aboutsummaryrefslogtreecommitdiff
path: root/hw
diff options
context:
space:
mode:
authorPeter Maydell <peter.maydell@linaro.org>2014-02-26 17:19:57 +0000
committerPeter Maydell <peter.maydell@linaro.org>2014-02-26 17:19:57 +0000
commitec1efab95767312ff4afb816d0d4b548e093b031 (patch)
tree1e9223fb627f164f7be8badbb33e3559c6330b1e /hw
parentd5001cf787ad0514839a81d0f2e771e01e076e21 (diff)
downloadqemu-ec1efab95767312ff4afb816d0d4b548e093b031.zip
qemu-ec1efab95767312ff4afb816d0d4b548e093b031.tar.gz
qemu-ec1efab95767312ff4afb816d0d4b548e093b031.tar.bz2
hw/misc/arm_sysctl: Fix bad boundary check on mb clock accesses
Fix incorrect use of sizeof() rather than ARRAY_SIZE() to guard accesses into the mb_clock[] array, which was allowing a malicious guest to overwrite the end of the array. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Andreas Färber <afaerber@suse.de> Message-id: 1392647854-8067-2-git-send-email-peter.maydell@linaro.org Cc: qemu-stable@nongnu.org
Diffstat (limited to 'hw')
-rw-r--r--hw/misc/arm_sysctl.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/hw/misc/arm_sysctl.c b/hw/misc/arm_sysctl.c
index 0fc26d2..3fad6f86 100644
--- a/hw/misc/arm_sysctl.c
+++ b/hw/misc/arm_sysctl.c
@@ -276,7 +276,7 @@ static bool vexpress_cfgctrl_read(arm_sysctl_state *s, unsigned int dcc,
}
break;
case SYS_CFG_OSC:
- if (site == SYS_CFG_SITE_MB && device < sizeof(s->mb_clock)) {
+ if (site == SYS_CFG_SITE_MB && device < ARRAY_SIZE(s->mb_clock)) {
/* motherboard clock */
*val = s->mb_clock[device];
return true;
@@ -324,7 +324,7 @@ static bool vexpress_cfgctrl_write(arm_sysctl_state *s, unsigned int dcc,
switch (function) {
case SYS_CFG_OSC:
- if (site == SYS_CFG_SITE_MB && device < sizeof(s->mb_clock)) {
+ if (site == SYS_CFG_SITE_MB && device < ARRAY_SIZE(s->mb_clock)) {
/* motherboard clock */
s->mb_clock[device] = val;
return true;