From: Randy MacLeod
To: Steve Sakoman
Cc: openembedded-core@lists.openembedded.org, Yogita.Urade@windriver.com, Kang Kai
Subject: Re: [OE-core][mickledore 02/26] dmidecode: fix CVE-2023-30630
Date: Tue, 18 Jul 2023 20:06:34 -0400
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/184563

On 2023-07-18 18:32, Steve Sakoman wrote:
> On Tue, Jul 18, 2023 at 11:49 AM Randy MacLeod wrote:
>> Add Kai,
>>
>> On 2023-07-14 18:32, Steve Sakoman via lists.openembedded.org wrote:
>>
>> From: Yogita Urade
>>
>> Dmidecode before 3.5 allows -dump-bin to overwrite a local file.
>> This has security relevance because, for example, execution of
>> Dmidecode via Sudo is plausible.
>>
>> References:
>> https://nvd.nist.gov/vuln/detail/CVE-2023-30630
>> https://lists.nongnu.org/archive/html/dmidecode-devel/2023-04/msg00016.html
>> https://lists.nongnu.org/archive/html/dmidecode-devel/2023-04/msg00017.html
>>
>> Signed-off-by: Yogita Urade
>> Signed-off-by: Steve Sakoman
>> ---
>> .../dmidecode/CVE-2023-30630_1.patch | 237 ++++++++++++++++++
>> .../dmidecode/CVE-2023-30630_2.patch | 81 ++++++
>> .../dmidecode/CVE-2023-30630_3.patch | 69 +++++
>> .../dmidecode/CVE-2023-30630_4.patch | 137 ++++++++++
>>
>>
>> Summary:
>>
>> I think this can merge but we should agree on how to handle dmidecode.
>>
>>
>> Details:
>>
>> These changes work but it's bringing back 4 patches rather than bumping the version to 3.5
>> and picking up 2 patches. My conclusion is that it's okay but we should probably talk
>> about how to maintain dmidecode since it just produces a bunch of programs for dumping
>> HW DMI/SMBIOS info and doesn't provide a runtime ABI, we can probably update to 3.5
>> ( or even 3.6 when that's out).
>>
>> Do you agree Steve?
> You'll always get the same answer from me: no version bumps that
> implement new features/apis. Bug/security fixes only.
>
> If there is a strong case to be made for something outside this
> policy, it should go to the TSC for consideration.
>
> I don't want our stable branches to start resembling the kernel
> "stable" branches ...
>
> So, yes, I think we should merge this patch rather than version bump :-)

Ok, that works for me and if there's no follow-up for Yogita, that's
also good news.

I may ping the upstream devs to see if they really are following
a semantic versioning scheme (1). My goal was to not only get the
CVEs fixed but to get the additional decode info to better support new hardware.

I suppose that even for simple executables like this, it's possible that
something changed in the output format or the one or two changes that seem suspect,
could cause problems for someone and so we should be more conservative and
by keeping the number of exceptions to a minimum, we usually make
maintenance easier.
Thanks for the comments,

../Randy

1) https://semver.org/

> Steve
>
>> The patches back-ported are:
>>
>> ❯ rg -i "subject: \[PATCH\]" /tmp/dmidecode-mickledore-cve.eml
>> 201:+Subject: [PATCH] dmidecode: Write the whole dump file at once
>> 444:+Subject: [PATCH] dmidecode: Do not let --dump-bin overwrite an existing file
>> 531:+Subject: [PATCH] Consistently use read_file() when reading from a dump file
>> 606:+Subject: [PATCH] Don't read beyond sysfs entry point buffer
>>
>>
>> Two of these patches would be picked up if we update mickledore to 3.5 - so let's look at what changed:
>>
>> ❯ git log --oneline dmidecode-3-4..dmidecode-3-5
>>
>> 484f893 (tag: dmidecode-3-5) Set the version to 3.5
>> 8baf2f5 Fix a build warning when USE_MMAP isn't set
>> b9ebecc dmioem: HPE type 242: Fix ID on 32-bit systems
>> 189ca35 Ensure /dev/mem is a character device file
>> 8427888 dmidecode: Use the right variable for -s bios-revision/firmware-revision
>> 6ca381c dmidecode: Do not let --dump-bin overwrite an existing file <---------- Added.
>> d8cfbc8 dmidecode: Write the whole dump file at once <---------- Added.
>> 39b2dd7 dmidecode: Split table fetching from decoding
>> 11b168f dmioem: Avoid intermediate buffer (HPE type 216)
>> 9d2bbd5 dmioem: Decode HPE OEM Record 216
>> 3d68350 dmidecode: Drop the CPUID exception list
>> c1a2520 dmidecode: Add a --no-quirks option
>> 67dc0b2 dmidecode: Fortify entry point length checks
>> f801673 dmioem: Typo fix (Virutal -> Virtual)
>> 90d1323 dmioem: Decode HPE OEM Record 242
>> f50b925 dmioem: Update HPE OEM Record 238
>> ac24b67 dmioem: Decode HPE OEM Record 230
>> c3357b5 dmioem: Fix segmentation fault in dmi_hp_240_attr()
>> a1a2258 dmioem: Decode HPE OEM Record 224
>> fb8766a NEWS: Fix typo
>>
>>
>> My summary of the changes above:
>>
>> - support additional HW,
>>
>> - fix bugs, typos and build warnings.
>>
>> - internal program restructuring: 39b2dd7 dmidecode: Split table fetching from decoding
>>
>> I was a bit concerned about:
>>
>> 3d68350 dmidecode: Drop the CPUID exception list
>>
>> but it's pretty arcane (1) and only affects HW from 2008 or earlier
>>
>> so we should be okay with that change!
>>
>>
>> Steve,
>>
>> Do you agree?
>>
>> Thanks,
>>
>> ../Randy
>>
>>
>>
>> 1)
>>
>> commit 3d6835047f80691678e5db3127f9d573956413f0
>> Author: Jean Delvare
>> Date: Fri Dec 16 04:37:04 2022
>>
>>     dmidecode: Drop the CPUID exception list
>>
>>     Back in 2003, I had a system where the CPU type was not set. I added
>>     a quirk so that it would still be recognized as x86, and the CPUID
>>     could be decoded.
>>
>>     A few more exceptions were added over the years, but in effect, the
>>     list was last modified in 2008.
>>
>>     Having such an exception list isn't actually a good idea, for the
>>     following reasons:
>>     * It requires endless maintenance work if we want to keep it
>>       up-to-date.
>>     * It adds some (admittedly minimal) burden to the sane systems.
>>     * If we were to add more entries to the exception list, it wouldn't
>>       scale well (linear algorithmic complexity). This could be improved
>>       but at the cost of more complex code.
>>     * It sends the wrong message to the hardware manufacturers ("You can
>>       get things wrong, we'll add a workaround on our side.")
>>
>>     Therefore I would like to get rid of this exception list. Doing so
>>     has the nice side effect of simplifying the code and making the
>>     binary smaller.
>>
>>     If anyone really needs the CPUID information on such non-compliant
>>     systems, there are other ways to retrieve it, such as lscpu or
>>     /proc/cpuinfo.
>> >> https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=3D3d6835= 047f80691678e5db3127f9d573956413f0 >> >> >> >> .../dmidecode/dmidecode_3.4.bb | 4 + >> 5 files changed, 528 insertions(+) >> create mode 100644 meta/recipes-devtools/dmidecode/dmidecode/CVE-202= 3-30630_1.patch >> create mode 100644 meta/recipes-devtools/dmidecode/dmidecode/CVE-202= 3-30630_2.patch >> create mode 100644 meta/recipes-devtools/dmidecode/dmidecode/CVE-202= 3-30630_3.patch >> create mode 100644 meta/recipes-devtools/dmidecode/dmidecode/CVE-202= 3-30630_4.patch >> >> diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_= 1.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1.patc= h >> new file mode 100644 >> index 0000000000..53480d6299 >> --- /dev/null >> +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1.patch 
>> @@ -0,0 +1,237 @@ >> +From d8cfbc808f387e87091c25e7d5b8c2bb348bb206 Mon Sep 17 00:00:00 20= 01 >> +From: Jean Delvare >> +Date: Tue, 27 Jun 2023 09:40:23 +0000 >> +Subject: [PATCH] dmidecode: Write the whole dump file at once >> + >> +When option --dump-bin is used, write the whole dump file at once, >> +instead of opening and closing the file separately for the table >> +and then for the entry point. >> + >> +As the file writing function is no longer generic, it gets moved >> +from util.c to dmidecode.c. >> + >> +One minor functional change resulting from the new implementation is >> +that the entry point is written first now, so the messages printed >> +are swapped. >> + >> +Signed-off-by: Jean Delvare >> +Reviewed-by: Jerry Hoemann >> + >> +CVE: CVE-2023-30630 >> + >> +Reference:https://github.com/mirror/dmidecode/commit/39b2dd7b6ab719b9= 20e96ed832cfb4bdd664e808 >> + >> +Upstream-Status: Backport [https://github.com/mirror/dmidecode/commit= /d8cfbc808f387e87091c25e7d5b8c2bb348bb206] >> + >> +Signed-off-by: Yogita Urade >> +--- >> + dmidecode.c | 79 +++++++++++++++++++++++++++++++++++++++------------= -- >> + util.c | 40 --------------------------- >> + util.h | 1 - >> + 3 files changed, 58 insertions(+), 62 deletions(-) >> + >> +diff --git a/dmidecode.c b/dmidecode.c >> +index 9aeff91..5477309 100644 >> +--- a/dmidecode.c >> ++++ b/dmidecode.c >> +@@ -5427,11 +5427,56 @@ static void dmi_table_string(const struct dmi= _header *h, const u8 *data, u16 ver >> + } >> + } >> + >> +-static void dmi_table_dump(const u8 *buf, u32 len) >> ++static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table, >> ++ u32 table_len) >> + { >> ++ FILE *f; >> ++ >> ++ f =3D fopen(opt.dumpfile, "wb"); >> ++ if (!f) >> ++ { >> ++ fprintf(stderr, "%s: ", opt.dumpfile); >> ++ perror("fopen"); >> ++ return -1; >> ++ } >> ++ >> ++ if (!(opt.flags & FLAG_QUIET)) >> ++ pr_comment("Writing %d bytes to %s.", ep_len, opt.dumpfile); >> ++ if (fwrite(ep, ep_len, 1, f) !=3D 1) >> ++ { >> 
++ fprintf(stderr, "%s: ", opt.dumpfile); >> ++ perror("fwrite"); >> ++ goto err_close; >> ++ } >> ++ >> ++ if (fseek(f, 32, SEEK_SET) !=3D 0) >> ++ { >> ++ fprintf(stderr, "%s: ", opt.dumpfile); >> ++ perror("fseek"); >> ++ goto err_close; >> ++ } >> ++ >> + if (!(opt.flags & FLAG_QUIET)) >> +- pr_comment("Writing %d bytes to %s.", len, opt.dumpfile); >> +- write_dump(32, len, buf, opt.dumpfile, 0); >> ++ pr_comment("Writing %d bytes to %s.", table_len, opt.dumpfile); >> ++ if (fwrite(table, table_len, 1, f) !=3D 1) >> ++ { >> ++ fprintf(stderr, "%s: ", opt.dumpfile); >> ++ perror("fwrite"); >> ++ goto err_close; >> ++ } >> ++ >> ++ if (fclose(f)) >> ++ { >> ++ fprintf(stderr, "%s: ", opt.dumpfile); >> ++ perror("fclose"); >> ++ return -1; >> ++ } >> ++ >> ++ return 0; >> ++ >> ++err_close: >> ++ fclose(f); >> ++ return -1; >> + } >> + >> + static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32= flags) >> +@@ -5648,11 +5693,6 @@ static void dmi_table(off_t base, u32 len, u16= num, u32 ver, const char *devmem, >> + return; >> + } >> + >> +- if (opt.flags & FLAG_DUMP_BIN) >> +- dmi_table_dump(buf, len); >> +- else >> +- dmi_table_decode(buf, len, num, ver >> 8, flags); >> +- >> + free(buf); >> + } >> + >> +@@ -5688,8 +5728,9 @@ static void overwrite_smbios3_address(u8 *buf) >> + >> + static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) >> + { >> +- u32 ver; >> ++ u32 ver, len; >> + u64 offset; >> ++ u8 *table; >> + >> + /* Don't let checksum run beyond the buffer */ >> + if (buf[0x06] > 0x20) >> +@@ -5725,10 +5766,7 @@ static int smbios3_decode(u8 *buf, const char = *devmem, u32 flags) >> + memcpy(crafted, buf, 32); >> + overwrite_smbios3_address(crafted); >> + >> +- if (!(opt.flags & FLAG_QUIET)) >> +- pr_comment("Writing %d bytes to %s.", crafted[0x06], >> +- opt.dumpfile); >> +- write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1); >> ++ dmi_table_dump(crafted, crafted[0x06], table, len); >> + } >> + >> + return 1; >> +@@ -5737,6 
+5775,8 @@ static int smbios3_decode(u8 *buf, const char *= devmem, u32 flags) >> + static int smbios_decode(u8 *buf, const char *devmem, u32 flags) >> + { >> + u16 ver; >> ++ u32 len; >> ++ u8 *table; >> + >> + /* Don't let checksum run beyond the buffer */ >> + if (buf[0x05] > 0x20) >> +@@ -5786,10 +5826,7 @@ static int smbios_decode(u8 *buf, const char *= devmem, u32 flags) >> + memcpy(crafted, buf, 32); >> + overwrite_dmi_address(crafted + 0x10); >> + >> +- if (!(opt.flags & FLAG_QUIET)) >> +- pr_comment("Writing %d bytes to %s.", crafted[0x05], >> +- opt.dumpfile); >> +- write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1); >> ++ dmi_table_dump(crafted, crafted[0x05], table, len); >> + } >> + >> + return 1; >> +@@ -5797,6 +5834,9 @@ static int smbios_decode(u8 *buf, const char *d= evmem, u32 flags) >> + >> + static int legacy_decode(u8 *buf, const char *devmem, u32 flags) >> + { >> ++ u32 len; >> ++ u8 *table; >> ++ >> + if (!checksum(buf, 0x0F)) >> + return 0; >> + >> +@@ -5815,10 +5855,7 @@ static int legacy_decode(u8 *buf, const char *= devmem, u32 flags) >> + memcpy(crafted, buf, 16); >> + overwrite_dmi_address(crafted); >> + >> +- if (!(opt.flags & FLAG_QUIET)) >> +- pr_comment("Writing %d bytes to %s.", 0x0F, >> +- opt.dumpfile); >> +- write_dump(0, 0x0F, crafted, opt.dumpfile, 1); >> ++ dmi_table_dump(crafted, 0x0F, table, len); >> + } >> + >> + return 1; >> +diff --git a/util.c b/util.c >> +index 04aaadd..1547096 100644 >> +--- a/util.c >> ++++ b/util.c >> +@@ -259,46 +259,6 @@ out: >> + return p; >> + } >> + >> +-int write_dump(size_t base, size_t len, const void *data, const char= *dumpfile, int add) >> +-{ >> +- FILE *f; >> +- >> +- f =3D fopen(dumpfile, add ? 
"r+b" : "wb"); >> +- if (!f) >> +- { >> +- fprintf(stderr, "%s: ", dumpfile); >> +- perror("fopen"); >> +- return -1; >> +- } >> +- >> +- if (fseek(f, base, SEEK_SET) !=3D 0) >> +- { >> +- fprintf(stderr, "%s: ", dumpfile); >> +- perror("fseek"); >> +- goto err_close; >> +- } >> +- >> +- if (fwrite(data, len, 1, f) !=3D 1) >> +- { >> +- fprintf(stderr, "%s: ", dumpfile); >> +- perror("fwrite"); >> +- goto err_close; >> +- } >> +- >> +- if (fclose(f)) >> +- { >> +- fprintf(stderr, "%s: ", dumpfile); >> +- perror("fclose"); >> +- return -1; >> +- } >> +- >> +- return 0; >> +- >> +-err_close: >> +- fclose(f); >> +- return -1; >> +-} >> +- >> + /* Returns end - start + 1, assuming start < end */ >> + u64 u64_range(u64 start, u64 end) >> + { >> +diff --git a/util.h b/util.h >> +index 3094cf8..ef24eb9 100644 >> +--- a/util.h >> ++++ b/util.h >> +@@ -27,5 +27,4 @@ >> + int checksum(const u8 *buf, size_t len); >> + void *read_file(off_t base, size_t *len, const char *filename); >> + void *mem_chunk(off_t base, size_t len, const char *devmem); >> +-int write_dump(size_t base, size_t len, const void *data, const char= *dumpfile, int add); >> + u64 u64_range(u64 start, u64 end); >> +-- >> +2.35.5 >> diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_= 2.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patc= h >> new file mode 100644 >> index 0000000000..dcc87d2326 >> --- /dev/null >> +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch 
>> @@ -0,0 +1,81 @@ >> +From 6ca381c1247c81f74e1ca4e7706f70bdda72e6f2 Mon Sep 17 00:00:00 200= 1 >> +From: Jean Delvare >> +Date: Tue, 27 Jun 2023 10:03:53 +0000 >> +Subject: [PATCH] dmidecode: Do not let --dump-bin overwrite an existi= ng file >> + >> +Make sure that the file passed to option --dump-bin does not already >> +exist. In practice, it is rather unlikely that an honest user would >> +want to overwrite an existing dump file, while this possibility >> +could be used by a rogue user to corrupt a system file. >> + >> +Signed-off-by: Jean Delvare >> +Reviewed-by: Jerry Hoemann >> + >> +CVE: CVE-2023-30630 >> + >> +Upstream-Status: Backport >> +[https://github.com/mirror/dmidecode/commit/6ca381c1247c81f74e1ca4e77= 06f70bdda72e6f2] >> + >> +Signed-off-by: Yogita Urade >> +--- >> + dmidecode.c | 14 ++++++++++++-- >> + man/dmidecode.8 | 3 ++- >> + 2 files changed, 14 insertions(+), 3 deletions(-) >> + >> +diff --git a/dmidecode.c b/dmidecode.c >> +index 5477309..98f9692 100644 >> +--- a/dmidecode.c >> ++++ b/dmidecode.c >> +@@ -60,6 +60,7 @@ >> + *https://www.dmtf.org/sites/default/files/DSP0270_1.0.1.pdf >> + */ >> + >> ++#include >> + #include >> + #include >> + #include >> +@@ -5430,13 +5431,22 @@ static void dmi_table_string(const struct dmi= _header *h, const u8 *data, u16 ver >> + static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table, >> + u32 table_len) >> + { >> ++ int fd; >> + FILE *f; >> + >> +- f =3D fopen(opt.dumpfile, "wb"); >> ++ fd =3D open(opt.dumpfile, O_WRONLY|O_CREAT|O_EXCL, 0666); >> ++ if (fd =3D=3D -1) >> ++ { >> ++ fprintf(stderr, "%s: ", opt.dumpfile); >> ++ perror("open"); >> ++ return -1; >> ++ } >> ++ >> ++ f =3D fdopen(fd, "wb"); >> + if (!f) >> + { >> + fprintf(stderr, "%s: ", opt.dumpfile); >> +- perror("fopen"); >> ++ perror("fdopen"); >> + return -1; >> + } >> + >> +diff --git a/man/dmidecode.8 b/man/dmidecode.8 >> +index ed066b3..3a732c0 100644 >> +--- a/man/dmidecode.8 >> ++++ b/man/dmidecode.8 >> +@@ -1,4 +1,4 @@ 
>> +-.TH DMIDECODE 8 "January 2019" "dmidecode" >> ++.TH DMIDECODE 8 "February 2023" "dmidecode" >> + .\" >> + .SH NAME >> + dmidecode \- \s-1DMI\s0 table decoder >> +@@ -159,6 +159,7 @@ hexadecimal and \s-1ASCII\s0. This option is main= ly useful for debugging. >> + Do not decode the entries, instead dump the DMI data to a file in bi= nary >> + form. The generated file is suitable to pass to \fB--from-dump\fP >> + later. >> ++\fIFILE\fP must not exist. >> + .TP >> + .BR " " " " "--from-dump \fIFILE\fP" >> + Read the DMI data from a binary file previously generated using >> +-- >> +2.35.5 >> diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_= 3.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patc= h >> new file mode 100644 >> index 0000000000..01d0d1f867 >> --- /dev/null >> +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch 
>> @@ -0,0 +1,69 @@ >> +From c76ddda0ba0aa99a55945e3290095c2ec493c892 Mon Sep 17 00:00:00 200= 1 >> +From: Jean Delvare >> +Date: Tue, 27 Jun 2023 10:25:50 +0000 >> +Subject: [PATCH] Consistently use read_file() when reading from a dum= p file >> + >> +Use read_file() instead of mem_chunk() to read the entry point from a >> +dump file. This is faster, and consistent with how we then read the >> +actual DMI table from that dump file. >> + >> +This made no functional difference so far, which is why it went >> +unnoticed for years. But now that a file type check was added to the >> +mem_chunk() function, we must stop using it to read from regular >> +files. >> + >> +This will again allow root to use the --from-dump option. >> + >> +Signed-off-by: Jean Delvare >> +Tested-by: Jerry Hoemann >> + >> +CVE: CVE-2023-30630 >> + >> +Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmide= code.git/commit/?id=3Dc76ddda0ba0aa99a55945e3290095c2ec493c892] >> + >> +Signed-off-by: Yogita Urade >> +--- >> + dmidecode.c | 11 +++++++++-- >> + 1 file changed, 9 insertions(+), 2 deletions(-) >> + >> +diff --git a/dmidecode.c b/dmidecode.c >> +index 98f9692..b4dbc9d 100644 >> +--- a/dmidecode.c >> ++++ b/dmidecode.c >> +@@ -5997,17 +5997,25 @@ int main(int argc, char * const argv[]) >> + pr_comment("dmidecode %s", VERSION); >> + >> + /* Read from dump if so instructed */ >> ++ size =3D 0x20; >> + if (opt.flags & FLAG_FROM_DUMP) >> + { >> + if (!(opt.flags & FLAG_QUIET)) >> + pr_info("Reading SMBIOS/DMI data from file %s.", >> + opt.dumpfile); >> +- if ((buf =3D mem_chunk(0, 0x20, opt.dumpfile)) =3D=3D NULL) >> ++ if ((buf =3D read_file(0, &size, opt.dumpfile)) =3D=3D= NULL) >> + { >> + ret =3D 1; >> + goto exit_free; >> + } >> + >> ++ /* Truncated entry point can't be processed */ >> ++ if (size < 0x20) >> ++ { >> ++ ret =3D 1; >> ++ goto done; >> ++ } >> ++ >> + if (memcmp(buf, "_SM3_", 5) =3D=3D 0) >> + { >> + if (smbios3_decode(buf, opt.dumpfile, 0)) >> +@@ -6031,7 
+6039,6 @@ int main(int argc, char * const argv[]) >> + * contain one of several types of entry points, so read enough for >> + * the largest one, then determine what type it contains. >> + */ >> +- size =3D 0x20; >> + if (!(opt.flags & FLAG_NO_SYSFS) >> + && (buf =3D read_file(0, &size, SYS_ENTRY_FILE)) !=3D NULL) >> + { >> +-- >> +2.40.0 >> diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_= 4.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patc= h >> new file mode 100644 >> index 0000000000..5fa72b4f9b >> --- /dev/null >> +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch 
>> @@ -0,0 +1,137 @@ >> +From 2b83c4b898f8325313162f588765411e8e3e5561 Mon Sep 17 00:00:00 200= 1 >> +From: Jean Delvare >> +Date: Tue, 27 Jun 2023 10:58:11 +0000 >> +Subject: [PATCH] Don't read beyond sysfs entry point buffer >> + >> +Functions smbios_decode() and smbios3_decode() include a check >> +against buffer overrun. This check assumes that the buffer length is >> +always 32 bytes. This is true when reading from /dev/mem or from a >> +dump file, however when reading from sysfs, the buffer length is the >> +size of the actual sysfs attribute file, typically 31 bytes for an >> +SMBIOS 2.x entry point and 24 bytes for an SMBIOS 3.x entry point. >> + >> +In the unlikely event of a malformed entry point, with encoded length >> +larger than expected but smaller than or equal to 32, we would hit a >> +buffer overrun. So properly pass the actual buffer length as an >> +argument and perform the check against it. >> + >> +In practice, this will never happen, because on the Linux kernel >> +side, the size of the sysfs attribute file is decided from the entry >> +point length field. So it is technically impossible for them not to >> +match. But user-space code should not make such assumptions. 
>> + >> +Signed-off-by: Jean Delvare >> + >> +CVE: CVE-2023-30630 >> + >> +Upstream-Status: Backport >> +[https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=3D2b83= c4b898f8325313162f588765411e8e3e5561] >> + >> +Signed-off-by: Yogita Urade >> +--- >> + dmidecode.c | 24 ++++++++++++------------ >> + 1 file changed, 12 insertions(+), 12 deletions(-) >> + >> +diff --git a/dmidecode.c b/dmidecode.c >> +index b4dbc9d..870d94e 100644 >> +--- a/dmidecode.c >> ++++ b/dmidecode.c >> +@@ -5736,14 +5736,14 @@ static void overwrite_smbios3_address(u8 *buf= ) >> + buf[0x17] =3D 0; >> + } >> + >> +-static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) >> ++static int smbios3_decode(u8 *buf, size_t buf_len, const char *devme= m, u32 flags) >> + { >> + u32 ver, len; >> + u64 offset; >> + u8 *table; >> + >> + /* Don't let checksum run beyond the buffer */ >> +- if (buf[0x06] > 0x20) >> ++ if (buf[0x06] > buf_len) >> + { >> + fprintf(stderr, >> + "Entry point length too large (%u bytes, expected %u).\n", >> +@@ -5782,14 +5782,14 @@ static int smbios3_decode(u8 *buf, const char= *devmem, u32 flags) >> + return 1; >> + } >> + >> +-static int smbios_decode(u8 *buf, const char *devmem, u32 flags) >> ++static int smbios_decode(u8 *buf, size_t buf_len, const char *devmem= , u32 flags) >> + { >> + u16 ver; >> + u32 len; >> + u8 *table; >> + >> + /* Don't let checksum run beyond the buffer */ >> +- if (buf[0x05] > 0x20) >> ++ if (buf[0x05] > buf_len) >> + { >> + fprintf(stderr, >> + "Entry point length too large (%u bytes, expected %u).\n", >> +@@ -6018,12 +6018,12 @@ int main(int argc, char * const argv[]) >> + >> + if (memcmp(buf, "_SM3_", 5) =3D=3D 0) >> + { >> +- if (smbios3_decode(buf, opt.dumpfile, 0)) >> ++ if (smbios3_decode(buf, size, opt.dumpfile, = 0)) >> + found++; >> + } >> + else if (memcmp(buf, "_SM_", 4) =3D=3D 0) >> + { >> +- if (smbios_decode(buf, opt.dumpfile, 0)) >> ++ if (smbios_decode(buf, size, opt.dumpfile, 0= )) >> + found++; >> + } >> + else 
if (memcmp(buf, "_DMI_", 5) =3D=3D 0) >> +@@ -6046,12 +6046,12 @@ int main(int argc, char * const argv[]) >> + pr_info("Getting SMBIOS data from sysfs."); >> + if (size >=3D 24 && memcmp(buf, "_SM3_", 5) =3D=3D 0) >> + { >> +- if (smbios3_decode(buf, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) >> ++ if (smbios3_decode(buf, size, SYS_TABLE_FILE= , FLAG_NO_FILE_OFFSET)) >> + found++; >> + } >> + else if (size >=3D 31 && memcmp(buf, "_SM_", 4) =3D=3D 0) >> + { >> +- if (smbios_decode(buf, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) >> ++ if (smbios_decode(buf, size, SYS_TABLE_FILE,= FLAG_NO_FILE_OFFSET)) >> + found++; >> + } >> + else if (size >=3D 15 && memcmp(buf, "_DMI_", 5) =3D=3D 0) >> +@@ -6088,12 +6088,12 @@ int main(int argc, char * const argv[]) >> + >> + if (memcmp(buf, "_SM3_", 5) =3D=3D 0) >> + { >> +- if (smbios3_decode(buf, opt.devmem, 0)) >> ++ if (smbios3_decode(buf, 0x20, opt.devmem, 0)) >> + found++; >> + } >> + else if (memcmp(buf, "_SM_", 4) =3D=3D 0) >> + { >> +- if (smbios_decode(buf, opt.devmem, 0)) >> ++ if (smbios_decode(buf, 0x20, opt.devmem, 0)) >> + found++; >> + } >> + goto done; >> +@@ -6114,7 +6114,7 @@ memory_scan: >> + { >> + if (memcmp(buf + fp, "_SM3_", 5) =3D=3D 0) >> + { >> +- if (smbios3_decode(buf + fp, opt.devmem, 0)) >> ++ if (smbios3_decode(buf + fp, 0x20, opt.devme= m, 0)) >> + { >> + found++; >> + goto done; >> +@@ -6127,7 +6127,7 @@ memory_scan: >> + { >> + if (memcmp(buf + fp, "_SM_", 4) =3D=3D 0 && fp <=3D 0xFFE0) >> + { >> +- if (smbios_decode(buf + fp, opt.devmem, 0)) >> ++ if (smbios_decode(buf + fp, 0x20, opt.devmem= , 0)) >> + { >> + found++; >> + goto done; >> +-- >> +2.35.5 >> diff --git a/meta/recipes-devtools/dmidecode/dmidecode_3.4.bb b/meta/r= ecipes-devtools/dmidecode/dmidecode_3.4.bb >> index bc741046dd..4d5255df64 100644 >> --- a/meta/recipes-devtools/dmidecode/dmidecode_3.4.bb >> +++ b/meta/recipes-devtools/dmidecode/dmidecode_3.4.bb 
>> @@ -6,6 +6,10 @@ LIC_FILES_CHKSUM =3D"file://LICENSE;md5=3Db234ee4d69f= 5fce4486a80fdaf4a4263" >> >> SRC_URI =3D "${SAVANNAH_NONGNU_MIRROR}/dmidecode/${BP}.tar.xz \ >> file://0001-Committing-changes-from-do_unpack_extra.patch= \ >> +file://CVE-2023-30630_1.patch \ >> +file://CVE-2023-30630_2.patch \ >> +file://CVE-2023-30630_3.patch \ >> +file://CVE-2023-30630_4.patch \ >> " >> >> COMPATIBLE_HOST =3D "(i.86|x86_64|aarch64|arm|powerpc|powerpc64).*-l= inux" >> >> -- >> # Randy MacLeod >> # Wind River Linux -- # Randy MacLeod # Wind River Linux
On 2023-07-18 18:32, Steve Sakoman wrote:
On Tue, Jul 18, 2023 at 11:49 AM Randy MacLeod <randy.macleod@windriver.com> wrote:
Add Kai,

On 2023-07-14 18:32, Steve Sakoman via lists.openembedded.org wrote:

From: Yogita Urade <yogita.urade@windriver.com>

Dmidecode before 3.5 allows -dump-bin to overwrite a local file.
This has security relevance because, for example, execution of
Dmidecode via Sudo is plausible.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-30630
https://lists.nongnu.org/archive/html/dmidecode-devel/2023-04/msg00016.html
https://lists.nongnu.org/archive/html/dmidecode-devel/2023-04/msg00017.html

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../dmidecode/CVE-2023-30630_1.patch          | 237 ++++++++++++++++++
 .../dmidecode/CVE-2023-30630_2.patch          |  81 ++++++
 .../dmidecode/CVE-2023-30630_3.patch          |  69 +++++
 .../dmidecode/CVE-2023-30630_4.patch          | 137 ++++++++++


Summary:

    I think this can merge but we should agree on how to handle dmidecode.


Details:

These changes work but it's bringing back 4 patches rather than bumping the version to 3.5
and picking up 2 patches. My conclusion is that it's okay but we should probably talk
about how to maintain dmidecode since it just produces a bunch of programs for dumping
HW DMI/SMBIOS info and doesn't provide a runtime ABI, we can probably update to 3.5
(or even 3.6 when that's out).

Do you agree Steve?
You'll always get the same answer from me: no version bumps that
implement new features/apis.  Bug/security fixes only.

If there is a strong case to be made for something outside this
policy, it should go to the TSC for consideration.

I don't want our stable branches to start resembling the kernel
"stable" branches ...

So, yes, I think we should merge this patch rather than version bump :-)
    

Ok, that works for me and if there's no follow-up for Yogita, that's also good news.

I may ping the upstream devs to see if they really are following a semantic versioning scheme (1). My goal was to not only get the CVEs
fixed but to get the additional decode info to better support new hardware.

I suppose that even for simple executables like this, it's possible that something
changed in the output format or the one or two changes that seem suspect,
could cause problems for someone and so we should be more conservative and
by keeping the number of exceptions to a minimum, we usually make maintenance easier.

Thanks for the comments,

../Randy

1) https://semver.org/

Steve

The patches back-ported are:

❯ rg -i "subject: \[PATCH\]" /tmp/dmidecode-mickledore-cve.eml
201:+Subject: [PATCH] dmidecode: Write the whole dump file at once
444:+Subject: [PATCH] dmidecode: Do not let --dump-bin overwrite an existing file
531:+Subject: [PATCH] Consistently use read_file() when reading from a dump file
606:+Subject: [PATCH] Don't read beyond sysfs entry point buffer


Two of these patches would be picked up if we update mickledore to 3.5 - so let's look at what changed:

❯ git log --oneline dmidecode-3-4..dmidecode-3-5

484f893 (tag: dmidecode-3-5) Set the version to 3.5
8baf2f5 Fix a build warning when USE_MMAP isn't set
b9ebecc dmioem: HPE type 242: Fix ID on 32-bit systems
189ca35 Ensure /dev/mem is a character device file
8427888 dmidecode: Use the right variable for -s bios-revision/firmware-revision
6ca381c dmidecode: Do not let --dump-bin overwrite an existing file <---------- Added.
d8cfbc8 dmidecode: Write the whole dump file at once                       <---------- Added.
39b2dd7 dmidecode: Split table fetching from decoding
11b168f dmioem: Avoid intermediate buffer (HPE type 216)
9d2bbd5 dmioem: Decode HPE OEM Record 216
3d68350 dmidecode: Drop the CPUID exception list
c1a2520 dmidecode: Add a --no-quirks option
67dc0b2 dmidecode: Fortify entry point length checks
f801673 dmioem: Typo fix (Virutal -> Virtual)
90d1323 dmioem: Decode HPE OEM Record 242
f50b925 dmioem: Update HPE OEM Record 238
ac24b67 dmioem: Decode HPE OEM Record 230
c3357b5 dmioem: Fix segmentation fault in dmi_hp_240_attr()
a1a2258 dmioem: Decode HPE OEM Record 224
fb8766a NEWS: Fix typo


My summary of the changes above:

 - support additional HW,

 - fix bugs, typos and build warnings.

 - internal program restructuring: 39b2dd7 dmidecode: Split table fetching from decoding

I was a bit concerned about:

   3d68350 dmidecode: Drop the CPUID exception list

but it's pretty arcane (1) and only affects HW from 2008 or earlier

so we should be okay with that change!


Steve,

Do you agree?

Thanks,

../Randy



1)

commit 3d6835047f80691678e5db3127f9d573956413f0
Author: Jean Delvare <jdelvare@suse.de>
Date:   Fri Dec 16 04:37:04 2022

    dmidecode: Drop the CPUID exception list

    Back in 2003, I had a system where the CPU type was not set. I added
    a quirk so that it would still be recognized as x86, and the CPUID
    could be decoded.

    A few more exceptions were added over the years, but in effect, the
    list was last modified in 2008.

    Having such an exception list isn't actually a good idea, for the
    following reasons:
     * It requires endless maintenance work if we want to keep it
       up-to-date.
     * It adds some (admittedly minimal) burden to the sane systems.
     * If we were to add more entries to the exception list, it wouldn't
       scale well (linear algorithmic complexity). This could be improved
       but at the cost of more complex code.
     * It sends the wrong message to the hardware manufacturers ("You can
       get things wrong, we'll add a workaround on our side.")

    Therefore I would like to get rid of this exception list. Doing so
    has the nice side effect of simplifying the code and making the
    binary smaller.

    If anyone really needs the CPUID information on such non-compliant
    systems, there are other ways to retrieve it, such as lscpu or
    /proc/cpuinfo.

https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=3d6835047f80691678e5db3127f9d573956413f0



 .../dmidecode/dmidecode_3.4.bb                |   4 +
 5 files changed, 528 insertions(+)
 create mode 100644 meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1.patch
 create mode 100644 meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch
 create mode 100644 meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch
 create mode 100644 meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch

diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1.p=
atch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1.patch
new file mode 100644
index 0000000000..53480d6299
--- /dev/null
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1.patch
@@ -0,0 +1,237 @@
+From  d8cfbc808f387e87091c25e7d5b8c2bb348bb206 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Tue, 27 Jun 2023 09:40:23 +0000
+Subject: [PATCH] dmidecode: Write the whole dump file at once
+
+When option --dump-bin is used, write the whole dump file at once,
+instead of opening and closing the file separately for the table
+and then for the entry point.
+
+As the file writing function is no longer generic, it gets moved
+from util.c to dmidecode.c.
+
+One minor functional change resulting from the new implementation is
+that the entry point is written first now, so the messages printed
+are swapped.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
+
+CVE: CVE-2023-30630
+
+Reference: https:=
//github.com/mirror/dmidecode/commit/39b2dd7b6ab719b920e96ed832cfb4bdd664=
e808
+
+Upstream-Status: Backport [https://github.com/mirror/dmidecode/commit/d8cfbc808f387e87091c=
25e7d5b8c2bb348bb206]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ dmidecode.c | 79 +++++++++++++++++++++++++++++++++++++++--------------
+ util.c      | 40 ---------------------------
+ util.h      |  1 -
+ 3 files changed, 58 insertions(+), 62 deletions(-)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index 9aeff91..5477309 100644
+--- a/dmidecode.c
++++ b/dmidecode.c
+@@ -5427,11 +5427,56 @@ static void dmi_table_string(const struct dmi_he=
ader *h, const u8 *data, u16 ver
+ }
+ }
+
+-static void dmi_table_dump(const u8 *buf, u32 len)
++static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table,
++  u32 table_len)
+ {
++ FILE *f;
++
++ f =3D fopen(opt.dumpfile, "wb");
++ if (!f)
++ {
++ fprintf(stderr, "%s: ", opt.dumpfile);
++ perror("fopen");
++ return -1;
++ }
++
++ if (!(opt.flags & FLAG_QUIET))
++ pr_comment("Writing %d bytes to %s.", ep_len, opt.dumpfile);
++ if (fwrite(ep, ep_len, 1, f) !=3D 1)
++ {
++ fprintf(stderr, "%s: ", opt.dumpfile);
++ perror("fwrite");
++ goto err_close;
++ }
++
++ if (fseek(f, 32, SEEK_SET) !=3D 0)
++ {
++ fprintf(stderr, "%s: ", opt.dumpfile);
++ perror("fseek");
++ goto err_close;
++ }
++
+ if (!(opt.flags & FLAG_QUIET))
+- pr_comment("Writing %d bytes to %s.", len, opt.dumpfile);
+- write_dump(32, len, buf, opt.dumpfile, 0);
++ pr_comment("Writing %d bytes to %s.", table_len, opt.dumpfil=
e);
++ if (fwrite(table, table_len, 1, f) !=3D 1)
++ {
++ fprintf(stderr, "%s: ", opt.dumpfile);
++ perror("fwrite");
++ goto err_close;
++ }
++
++ if (fclose(f))
++ {
++ fprintf(stderr, "%s: ", opt.dumpfile);
++ perror("fclose");
++ return -1;
++ }
++
++ return 0;
++
++err_close:
++ fclose(f);
++ return -1;
+ }
+
+ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 fl=
ags)
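Review bot: The fseek(f, 32, SEEK_SET) in the new dmi_table_dump() hard-codes the table offset, and nothing in the function checks that ep_len is at most 32, so a longer entry point would be silently overwritten by the table. The callers later in this patch pass crafted[0x06], crafted[0x05] and 0x0F, which the existing "> 0x20" checks keep within 32, so it holds today; a named constant shared with those checks would make the dependency explicit. Note also that the err_close path leaves a partially written file behind, and that fopen(opt.dumpfile, "wb") still truncates an existing file at this point in the series; only the O_EXCL change in CVE-2023-30630_2.patch closes that.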
+@@ -5648,11 +5693,6 @@ static void dmi_table(off_t base, u32 len, u16 nu=
m, u32 ver, const char *devmem,
+ return;
+ }
+
+- if (opt.flags & FLAG_DUMP_BIN)
+- dmi_table_dump(buf, len);
+- else
+- dmi_table_decode(buf, len, num, ver >> 8, flags);
+-
+ free(buf);
+ }
+
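Review bot: Nothing in this patch re-adds the dmi_table_decode() call that is removed from dmi_table() here, so as posted the normal decode path looks lost. dmi_table() also still returns void and still ends in free(buf), which leaves the callers no way to receive the table they later hand to dmi_table_dump(). In the 3.4..3.5 log d8cfbc8 sits directly on top of 39b2dd7 (Split table fetching from decoding), which the patch header lists only as a Reference; either carry that commit as its own patch or say in the header which parts of it are folded in.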
+@@ -5688,8 +5728,9 @@ static void overwrite_smbios3_address(u8 *buf)
+
+ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+ {
+- u32 ver;
++ u32 ver, len;
+ u64 offset;
++ u8 *table;
+
+ /* Don't let checksum run beyond the buffer */
+ if (buf[0x06] > 0x20)
+@@ -5725,10 +5766,7 @@ static int smbios3_decode(u8 *buf, const char *de=
vmem, u32 flags)
+ memcpy(crafted, buf, 32);
+ overwrite_smbios3_address(crafted);
+
+- if (!(opt.flags & FLAG_QUIET))
+- pr_comment("Writing %d bytes to %s.", crafted[0x06],
+-   opt.dumpfile);
+- write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1);
++ dmi_table_dump(crafted, crafted[0x06], table, len);
+ }
+
+ return 1;
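Review bot: The table and len arguments passed to dmi_table_dump() here are declared in the previous hunk (u32 ver, len; u8 *table;) but no line in this patch assigns them, so the call would read uninitialised values; the smbios_decode() and legacy_decode() hunks follow the same pattern. The int result of dmi_table_dump() is also discarded, so the function still returns 1 when the dump could not be written. Please show where table and len are set and propagate the write failure to the caller.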
+@@ -5737,6 +5775,8 @@ static int smbios3_decode(u8 *buf, const char *dev=
mem, u32 flags)
+ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+ {
+ u16 ver;
++ u32 len;
++        u8 *table;
+
+ /* Don't let checksum run beyond the buffer */
+ if (buf[0x05] > 0x20)
+@@ -5786,10 +5826,7 @@ static int smbios_decode(u8 *buf, const char *dev=
mem, u32 flags)
+ memcpy(crafted, buf, 32);
+ overwrite_dmi_address(crafted + 0x10);
+
+- if (!(opt.flags & FLAG_QUIET))
+- pr_comment("Writing %d bytes to %s.", crafted[0x05],
+-   opt.dumpfile);
+- write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
++ dmi_table_dump(crafted, crafted[0x05], table, len);
+ }
+
+ return 1;
+@@ -5797,6 +5834,9 @@ static int smbios_decode(u8 *buf, const char *devm=
em, u32 flags)
+
+ static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
+ {
++ u32 len;
++ u8 *table;
++
+ if (!checksum(buf, 0x0F))
+ return 0;
+
+@@ -5815,10 +5855,7 @@ static int legacy_decode(u8 *buf, const char *dev=
mem, u32 flags)
+ memcpy(crafted, buf, 16);
+ overwrite_dmi_address(crafted);
+
+- if (!(opt.flags & FLAG_QUIET))
+- pr_comment("Writing %d bytes to %s.", 0x0F,
+-   opt.dumpfile);
+- write_dump(0, 0x0F, crafted, opt.dumpfile, 1);
++ dmi_table_dump(crafted, 0x0F, table, len);
+ }
+
+ return 1;
+diff --git a/util.c b/util.c
+index 04aaadd..1547096 100644
+--- a/util.c
++++ b/util.c
+@@ -259,46 +259,6 @@ out:
+ return p;
+ }
+
+-int write_dump(size_t base, size_t len, const void *data, const char *d=
umpfile, int add)
+-{
+- FILE *f;
+-
+- f =3D fopen(dumpfile, add ? "r+b" : "wb");
+- if (!f)
+- {
+- fprintf(stderr, "%s: ", dumpfile);
+- perror("fopen");
+- return -1;
+- }
+-
+- if (fseek(f, base, SEEK_SET) !=3D 0)
+- {
+- fprintf(stderr, "%s: ", dumpfile);
+- perror("fseek");
+- goto err_close;
+- }
+-
+- if (fwrite(data, len, 1, f) !=3D 1)
+- {
+- fprintf(stderr, "%s: ", dumpfile);
+- perror("fwrite");
+- goto err_close;
+- }
+-
+- if (fclose(f))
+- {
+- fprintf(stderr, "%s: ", dumpfile);
+- perror("fclose");
+- return -1;
+- }
+-
+- return 0;
+-
+-err_close:
+- fclose(f);
+- return -1;
+-}
+-
+ /* Returns end - start + 1, assuming start < end */
+ u64 u64_range(u64 start, u64 end)
+ {
+diff --git a/util.h b/util.h
+index 3094cf8..ef24eb9 100644
+--- a/util.h
++++ b/util.h
+@@ -27,5 +27,4 @@
+ int checksum(const u8 *buf, size_t len);
+ void *read_file(off_t base, size_t *len, const char *filename);
+ void *mem_chunk(off_t base, size_t len, const char *devmem);
+-int write_dump(size_t base, size_t len, const void *data, const char *d=
umpfile, int add);
+ u64 u64_range(u64 start, u64 end);
+--
+2.35.5
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.p=
atch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch
new file mode 100644
index 0000000000..dcc87d2326
--- /dev/null
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch
@@ -0,0 +1,81 @@
+From 6ca381c1247c81f74e1ca4e7706f70bdda72e6f2 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Tue, 27 Jun 2023 10:03:53 +0000
+Subject: [PATCH] dmidecode: Do not let --dump-bin overwrite an existing =
file
+
+Make sure that the file passed to option --dump-bin does not already
+exist. In practice, it is rather unlikely that an honest user would
+want to overwrite an existing dump file, while this possibility
+could be used by a rogue user to corrupt a system file.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
+
+CVE: CVE-2023-30630
+
+Upstream-Status: Backport
+[https://github.c=
om/mirror/dmidecode/commit/6ca381c1247c81f74e1ca4e7706f70bdda72e6f2]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ dmidecode.c     | 14 ++++++++++++--
+ man/dmidecode.8 |  3 ++-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index 5477309..98f9692 100644
+--- a/dmidecode.c
++++ b/dmidecode.c
+@@ -60,6 +60,7 @@
+  *    https://www.dmtf.org/sites/default/=
files/DSP0270_1.0.1.pdf
+  */
+
++#include <fcntl.h>
+ #include <stdio.h>
+ #include <string.h>
+ #include <strings.h>
+@@ -5430,13 +5431,22 @@ static void dmi_table_string(const struct dmi_he=
ader *h, const u8 *data, u16 ver
+ static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table,
+  u32 table_len)
+ {
++ int fd;
+ FILE *f;
+
+- f =3D fopen(opt.dumpfile, "wb");
++ fd =3D open(opt.dumpfile, O_WRONLY|O_CREAT|O_EXCL, 0666);
++ if (fd =3D=3D -1)
++ {
++ fprintf(stderr, "%s: ", opt.dumpfile);
++ perror("open");
++ return -1;
++ }
++
++ f =3D fdopen(fd, "wb");
+ if (!f)
+ {
+ fprintf(stderr, "%s: ", opt.dumpfile);
+- perror("fopen");
++ perror("fdopen");
+ return -1;
+ }
+
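Review bot: When fdopen() fails, the descriptor returned by open() is never closed and the empty file that O_CREAT|O_EXCL just created stays on disk, so a retry with the same name then fails with EEXIST. Add close(fd), and ideally unlink(opt.dumpfile), on that error path. The 0666 mode also deserves a second look, since the CVE description assumes the tool is run through sudo: the dump ends up readable by everyone the umask allows, and 0600 would be the conservative choice for a file written as root.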
+diff --git a/man/dmidecode.8 b/man/dmidecode.8
+index ed066b3..3a732c0 100644
+--- a/man/dmidecode.8
++++ b/man/dmidecode.8
+@@ -1,4 +1,4 @@
+-.TH DMIDECODE 8 "January 2019" "dmidecode"
++.TH DMIDECODE 8 "February 2023" "dmidecode"
+ .\"
+ .SH NAME
+ dmidecode \- \s-1DMI\s0 table decoder
+@@ -159,6 +159,7 @@ hexadecimal and \s-1ASCII\s0. This option is mainly =
useful for debugging.
+ Do not decode the entries, instead dump the DMI data to a file in binar=
y
+ form. The generated file is suitable to pass to \fB--from-dump\fP
+ later.
++\fIFILE\fP must not exist.
+ .TP
+ .BR "  " "  " "--from-dump \fIFILE\fP"
+ Read the DMI data from a binary file previously generated using
+--
+2.35.5
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.p=
atch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch
new file mode 100644
index 0000000000..01d0d1f867
--- /dev/null
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch
@@ -0,0 +1,69 @@
+From c76ddda0ba0aa99a55945e3290095c2ec493c892 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Tue, 27 Jun 2023 10:25:50 +0000
+Subject: [PATCH] Consistently use read_file() when reading from a dump f=
ile
+
+Use read_file() instead of mem_chunk() to read the entry point from a
+dump file. This is faster, and consistent with how we then read the
+actual DMI table from that dump file.
+
+This made no functional difference so far, which is why it went
+unnoticed for years. But now that a file type check was added to the
+mem_chunk() function, we must stop using it to read from regular
+files.
+
+This will again allow root to use the --from-dump option.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Tested-by: Jerry Hoemann <jerry.hoemann@hpe.com>
+
+CVE: CVE-2023-30630
+
+Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmide=
code.git/commit/?id=3Dc76ddda0ba0aa99a55945e3290095c2ec493c892]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ dmidecode.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index 98f9692..b4dbc9d 100644
+--- a/dmidecode.c
++++ b/dmidecode.c
+@@ -5997,17 +5997,25 @@ int main(int argc, char * const argv[])
+ pr_comment("dmidecode %s", VERSION);
+
+ /* Read from dump if so instructed */
++        size =3D 0x20;
+ if (opt.flags & FLAG_FROM_DUMP)
+ {
+ if (!(opt.flags & FLAG_QUIET))
+ pr_info("Reading SMBIOS/DMI data from file %s.",
+ opt.dumpfile);
+- if ((buf =3D mem_chunk(0, 0x20, opt.dumpfile)) =3D=3D NULL)
++                if ((buf =3D read_file(0, &size, opt.dumpfile)) =3D=
=3D NULL)
+ {
+ ret =3D 1;
+ goto exit_free;
+ }
+
++                /* Truncated entry point can't be processed */
++                if (size < 0x20)
++                {
++                        ret =3D 1;
++                        goto done;
++                }
++
+ if (memcmp(buf, "_SM3_", 5) =3D=3D 0)
+ {
+ if (smbios3_decode(buf, opt.dumpfile, 0))
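Review bot: The new size < 0x20 branch sets ret = 1 and jumps to done without printing anything, so a truncated dump file fails silently; a message on stderr naming opt.dumpfile would tell the user why. Separately, the commit message justifies the switch to read_file() by a file type check added to mem_chunk(), which corresponds to 189ca35 (Ensure /dev/mem is a character device file) in the 3.4..3.5 log and is not among the four subjects backported here. Please state in the patch header whether that commit is left out on purpose, because without it the rationale given for this patch does not apply to this tree.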
+@@ -6031,7 +6039,6 @@ int main(int argc, char * const argv[])
+ * contain one of several types of entry points, so read enough for
+ * the largest one, then determine what type it contains.
+ */
+- size =3D 0x20;
+ if (!(opt.flags & FLAG_NO_SYSFS)
+ && (buf =3D read_file(0, &size, SYS_ENTRY_FILE)) !=3D NULL)
+ {
+--
+2.40.0
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.p=
atch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch
new file mode 100644
index 0000000000..5fa72b4f9b
--- /dev/null
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch
@@ -0,0 +1,137 @@
+From 2b83c4b898f8325313162f588765411e8e3e5561 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Tue, 27 Jun 2023 10:58:11 +0000
+Subject: [PATCH] Don't read beyond sysfs entry point buffer
+
+Functions smbios_decode() and smbios3_decode() include a check
+against buffer overrun. This check assumes that the buffer length is
+always 32 bytes. This is true when reading from /dev/mem or from a
+dump file, however when reading from sysfs, the buffer length is the
+size of the actual sysfs attribute file, typically 31 bytes for an
+SMBIOS 2.x entry point and 24 bytes for an SMBIOS 3.x entry point.
+
+In the unlikely event of a malformed entry point, with encoded length
+larger than expected but smaller than or equal to 32, we would hit a
+buffer overrun. So properly pass the actual buffer length as an
+argument and perform the check against it.
+
+In practice, this will never happen, because on the Linux kernel
+side, the size of the sysfs attribute file is decided from the entry
+point length field. So it is technically impossible for them not to
+match. But user-space code should not make such assumptions.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+
+CVE: CVE-2023-30630
+
+Upstream-Status: Backport
+[https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=3D2b83=
c4b898f8325313162f588765411e8e3e5561]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ dmidecode.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index b4dbc9d..870d94e 100644
+--- a/dmidecode.c
++++ b/dmidecode.c
+@@ -5736,14 +5736,14 @@ static void overwrite_smbios3_address(u8 *buf)
+ buf[0x17] =3D 0;
+ }
+
+-static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
++static int smbios3_decode(u8 *buf, size_t buf_len, const char *devmem, =
u32 flags)
+ {
+ u32 ver, len;
+ u64 offset;
+ u8 *table;
+
+ /* Don't let checksum run beyond the buffer */
+- if (buf[0x06] > 0x20)
++        if (buf[0x06] > buf_len)
+ {
+ fprintf(stderr,
+ "Entry point length too large (%u bytes, expected %u).\n",
+@@ -5782,14 +5782,14 @@ static int smbios3_decode(u8 *buf, const char *d=
evmem, u32 flags)
+ return 1;
+ }
+
+-static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
++static int smbios_decode(u8 *buf, size_t buf_len, const char *devmem, u=
32 flags)
+ {
+ u16 ver;
+ u32 len;
+         u8 *table;
+
+ /* Don't let checksum run beyond the buffer */
+- if (buf[0x05] > 0x20)
++        if (buf[0x05] > buf_len)
+ {
+ fprintf(stderr,
+ "Entry point length too large (%u bytes, expected %u).\n",
+@@ -6018,12 +6018,12 @@ int main(int argc, char * const argv[])
+
+ if (memcmp(buf, "_SM3_", 5) =3D=3D 0)
+ {
+- if (smbios3_decode(buf, opt.dumpfile, 0))
++                        if (smbios3_decode(buf, size, opt.dumpfile, 0))
+ found++;
+ }
+ else if (memcmp(buf, "_SM_", 4) =3D=3D 0)
+ {
+- if (smbios_decode(buf, opt.dumpfile, 0))
++                        if (smbios_decode(buf, size, opt.dumpfile, 0))
+ found++;
+ }
+ else if (memcmp(buf, "_DMI_", 5) =3D=3D 0)
+@@ -6046,12 +6046,12 @@ int main(int argc, char * const argv[])
+ pr_info("Getting SMBIOS data from sysfs.");
+ if (size >=3D 24 && memcmp(buf, "_SM3_", 5) =3D=3D=
 0)
+ {
+- if (smbios3_decode(buf, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET))
++                        if (smbios3_decode(buf, size, SYS_TABLE_FILE, F=
LAG_NO_FILE_OFFSET))
+ found++;
+ }
+ else if (size >=3D 31 && memcmp(buf, "_SM_", 4) =3D=
=3D 0)
+ {
+- if (smbios_decode(buf, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET))
++                        if (smbios_decode(buf, size, SYS_TABLE_FILE, FL=
AG_NO_FILE_OFFSET))
+ found++;
+ }
+ else if (size >=3D 15 && memcmp(buf, "_DMI_", 5) =3D=
=3D 0)
+@@ -6088,12 +6088,12 @@ int main(int argc, char * const argv[])
+
+ if (memcmp(buf, "_SM3_", 5) =3D=3D 0)
+ {
+- if (smbios3_decode(buf, opt.devmem, 0))
++                if (smbios3_decode(buf, 0x20, opt.devmem, 0))
+ found++;
+ }
+ else if (memcmp(buf, "_SM_", 4) =3D=3D 0)
+ {
+- if (smbios_decode(buf, opt.devmem, 0))
++                if (smbios_decode(buf, 0x20, opt.devmem, 0))
+ found++;
+ }
+ goto done;
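Review bot: The buffer length for the /dev/mem path is passed as a bare 0x20 here and again in the two memory_scan hunks that follow, repeating the value the old check hard-coded. A single named constant used for both the read size and these calls would keep them from drifting apart. For the memory_scan calls the argument also has to be the room left after buf + fp: the _SM_ branch shows an fp <= 0xFFE0 guard in its context, the _SM3_ branch shows none, so please confirm the loop bound covers it.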
+@@ -6114,7 +6114,7 @@ memory_scan:
+ {
+ if (memcmp(buf + fp, "_SM3_", 5) =3D=3D 0)
+ {
+- if (smbios3_decode(buf + fp, opt.devmem, 0))
++                        if (smbios3_decode(buf + fp, 0x20, opt.devmem, =
0))
+ {
+ found++;
+ goto done;
+@@ -6127,7 +6127,7 @@ memory_scan:
+ {
+ if (memcmp(buf + fp, "_SM_", 4) =3D=3D 0 && fp <=3D=
 0xFFE0)
+ {
+- if (smbios_decode(buf + fp, opt.devmem, 0))
++                        if (smbios_decode(buf + fp, 0x20, opt.devmem, 0=
))
+ {
+ found++;
+ goto done;
+--
+2.35.5
diff --git a/meta/recipes-devtools/dmidecode/dmidecode_3.4.bb b/meta/reci=
pes-devtools/dmidecode/dmidecode_3.4.bb
index bc741046dd..4d5255df64 100644
--- a/meta/recipes-devtools/dmidecode/dmidecode_3.4.bb
+++ b/meta/recipes-devtools/dmidecode/dmidecode_3.4.bb
@@ -6,6 +6,10 @@ LIC_FILES_CHKSUM =3D "file=
://LICENSE;md5=3Db234ee4d69f5fce4486a80fdaf4a4263"

 SRC_URI =3D "${SAVANNAH_NONGNU_MIRROR}/dmidecode/${BP}.tar.xz \
            file://0001-Committing-changes-f=
rom-do_unpack_extra.patch \
+           file://CVE-2023-30630_1.patch \
+           file://CVE-2023-30630_2.patch \
+           file://CVE-2023-30630_3.patch \
+           file://CVE-2023-30630_4.patch \
            "

 COMPATIBLE_HOST =3D "(i.86|x86_64|aarch64|arm|powerpc|powerpc64).*-=
linux"


--
# Randy MacLeod
# Wind River Linux

