--- Begin Message ---
Package: memtest86+
Version: 5.31b+dfsg-1
Severity: important
Tags: patch

Dear Maintainer,

When using the brand-new memtest86+ 5.31b package from Debian experimental
on a server with 32 RAM slots, the program first displayed garbage
manufacturer name, board name and CPU number at the bottom of the screen.
These pieces of information are extracted from DMI data, so I attempted to
display the DMI information from the appropriate menu. The server
displayed a popup containing... something... then it simply rebooted.

I went looking into the source code, in file dmi.c, and found an unbounded
increment of the mem_devs_count and md_maps_count variables, which can
lead to significant OOB writes (memory corruption) on computers which have
more than MAX_DMI_MEMDEVS memory devices. That value is low, only 16.

Granted, computers with > 16 RAM slots aren't one's average laptop /
desktop computer, but recent dual-socket workstations and servers tend to
have 24 or 32 RAM slots, and quad-socket servers easily have 32.

Then, I searched for memtest86+ forks on the Web, and found
https://github.com/anphsw/memtest86
where both the buffer overflow and the low value for MAX_DMI_MEMDEVS have
been fixed since February 2018... This version also contains a number of
other improvements over upstream: more tests, more supported memory
controllers and SMBus controllers, etc. However, upstream has a number of
typo fixes, etc.

I applied the relevant part of the fix locally, sprinkled 3 "else" into
the if() chain because these are exclusive conditions, rebuilt and
installed the package, and tested it:

* the manufacturer name, board name and (last) CPU number have become
  correct;
* the program displays DMI information for all 32 RAM slots, in 4 pages,
  without rebooting the server - as it should.

Two days ago, I contacted both the upstream maintainer and the
aforementioned downstream maintainer about this matter.

memtest86+ 5.01b has the same bug, but not memtest86 4.3.7, which doesn't
have DMI parsing code.

Regards,
Lionel Debroux.

-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf, armel, arm64
[system information removed because not only the bug report is sent from
another computer, but memtest86+ is freestanding, non-Linux software]
Versions of packages memtest86+ depends on:
ii debconf [debconf-2.0] 1.5.79
memtest86+ recommends no packages.
Versions of packages memtest86+ suggests:
pn grub-pc | grub-legacy <none>
pn hwtools <none>
pn kernel-patch-badram <none>
pn memtest86 <none>
pn memtester <none>
ii mtools 4.0.33-1+really4.0.32-1
-- debconf information:
shared/memtest86-run-lilo: false
Author: Michael Brown <mcb30@ipxe.org>
Author: Lionel Debroux <lionel_debroux@yahoo.fr>
Description: make it possible to retrieve DMI memory information for 128
memory devices (up from 16), and prevent crash/reboot-inducing buffer
overflow in DMI memory information retrieval.
Via: https://github.com/anphsw/memtest86/commit/d15092a56940810b6e124d59c20c819e5e3e7df1
Via: https://github.com/anphsw/memtest86/commit/1144e231b5dad0e315ff834e4056cebafc4cba0b
---
diff -Naurp a/debian/patches/dmi-more-ram-slots-and-buffer-overflow-fix.patch b/debian/patches/dmi-more-ram-slots-and-buffer-overflow-fix.patch
--- a/debian/patches/dmi-more-ram-slots-and-buffer-overflow-fix.patch 1970-01-01 01:00:00.000000000 +0100
+++ b/debian/patches/dmi-more-ram-slots-and-buffer-overflow-fix.patch 2022-01-16 20:07:44.144559811 +0100
@@ -0,0 +1,41 @@
+diff -Naur memtest86+-5.31b+dfsg_orig/dmi.c memtest86+-5.31b+dfsg/dmi.c
+--- a/dmi.c 2020-04-12 17:14:51.000000000 +0200
++++ b/dmi.c 2022-01-16 20:05:32.245340025 +0100
+@@ -209,21 +209,21 @@
+ while(dmi < table_start + eps->tablelength){
+ struct tstruct_header *header = (struct tstruct_header *)dmi;
+
+- if (header->type == 17)
++ if (header->type == 17 && mem_devs_count < sizeof(mem_devs) / sizeof(mem_devs[0]))
+ mem_devs[mem_devs_count++] = (struct mem_dev *)dmi;
+
+ // Mem Dev Map
+- if (header->type == 20)
++ else if (header->type == 20 && md_maps_count < sizeof(md_maps) / sizeof(md_maps[0]))
+ md_maps[md_maps_count++] = (struct md_map *)dmi;
+
+ // MB_SPEC
+- if (header->type == 2)
++ else if (header->type == 2)
+ {
+ dmi_system_info = (struct system_map *)dmi;
+ }
+
+ // CPU_SPEC
+- if (header->type == 4)
++ else if (header->type == 4)
+ {
+ dmi_cpu_info = (struct cpu_map *)dmi;
+ }
+diff -Naur memtest86+-5.31b+dfsg_orig/test.h memtest86+-5.31b+dfsg/test.h
+--- a/test.h 2022-01-16 20:02:23.000000000 +0100
++++ b/test.h 2022-01-16 20:03:54.139841007 +0100
+@@ -53,7 +53,7 @@
+
+ #define DMI_SEARCH_START 0x0000F000
+ #define DMI_SEARCH_LENGTH 0x000F0FFF
+-#define MAX_DMI_MEMDEVS 16
++#define MAX_DMI_MEMDEVS 128
+
+ #define TITLE_WIDTH 28
+ #define LINE_TITLE 0
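Review bot: in the dmi.c part, type 17 and type 20 structures that arrive after the arrays are full are now dropped without any record, because the capacity test is folded into the type test (`header->type == 17 && mem_devs_count < sizeof(mem_devs) / sizeof(mem_devs[0])`). That stops the out-of-bounds store, but a machine with more devices than the arrays hold will show a shortened list with no hint that it was truncated. I would nest the capacity test inside the type test and keep a flag or a separate "seen" counter that the DMI screen can report. The `sizeof(x) / sizeof(x[0])` form is only correct while `mem_devs` and `md_maps` are real arrays in this scope, so a one-line comment or a shared element-count macro would guard against a later change to pointers. The `// Mem Dev Map` comment now sits between an `if` body and its `else if`, which reads oddly; braces around each branch would make the chain clearer. In test.h, `MAX_DMI_MEMDEVS 128` is still a fixed ceiling, and a short comment next to it saying that dmi.c bounds its writes against the array size would document why exceeding it is harmless.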
diff -Naurp a/debian/patches/series b/debian/patches/series
--- a/debian/patches/series 2022-01-16 20:06:36.789041768 +0100
+++ b/debian/patches/series 2022-01-16 20:06:42.692649698 +0100
@@ -8,3 +8,4 @@ make-iso-reproducible
test-random-cflags.patch
fix-gcc8-freeze-crash.patch
discard-note_gnu_property.patch
+dmi-more-ram-slots-and-buffer-overflow-fix.patch
--- End Message ---
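The failure mode reported above, shown as a stand-alone bounded walk over an SMBIOS structure table. This is an added example, not memtest86+ code: `scan_table`, `build_table`, `struct dmi_scan` and `MAX_DEVS` are hypothetical names, the table is constructed, and it goes beyond the patch by also checking structure lengths and counting the entries that did not fit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_DEVS 16  /* hypothetical capacity, same value as the old limit */

struct dmi_scan {
    const uint8_t *devs[MAX_DEVS]; /* type 17 structures that were stored */
    size_t stored, seen;           /* entries written / type 17 entries found */
};

/* Added example, hypothetical names. Returns 0, or -1 if the table is malformed. */
static int scan_table(const uint8_t *tbl, size_t len, struct dmi_scan *out)
{
    size_t off = 0;
    memset(out, 0, sizeof(*out));
    while (off + 4 <= len) {                 /* 4-byte header must fit */
        uint8_t type = tbl[off], slen = tbl[off + 1];
        if (slen < 4 || slen > len - off) return -1;  /* structure overruns table */
        if (type == 17) {                    /* Memory Device */
            out->seen++;
            if (out->stored < sizeof(out->devs) / sizeof(out->devs[0]))
                out->devs[out->stored++] = tbl + off;  /* bounded write */
        }
        off += slen;
        while (off + 1 < len && (tbl[off] || tbl[off + 1]))
            off++;                           /* skip strings up to double NUL */
        if (off + 1 >= len) return -1;       /* terminator missing */
        off += 2;
    }
    return 0;
}

static size_t build_table(uint8_t *buf, size_t cap, unsigned n)
{
    static const uint8_t rec[6] = { 17, 4, 0, 0, 0, 0 }; /* constructed: type, length, handle, empty strings */
    size_t off = 0;
    for (unsigned i = 0; i < n && off + sizeof(rec) <= cap; i++, off += sizeof(rec))
        memcpy(buf + off, rec, sizeof(rec));
    return off;
}

int main(void)
{
    uint8_t buf[256];
    struct dmi_scan s;
    size_t len = build_table(buf, sizeof(buf), 32); /* 32 slots, as in the report */
    int rc = scan_table(buf, len, &s);
    printf("rc=%d seen=%zu stored=%zu\n", rc, s.seen, s.stored);
    return rc ? 1 : 0;
}
```

A caller that compares `seen` with `stored` can tell the user the device list was truncated instead of silently showing fewer slots.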
--- Begin Message ---
Source: memtest86+
Source-Version: 5.31b+dfsg-2
Done: Fabio Fantoni <fantonifabio@tiscali.it>
We believe that the bug you reported is fixed in the latest version of
memtest86+, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1003906@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Fabio Fantoni <fantonifabio@tiscali.it> (supplier of updated memtest86+ package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 18 Jan 2022 18:30:04 +0100
Source: memtest86+
Architecture: source
Version: 5.31b+dfsg-2
Distribution: experimental
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Fabio Fantoni <fantonifabio@tiscali.it>
Closes: 1003906
Changes:
memtest86+ (5.31b+dfsg-2) experimental; urgency=medium
.
* QA upload.
* d/patches/dmi-more-ram-slots-and-buffer-overflow-fix.patch:
prevent crash for buffer overflow in DMI memory and increase
supported memory devices from 16 to 128 (Closes: #1003906)
Thanks to Lionel Debroux
--- End Message ---