From ec1efab95767312ff4afb816d0d4b548e093b031 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Wed, 26 Feb 2014 17:19:57 +0000 Subject: hw/misc/arm_sysctl: Fix bad boundary check on mb clock accesses MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix incorrect use of sizeof() rather than ARRAY_SIZE() to guard accesses into the mb_clock[] array, which was allowing a malicious guest to overwrite the end of the array. Signed-off-by: Peter Maydell Reviewed-by: Paolo Bonzini Reviewed-by: Andreas Färber Message-id: 1392647854-8067-2-git-send-email-peter.maydell@linaro.org Cc: qemu-stable@nongnu.org --- hw/misc/arm_sysctl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'hw/misc') diff --git a/hw/misc/arm_sysctl.c b/hw/misc/arm_sysctl.c index 0fc26d29a5..3fad6f86de 100644 --- a/hw/misc/arm_sysctl.c +++ b/hw/misc/arm_sysctl.c @@ -276,7 +276,7 @@ static bool vexpress_cfgctrl_read(arm_sysctl_state *s, unsigned int dcc, } break; case SYS_CFG_OSC: - if (site == SYS_CFG_SITE_MB && device < sizeof(s->mb_clock)) { + if (site == SYS_CFG_SITE_MB && device < ARRAY_SIZE(s->mb_clock)) { /* motherboard clock */ *val = s->mb_clock[device]; return true; @@ -324,7 +324,7 @@ static bool vexpress_cfgctrl_write(arm_sysctl_state *s, unsigned int dcc, switch (function) { case SYS_CFG_OSC: - if (site == SYS_CFG_SITE_MB && device < sizeof(s->mb_clock)) { + if (site == SYS_CFG_SITE_MB && device < ARRAY_SIZE(s->mb_clock)) { /* motherboard clock */ s->mb_clock[device] = val; return true; -- cgit v1.2.1