QEMU-Devel Archive mirror
From: "Philippe Mathieu-Daudé" <philmd@linaro.org>
To: qemu-devel@nongnu.org
Cc: "Philippe Mathieu-Daudé" <philmd@redhat.com>,
	"David Gibson" <david@gibson.dropbear.id.au>,
	"Philippe Mathieu-Daudé" <philmd@linaro.org>
Subject: [PULL 02/26] target/ppc: Replace g_memdup() by g_memdup2()
Date: Wed,  8 May 2024 19:44:46 +0200	[thread overview]
Message-ID: <20240508174510.60470-3-philmd@linaro.org> (raw)
In-Reply-To: <20240508174510.60470-1-philmd@linaro.org>

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

  The old API took the size of the memory to duplicate as a guint,
  whereas most memory functions take memory sizes as a gsize. This
  made it easy to accidentally pass a gsize to g_memdup(). For large
  values, that would lead to a silent truncation of the size from 64
  to 32 bits, and result in a heap area being returned which is
  significantly smaller than what the caller expects. This can likely
  be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2() wrapper.

Trivially safe because the argument was directly from sizeof.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: David Gibson <david@gibson.dropbear.id.au>
Message-Id: <20210903174510.751630-27-philmd@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 target/ppc/mmu-hash64.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/ppc/mmu-hash64.c b/target/ppc/mmu-hash64.c
index 5a0d80feda..0966422a55 100644
--- a/target/ppc/mmu-hash64.c
+++ b/target/ppc/mmu-hash64.c
@@ -1188,7 +1188,7 @@ void ppc_hash64_init(PowerPCCPU *cpu)
         return;
     }
 
-    cpu->hash64_opts = g_memdup(pcc->hash64_opts, sizeof(*cpu->hash64_opts));
+    cpu->hash64_opts = g_memdup2(pcc->hash64_opts, sizeof(*cpu->hash64_opts));
 }
 
 void ppc_hash64_finalize(PowerPCCPU *cpu)
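Review bot: Nothing to fix in this hunk. sizeof(*cpu->hash64_opts) is a size_t, so g_memdup2() receives it at full width and the only behavioural difference from the removed g_memdup() line is that the implicit narrowing to guint is gone; since a sizeof of a fixed struct can never exceed 32 bits, the commit message's "trivially safe" holds. One thing to confirm before merge: g_memdup2() postdates g_memdup() in GLib and the commit message calls it a wrapper, so make sure the QEMU-side compat definition is in place for builds against a GLib that lacks the symbol; the hunk itself carries no dependency note.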
-- 
2.41.0
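The quoted GNOME note describes the failure mode abstractly: a gsize handed to g_memdup()'s guint parameter is narrowed to 32 bits, and the caller then owns a heap block far smaller than it believes. The following is an added example, not code from this patch, from QEMU or from GLib. It models the two signatures with stand-in functions (legacy_memdup() shaped like g_memdup(), safe_memdup() shaped like g_memdup2()), exposes the narrowing as a checkable quantity, and shows why a sizeof() argument such as the one in the hunk cannot trigger it. struct opts_like is a constructed stand-in for the copied options struct, and the 4 GiB + 16 request is a constructed value, not one observed in QEMU.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the small fixed-size struct copied in the hunk. */
struct opts_like {
    uint64_t flags;
    uint32_t slb_size;
    uint32_t pad;
};

/* What the callee sees when a 64-bit size reaches g_memdup()'s
 * `guint byte_size` parameter: an implicit narrowing to 32 bits. */
static uint32_t legacy_alloc_size(uint64_t requested)
{
    return (uint32_t)requested;
}

/* 1 if a gsize-style value would be changed by that narrowing. */
static int size_would_truncate(uint64_t requested)
{
    return requested > UINT32_MAX;
}

/* Bytes the caller believes it owns beyond what was actually allocated.
 * A non-zero result is the heap overflow window the GNOME note describes. */
static uint64_t overflow_window(uint64_t requested)
{
    return requested - legacy_alloc_size(requested);
}

/* g_memdup()-shaped copy: the size is already narrowed on arrival, so
 * nothing inside this function can notice that anything was lost. */
static void *legacy_memdup(const void *mem, uint32_t byte_size)
{
    void *copy;

    if (mem == NULL || byte_size == 0) {
        return NULL;
    }
    copy = malloc(byte_size);
    if (copy != NULL) {
        memcpy(copy, mem, byte_size);
    }
    return copy;
}

/* g_memdup2()-shaped copy: the size keeps its full width end to end. */
static void *safe_memdup(const void *mem, size_t byte_size)
{
    void *copy;

    if (mem == NULL || byte_size == 0) {
        return NULL;
    }
    copy = malloc(byte_size);
    if (copy != NULL) {
        memcpy(copy, mem, byte_size);
    }
    return copy;
}

/* Duplicate with the full-width variant, compare, free; 1 on success. */
static int roundtrip_ok(const void *mem, size_t len)
{
    void *copy = safe_memdup(mem, len);
    int ok = copy != NULL && memcmp(copy, mem, len) == 0;

    free(copy);
    return ok;
}

int main(void)
{
    uint64_t big = (1ULL << 32) + 16;   /* constructed: just past 4 GiB */
    struct opts_like src = { .flags = 1, .slb_size = 64, .pad = 0 };
    void *small_copy;

    /* The hunk's case: a sizeof() always fits, both variants agree. */
    printf("sizeof(struct opts_like)=%zu truncates=%d\n",
           sizeof(src), size_would_truncate(sizeof(src)));
    small_copy = legacy_memdup(&src, (uint32_t)sizeof(src));
    printf("legacy copy matches=%d\n",
           small_copy != NULL && memcmp(small_copy, &src, sizeof(src)) == 0);
    free(small_copy);

    /* The dangerous case: a large gsize silently becomes a tiny guint. */
    printf("requested=%llu legacy_alloc=%u window=%llu\n",
           (unsigned long long)big, legacy_alloc_size(big),
           (unsigned long long)overflow_window(big));
    printf("safe roundtrip_ok=%d\n", roundtrip_ok(&src, sizeof(src)));
    return 0;
}
```

The useful habit this illustrates for a migration like this pull series: before rewriting a call site, classify its size argument. A sizeof() of a fixed type, as in the hunk, can never exceed UINT32_MAX, so the rewrite is purely a type hygiene change; a length derived from guest or file input is where the narrowing in legacy_alloc_size() becomes an attacker-controlled undersized allocation, and those call sites are the ones worth auditing first.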



Thread overview: 29+ messages
2024-05-08 17:44 [PULL 00/26] Misc HW patches for 2024-05-08 Philippe Mathieu-Daudé
2024-05-08 17:44 ` [PULL 01/26] block/qcow2-bitmap: Replace g_memdup() by g_memdup2() Philippe Mathieu-Daudé
2024-05-08 17:44 ` Philippe Mathieu-Daudé [this message]
2024-05-08 17:44 ` [PULL 03/26] hw/hppa/machine: " Philippe Mathieu-Daudé
2024-05-08 17:44 ` [PULL 04/26] hw/ppc/spapr_pci: " Philippe Mathieu-Daudé
2024-05-08 17:44 ` [PULL 05/26] hw/remote/vfio-user: Fix config space access byte order Philippe Mathieu-Daudé
2024-05-10  8:18   ` Michael Tokarev
2024-05-10  9:54     ` Philippe Mathieu-Daudé
2024-05-08 17:44 ` [PULL 06/26] system/physmem: Replace qemu_mutex_lock() calls with QEMU_LOCK_GUARD Philippe Mathieu-Daudé
2024-05-08 17:44 ` [PULL 07/26] system/physmem: Propagate AddressSpace to MapClient helpers Philippe Mathieu-Daudé
2024-05-08 17:44 ` [PULL 08/26] system/physmem: Per-AddressSpace bounce buffering Philippe Mathieu-Daudé
2024-05-08 17:44 ` [PULL 09/26] hw/i386/pc: Allow to compile without CONFIG_FDC_ISA Philippe Mathieu-Daudé
2024-05-08 17:44 ` [PULL 10/26] hw/i386/Kconfig: Allow to compile Q35 without FDC_ISA Philippe Mathieu-Daudé
2024-05-08 17:44 ` [PULL 11/26] hw/i386: Add the possibility to use i440fx and isapc without FDC Philippe Mathieu-Daudé
2024-05-08 17:44 ` [PULL 12/26] hw/i386/x86: Eliminate two if statements in x86_bios_rom_init() Philippe Mathieu-Daudé
2024-05-08 17:44 ` [PULL 13/26] hw/i386: Have x86_bios_rom_init() take X86MachineState rather than MachineState Philippe Mathieu-Daudé
2024-05-08 17:44 ` [PULL 14/26] hw/i386/x86: Don't leak "isa-bios" memory regions Philippe Mathieu-Daudé
2024-05-08 17:44 ` [PULL 15/26] hw/usb/dev-network: Remove unused struct 'rndis_config_parameter' Philippe Mathieu-Daudé
2024-05-08 17:45 ` [PULL 16/26] hw/gpio: Handle clock migration in STM32L4x5 gpios Philippe Mathieu-Daudé
2024-05-08 17:45 ` [PULL 17/26] hw/ppc: Deprecate 'ref405ep' machine and 405 CPUs Philippe Mathieu-Daudé
2024-05-08 17:45 ` [PULL 18/26] hw/loongarch: move memory map to boot.c Philippe Mathieu-Daudé
2024-05-08 17:45 ` [PULL 19/26] hw/loongarch/virt: Fix memory leak Philippe Mathieu-Daudé
2024-05-08 17:45 ` [PULL 20/26] hw/loongarch: Rename LOONGARCH_MACHINE with LOONGARCH_VIRT_MACHINE Philippe Mathieu-Daudé
2024-05-08 17:45 ` [PULL 21/26] hw/loongarch: Rename LoongArchMachineState with LoongArchVirtMachineState Philippe Mathieu-Daudé
2024-05-08 17:45 ` [PULL 22/26] hw/mips/loongson3_virt: Emulate suspend function Philippe Mathieu-Daudé
2024-05-08 17:45 ` [PULL 23/26] hw/intc/loongarch_ipi: Remove pointless MAX_CPU check Philippe Mathieu-Daudé
2024-05-08 17:45 ` [PULL 24/26] hw/intc/loongarch_ipi: Rename as loongson_ipi Philippe Mathieu-Daudé
2024-05-08 17:45 ` [PULL 25/26] hw/intc/loongson_ipi: Implement IOCSR address space for MIPS Philippe Mathieu-Daudé
2024-05-08 17:45 ` [PULL 26/26] misc: Use QEMU header path relative to include/ directory Philippe Mathieu-Daudé
