Date:      Tue, 13 Jul 2010 16:03:27 GMT
From:      Spencer Minear <spencer_minear@mcafee.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/148546: Buffer overrun in the ipmi driver while processing smbios data
Message-ID:  <201007131603.o6DG3RIg007226@www.freebsd.org>
Resent-Message-ID: <201007131610.o6DGA5lE081325@freefall.freebsd.org>

>Number:         148546
>Category:       misc
>Synopsis:       Buffer overrun in the ipmi driver while processing smbios data
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 13 16:10:05 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Spencer Minear
>Release:        7.2
>Organization:
Mcafee
>Environment:
Observed in our modified version of 7.2, but the bad code appears to be present in a wide range of releases.
>Description:
The smbios_run_table function in ipmi_smbios.c allocates a local variable named table that can contain 20 entries.  It then calls the get_strings function, which is also in ipmi_smbios.c, and provides the address of the table as a parameter to the get_strings function.

As the get_strings function is walking the list of strings it saves a pointer to each string in the table without any consideration of how many pointers it adds to the table.

The obvious error is that IF the BIOS happens to have an SMBIOS entry that contains more than 19 strings (we need room for the terminating NULL pointer, which is also added by the get_strings function), it will overflow the table.

I've found NO indication in the specifications that 20 is a fixed limit on the number of strings.  We have observed that with the latest BIOS update from Dell and use of one of their new large systems, the buffer will overrun, and this can cause a panic during system boot when the ipmi_smbios_identify function is called as the bus_generic_probe function walks the list of drivers.

>How-To-Repeat:
We found the problem using the 2.1.9 version of the BIOS from Dell running on a Dell T610 MLK system.  The problem smbios entry is the one that provides information on the CPU and DIMM sockets on the motherboard.  This system has 2 CPU sockets and a total of 18 DIMM sockets, which leads to 20 strings giving the names of all of them.

We see a panic when using an i386 kernel with no debug flags set.  In this case the NULL happens to overwrite the saved EBX register from the bus_generic_attach function.  We have not observed a problem on an amd64 system, but clearly the error exists there too; whatever is being overwritten is just not as critical as on i386.

>Fix:
The fix that we are making involves first making the table bigger.  We are also adding a parameter to the get_strings function to tell it the number of allowed entries in the table.  The get_strings logic counts entries and IF it sees that it would overflow the table it will burp an overflow message to the console and NOT overflow the table.  Worst case, one or more strings will not be referenced.  But at least it won't panic the kernel during boot.

>Release-Note:
>Audit-Trail:
>Unformatted:
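The following C program is an added illustration of the bug described in this PR and of the bounded walk the reporter proposes; it is not code from FreeBSD's ipmi_smbios.c or from the submitter. It assumes a 20-slot pointer table (19 usable entries plus the NULL terminator, as the report states), constructs an SMBIOS-style structure with the CPU/DIMM socket names as sample data (the string names, the type byte and the 512-byte scratch buffer are assumptions), and backs the 20-slot table with two extra "guard" slots so the unbounded walk can be run safely and the overrun observed. The `end` bound in `get_strings_bounded`, which stops the walk at the end of the structure, is an extra precaution not mentioned in the report's fix.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: 20 pointer slots as the report describes (19 strings + NULL). */
#define STRING_TABLE_SLOTS 20
#define GUARD_SLOTS 2        /* stand-in for whatever sits next to the table on the stack */

static const char sentinel[] = "guard";   /* canary value placed in the guard slots */

/* An SMBIOS structure begins with a 4-byte header (type, length, handle); the
 * formatted area is `length` bytes and the string set follows it, ending with
 * an empty string (a double NUL). */
static const char *smbios_string_set(const uint8_t *structure)
{
    return (const char *)structure + structure[1];
}

/* Constructed sample: header plus `nstrings` socket names (CPU1, CPU2, DIMM_A1..DIMM_B9),
 * shaped like the CPU/DIMM entry in the report. Returns bytes written, 0 on failure. */
static size_t build_sample_structure(uint8_t *buf, size_t cap, int nstrings)
{
    size_t off = 0;
    if (cap < 5) return 0;
    buf[off++] = 0x04; buf[off++] = 0x04; buf[off++] = 0x00; buf[off++] = 0x00;
    for (int i = 0; i < nstrings; i++) {
        char name[16];
        int len = (i < 2)
            ? snprintf(name, sizeof name, "CPU%d", i + 1)
            : snprintf(name, sizeof name, "DIMM_%c%d", 'A' + (i - 2) / 9, (i - 2) % 9 + 1);
        if (len < 0 || off + (size_t)len + 2 > cap) return 0;
        memcpy(buf + off, name, (size_t)len + 1);
        off += (size_t)len + 1;
    }
    buf[off++] = 0x00;   /* second NUL ends the string set */
    return off;
}

/* The pattern the report describes (reconstructed here, not FreeBSD's code): store
 * every string pointer, then the terminating NULL, with no check against the table size. */
static void get_strings_unbounded(const char *p, const char **table)
{
    while (*p != '\0') {
        *table++ = p;
        p += strlen(p) + 1;
    }
    *table = NULL;
}

/* Hardened walk: stores at most max-1 pointers, always NULL-terminates, and also
 * stops at `end` so a string set missing its double NUL cannot run off the structure.
 * Returns the number of pointers stored; *truncated is set when strings were dropped. */
static int get_strings_bounded(const char *p, const char *end,
                               const char **table, int max, int *truncated)
{
    int n = 0;
    *truncated = 0;
    if (max < 1) return 0;
    while (p < end && *p != '\0') {
        size_t len = strnlen(p, (size_t)(end - p));
        if (p + len >= end) { *truncated = 1; break; }   /* unterminated string */
        if (n == max - 1) {
            fprintf(stderr, "ipmi: smbios string table overflow, dropping remaining strings\n");
            *truncated = 1;
            break;
        }
        table[n++] = p;
        p += len + 1;
    }
    table[n] = NULL;
    return n;
}

/* Runs the unbounded walk into a 20-slot table backed by guard slots.
 * Returns 1 if the walk wrote into a guard slot (the overrun), 0 if not, -1 on bad input. */
static int unbounded_walk_overruns(int nstrings)
{
    uint8_t buf[512];
    const char *table[STRING_TABLE_SLOTS + GUARD_SLOTS];
    if (nstrings > STRING_TABLE_SLOTS + GUARD_SLOTS - 1) return -1;  /* would pass the guard too */
    if (build_sample_structure(buf, sizeof buf, nstrings) == 0) return -1;
    for (size_t i = 0; i < STRING_TABLE_SLOTS + GUARD_SLOTS; i++) table[i] = sentinel;
    get_strings_unbounded(smbios_string_set(buf), table);
    return table[STRING_TABLE_SLOTS] != sentinel || table[STRING_TABLE_SLOTS + 1] != sentinel;
}

struct walk_result { int stored; int truncated; int terminated; };

/* Runs the bounded walk into a 20-slot table and reports what happened. */
static struct walk_result bounded_walk(int nstrings)
{
    uint8_t buf[512];
    const char *table[STRING_TABLE_SLOTS];
    struct walk_result r = { -1, 0, 0 };
    size_t n = build_sample_structure(buf, sizeof buf, nstrings);
    if (n == 0) return r;
    const char *s = smbios_string_set(buf);
    r.stored = get_strings_bounded(s, (const char *)buf + n, table, STRING_TABLE_SLOTS, &r.truncated);
    r.terminated = (r.stored < STRING_TABLE_SLOTS && table[r.stored] == NULL);
    return r;
}

int main(void)
{
    printf("19 strings, unbounded walk overruns: %d\n", unbounded_walk_overruns(19));
    printf("20 strings, unbounded walk overruns: %d\n", unbounded_walk_overruns(20));
    struct walk_result r = bounded_walk(20);
    printf("20 strings, bounded walk: stored=%d truncated=%d terminated=%d\n",
           r.stored, r.truncated, r.terminated);
    return 0;
}
```

With 19 strings the unbounded walk stays inside the 20 slots; with the 20 strings from the T610 entry its terminating NULL lands one slot past the table, which is the write that clobbered the saved EBX in the report. The bounded walk on the same input keeps 19 strings, logs the overflow, and still leaves a NULL-terminated table for the caller.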