On Sat, 19 Jan 2019, Scott Bauer wrote:
On Thu, Jan 17, 2019 at 09:31:51PM +0000, David Kozub wrote:
+static int write_shadow_mbr(struct opal_dev *dev, void *data)
+{
+ struct opal_shadow_mbr *shadow = data;
+ const u8 __user *src;
+ u8 *dst;
+ size_t off = 0;
+ u64 len;
+ int err = 0;
+
+ /* do the actual transmission(s) */
+ src = (u8 *) shadow->data;
+ while (off < shadow->size) {
+ err = cmd_start(dev, opaluid[OPAL_MBR], opalmethod[OPAL_SET]);
+ add_token_u8(&err, dev, OPAL_STARTNAME);
+ add_token_u8(&err, dev, OPAL_WHERE);
+ add_token_u64(&err, dev, shadow->offset + off);
+ add_token_u8(&err, dev, OPAL_ENDNAME);
+
+ add_token_u8(&err, dev, OPAL_STARTNAME);
+ add_token_u8(&err, dev, OPAL_VALUES);
+
+ /*
+ * The bytestring header is either 1 or 2 bytes, so assume 2.
+ * There also needs to be enough space to accommodate the
+ * trailing OPAL_ENDNAME (1 byte) and tokens added by
+ * cmd_finalize.
+ */
+ len = min(remaining_size(dev) - (2+1+CMD_FINALIZE_BYTES_NEEDED),
+ (size_t)(shadow->size - off));
What if remaining_size(dev) < 2 + 1 + CMD_FINALIZE_BYTES_NEEDED? If that's
possible we
get min(UINT_MAX(ish) , some size larger than our remaining buffer) and that's
not good.
This is only possible for uselessly small values of IO_BUFFER_LENGTH,
which is a compile-time value. Originally I thought it's OK as nobody
would set the value so low. But on a second thought, after reading your
comment, I think that even if IO_BUFFER_LENGTH was set to such a value,
the code should fail gracefully.
So I will change it into:
while (off < shadow->size) {
/*
* Number of bytes needed in the cmd buffer to terminate the
* write shadow mbr command.
*
* The bytestring header is either 1 or 2 bytes, so assume 2.
* There also needs to be enough space to accommodate the
* trailing OPAL_ENDNAME (1 byte) and tokens added by
* cmd_finalize.
*/
const size_t write_shadow_mbr_footer_size =
2 + 1 + CMD_FINALIZE_BYTES_NEEDED;
err = cmd_start(dev, opaluid[OPAL_MBR], opalmethod[OPAL_SET]);
add_token_u8(&err, dev, OPAL_STARTNAME);
add_token_u8(&err, dev, OPAL_WHERE);
add_token_u64(&err, dev, shadow->offset + off);
add_token_u8(&err, dev, OPAL_ENDNAME);
add_token_u8(&err, dev, OPAL_STARTNAME);
add_token_u8(&err, dev, OPAL_VALUES);
if (!can_add(&err, dev, write_shadow_mbr_footer_size))
break;
len = min(remaining_size(dev) - write_shadow_mbr_footer_size,
(size_t)(shadow->size - off));
pr_debug("MBR: write bytes %zu+%llu/%llu\n",
off, len, shadow->size);
Please let me know if you would prefer a different solution.
Best regards,
David
