From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.6 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 03523C43461 for ; Mon, 14 Sep 2020 08:04:28 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 63F6120719 for ; Mon, 14 Sep 2020 08:04:27 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="Aj6KwvRU" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 63F6120719 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Received: from localhost ([::1]:58702 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kHjTO-0006wF-7V for qemu-devel@archiver.kernel.org; Mon, 14 Sep 2020 04:04:26 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:59516) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kHjSa-0006Jy-U1 for qemu-devel@nongnu.org; Mon, 14 Sep 2020 04:03:36 -0400 Received: from us-smtp-delivery-1.mimecast.com ([207.211.31.120]:26203 helo=us-smtp-1.mimecast.com) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.90_1) (envelope-from ) id 1kHjSZ-0007fu-66 for qemu-devel@nongnu.org; Mon, 14 Sep 2020 04:03:36 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1600070614; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=aiDZgeNbyclc5yUuS6lA1n4VxDbGBZGk1YIBfRGsC00=; b=Aj6KwvRUurMaeXrUkt1xmhli1Fvbo/v/5voiuBfOVpTa1FTqL1hnNN1LFoyv0TalEAM8qa pAwVL5UdbIu4hJXSSjNXMAeV3/a64EefrCSd48PCJ3UOuJQBfVcpz3S0wvQILoQIHs+h31 pAI212clX4RdqfF8dy+ky89jOYpYEUY= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-273-GgoTZMe2MC2insgCAihLNw-1; Mon, 14 Sep 2020 04:03:30 -0400 X-MC-Unique: GgoTZMe2MC2insgCAihLNw-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 057C180F057; Mon, 14 Sep 2020 08:03:29 +0000 (UTC) Received: from localhost (unknown [10.43.2.114]) by smtp.corp.redhat.com (Postfix) with ESMTP id 0A4966E70B; Mon, 14 Sep 2020 08:03:04 +0000 (UTC) Date: Mon, 14 Sep 2020 10:02:52 +0200 From: Igor Mammedov To: "Daniel P. =?UTF-8?B?QmVycmFuZ8Op?=" , "Michael S. Tsirkin" Subject: Re: [PATCH 2/5] hw/smbios: report error if table size is too large Message-ID: <20200914100252.25b2fa79@redhat.com> In-Reply-To: <20200908165438.1008942-3-berrange@redhat.com> References: <20200908165438.1008942-1-berrange@redhat.com> <20200908165438.1008942-3-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=imammedo@redhat.com X-Mimecast-Spam-Score: 0.002 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Received-SPF: pass client-ip=207.211.31.120; envelope-from=imammedo@redhat.com; helo=us-smtp-1.mimecast.com X-detected-operating-system: by eggs.gnu.org: First seen = 2020/09/14 01:36:47 X-ACL-Warn: Detected OS = Linux 2.2.x-3.x [generic] [fuzzy] X-Spam_score_int: -37 X-Spam_score: -3.8 X-Spam_bar: --- X-Spam_report: (-3.8 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.695, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Peter Maydell , Eduardo Habkost , qemu-devel@nongnu.org, Markus Armbruster , qemu-arm@nongnu.org, Paolo Bonzini , Laszlo Ersek , Richard Henderson Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" On Tue, 8 Sep 2020 17:54:35 +0100 Daniel P. Berrang=C3=A9 wrote: > The SMBIOS 2.1 entry point uses a uint16 data type for reporting the > total length of the tables. If the user passes -smbios configuration to > QEMU that causes the table size to exceed this limit then various bad > behaviours result, including >=20 > - firmware hangs in an infinite loop > - firmware triggers a KVM crash on bad memory access > - firmware silently discards user's SMBIOS data replacing it with > a generic data set. >=20 > Limiting the size to 0xffff in QEMU avoids triggering most of these > problems. There is a remaining bug in SeaBIOS which tries to prepend its > own data for table 0, and does not check whether there is sufficient > space before attempting this. >=20 > Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Igor Mammedov even if we not going to add support for large entries, this patch is good on it's own, so others won't have to deal with debugging misconfiguration, and get a clear error instead. Michael, Can you take this patch via your tree? > --- > hw/smbios/smbios.c | 14 ++++++++++++++ > 1 file changed, 14 insertions(+) >=20 > diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c > index 8450fad285..3c87be6c91 100644 > --- a/hw/smbios/smbios.c > +++ b/hw/smbios/smbios.c > @@ -365,6 +365,13 @@ static void smbios_register_config(void) > =20 > opts_init(smbios_register_config); > =20 > +/* > + * The SMBIOS 2.1 "structure table length" field in the > + * entry point uses a 16-bit integer, so we're limited > + * in total table size > + */ > +#define SMBIOS_21_MAX_TABLES_LEN 0xffff > + > static void smbios_validate_table(MachineState *ms) > { > uint32_t expect_t4_count =3D smbios_legacy ? > @@ -375,6 +382,13 @@ static void smbios_validate_table(MachineState *ms) > expect_t4_count, smbios_type4_count); > exit(1); > } > + > + if (smbios_ep_type =3D=3D SMBIOS_ENTRY_POINT_21 && > + smbios_tables_len > SMBIOS_21_MAX_TABLES_LEN) { > + error_report("SMBIOS 2.1 table length %zu exceeds %d", > + smbios_tables_len, SMBIOS_21_MAX_TABLES_LEN); > + exit(1); > + } > } > =20 > =20