File ensure-dev-mem-is-a-character-device-file.patch of Package dmidecode.28623

From: Jean Delvare <jdelvare@suse.de>
Date: Fri, 10 Mar 2023 15:12:56 +0100
Subject: Ensure /dev/mem is a character device file
Git-commit: 189ca352e9341778c21e95c27817574b2876ede7
Patch-mainline: 3.5
References: bsc#1210418 CVE-2023-30630

While option --dev-mem can be convenient for testing purposes, it
could be abused by attackers to force dmidecode to read a malicious
file. Add a safety check on the type of the mem device file we are
asked to read from. If we are root and this isn't a character device
file, then something is fishy and we better stop.

For non-root users, reading from a regular file is OK and accepted.

Signed-off-by: Jean Delvare <jdelvare@suse.de>
---
 util.c |   25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

--- a/util.c
+++ b/util.c
@@ -161,18 +161,26 @@ out:
  */
 void *mem_chunk(off_t base, size_t len, const char *devmem)
 {
-	void *p;
+	struct stat statbuf;
+	void *p = NULL;
 	int fd;
 #ifdef USE_MMAP
-	struct stat statbuf;
 	off_t mmoffset;
 	void *mmp;
 #endif
 
-	if ((fd = open(devmem, O_RDONLY)) == -1)
+	/*
+	 * Safety check: if running as root, devmem is expected to be a
+	 * character device file.
+	 */
+	if ((fd = open(devmem, O_RDONLY)) == -1
+	 || fstat(fd, &statbuf) == -1
+	 || (geteuid() == 0 && !S_ISCHR(statbuf.st_mode)))
 	{
-		perror(devmem);
-		return NULL;
+		fprintf(stderr, "Can't read memory from %s\n", devmem);
+		if (fd == -1)
+			return NULL;
+		goto out;
 	}
 
 	if ((p = malloc(len)) == NULL)
@@ -182,13 +190,6 @@ void *mem_chunk(off_t base, size_t len,
 	}
 
 #ifdef USE_MMAP
-	if (fstat(fd, &statbuf) == -1)
-	{
-		fprintf(stderr, "%s: ", devmem);
-		perror("stat");
-		goto err_free;
-	}
-
 	/*
 	 * mmap() will fail with SIGBUS if trying to map beyond the end of
 	 * the file.