On 9/8/20 5:21 PM, Daniel P. Berrangé wrote:
> SeaBIOS implements the SMBIOS 2.1 entry point which is limited to a
> maximum length of 0xffff. If the SMBIOS data received from QEMU is large
> enough, then adding the type 0 table will cause integer overflow. This
> results in fun behaviour such as a KVM crash, or hangs in SeaBIOS.
> 
> Signed-off-by: Daniel P. Berrangé <berra...@redhat.com>
> ---
>  src/fw/biostables.c | 14 ++++++++++----
>  1 file changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/src/fw/biostables.c b/src/fw/biostables.c
> index 0c07833..794b5be 100644
> --- a/src/fw/biostables.c
> +++ b/src/fw/biostables.c
> @@ -462,10 +462,16 @@ smbios_romfile_setup(void)
>          /* common case: add our own type 0, with 3 strings and 4 '\0's */
>          u16 t0_len = sizeof(struct smbios_type_0) + strlen(BIOS_NAME) +
>                       strlen(VERSION) + strlen(BIOS_DATE) + 4;
> -        ep.structure_table_length += t0_len;
> -        if (t0_len > ep.max_structure_size)
> -            ep.max_structure_size = t0_len;
> -        ep.number_of_structures++;
> +        if (t0_len > (0xffff - ep.structure_table_length)) {
> +            dprintf(1, "Insufficient space (%d bytes) to add SMBIOS type 0 
> table (%d bytes)\n",
> +                    0xffff - ep.structure_table_length, t0_len);
> +            need_t0 = 0;
> +        } else {
> +            ep.structure_table_length += t0_len;
> +            if (t0_len > ep.max_structure_size)
> +                ep.max_structure_size = t0_len;
> +            ep.number_of_structures++;
> +        }
>      }
>  
>      /* allocate final blob and record its address in the entry point */
> 
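Review bot: in the new `if (t0_len > (0xffff - ep.structure_table_length))` branch the limit 0xffff is hard-coded twice (once in the guard, once in the dprintf); since it is simply the largest value a u16 `structure_table_length` can hold, a named constant such as `SMBIOS_21_MAX_TABLE_LEN` would make the intent explicit and keep the guard and the message from drifting apart. The guard itself is sound: both operands are promoted to int, so `0xffff - ep.structure_table_length` cannot wrap, and the `else` keeps the original accounting unchanged. Two smaller points: the dprintf string literal appears broken across two lines in the quoted patch ("... type 0" / "table (%d bytes)\n"); if that is not just mail wrapping it will not compile, so please confirm it is a single literal. And clearing `need_t0` means the guest gets an SMBIOS table with no type 0 (BIOS Information) structure at all, which deserves a sentence in the commit message so the dprintf is not the only record of that trade-off.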

Reviewed-by: Philippe Mathieu-Daudé <phi...@redhat.com>
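The u16 wrap the commit message describes, shown as an added example rather than SeaBIOS's own code. The entry point struct, the type 0 struct (laid out as the 24-byte SMBIOS 2.x BIOS Information formatted area) and the BIOS name/version/date strings are all constructed for this example; `add_type0_unchecked` mirrors the pre-patch accounting and `add_type0_checked` mirrors the guarded version, returning whether the table was accounted for.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the SMBIOS 2.1 entry point fields the patch
 * touches. All three are u16 in the real 2.1 entry point, which is the
 * whole reason the unchecked add can wrap. */
struct ep21 {
    uint16_t structure_table_length;
    uint16_t max_structure_size;
    uint16_t number_of_structures;
};

/* Formatted area of an SMBIOS 2.x type 0 (BIOS Information) structure:
 * 4-byte header plus 20 bytes of fields, 24 bytes in total. Defined here
 * so sizeof() is meaningful; it is not SeaBIOS's definition. */
struct smbios_type_0 {
    uint8_t  type;
    uint8_t  length;
    uint16_t handle;
    uint8_t  vendor_str;
    uint8_t  bios_version_str;
    uint16_t bios_starting_address_segment;
    uint8_t  bios_release_date_str;
    uint8_t  bios_rom_size;
    uint64_t bios_characteristics;
    uint8_t  bios_characteristics_extension_bytes[2];
    uint8_t  system_bios_major_release;
    uint8_t  system_bios_minor_release;
    uint8_t  embedded_controller_major_release;
    uint8_t  embedded_controller_minor_release;
} __attribute__((packed));

/* Same arithmetic as the patch: formatted area + 3 strings + 4 NULs
 * (one terminator per string plus the double-NUL end marker). */
static uint16_t type0_len(const char *name, const char *version, const char *date)
{
    return (uint16_t)(sizeof(struct smbios_type_0) + strlen(name) +
                      strlen(version) + strlen(date) + 4);
}

/* Pre-patch logic: the u16 add silently wraps modulo 65536, so a table
 * that was nearly full is recorded as nearly empty. Always "succeeds". */
static int add_type0_unchecked(struct ep21 *ep, uint16_t t0_len)
{
    ep->structure_table_length += t0_len;
    if (t0_len > ep->max_structure_size)
        ep->max_structure_size = t0_len;
    ep->number_of_structures++;
    return 1;
}

/* Post-patch logic: both operands promote to int, so the subtraction
 * cannot wrap; if the type 0 table does not fit, skip it and leave the
 * entry point untouched. Returns 1 if accounted for, 0 if skipped. */
static int add_type0_checked(struct ep21 *ep, uint16_t t0_len)
{
    if (t0_len > (0xffff - ep->structure_table_length)) {
        fprintf(stderr,
                "Insufficient space (%d bytes) to add SMBIOS type 0 table (%d bytes)\n",
                0xffff - ep->structure_table_length, t0_len);
        return 0;
    }
    ep->structure_table_length += t0_len;
    if (t0_len > ep->max_structure_size)
        ep->max_structure_size = t0_len;
    ep->number_of_structures++;
    return 1;
}

int main(void)
{
    /* Constructed inputs: a QEMU-supplied table that is almost at the
     * 0xffff limit, and typical-length BIOS strings. */
    uint16_t t0 = type0_len("SeaBIOS", "1.14.0", "04/01/2014");
    struct ep21 before = { 65500, 100, 7 };
    struct ep21 after  = { 65500, 100, 7 };

    add_type0_unchecked(&before, t0);
    printf("unchecked: length %u (wrapped), %u structures\n",
           before.structure_table_length, before.number_of_structures);

    int ok = add_type0_checked(&after, t0);
    printf("checked:   added=%d, length %u, %u structures\n",
           ok, after.structure_table_length, after.number_of_structures);
    return 0;
}
```

With a 65500-byte input table and a 51-byte type 0, the unchecked path records a table length of 15 while still claiming one more structure; the checked path refuses and leaves every field as it was.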
_______________________________________________
SeaBIOS mailing list -- seabios@seabios.org
To unsubscribe send an email to seabios-le...@seabios.org