public inbox for u-boot@lists.denx.de
* [PATCH] smbios: Add an explicit bounds check for Type 9 length
@ 2026-04-07 20:41 Raymond Mao
  2026-04-12 11:44 ` Simon Glass
  0 siblings, 1 reply; 2+ messages in thread
From: Raymond Mao @ 2026-04-07 20:41 UTC (permalink / raw)
  To: u-boot; +Cc: Raymond Mao, Raymond Mao, Tom Rini, Ilias Apalodimas,
	Samuel Holland

From: Raymond Mao <raymond.mao@riscstar.com>

Fix Coverity Scan defect on Type 9 length.
Type 9 formatted length is built dynamically from peer_grouping_count.
Although peer_grouping_count is a byte, the resulting formatted area
still must fit in the SMBIOS header length field (u8).
Add an explicit bounds check before extending len, so the size used by
map_sysmem() and memset() is guaranteed to be valid and consistent
with hdr.length.

Fixes: a8442c226635 ("smbios: add support for dynamic generation of Type 9 system slot tables")
Addresses-Coverity-ID: CID 645487: Insecure data handling (TAINTED_SCALAR)
Signed-off-by: Raymond Mao <raymond.mao@riscstar.com>
---
 lib/smbios.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/smbios.c b/lib/smbios.c
index d5f18c8bd69..18c48b15d2a 100644
--- a/lib/smbios.c
+++ b/lib/smbios.c
@@ -1093,6 +1093,9 @@ static int smbios_write_type9_1slot(ulong *current, int handle,
 	 * TODO:
 	 * peer_groups = <peer_grouping_count> * SMBIOS_TYPE9_PGROUP_SIZE
 	 */
+	if (len + pgroups_size > U8_MAX)
+		return -EINVAL;
+
 	len += pgroups_size;
 
 	t = map_sysmem(*current, len);
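
Review bot: the new `return -EINVAL;` ahead of `len += pgroups_size;` exits with no diagnostic and no comment tying `U8_MAX` to the u8 header length field, so a rejected slot will be hard to trace later. Suggest a one-line comment above the check carrying the commit message's reasoning (the formatted area must fit in hdr.length) and a debug log message naming the offending size. It is also worth confirming that every caller of smbios_write_type9_1slot() treats a negative return as an error rather than as a length to add to the table, since the callers are not part of this hunk. Placing the check before map_sysmem() is right: nothing is mapped yet, so the error path needs no cleanup.
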
-- 
2.25.1

