Sergii Dmytruk has posted comments on this change by Sergii Dmytruk. ( https://review.coreboot.org/c/coreboot/+/83422?usp=email )
Change subject: drivers/efi/uefi_capsules.c: coalesce and store UEFI capsules
......................................................................
Patch Set 6:
(3 comments)
File src/drivers/efi/capsules.c:
https://review.coreboot.org/c/coreboot/+/83422/comment/b2b26212_ac617394?usp... : PS6, Line 347: data_size += ALIGN_UP(capsule_hdr->CapsuleImageSize, CAPSULE_ALIGNMENT);
This can overflow with a maliciously crafted SG list (e.g. one that contains […]
Your computation assumes that a payload will accept such huge capsules, while there is a `gEfiMdeModulePkgTokenSpaceGuid.PcdMaxSizePopulateCapsule` limit with a default value of 100 MiB.
CB:84541
https://review.coreboot.org/c/coreboot/+/83422/comment/84867156_29655187?usp... : PS6, Line 387: *total_data_size += data_size;
Same here.
CB:84541
https://review.coreboot.org/c/coreboot/+/83422/comment/6aad65ce_ebe7f1f6?usp... : PS6, Line 636: target += ALIGN_UP(block.len, CAPSULE_ALIGNMENT) - block.len;
This looks odd as the alignment accounted for is one of `CapsuleImageSize` which […]
Wow, thanks, this is way off. `block.len` is treated as the size of a capsule not only here but above as well.
CB:84542
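The first two comments above are about an accumulation of `ALIGN_UP(CapsuleImageSize, CAPSULE_ALIGNMENT)` that can wrap around on a crafted scatter-gather list, and about the 100 MiB `PcdMaxSizePopulateCapsule` default that bounds what a payload will accept anyway. The following is an added example (not coreboot's code and not the change under review) showing the unchecked sum beside an overflow-checked one that also enforces that cap. The alignment value of 4096, the 32-bit width of the running total, and the `capsule_image_size` stand-in for the header field are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for this example; coreboot's real definitions may differ. */
#define CAPSULE_ALIGNMENT 4096u
/* Default of gEfiMdeModulePkgTokenSpaceGuid.PcdMaxSizePopulateCapsule: 100 MiB. */
#define PCD_MAX_SIZE_POPULATE_CAPSULE (100u * 1024u * 1024u)

/* Classic round-up; note that the addition inside it can itself wrap. */
#define ALIGN_UP(x, a) (((x) + ((a) - 1)) & ~((a) - 1))

/*
 * Unchecked accumulation mirroring the reviewed pattern:
 * total += ALIGN_UP(size, CAPSULE_ALIGNMENT) with no bound. With a 32-bit
 * total, two entries can wrap it to a small value.
 */
static uint32_t sum_capsule_sizes_unchecked(const uint32_t *sizes, size_t n)
{
	uint32_t total = 0;
	for (size_t i = 0; i < n; i++)
		total += ALIGN_UP(sizes[i], CAPSULE_ALIGNMENT);
	return total;
}

/*
 * Add one aligned capsule size to *total. Returns false if the alignment
 * step would wrap or if the running total would exceed the populate cap.
 */
static bool add_capsule_size_checked(uint32_t *total, uint32_t image_size)
{
	/* Guard the "+ (a - 1)" inside ALIGN_UP before evaluating it. */
	if (image_size > UINT32_MAX - (CAPSULE_ALIGNMENT - 1))
		return false;
	uint32_t aligned = ALIGN_UP(image_size, CAPSULE_ALIGNMENT);

	/* Subtracting from the cap instead of adding to total cannot wrap. */
	if (aligned > PCD_MAX_SIZE_POPULATE_CAPSULE - *total)
		return false;

	*total += aligned;
	return true;
}

/*
 * Checked accumulation over a list of capsule image sizes (stand-in for
 * walking the SG list). Returns the total on success or -1 if the list is
 * rejected, so callers never see a wrapped value.
 */
static long long sum_capsule_sizes_checked(const uint32_t *sizes, size_t n)
{
	uint32_t total = 0;
	for (size_t i = 0; i < n; i++) {
		if (!add_capsule_size_checked(&total, sizes[i]))
			return -1;
	}
	return (long long)total;
}

/* Constructed sample lists. */
static const uint32_t SAMPLE_OK[] = { 1u, 4096u };                 /* 4 KiB + 4 KiB */
static const uint32_t SAMPLE_WRAP[] = { 0xFFFFF000u, 0x2000u };    /* wraps a 32-bit sum */
static const uint32_t SAMPLE_OVER_CAP[] = { 0x4000000u, 0x4000000u }; /* 64 MiB + 64 MiB */
static const uint32_t SAMPLE_ALIGN_WRAP[] = { 0xFFFFFFFFu };       /* ALIGN_UP itself wraps */

int main(void)
{
	printf("ok:         unchecked=%u checked=%lld\n",
	       sum_capsule_sizes_unchecked(SAMPLE_OK, 2), sum_capsule_sizes_checked(SAMPLE_OK, 2));
	printf("wrap:       unchecked=%u checked=%lld\n",
	       sum_capsule_sizes_unchecked(SAMPLE_WRAP, 2), sum_capsule_sizes_checked(SAMPLE_WRAP, 2));
	printf("over cap:   unchecked=%u checked=%lld\n",
	       sum_capsule_sizes_unchecked(SAMPLE_OVER_CAP, 2), sum_capsule_sizes_checked(SAMPLE_OVER_CAP, 2));
	printf("align wrap: unchecked=%u checked=%lld\n",
	       sum_capsule_sizes_unchecked(SAMPLE_ALIGN_WRAP, 1), sum_capsule_sizes_checked(SAMPLE_ALIGN_WRAP, 1));
	return 0;
}
```

The unchecked sum of `SAMPLE_WRAP` comes out as 0x1000, which is exactly the kind of small, plausible-looking value that later allocation or copy logic would trust; the checked version rejects that list, the list exceeding the 100 MiB populate cap, and the single entry whose `ALIGN_UP` would wrap before any addition happens.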