From patchwork Thu Oct 15 18:25:27 2020
X-Patchwork-Submitter: Heinrich Schuchardt
X-Patchwork-Id: 1382853
From: Heinrich Schuchardt
To: fwts-devel@lists.ubuntu.com
Cc: Heinrich Schuchardt
Subject: [PATCH 1/1] lib: avoid bus error in fwts_safe_memcpy
Date: Thu, 15 Oct 2020 20:25:27 +0200
Message-Id: <20201015182527.3448-1-xypron.glpk@gmx.de>
List-Id: Firmware Test Suite Development

The glibc 2.31 implementation of memcpy() may read 8 bytes at once, even if
this exceeds the source buffer. This can lead to a bus error.

Without this patch 'sudo fwts dmicheck -' results in an error when reading
the SMBIOS table on my system:

    Test 1 of 4: Find and test SMBIOS Table Entry Points.
    This test tries to find and sanity check the SMBIOS data structures.
    Cannot read mmap'd SMBIOS entry at 0x0x7aef3000
    SMBIOS entry loaded from /sys/firmware/dmi/tables/smbios_entry_point
    FAILED [HIGH] SMBIOSNoEntryPoint: Test 1, Could not find any SMBIOS Table Entry Points.

    Test 2 of 4: Test DMI/SMBIOS tables for errors.
    SKIPPED: Test 2, Cannot find SMBIOS or DMI table entry, skip the test.

The reason is a bus error caught inside fwts_safe_memcpy():

    Caught SIGNAL 7 (Bus error), aborting.
    Backtrace:
    0x0000ffff8e77d848 fwts/src/lib/src/.libs/libfwts.so.1(+0x16848)
    0x0000ffff8e8fc7bc linux-vdso.so.1(__kernel_rt_sigreturn+0)
    0x0000ffff8e6617ac /lib/aarch64-linux-gnu/libc.so.6(+0x887ac)
    0x0000ffff8e7922a4 fwts/src/lib/src/.libs/libfwts.so.1(fwts_safe_memcpy+0x44)
    0x0000ffff8e78f84c fwts/src/lib/src/.libs/libfwts.so.1(fwts_smbios_find_entry+0x6c)

The bus error is avoided by replacing memcpy() with a copy loop that does
not read outside the copied range:

    PASSED: Test 1, SMBIOS Table Entry Point Checksum is valid.
    PASSED: Test 1, SMBIOS Table Entry Point Length is valid.
    PASSED: Test 1, SMBIOS Table Entry Intermediate Anchor String _DMI_ is valid.
    PASSED: Test 1, SMBIOS Table Entry Point Intermediate Checksum is valid.
    SMBIOS table loaded from /sys/firmware/dmi/tables/DMI
    PASSED: Test 1, SMBIOS Table Entry Structure Table Address and Length looks valid.

    Test 2 of 4: Test DMI/SMBIOS tables for errors.
    SMBIOS table loaded from /sys/firmware/dmi/tables/DMI
    PASSED: Test 2, Entry @ 0x7aef3020 'BIOS Information (Type 0)'
    PASSED: Test 2, Entry @ 0x7aef3065 'System Information (Type 1)'
    PASSED: Test 2, Entry @ 0x7aef30b2 'Base Board Information (Type 2)'
    PASSED: Test 2, Entry @ 0x7aef30e0 'Chassis Information (Type 3)'

Signed-off-by: Heinrich Schuchardt --- src/lib/src/fwts_safe_mem.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) -- 2.28.0 diff --git a/src/lib/src/fwts_safe_mem.c b/src/lib/src/fwts_safe_mem.c index 2121d73c..abe6500c 100644 --- a/src/lib/src/fwts_safe_mem.c +++ b/src/lib/src/fwts_safe_mem.c @@ -53,7 +53,8 @@ int OPTIMIZE0 fwts_safe_memcpy(void *dst, const void *src, const size_t n) fwts_sig_handler_set(SIGSEGV, sig_handler, &old_segv_action); fwts_sig_handler_set(SIGBUS, sig_handler, &old_bus_action); - memcpy(dst, src, n); + for (size_t i = n; i; --i) + *(char *)dst++ = *(char *)src++; fwts_sig_handler_restore(SIGSEGV, &old_segv_action); fwts_sig_handler_restore(SIGBUS, &old_bus_action);
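
Review bot: In the added loop body `*(char *)dst++ = *(char *)src++;` the postfix `++` binds tighter than the cast, so it increments the `void *` and `const void *` parameters themselves; that is arithmetic on void pointers, which is a GNU extension rather than standard C, and the cast on the right-hand side also drops the `const` qualifier of `src`. Copying through typed locals, for example `unsigned char *d = dst; const unsigned char *s = src;` followed by `*d++ = *s++;` in the loop, keeps the same byte-by-byte behaviour without either issue. The loop also carries no comment saying why memcpy() must not be used here, and its byte-wise reads only stay byte-wise as long as the compiler does not recognise the loop as a copy idiom and turn it back into a memcpy() call; the `OPTIMIZE0` attribute in the function signature presumably prevents that today, so a one-line comment tying the loop to the over-read described in the commit message (and, if wanted, a `volatile`-qualified source pointer) would stop a later cleanup from reintroducing the bus error.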