Message ID | 20210903110702.588291-17-philmd@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | glib: Replace g_memdup() by g_memdup2_qemu() | expand |
On Fri, Sep 03, 2021 at 01:06:50PM +0200, Philippe Mathieu-Daudé wrote: > Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 > > The old API took the size of the memory to duplicate as a guint, > whereas most memory functions take memory sizes as a gsize. This > made it easy to accidentally pass a gsize to g_memdup(). For large > values, that would lead to a silent truncation of the size from 64 > to 32 bits, and result in a heap area being returned which is > significantly smaller than what the caller expects. This can likely > be exploited in various modules to cause a heap buffer overflow. > > Replace g_memdup() by the safer g_memdup2_qemu() wrapper. > > Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Acked-by: David Gibson <david@gibson.dropbear.id.au> > --- > hw/ppc/spapr_pci.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c > index 7430bd63142..79c0e8d4f98 100644 > --- a/hw/ppc/spapr_pci.c > +++ b/hw/ppc/spapr_pci.c > @@ -2201,10 +2201,10 @@ static int spapr_pci_post_load(void *opaque, int version_id) > int i; > > for (i = 0; i < sphb->msi_devs_num; ++i) { > - key = g_memdup(&sphb->msi_devs[i].key, > - sizeof(sphb->msi_devs[i].key)); > - value = g_memdup(&sphb->msi_devs[i].value, > - sizeof(sphb->msi_devs[i].value)); > + key = g_memdup2_qemu(&sphb->msi_devs[i].key, > + sizeof(sphb->msi_devs[i].key)); > + value = g_memdup2_qemu(&sphb->msi_devs[i].value, > + sizeof(sphb->msi_devs[i].value)); > g_hash_table_insert(sphb->msi, key, value); > } > g_free(sphb->msi_devs);
diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c index 7430bd63142..79c0e8d4f98 100644 --- a/hw/ppc/spapr_pci.c +++ b/hw/ppc/spapr_pci.c @@ -2201,10 +2201,10 @@ static int spapr_pci_post_load(void *opaque, int version_id) int i; for (i = 0; i < sphb->msi_devs_num; ++i) { - key = g_memdup(&sphb->msi_devs[i].key, - sizeof(sphb->msi_devs[i].key)); - value = g_memdup(&sphb->msi_devs[i].value, - sizeof(sphb->msi_devs[i].value)); + key = g_memdup2_qemu(&sphb->msi_devs[i].key, + sizeof(sphb->msi_devs[i].key)); + value = g_memdup2_qemu(&sphb->msi_devs[i].value, + sizeof(sphb->msi_devs[i].value)); g_hash_table_insert(sphb->msi, key, value); } g_free(sphb->msi_devs);
Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2_qemu() wrapper. Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> --- hw/ppc/spapr_pci.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)