lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 17 Apr 2024 19:33:47 +0200
From: Jean Delvare <jdelvare@...e.de>
To: Michael Kelley <mhklinux@...look.com>, Michael Schierl <schierlm@....de>
Cc: "linux-hyperv@...r.kernel.org" <linux-hyperv@...r.kernel.org>, 
	"linux-kernel@...r.kernel.org"
	 <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] firmware: dmi: Stop decoding on broken entry

Hi Michael,

On Wed, 2024-04-17 at 15:43 +0000, Michael Kelley wrote:
> From: Jean Delvare <jdelvare@...e.de> Sent: Wednesday, April 17, 2024 8:34 AM
> > 
> > If a DMI table entry is shorter than 4 bytes, it is invalid. Due to
> > how DMI table parsing works, it is impossible to safely recover from
> > such an error, so we have to stop decoding the table.
> > 
> > Signed-off-by: Jean Delvare <jdelvare@...e.de>
> > Link: https://lore.kernel.org/linux-kernel/Zh2K3-HLXOesT_vZ@liuwe-devbox-debian-v2/T/
> > ---
> > Michael, can you please test this patch and confirm that it prevents
> > the early oops?
> > 
> > The root cause of the DMI table corruption still needs to be
> > investigated.
> > 
> >  drivers/firmware/dmi_scan.c |   11 +++++++++++
> >  1 file changed, 11 insertions(+)
> > 
> > --- linux-6.8.orig/drivers/firmware/dmi_scan.c
> > +++ linux-6.8/drivers/firmware/dmi_scan.c
> > @@ -102,6 +102,17 @@ static void dmi_decode_table(u8 *buf,
> >                 const struct dmi_header *dm = (const struct dmi_header *)data;
> > 
> >                 /*
> > +                * If a short entry is found (less than 4 bytes), not only it
> > +                * is invalid, but we cannot reliably locate the next entry.
> > +                */
> > +               if (dm->length < sizeof(struct dmi_header)) {
> > +                       pr_warn(FW_BUG
> > +                               "Corrupted DMI table (only %d entries processed)\n",
> > +                               i);
> 
> It would be useful to also output the three header fields: type, handle, and length,

I object. The most likely cause for the length being wrong is memory
corruption. We have no idea what caused it, nor what kind of data was
written over the DMI table, so leaking the information to user-space
doesn't sound like a good idea, even if it's only 4 bytes.

Furthermore, the data in question is essentially useless anyway. It is
likely to lead the person investigating the bug into the wrong
direction by interpreting essentially random data as type, handle and
length.

> and perhaps also the offset of the header in the DMI blob (i.e., "data - buf").

I could do that, as it isn't leaking any information, and this could be
used to compute the memory address at which the corruption was
detected, which is probably more useful than the number of the
corrupted entry. Thanks for the suggestion.

> When looking at the error reported by user space dmidecode, the first thing
> I did was add those fields to the error message.

And this did not give you any further insight, did it?

-- 
Jean Delvare
SUSE L3 Support

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