From e0c7cfd702fbc56b2bff5f7ccb0623bd1bda24fe Mon Sep 17 00:00:00 2001
From: "A. Wilcox"
Date: Thu, 2 Aug 2018 07:05:08 +0000
Subject: user/dmidecode: pull in from Alpine, add upstream-recommended patches
---
 user/dmidecode/security1.patch | 55 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 user/dmidecode/security1.patch
(limited to 'user/dmidecode/security1.patch')
diff --git a/user/dmidecode/security1.patch b/user/dmidecode/security1.patch
new file mode 100644
index 000000000..da4bc9815
--- /dev/null
+++ b/user/dmidecode/security1.patch
@@ -0,0 +1,55 @@
+From 8ff32018e8dd53c26d1f0daef118037fdae58c68 Mon Sep 17 00:00:00 2001
+From: Jean Delvare
+Date: Wed, 1 Aug 2018 09:54:45 +0200
+Subject: dmidecode: Avoid OOB read on invalid entry point length
+
+Don't let the entry point checksum verification run beyond the end of
+the buffer holding it (32 bytes).
+
+This bug was discovered by Lionel Debroux using the AFL fuzzer and
+AddressSanitizer.
+
+Signed-off-by: Jean Delvare
+---
+ dmidecode.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index fa6ecf1..474ca7b 100644
+--- a/dmidecode.c
++++ b/dmidecode.c
+@@ -4928,6 +4928,15 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+ u32 ver;
+ u64 offset;
+
++ /* Don't let checksum run beyond the buffer */
++ if (buf[0x06] > 0x20)
++ {
++ fprintf(stderr,
++ "Entry point length too large (%u bytes, expected %u).\n",
++ (unsigned int)buf[0x06], 0x18U);
++ return 0;
++ }
++
+ if (!checksum(buf, buf[0x06]))
+ return 0;
+
+@@ -4966,6 +4975,15 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+ {
+ u16 ver;
+
++ /* Don't let checksum run beyond the buffer */
++ if (buf[0x05] > 0x20)
++ {
++ fprintf(stderr,
++ "Entry point length too large (%u bytes, expected %u).\n",
++ (unsigned int)buf[0x05], 0x1FU);
++ return 0;
++ }
++
+ if (!checksum(buf, buf[0x05])
+ || memcmp(buf + 0x10, "_DMI_", 5) != 0
+ || !checksum(buf + 0x10, 0x0F))
+--
+cgit v1.0-41-gc330
+
--
cgit v1.2.3-60-g2f50
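Review bot: In both added guards the error message reports the expected length as 0x18 (smbios3_decode) or 0x1F (smbios_decode) while the condition only rejects values above 0x20, so a length between the expected value and 0x20 is accepted silently and a length of 0x21 is reported against an "expected" value the check never enforces. The guard does close the out-of-bounds read the patch describes, since 0x20 matches the 32-byte buffer named in its commit message, so the defect is in the wording rather than the bound. As this file appears to be a copy of upstream commit 8ff32018e8dd53c26d1f0daef118037fdae58c68 I would not edit it in the package; the inconsistency is worth raising upstream, for example by changing the message to `"Entry point length too large (%u bytes, maximum %u).\n"` and passing `0x20U` as the second argument in both places. Both smbios3_decode and smbios_decode start before and continue after their hunks.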