Partial fix for CVE-2020-5208, see
https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
The `read_fru_area_section` function only performs size validation of
requested read size, and falsely assumes that the IPMI message will not
respond with more than the requested amount of data; it uses the
unvalidated response size to copy into `frubuf`. If the response is
larger than the request, this can result in overflowing the buffer.
The same issue affects the `read_fru_area` function.
Fix ipmitool not writing the last block of boot mailbox data if the
block is shorter than 3 bytes.
Signed-off-by: Ivan Mikhaylov <fr0st61te@gmail.com>
Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
For parameter checking replace calls to strncmp() with calls
to strcmp() in order to improve readability and get rid of literal
string lengths.
Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
* Get rid of magic '8' in bootdev options processing.
* Optimize the code of bootdev arguments processing, remove the
special crafting of flags for 'clear-cmos' argument, make it use
the same code as other options.
Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
There was a wrong help message regarding the console redirection,
and also the help formatting was a bit off. Straightened this all up.
Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
Refactor the boot flags decoder:
* Add macros for boot flag bits, replace magic numbers in
the `chassis bootparam get 5` and in `chassis bootdev`
handlers.
The macros are prefixed with BFx_ where x stands for the
boot flags data byte as per IPMI 2.0 specification Table 28-14;
* Add decoding of remote/redirected media boot flags;
* Remove erroneous decoding of boot flags byte 3 bit 1 as
Sleep button lockout whereas the bit is a part of console
redirection setting;
* Fix console redirection settings reported under the 'BIOS verbosity'
header and vice versa;
* Fix resetting of all other boot flags in the data byte when
setting any of the bits in the same byte. This fixes inability
to set both 'efiboot' and 'persistent' bits at the same time,
and other similar cases.
Resolvesipmitool/ipmitool#163
Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
ftp://ftp.supermicro.com/utility/IPMICFG/IPMICFG_1.30.0_build.190710.zip
contains MBType.dat file that lists all known Supermicro product IDs
with their respective names.
Import that knowledge into ipmitool.
Resolvesipmitool/ipmitool#151
Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
Commit 6e2b688e introduced a bug due to which VLAN id range checking
was negated and resulted in error messages printed for correct VLAN ids.
Resolvesipmitool/ipmitool#55
Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
No longer truncate passwords (16 < p <= 20) silently, instead attempt
to set a 20-char password when such a password is given.
Fail if an explicit length is exceeded, and any time the upper limit
is exceeded.
ipmi_intf.h was missing a couple of declarations for the functions
used by fru, sdr and hpmfwupg modules. Add those declarations
to ipmi_intf.h and remove local declarations.
This fixes a couple of compilation warnings.
Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
The ipmi_event_fromfile() function was massively repeating the code of
ipmi_send_platform_event() and ipmi_event_msg_print().
This commit cleans up ipmi_event_fromfile() to simply call
ipmi_send_platform_event() with all the prepared data read from the
file. That function in its turn calls ipmi_event_msg_print().
This commit also replaces the dummy generator ID 2 that was printed to
the user with a more relevant generator ID that will actually be sent
by ipmi_send_platform_event().
Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
IPMI 2.0 specification is quite inconsistent about system interfaces.
They have section 1.7.16 "System Interfaces" that clearly states that
there are FOUR system interfaces (KCS, SMIC, BT and SSIF), but then they
have section 1.7.31 saying that "It is mandatory to implement a system
interface that is compatible with one of the **three** specified system
interfaces" without specifying which three of the four interfaces are
meant. Then in section 6 "IPMI Messaging interfaces" they again say that
"As mentioned earlier, there are three System Interface implementations
specified for the BMC: SMIC, KCS, and BT". Is all looks like during
update from 1.5 to 2.0 they have updated section 1.7.16, but forgot to
update Table 6-3, section 1.7.31 and section 6. Yet again, there is 'Get
System Interface Capabilities' command that has a parameter 'System
Interface Type' that can specify that SI is of SSIF type.
All that have lead to a situation where some BMC manufacturers treated
the specification as if it prohibited specifying media type 0xC
(which is "System Interface") for system interfaces using SSIF
(SMBus Sustem Interface), and so they specified an SMBUS media type
for their system interface channels.
As a result, ipmitool failed to properly send event data via such
system interfaces as it treated them as non-system and didn't add
the required Generator ID.
To mitigate the inconsistency of IPMI specification and yet not
ask BMC manufacturers to alter their code, thus increasing compatibility
with legacy BMCs, this commit adds checking of current interface number.
The system interface, according to Table 6-1 of IPMI Specification is
required to have channel number 15 (0Fh). So with this commit the
generator ID is added for any interfaces that are either marked
as media type 0Ch 'System Interface' or have channel number 0Fh.
Resolvesipmitool/ipmitool#111
Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
If a manufacturer's IANA PEN (aka manufacturer ID) was above
65535, it wasn't reported properly. Luckily there are no such
IDs so far, the biggest is 54077 as of 2019/06/18.
