From patchwork Wed Feb 26 18:01:51 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Peter Maydell <peter.maydell@linaro.org>
X-Patchwork-Id: 25429
Return-Path: <patchwork-forward+bncBC6Z756YVMIBBLMPXGMAKGQEWXUEBNQ@linaro.org>
X-Original-To: linaro@patches.linaro.org
Delivered-To: linaro@patches.linaro.org
Received: from mail-ie0-f199.google.com (mail-ie0-f199.google.com
 [209.85.223.199])
 by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id A9E8720636
 for <linaro@patches.linaro.org>; Wed, 26 Feb 2014 19:59:42 +0000 (UTC)
Received: by mail-ie0-f199.google.com with SMTP id lx4sf4805821iec.2
 for <linaro@patches.linaro.org>; Wed, 26 Feb 2014 11:59:42 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:delivered-to:from:to:date:message-id:in-reply-to
 :references:mime-version:cc:subject:precedence:list-id
 :list-unsubscribe:list-archive:list-post:list-help:list-subscribe
 :errors-to:sender:x-original-sender
 :x-original-authentication-results:mailing-list:content-type
 :content-transfer-encoding;
 bh=HT1FWkNxUeMeFh5Hxqy7DK40GiOGS11Yf0/SqFe9EaQ=;
 b=aV3Vent7KXEwikWZmiZnpPilwJupO0ddpK8QCid8W8az2A3GzMcGoHyqJA9PJirJ5F
 HRmAQ1I7cp3c1ykDZtg4H0XSC2XIQ1jE6vO+0fiwGnLE/qabBQ7ia4EMhp0mkc6agD0o
 RKvilbp1rYLEKFQlX9Hew7HE/nZvp+trTdqKjBBGaMYe69JLJGzArAkx7SwQlEEDZN28
 BBn+IinBqcqclr0LVxiP8nHOnKn66402T+7YhNmpjWUnLUuMQfmW9LY1sESfyZ02Ig92
 AyqdpiVmoUcncRh2g3uHgVca521sQ9WXFWMVDDzfm5UNUyT8ZXIOitWFpZWCktSBec3L
 SQ6A==
X-Gm-Message-State: ALoCoQnUM9lgZ6q+0uYtA0sgCrAyn8D9uDdSnhu573v0Hb7UJeRGGRpDklwki7NB5RBlS3RkFupM
X-Received: by 10.182.28.36 with SMTP id y4mr2234456obg.46.1393444781972;
 Wed, 26 Feb 2014 11:59:41 -0800 (PST)
X-BeenThere: patchwork-forward@linaro.org
Received: by 10.140.42.14 with SMTP id b14ls375153qga.47.gmail; Wed, 26 Feb
 2014 11:59:41 -0800 (PST)
X-Received: by 10.220.109.1 with SMTP id h1mr7257911vcp.20.1393444781770;
 Wed, 26 Feb 2014 11:59:41 -0800 (PST)
Received: from mail-ve0-f177.google.com (mail-ve0-f177.google.com
 [209.85.128.177])
 by mx.google.com with ESMTPS id tr5si510772vdc.65.2014.02.26.11.59.41
 for <patchwork-forward@linaro.org>
 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Wed, 26 Feb 2014 11:59:41 -0800 (PST)
Received-SPF: neutral (google.com: 209.85.128.177 is neither permitted nor
 denied by best guess record for domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org)
 client-ip=209.85.128.177; 
Received: by mail-ve0-f177.google.com with SMTP id db12so2717038veb.36
 for <patchwork-forward@linaro.org>;
 Wed, 26 Feb 2014 11:59:41 -0800 (PST)
X-Received: by 10.58.235.129 with SMTP id um1mr7365460vec.17.1393444781691; 
 Wed, 26 Feb 2014 11:59:41 -0800 (PST)
X-Forwarded-To: patchwork-forward@linaro.org
X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org
Delivered-To: patch@linaro.org
Received: by 10.220.174.196 with SMTP id u4csp51169vcz;
 Wed, 26 Feb 2014 11:59:41 -0800 (PST)
X-Received: by 10.224.94.2 with SMTP id x2mr4871859qam.100.1393444781186;
 Wed, 26 Feb 2014 11:59:41 -0800 (PST)
Received: from lists.gnu.org (lists.gnu.org. [2001:4830:134:3::11])
 by mx.google.com with ESMTPS id 45si650289qgg.105.2014.02.26.11.59.41
 for <patch@linaro.org> (version=TLSv1 cipher=RC4-SHA bits=128/128);
 Wed, 26 Feb 2014 11:59:41 -0800 (PST)
Received-SPF: pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates
 2001:4830:134:3::11 as permitted sender)
 client-ip=2001:4830:134:3::11; 
Received: from localhost ([::1]:42273 helo=lists.gnu.org)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <qemu-devel-bounces+patch=linaro.org@nongnu.org>)
 id 1WIj0S-0008MT-Py
 for patch@linaro.org; Wed, 26 Feb 2014 13:14:56 -0500
Received: from eggs.gnu.org ([2001:4830:134:3::10]:34314)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <pm215@archaic.org.uk>) id 1WIios-00014v-Kk
