| Message ID | 20180904204016.5038-1-alex.hung@canonical.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | dmicheck: fix incorrect boundary checks for various types | expand |
On 09/05/2018 04:40 AM, Alex Hung wrote: > Fixes include boundary checks for type 17, 26, 27, 28, 29, 38 and 43. > > Signed-off-by: Alex Hung <alex.hung@canonical.com> > --- > src/dmi/dmicheck/dmicheck.c | 18 +++++++++++------- > 1 file changed, 11 insertions(+), 7 deletions(-) > > diff --git a/src/dmi/dmicheck/dmicheck.c b/src/dmi/dmicheck/dmicheck.c > index 8497c2ab..97305eca 100644 > --- a/src/dmi/dmicheck/dmicheck.c > +++ b/src/dmi/dmicheck/dmicheck.c > @@ -1475,11 +1475,13 @@ static void dmicheck_entry(fwts_framework *fw, > dmi_str_check(fw, table, addr, "Serial Number", hdr, 0x18); > dmi_str_check(fw, table, addr, "Asset Tag", hdr, 0x19); > dmi_str_check(fw, table, addr, "Part Number", hdr, 0x1a); > - if (hdr->length < 0x20) > + if (hdr->length < 0x1c) > break; > dmi_reserved_bits_check(fw, table, addr, "Attributes", hdr, sizeof(uint8_t), 0x1b, 4, 7); > + if (hdr->length < 0x20) > + break; > dmi_reserved_bits_check(fw, table, addr, "Extended Size", hdr, sizeof(uint32_t), 0x1c, 31, 31); > - if (hdr->length < 0x28) > + if (hdr->length < 0x3c) > break; > dmi_min_max_uint8_check(fw, table, addr, "Memory Technology", hdr, 0x28, 0x1, 0x7); > dmi_reserved_bits_check(fw, table, addr, "Memory Operating Mode Cap", hdr, sizeof(uint16_t), 0x29, 6, 15); > @@ -1614,7 +1616,7 @@ static void dmicheck_entry(fwts_framework *fw, > > case 26: /* 7.27 */ > table = "Voltage Probe (Type 26)"; > - if (hdr->length < 0x14) > + if (hdr->length < 0x16) > break; > dmi_str_check(fw, table, addr, "Description", hdr, 0x4); > dmi_min_max_mask_uint8_check(fw, table, addr, "Location (bits 0..4)", hdr, 0x5, 0x1, 0xb, 0, 0x1f); > @@ -1623,7 +1625,7 @@ static void dmicheck_entry(fwts_framework *fw, > > case 27: /* 7.28 */ > table = "Cooling Device (Type 27)"; > - if (hdr->length < 0xc) > + if (hdr->length < 0xe) > break; > val = data[0x06] & 0x1f; > if (!(((val >= 0x01) && (val <= 0x09)) || > @@ -1643,7 +1645,7 @@ static void dmicheck_entry(fwts_framework *fw, > > case 28: /* 7.29 */ > table = "Temperature Probe (Type 28)"; > - if (hdr->length < 0x14) > + if (hdr->length < 0x16) > break; > dmi_str_check(fw, table, addr, "Description", hdr, 0x4); > dmi_min_max_mask_uint8_check(fw, table, addr, "Location (bits 0..4)", hdr, 0x5, 0x1, 0xf, 0, 0x1f); > @@ -1652,7 +1654,7 @@ static void dmicheck_entry(fwts_framework *fw, > > case 29: /* 7.30 */ > table = "Electrical Current Probe (Type 29)"; > - if (hdr->length < 0x14) > + if (hdr->length < 0x16) > break; > dmi_str_check(fw, table, addr, "Description", hdr, 0x4); > dmi_min_max_mask_uint8_check(fw, table, addr, "Location (bits 0..4)", hdr, 0x5, 0x1, 0xb, 0, 0x1f); > @@ -1732,6 +1734,8 @@ static void dmicheck_entry(fwts_framework *fw, > > case 38: /* 7.39 */ > table = "IPMI Device Information (Type 38)"; > + if (hdr->length < 0x12) > + break; > dmi_min_max_uint8_check(fw, table, addr, "Interface Type", hdr, 0x4, 0x0, 0x4); > > dmi_reserved_bits_check(fw, table, addr, "Base Addr Modifier/Interrupt Info", hdr, sizeof(uint8_t), 0x10, 2, 2); > @@ -1782,7 +1786,7 @@ static void dmicheck_entry(fwts_framework *fw, > > case 43: /* 7.44 */ > table = "TPM Device (Type 43)"; > - if (hdr->length < 0x16) > + if (hdr->length < 0x1b) > break; > dmi_str_check(fw, table, addr, "Description", hdr, 0x12); > dmi_reserved_bits_check(fw, table, addr, "Characteristics", hdr, sizeof(uint64_t), 0x13, 6, 63); Acked-by: Ivan Hu <ivan.hu@canonical.com>
