| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 08 Jul 2013 17:49:14 +0200 From: Jean Delvare <jdelvare@...e.de> To: Ben Hutchings <ben@...adent.org.uk> Cc: linux-kernel <linux-kernel@...r.kernel.org>, Andrew Morton <akpm@...ux-foundation.org> Subject: Suspect loop in dmi_scan_machine() Hi Ben, I am looking at this commit of yours: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/drivers/firmware/dmi_scan.c?id=79bae42d51a5d498500c890c19ef76df41d2bf59 and am a little worried about the for loop in dmi_scan_machine() (non-EFI case): * The first iteration looks wrong, as you're resetting the lower half of buf to 0 instead of initializing it with the 16 first bytes of p. So if a system as its SMBIOS entry point at 0xF0000, your code won't see it. Thankfully it will get the DMI entry point, but if the version is in the SMBIOS entry point, it will be missed. * The last iteration looks wrong too, as you are reading from offsets 0x10000-0x1000F of an iomap area of size 0x10000, i.e. beyond the end of the area. You'll hit that on a machine without SMBIOS/DMI. I'm not sure what exactly happens when calling memcpy_fromio() on an unmapped area but I'm reasonably certain this is bad and shouldn't be attempted. Also, the code only looks for the DMI entry point in the second half of the buffer, so it would also miss a legacy DMI entry point at 0xF0000. Thoughts? -- Jean Delvare Suse L3 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists