Re: [PATCH v2 11/16] block: sed-opal: ioctl for writing to shadow mbr

From: David Kozub <zub@linux.fjfi.cvut.cz>
To: Scott Bauer <sbauer@plzdonthack.me>
Cc: linux-kernel@vger.kernel.org, axboe@kernel.dk, hch@infradead.org,
	jonathan.derrick@intel.com
Subject: Re: [PATCH v2 11/16] block: sed-opal: ioctl for writing to shadow mbr
Date: Sun, 20 Jan 2019 11:27:30 +0100 (CET)	[thread overview]
Message-ID: <alpine.LRH.2.21.1901201045280.4278@linux.fjfi.cvut.cz> (raw)
In-Reply-To: <20190119171550.GB12171@hacktheplanet>

On Sat, 19 Jan 2019, Scott Bauer wrote:

> On Thu, Jan 17, 2019 at 09:31:51PM +0000, David Kozub wrote:
>
>> +static int write_shadow_mbr(struct opal_dev *dev, void *data)
>> +{
>> +	struct opal_shadow_mbr *shadow = data;
>> +	const u8 __user *src;
>> +	u8 *dst;
>> +	size_t off = 0;
>> +	u64 len;
>> +	int err = 0;
>> +
>> +	/* do the actual transmission(s) */
>> +	src = (u8 *) shadow->data;
>> +	while (off < shadow->size) {
>> +		err = cmd_start(dev, opaluid[OPAL_MBR], opalmethod[OPAL_SET]);
>> +		add_token_u8(&err, dev, OPAL_STARTNAME);
>> +		add_token_u8(&err, dev, OPAL_WHERE);
>> +		add_token_u64(&err, dev, shadow->offset + off);
>> +		add_token_u8(&err, dev, OPAL_ENDNAME);
>> +
>> +		add_token_u8(&err, dev, OPAL_STARTNAME);
>> +		add_token_u8(&err, dev, OPAL_VALUES);
>> +
>> +		/*
>> +		 * The bytestring header is either 1 or 2 bytes, so assume 2.
>> +		 * There also needs to be enough space to accommodate the
>> +		 * trailing OPAL_ENDNAME (1 byte) and tokens added by
>> +		 * cmd_finalize.
>> +		 */
>> +		len = min(remaining_size(dev) - (2+1+CMD_FINALIZE_BYTES_NEEDED),
>> +			  (size_t)(shadow->size - off));
>
> What if remaining_size(dev) <  2 + 1 + CMD_FINALIZE_BYTES_NEEDED? If that's possible we
> get min(UINT_MAX(ish) , some size larger than our remaining buffer) and that's not good.

This is only possible for uselessly small values of IO_BUFFER_LENGTH, 
which is a compile-time value. Originally I thought it's OK as nobody 
would set the value so low. But on a second thought, after reading your 
comment, I think that even if IO_BUFFER_LENGTH was set to such a value, 
the code should fail gracefully.

So I will change it into:

while (off < shadow->size) {
 	/*
 	 * Number of bytes needed in the cmd buffer to terminate the
 	 * write shadow mbr command.
 	 *
 	 * The bytestring header is either 1 or 2 bytes, so assume 2.
 	 * There also needs to be enough space to accommodate the
 	 * trailing OPAL_ENDNAME (1 byte) and tokens added by
 	 * cmd_finalize.
 	 */
 	const size_t write_shadow_mbr_footer_size =
 		2 + 1 + CMD_FINALIZE_BYTES_NEEDED;

 	err = cmd_start(dev, opaluid[OPAL_MBR], opalmethod[OPAL_SET]);
 	add_token_u8(&err, dev, OPAL_STARTNAME);
 	add_token_u8(&err, dev, OPAL_WHERE);
 	add_token_u64(&err, dev, shadow->offset + off);
 	add_token_u8(&err, dev, OPAL_ENDNAME);

 	add_token_u8(&err, dev, OPAL_STARTNAME);
 	add_token_u8(&err, dev, OPAL_VALUES);

 	if (!can_add(&err, dev, write_shadow_mbr_footer_size))
 		break;
 	len = min(remaining_size(dev) - write_shadow_mbr_footer_size,
 		  (size_t)(shadow->size - off));
 	pr_debug("MBR: write bytes %zu+%llu/%llu\n",
 		 off, len, shadow->size);

Please let me know if you would prefer a different solution.

Best regards,
David