On 04/09/18 21:40, Alex Hung wrote: > Fixes include boundary checks for type 17, 26, 27, 28, 29, 38 and 43. > > Signed-off-by: Alex Hung <alex.hung@canonical.com> > --- > src/dmi/dmicheck/dmicheck.c | 18 +++++++++++------- > 1 file changed, 11 insertions(+), 7 deletions(-) > > diff --git a/src/dmi/dmicheck/dmicheck.c b/src/dmi/dmicheck/dmicheck.c > index 8497c2ab..97305eca 100644 > --- a/src/dmi/dmicheck/dmicheck.c > +++ b/src/dmi/dmicheck/dmicheck.c > @@ -1475,11 +1475,13 @@ static void dmicheck_entry(fwts_framework *fw, > dmi_str_check(fw, table, addr, "Serial Number", hdr, 0x18); > dmi_str_check(fw, table, addr, "Asset Tag", hdr, 0x19); > dmi_str_check(fw, table, addr, "Part Number", hdr, 0x1a); > - if (hdr->length < 0x20) > + if (hdr->length < 0x1c) > break; > dmi_reserved_bits_check(fw, table, addr, "Attributes", hdr, sizeof(uint8_t), 0x1b, 4, 7); > + if (hdr->length < 0x20) > + break; > dmi_reserved_bits_check(fw, table, addr, "Extended Size", hdr, sizeof(uint32_t), 0x1c, 31, 31); > - if (hdr->length < 0x28) > + if (hdr->length < 0x3c) > break; > dmi_min_max_uint8_check(fw, table, addr, "Memory Technology", hdr, 0x28, 0x1, 0x7); > dmi_reserved_bits_check(fw, table, addr, "Memory Operating Mode Cap", hdr, sizeof(uint16_t), 0x29, 6, 15); > @@ -1614,7 +1616,7 @@ static void dmicheck_entry(fwts_framework *fw, > > case 26: /* 7.27 */ > table = "Voltage Probe (Type 26)"; > - if (hdr->length < 0x14) > + if (hdr->length < 0x16) > break; > dmi_str_check(fw, table, addr, "Description", hdr, 0x4); > dmi_min_max_mask_uint8_check(fw, table, addr, "Location (bits 0..4)", hdr, 0x5, 0x1, 0xb, 0, 0x1f); > @@ -1623,7 +1625,7 @@ static void dmicheck_entry(fwts_framework *fw, > > case 27: /* 7.28 */ > table = "Cooling Device (Type 27)"; > - if (hdr->length < 0xc) > + if (hdr->length < 0xe) > break; > val = data[0x06] & 0x1f; > if (!(((val >= 0x01) && (val <= 0x09)) || > @@ -1643,7 +1645,7 @@ static void dmicheck_entry(fwts_framework *fw, > > case 28: /* 7.29 */ > table = "Temperature Probe (Type 28)"; > - if (hdr->length < 0x14) > + if (hdr->length < 0x16) > break; > dmi_str_check(fw, table, addr, "Description", hdr, 0x4); > dmi_min_max_mask_uint8_check(fw, table, addr, "Location (bits 0..4)", hdr, 0x5, 0x1, 0xf, 0, 0x1f); > @@ -1652,7 +1654,7 @@ static void dmicheck_entry(fwts_framework *fw, > > case 29: /* 7.30 */ > table = "Electrical Current Probe (Type 29)"; > - if (hdr->length < 0x14) > + if (hdr->length < 0x16) > break; > dmi_str_check(fw, table, addr, "Description", hdr, 0x4); > dmi_min_max_mask_uint8_check(fw, table, addr, "Location (bits 0..4)", hdr, 0x5, 0x1, 0xb, 0, 0x1f); > @@ -1732,6 +1734,8 @@ static void dmicheck_entry(fwts_framework *fw, > > case 38: /* 7.39 */ > table = "IPMI Device Information (Type 38)"; > + if (hdr->length < 0x12) > + break; > dmi_min_max_uint8_check(fw, table, addr, "Interface Type", hdr, 0x4, 0x0, 0x4); > > dmi_reserved_bits_check(fw, table, addr, "Base Addr Modifier/Interrupt Info", hdr, sizeof(uint8_t), 0x10, 2, 2); > @@ -1782,7 +1786,7 @@ static void dmicheck_entry(fwts_framework *fw, > > case 43: /* 7.44 */ > table = "TPM Device (Type 43)"; > - if (hdr->length < 0x16) > + if (hdr->length < 0x1b) > break; > dmi_str_check(fw, table, addr, "Description", hdr, 0x12); > dmi_reserved_bits_check(fw, table, addr, "Characteristics", hdr, sizeof(uint64_t), 0x13, 6, 63); > Good catches! Acked-by: Colin Ian King <colin.king@canonical.com>
