| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 Apr 2015 18:17:15 +0300
From: "Ivan.khoronzhuk" <ivan.khoronzhuk@...ballogic.com>
To: Jean Delvare <jdelvare@...e.de>,
LKML <linux-kernel@...r.kernel.org>
CC: Roy Franz <roy.franz@...aro.org>,
Matt Fleming <matt.fleming@...el.com>
Subject: Re: [PATCH] firmware: dmi_scan: Trim DMI table length before exporting
it
Hi, Jean
On 26.04.15 23:47, Jean Delvare wrote:
> The SMBIOS v3 entry points specify a maximum length for the DMI table,
> not the exact length. Thus there may be garbage after the end-of-table
> marker, which we don't want to export to user-space. Adjust dmi_len
> when we find the end-of-table marker, so that only the actual table
> payload is exported.
According to above it seems that change doesn't affect SMBIOS < 3.
>
> Signed-off-by: Jean Delvare <jdelvare@...e.de>
> Cc: Ivan Khoronzhuk <ivan.khoronzhuk@...ballogic.com>
> ---
> drivers/firmware/dmi_scan.c | 15 ++++++++++-----
> 1 file changed, 10 insertions(+), 5 deletions(-)
>
> --- linux-4.1-rc0.orig/drivers/firmware/dmi_scan.c 2015-04-26 18:56:15.657111185 +0200
> +++ linux-4.1-rc0/drivers/firmware/dmi_scan.c 2015-04-26 22:42:59.183547584 +0200
> @@ -108,15 +108,19 @@ static void dmi_decode_table(u8 *buf,
> if (data - buf < dmi_len - 1)
> decode(dm, private_data);
>
> + data += 2;
> + i++;
> +
> /*
> * 7.45 End-of-Table (Type 127) [SMBIOS reference spec v3.0.0]
> */
> if (dm->type == DMI_ENTRY_END_OF_TABLE)
> break;
> -
> - data += 2;
> - i++;
> }
> +
> + /* Trim DMI table length if needed */
> + if (dmi_len > data - buf)
> + dmi_len = data - buf;
Why is it checked here? Wouldn't be better to simply assign: dmi_len =
data - buf;
I guess it's supposed to not trim table in case of exit by i<dmi_num or
even !dmi_num.
But in this case, probably, it be better to do it in the cycle:
if (dmi->type == DMI_ENTRY_END_OF_TABLE) {
dmi_len = data - buf;
break;
}
just to avoid redundant check.
But question is, what if we exit by i<dmi_num?
Wouldn't be better to trim buffer in such case also?
> }
>
> static phys_addr_t dmi_base;
> @@ -125,8 +129,9 @@ static int __init dmi_walk_early(void (*
> void *))
> {
> u8 *buf;
> + u32 orig_dmi_len = dmi_len;
>
> - buf = dmi_early_remap(dmi_base, dmi_len);
> + buf = dmi_early_remap(dmi_base, orig_dmi_len);
> if (buf == NULL)
> return -1;
>
> @@ -134,7 +139,7 @@ static int __init dmi_walk_early(void (*
>
> add_device_randomness(buf, dmi_len);
>
> - dmi_early_unmap(buf, dmi_len);
> + dmi_early_unmap(buf, orig_dmi_len);
> return 0;
> }
>
>
--
Regards,
Ivan Khoronzhuk
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists