From mboxrd@z Thu Jan 1 00:00:00 1970
From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: gpu: nova-core: vbios: fix various cases of reading past `BIOS_MAX_SCAN_LEN`
Date: Sun, 12 Apr 2026 10:18:45 +1000
Message-ID:
In-Reply-To: <20260410-fix-vbios-v1-1-bc6f71d153d6@nvidia.com>
References: <20260410-fix-vbios-v1-0-bc6f71d153d6@nvidia.com> <20260410-fix-vbios-v1-1-bc6f71d153d6@nvidia.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Patch Review

This patch fixes three issues:

1. **`read_more_at_offset` bounds check**: The old code checked `offset > BIOS_MAX_SCAN_LEN` but didn't account for `len`, so `offset + len` could exceed the limit. The fix computes `end = offset.checked_add(len)` and checks `end > BIOS_MAX_SCAN_LEN`.

2. **`read_more_at_offset` over-read**: The old logic computed `gap_bytes + len` which would read `len` additional bytes even when some were already cached. The new `end.saturating_sub(self.data.len())` correctly reads only the uncached portion. This is a genuine bug fix.

3. **`read_bios_image_at_offset` overflow**: Similarly replaces `offset + len` with `checked_add`.

4. **Iterator boundary**: Changes `>` to `>=` for `current_offset >= BIOS_MAX_SCAN_LEN`.

All four changes are correct. One observation:

```rust
+ let end = offset.checked_add(len).ok_or(EINVAL)?;
+
+ if end > BIOS_MAX_SCAN_LEN {
```

The `read_more` function requires `len` to be a multiple of 4. After the fix, `read_more_at_offset` calls `self.read_more(end.saturating_sub(self.data.len()))` — if `end` and `self.data.len()` don't have matching alignment, this could pass a non-multiple-of-4 to `read_more`, which would then return `EINVAL`. This was also possible with the old code (it depended on the caller), so it's not a regression — just worth noting that callers must ensure alignment-compatible `offset` and `len` values.

**Reviewed-by assessment: Good.**

---
Generated by Claude Code Patch Reviewer
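
The two `read_more_at_offset` fixes and the alignment caveat discussed above, as an added user-space Rust model (not part of the review and not nova-core code). `Scanner`, `ScanError`, `cache_len_after`, the limit value 64 and the shape of the old code are assumptions reconstructed from the review's description.

```rust
// User-space model for illustration only; not nova-core code.
const MAX_SCAN_LEN: usize = 64; // constructed stand-in for BIOS_MAX_SCAN_LEN
#[derive(Debug, PartialEq)]
enum ScanError {
    Inval,      // stands in for EINVAL
    OutOfRange, // placeholder: the page does not name the limit check's error code
}

struct Scanner { data: Vec<u8> } // bytes already cached from the ROM

impl Scanner {
    // Models `read_more`: the length must be a multiple of 4.
    fn read_more(&mut self, len: usize) -> Result<(), ScanError> {
        if len % 4 != 0 {
            return Err(ScanError::Inval);
        }
        self.data.resize(self.data.len() + len, 0);
        Ok(())
    }

    // Old shape (assumed from the review): only `offset` is bounded, `gap + len` is read.
    fn read_at_old(&mut self, offset: usize, len: usize) -> Result<(), ScanError> {
        if offset > MAX_SCAN_LEN {
            return Err(ScanError::OutOfRange);
        }
        let gap = offset.saturating_sub(self.data.len());
        self.read_more(gap + len)
    }

    // Fixed shape: bound the end of the range, then read only the uncached part.
    fn read_at_new(&mut self, offset: usize, len: usize) -> Result<(), ScanError> {
        let end = offset.checked_add(len).ok_or(ScanError::Inval)?;
        if end > MAX_SCAN_LEN {
            return Err(ScanError::OutOfRange);
        }
        self.read_more(end.saturating_sub(self.data.len()))
    }
}

// Cache length after requesting (offset, len) on a cache that already holds `cached` bytes.
fn cache_len_after(fixed: bool, cached: usize, offset: usize, len: usize) -> Result<usize, ScanError> {
    let mut s = Scanner { data: vec![0; cached] };
    if fixed { s.read_at_new(offset, len)?; } else { s.read_at_old(offset, len)?; }
    Ok(s.data.len())
}

fn main() {
    println!("{:?} {:?}", cache_len_after(false, 16, 8, 12), cache_len_after(true, 16, 8, 12));
}
```

In this model a request whose `end` and cached length differ by a non-multiple of 4 fails in `read_more`, which is the caller-side alignment requirement the review points out.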