[PATCH] amd64: validate SMBIOS entry point length before checksum
Hi,

The current smbios_find() code trusts hdr->len from firmware when computing the SMBIOS entry point checksum. A malformed entry point could provide an excessive length, causing the checksum loop to read beyond the actual entry point.

This change validates hdr->len against the SMBIOS specification limits before computing the checksum, without changing behaviour for valid firmware.

Thanks,
'benfector'

diff --git a/sys/arch/amd64/amd64/bios.c b/sys/arch/amd64/amd64/bios.c index 3b0fa203b9b..03c9a96b274 100644 --- a/sys/arch/amd64/amd64/bios.c +++ b/sys/arch/amd64/amd64/bios.c @@ -249,9 +249,11 @@ smbios_find(uint8_t *p) if (hdr->sig != SMBIOS_SIGNATURE) return (NULL); - i = hdr->len; - for (chksum = 0; i--; chksum += p[i]) - ; + /* SMBIOS entry point length is at most 0x40 bytes */ + if (hdr->len < sizeof(*hdr) || hdr->len > 0x40) + return (NULL); + for (chksum = 0, i = 0; i < hdr->len; i++) + chksum += p[i]; if (chksum != 0) return (NULL); p += 0x10;
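Review bot: the upper bound in `if (hdr->len < sizeof(*hdr) || hdr->len > 0x40)` is not supported by the comment above it: the SMBIOS specification fixes the 32-bit `_SM_` entry point structure at 0x1F bytes, so "at most 0x40 bytes" is over twice the documented size and the comment should say where that figure comes from, or the bound should be tightened to the spec value. Note also that the check bounds the loop only relative to p, not relative to the end of the region p lies in; unless every caller guarantees 0x40 readable bytes past each candidate, the checksum loop can still read past the scanned region, and that assumption belongs in the comment. Since `p += 0x10` shows that `*hdr` spans the intermediate `_DMI_` section, the lower bound `sizeof(*hdr)` will now reject firmware whose len field is shorter than the full structure; please confirm this is consistent with the cover letter's claim of no behaviour change for valid firmware. Finally, turning the countdown loop into a count-up loop is unrelated to the fix; keeping the original `for (chksum = 0; i--; chksum += p[i])` and only inserting the length check in front of it would make the diff smaller and easier to review.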
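As an added example (not code from this patch, from OpenBSD's bios.c, or from its author), the following stand-alone C program shows the same length-before-checksum validation written against the SMBIOS 2.x 32-bit entry point layout, exercised on a constructed entry point rather than real firmware. It goes a little beyond the patch: it uses the specification's fixed 0x1F length as the upper bound instead of 0x40, also verifies the intermediate `_DMI_` anchor checksum, and bounds the firmware-supplied length against the bytes actually available at the candidate (the `avail` parameter), so the checksum loop can never run past the scanned region. The names `smbios_eps`, `smbios_eps_valid`, `smbios_scan`, `build_eps` and `scenario`, and all field values, are this example's own assumptions, not the kernel's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SMBIOS 2.x 32-bit entry point ("_SM_"), as laid out in memory; sizeof == 0x1F. */
struct smbios_eps {
	uint8_t  anchor[4];	/* "_SM_" */
	uint8_t  checksum;	/* bytes [0, len) sum to zero */
	uint8_t  len;		/* entry point length, 0x1F per spec */
	uint8_t  major, minor;
	uint16_t max_size;
	uint8_t  rev, formatted[5];
	uint8_t  dmi_anchor[5];	/* "_DMI_" */
	uint8_t  dmi_checksum;	/* bytes [0x10, 0x1F) sum to zero */
	uint16_t table_len;
	uint32_t table_addr;
	uint16_t count;
	uint8_t  bcd_rev;
} __attribute__((packed));

#define SMBIOS_EPS_MAX_LEN	0x1F	/* spec value; tighter than the patch's 0x40 */

static uint8_t
sum_bytes(const uint8_t *p, size_t n)
{
	uint8_t s = 0;

	while (n--)
		s += p[n];
	return s;
}

/*
 * Validate a candidate entry point at p.  avail is the number of bytes that may
 * legally be read from p onward; the firmware-supplied len is checked against
 * the structure size, the spec maximum and avail before it drives any read.
 * Returns 1 if valid, 0 otherwise.
 */
int
smbios_eps_valid(const uint8_t *p, size_t avail)
{
	const struct smbios_eps *eps = (const struct smbios_eps *)p;

	if (avail < sizeof(*eps) || memcmp(eps->anchor, "_SM_", 4) != 0)
		return 0;
	if ((size_t)eps->len < sizeof(*eps) || eps->len > SMBIOS_EPS_MAX_LEN ||
	    (size_t)eps->len > avail)
		return 0;
	if (sum_bytes(p, eps->len) != 0)
		return 0;
	/* The intermediate anchor has its own checksum over 0x0F bytes. */
	if (memcmp(eps->dmi_anchor, "_DMI_", 5) != 0 ||
	    sum_bytes(p + 0x10, 0x0F) != 0)
		return 0;
	return 1;
}

/* Scan on 16-byte boundaries; return offset of the first valid entry point or -1. */
long
smbios_scan(const uint8_t *region, size_t size)
{
	size_t off;

	for (off = 0; off + sizeof(struct smbios_eps) <= size; off += 16)
		if (smbios_eps_valid(region + off, size - off))
			return (long)off;
	return -1;
}

/* Build a constructed (not real firmware) entry point with the given len field. */
void
build_eps(uint8_t *buf, uint8_t len_field)
{
	struct smbios_eps *eps = (struct smbios_eps *)buf;

	memset(buf, 0, sizeof(*eps));
	memcpy(eps->anchor, "_SM_", 4);
	eps->len = len_field;		/* honest firmware writes 0x1F here */
	eps->major = 2;
	eps->minor = 8;
	eps->max_size = 0x100;
	memcpy(eps->dmi_anchor, "_DMI_", 5);
	eps->table_len = 0x400;
	eps->table_addr = 0x000F0400;	/* assumed table address */
	eps->count = 10;
	eps->bcd_rev = 0x28;
	eps->dmi_checksum = (uint8_t)(0 - sum_bytes(buf + 0x10, 0x0F));
	eps->checksum = (uint8_t)(0 - sum_bytes(buf, sizeof(*eps)));
}

/*
 * Place one constructed entry point at 'place' in a zeroed 0x100-byte region,
 * optionally corrupt a checksummed byte, and scan the first scan_size bytes.
 */
long
scenario(uint8_t len_field, size_t place, size_t scan_size, int corrupt)
{
	uint8_t region[0x100];

	memset(region, 0, sizeof(region));
	build_eps(region + place, len_field);
	if (corrupt)
		region[place + 8] ^= 1;	/* max_size low byte, inside the checksum */
	return smbios_scan(region, scan_size);
}

int
main(void)
{
	printf("well-formed:        %ld\n", scenario(0x1F, 0x40, 0x100, 0));
	printf("len 0xFF (hostile): %ld\n", scenario(0xFF, 0x40, 0x100, 0));
	printf("len 0x1E (short):   %ld\n", scenario(0x1E, 0x40, 0x100, 0));
	printf("bad checksum:       %ld\n", scenario(0x1F, 0x40, 0x100, 1));
	printf("past region end:    %ld\n", scenario(0x1F, 0xE0, 0xF0, 0));
	return 0;
}
```

The hostile case is the one the patch is about: with len set to 0xFF, the unbounded loop in the old code would sum 255 bytes starting at the candidate; here the length check rejects it before any byte beyond the anchor is read. The last case shows why the bound should also be relative to the region: an entry point with a perfectly valid 0x1F length that starts closer than 0x1F bytes to the end of the scanned window is skipped rather than read past the end.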