I noticed that when given small enough memory files, smbios-sys-info and smbios-sys-info-lite crash with bus errors:
$ dd if=/dev/zero of=smbios_memory_file_zero bs=8K count=1
$ /usr/sbin/smbios-sys-info --memory-dat=smbios_memory_file_zero
Bus error
$ /usr/sbin/smbios-sys-info-lite -m smbios_memory_file_zero
Libsmbios: 2.4.1
Bus error
This works as a non-privileged user as well. This is on a Dell Precision M6700 laptop.
The threshold is a bit below 1 MB: there's a crash with a file 0xFD000 (1036288) bytes large, no crash with a file 0xFE000 (1044480) bytes large.
AFAIK, such bus errors don't have potential for code execution. However, the program should still validate input data, complain and exit cleanly with a nonzero error code, instead of crashing :)
afl-fuzz and honggfuzz (#43) should easily find this fault when invoking smbios-sys-info-lite -m @@ and smbios-sys-info-lite -m ___FILE___, respectively.
As part of #43, you'll have to expand the CLI of smbios-sys-info-lite, or make new front-ends, to make it easier to fuzz libsmbios. For instance, passing arbitrary, independent replacements of /sys/firmware/dmi/tables/DMI and /sys/firmware/dmi/tables/smbios_entry_point to the program. At this point, both are tied by the same prefix in smbios_get_table_firm_tables(), and none of the existing callers of smbios_table_factory() enables the unit testing mode.
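As an added illustration of the kind of input validation the report asks for (this is example code, not libsmbios's own), the following checks that a memory-image file is large enough to cover the byte range the tool intends to read before anything is mapped, so a short file produces an error and a nonzero exit instead of a SIGBUS. The range used in the comments (0xF0000, 64 KiB) is assumed for illustration; the real offsets libsmbios reads are not stated in the report.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Pure check: does a file of file_size bytes fully contain the byte range
 * [offset, offset + len)?  Written so that offset + len cannot wrap around.
 * Returns 1 if it does, 0 if it does not. */
int size_covers_range(uint64_t file_size, uint64_t offset, uint64_t len)
{
    if (offset > file_size)
        return 0;
    return len <= file_size - offset;
}

/* Stat a memory-image file (the --memory-dat / -m argument) and refuse it
 * before it is mapped if it is too short for the range the caller wants to
 * read (e.g. the assumed 0xF0000..0xFFFFF anchor search area).  Returns 0
 * when the range is covered, -1 otherwise, with a message on stderr so the
 * front-end can exit nonzero instead of touching pages past end-of-file. */
int image_file_covers_range(const char *path, uint64_t offset, uint64_t len)
{
    struct stat st;
    if (stat(path, &st) != 0) {
        fprintf(stderr, "%s: cannot stat: %s\n", path, strerror(errno));
        return -1;
    }
    if (!size_covers_range((uint64_t)st.st_size, offset, len)) {
        fprintf(stderr, "%s: only %lld bytes, cannot read 0x%llx bytes at "
                "offset 0x%llx\n", path, (long long)st.st_size,
                (unsigned long long)len, (unsigned long long)offset);
        return -1;
    }
    return 0;
}

/* Constructed test input: write a zero-filled image of `size` bytes, like
 * the dd command in the report.  Returns 0 on success, -1 on error. */
int write_zero_image(const char *path, uint64_t size)
{
    static const unsigned char zeros[4096];
    FILE *f = fopen(path, "wb");
    if (!f)
        return -1;
    while (size > 0) {
        size_t n = size < sizeof zeros ? (size_t)size : sizeof zeros;
        if (fwrite(zeros, 1, n, f) != n) { fclose(f); return -1; }
        size -= n;
    }
    return fclose(f) == 0 ? 0 : -1;
}
```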