src/fw/biostables.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-)
SeaBIOS implements the SMBIOS 2.1 entry point which is limited to a
maximum length of 0xffff. If the SMBIOS data received from QEMU is large
enough, then adding the type 0 table will cause integer overflow. This
results in fun behaviour such as a KVM crash, or hangs in SeaBIOS.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
src/fw/biostables.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/fw/biostables.c b/src/fw/biostables.c
index 0c07833..794b5be 100644
--- a/src/fw/biostables.c
+++ b/src/fw/biostables.c
@@ -462,10 +462,16 @@ smbios_romfile_setup(void)
/* common case: add our own type 0, with 3 strings and 4 '\0's */
u16 t0_len = sizeof(struct smbios_type_0) + strlen(BIOS_NAME) +
strlen(VERSION) + strlen(BIOS_DATE) + 4;
- ep.structure_table_length += t0_len;
- if (t0_len > ep.max_structure_size)
- ep.max_structure_size = t0_len;
- ep.number_of_structures++;
+ if (t0_len > (0xffff - ep.structure_table_length)) {
+ dprintf(1, "Insufficient space (%d bytes) to add SMBIOS type 0 table (%d bytes)\n",
+ 0xffff - ep.structure_table_length, t0_len);
+ need_t0 = 0;
+ } else {
+ ep.structure_table_length += t0_len;
+ if (t0_len > ep.max_structure_size)
+ ep.max_structure_size = t0_len;
+ ep.number_of_structures++;
+ }
}
/* allocate final blob and record its address in the entry point */
--
2.26.2
_______________________________________________
SeaBIOS mailing list -- seabios@seabios.org
To unsubscribe send an email to seabios-leave@seabios.org
On Tue, Sep 08, 2020 at 04:21:03PM +0100, Daniel P. Berrangé wrote:
> SeaBIOS implements the SMBIOS 2.1 entry point which is limited to a
> maximum length of 0xffff. If the SMBIOS data received from QEMU is large
> enough, then adding the type 0 table will cause integer overflow. This
> results in fun behaviour such as a KVM crash, or hangs in SeaBIOS.
Thanks. The patch looks fine to me. However, when I run "git am" on
your email, it's not taking the patch. (Perhaps the email whitespace
got corrupted?)
==============
Applying: smbios: avoid integer overflow adding SMBIOS type 0 table
error: patch failed: src/fw/biostables.c:462
error: src/fw/biostables.c: patch does not apply
Patch failed at 0001 smbios: avoid integer overflow adding SMBIOS type 0 table
hint: Use 'git am --show-current-patch=diff' to see the failed patch
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".
==============
-Kevin
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> src/fw/biostables.c | 14 ++++++++++----
> 1 file changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/src/fw/biostables.c b/src/fw/biostables.c
> index 0c07833..794b5be 100644
> --- a/src/fw/biostables.c
> +++ b/src/fw/biostables.c
> @@ -462,10 +462,16 @@ smbios_romfile_setup(void)
> /* common case: add our own type 0, with 3 strings and 4 '\0's */
> u16 t0_len = sizeof(struct smbios_type_0) + strlen(BIOS_NAME) +
> strlen(VERSION) + strlen(BIOS_DATE) + 4;
> - ep.structure_table_length += t0_len;
> - if (t0_len > ep.max_structure_size)
> - ep.max_structure_size = t0_len;
> - ep.number_of_structures++;
> + if (t0_len > (0xffff - ep.structure_table_length)) {
> + dprintf(1, "Insufficient space (%d bytes) to add SMBIOS type 0 table (%d bytes)\n",
> + 0xffff - ep.structure_table_length, t0_len);
> + need_t0 = 0;
> + } else {
> + ep.structure_table_length += t0_len;
> + if (t0_len > ep.max_structure_size)
> + ep.max_structure_size = t0_len;
> + ep.number_of_structures++;
> + }
> }
>
> /* allocate final blob and record its address in the entry point */
> --
> 2.26.2
> _______________________________________________
> SeaBIOS mailing list -- seabios@seabios.org
> To unsubscribe send an email to seabios-leave@seabios.org
_______________________________________________
SeaBIOS mailing list -- seabios@seabios.org
To unsubscribe send an email to seabios-leave@seabios.org
