* [Qemu-devel] [PATCH] acpi: fix assert failure caused by commit 35c5a52d
@ 2016-10-19 9:19 Haozhong Zhang
2016-10-19 15:50 ` Dan Williams
2016-10-24 9:46 ` Xiao Guangrong
0 siblings, 2 replies; 3+ messages in thread
From: Haozhong Zhang @ 2016-10-19 9:19 UTC (permalink / raw)
To: qemu-devel
Cc: Xiao Guangrong, mst, Igor Mammedov, Dan Williams, Haozhong Zhang
Commit 35c5a52d "acpi: do not use TARGET_PAGE_SIZE" changed struct
NvdimmDsmIn from a variable-size structure to a fixed-size structure of
4096 bytes. It forgot to adjust an assert in
nvdimm_dsm_set_label_data(..., NvdimmDsmIn *in, ...):
assert(sizeof(*in) + sizeof(*set_label_data) + set_label_data->length <=
4096);
which could crash QEMU when the guest writes NVDIMM labels.
Fix it by replacing sizeof(*in) by offsetof(NvdimmDsmIn, arg3).
Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Reported-by: Dan Williams <dan.j.williams@intel.com>
---
hw/acpi/nvdimm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/acpi/nvdimm.c b/hw/acpi/nvdimm.c
index e486128..9fdc56a 100644
--- a/hw/acpi/nvdimm.c
+++ b/hw/acpi/nvdimm.c
@@ -643,8 +643,8 @@ static void nvdimm_dsm_set_label_data(NVDIMMDevice *nvdimm, NvdimmDsmIn *in,
return;
}
- assert(sizeof(*in) + sizeof(*set_label_data) + set_label_data->length <=
- 4096);
+ assert(offsetof(NvdimmDsmIn, arg3) +
+ sizeof(*set_label_data) + set_label_data->length <= 4096);
nvc->write_label_data(nvdimm, set_label_data->in_buf,
set_label_data->length, set_label_data->offset);
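Review bot: the corrected bound still evaluates guest-supplied set_label_data->length inside an assert(), so any value that gets past the validation ending at the `return;` shown above aborts QEMU instead of failing the DSM call; guest-controlled input should not be able to reach an abort, so either add a comment stating that length (and the offset passed to write_label_data) were already bounded by that earlier check, making this a pure invariant, or turn it into a range check that returns an error status to the guest. Separately, offsetof() requires <stddef.h>; the hunk does not show whether nvdimm.c already includes it.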
--
2.10.1
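The commit message above describes a size-arithmetic bug that is easy to reproduce in isolation: once a struct becomes a fixed 4096-byte page, sizeof() of it counts the payload area too, so "header + payload <= page" must use offsetof() of the payload member instead. The following C program is an added example, not QEMU's code or the patch author's: the DsmIn and SetLabelData layouts, field names and DSM_PAGE_SIZE are constructed to mirror the commit message, not the real NvdimmDsmIn definition. It shows the pre-fix check failing for every length, the post-fix check, and a defender-side variant that validates the guest-supplied offset and length and returns a status instead of asserting.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed analogue of a fixed-size DSM input page: three header words,
 * then the variable-length function argument at arg3 (assumed layout). */
#define DSM_PAGE_SIZE 4096

typedef struct {
    uint32_t handle;
    uint32_t revision;
    uint32_t function;
    uint8_t  arg3[DSM_PAGE_SIZE - 3 * sizeof(uint32_t)];
} DsmIn;

/* Constructed analogue of the set-label-data argument carried in arg3. */
typedef struct {
    uint32_t offset;
    uint32_t length;
    uint8_t  in_buf[];   /* flexible array member: sizeof() excludes it */
} SetLabelData;

enum { DSM_OK = 0, DSM_EINVAL = 1 };

/* Pre-fix check: sizeof(DsmIn) is already the whole page, so the sum
 * exceeds DSM_PAGE_SIZE for any length, even zero. */
bool old_check_holds(uint32_t length)
{
    return sizeof(DsmIn) + sizeof(SetLabelData) + length <= DSM_PAGE_SIZE;
}

/* Post-fix check: only the header bytes that precede arg3 are counted. */
bool new_check_holds(uint32_t length)
{
    return offsetof(DsmIn, arg3) + sizeof(SetLabelData) + length <= DSM_PAGE_SIZE;
}

/* Defensive variant: bound guest-supplied length against the space left in
 * the page and bound offset/length against the label area, then report an
 * error rather than aborting the VMM.  Comparisons are written so that no
 * unsigned addition can wrap. */
int validate_set_label_data(const DsmIn *in, uint32_t label_size,
                            const SetLabelData **out)
{
    const SetLabelData *sld = (const SetLabelData *)in->arg3;
    size_t avail = DSM_PAGE_SIZE - offsetof(DsmIn, arg3) - sizeof(SetLabelData);

    if (sld->length > avail) {
        return DSM_EINVAL;          /* payload would run past the input page */
    }
    if (sld->offset > label_size || sld->length > label_size - sld->offset) {
        return DSM_EINVAL;          /* write would run past the label area */
    }
    *out = sld;
    return DSM_OK;
}

/* Build a DSM input page carrying a constructed set-label-data request. */
void build_request(DsmIn *in, uint32_t offset, uint32_t length)
{
    SetLabelData sld = { .offset = offset, .length = length };
    memset(in, 0, sizeof(*in));
    memcpy(in->arg3, &sld, sizeof(sld));
}

/* Convenience wrapper: validate a request with the given parameters. */
int check_request(uint32_t offset, uint32_t length, uint32_t label_size)
{
    DsmIn in;
    const SetLabelData *sld = NULL;
    build_request(&in, offset, length);
    return validate_set_label_data(&in, label_size, &sld);
}

int main(void)
{
    printf("sizeof(DsmIn)=%zu offsetof(arg3)=%zu\n",
           sizeof(DsmIn), offsetof(DsmIn, arg3));
    printf("old check, length 0: %s\n", old_check_holds(0) ? "ok" : "fails");
    printf("new check, length 0: %s\n", new_check_holds(0) ? "ok" : "fails");
    printf("request(0,128,128K): %d\n", check_request(0, 128, 131072));
    printf("request(0,4077,128K): %d\n", check_request(0, 4077, 131072));
    return 0;
}
```

With the assumed layout, offsetof(DsmIn, arg3) is 12 and sizeof(SetLabelData) is 8, so the corrected bound admits payloads of up to 4076 bytes, while the pre-fix bound rejects even an empty one. The validating variant is what a hypervisor should do with guest-controlled sizes: the assert in the patch is appropriate only as an invariant over values that an earlier check has already bounded.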
* Re: [Qemu-devel] [PATCH] acpi: fix assert failure caused by commit 35c5a52d
2016-10-19 9:19 [Qemu-devel] [PATCH] acpi: fix assert failure caused by commit 35c5a52d Haozhong Zhang
@ 2016-10-19 15:50 ` Dan Williams
2016-10-24 9:46 ` Xiao Guangrong
1 sibling, 0 replies; 3+ messages in thread
From: Dan Williams @ 2016-10-19 15:50 UTC (permalink / raw)
To: Haozhong Zhang
Cc: qemu-devel, Xiao Guangrong, Michael S. Tsirkin, Igor Mammedov
On Wed, Oct 19, 2016 at 2:19 AM, Haozhong Zhang <haozhong.zhang@intel.com> wrote:
> Commit 35c5a52d "acpi: do not use TARGET_PAGE_SIZE" changed struct
> NvdimmDsmIn from a variable-size structure to a fixed-size structure of
> 4096 bytes. It forgot to adjust an assert in
> nvdimm_dsm_set_label_data(..., NvdimmDsmIn *in, ...):
> assert(sizeof(*in) + sizeof(*set_label_data) + set_label_data->length <=
> 4096);
> which could crash QEMU when the guest writes NVDIMM labels.
>
> Fix it by replacing sizeof(*in) by offsetof(NvdimmDsmIn, arg3).
>
> Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
> Reported-by: Dan Williams <dan.j.williams@intel.com>
Thanks!
Tested-by: Dan Williams <dan.j.williams@intel.com>
* Re: [Qemu-devel] [PATCH] acpi: fix assert failure caused by commit 35c5a52d
2016-10-19 9:19 [Qemu-devel] [PATCH] acpi: fix assert failure caused by commit 35c5a52d Haozhong Zhang
2016-10-19 15:50 ` Dan Williams
@ 2016-10-24 9:46 ` Xiao Guangrong
1 sibling, 0 replies; 3+ messages in thread
From: Xiao Guangrong @ 2016-10-24 9:46 UTC (permalink / raw)
To: Haozhong Zhang, qemu-devel; +Cc: Igor Mammedov, Dan Williams, mst
On 10/19/2016 05:19 PM, Haozhong Zhang wrote:
> Commit 35c5a52d "acpi: do not use TARGET_PAGE_SIZE" changed struct
> NvdimmDsmIn from a variable-size structure to a fixed-size structure of
> 4096 bytes. It forgot to adjust an assert in
> nvdimm_dsm_set_label_data(..., NvdimmDsmIn *in, ...):
> assert(sizeof(*in) + sizeof(*set_label_data) + set_label_data->length <=
> 4096);
> which could crash QEMU when the guest writes NVDIMM labels.
>
> Fix it by replacing sizeof(*in) by offsetof(NvdimmDsmIn, arg3).
Thanks for your fix.
Reviewed-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>