Date: Mon, 9 Apr 2018 11:24:16 +0200
From: Jean Delvare
To: Sasha Levin
Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org, Dmitry Torokhov, Andy Shevchenko, Linus Walleij
Subject: Re: [PATCH AUTOSEL for 4.9 078/293] firmware: dmi_scan: Check DMI structure length
Message-ID: <20180409112416.24324f93@endymion>
In-Reply-To: <20180409002239.163177-78-alexander.levin@microsoft.com>
References: <20180409002239.163177-1-alexander.levin@microsoft.com>
 <20180409002239.163177-78-alexander.levin@microsoft.com>
Organization: SUSE Linux
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 9 Apr 2018 00:23:55 +0000, Sasha Levin wrote:
> From: Jean Delvare
>
> [ Upstream commit a814c3597a6b6040e2ef9459748081a6d5b7312d ]
>
> Before accessing DMI data to record it for later, we should ensure
> that the DMI structures are large enough to contain the data in
> question.
>
> Signed-off-by: Jean Delvare
> Reviewed-by: Mika Westerberg
> Cc: Dmitry Torokhov
> Cc: Andy Shevchenko
> Cc: Linus Walleij
> Signed-off-by: Sasha Levin
> ---
>  drivers/firmware/dmi_scan.c | 23 ++++++++++++++++-------
>  1 file changed, 16 insertions(+), 7 deletions(-)
> (...)
> @@ -191,13 +191,14 @@ static void __init dmi_save_ident(const struct dmi_header *dm, int slot,
>  static void __init dmi_save_uuid(const struct dmi_header *dm, int slot,
>  				 int index)
>  {
> -	const u8 *d = (u8 *) dm + index;
> +	const u8 *d;
>  	char *s;
>  	int is_ff = 1, is_00 = 1, i;
>  
> -	if (dmi_ident[slot])
> +	if (dmi_ident[slot] || dm->length <= index + 16)

I'm afraid this check is off by one and nobody noticed :-( I'll send a
fix-up patch. Probably harmless in practice as I have never seen a
system with a DMI type 1 structure of exactly 24 bytes (would be 8
bytes for very old implementations and at least 25 for anything even
remotely recent), but still not good. Sorry about that.

>  		return;
>  
> +	d = (u8 *) dm + index;
>  	for (i = 0; i < 16 && (is_ff || is_00); i++) {
>  		if (d[i] != 0x00)
>  			is_00 = 0;

-- 
Jean Delvare
SUSE L3 Support
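Review bot: the new guard `dm->length <= index + 16` in dmi_save_uuid() is off by one: the loop that follows reads d[0] through d[15], i.e. bytes index through index + 15 of the structure, which a structure of length exactly index + 16 does contain, so that structure is rejected although it holds the whole UUID. The bail-out condition should be `dm->length < index + 16` (reject only when fewer than 16 bytes remain after index); for the type 1 UUID at index 8 that is the 24-byte case Jean points out above.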
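The length check from the hunk, as an added C example that is not code from the kernel or from this thread: it places the backported `<=` guard beside the corrected `<` guard and exercises a UUID extractor on constructed type 1 structures of 8, 24 and 25 bytes, the three sizes Jean mentions. It assumes the header layout of the kernel's `struct dmi_header` (type, length, handle) and that the UUID sits at offset 8 of a type 1 structure; the buffers are constructed, not real firmware tables.

```c
#include <stdint.h>
#include <string.h>

/* Header shared by every SMBIOS/DMI structure (assumed to mirror the kernel's struct dmi_header). */
struct dmi_header {
    uint8_t  type;
    uint8_t  length;   /* bytes in the formatted area, header included */
    uint16_t handle;
};

#define DMI_UUID_LEN 16
#define DMI_TYPE1_UUID_OFFSET 8   /* UUID field of a type 1 (System Information) structure */

/* Length check as backported: rejects a structure whose length is exactly index + 16. */
int uuid_fits_off_by_one(const struct dmi_header *dm, int index)
{
    return !(dm->length <= index + DMI_UUID_LEN);
}

/* Corrected check: bytes d[index..index+15] exist iff length >= index + 16. */
int uuid_fits(const struct dmi_header *dm, int index)
{
    return !(dm->length < index + DMI_UUID_LEN);
}

/* Copy the UUID out of a type 1 structure only when it is long enough to hold it.
 * Returns 1 and fills 'out' on success, 0 if the structure is too short or not type 1. */
int dmi_get_uuid(const uint8_t *buf, int index, uint8_t out[DMI_UUID_LEN])
{
    struct dmi_header dm;
    memcpy(&dm, buf, sizeof dm);          /* copy the header rather than cast an unaligned pointer */
    if (dm.type != 1 || !uuid_fits(&dm, index))
        return 0;
    memcpy(out, buf + index, DMI_UUID_LEN);
    return 1;
}

/* Constructed type 1 structure of 'len' bytes (len <= 32) whose UUID bytes are all 0x5A.
 * Returns the first UUID byte read, or -1 if the corrected check rejected the structure. */
int probe_type1(uint8_t len)
{
    uint8_t buf[32], uuid[DMI_UUID_LEN];
    memset(buf, 0, sizeof buf);
    buf[0] = 1;                           /* type 1: System Information */
    buf[1] = len;
    memset(buf + DMI_TYPE1_UUID_OFFSET, 0x5A, DMI_UUID_LEN);
    return dmi_get_uuid(buf, DMI_TYPE1_UUID_OFFSET, uuid) ? uuid[0] : -1;
}
```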