Xen project Mailing List

[PATCH 2/3] hvmloader: fix SMBIOS table length checks

From: "Petr Beneš" <w1benny@xxxxxxxxx>

Date: Tue, 1 Jul 2025 23:45:11 +0000

Cc: Petr Beneš <w1benny@xxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>

Delivery-date: Tue, 01 Jul 2025 23:45:35 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

From: Petr Beneš <w1benny@xxxxxxxxx> SMBIOS specification dictates that tables should have a minimal length. This commit introduces further validation for user-input SMBIOS tables. As per SMBIOS Reference Specification: * Type 0: For version 2.3 and later implementations, the length is at least 14h * Type 1: 1Bh for 2.4 and later * Type 2: at least 08h * Type 3: 0Dh for version 2.1 and later * Type 11: 5h (+ strings) * Type 22: 1Ah (+ strings) * Type 39: a minimum of 10h hvmloader currently implements version 2.4 Signed-off-by: Petr Beneš <w1benny@xxxxxxxxx> --- tools/firmware/hvmloader/smbios.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tools/firmware/hvmloader/smbios.c b/tools/firmware/hvmloader/smbios.c index fc3cdc9a25..2cd826768b 100644 --- a/tools/firmware/hvmloader/smbios.c +++ b/tools/firmware/hvmloader/smbios.c @@ -385,7 +385,7 @@ smbios_type_0_init(void *start, const char *xen_version, uint32_t length; pts = get_smbios_pt_struct(0, &length); - if ( pts != NULL && length > 0 ) + if ( pts != NULL && length >= sizeof(struct smbios_type_0) ) { memcpy(start, pts, length); p->header.handle = SMBIOS_HANDLE_TYPE0; @@ -444,7 +444,7 @@ smbios_type_1_init(void *start, const char *xen_version, uint32_t length; pts = get_smbios_pt_struct(1, &length); - if ( pts != NULL && length > 0 ) + if ( pts != NULL && length >= sizeof(struct smbios_type_1) ) { memcpy(start, pts, length); p->header.handle = SMBIOS_HANDLE_TYPE1; @@ -504,7 +504,7 @@ smbios_type_2_init(void *start) unsigned int counter = 0; pts = get_smbios_pt_struct(2, &length); - if ( pts != NULL && length > 0 ) + if ( pts != NULL && length >= 8 ) { memcpy(start, pts, length); p->header.handle = SMBIOS_HANDLE_TYPE2; @@ -598,7 +598,7 @@ smbios_type_3_init(void *start) uint32_t counter = 0; pts = get_smbios_pt_struct(3, &length); - if ( pts != NULL && length > 0 ) + if ( pts != NULL && length >= 13 ) { memcpy(start, pts, length); p->header.handle = SMBIOS_HANDLE_TYPE3; @@ -712,7 +712,7 @@ smbios_type_11_init(void *start) uint32_t length; pts = get_smbios_pt_struct(11, &length); - if ( pts != NULL && length > 0 ) + if ( pts != NULL && length >= sizeof(struct smbios_type_11) ) { memcpy(start, pts, length); p->header.handle = SMBIOS_HANDLE_TYPE11; @@ -869,7 +869,7 @@ smbios_type_22_init(void *start) uint32_t length; pts = get_smbios_pt_struct(22, &length); - if ( pts != NULL && length > 0 ) + if ( pts != NULL && length >= sizeof(struct smbios_type_22) ) { memcpy(start, pts, length); p->header.handle = SMBIOS_HANDLE_TYPE22; @@ -951,7 +951,7 @@ smbios_type_39_init(void *start) uint32_t length; pts = get_smbios_pt_struct(39, &length); - if ( pts != NULL && length > 0 ) + if ( pts != NULL && length >= 16 ) { memcpy(start, pts, length); p->header.handle = SMBIOS_HANDLE_TYPE39; -- 2.34.1

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.