From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mx2.suse.de ([195.135.220.15]:49525 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750759AbeDIJYT (ORCPT ); Mon, 9 Apr 2018 05:24:19 -0400
Date: Mon, 9 Apr 2018 11:24:16 +0200
From: Jean Delvare
To: Sasha Levin
Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org, Dmitry Torokhov, Andy Shevchenko, Linus Walleij
Subject: Re: [PATCH AUTOSEL for 4.9 078/293] firmware: dmi_scan: Check DMI structure length
Message-ID: <20180409112416.24324f93@endymion>
In-Reply-To: <20180409002239.163177-78-alexander.levin@microsoft.com>
References: <20180409002239.163177-1-alexander.levin@microsoft.com> <20180409002239.163177-78-alexander.levin@microsoft.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: stable-owner@vger.kernel.org
List-ID:

On Mon, 9 Apr 2018 00:23:55 +0000, Sasha Levin wrote:
> From: Jean Delvare
>
> [ Upstream commit a814c3597a6b6040e2ef9459748081a6d5b7312d ]
>
> Before accessing DMI data to record it for later, we should ensure
> that the DMI structures are large enough to contain the data in
> question.
>
> Signed-off-by: Jean Delvare
> Reviewed-by: Mika Westerberg
> Cc: Dmitry Torokhov
> Cc: Andy Shevchenko
> Cc: Linus Walleij
> Signed-off-by: Sasha Levin
> ---
> drivers/firmware/dmi_scan.c | 23 ++++++++++++++++-------
> 1 file changed, 16 insertions(+), 7 deletions(-)
> (...)
> @@ -191,13 +191,14 @@ static void __init dmi_save_ident(const struct dmi_header *dm, int slot, > static void __init dmi_save_uuid(const struct dmi_header *dm, int slot, > int index) > { > - const u8 *d = (u8 *) dm + index; > + const u8 *d; > char *s; > int is_ff = 1, is_00 = 1, i; > > - if (dmi_ident[slot]) > + if (dmi_ident[slot] || dm->length <= index + 16) I'm afraid this check is off by one and nobody noticed :-( I'll send a fix-up patch. Probably harmless in practice as I have never seen a system with a DMI type 1 structure of exactly 24 bytes (would be 8 bytes for very old implementations and at least 25 for anything even remotely recent), but still not good. Sorry about that. > return; > > + d = (u8 *) dm + index; > for (i = 0; i < 16 && (is_ff || is_00); i++) { > if (d[i] != 0x00) > is_00 = 0; -- Jean Delvare SUSE L3 Support
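Review bot: the new guard in dmi_save_uuid, `if (dmi_ident[slot] || dm->length <= index + 16)`, is off by one in the strict direction: the loop that follows reads d[0] through d[15], i.e. the bytes at offsets index through index + 15, which all exist whenever dm->length is at least index + 16, so a structure of length exactly index + 16 carries a complete UUID and is wrongly skipped. The comparison should be `<` (`if (dmi_ident[slot] || dm->length < index + 16)`), which is the fix-up the reply announces. The mistake is on the safe side (the check can only reject a valid structure, never allow an over-read), so the backport does not introduce an out-of-bounds access; it only loses the UUID on the unusual case of a type 1 structure whose length is exactly index + 16 (24 bytes for the UUID at offset 8, as the reply notes). Moving `d = (u8 *) dm + index;` below the length check is the right shape regardless, since the pointer is then formed only after the bounds are known to hold.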
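To make the off-by-one discussed above concrete, here is an added, self-contained example (not code from the kernel or from this thread) that puts the hunk's guard beside the corrected one and runs both over constructed type 1 structures of 23, 24 and 25 bytes. The header layout (type, length, handle) follows the kernel's struct dmi_header, and the UUID offset of 8 is the value implied by the reply's "exactly 24 bytes" remark; the sample structure bytes and the helper names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal DMI/SMBIOS structure header; same field layout as the kernel's
 * struct dmi_header (type, length, handle). */
struct dmi_header {
    uint8_t  type;
    uint8_t  length;   /* length of the formatted area, header included */
    uint16_t handle;
};

/* Offset of the system UUID in a type 1 (System Information) structure. */
#define DMI_TYPE1_UUID_OFFSET 8
#define UUID_LEN 16

/* The guard exactly as the backported hunk writes it. It rejects a
 * structure whose length is index + 16, although that length is enough. */
static int uuid_in_bounds_patch(const struct dmi_header *dm, int index)
{
    return !(dm->length <= index + UUID_LEN);
}

/* The corrected guard: bytes index..index+15 exist iff length >= index + 16. */
static int uuid_in_bounds_fixed(const struct dmi_header *dm, int index)
{
    return !(dm->length < index + UUID_LEN);
}

/* Copy the UUID out of a raw structure only once the bounds check passes.
 * Returns 1 on success, 0 when the structure is too short for the field. */
static int dmi_read_uuid(const uint8_t *buf, int index, uint8_t out[UUID_LEN])
{
    struct dmi_header dm;
    const uint8_t *d;

    memcpy(&dm, buf, sizeof dm);       /* avoid an unaligned struct access */
    if (!uuid_in_bounds_fixed(&dm, index))
        return 0;
    d = buf + index;                   /* pointer formed only after the check */
    memcpy(out, d, UUID_LEN);
    return 1;
}

/* Build a constructed type 1 structure of the given length in buf and fill
 * whatever part of the UUID slot fits with the bytes 0x11, 0x12, ... */
static void make_type1(uint8_t *buf, size_t bufsz, uint8_t length)
{
    memset(buf, 0, bufsz);
    buf[0] = 1;                        /* type 1: System Information */
    buf[1] = length;
    buf[2] = 0;                        /* handle 0 (little-endian u16) */
    buf[3] = 0;
    for (int i = 0; i < UUID_LEN && DMI_TYPE1_UUID_OFFSET + i < length; i++)
        buf[DMI_TYPE1_UUID_OFFSET + i] = (uint8_t)(0x11 + i);
}

/* Run both guards and the reader over a structure of the given length.
 * Bit 0: hunk's guard accepts; bit 1: corrected guard accepts;
 * bit 2: the reader returned the 16 constructed UUID bytes intact. */
int verdict(uint8_t length)
{
    uint8_t buf[64], out[UUID_LEN];
    struct dmi_header dm;
    int bits = 0;

    make_type1(buf, sizeof buf, length);
    memcpy(&dm, buf, sizeof dm);
    if (uuid_in_bounds_patch(&dm, DMI_TYPE1_UUID_OFFSET))
        bits |= 1;
    if (uuid_in_bounds_fixed(&dm, DMI_TYPE1_UUID_OFFSET))
        bits |= 2;
    if (dmi_read_uuid(buf, DMI_TYPE1_UUID_OFFSET, out) &&
        out[0] == 0x11 && out[UUID_LEN - 1] == 0x11 + UUID_LEN - 1)
        bits |= 4;
    return bits;
}

int main(void)
{
    /* Length 24 is the case the reply describes: the corrected guard and the
     * reader accept it, the hunk's guard does not. */
    for (uint8_t len = 23; len <= 25; len++)
        printf("length %u: hunk guard %s, fixed guard %s, read %s\n", len,
               (verdict(len) & 1) ? "accepts" : "rejects",
               (verdict(len) & 2) ? "accepts" : "rejects",
               (verdict(len) & 4) ? "ok" : "skipped");
    return 0;
}
```

The 24-byte case is the one that separates the two guards: the reader built on the corrected comparison returns all 16 bytes without touching anything past the structure, while the hunk's comparison silently drops the UUID. Every shorter length is rejected by both, which is the behaviour the commit message asks for.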