On Fri, Sep 11, 2020 at 02:03:23PM -0400, Kevin O'Connor wrote: > On Tue, Sep 08, 2020 at 04:21:03PM +0100, Daniel P. Berrangé wrote: > > SeaBIOS implements the SMBIOS 2.1 entry point which is limited to a > > maximum length of 0xffff. If the SMBIOS data received from QEMU is large > > enough, then adding the type 0 table will cause integer overflow. This > > results in fun behaviour such as a KVM crash, or hangs in SeaBIOS. > > Thanks. The patch looks fine to me. However, when I run "git am" on > your email, it's not taking the patch. (Perhaps the email whitespace > got corrupted?) > > ============== > Applying: smbios: avoid integer overflow adding SMBIOS type 0 table > error: patch failed: src/fw/biostables.c:462 > error: src/fw/biostables.c: patch does not apply > Patch failed at 0001 smbios: avoid integer overflow adding SMBIOS type 0 table > hint: Use 'git am --show-current-patch=diff' to see the failed patch > When you have resolved this problem, run "git am --continue". > If you prefer to skip this patch, run "git am --skip" instead. > To restore the original branch and stop patching, run "git am --abort". > ============== This was just sent using git send-email, so I can't see what would corrupt it on the sending side. In any case, I've got a copy on github you can pull from, on my "smbios-len" branch, this commit: https://github.com/berrange/seabios/commit/4ea6aa9471f79cc81f957d6c0e2bb238d24675e5 Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| _______________________________________________ SeaBIOS mailing list -- seabios@seabios.org To unsubscribe send an email to seabios-leave@seabios.org
On Mon, Sep 14, 2020 at 10:38:26AM +0100, Daniel P. Berrangé wrote: > On Fri, Sep 11, 2020 at 02:03:23PM -0400, Kevin O'Connor wrote: > > On Tue, Sep 08, 2020 at 04:21:03PM +0100, Daniel P. Berrangé wrote: > > > SeaBIOS implements the SMBIOS 2.1 entry point which is limited to a > > > maximum length of 0xffff. If the SMBIOS data received from QEMU is large > > > enough, then adding the type 0 table will cause integer overflow. This > > > results in fun behaviour such as a KVM crash, or hangs in SeaBIOS. > > > > Thanks. The patch looks fine to me. However, when I run "git am" on > > your email, it's not taking the patch. (Perhaps the email whitespace > > got corrupted?) > > > > ============== > > Applying: smbios: avoid integer overflow adding SMBIOS type 0 table > > error: patch failed: src/fw/biostables.c:462 > > error: src/fw/biostables.c: patch does not apply > > Patch failed at 0001 smbios: avoid integer overflow adding SMBIOS type 0 table > > hint: Use 'git am --show-current-patch=diff' to see the failed patch > > When you have resolved this problem, run "git am --continue". > > If you prefer to skip this patch, run "git am --skip" instead. > > To restore the original branch and stop patching, run "git am --abort". > > ============== > > This was just sent using git send-email, so I can't see what would > corrupt it on the sending side. In any case, I've got a copy on github > you can pull from, on my "smbios-len" branch, this commit: > > https://github.com/berrange/seabios/commit/4ea6aa9471f79cc81f957d6c0e2bb238d24675e5 Okay, thanks, I committed that change. I'm not sure what went wrong with my email. -Kevin _______________________________________________ SeaBIOS mailing list -- seabios@seabios.org To unsubscribe send an email to seabios-leave@seabios.org
On 9/8/20 5:21 PM, Daniel P. Berrangé wrote:
> SeaBIOS implements the SMBIOS 2.1 entry point which is limited to a
> maximum length of 0xffff. If the SMBIOS data received from QEMU is large
> enough, then adding the type 0 table will cause integer overflow. This
> results in fun behaviour such as a KVM crash, or hangs in SeaBIOS.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> src/fw/biostables.c | 14 ++++++++++----
> 1 file changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/src/fw/biostables.c b/src/fw/biostables.c
> index 0c07833..794b5be 100644
> --- a/src/fw/biostables.c
> +++ b/src/fw/biostables.c
> @@ -462,10 +462,16 @@ smbios_romfile_setup(void)
> /* common case: add our own type 0, with 3 strings and 4 '\0's */
> u16 t0_len = sizeof(struct smbios_type_0) + strlen(BIOS_NAME) +
> strlen(VERSION) + strlen(BIOS_DATE) + 4;
> - ep.structure_table_length += t0_len;
> - if (t0_len > ep.max_structure_size)
> - ep.max_structure_size = t0_len;
> - ep.number_of_structures++;
> + if (t0_len > (0xffff - ep.structure_table_length)) {
> + dprintf(1, "Insufficient space (%d bytes) to add SMBIOS type 0 table (%d bytes)\n",
> + 0xffff - ep.structure_table_length, t0_len);
> + need_t0 = 0;
> + } else {
> + ep.structure_table_length += t0_len;
> + if (t0_len > ep.max_structure_size)
> + ep.max_structure_size = t0_len;
> + ep.number_of_structures++;
> + }
> }
>
> /* allocate final blob and record its address in the entry point */
>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
_______________________________________________
SeaBIOS mailing list -- seabios@seabios.org
To unsubscribe send an email to seabios-leave@seabios.org
© 2016 - 2025 Red Hat, Inc.