On Thu, Jan 17, 2019 at 09:31:51PM +0000, David Kozub wrote:
> +static int write_shadow_mbr(struct opal_dev *dev, void *data)
> +{
> + struct opal_shadow_mbr *shadow = data;
> + const u8 __user *src;
> + u8 *dst;
> + size_t off = 0;
> + u64 len;
> + int err = 0;
> +
> + /* do the actual transmission(s) */
> + src = (u8 *) shadow->data;
> + while (off < shadow->size) {
> + err = cmd_start(dev, opaluid[OPAL_MBR], opalmethod[OPAL_SET]);
> + add_token_u8(&err, dev, OPAL_STARTNAME);
> + add_token_u8(&err, dev, OPAL_WHERE);
> + add_token_u64(&err, dev, shadow->offset + off);
> + add_token_u8(&err, dev, OPAL_ENDNAME);
> +
> + add_token_u8(&err, dev, OPAL_STARTNAME);
> + add_token_u8(&err, dev, OPAL_VALUES);
> +
> + /*
> + * The bytestring header is either 1 or 2 bytes, so assume 2.
> + * There also needs to be enough space to accommodate the
> + * trailing OPAL_ENDNAME (1 byte) and tokens added by
> + * cmd_finalize.
> + */
> + len = min(remaining_size(dev) - (2+1+CMD_FINALIZE_BYTES_NEEDED),
> + (size_t)(shadow->size - off));
What if remaining_size(dev) < 2 + 1 + CMD_FINALIZE_BYTES_NEEDED? If that's
possible we
get min(UINT_MAX(ish) , some size larger than our remaining buffer) and that's
not good.
> + pr_debug("MBR: write bytes %zu+%llu/%llu\n",
> + off, len, shadow->size);
> +
> + dst = add_bytestring_header(&err, dev, len);
> + if (!dst)
> + break;
> + if (copy_from_user(dst, src + off, len))
> + err = -EFAULT;
> --
> 2.20.1
>
>
