The SMBIOS 2.1 entry point uses a uint16 data type for reporting the
total length of the tables. If the user passes -smbios configuration to
QEMU that causes the table size to exceed this limit then various bad
behaviours result, including
- firmware hangs in an infinite loop
- firmware triggers a KVM crash on bad memory access
- firmware silently discards user's SMBIOS data replacing it with
a generic data set.
Limiting the size to 0xffff in QEMU avoids triggering most of these
problems. There is a remaining bug in SeaBIOS which tries to prepend its
own data for table 0, and does not check whether there is sufficient
space before attempting this.
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <
20200923133804.
2089190-3-berrange@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
opts_init(smbios_register_config);
+/*
+ * The SMBIOS 2.1 "structure table length" field in the
+ * entry point uses a 16-bit integer, so we're limited
+ * in total table size
+ */
+#define SMBIOS_21_MAX_TABLES_LEN 0xffff
+
static void smbios_validate_table(MachineState *ms)
{
uint32_t expect_t4_count = smbios_legacy ?
expect_t4_count, smbios_type4_count);
exit(1);
}
+
+ if (smbios_ep_type == SMBIOS_ENTRY_POINT_21 &&
+ smbios_tables_len > SMBIOS_21_MAX_TABLES_LEN) {
+ error_report("SMBIOS 2.1 table length %zu exceeds %d",
+ smbios_tables_len, SMBIOS_21_MAX_TABLES_LEN);
+ exit(1);
+ }
}
projects / qemu-nvme.git / commitdiff