From 64fc51a9cf71b2308399b7b7dee8a9bc9468877b Mon Sep 17 00:00:00 2001 From: Olivier Certner Date: Fri, 7 Mar 2025 14:32:24 +0100 Subject: [PATCH] libsa: smbios: Reject a 64-bit entry point with revision 0 According to the specification, such an entry point may have different data in bytes at offsets 0x0c to 0x17 (included). In such a case, interpreting them as the Structure Table Maximum Size and Address fields could have catastrophic consequences. Reviewed by: imp, markj MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D49286
---
 stand/libsa/smbios.c | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/stand/libsa/smbios.c b/stand/libsa/smbios.c
index 50cab3eee93..4deea4f31b1 100644
--- a/stand/libsa/smbios.c
+++ b/stand/libsa/smbios.c
@@ -193,6 +193,13 @@ smbios_sigsearch(const caddr_t addr, const uint32_t len)
 #ifdef SMBIOS_64BIT_EP
 /* v3.0, 64-bit Entry point */
 if (strncmp(cp, SMBIOS3_SIG, sizeof(SMBIOS3_SIG) - 1) == 0 &&
+ /*
+ * The specification only guarantees the presence of the
+ * Structure Table Maximum Size and Address Entry fields at
+ * offsets 0x0c and 0x10 if the Entry Point Revision is not
+ * 0.
+ */
+ SMBIOS_GET8(cp, 0x0a) != 0 &&
 smbios_checksum(cp, SMBIOS_GET8(cp, 0x06)) == 0) {
 smbios.is_64bit_ep = 1;
 return (cp);
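Review bot: The length byte read by `SMBIOS_GET8(cp, 0x06)` is still handed to smbios_checksum() with no lower bound, so a candidate that declares a length below 0x18 can pass the new revision test with a checksum that does not cover offsets 0x0c to 0x17. According to the commit message, those are the bytes later interpreted as the Structure Table Maximum Size and Address. Unless the length is validated somewhere outside this hunk, consider adding `SMBIOS_GET8(cp, 0x06) >= 0x18 &&` ahead of the checksum call so that only a fully checksummed entry point is accepted. The bare offsets `0x06` and `0x0a` would also be easier to audit as named constants. The enclosing `if` block and smbios_sigsearch() continue past the end of the hunk.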