intel / INTEL-SA-00075-Linux-Detection-And-Mitigation-Tools

GNU General Public License v2.0

Question about amt_code_versions #6

Open martingalvan opened 6 years ago

martingalvan commented 6 years ago

INTEL-SA-00075-Discovery-Tool.c defines amt_code_versions as:

struct amt_code_versions {
    uint8_t bios[AMT_BIOS_VERSION_LEN];
    uint32_t count;
    struct amt_version_type versions[AMT_VERSIONS_NUMBER];
}__attribute__((packed));

where AMT_VERSIONS_NUMBER is set to 50. Where does this value come from? Can we really have 50 different versions for a piece of AMT code?

Furthermore, we have the following:

struct amt_host_if_resp_header {
    struct amt_host_if_msg_header header;
    uint32_t status;
    unsigned char data[0];
}__attribute__((packed));

Then, amt_host_if_call allocates acmd->mei_cl.buf_size bytes for what ends up being cast to an amt_host_if_resp_header. amt_get_code_versions ends up doing:

memcpy(versions, response->data, sizeof(struct amt_code_versions));

which looks like it's copying a huge amount of bytes from the response buffer. Shouldn't that be copying just acmd->mei_cl.buf_size bytes? In any case, this all seems to work since otherwise the check for response_size != (resp_hdr->length + sizeof(struct amt_host_if_msg_header)) at amt_verify_response_header would fail.
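The bounded copy the question is asking for, as an added example that is not the tool's own code: it reads only the bytes the response payload actually carries and refuses a `count` larger than AMT_VERSIONS_NUMBER. The struct amt_version_type layout, AMT_BIOS_VERSION_LEN and AMT_UNICODE_STRING_LEN are assumptions, since they are not quoted above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed constants and layout: not shown on the page; chosen to match
 * the tool's structs (AMT_VERSIONS_NUMBER is the 50 quoted above). */
#define AMT_BIOS_VERSION_LEN 65
#define AMT_VERSIONS_NUMBER 50
#define AMT_UNICODE_STRING_LEN 20

struct amt_unicode_string {
    uint16_t length;
    char string[AMT_UNICODE_STRING_LEN];
} __attribute__((packed));

struct amt_version_type {
    struct amt_unicode_string description;
    struct amt_unicode_string version;
} __attribute__((packed));

struct amt_code_versions {
    uint8_t bios[AMT_BIOS_VERSION_LEN];
    uint32_t count;
    struct amt_version_type versions[AMT_VERSIONS_NUMBER];
} __attribute__((packed));

/* Fill `out` from the `data_len` payload bytes that follow the response
 * status word, reading only what the response actually carries.
 * Returns 0 on success, -1 if the payload is truncated or count is out
 * of range; `out` is zeroed first so callers never see stale entries. */
int amt_parse_code_versions(const uint8_t *data, size_t data_len,
                            struct amt_code_versions *out)
{
    const size_t fixed = AMT_BIOS_VERSION_LEN + sizeof(uint32_t);
    uint32_t count;
    memset(out, 0, sizeof(*out));
    if (data_len < fixed)
        return -1;                 /* not even bios + count present */
    memcpy(out->bios, data, AMT_BIOS_VERSION_LEN);
    memcpy(&count, data + AMT_BIOS_VERSION_LEN, sizeof(count)); /* unaligned-safe */
    if (count > AMT_VERSIONS_NUMBER)
        return -1;                 /* would overrun versions[] */
    if (data_len - fixed < (size_t)count * sizeof(struct amt_version_type))
        return -1;                 /* fewer entries than count claims */
    memcpy(out->versions, data + fixed,
           (size_t)count * sizeof(struct amt_version_type));
    out->count = count;
    return 0;
}
```

The caller would pass `response->data` and `response_size` minus the header and status bytes, so the copy can never run past what amt_host_if_call allocated.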

martingalvan commented 4 years ago

Tagging @idesai