acpi: fix assert failure caused by commit 35c5a52d

Commit 35c5a52d "acpi: do not use TARGET_PAGE_SIZE" changed struct
NvdimmDsmIn from a variable-size structure to a fixed-size structure of
4096 bytes. It forgot to adjust an assert in
nvdimm_dsm_set_label_data(..., NvdimmDsmIn *in, ...):
    assert(sizeof(*in) + sizeof(*set_label_data) + set_label_data->length <=
           4096);
which could crash QEMU when guest writes NVDIMM labels.

Fix it by replacing sizeof(*in) by offsetof(NvdimmDsmIn, arg3).

Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Reported-by: Dan Williams <dan.j.williams@intel.com>
Tested-by: Dan Williams <dan.j.williams@intel.com>
Reviewed-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

diff --git a/hw/acpi/nvdimm.c b/hw/acpi/nvdimm.c
index fc1a012ad8e909ac57fd5ce6575dd5b1cdc5f700..602ec54485b1e3f6f9dcaa652eb9ece0f34ecffb 100644 (file)
--- a/hw/acpi/nvdimm.c
+++ b/hw/acpi/nvdimm.c
@@ -757,8 +757,8 @@ static void nvdimm_dsm_set_label_data(NVDIMMDevice *nvdimm, NvdimmDsmIn *in,
         return;
     }
 
-    assert(sizeof(*in) + sizeof(*set_label_data) + set_label_data->length <=
-           4096);
+    assert(offsetof(NvdimmDsmIn, arg3) +
+           sizeof(*set_label_data) + set_label_data->length <= 4096);
 
     nvc->write_label_data(nvdimm, set_label_data->in_buf,
                           set_label_data->length, set_label_data->offset);