system/qemu
system/qemu
1
0
Fork 0
mirror of https://gitlab.com/qemu-project/qemu synced 2024-10-14 23:13:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

hw/misc/arm_sysctl: Fix bad boundary check on mb clock accesses

Browse source 
Fix incorrect use of sizeof() rather than ARRAY_SIZE() to guard
accesses into the mb_clock[] array, which was allowing a malicious
guest to overwrite the end of the array.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Message-id: 1392647854-8067-2-git-send-email-peter.maydell@linaro.org
Cc: qemu-stable@nongnu.org
This commit is contained in:
Peter Maydell 2014-02-26 17:19:57 +00:00
parent d5001cf787
commit ec1efab957
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
hw/misc/arm_sysctl.c
View file

@ -276,7 +276,7 @@ static bool vexpress_cfgctrl_read(arm_sysctl_state *s, unsigned int dcc,
}
break;
case SYS_CFG_OSC:
if (site == SYS_CFG_SITE_MB && device < sizeof(s->mb_clock)) {
if (site == SYS_CFG_SITE_MB && device < ARRAY_SIZE(s->mb_clock)) {
/* motherboard clock */
*val = s->mb_clock[device];
return true;
@ -324,7 +324,7 @@ static bool vexpress_cfgctrl_write(arm_sysctl_state *s, unsigned int dcc,
switch (function) {
case SYS_CFG_OSC:
if (site == SYS_CFG_SITE_MB && device < sizeof(s->mb_clock)) {
if (site == SYS_CFG_SITE_MB && device < ARRAY_SIZE(s->mb_clock)) {
/* motherboard clock */
s->mb_clock[device] = val;
return true;