diff options
author | Jean Delvare <jdelvare@suse.de> | 2023-03-10 15:12:56 +0100 |
---|---|---|
committer | Jean Delvare <jdelvare@suse.de> | 2023-03-10 15:15:19 +0100 |
commit | 189ca352e9341778c21e95c27817574b2876ede7 (patch) | |
tree | fdb25fd1368ce81e1cd328a72c1af0f1beefb295 | |
parent | 8427888ccf068f2ae1105e0c9276a15191a16ee5 (diff) | |
download | dmidecode-git-189ca352e9341778c21e95c27817574b2876ede7.tar.gz |
Ensure /dev/mem is a character device file
While option --dev-mem can be convenient for testing purposes, it
could be abused by attackers to force dmidecode to read a malicious
file. Add a safety check on the type of the mem device file we are
asked to read from. If we are root and this isn't a character device
file, then something is fishy and we better stop.
For non-root users, reading from a regular file is OK and accepted.
Signed-off-by: Jean Delvare <jdelvare@suse.de>
-rw-r--r-- | util.c | 25 |
1 files changed, 13 insertions, 12 deletions
@@ -173,18 +173,26 @@ static void safe_memcpy(void *dest, const void *src, size_t n) */ void *mem_chunk(off_t base, size_t len, const char *devmem) { - void *p; + struct stat statbuf; + void *p = NULL; int fd; #ifdef USE_MMAP - struct stat statbuf; off_t mmoffset; void *mmp; #endif - if ((fd = open(devmem, O_RDONLY)) == -1) + /* + * Safety check: if running as root, devmem is expected to be a + * character device file. + */ + if ((fd = open(devmem, O_RDONLY)) == -1 + || fstat(fd, &statbuf) == -1 + || (geteuid() == 0 && !S_ISCHR(statbuf.st_mode))) { - perror(devmem); - return NULL; + fprintf(stderr, "Can't read memory from %s\n", devmem); + if (fd == -1) + return NULL; + goto out; } if ((p = malloc(len)) == NULL) @@ -194,13 +202,6 @@ void *mem_chunk(off_t base, size_t len, const char *devmem) } #ifdef USE_MMAP - if (fstat(fd, &statbuf) == -1) - { - fprintf(stderr, "%s: ", devmem); - perror("stat"); - goto err_free; - } - /* * mmap() will fail with SIGBUS if trying to map beyond the end of * the file. |