Ship It!

usr/src/boot/sys/boot/efi/loader/copy.c (Diff revision 1)

Show all issues

Is it legal for dest to be UINT32_MAX? I'm just noticing that we used to check for an invalid value, so maybe that means it should be <=? I'm not sure if that'll still end up causing problems for the 32-bit build or not.

1. 

   Toomas Soome Aug. 20, 2019, 3:02 p.m.

   yes, The reason for this limit is the fact that some systems have only mapped first 4GB of memory, so we only want to avoid going any higher.

2. 

   Gergő Mihály Doma Aug. 22, 2019, 12:11 a.m.

   Maybe check the whole range, not just the start: dest + len <= UINT32_MAX ?

3. 

   Toomas Soome Aug. 22, 2019, 6:14 a.m.

   Good point. of course it is still < UINT32_MAX for assert condition.

4. 

   Robert Mustacchi Aug. 23, 2019, 9:55 p.m.

   With the len addition, why exactly is it < UINT32_MAX? If we have a 10 byte field that ends at UINT32_MAX, doesn't that correctly fit?

5. 

   Toomas Soome Aug. 30, 2019, 11:19 a.m.

   Right, I did confuse myself. Fixed now.

usr/src/boot/sys/boot/efi/loader/copy.c (Diff revision 3)

I'm assuming we don't care about overflow possibilities in the debug assert?

usr/src/boot/sys/boot/efi/loader/copy.c (Diff revision 4)

Show all issues

In libi386, i386_copyin(), i386_copyout() (and i386_readin()) uses regular if (...) checks.

Why the EFI implementation uses DEGUG-only assert() instead?

usr/src/boot/sys/boot/efi/loader/copy.c (Diff revision 4)

Show all issues

Missing range check?
Compared to libi386::i386_readin() function, efi_readin() passing it's arguments to read() without any checks.

Why?

usr/src/boot/sys/boot/efi/loader/copy.c (Diff revision 7)

Show all issues

Why do we cast dest in some cases but not others?

1. 

   Toomas Soome Sept. 9, 2019, 4:31 p.m.

   The dest + len <= UINT32_MAX needs cast because of 32-bit build (in 64-bit build the vm_offset_t is 64-bit int), and with only 32-bit nusigned values, we never get above UINT32_MAX.
   The dest + len >= dest case (negated dest + len < dest) is simplified case of test a + b < a || a + b < b and there we do not really need to cast to 64-bit because we only need to see what happens with sum of the dest and len.

2. 

   Robert Mustacchi Sept. 10, 2019, 8:56 p.m.

   I see, so in the second if block you basically want to ensure that it's always promoted to a 64-bit comparison. I guess that makes sense, though it's a bit hard to see that in a 32-bit case it'll always be three 32-bit quantities that we're comparing and if there was overflow, it'd certainly end up being less than the max.

Ship It!