From: Igor Mammedov
To: seabios@seabios.org
CC: gsomlo@gmail.com, kraxel@redhat.com
Date: Fri, 23 Feb 2024 16:05:22 +0100
Message-Id: <20240223150522.1488719-1-imammedo@redhat.com>
Subject: [SeaBIOS] [PATCH] fix smbios blob length overflow

When tables are more than 64K, size of copied tables will be truncated due to cast from u32 to u16, and as a result only a small portion of the tables will be copied in the end. That leads to corrupted tables (a part from QEMU and remainder is whatever was in memory block allocated for the tables). Fix it by making qtables_len 32bit int.

Signed-off-by: Igor Mammedov --- src/fw/biostables.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/fw/biostables.c b/src/fw/biostables.c index 1c09a785..90712d4b 100644 --- a/src/fw/biostables.c +++ b/src/fw/biostables.c @@ -499,7 +499,7 @@ smbios_build_tables(struct romfile_s *f_tables, u16 *number_of_structures) { struct smbios_type_0 *t0; - u16 qtables_len, need_t0 =3D 1; + u32 qtables_len, need_t0 =3D 1; u8 *qtables, *tables; =20 if (f_tables->size !=3D *length) --=20 2.39.3 _______________________________________________ SeaBIOS mailing list -- seabios@seabios.org To unsubscribe send an email to seabios-leave@seabios.org
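Review bot: in the changed declaration in smbios_build_tables(), need_t0 shares its type with qtables_len, so it is widened to u32 as well, although the commit message only concerns qtables_len and need_t0 is just initialised to 1 here. Consider splitting the line into `u32 qtables_len;` and `u16 need_t0 = 1;` so the type change is limited to the length. The hunk shows only the declaration, not the assignment to qtables_len or its later uses, so it would help if the commit message named the line where the u32 value was being narrowed and confirmed that the allocation and copy that consume qtables_len take a 32-bit size; otherwise the truncation could simply move to the next 16-bit consumer. The context line `if (f_tables->size != *length)` also compares against a caller-supplied length whose type is not visible here, and it is worth checking that it is not itself 16 bits wide.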