smbios-sys-info(-lite) crashes with short memory files #58

Closed
debrouxl opened this Issue Jul 14, 2018 · 0 comments


debrouxl commented Jul 14, 2018

I noticed that when given small enough memory files, smbios-sys-info and smbios-sys-info-lite crash with bus errors:

```
$ dd if=/dev/zero of=smbios_memory_file_zero bs=8K count=1
$ /usr/sbin/smbios-sys-info --memory-dat=smbios_memory_file_zero
Bus error
$ /usr/sbin/smbios-sys-info-lite -m smbios_memory_file_zero
Libsmbios: 2.4.1
Bus error
```

This works as a non-privileged user as well. This is on a Dell Precision M6700 laptop.

The threshold is a bit below 1 MB: there's a crash with a file 0xFD000 (1036288) bytes large, no crash with a file 0xFE000 (1044480) bytes large.

AFAIK, such bus errors don't have potential for code execution. However, the program should still validate input data, complain and exit cleanly with a nonzero error code, instead of crashing :)
afl-fuzz and honggfuzz (#43) should easily find this fault when invoking smbios-sys-info-lite -m @@ and smbios-sys-info-lite -m ___FILE___, respectively.

As part of #43, you'll have to expand the CLI of smbios-sys-info-lite, or make new front-ends, to make it easier to fuzz libsmbios. For instance, passing arbitrary, independent replacements of /sys/firmware/dmi/tables/DMI and /sys/firmware/dmi/tables/smbios_entry_point to the program. At this point, both are tied by the same prefix in smbios_get_table_firm_tables(), and none of the existing callers of smbios_table_factory() enables the unit testing mode.
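The kind of input validation the report asks for, as an added example that is not part of the issue or of libsmbios: it assumes the memory file is read through `mmap` (the issue does not say so; a bus error on a short file is the usual symptom of touching a mapped page that lies past end-of-file). `read_dump_range` and `make_zero_file` are hypothetical names.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not libsmbios API): copy [offset, offset+len) of a
 * memory-dump file into buf, refusing any range the file does not fully
 * back. Returns 0 on success, -1 with errno set on failure. */
int read_dump_range(int fd, uint64_t offset, size_t len, void *buf)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return -1;
    if (!S_ISREG(st.st_mode)) { errno = EINVAL; return -1; } /* dump files only */

    /* Overflow-safe form of "offset + len <= file size". */
    uint64_t size = (uint64_t)st.st_size;
    if (len == 0 || offset > size || len > size - offset) {
        errno = ERANGE;          /* caller reports this and exits nonzero */
        return -1;
    }

    /* mmap offsets must be page aligned, so map from the enclosing page. */
    long page = sysconf(_SC_PAGESIZE);
    uint64_t base = offset - (offset % (uint64_t)page);
    size_t skew = (size_t)(offset - base);
    void *map = mmap(NULL, len + skew, PROT_READ, MAP_PRIVATE, fd, (off_t)base);
    if (map == MAP_FAILED)
        return -1;
    memcpy(buf, (const char *)map + skew, len);
    munmap(map, len + skew);
    return 0;
}

/* Constructed test input: an all-zero file, like the dd command in the report. */
int make_zero_file(size_t size)
{
    char path[] = "/tmp/smbios_dump_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);
    if (ftruncate(fd, (off_t)size) != 0) { close(fd); return -1; }
    return fd;
}
```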

superm1 added a commit that referenced this issue Jul 17, 2018

superm1 closed this in dab5dfd Jul 17, 2018
