From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-sn1nam02on0133.outbound.protection.outlook.com ([104.47.36.133]:9440 "EHLO NAM02-SN1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1756623AbeDIAfz (ORCPT ); Sun, 8 Apr 2018 20:35:55 -0400 From: Sasha Levin To: "stable@vger.kernel.org" , "linux-kernel@vger.kernel.org" CC: Jean Delvare , Dmitry Torokhov , Andy Shevchenko , Linus Walleij , Sasha Levin Subject: [PATCH AUTOSEL for 4.4 040/162] firmware: dmi_scan: Check DMI structure length Date: Mon, 9 Apr 2018 00:28:11 +0000 Message-ID: <20180409002738.163941-40-alexander.levin@microsoft.com> References: <20180409002738.163941-1-alexander.levin@microsoft.com> In-Reply-To: <20180409002738.163941-1-alexander.levin@microsoft.com> Content-Language: en-US Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org List-ID: From: Jean Delvare [ Upstream commit a814c3597a6b6040e2ef9459748081a6d5b7312d ] Before accessing DMI data to record it for later, we should ensure that the DMI structures are large enough to contain the data in question. Signed-off-by: Jean Delvare Reviewed-by: Mika Westerberg Cc: Dmitry Torokhov Cc: Andy Shevchenko Cc: Linus Walleij Signed-off-by: Sasha Levin --- drivers/firmware/dmi_scan.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c index f1d4881dd2fc..e8eea181a601 100644 --- a/drivers/firmware/dmi_scan.c +++ b/drivers/firmware/dmi_scan.c @@ -178,7 +178,7 @@ static void __init dmi_save_ident(const struct dmi_head= er *dm, int slot, const char *d =3D (const char *) dm; const char *p; =20 - if (dmi_ident[slot]) + if (dmi_ident[slot] || dm->length <=3D string) return; =20 p =3D dmi_string(dm, d[string]); 
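Review bot: The new `dm->length <= string` test in dmi_save_ident is easy to misread, because `string` is a byte offset into the structure's formatted area rather than a string number. The comparison itself is right for the single-byte read of `d[string]`. A one-line comment above the guard would make that clear, e.g. `/* 'string' is the offset of the string-number byte; it must lie inside the formatted area */`. The guard bounds only that read: the value fetched is still handed to dmi_string(), whose handling of an out-of-range string number is not visible in this hunk. The function's signature starts outside the hunk.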
@@ -191,13 +191,14 @@ static void __init dmi_save_ident(const struct dmi_he= ader *dm, int slot, static void __init dmi_save_uuid(const struct dmi_header *dm, int slot, int index) { - const u8 *d =3D (u8 *) dm + index; + const u8 *d; char *s; int is_ff =3D 1, is_00 =3D 1, i; =20 - if (dmi_ident[slot]) + if (dmi_ident[slot] || dm->length <=3D index + 16) return; =20 + d =3D (u8 *) dm + index; for (i =3D 0; i < 16 && (is_ff || is_00); i++) { if (d[i] !=3D 0x00) is_00 =3D 0; @@ -228,16 +229,17 @@ static void __init dmi_save_uuid(const struct dmi_hea= der *dm, int slot, static void __init dmi_save_type(const struct dmi_header *dm, int slot, int index) { - const u8 *d =3D (u8 *) dm + index; + const u8 *d; char *s; =20 - if (dmi_ident[slot]) + if (dmi_ident[slot] || dm->length <=3D index) return; =20 s =3D dmi_alloc(4); if (!s) return; =20 + d =3D (u8 *) dm + index; sprintf(s, "%u", *d & 0x7F); dmi_ident[slot] =3D s; } @@ -278,9 +280,13 @@ static void __init dmi_save_devices(const struct dmi_h= eader *dm) =20 static void __init dmi_save_oem_strings_devices(const struct dmi_header *d= m) { - int i, count =3D *(u8 *)(dm + 1); + int i, count; struct dmi_device *dev; =20 + if (dm->length < 0x05) + return; + + count =3D *(u8 *)(dm + 1); for (i =3D 1; i <=3D count; i++) { const char *devname =3D dmi_string(dm, i); =20 @@ -347,6 +353,9 @@ static void __init dmi_save_extended_devices(const stru= ct dmi_header *dm) { const u8 *d =3D (u8 *) dm + 5; =20 + if (dm->length < 0x0B) + return; + /* Skip disabled device */ if ((*d & 0x80) =3D=3D 0) return; @@ -368,7 +377,7 @@ static void __init save_mem_devices(const struct dmi_he= ader *dm, void *v) const char *d =3D (const char *)dm; static int nr; =20 - if (dm->type !=3D DMI_ENTRY_MEM_DEVICE) + if (dm->type !=3D DMI_ENTRY_MEM_DEVICE || dm->length < 0x12) return; if (nr >=3D dmi_memdev_nr) { pr_warn(FW_BUG "Too many DIMM entries in SMBIOS table\n"); --=20 2.15.1
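Review bot: The length guard added to dmi_save_uuid is off by one: the loop reads `d[0]` through `d[15]`, i.e. structure bytes `index` to `index + 15`, so a structure with `dm->length == index + 16` holds the whole UUID but is rejected. The condition should be `if (dmi_ident[slot] || dm->length < index + 16)`. The error is on the safe side (no over-read), but the UUID would be silently dropped for a structure that ends exactly at the UUID field. Whether shipping firmware emits such a structure cannot be told from this page. The rest of the function body lies outside the hunk.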
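Review bot: The threshold `0x05` in dmi_save_oem_strings_devices is a bare magic number, as are `0x0B` in dmi_save_extended_devices and `0x12` in save_mem_devices, so a reader cannot tell which field access each one protects. Here the guarded read is `*(u8 *)(dm + 1)`, the first byte after the header, so the intent could be stated directly as `if (dm->length < sizeof(*dm) + 1)`, or kept with a comment such as `/* header + string-count byte */`. The other two deserve a similar comment naming the highest offset the function dereferences. Tying each bound to the access it covers also makes off-by-one slips easier to spot in review.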
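Review bot: In dmi_save_extended_devices the pointer `d` is still derived from `dm` before the new length test, whereas dmi_save_uuid and dmi_save_type in this same patch were changed to derive it only after the test passes. Nothing is dereferenced before the guard, so this is harmless, but the inconsistency invites a later edit that reads through `d` too early. For uniformity, declare `const u8 *d;` and assign `d = (u8 *) dm + 5;` after the `dm->length < 0x0B` check. The only read visible in this hunk is at offset 5; the accesses that justify a bound of 0x0B are further down the function, outside the hunk.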
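Review bot: In save_mem_devices a too-short memory-device structure is now skipped silently, while the very next branch reports a malformed table with `pr_warn(FW_BUG ...)`. A truncated entry is equally a firmware defect, and a message such as `pr_warn(FW_BUG "Truncated memory device entry in SMBIOS table\n");` on that path would leave a trace for anyone diagnosing missing DIMM data. That needs the combined condition split so the type test returns quietly and only the length test warns. If `dmi_memdev_nr` comes from a separate counting pass that does not apply the same length filter (not visible here), skipped entries would also leave trailing array slots unfilled, which is worth confirming. The reads that need 0x12 bytes are outside the hunk.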