On 9/8/20 5:21 PM, Daniel P. Berrangé wrote: > SeaBIOS implements the SMBIOS 2.1 entry point which is limited to a > maximum length of 0xffff. If the SMBIOS data received from QEMU is large > enough, then adding the type 0 table will cause integer overflow. This > results in fun behaviour such as a KVM crash, or hangs in SeaBIOS. > > Signed-off-by: Daniel P. Berrangé <berra...@redhat.com> > --- > src/fw/biostables.c | 14 ++++++++++---- > 1 file changed, 10 insertions(+), 4 deletions(-) > > diff --git a/src/fw/biostables.c b/src/fw/biostables.c > index 0c07833..794b5be 100644 > --- a/src/fw/biostables.c > +++ b/src/fw/biostables.c > @@ -462,10 +462,16 @@ smbios_romfile_setup(void) > /* common case: add our own type 0, with 3 strings and 4 '\0's */ > u16 t0_len = sizeof(struct smbios_type_0) + strlen(BIOS_NAME) + > strlen(VERSION) + strlen(BIOS_DATE) + 4; > - ep.structure_table_length += t0_len; > - if (t0_len > ep.max_structure_size) > - ep.max_structure_size = t0_len; > - ep.number_of_structures++; > + if (t0_len > (0xffff - ep.structure_table_length)) { > + dprintf(1, "Insufficient space (%d bytes) to add SMBIOS type 0 > table (%d bytes)\n", > + 0xffff - ep.structure_table_length, t0_len); > + need_t0 = 0; > + } else { > + ep.structure_table_length += t0_len; > + if (t0_len > ep.max_structure_size) > + ep.max_structure_size = t0_len; > + ep.number_of_structures++; > + } > } > > /* allocate final blob and record its address in the entry point */ >
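Review bot: the 0xffff bound in this hunk appears twice as a bare literal, once in the comparison and once in the dprintf arguments; since it encodes the 16-bit structure_table_length of the SMBIOS 2.1 entry point named in the commit message, computing the remaining space once into a local (e.g. `u16 avail = 0xffff - ep.structure_table_length;`) or giving the limit a named constant would keep the check and the message from drifting apart, and a one-line comment saying why the type 0 table is dropped outright rather than the blob truncated would help the next reader. The logic itself looks right: the subtraction is done in int, so it cannot wrap the way the old unconditional `ep.structure_table_length += t0_len` could, and because `max_structure_size` and `number_of_structures` are only updated in the else branch, the entry point stays consistent with what is actually emitted when `need_t0` is cleared.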
Reviewed-by: Philippe Mathieu-Daudé <phi...@redhat.com>