diff --git a/src/dmi/dmicheck/dmicheck.c b/src/dmi/dmicheck/dmicheck.c index 8497c2ab..97305eca 100644 --- a/src/dmi/dmicheck/dmicheck.c +++ b/src/dmi/dmicheck/dmicheck.c @@ -1475,11 +1475,13 @@ static void dmicheck_entry(fwts_framework *fw, dmi_str_check(fw, table, addr, "Serial Number", hdr, 0x18); dmi_str_check(fw, table, addr, "Asset Tag", hdr, 0x19); dmi_str_check(fw, table, addr, "Part Number", hdr, 0x1a); - if (hdr->length < 0x20) + if (hdr->length < 0x1c) break; dmi_reserved_bits_check(fw, table, addr, "Attributes", hdr, sizeof(uint8_t), 0x1b, 4, 7); + if (hdr->length < 0x20) + break; dmi_reserved_bits_check(fw, table, addr, "Extended Size", hdr, sizeof(uint32_t), 0x1c, 31, 31); - if (hdr->length < 0x28) + if (hdr->length < 0x3c) break; dmi_min_max_uint8_check(fw, table, addr, "Memory Technology", hdr, 0x28, 0x1, 0x7); dmi_reserved_bits_check(fw, table, addr, "Memory Operating Mode Cap", hdr, sizeof(uint16_t), 0x29, 6, 15); @@ -1614,7 +1616,7 @@ static void dmicheck_entry(fwts_framework *fw, case 26: /* 7.27 */ table = "Voltage Probe (Type 26)"; - if (hdr->length < 0x14) + if (hdr->length < 0x16) break; dmi_str_check(fw, table, addr, "Description", hdr, 0x4); dmi_min_max_mask_uint8_check(fw, table, addr, "Location (bits 0..4)", hdr, 0x5, 0x1, 0xb, 0, 0x1f); @@ -1623,7 +1625,7 @@ static void dmicheck_entry(fwts_framework *fw, case 27: /* 7.28 */ table = "Cooling Device (Type 27)"; - if (hdr->length < 0xc) + if (hdr->length < 0xe) break; val = data[0x06] & 0x1f; if (!(((val >= 0x01) && (val <= 0x09)) || @@ -1643,7 +1645,7 @@ static void dmicheck_entry(fwts_framework *fw, case 28: /* 7.29 */ table = "Temperature Probe (Type 28)"; - if (hdr->length < 0x14) + if (hdr->length < 0x16) break; dmi_str_check(fw, table, addr, "Description", hdr, 0x4); dmi_min_max_mask_uint8_check(fw, table, addr, "Location (bits 0..4)", hdr, 0x5, 0x1, 0xf, 0, 0x1f); @@ -1652,7 +1654,7 @@ static void dmicheck_entry(fwts_framework *fw, case 29: /* 7.30 */ table = "Electrical Current Probe (Type 29)"; - if (hdr->length < 0x14) + if (hdr->length < 0x16) break; dmi_str_check(fw, table, addr, "Description", hdr, 0x4); dmi_min_max_mask_uint8_check(fw, table, addr, "Location (bits 0..4)", hdr, 0x5, 0x1, 0xb, 0, 0x1f); @@ -1732,6 +1734,8 @@ static void dmicheck_entry(fwts_framework *fw, case 38: /* 7.39 */ table = "IPMI Device Information (Type 38)"; + if (hdr->length < 0x12) + break; dmi_min_max_uint8_check(fw, table, addr, "Interface Type", hdr, 0x4, 0x0, 0x4); dmi_reserved_bits_check(fw, table, addr, "Base Addr Modifier/Interrupt Info", hdr, sizeof(uint8_t), 0x10, 2, 2); @@ -1782,7 +1786,7 @@ static void dmicheck_entry(fwts_framework *fw, case 43: /* 7.44 */ table = "TPM Device (Type 43)"; - if (hdr->length < 0x16) + if (hdr->length < 0x1b) break; dmi_str_check(fw, table, addr, "Description", hdr, 0x12); dmi_reserved_bits_check(fw, table, addr, "Characteristics", hdr, sizeof(uint64_t), 0x13, 6, 63);
Fixes include boundary checks for type 17, 26, 27, 28, 29, 38 and 43. Signed-off-by: Alex Hung <alex.hung@canonical.com> --- src/dmi/dmicheck/dmicheck.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-)