INTEL-SA-00075-Discovery-Tool.c defines amt_code_versions as:
    struct amt_code_versions {
        uint8_t bios[AMT_BIOS_VERSION_LEN];
        uint32_t count;
        struct amt_version_type versions[AMT_VERSIONS_NUMBER];
    } __attribute__((packed));
where AMT_VERSIONS_NUMBER is set to 50. Where does this value come from? Can we really have 50 different versions for a piece of AMT code?
Furthermore, we have the following:
    struct amt_host_if_resp_header {
        struct amt_host_if_msg_header header;
        uint32_t status;
        unsigned char data[0];
    } __attribute__((packed));
Then, amt_host_if_call allocates acmd->mei_cl.buf_size bytes for what ends up being cast to an amt_host_if_resp_header. amt_get_code_versions ends up doing:
    memcpy(versions, response->data, sizeof(struct amt_code_versions));
which looks like it's copying a huge number of bytes from the response buffer. Shouldn't that be copying just acmd->mei_cl.buf_size bytes? In any case, this all seems to work, since otherwise the check for
    response_size != (resp_hdr->length + sizeof(struct amt_host_if_msg_header))
in amt_verify_response_header would fail.
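An added example, not code from INTEL-SA-00075-Discovery-Tool.c or from Intel, showing the difference between the two checks the post mentions: the response_size == resp_hdr->length + sizeof(header) comparison only proves that the header is consistent with the number of bytes the driver returned; it says nothing about whether those bytes cover sizeof(struct amt_code_versions), which is what the memcpy reads unconditionally. The parser below (amt_copy_code_versions, build_response and run_case are names chosen here) adds the missing payload-size check and a sanity check on the firmware-supplied count. The two structs quoted in the post are reproduced as-is; AMT_BIOS_VERSION_LEN, AMT_UNICODE_STRING_LEN, amt_version_type and the amt_host_if_msg_header layout are not on the page and are assumed (they follow the layout in Linux's samples/mei/mei-amt-version.c). The responses it parses are constructed in build_response, not captured from real firmware.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Structs quoted in the post plus what they depend on. The *_LEN values, the
 * version entry and the message header layout are not on the page and are
 * assumed here (they follow Linux's samples/mei/mei-amt-version.c). */
#define AMT_BIOS_VERSION_LEN   65
#define AMT_UNICODE_STRING_LEN 20
#define AMT_VERSIONS_NUMBER    50

struct amt_unicode_string { uint16_t length; char string[AMT_UNICODE_STRING_LEN]; } __attribute__((packed));
struct amt_version_type { struct amt_unicode_string description, version; } __attribute__((packed));

struct amt_code_versions {
    uint8_t bios[AMT_BIOS_VERSION_LEN];
    uint32_t count;
    struct amt_version_type versions[AMT_VERSIONS_NUMBER];
} __attribute__((packed));

struct amt_host_if_msg_header {
    uint8_t version_major, version_minor;
    uint16_t _reserved;
    uint32_t command, length;        /* length: bytes that follow this header */
} __attribute__((packed));

struct amt_host_if_resp_header {
    struct amt_host_if_msg_header header;
    uint32_t status;
    unsigned char data[];            /* payload: amt_code_versions here */
} __attribute__((packed));

enum { AMT_OK = 0, AMT_ERR_SHORT = -1, AMT_ERR_LENGTH = -2, AMT_ERR_STATUS = -3,
       AMT_ERR_PAYLOAD = -4, AMT_ERR_COUNT = -5 };

/* Bounds-checked replacement for the unconditional memcpy(). resp_size is the
 * number of bytes the driver actually returned, not any struct size. */
int amt_copy_code_versions(const unsigned char *resp, size_t resp_size,
                           struct amt_code_versions *out)
{
    struct amt_host_if_resp_header hdr;
    if (resp_size < sizeof(hdr))                  /* header + status present? */
        return AMT_ERR_SHORT;
    memcpy(&hdr, resp, sizeof(hdr));              /* packed: copy, don't alias */
    /* What amt_verify_response_header checks: declared length matches bytes
     * received. It says nothing about payload vs sizeof(struct amt_code_versions). */
    if ((size_t)hdr.header.length + sizeof(hdr.header) != resp_size)
        return AMT_ERR_LENGTH;
    if (hdr.status != 0)
        return AMT_ERR_STATUS;
    /* The missing check: never read past the bytes actually received. */
    if (resp_size - sizeof(hdr) < sizeof(*out))
        return AMT_ERR_PAYLOAD;
    memcpy(out, resp + sizeof(hdr), sizeof(*out));
    /* count is firmware-controlled; reject it before anything indexes versions[]. */
    if (out->count > AMT_VERSIONS_NUMBER)
        return AMT_ERR_COUNT;
    return AMT_OK;
}

/* Constructed response (not real firmware output): a well-formed header
 * followed by payload_len zero bytes, with `count` stored at its offset. */
static size_t build_response(unsigned char *buf, size_t buf_len,
                             size_t payload_len, uint32_t count)
{
    struct amt_host_if_resp_header hdr = {0};
    size_t total = sizeof(hdr) + payload_len;
    if (total > buf_len) return 0;
    hdr.header.version_major = hdr.header.version_minor = 1;   /* command id left 0 */
    hdr.header.length = (uint32_t)(sizeof(hdr.status) + payload_len);
    memset(buf, 0, total);
    memcpy(buf, &hdr, sizeof(hdr));
    if (payload_len >= sizeof(struct amt_code_versions))
        memcpy(buf + sizeof(hdr) + offsetof(struct amt_code_versions, count),
               &count, sizeof(count));
    return total;
}

/* One case: build a response, optionally hand the parser `truncate` bytes
 * fewer than the header declares (a short read), and return the verdict. */
int run_case(size_t payload_len, uint32_t count, size_t truncate)
{
    static unsigned char buf[sizeof(struct amt_host_if_resp_header) +
                             sizeof(struct amt_code_versions)];
    struct amt_code_versions v;
    size_t n = build_response(buf, sizeof buf, payload_len, count);
    if (n == 0 || truncate > n)
        return -99;
    return amt_copy_code_versions(buf, n - truncate, &v);
}

int main(void)
{
    size_t full = sizeof(struct amt_code_versions);
    printf("full: %d  16-byte payload: %d  short read: %d  count 51: %d\n",
           run_case(full, 3, 0), run_case(16, 0, 0), run_case(full, 3, 8),
           run_case(full, AMT_VERSIONS_NUMBER + 1, 0));
    return 0;
}
```

The 16-byte-payload case is the one the post is worried about: the header is self-consistent, so the length comparison passes, yet the tool's memcpy would read sizeof(struct amt_code_versions) bytes (2269 with the assumed sizes) from a buffer that only holds 16 bytes of payload after the 16-byte header. Whether that is exploitable in the real tool depends on how large acmd->mei_cl.buf_size is relative to the struct, which is exactly the question being raised.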