1. Patchew
  2. QEMU
  3. View series

[PATCH] smbios: Fix buffer overrun when using path= option

Daan De Meyer posted 1 patch 6 days, 8 hours ago 
hw/smbios/smbios.c | 3 +++
1 file changed, 3 insertions(+)
[PATCH] smbios: Fix buffer overrun when using path= option
Posted by Daan De Meyer 6 days, 8 hours ago 
We have to make sure the array of bytes read from the path= file
is null-terminated, otherwise we run into a buffer overrun later on.

Fixes: bb99f4772f54017490e3356ecbb3df25c5d4537f ("hw/smbios: support loading OEM strings values from a file")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2879

Signed-off-by: Daan De Meyer <daan.j.demeyer@gmail.com>
---
 hw/smbios/smbios.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
index 02a09eb9cd..ad4cd6721e 100644
--- a/hw/smbios/smbios.c
+++ b/hw/smbios/smbios.c
@@ -1285,6 +1285,9 @@ static int save_opt_one(void *opaque,
             g_byte_array_append(data, (guint8 *)buf, ret);
         }
 
+        buf[0] = '\0';
+        g_byte_array_append(data, (guint8 *)buf, 1);
+
         qemu_close(fd);
 
         *opt->dest = g_renew(char *, *opt->dest, (*opt->ndest) + 1);
-- 
2.49.0
Re: [PATCH] smbios: Fix buffer overrun when using path= option
Posted by Daniel P. Berrangé 5 days, 20 hours ago 
On Sun, Mar 23, 2025 at 10:35:54PM +0100, Daan De Meyer wrote:
> We have to make sure the array of bytes read from the path= file
> is null-terminated, otherwise we run into a buffer overrun later on.
> 
> Fixes: bb99f4772f54017490e3356ecbb3df25c5d4537f ("hw/smbios: support loading OEM strings values from a file")
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2879
> 
> Signed-off-by: Daan De Meyer <daan.j.demeyer@gmail.com>
> ---
>  hw/smbios/smbios.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
> index 02a09eb9cd..ad4cd6721e 100644
> --- a/hw/smbios/smbios.c
> +++ b/hw/smbios/smbios.c
> @@ -1285,6 +1285,9 @@ static int save_opt_one(void *opaque,
>              g_byte_array_append(data, (guint8 *)buf, ret);
>          }
>  
> +        buf[0] = '\0';
> +        g_byte_array_append(data, (guint8 *)buf, 1);
> +
>          qemu_close(fd);
>  
>          *opt->dest = g_renew(char *, *opt->dest, (*opt->ndest) + 1);

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
Re: [PATCH] smbios: Fix buffer overrun when using path= option
Posted by Daniel P. Berrangé 5 days, 16 hours ago 
CC qemu-stable - this needs cherry-picking into all active stable
branches once accepted.

On Mon, Mar 24, 2025 at 09:12:53AM +0000, Daniel P. Berrangé wrote:
> On Sun, Mar 23, 2025 at 10:35:54PM +0100, Daan De Meyer wrote:
> > We have to make sure the array of bytes read from the path= file
> > is null-terminated, otherwise we run into a buffer overrun later on.
> > 
> > Fixes: bb99f4772f54017490e3356ecbb3df25c5d4537f ("hw/smbios: support loading OEM strings values from a file")
> > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2879
> > 
> > Signed-off-by: Daan De Meyer <daan.j.demeyer@gmail.com>
> > ---
> >  hw/smbios/smbios.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
> > index 02a09eb9cd..ad4cd6721e 100644
> > --- a/hw/smbios/smbios.c
> > +++ b/hw/smbios/smbios.c
> > @@ -1285,6 +1285,9 @@ static int save_opt_one(void *opaque,
> >              g_byte_array_append(data, (guint8 *)buf, ret);
> >          }
> >  
> > +        buf[0] = '\0';
> > +        g_byte_array_append(data, (guint8 *)buf, 1);
> > +
> >          qemu_close(fd);
> >  
> >          *opt->dest = g_renew(char *, *opt->dest, (*opt->ndest) + 1);
> 
> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
> 
> With regards,
> Daniel
> -- 
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
> 
> 

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
Re: [PATCH] smbios: Fix buffer overrun when using path= option
Posted by Thomas Huth 5 days, 23 hours ago 
On 23/03/2025 22.35, Daan De Meyer wrote:
> We have to make sure the array of bytes read from the path= file
> is null-terminated, otherwise we run into a buffer overrun later on.
> 
> Fixes: bb99f4772f54017490e3356ecbb3df25c5d4537f ("hw/smbios: support loading OEM strings values from a file")
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2879
> 
> Signed-off-by: Daan De Meyer <daan.j.demeyer@gmail.com>
> ---
>   hw/smbios/smbios.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
> index 02a09eb9cd..ad4cd6721e 100644
> --- a/hw/smbios/smbios.c
> +++ b/hw/smbios/smbios.c
> @@ -1285,6 +1285,9 @@ static int save_opt_one(void *opaque,
>               g_byte_array_append(data, (guint8 *)buf, ret);
>           }
>   
> +        buf[0] = '\0';
> +        g_byte_array_append(data, (guint8 *)buf, 1);
> +
>           qemu_close(fd);
>   
>           *opt->dest = g_renew(char *, *opt->dest, (*opt->ndest) + 1);

Please make sure to put the maintainers on CC: (done now, for the next time 
please see the MAINTAINERS file or use the scripts/get_maintainers.pl 
script), otherwise your patch might go unnoticed.

  Thomas

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.