There is, however, an ID 0xFFFFFE used by fake_ipmistack
for debug purposes, and it was not reported correctly.
This commit expands the value argument to string searching functions
from 16-bit to 32-bit to allow for any possible IANA PEN.
Fixes: 73d6af57827fc85e78c700ca1dff00b3dbc63948
Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
Add support for IANADIR and IANAUSERDIR variables to configure
to allow for customizable locations of system and user-supplied
IANA PEN registry.
Also make path building code portable to Windows.
Partially resolvesipmitool/ipmitool#11
Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
Previously, the OEM names dictionary was compiled in and
updating it required rebuilding of `ipmitool`, thus taking a
long time for newly registered OEMs to get supported by the tool.
Building also required a direct internet connection to succeed.
With this commit, the OEM enterprise dictionary is now loaded from
either ${HOME}/.local/usr/share/misc/enterprise-numbers or from
/usr/share/misc/enterprise-numbers (in that precedence).
Those files can be downloaded from iana.org at
http://www.iana.org/assignments/enterprise-numbers
Partially resolvesipmitool/ipmitool#11
Fixes: 9d41136c9b7c7d392f1a3f3adeb6d7fe3bd3135e
Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
Renamed the oem strings containing Newisys to Viking Enterprise Solutions.
IANA 9237
Built and tested with AMI's IPMI stack LTS 12.01.
Resolvesipmitool/ipmitool#124
Signed-off-by: dan mcgee <dan.mcgee@vikingenterprise.com>
Signed-off-by: dan mcgee <dan.mcgee@sanmina.com>
Add `chassis bootmbox` command to set and get Boot Initiator Mailbox
boot parameter (id 7) the easy way. The command allows for getting
and setting the data both in hex and text modes, as well as properly
decodes IANA Enterprise number for block 0. It can get/set the whole
mailbox at once or operate on separate data blocks.
This commit enhances the chassis_get_boot_param() function with extra
arguments to re-use its code in handling of the added command.
Documentation update will follow.
Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
Get/set system boot option commands have some command-specific
completion codes that are now reported as "Unknown (0080)", etc.
Use the previously introduced specific_val2str() to convert those
specific error codes to human-readable strings.
Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
Some commands may return command-specific completion codes.
Now they are all reported as 'Unknown'.
Add helper functions to support such command-specific codes.
Command handlers will need to define their own valstr arrays
with completion code descriptions and then use specific_val2str()
instead of generic val2str() to convert the completion code into
a string.
Also reduce code duplication in helper.c
Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
The function converts a set of command line arguments representing
byte values into a byte buffer and verifies each individual value
to be a valid data byte.
Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
On a failed download of the PEN list, the create_pen_list script
improperly printed an invalid entry of { , "" } causing the build to
fail. The last line print must check that it has something to print or
it will print the wrong thing.
Partially resolvesipmitool/ipmitool#11
Signed-off-by: Vernon Mauery <vernon.mauery@intel.com>
Move boot information acknowledgement clearing code into
a helper funcion, call it instead of copy-pasted code.
Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
Get rid of repeated code that sets the set-in-progress parameter.
Introduce chassis_bootparam_set_in_progress() function to do
the job.
Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
The program would crash if the BMC returned an out of range (>90)
unit type for a full sensor record. This commit adds a range check
and also add support for IPMI 2.0 additional unit types 91 and 92
("fatal error" and "grams").
Resolvesipmitool/ipmitool#118
Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
The endian.h header is not used for anything and was earlier
added by mistake. It however hampers building on some systems
where it doesn't exist.
Resolvesipmitool/ipmitool#101
Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
Swap calls to free() with calls to free_n() to leverage helper method
and handle clearing pointers after freeing in one step.
Signed-off-by: Patrick Venture <venture@google.com>
Check against FRU_AREA_MAXIMUM_BLOCK_SZ instead of FRU_BLOCK_SZ
when checking if the write chunk needs to be reduced.
Apparently, that was the original intention, and then there
was just a typo. In other places the same check is done properly.
Signed-off-by: Patrick Venture <venture@google.com>
Change ipmi_fru_query_new_value to return the bool type
instead of an int that's being used as a boolean value.
Signed-off-by: Patrick Venture <venture@google.com>
Add fru_cc_rq2big helper method to reduce duplicate
code checking for specific size-based IPMI response
codes.
Signed-off-by: Patrick Venture <venture@google.com>
Cleanup style in method ipmi_fru_oemkontron_get as well as add inverted
logic checks to reduce indentation.
Signed-off-by: Patrick Venture <venture@google.com>
Fixup the following array bounds checking bugs:
[lib/ipmi_fru.c:1003]: (style) Array index 'i' is
used before limits check.
[lib/ipmi_fru.c:1127]: (style) Array index 'i' is
used before limits check.
[lib/ipmi_fru.c:1262]: (style) Array index 'i' is
used before limits check.
Signed-off-by: Patrick Venture <venture@google.com>
