[PATCH v2] smbios: Add an explicit bounds check for Type 9 length

Ilias Apalodimas ilias.apalodimas at linaro.org
Thu Apr 23 10:57:50 CEST 2026


Thanks Raymond,

On Wed, 22 Apr 2026 at 22:38, Raymond Mao <raymondmaoca at gmail.com> wrote:
>
> From: Raymond Mao <raymond.mao at riscstar.com>
>
> Fix Coverity Scan defect on Type 9 length.
> Type 9 formatted length is built dynamically from peer_grouping_count.
> Although peer_grouping_count is a byte, the resulting formatted area
> still must fit in the SMBIOS header length field (u8).
> Add an explicit bounds check before extending len, so the size used by
> map_sysmem() and memset() is guaranteed to be valid and consistent
> with hdr.length.
>
> Fixes: a8442c226635 ("smbios: add support for dynamic generation of Type 9 system slot tables")
> Addresses-Coverity-ID: CID 645487: Insecure data handling (TAINTED_SCALAR)
> Signed-off-by: Raymond Mao <raymond.mao at riscstar.com>
> ---

Reviewed-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>


> Changes in v2:
> - return len 0 for errors to align with the existing convention of the
>   file.
>
>  lib/smbios.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/lib/smbios.c b/lib/smbios.c
> index d5f18c8bd69..fdab5948aad 100644
> --- a/lib/smbios.c
> +++ b/lib/smbios.c
> @@ -1093,6 +1093,9 @@ static int smbios_write_type9_1slot(ulong *current, int handle,
>          * TODO:
>          * peer_groups = <peer_grouping_count> * SMBIOS_TYPE9_PGROUP_SIZE
>          */
> +       if (len + pgroups_size > U8_MAX)
> +               return 0;
> +
>         len += pgroups_size;
>
>         t = map_sysmem(*current, len);
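
Review bot: The early `return 0` at the new `len + pgroups_size > U8_MAX` check fails without any trace, so a slot table that is skipped for this reason looks the same as any other zero-length result. A debug-level log message naming the computed length would make the condition diagnosable. The check also sits directly under the TODO comment about peer_groups, so a one-line comment stating that the total formatted length must fit the u8 hdr.length field would keep the reason for the limit next to the code.
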
> --
> 2.25.1
>

