| Message ID | 20210903110702.588291-27-philmd@redhat.com |
|---|---|
| State | New |
| Headers | show |
| Series | glib: Replace g_memdup() by g_memdup2_qemu() | expand |
On Fri, Sep 03, 2021 at 01:07:00PM +0200, Philippe Mathieu-Daudé wrote: > Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 > > The old API took the size of the memory to duplicate as a guint, > whereas most memory functions take memory sizes as a gsize. This > made it easy to accidentally pass a gsize to g_memdup(). For large > values, that would lead to a silent truncation of the size from 64 > to 32 bits, and result in a heap area being returned which is > significantly smaller than what the caller expects. This can likely > be exploited in various modules to cause a heap buffer overflow. > > Replace g_memdup() by the safer g_memdup2_qemu() wrapper. > > Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Acked-by: David Gibson <david@gibson.dropbear.id.au> > --- > target/ppc/mmu-hash64.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/target/ppc/mmu-hash64.c b/target/ppc/mmu-hash64.c > index 19832c4b46f..2ee6025a406 100644 > --- a/target/ppc/mmu-hash64.c > +++ b/target/ppc/mmu-hash64.c > @@ -1122,7 +1122,8 @@ void ppc_hash64_init(PowerPCCPU *cpu) > return; > } > > - cpu->hash64_opts = g_memdup(pcc->hash64_opts, sizeof(*cpu->hash64_opts)); > + cpu->hash64_opts = g_memdup2_qemu(pcc->hash64_opts, > + sizeof(*cpu->hash64_opts)); > } > > void ppc_hash64_finalize(PowerPCCPU *cpu)
diff --git a/target/ppc/mmu-hash64.c b/target/ppc/mmu-hash64.c index 19832c4b46f..2ee6025a406 100644 --- a/target/ppc/mmu-hash64.c +++ b/target/ppc/mmu-hash64.c @@ -1122,7 +1122,8 @@ void ppc_hash64_init(PowerPCCPU *cpu) return; } - cpu->hash64_opts = g_memdup(pcc->hash64_opts, sizeof(*cpu->hash64_opts)); + cpu->hash64_opts = g_memdup2_qemu(pcc->hash64_opts, + sizeof(*cpu->hash64_opts)); } void ppc_hash64_finalize(PowerPCCPU *cpu)
Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2_qemu() wrapper. Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> --- target/ppc/mmu-hash64.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)