@@ -2310,11 +2310,10 @@ static void
build_tpm_tcpa(GArray *table_data, BIOSLinker *linker, GArray *tcpalog)
{
Acpi20Tcpa *tcpa = acpi_data_push(table_data, sizeof *tcpa);
- uint64_t log_area_start_address = acpi_data_len(tcpalog);
tcpa->platform_class = cpu_to_le16(TPM_TCPA_ACPI_CLASS_CLIENT);
tcpa->log_area_minimum_length = cpu_to_le32(TPM_LOG_AREA_MINIMUM_SIZE);
- tcpa->log_area_start_address = cpu_to_le64(log_area_start_address);
+ acpi_data_push(tcpalog, tcpa->log_area_minimum_length);
bios_linker_loader_alloc(linker, ACPI_BUILD_TPMLOG_FILE, tcpalog, 1,
false /* high memory */);
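Review bot: The size passed at `acpi_data_push(tcpalog, tcpa->log_area_minimum_length);` is read back from a field that line `tcpa->log_area_minimum_length = cpu_to_le32(TPM_LOG_AREA_MINIMUM_SIZE);` stores in little-endian encoding, so on a big-endian host it is the byte-swapped value rather than TPM_LOG_AREA_MINIMUM_SIZE. The log file would then be allocated with a size that differs from (and is presumably much smaller than) the minimum length advertised to the guest in the TCPA table, and a guest filling its event log would write past ACPI_BUILD_TPMLOG_FILE — the same memory corruption the description sets out to rule out. Push the plain constant instead of the encoded field: `acpi_data_push(tcpalog, TPM_LOG_AREA_MINIMUM_SIZE);`. The second hunk, which drops the old push at the end of the function, is fine once this is corrected; build_tpm_tcpa()'s body continues past this hunk.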
@@ -2327,8 +2326,6 @@ build_tpm_tcpa(GArray *table_data, BIOSLinker *linker, GArray *tcpalog)
build_header(linker, table_data,
(void *)tcpa, "TCPA", sizeof(*tcpa), 2, NULL, NULL);
-
- acpi_data_push(tcpalog, TPM_LOG_AREA_MINIMUM_SIZE);
}
static void
At the time build_tpm_tcpa() is called the tcpalog size is always 0, so log_area_start_address, which is actually an offset from the start of ACPI_BUILD_TPMLOG_FILE, is always 0. Moreover, if tcpalog were not 0-sized at the time build_tpm_tcpa() is called, it would make tcpa->log_area_start_address point to ACPI_BUILD_TPMLOG_FILE+log_area_start_address, causing the guest to write beyond ACPI_BUILD_TPMLOG_FILE, which would result in memory corruption. As 'TCPA' is allocated 0-filled, there is no point in calculating the constant 0 log_area_start_address and setting tcpa->log_area_start_address to it, since the field should always point to the start of ACPI_BUILD_TPMLOG_FILE. Make the code easier to read by dropping the misleading-at-best offset calculations and making it impossible to silently backfire if the tcpalog size becomes non-0 at the time build_tpm_tcpa() is called in the future. While at it, move the tcpalog allocation closer to the code that defines its size. Signed-off-by: Igor Mammedov <imammedo@redhat.com> --- hw/i386/acpi-build.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-)