[PULL 07/21] smbios: sanitize type from external type before checking ha

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PULL 07/21] smbios: sanitize type from external type before checking ha

From:	Paolo Bonzini
Subject:	[PULL 07/21] smbios: sanitize type from external type before checking have_fields_bitmap
Date:	Mon, 19 Sep 2022 19:34:35 +0200

test_bit uses header->type as an offset; if the file incorrectly specifies a
type greater than 127, smbios_entry_add will read and write garbage.

To fix this, just pass the smbios data through, assuming the user knows what
to do.  Reported by Coverity as CID 1487255.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/smbios/smbios.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
index 60349ee402..4c9f664830 100644
--- a/hw/smbios/smbios.c
+++ b/hw/smbios/smbios.c
@@ -1205,13 +1205,15 @@ void smbios_entry_add(QemuOpts *opts, Error **errp)
             return;
         }
 
-        if (test_bit(header->type, have_fields_bitmap)) {
-            error_setg(errp,
-                       "can't load type %d struct, fields already specified!",
-                       header->type);
-            return;
+        if (header->type <= SMBIOS_MAX_TYPE) {
+            if (test_bit(header->type, have_fields_bitmap)) {
+                error_setg(errp,
+                           "can't load type %d struct, fields already 
specified!",
+                           header->type);
+                return;
+            }
+            set_bit(header->type, have_binfile_bitmap);
         }
-        set_bit(header->type, have_binfile_bitmap);
 
         if (header->type == 4) {
             smbios_type4_count++;
-- 
2.37.2

[Prev in Thread]

Current Thread

[Next in Thread]

[PULL 00/21] Misc patches for 2022-09-19, Paolo Bonzini, 2022/09/19
- [PULL 01/21] KVM: use store-release to mark dirty pages as harvested, Paolo Bonzini, 2022/09/19
- [PULL 02/21] target/i386: Raise #GP on unaligned m128 accesses when required., Paolo Bonzini, 2022/09/19
- [PULL 03/21] kvm: fix memory leak on failure to read stats descriptors, Paolo Bonzini, 2022/09/19
- [PULL 04/21] spapr_pci: fix leak in spapr_phb_vfio_get_loc_code, Paolo Bonzini, 2022/09/19
- [PULL 06/21] coverity: put NUBus under m68k component, Paolo Bonzini, 2022/09/19
- [PULL 07/21] smbios: sanitize type from external type before checking have_fields_bitmap, Paolo Bonzini <=
- [PULL 08/21] tests: unit: simplify test-visitor-serialization list tests, Paolo Bonzini, 2022/09/19
- [PULL 10/21] tests: unit: add NULL-pointer check, Paolo Bonzini, 2022/09/19
- [PULL 09/21] tests: test-qga: close socket on failure to connect, Paolo Bonzini, 2022/09/19
- [PULL 05/21] coverity: add new RISC-V component, Paolo Bonzini, 2022/09/19
- [PULL 15/21] audio: add help option for -audio and -audiodev, Paolo Bonzini, 2022/09/19
- [PULL 16/21] target/i386: correctly mask SSE4a bit indices in register operands, Paolo Bonzini, 2022/09/19
- [PULL 14/21] tests/tcg: remove old SSE tests, Paolo Bonzini, 2022/09/19
- [PULL 20/21] build: remove extra parentheses causing missing rebuilds, Paolo Bonzini, 2022/09/19
- [PULL 11/21] tests/tcg: i386: fix typos in 3DNow! instructions, Paolo Bonzini, 2022/09/19
- [PULL 12/21] tests/tcg: i386: add MMX and 3DNow! tests, Paolo Bonzini, 2022/09/19

Prev by Date: [PULL 06/21] coverity: put NUBus under m68k component
Next by Date: [PULL 08/21] tests: unit: simplify test-visitor-serialization list tests
Previous by thread: [PULL 06/21] coverity: put NUBus under m68k component
Next by thread: [PULL 08/21] tests: unit: simplify test-visitor-serialization list tests
Index(es):
- Date
- Thread