[PULL v4 32/48] hw/smbios: report error if table size is too large
From: Michael S. Tsirkin
Subject: [PULL v4 32/48] hw/smbios: report error if table size is too large
Date: Tue, 29 Sep 2020 03:22:18 -0400
From: Daniel P. Berrangé <berrange@redhat.com>
The SMBIOS 2.1 entry point uses a uint16 data type for reporting the
total length of the tables. If the user passes -smbios configuration to
QEMU that causes the table size to exceed this limit then various bad
behaviours result, including
- firmware hangs in an infinite loop
- firmware triggers a KVM crash on bad memory access
- firmware silently discards user's SMBIOS data replacing it with
a generic data set.
Limiting the size to 0xffff in QEMU avoids triggering most of these
problems. There is a remaining bug in SeaBIOS which tries to prepend its
own data for table 0, and does not check whether there is sufficient
space before attempting this.
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20200923133804.2089190-3-berrange@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/smbios/smbios.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
index d993448087..8b30906e50 100644
--- a/hw/smbios/smbios.c
+++ b/hw/smbios/smbios.c
@@ -365,6 +365,13 @@ static void smbios_register_config(void)
opts_init(smbios_register_config);
+/*
+ * The SMBIOS 2.1 "structure table length" field in the
+ * entry point uses a 16-bit integer, so we're limited
+ * in total table size
+ */
+#define SMBIOS_21_MAX_TABLES_LEN 0xffff
+
static void smbios_validate_table(MachineState *ms)
{
uint32_t expect_t4_count = smbios_legacy ?
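Review bot: the comment above SMBIOS_21_MAX_TABLES_LEN explains that the 2.1 entry point's length field is 16-bit, but not that the limit is specific to that entry point type, which is why the check in smbios_validate_table() is gated on smbios_ep_type == SMBIOS_ENTRY_POINT_21; a reader who only sees the define may wonder whether the other entry point type needs the same cap. Suggest extending the comment along the lines of "... so we're limited in total table size when the 2.1 entry point is selected" so the gating below reads as intentional. Minor: the define lands between opts_init(smbios_register_config) and smbios_validate_table(); placing it with the other SMBIOS constants near the top of the file would make it easier to find.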
@@ -375,6 +382,13 @@ static void smbios_validate_table(MachineState *ms)
expect_t4_count, smbios_type4_count);
exit(1);
}
+
+ if (smbios_ep_type == SMBIOS_ENTRY_POINT_21 &&
+ smbios_tables_len > SMBIOS_21_MAX_TABLES_LEN) {
+ error_report("SMBIOS 2.1 table length %zu exceeds %d",
+ smbios_tables_len, SMBIOS_21_MAX_TABLES_LEN);
+ exit(1);
+ }
}
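Review bot: the check rejects only totals above 0xffff, yet the commit message itself says SeaBIOS prepends its own type 0 data without checking for space, so a table that passes this test by a few bytes still overflows in firmware. Consider mentioning that in a comment next to the check, or in the error text, e.g. "SMBIOS 2.1 table length %zu exceeds %d (firmware may add its own tables)", so a user who trims their -smbios input just under the limit is not surprised by a hang that QEMU no longer diagnoses. Also worth confirming at review time that smbios_ep_type is assigned before smbios_validate_table() runs; the hunk does not show where it is set, and if it still held a default other than SMBIOS_ENTRY_POINT_21 at this point the new check would be skipped silently. Using exit(1) matches the existing expect_t4_count check just above, so that part is consistent.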
--
MST
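To make the limit the patch enforces concrete, here is an added example, written for this page rather than taken from QEMU or from the patch author. In C, it lays out the SMBIOS 2.1 entry point with its 16-bit structure table length field, walks a structure table the way firmware does (formatted area followed by a double-NUL-terminated string set) to compute the total length, and refuses to fill the entry point when that total cannot be represented, next to the wrapped value an unchecked store would advertise. The struct layout follows the SMBIOS 2.1 specification; the type 11 (OEM strings) table builder, the describe_type11_table() helper and all sizes are constructed for the example, and the entry point checksums are left at zero.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SMBIOS_21_MAX_TABLES_LEN 0xffff

/* SMBIOS 2.1 (32-bit) entry point as laid out in the spec, packed so that
 * sizeof() is the 31 bytes firmware scans for. Checksums stay zero here;
 * the example is about the length field only. */
struct __attribute__((packed)) smbios_21_entry_point {
    uint8_t  anchor[4];               /* "_SM_" */
    uint8_t  checksum, length;        /* length is 0x1f */
    uint8_t  major, minor;
    uint16_t max_structure_size;
    uint8_t  eps_revision;
    uint8_t  formatted_area[5];
    uint8_t  intermediate_anchor[5];  /* "_DMI_" */
    uint8_t  intermediate_checksum;
    uint16_t structure_table_length;  /* the 16-bit field at issue */
    uint32_t structure_table_address;
    uint16_t number_of_structures;
    uint8_t  bcd_revision;
};

/* Size of one structure: the formatted area (its length byte is at offset
 * 1) followed by a string set that ends with a double NUL. 0 = malformed. */
size_t smbios_struct_size(const uint8_t *buf, size_t avail)
{
    size_t off;
    if (avail < 4 || buf[1] < 4 || buf[1] > avail) return 0;
    for (off = buf[1]; off + 1 < avail; off++) {
        if (buf[off] == 0 && buf[off + 1] == 0) return off + 2;
    }
    return 0;   /* string set never terminated */
}

/* Walk a whole table: bytes consumed and structure count, or 0 if any
 * structure is malformed. */
size_t smbios_table_len(const uint8_t *tbl, size_t avail, unsigned *count)
{
    size_t off = 0, n;
    for (*count = 0; off < avail; (*count)++) {
        n = smbios_struct_size(tbl + off, avail - off);
        if (n == 0) return 0;
        off += n;
    }
    return off;
}

/* What an unchecked store into the 16-bit field would advertise. */
uint16_t smbios_21_truncated_len(size_t len) { return (uint16_t)len; }

/* Fill a 2.1 entry point for a len-byte table of count structures; refuse,
 * leaving *ep untouched, when len cannot be represented in 16 bits. */
bool smbios_21_fill_ep(struct smbios_21_entry_point *ep, size_t len,
                       unsigned count)
{
    if (len > SMBIOS_21_MAX_TABLES_LEN) return false;
    memset(ep, 0, sizeof(*ep));
    memcpy(ep->anchor, "_SM_", 4);
    memcpy(ep->intermediate_anchor, "_DMI_", 5);
    ep->length = sizeof(*ep);
    ep->major = 2;
    ep->minor = 8;
    ep->bcd_revision = 0x28;
    ep->structure_table_length = (uint16_t)len;
    ep->number_of_structures = (uint16_t)count;
    return true;
}

/* Constructed input: n type 11 (OEM strings) structures, each a 5-byte
 * header, one slen-byte string, its NUL and the set terminator. Walk the
 * table and describe it with a 2.1 entry point; return the advertised
 * length, or -1 when it is too large for the field. */
long describe_type11_table(unsigned n, size_t slen)
{
    struct smbios_21_entry_point ep;
    size_t per = 5 + slen + 2, len;
    unsigned i, count;
    uint8_t *tbl = calloc(n, per);          /* calloc supplies the NULs */
    for (i = 0; i < n; i++) {
        uint8_t *s = tbl + i * per;
        s[0] = 11;                          /* type; handle left as 0 */
        s[1] = 5;                           /* formatted area length */
        s[4] = 1;                           /* one OEM string follows */
        memset(s + 5, 'A', slen);
    }
    len = smbios_table_len(tbl, per * n, &count);
    free(tbl);
    if (len != per * n || count != n) return -2;   /* walker self-check */
    if (!smbios_21_fill_ep(&ep, len, count)) return -1;
    return (long)ep.structure_table_length;
}
```

With these constructed inputs, 255 structures of 257 bytes total exactly 0xffff and are accepted; one more structure brings the total to 65792, which smbios_21_fill_ep() rejects, whereas an unchecked 16-bit store would advertise 256 bytes and firmware would read a truncated table. The walker also rejects a structure whose length byte is below the 4-byte header or whose string set is never terminated, the two malformed shapes a firmware parser has to guard against.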