1. Patchew
  2. QEMU
  3. [PULL 0/8] Misc HW patches for 2025-04-08
  4. View patch

[PULL 1/8] smbios: Fix buffer overrun when using path= option

Philippe Mathieu-Daudé posted 8 patches 8 months, 2 weeks ago
[PULL 1/8] smbios: Fix buffer overrun when using path= option
Posted by Philippe Mathieu-Daudé 8 months, 2 weeks ago 
From: Daan De Meyer <daan.j.demeyer@gmail.com>

We have to make sure the array of bytes read from the path= file
is null-terminated, otherwise we run into a buffer overrun later on.

Fixes: bb99f4772f54017490e3356ecbb3df25c5d4537f ("hw/smbios: support loading OEM strings values from a file")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2879

Signed-off-by: Daan De Meyer <daan.j.demeyer@gmail.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Tested-by: Valentin David <valentin.david@canonical.com>
Message-ID: <20250323213622.2581013-1-daan.j.demeyer@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 hw/smbios/smbios.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
index 02a09eb9cd0..ad4cd6721e6 100644
--- a/hw/smbios/smbios.c
+++ b/hw/smbios/smbios.c
@@ -1285,6 +1285,9 @@ static int save_opt_one(void *opaque,
             g_byte_array_append(data, (guint8 *)buf, ret);
         }
 
+        buf[0] = '\0';
+        g_byte_array_append(data, (guint8 *)buf, 1);
+
         qemu_close(fd);
 
         *opt->dest = g_renew(char *, *opt->dest, (*opt->ndest) + 1);
-- 
2.47.1
Re: [PULL 1/8] smbios: Fix buffer overrun when using path= option
Posted by Daan De Meyer 8 months ago 
CC-ing qemu-stable again to hopefully get this backported to the
stable branches.

Cheers,

Daan

On Tue, 8 Apr 2025 at 20:55, Philippe Mathieu-Daudé <philmd@linaro.org> wrote:
>
> From: Daan De Meyer <daan.j.demeyer@gmail.com>
>
> We have to make sure the array of bytes read from the path= file
> is null-terminated, otherwise we run into a buffer overrun later on.
>
> Fixes: bb99f4772f54017490e3356ecbb3df25c5d4537f ("hw/smbios: support loading OEM strings values from a file")
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2879
>
> Signed-off-by: Daan De Meyer <daan.j.demeyer@gmail.com>
> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
> Tested-by: Valentin David <valentin.david@canonical.com>
> Message-ID: <20250323213622.2581013-1-daan.j.demeyer@gmail.com>
> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
> ---
>  hw/smbios/smbios.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
> index 02a09eb9cd0..ad4cd6721e6 100644
> --- a/hw/smbios/smbios.c
> +++ b/hw/smbios/smbios.c
> @@ -1285,6 +1285,9 @@ static int save_opt_one(void *opaque,
>              g_byte_array_append(data, (guint8 *)buf, ret);
>          }
>
> +        buf[0] = '\0';
> +        g_byte_array_append(data, (guint8 *)buf, 1);
> +
>          qemu_close(fd);
>
>          *opt->dest = g_renew(char *, *opt->dest, (*opt->ndest) + 1);
> --
> 2.47.1
>
Re: [PULL 1/8] smbios: Fix buffer overrun when using path= option
Posted by Philippe Mathieu-Daudé 8 months ago 
Hi Daan,

On 17/4/25 12:11, Daan De Meyer wrote:
> CC-ing qemu-stable again to hopefully get this backported to the
> stable branches.
> 
> Cheers,
> 
> Daan
> 
> On Tue, 8 Apr 2025 at 20:55, Philippe Mathieu-Daudé <philmd@linaro.org> wrote:
>>
>> From: Daan De Meyer <daan.j.demeyer@gmail.com>
>>
>> We have to make sure the array of bytes read from the path= file
>> is null-terminated, otherwise we run into a buffer overrun later on.
>>
>> Fixes: bb99f4772f54017490e3356ecbb3df25c5d4537f ("hw/smbios: support loading OEM strings values from a file")
>> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2879
>>

If you want to be sure a commit is noticed for backport, you
should add

    Cc: qemu-stable@nongnu.org

in your commit description.

Regards,

Phil.

>> Signed-off-by: Daan De Meyer <daan.j.demeyer@gmail.com>
>> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
>> Tested-by: Valentin David <valentin.david@canonical.com>
>> Message-ID: <20250323213622.2581013-1-daan.j.demeyer@gmail.com>
>> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
>> ---
>>   hw/smbios/smbios.c | 3 +++
>>   1 file changed, 3 insertions(+)
>>
>> diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
>> index 02a09eb9cd0..ad4cd6721e6 100644
>> --- a/hw/smbios/smbios.c
>> +++ b/hw/smbios/smbios.c
>> @@ -1285,6 +1285,9 @@ static int save_opt_one(void *opaque,
>>               g_byte_array_append(data, (guint8 *)buf, ret);
>>           }
>>
>> +        buf[0] = '\0';
>> +        g_byte_array_append(data, (guint8 *)buf, 1);
>> +
>>           qemu_close(fd);
>>
>>           *opt->dest = g_renew(char *, *opt->dest, (*opt->ndest) + 1);
>> --
>> 2.47.1
>>
Re: [PULL 1/8] smbios: Fix buffer overrun when using path= option
Posted by Michael Tokarev 8 months ago 
17.04.2025 13:11, Daan De Meyer wrote:
> CC-ing qemu-stable again to hopefully get this backported to the
> stable branches.

Hmm.  I picked it up from the first time, see eg
https://gitlab.com/qemu-project/qemu/-/commits/staging-9.2
(in particular, commit d1960fafecbe1066).

I'm curious, why do you think it has to be Cc'ed again?

Thanks,

/mjt
Re: [PULL 1/8] smbios: Fix buffer overrun when using path= option
Posted by Daan De Meyer 8 months ago 
Apologies, I was unsure whether I should expect a reply on the
original mail after the patch had been applied to stable or not.

Thanks for the confirmation,

Cheers,

Daan

On Thu, 17 Apr 2025 at 15:05, Michael Tokarev <mjt@tls.msk.ru> wrote:
>
> 17.04.2025 13:11, Daan De Meyer wrote:
> > CC-ing qemu-stable again to hopefully get this backported to the
> > stable branches.
>
> Hmm.  I picked it up from the first time, see eg
> https://gitlab.com/qemu-project/qemu/-/commits/staging-9.2
> (in particular, commit d1960fafecbe1066).
>
> I'm curious, why do you think it has to be Cc'ed again?
>
> Thanks,
>
> /mjt

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.