| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 4 Oct 2019 17:20:03 +0200
From: Jean Delvare <jdelvare@...e.de>
To: LKML <linux-kernel@...r.kernel.org>
Cc: Tony Luck <tony.luck@...el.com>, Borislav Petkov <bp@...e.de>
Subject: [PATCH] firmware: dmi: Fix unlikely out-of-bounds read in
save_mem_devices
Before reading the Extended Size field, we should ensure it fits in
the DMI record. There is already a record length check but it does
not cover that field.
It would take a seriously corrupted DMI table to hit that bug, so no
need to worry, but we should still fix it.
Signed-off-by: Jean Delvare <jdelvare@...e.de>
Fixes: 6deae96b42eb ("firmware, DMI: Add function to look up a handle and return DIMM size")
Cc: Tony Luck <tony.luck@...el.com>
Cc: Borislav Petkov <bp@...e.de>
---
drivers/firmware/dmi_scan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-5.3.orig/drivers/firmware/dmi_scan.c 2019-10-04 16:14:24.575714482 +0200
+++ linux-5.3/drivers/firmware/dmi_scan.c 2019-10-04 16:18:18.878669652 +0200
@@ -408,7 +408,7 @@ static void __init save_mem_devices(cons
bytes = ~0ull;
else if (size & 0x8000)
bytes = (u64)(size & 0x7fff) << 10;
- else if (size != 0x7fff)
+ else if (size != 0x7fff || dm->length < 0x20)
bytes = (u64)size << 20;
else
bytes = (u64)get_unaligned((u32 *)&d[0x1C]) << 20;
--
Jean Delvare
SUSE L3 Support
Powered by blists - more mailing lists