On Thu, Jan 17, 2019 at 09:31:51PM +0000, David Kozub wrote: > +static int write_shadow_mbr(struct opal_dev *dev, void *data) > +{ > + struct opal_shadow_mbr *shadow = data; > + const u8 __user *src; > + u8 *dst; > + size_t off = 0; > + u64 len; > + int err = 0; > + > + /* do the actual transmission(s) */ > + src = (u8 *) shadow->data; > + while (off < shadow->size) { > + err = cmd_start(dev, opaluid[OPAL_MBR], opalmethod[OPAL_SET]); > + add_token_u8(&err, dev, OPAL_STARTNAME); > + add_token_u8(&err, dev, OPAL_WHERE); > + add_token_u64(&err, dev, shadow->offset + off); > + add_token_u8(&err, dev, OPAL_ENDNAME); > + > + add_token_u8(&err, dev, OPAL_STARTNAME); > + add_token_u8(&err, dev, OPAL_VALUES); > + > + /* > + * The bytestring header is either 1 or 2 bytes, so assume 2. > + * There also needs to be enough space to accommodate the > + * trailing OPAL_ENDNAME (1 byte) and tokens added by > + * cmd_finalize. > + */ > + len = min(remaining_size(dev) - (2+1+CMD_FINALIZE_BYTES_NEEDED), > + (size_t)(shadow->size - off));
What if remaining_size(dev) < 2 + 1 + CMD_FINALIZE_BYTES_NEEDED? If that's possible we get min(UINT_MAX(ish) , some size larger than our remaining buffer) and that's not good. > + pr_debug("MBR: write bytes %zu+%llu/%llu\n", > + off, len, shadow->size); > + > + dst = add_bytestring_header(&err, dev, len); > + if (!dst) > + break; > + if (copy_from_user(dst, src + off, len)) > + err = -EFAULT; > -- > 2.20.1 > >