lscpu: fix out-of-bounds read in parse_dmi_table#4431
Open
aizu-m wants to merge 1 commit into
Open
Conversation
parse_dmi_table() walks the SMBIOS structures from the firmware DMI table. The loop only checks that the 4-byte header fits (data + 4 <= buf + len) and that h.length >= 4. It then reads the type 0/1/4 fields at fixed offsets up to data[0x28] and hands the string-number bytes to dmi_string(), which walks the structure's string set. So a truncated final structure, where h.length, a field offset or the string set runs past the end of the table, is read out of bounds; the bytes end up in the CPU model/vendor strings lscpu prints. The table comes from /sys/firmware/dmi/tables, or from /dev/mem when probing a hypervisor. Gate each field read on h.length and stop once a structure (formatted area plus its string set) no longer fits in the buffer, the way dmidecode bounds these reads. Signed-off-by: aizu-m <aizumusheer2@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
parse_dmi_table() reads SMBIOS structure fields by fixed offset and walks their string set after validating only the 4-byte header, so a truncated final structure in the firmware DMI table is read past the end of the buffer; gate each field read on the structure length and stop once a structure no longer fits.