* [PATCH v2] smbios: Add an explicit bounds check for Type 9 length
@ 2026-04-22 19:38 Raymond Mao
2026-04-22 21:57 ` Simon Glass
2026-04-23 8:57 ` Ilias Apalodimas
0 siblings, 2 replies; 3+ messages in thread
From: Raymond Mao @ 2026-04-22 19:38 UTC (permalink / raw)
To: u-boot; +Cc: Raymond Mao, Raymond Mao, Tom Rini, Samuel Holland,
Ilias Apalodimas
From: Raymond Mao <raymond.mao@riscstar.com>
Fix Coverity Scan defect on Type 9 length.
Type 9 formatted length is built dynamically from peer_grouping_count.
Although peer_grouping_count is a byte, the resulting formatted area
still must fit in the SMBIOS header length field (u8).
Add an explicit bounds check before extending len, so the size used by
map_sysmem() and memset() is guaranteed to be valid and consistent
with hdr.length.
Fixes: a8442c226635 ("smbios: add support for dynamic generation of Type 9 system slot tables")
Addresses-Coverity-ID: CID 645487: Insecure data handling (TAINTED_SCALAR)
Signed-off-by: Raymond Mao <raymond.mao@riscstar.com>
---
Changes in v2:
- return len 0 for errors to align with the existing convention of the
file.
lib/smbios.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/smbios.c b/lib/smbios.c
index d5f18c8bd69..fdab5948aad 100644
--- a/lib/smbios.c
+++ b/lib/smbios.c
@@ -1093,6 +1093,9 @@ static int smbios_write_type9_1slot(ulong *current, int handle,
* TODO:
* peer_groups = <peer_grouping_count> * SMBIOS_TYPE9_PGROUP_SIZE
*/
+ if (len + pgroups_size > U8_MAX)
+ return 0;
+
len += pgroups_size;
t = map_sysmem(*current, len);
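Review bot: the new "return 0" in smbios_write_type9_1slot() fires without any diagnostic, so a slot whose formatted area would exceed the u8 length field is dropped from the table and nothing tells the user why. Returning 0 matches the file's error convention as the v2 changelog says, but a log_debug() or log_err() just before the return, printing len and pgroups_size, would make the condition visible on the console. The check also lands directly under the existing TODO comment with no comment of its own; one line stating that the limit is the u8 hdr.length field would keep the reason next to the code.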
--
2.25.1
* Re: [PATCH v2] smbios: Add an explicit bounds check for Type 9 length
2026-04-22 19:38 [PATCH v2] smbios: Add an explicit bounds check for Type 9 length Raymond Mao
@ 2026-04-22 21:57 ` Simon Glass
2026-04-23 8:57 ` Ilias Apalodimas
1 sibling, 0 replies; 3+ messages in thread
From: Simon Glass @ 2026-04-22 21:57 UTC (permalink / raw)
To: raymondmaoca
Cc: u-boot, Raymond Mao, Tom Rini, Samuel Holland, Ilias Apalodimas
On 2026-04-22T19:38:45, Raymond Mao <raymondmaoca@gmail.com> wrote:
> smbios: Add an explicit bounds check for Type 9 length
>
> Fix Coverity Scan defect on Type 9 length.
> Type 9 formatted length is built dynamically from peer_grouping_count.
> Although peer_grouping_count is a byte, the resulting formatted area
> still must fit in the SMBIOS header length field (u8).
> Add an explicit bounds check before extending len, so the size used by
> map_sysmem() and memset() is guaranteed to be valid and consistent
> with hdr.length.
>
> Fixes: a8442c226635 ("smbios: add support for dynamic generation of Type 9 system slot tables")
> Addresses-Coverity-ID: CID 645487: Insecure data handling (TAINTED_SCALAR)
> Signed-off-by: Raymond Mao <raymond.mao@riscstar.com>
>
> lib/smbios.c | 3 +++
> 1 file changed, 3 insertions(+)
Reviewed-by: Simon Glass <sjg@chromium.org>
* Re: [PATCH v2] smbios: Add an explicit bounds check for Type 9 length
2026-04-22 19:38 [PATCH v2] smbios: Add an explicit bounds check for Type 9 length Raymond Mao
2026-04-22 21:57 ` Simon Glass
@ 2026-04-23 8:57 ` Ilias Apalodimas
1 sibling, 0 replies; 3+ messages in thread
From: Ilias Apalodimas @ 2026-04-23 8:57 UTC (permalink / raw)
To: Raymond Mao; +Cc: u-boot, Raymond Mao, Tom Rini, Samuel Holland
Thanks Raymond,
On Wed, 22 Apr 2026 at 22:38, Raymond Mao <raymondmaoca@gmail.com> wrote:
>
> From: Raymond Mao <raymond.mao@riscstar.com>
>
> Fix Coverity Scan defect on Type 9 length.
> Type 9 formatted length is built dynamically from peer_grouping_count.
> Although peer_grouping_count is a byte, the resulting formatted area
> still must fit in the SMBIOS header length field (u8).
> Add an explicit bounds check before extending len, so the size used by
> map_sysmem() and memset() is guaranteed to be valid and consistent
> with hdr.length.
>
> Fixes: a8442c226635 ("smbios: add support for dynamic generation of Type 9 system slot tables")
> Addresses-Coverity-ID: CID 645487: Insecure data handling (TAINTED_SCALAR)
> Signed-off-by: Raymond Mao <raymond.mao@riscstar.com>
> ---
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> Changes in v2:
> - return len 0 for errors to align with the existing convention of the
> file.
>
> lib/smbios.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/lib/smbios.c b/lib/smbios.c
> index d5f18c8bd69..fdab5948aad 100644
> --- a/lib/smbios.c
> +++ b/lib/smbios.c
> @@ -1093,6 +1093,9 @@ static int smbios_write_type9_1slot(ulong *current, int handle,
> * TODO:
> * peer_groups = <peer_grouping_count> * SMBIOS_TYPE9_PGROUP_SIZE
> */
> + if (len + pgroups_size > U8_MAX)
> + return 0;
> +
> len += pgroups_size;
>
> t = map_sysmem(*current, len);
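Review bot: the test "len + pgroups_size > U8_MAX" is only as good as the value already held in pgroups_size, and its declaration and the multiplication named in the TODO comment (peer_grouping_count * SMBIOS_TYPE9_PGROUP_SIZE) are outside this hunk. If pgroups_size is stored in a u8, the product has wrapped before it reaches this line and the comparison can pass for a count that should be rejected. It is worth confirming in the surrounding function that both len and pgroups_size are int or wider, and saying so in the commit message, since that is what makes the new bound sufficient for the map_sysmem() and memset() sizes.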
> --
> 2.25.1
>