 for qemu-devel@nongnu.org; Wed, 26 Feb 2014 13:02:59 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <pm215@archaic.org.uk>) id 1WIior-0007SO-NA
 for qemu-devel@nongnu.org; Wed, 26 Feb 2014 13:02:58 -0500
Received: from mnementh.archaic.org.uk ([2001:8b0:1d0::1]:46191)
 by eggs.gnu.org with esmtp (Exim 4.71)
 (envelope-from <pm215@archaic.org.uk>) id 1WIior-0007Eu-Fw
 for qemu-devel@nongnu.org; Wed, 26 Feb 2014 13:02:57 -0500
Received: from pm215 by mnementh.archaic.org.uk with local (Exim 4.80)
 (envelope-from <pm215@archaic.org.uk>)
 id 1WIioV-00068w-Ct; Wed, 26 Feb 2014 18:02:35 +0000
From: Peter Maydell <peter.maydell@linaro.org>
To: Anthony Liguori <aliguori@amazon.com>
Date: Wed, 26 Feb 2014 18:01:51 +0000
Message-Id: <1393437755-23586-2-git-send-email-peter.maydell@linaro.org>
X-Mailer: git-send-email 1.7.10.4
In-Reply-To: <1393437755-23586-1-git-send-email-peter.maydell@linaro.org>
References: <1393437755-23586-1-git-send-email-peter.maydell@linaro.org>
MIME-Version: 1.0
X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address
 (bad octet value).
X-Received-From: 2001:8b0:1d0::1
Cc: Blue Swirl <blauwirbel@gmail.com>, qemu-devel@nongnu.org,
 Aurelien Jarno <aurelien@aurel32.net>
Subject: [Qemu-devel] [PULL 01/45] hw/misc/arm_sysctl: Fix bad boundary
 check on mb clock accesses
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: <patchwork-forward.linaro.org>
List-Unsubscribe: <http://groups.google.com/a/linaro.org/group/patchwork-forward/subscribe>, 
 <mailto:googlegroups-manage+836684582541+unsubscribe@googlegroups.com>
List-Archive: <http://groups.google.com/a/linaro.org/group/patchwork-forward/>
List-Post: <http://groups.google.com/a/linaro.org/group/patchwork-forward/post>, 
 <mailto:patchwork-forward@linaro.org>
List-Help: <http://support.google.com/a/linaro.org/bin/topic.py?topic=25838>, 
 <mailto:patchwork-forward+help@linaro.org>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org
Sender: qemu-devel-bounces+patch=linaro.org@nongnu.org
X-Removed-Original-Auth: Dkim didn't pass.
X-Original-Sender: peter.maydell@linaro.org
X-Original-Authentication-Results: mx.google.com;       spf=neutral
 (google.com: 209.85.128.177 is neither permitted nor denied by best
 guess record for domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org)
 smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org
Mailing-list: list patchwork-forward@linaro.org;
 contact patchwork-forward+owners@linaro.org
X-Google-Group-Id: 836684582541

Fix incorrect use of sizeof() rather than ARRAY_SIZE() to guard
accesses into the mb_clock[] array, which was allowing a malicious
guest to overwrite the end of the array.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Message-id: 1392647854-8067-2-git-send-email-peter.maydell@linaro.org
Cc: qemu-stable@nongnu.org
---
 hw/misc/arm_sysctl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/misc/arm_sysctl.c b/hw/misc/arm_sysctl.c
index 0fc26d2..3fad6f8 100644
--- a/hw/misc/arm_sysctl.c
+++ b/hw/misc/arm_sysctl.c
@@ -276,7 +276,7 @@ static bool vexpress_cfgctrl_read(arm_sysctl_state *s, unsigned int dcc,
         }
         break;
     case SYS_CFG_OSC:
-        if (site == SYS_CFG_SITE_MB && device < sizeof(s->mb_clock)) {
+        if (site == SYS_CFG_SITE_MB && device < ARRAY_SIZE(s->mb_clock)) {
             /* motherboard clock */
             *val = s->mb_clock[device];
             return true;
@@ -324,7 +324,7 @@ static bool vexpress_cfgctrl_write(arm_sysctl_state *s, unsigned int dcc,
 
     switch (function) {
     case SYS_CFG_OSC:
-        if (site == SYS_CFG_SITE_MB && device < sizeof(s->mb_clock)) {
+        if (site == SYS_CFG_SITE_MB && device < ARRAY_SIZE(s->mb_clock)) {
             /* motherboard clock */
             s->mb_clock[device] = val;
             return true;