Received-SPF: pass (google.com: domain of linux-kernel+bounces-148841-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161;
From: Michael Kelley <mhklinux@outlook.com>
To: Jean Delvare <jdelvare@suse.de>, Michael Schierl <schierlm@gmx.de>
CC: "linux-hyperv@vger.kernel.org" <linux-hyperv@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: RE: [PATCH] firmware: dmi: Stop decoding on broken entry
Thread-Topic: [PATCH] firmware: dmi: Stop decoding on broken entry
Thread-Index: AQHakNyeQHU2XdbvxkyqvOE9tFpqPLFsmKbA
Date: Wed, 17 Apr 2024 15:43:49 +0000
Message-ID:
 <SN6PR02MB415755044A025D66B4BC8955D40F2@SN6PR02MB4157.namprd02.prod.outlook.com>
References: <b702b36b90b63b615d41e778570707043ea81551.camel@suse.de>
In-Reply-To: <b702b36b90b63b615d41e778570707043ea81551.camel@suse.de>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0:
 =?us-ascii?Q?kHXGmgO3TNYTX9iw8ZF125FF2sKrp3sHRf/LO7pzAEIaryqvlT1GogSuFINJ?=
 =?us-ascii?Q?49k7em7KK66FL/UM7/03H7v0UqAgQy+79oo2g81S7sa1JUkkukF7p4DmrtWn?=
 =?us-ascii?Q?qXdxmyyS2Tcv+B+N12yCIldWTOkIvateqwGxmmIQf9x6y3XxFL5L/U8OJaVc?=
 =?us-ascii?Q?bIzanrUmBF6XlLHAbnvMIL0bY3E4EPgAvu/JCFVPiVUs7X7A2eVzV1p1dEiE?=
 =?us-ascii?Q?ulE6Cq83yKdOyRiN8b01FWHPvrPQ0hVwjFxsWVO7Y2HmTBiLCwCAX4Vyv3aX?=
 =?us-ascii?Q?Qc+VGeum/dpkbl/3hWpqcJiTLDjedWPmVwkL+798ezCdy6naCNOkR8RyjXT9?=
 =?us-ascii?Q?cLESdJU2mw6X/w2rCb8DIZrCiBVK3Ap9aPRn4qiQ5w8/0CuuYxjwrYRymCsu?=
 =?us-ascii?Q?0bwJmVW/cmTXhP6B/2tVJKmf1r/yP7+9IuaTkz7zJX74xgpYulFuCOVEiCgQ?=
 =?us-ascii?Q?qIznLq1hnyD3qKJbQndNAvaTWsd2NEYJK/H3Ok7syutvZZBSKL9WS4OS6tSC?=
 =?us-ascii?Q?mfq6VlGx/8p1FdvKSFvXc9qkDycw4Qtv/HXKEoCvtkVVsTsoovkOQeYZodG/?=
 =?us-ascii?Q?6MPbPfF5qPhz2GwYuO4DychiRGIJC0gaxaBQcfIBj+XpiXIlXxm+ecjK0+FQ?=
 =?us-ascii?Q?kCHGVLNCtQsyPY+H3h33kguADwEKK8F1pI81zTZ4YwMyS1QsRi6PtbP+hgFM?=
 =?us-ascii?Q?xcelMY1k1u1xwzAqiVaGHtmtKPKW7r6nUSFK3aBq4O4lnjVwlenuxnhPW1we?=
 =?us-ascii?Q?53ZG2/AbHl73UWHV6iYX9W4Z8rykZWH8EsOUaBusxAJEOwawGfS/KUig65xx?=
 =?us-ascii?Q?bzaZywJTm+fMXVqNGt66nPeUqv7d3U/Vy66uyFmaOq2aMyH4YpONLZ5mQ+wX?=
 =?us-ascii?Q?IvNZ34rWQQYZTkJnsbHSUAU60QlLC0nkb6KocOmyHIYjkH8ycyOXbIYrrrfa?=
 =?us-ascii?Q?2Ro6aPUKE8COwr81swhW00JpLuKMUl3h0D4q94fNxiwMPX/1Dm/qDuQpI4Nr?=
 =?us-ascii?Q?35oxtUdlpVw00ubkwjHnSBqXrWWGwBWEtN/q1j7AZPGRQfrz25VNwIYudQdP?=
 =?us-ascii?Q?I4O5AR0gzuQB8obJPbu9iacLyrbYfqercGEIfowsL698o+cT1JoIi4wGrIUm?=
 =?us-ascii?Q?Fg6R3ubPRcYQI9OBwEvekzKFvubbFbGSlW6Oj0j2BO6KEwfyzVg+YZZ2z8lT?=
 =?us-ascii?Q?+QwLftQQiXfsP1TqW/I9y1t5TvEEYYw2oUB6Iw=3D=3D?=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SN6PR02MB4157.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: 31262e71-8338-4f63-beba-08dc5ef52cfd
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Apr 2024 15:43:49.4010
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ2PR02MB9894

From: Jean Delvare <jdelvare@suse.de> Sent: Wednesday, April 17, 2024 8:34 =
AM
>=20
> If a DMI table entry is shorter than 4 bytes, it is invalid. Due to
> how DMI table parsing works, it is impossible to safely recover from
> such an error, so we have to stop decoding the table.
>=20
> Signed-off-by: Jean Delvare <jdelvare@suse.de>
> Link: https://lore.kernel.org/linux-kernel/Zh2K3-HLXOesT_vZ@liuwe-devbox-=
debian-v2/T/
> ---
> Michael, can you please test this patch and confirm that it prevents
> the early oops?
>=20
> The root cause of the DMI table corruption still needs to be
> investigated.
>=20
>  drivers/firmware/dmi_scan.c |   11 +++++++++++
>  1 file changed, 11 insertions(+)
>=20
> --- linux-6.8.orig/drivers/firmware/dmi_scan.c
> +++ linux-6.8/drivers/firmware/dmi_scan.c
> @@ -102,6 +102,17 @@ static void dmi_decode_table(u8 *buf,
>  		const struct dmi_header *dm =3D (const struct dmi_header *)data;
>=20
>  		/*
> +		 * If a short entry is found (less than 4 bytes), not only it
> +		 * is invalid, but we cannot reliably locate the next entry.
> +		 */
> +		if (dm->length < sizeof(struct dmi_header)) {
> +			pr_warn(FW_BUG
> +				"Corrupted DMI table (only %d entries processed)\n",
> +				i);

It would be useful to also output the three header fields: type, handle, an=
d length,
and perhaps also the offset of the header in the DMI blob (i.e., "data - bu=
f").
When looking at the error reported by user space dmidecode, the first thing
I did was add those fields to the error message.

Michael=20

> +			break;
> +		}
> +
> +		/*
>  		 *  We want to know the total length (formatted area and
>  		 *  strings) before decoding to make sure we won't run off the
>  		 *  table in dmi_decode or dmi_string
>=20
> --
> Jean Delvare
> SUSE L3 Support