author: Haozhong Zhang <haozhong.zhang@intel.com>, 2016-10-19 17:19:25 +0800
committer: Michael S. Tsirkin <mst@redhat.com>, 2016-11-01 19:21:09 +0200
commit: 53000638f233d6ba1d584a68b74f2cde79615b80 (patch)
tree: b450c7bfb462c17ce38fa779a0241eb7e6afa6a9 /hw
parent: 698ae42b9124dce23e03d0fea2e635b70540ef13 (diff)
acpi: fix assert failure caused by commit 35c5a52d
Commit 35c5a52d "acpi: do not use TARGET_PAGE_SIZE" changed struct
NvdimmDsmIn from a variable-size structure to a fixed-size structure of
4096 bytes. It forgot to adjust an assert in
nvdimm_dsm_set_label_data(..., NvdimmDsmIn *in, ...):
assert(sizeof(*in) + sizeof(*set_label_data) + set_label_data->length <=
4096);
which could crash QEMU when the guest writes NVDIMM labels.
Fix it by replacing sizeof(*in) by offsetof(NvdimmDsmIn, arg3).
Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Reported-by: Dan Williams <dan.j.williams@intel.com>
Tested-by: Dan Williams <dan.j.williams@intel.com>
Reviewed-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Diffstat (limited to 'hw'):
hw/acpi/nvdimm.c | 4
1 file changed, 2 insertions, 2 deletions
diff --git a/hw/acpi/nvdimm.c b/hw/acpi/nvdimm.c index fc1a012ad8..602ec54485 100644 --- a/hw/acpi/nvdimm.c +++ b/hw/acpi/nvdimm.c @@ -757,8 +757,8 @@ static void nvdimm_dsm_set_label_data(NVDIMMDevice *nvdimm, NvdimmDsmIn *in, return; } - assert(sizeof(*in) + sizeof(*set_label_data) + set_label_data->length <= - 4096); + assert(offsetof(NvdimmDsmIn, arg3) + + sizeof(*set_label_data) + set_label_data->length <= 4096); nvc->write_label_data(nvdimm, set_label_data->in_buf, set_label_data->length, set_label_data->offset); |
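Review bot: the corrected assert still folds in `set_label_data->length`, a value read from the guest-supplied DSM input buffer, so unless the early `return` immediately above this hunk already rejects any `length`/`offset` pair that would push the sum past 4096, a guest can still fire the assert and abort QEMU rather than receive an error status; please confirm that the preceding check fully bounds `length` so the assert is only an internal invariant, and consider replacing the literal `4096` on the right-hand side with `sizeof(*in)` now that NvdimmDsmIn is a fixed 4096-byte structure, so the bound cannot drift from the structure definition the way the old `sizeof(*in) + ...` left-hand side did.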