXE NIC PCI and MAC Information\n");
++ printf("%s BIOS PXE NIC PCI and MAC Information\n", company);
+ if (h->length < 0x0E) break;
+ /* If the record isn't long enough, we don't have an ID
+ * use 0xFF to use the internal counter.
+@@ -183,11 +188,11 @@ static int dmi_decode_hp(const struct dmi_header *h)
+
+ case 212:
+ /*
+- * Vendor Specific: HP 64-bit CRU Information
++ * Vendor Specific: HPE 64-bit CRU Information
+ *
+ * Source: hpwdt kernel driver
+ */
+- printf("HP 64-bit CRU Information\n");
++ printf("%s 64-bit CRU Information\n", company);
+ if (h->length < 0x18) break;
+ printf("\tSignature: 0x%08x", DWORD(data + 0x04));
+ if (is_printable(data + 0x04, 4))
+@@ -208,11 +213,11 @@ static int dmi_decode_hp(const struct dmi_header *h)
+
+ case 219:
+ /*
+- * Vendor Specific: HP ProLiant Information
++ * Vendor Specific: HPE ProLiant Information
+ *
+ * Source: hpwdt kernel driver
+ */
+- printf("HP ProLiant Information\n");
++ printf("%s ProLiant Information\n", company);
+ if (h->length < 0x08) break;
+ printf("\tPower Features: 0x%08x\n", DWORD(data + 0x04));
+ if (h->length < 0x0C) break;
+@@ -281,6 +286,7 @@ int dmi_decode_oem(const struct dmi_header *h)
+ switch (dmi_vendor)
+ {
+ case VENDOR_HP:
++ case VENDOR_HPE:
+ return dmi_decode_hp(h);
+ case VENDOR_ACER:
+ return dmi_decode_acer(h);
+--
+cgit v1.0-41-gc330
+
diff --git a/user/dmidecode/hpe2.patch b/user/dmidecode/hpe2.patch
new file mode 100644
index 000000000..9d9e660b6
--- /dev/null
+++ b/user/dmidecode/hpe2.patch
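Review bot: In hpe1.patch, the new `else if (strncmp(s, "HPE", len) == 0 || ...)` branch of dmi_set_vendor() sits after the HP test and uses the same `strncmp(..., len)` form, which compares only the first `len` bytes. `len` is computed outside the hunk; if it is the length of `s`, a vendor string that is merely a prefix of a known name (or is empty) already satisfies the HP test and never reaches the HPE branch, and this value decides which OEM decoder parses the vendor-specific structures. Requiring the length to match as well, e.g. `len == strlen("HPE") && strncmp(s, "HPE", len) == 0`, makes each match exact. The prefix behaviour of the HP and Acer tests predates this patch, and the function body starts outside the hunk.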
@@ -0,0 +1,36 @@
+From 2ba4fab210e23cc97db57217af9a6f3b35a9b666 Mon Sep 17 00:00:00 2001
+From: Jerry Hoemann
+Date: Wed, 11 Apr 2018 14:33:20 +0200
+Subject: dmioem: decode HPE UEFI type 219 Misc Features
+
+The incorrect "Misc Feature" bit in type 219 table was being used to
+identify that the platform is capable of booting with UEFI.
+
+For corresponding kernel change please see:
+
+ commit(c42cbe41727a)
+
+in linux.
+
+Signed-off-by: Jerry Hoemann
+Signed-off-by: Jean Delvare
+---
+ dmioem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dmioem.c b/dmioem.c
+index 8a72ac9..1742330 100644
+--- a/dmioem.c
++++ b/dmioem.c
+@@ -268,7 +268,7 @@ static int dmi_decode_hp(const struct dmi_header *h)
+ feat = DWORD(data + 0x10);
+ printf("\tMisc. Features: 0x%08x\n", feat);
+ printf("\t\tiCRU: %s\n", feat & 0x0001 ? "Yes" : "No");
+- printf("\t\tUEFI: %s\n", feat & 0x0408 ? "Yes" : "No");
++ printf("\t\tUEFI: %s\n", feat & 0x1400 ? "Yes" : "No");
+ break;
+
+ default:
+--
+cgit v1.0-41-gc330
+
diff --git a/user/dmidecode/security1.patch b/user/dmidecode/security1.patch
new file mode 100644
index 000000000..da4bc9815
--- /dev/null
+++ b/user/dmidecode/security1.patch
@@ -0,0 +1,55 @@
+From 8ff32018e8dd53c26d1f0daef118037fdae58c68 Mon Sep 17 00:00:00 2001
+From: Jean Delvare
+Date: Wed, 1 Aug 2018 09:54:45 +0200
+Subject: dmidecode: Avoid OOB read on invalid entry point length
+
+Don't let the entry point checksum verification run beyond the end of
+the buffer holding it (32 bytes).
+
+This bug was discovered by Lionel Debroux using the AFL fuzzer and
+AddressSanitizer.
+
+Signed-off-by: Jean Delvare
+---
+ dmidecode.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index fa6ecf1..474ca7b 100644
+--- a/dmidecode.c
++++ b/dmidecode.c
+@@ -4928,6 +4928,15 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+ u32 ver;
+ u64 offset;
+
++ /* Don't let checksum run beyond the buffer */
++ if (buf[0x06] > 0x20)
++ {
++ fprintf(stderr,
++ "Entry point length too large (%u bytes, expected %u).\n",
++ (unsigned int)buf[0x06], 0x18U);
++ return 0;
++ }
++
+ if (!checksum(buf, buf[0x06]))
+ return 0;
+
+@@ -4966,6 +4975,15 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+ {
+ u16 ver;
+
++ /* Don't let checksum run beyond the buffer */
++ if (buf[0x05] > 0x20)
++ {
++ fprintf(stderr,
++ "Entry point length too large (%u bytes, expected %u).\n",
++ (unsigned int)buf[0x05], 0x1FU);
++ return 0;
++ }
++
+ if (!checksum(buf, buf[0x05])
+ || memcmp(buf + 0x10, "_DMI_", 5) != 0
+ || !checksum(buf + 0x10, 0x0F))
+--
+cgit v1.0-41-gc330
+
diff --git a/user/dmidecode/security2.patch b/user/dmidecode/security2.patch
new file mode 100644
index 000000000..c758f2ff3
--- /dev/null
+++ b/user/dmidecode/security2.patch
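Review bot: In security1.patch, both new guards bound the entry-point length only from above (`buf[0x06] > 0x20` in smbios3_decode(), `buf[0x05] > 0x20` in smbios_decode()), although the messages name 0x18 and 0x1F as the expected values. A length below the expected one still passes, so the checksum then covers fewer bytes than the header fields the functions go on to read (those reads are outside the hunk), and a zero length may verify trivially depending on how `checksum()` handles it. For the 64-bit entry point a lower bound such as `if (buf[0x06] < 0x18 || buf[0x06] > 0x20)` would close that gap; for the legacy entry point a warning may be safer than a hard reject, in case firmware reports a slightly short length. The literal 0x20 also duplicates the caller's buffer size, which is not visible here, so a shared named constant would keep the two in step.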
@@ -0,0 +1,98 @@
+From 4cbba9a8e76ffc640eaf7dd25acbd3c1c6504669 Mon Sep 17 00:00:00 2001
+From: Jean Delvare
+Date: Wed, 1 Aug 2018 09:54:51 +0200
+Subject: dmidecode: Validate structure completeness before decoding
+
+Ensure that the whole DMI structure fits in the announced table
+length before performing any action on it. Otherwise we might end up
+reading beyond the end of our memory buffer.
+
+This bug was discovered by Lionel Debroux using the AFL fuzzer and
+AddressSanitizer. Its probability is very low, as it requires a DMI
+table corrupted in one of two very specific ways to trigger.
+
+This bug exists since dmidecode version 2.9, although it is hard to
+test because option --from-dump was only introduced in version 2.10.
+
+Signed-off-by: Jean Delvare
+---
+ dmidecode.c | 39 ++++++++++++++++++++++-----------------
+ 1 file changed, 22 insertions(+), 17 deletions(-)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index 474ca7b..76faed9 100644
+--- a/dmidecode.c
++++ b/dmidecode.c
+@@ -4754,6 +4754,7 @@ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
+ }
+ break;
+ }
++ i++;
+
+ /* In quiet mode, stop decoding at end of table marker */
+ if ((opt.flags & FLAG_QUIET) && h.type == 127)
+@@ -4764,6 +4765,22 @@ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
+ printf("Handle 0x%04X, DMI type %d, %d bytes\n",
+ h.handle, h.type, h.length);
+
++ /* Look for the next handle */
++ next = data + h.length;
++ while ((unsigned long)(next - buf + 1) < len
++ && (next[0] != 0 || next[1] != 0))
++ next++;
++ next += 2;
++
++ /* Make sure the whole structure fits in the table */
++ if ((unsigned long)(next - buf) > len)
++ {
++ if (display && !(opt.flags & FLAG_QUIET))
++ printf("\t\n\n");
++ data = next;
++ break;
++ }
++
+ /* assign vendor for vendor-specific decodes later */
+ if (h.type == 1 && h.length >= 5)
+ dmi_set_vendor(dmi_string(&h, data[0x04]));
+@@ -4772,33 +4789,21 @@ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
+ if (h.type == 34)
+ dmi_fixup_type_34(&h, display);
+
+- /* look for the next handle */
+- next = data + h.length;
+- while ((unsigned long)(next - buf + 1) < len
+- && (next[0] != 0 || next[1] != 0))
+- next++;
+- next += 2;
+ if (display)
+ {
+- if ((unsigned long)(next - buf) <= len)
++ if (opt.flags & FLAG_DUMP)
+ {
+- if (opt.flags & FLAG_DUMP)
+- {
+- dmi_dump(&h, "\t");
+- printf("\n");
+- }
+- else
+- dmi_decode(&h, ver);
++ dmi_dump(&h, "\t");
++ printf("\n");
+ }
+- else if (!(opt.flags & FLAG_QUIET))
+- printf("\t\n\n");
++ else
++ dmi_decode(&h, ver);
+ }
+ else if (opt.string != NULL
+ && opt.string->type == h.type)
+ dmi_table_string(&h, data, ver);
+
+ data = next;
+- i++;
+
+ /* SMBIOS v3 requires stopping at this marker */
+ if (h.type == 127 && (flags & FLAG_STOP_AT_EOT))
+--
+cgit v1.0-41-gc330
+
--
cgit v1.2.3-70-g09d2
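Review bot: In security2.patch, the new completeness check in dmi_table_decode() works on a pointer that may already lie beyond the table: `next = data + h.length` is formed before anything relates `h.length` to `len`, and `next += 2` can move it further past `buf + len`. The scan loop does not dereference out of range, but forming a pointer more than one element past the end of the buffer is undefined behaviour in C, so the guard depends on the compiler not exploiting that. Comparing offsets first, i.e. testing `h.length` against `len - (data - buf)` before the addition, keeps the arithmetic inside the buffer; that assumes the loop condition, which is outside the hunk, already guarantees `data - buf <= len`. The code that consumes `data` after the `break` is also outside the hunk.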