X-Patchwork-Submitter: Heinrich Schuchardt
X-Patchwork-Id: 1382955
From: Heinrich Schuchardt
To: Colin Ian King
Cc: Heinrich Schuchardt, fwts-devel@lists.ubuntu.com
Subject: [PATCH v2 1/1] lib: avoid bus error in fwts_safe_memcpy
Date: Fri, 16 Oct 2020 00:21:00 +0200
Message-Id: <20201015222100.5880-1-xypron.glpk@gmx.de>
List-Id: Firmware Test Suite Development

The glibc 2.31 implementation of memcpy() may read 8 bytes at once, even if this exceeds the source buffer. This can lead to a bus error.

Without this patch 'sudo fwts dmicheck -' results in an error when reading the SMBIOS table on my system:

    Test 1 of 4: Find and test SMBIOS Table Entry Points.
      This test tries to find and sanity check the SMBIOS data structures.
    Cannot read mmap'd SMBIOS entry at 0x0x7aef3000
    SMBIOS entry loaded from /sys/firmware/dmi/tables/smbios_entry_point
    FAILED [HIGH] SMBIOSNoEntryPoint: Test 1, Could not find any SMBIOS Table Entry Points.

    Test 2 of 4: Test DMI/SMBIOS tables for errors.
    SKIPPED: Test 2, Cannot find SMBIOS or DMI table entry, skip the test.

The reason is a bus error caught inside fwts_safe_memcpy():

    Caught SIGNAL 7 (Bus error), aborting.
    Backtrace:
    0x0000ffff8e77d848 fwts/src/lib/src/.libs/libfwts.so.1(+0x16848)
    0x0000ffff8e8fc7bc linux-vdso.so.1(__kernel_rt_sigreturn+0)
    0x0000ffff8e6617ac /lib/aarch64-linux-gnu/libc.so.6(+0x887ac)
    0x0000ffff8e7922a4 fwts/src/lib/src/.libs/libfwts.so.1(fwts_safe_memcpy+0x44)
    0x0000ffff8e78f84c fwts/src/lib/src/.libs/libfwts.so.1(fwts_smbios_find_entry+0x6c)

The bus error is avoided by replacing memcpy() with a copy loop that does not read outside the copied range:

    PASSED: Test 1, SMBIOS Table Entry Point Checksum is valid.
    PASSED: Test 1, SMBIOS Table Entry Point Length is valid.
    PASSED: Test 1, SMBIOS Table Entry Intermediate Anchor String _DMI_ is valid.
    PASSED: Test 1, SMBIOS Table Entry Point Intermediate Checksum is valid.
    SMBIOS table loaded from /sys/firmware/dmi/tables/DMI
    PASSED: Test 1, SMBIOS Table Entry Structure Table Address and Length looks valid.

    Test 2 of 4: Test DMI/SMBIOS tables for errors.
    SMBIOS table loaded from /sys/firmware/dmi/tables/DMI
    PASSED: Test 2, Entry @ 0x7aef3020 'BIOS Information (Type 0)'
    PASSED: Test 2, Entry @ 0x7aef3065 'System Information (Type 1)'
    PASSED: Test 2, Entry @ 0x7aef30b2 'Base Board Information (Type 2)'
    PASSED: Test 2, Entry @ 0x7aef30e0 'Chassis Information (Type 3)'

Signed-off-by: Heinrich Schuchardt Acked-by: Alex Hung Acked-by: Ivan Hu --- v2: move variable declaration to start of function --- src/lib/src/fwts_safe_mem.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) -- 2.28.0 diff --git a/src/lib/src/fwts_safe_mem.c b/src/lib/src/fwts_safe_mem.c index 2121d73c..15522b64 100644 --- a/src/lib/src/fwts_safe_mem.c +++ b/src/lib/src/fwts_safe_mem.c @@ -48,12 +48,15 @@ static void sig_handler(int dummy) */ int OPTIMIZE0 fwts_safe_memcpy(void *dst, const void *src, const size_t n) { + size_t i; + if (sigsetjmp(jmpbuf, 1) != 0) return FWTS_ERROR; fwts_sig_handler_set(SIGSEGV, sig_handler, &old_segv_action); fwts_sig_handler_set(SIGBUS, sig_handler, &old_bus_action); - memcpy(dst, src, n); + for (i = n; i; --i) + *(char *)dst++ = *(char *)src++; fwts_sig_handler_restore(SIGSEGV, &old_segv_action); fwts_sig_handler_restore(SIGBUS, &old_bus_action);
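
Review bot: in the replacement loop, `*(char *)dst++ = *(char *)src++;` increments the `void *` parameters directly, which relies on the GNU extension for arithmetic on `void *`, and the cast of `src` to `char *` drops its `const` qualifier. Copying through locals such as `char *d = dst;` and `const char *s = src;` gives the same byte-wise behaviour in standard C. The loop also carries no comment saying why memcpy() is avoided; one line noting that memcpy() may read past the end of the source range would keep a later cleanup from switching back, and if the byte-wise access depends on the function's OPTIMIZE0 marking, the comment should say so.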
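
The behaviour the commit message describes, as an added example that is not part of the patch or of fwts: a signal-guarded byte-wise copy succeeds right up to the end of a readable region and reports an error only when the requested range itself crosses into inaccessible memory. The names `guarded_copy` and `copy_near_boundary` are hypothetical, the buffer with a PROT_NONE guard page is constructed for the demonstration, and volatile pointers are used here instead of the OPTIMIZE0 attribute to keep the accesses byte-sized.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_jmp;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }

/* Byte-wise copy; returns 0 on success, -1 if an access raised SIGSEGV/SIGBUS. */
int guarded_copy(void *dst, const void *src, size_t n)
{
    volatile unsigned char *d = dst;        /* volatile keeps one access per byte */
    const volatile unsigned char *s = src;
    struct sigaction sa, old_segv, old_bus;
    int rc = -1;                            /* value seen on the fault path */

    sa.sa_handler = on_fault;
    sa.sa_flags = 0;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(fault_jmp, 1) == 0) {     /* 1: restore signal mask on longjmp */
        for (size_t i = 0; i < n; i++)
            d[i] = s[i];                    /* never touches src[n] or beyond */
        rc = 0;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return rc;
}

/* Constructed buffer: one readable page followed by a PROT_NONE page.
 * Copies n bytes starting `back` bytes before the inaccessible page. */
int copy_near_boundary(size_t back, size_t n)
{
    long pg = sysconf(_SC_PAGESIZE);
    unsigned char out[16], *m;
    int rc;

    if (n > sizeof(out) || back > (size_t)pg) return -2;
    m = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -2;
    mprotect(m + pg, pg, PROT_NONE);        /* second page now faults on access */
    rc = guarded_copy(out, m + pg - back, n);
    munmap(m, 2 * pg);
    return rc;
}
int main(void) { printf("%d %d\n", copy_near_boundary(4, 4), copy_near_boundary(4, 5)); return 0; }
```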