| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <553674D2.10407@globallogic.com> Date: Tue, 21 Apr 2015 19:03:30 +0300 From: "Ivan.khoronzhuk" <ivan.khoronzhuk@...ballogic.com> To: Jean Delvare <jdelvare@...e.de> CC: linux-kernel@...r.kernel.org, matt.fleming@...el.com, ard.biesheuvel@...aro.org, grant.likely@...aro.org, linux-api@...r.kernel.org, linux-doc@...r.kernel.org, mikew@...gle.com, dmidecode-devel@...gnu.org, leif.lindholm@...aro.org, msalter@...hat.com, roy.franz@...aro.org Subject: Re: [Patch v2 2/3] firmware: dmi_scan: add SBMIOS entry and DMI tables Jean, On 21.04.15 18:36, Jean Delvare wrote: > Hi again Ivan, > > On Mon, 20 Apr 2015 13:19:46 +0300, Ivan Khoronzhuk wrote: >> + bin_attr_DMI.size = dmi_len; >> + bin_attr_DMI.private = dmi_table; >> + ret = sysfs_create_bin_file(tables_kobj, &bin_attr_DMI); >> + if (!ret) >> + return 0; > I just found that more work is needed here for the SMBIOS v3 entry > point case. These entry points do not specify the exact length of the > table, but only its maximum. The real world sample I have access to > indeed specifies a maximum length of 6419 bytes, but the actual table > only spans over 2373 bytes. It is properly terminated with a type 127 > DMI structure, so the kernel table parser ignores the garbage after it. > The garbage is however exported to user-space above. > > I taught dmidecode to ignore the garbage, but there are two problem > left here. First problem is a waste of memory. Minor issue I suppose, > who cares about a few kilobytes these days. > > Second problem is a security problem. We are leaking the contents of > physical memory to user-space. In my case it's filled with 0xffs so no > big deal. But what if actual data happens to be stored there? It > definitely shouldn't go to user-space. > > So dmi_len needs to be trimmed to the actual table size before the > attribute above is created. I have an idea how this could be > implemented easily, let me give it a try. > > Maybe we should trim the length for previous implementations, too. > There is no reason to walk past a type 127 structure anyway, ever. > It can happen of-cause, I've also thought about that sometime ago, but forget...). I've sent the updated series already. Let me know when your fix will be ready and I will re-base the series if it has conflicts. -- Regards, Ivan Khoronzhuk -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists