From nobody Mon Feb 9 02:32:38 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1729166982884321.55846352963; Thu, 17 Oct 2024 05:09:42 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id AB523144C; Thu, 17 Oct 2024 08:09:41 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 250581285; Thu, 17 Oct 2024 08:09:25 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id AA50A1276; Thu, 17 Oct 2024 08:09:21 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 3238D1215 for ; Thu, 17 Oct 2024 08:09:19 -0400 (EDT) Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-183-4P3NYjW1NiqK2pRiaL5pcw-1; Thu, 17 Oct 2024 08:09:17 -0400 Received: from mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.15]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 69EB81955F40 for ; Thu, 17 Oct 2024 12:09:16 +0000 (UTC) Received: from speedmetal.redhat.com (unknown [10.45.242.4]) by mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 990D61955F45 for ; Thu, 17 Oct 2024 12:09:15 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: *** X-Spam-Status: No, score=3.0 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,RCVD_IN_SBL_CSS, RCVD_IN_VALIDITY_RPBL_BLOCKED,RCVD_IN_VALIDITY_SAFE_BLOCKED, SPF_HELO_NONE autolearn=no autolearn_force=no version=3.4.4 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1729166958; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=aaqUvEGahrlU4O5mTCMTlWja6y6l+0qinNBF9IHFVXo=; b=DTKbTYydG40i2z40He8kAgqXBcO/4tU0eF1Qy4P/slVws2UafWzXQ/skujnNcjE7W26mMd AnYgyiW1drW4XFrA135Qm64ixGUlqijKYobsRoYMsqemTf7VlJNFIJx/KB1E9a6cGJOJtZ plBgpg/9S6CGq9by5tqT8bSKwAjuxWQ= X-MC-Unique: 4P3NYjW1NiqK2pRiaL5pcw-1 From: Peter Krempa To: devel@lists.libvirt.org Subject: [PATCH 1/4] virBitmapNewCopy: Honor sizes of either bitmap when doing memcpy() Date: Thu, 17 Oct 2024 14:09:09 +0200 Message-ID: <7212293c8ecceacad239952a52860f74f7d0568c.1729166910.git.pkrempa@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.15 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Message-ID-Hash: OZQGRDUBPZXEW3GAFOKNUMPVPAFBK4CR X-Message-ID-Hash: OZQGRDUBPZXEW3GAFOKNUMPVPAFBK4CR X-MailFrom: pkrempa@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1729166983482116600 Content-Type: text/plain; charset="utf-8" 'virBitmapNewCopy()' allocates a new bitmap with the same number of bits but uses the internal allocation length as argument for the memcpy() operation to copy the bits. Due to bugs in other code these may not be the same resulting into a buffer overflow if the source is over-allocated. Use the buffer length of the target bitmap instead. Signed-off-by: Peter Krempa --- src/util/virbitmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/util/virbitmap.c b/src/util/virbitmap.c index b8d0352bb1..a1a8c5d126 100644 --- a/src/util/virbitmap.c +++ b/src/util/virbitmap.c @@ -582,7 +582,7 @@ virBitmapNewCopy(virBitmap *src) { virBitmap *dst =3D virBitmapNew(src->nbits); - memcpy(dst->map, src->map, src->map_len * sizeof(src->map[0])); + memcpy(dst->map, src->map, dst->map_len * sizeof(src->map[0])); return dst; } --=20 2.47.0