From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Hanna Reitz, Igor Mammedov, Laurent Vivier, Alexandre Iooss, Alex Bennée, Michael Roth, Zhang Chen, Shannon Zhao, Richard Henderson, Alex Williamson, Eduardo Habkost, Markus Armbruster, Eric Blake, Stefan Weil, John Snow, Mahmoud Mandour, Li Zhijian, Marcel Apfelbaum, qemu-block@nongnu.org, Helge Deller, "Michael S. Tsirkin", David Gibson, Peter Xu, "Gonglei (Arei)", Gerd Hoffmann, Fam Zheng, Jason Wang, Vladimir Sementsov-Ogievskiy, Christian Schoenebeck, Kevin Wolf, Yuval Shaia, Paolo Bonzini, Peter Maydell, qemu-arm@nongnu.org, Thomas Huth, Laurent Vivier, Greg Kurz, Philippe Mathieu-Daudé, qemu-ppc@nongnu.org, David Hildenbrand
Subject: [PATCH 01/28] hw/hyperv/vmbus: Remove unused vmbus_load/save_req()
Date: Fri, 3 Sep 2021 13:06:35 +0200
Message-Id: <20210903110702.588291-2-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

vmbus_save_req() and vmbus_load_req() are not used. Remove them to
avoid maintaining dead code.

Signed-off-by: Philippe Mathieu-Daudé
---
 include/hw/hyperv/vmbus.h |  3 --
 hw/hyperv/vmbus.c         | 59 ---------------------------------------
 2 files changed, 62 deletions(-)

diff --git a/include/hw/hyperv/vmbus.h b/include/hw/hyperv/vmbus.h
index f98bea3888d..8ea660dd8e6 100644
--- a/include/hw/hyperv/vmbus.h
+++ b/include/hw/hyperv/vmbus.h
@@ -223,7 +223,4 @@ int vmbus_map_sgl(VMBusChanReq *req, DMADirection dir, = struct iovec *iov, void vmbus_unmap_sgl(VMBusChanReq *req, DMADirection dir, struct iovec *io= v, unsigned iov_cnt, size_t accessed); =20 -void vmbus_save_req(QEMUFile *f, VMBusChanReq *req); -void *vmbus_load_req(QEMUFile *f, VMBusDevice *dev, uint32_t size); - #endif diff --git a/hw/hyperv/vmbus.c b/hw/hyperv/vmbus.c index c9887d5a7bc..18d3c3b9240 100644 --- a/hw/hyperv/vmbus.c +++ b/hw/hyperv/vmbus.c 
@@ -1311,65 +1311,6 @@ static const VMStateDescription vmstate_vmbus_chan_r= eq =3D { } }; =20 -void vmbus_save_req(QEMUFile *f, VMBusChanReq *req) -{ - VMBusChanReqSave req_save; - - req_save.chan_idx =3D req->chan->subchan_idx; - req_save.pkt_type =3D req->pkt_type; - req_save.msglen =3D req->msglen; - req_save.msg =3D req->msg; - req_save.transaction_id =3D req->transaction_id; - req_save.need_comp =3D req->need_comp; - req_save.num =3D req->sgl.nsg; - req_save.sgl =3D g_memdup(req->sgl.sg, - req_save.num * sizeof(ScatterGatherEntry)); - - vmstate_save_state(f, &vmstate_vmbus_chan_req, &req_save, NULL); - - g_free(req_save.sgl); -} - -void *vmbus_load_req(QEMUFile *f, VMBusDevice *dev, uint32_t size) -{ - VMBusChanReqSave req_save; - VMBusChanReq *req =3D NULL; - VMBusChannel *chan =3D NULL; - uint32_t i; - - vmstate_load_state(f, &vmstate_vmbus_chan_req, &req_save, 0); - - if (req_save.chan_idx >=3D dev->num_channels) { - error_report("%s: %u(chan_idx) > %u(num_channels)", __func__, - req_save.chan_idx, dev->num_channels); - goto out; - } - chan =3D &dev->channels[req_save.chan_idx]; - - if (vmbus_channel_reserve(chan, 0, req_save.msglen)) { - goto out; - } - - req =3D vmbus_alloc_req(chan, size, req_save.pkt_type, req_save.msglen, - req_save.transaction_id, req_save.need_comp); - if (req_save.msglen) { - memcpy(req->msg, req_save.msg, req_save.msglen); - } - - for (i =3D 0; i < req_save.num; i++) { - qemu_sglist_add(&req->sgl, req_save.sgl[i].base, req_save.sgl[i].l= en); - } - -out: - if (req_save.msglen) { - g_free(req_save.msg); - } - if (req_save.num) { - g_free(req_save.sgl); - } - return req; -} - static void channel_event_cb(EventNotifier *e) { VMBusChannel *chan =3D container_of(e, VMBusChannel, notifier); --=20 2.31.1
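Review bot: with vmbus_save_req() and vmbus_load_req() gone, the static vmstate_vmbus_chan_req description shown in the context of the @@ -1311 hunk and the VMBusChanReqSave type it describes may have no remaining users in hw/hyperv/vmbus.c; if so they are now dead code too and should be dropped in the same patch rather than left for an unused-variable warning. The commit message could also mention that this removes a g_memdup() call whose size is a gsize product (`req_save.num * sizeof(ScatterGatherEntry)`), the very pattern the rest of this series converts, and that the `req_save.chan_idx >=3D dev->num_channels` bounds check on migration input disappears only because nothing ever called the loader.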
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Hanna Reitz, Igor Mammedov, Laurent Vivier, Alexandre Iooss, Alex Bennée, Michael Roth, Zhang Chen, Shannon Zhao, Richard Henderson, Alex Williamson, Eduardo Habkost, Markus Armbruster, Eric Blake, Stefan Weil, John Snow, Mahmoud Mandour, Li Zhijian, Marcel Apfelbaum, qemu-block@nongnu.org, Helge Deller, "Michael S. Tsirkin", David Gibson, Peter Xu, "Gonglei (Arei)", Gerd Hoffmann, Fam Zheng, Jason Wang, Vladimir Sementsov-Ogievskiy, Christian Schoenebeck, Kevin Wolf, Yuval Shaia, Paolo Bonzini, Peter Maydell, qemu-arm@nongnu.org, Thomas Huth, Laurent Vivier, Greg Kurz, Philippe Mathieu-Daudé, qemu-ppc@nongnu.org, David Hildenbrand
Subject: [PATCH 02/28] glib-compat: Introduce g_memdup2() wrapper
Date: Fri, 3 Sep 2021 13:06:36 +0200
Message-Id: <20210903110702.588291-3-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

When experimenting with raising GLIB_VERSION_MIN_REQUIRED to 2.68
(Fedora 34 provides GLib 2.68.1) we get:

  hw/virtio/virtio-crypto.c:245:24: error: 'g_memdup' is deprecated: Use 'g_memdup2' instead [-Werror,-Wdeprecated-declarations]
  ...

g_memdup() has been superseded by g_memdup2() to fix possible
security issues (the size argument is 32-bit and could be
truncated / wrapping).
GLib recommends copying their static inline version of g_memdup2():
https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

Our glib-compat.h provides a comment explaining how to deal with these
deprecated declarations (see commit e71e8cc0355 "glib: enforce the
minimum required version and warn about old APIs").

Following this comment's suggestion, implement the g_memdup2_qemu()
wrapper around g_memdup2(), and use the safer inlined equivalent when
we are using pre-2.68 GLib.

Reported-by: Eric Blake
Signed-off-by: Philippe Mathieu-Daudé
---
 include/glib-compat.h | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/include/glib-compat.h b/include/glib-compat.h
index 9e95c888f54..6577d9ab393 100644
--- a/include/glib-compat.h
+++ b/include/glib-compat.h
@@ -68,6 +68,42 @@ * without generating warnings. */ =20 +/* + * g_memdup2_qemu: + * @mem: (nullable): the memory to copy. + * @byte_size: the number of bytes to copy. + * + * Allocates @byte_size bytes of memory, and copies @byte_size bytes into = it + * from @mem. If @mem is %NULL it returns %NULL. + * + * This replaces g_memdup(), which was prone to integer overflows when + * converting the argument from a #gsize to a #guint. + * + * This static inline version is a backport of the new public API from + * GLib 2.68, kept internal to GLib for backport to older stable releases. + * See https://gitlab.gnome.org/GNOME/glib/-/issues/2319. + * + * Returns: (nullable): a pointer to the newly-allocated copy of the memor= y, + * or %NULL if @mem is %NULL. + */ +static inline gpointer g_memdup2_qemu(gconstpointer mem, gsize byte_size) +{ +#if GLIB_CHECK_VERSION(2, 68, 0) + return g_memdup2(mem, byte_size); +#else + gpointer new_mem; + + if (mem && byte_size !=3D 0) { + new_mem =3D g_malloc(byte_size); + memcpy(new_mem, mem, byte_size); + } else { + new_mem =3D NULL; + } + + return new_mem; +#endif +} + #if defined(G_OS_UNIX) /* * Note: The fallback implementation is not MT-safe, and it returns a copy= of --=20 2.31.1
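Review bot: the doc comment in the @@ -68 hunk promises %NULL only "if @mem is %NULL", but the fallback's `if (mem && byte_size !=3D 0)` branch also returns NULL for a non-NULL @mem with byte_size == 0; state the zero-size case in the Returns: line so callers that duplicate a possibly empty buffer know the result may be NULL and must not be dereferenced. Consider also exposing the GLib name next to the wrapper (for example `#define g_memdup2(m, s) g_memdup2_qemu(m, s)`) so call sites can write g_memdup2(); the later patches in this series call g_memdup2_qemu() in code while their adjacent comments refer to g_memdup2(), and a single spelling would avoid that drift.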
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Hanna Reitz, Igor Mammedov, Laurent Vivier, Alexandre Iooss, Alex Bennée, Michael Roth, Zhang Chen, Shannon Zhao, Richard Henderson, Alex Williamson, Eduardo Habkost, Markus Armbruster, Eric Blake, Stefan Weil, John Snow, Mahmoud Mandour, Li Zhijian, Marcel Apfelbaum, qemu-block@nongnu.org, Helge Deller, "Michael S. Tsirkin", David Gibson, Peter Xu, "Gonglei (Arei)", Gerd Hoffmann, Fam Zheng, Jason Wang, Vladimir Sementsov-Ogievskiy, Christian Schoenebeck, Kevin Wolf, Yuval Shaia, Paolo Bonzini, Peter Maydell, qemu-arm@nongnu.org, Thomas Huth, Laurent Vivier, Greg Kurz, Philippe Mathieu-Daudé, qemu-ppc@nongnu.org, David Hildenbrand
Subject: [PATCH 03/28] qapi: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:37 +0200
Message-Id: <20210903110702.588291-4-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint,
whereas most memory functions take memory sizes as a gsize. This
made it easy to accidentally pass a gsize to g_memdup(). For large
values, that would lead to a silent truncation of the size from 64
to 32 bits, and result in a heap area being returned which is
significantly smaller than what the caller expects. This can likely
be exploited in various modules to cause a heap buffer overflow.
Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 qapi/qapi-clone-visitor.c | 16 ++++++++--------
 qapi/qapi-visit-core.c    |  6 ++++--
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/qapi/qapi-clone-visitor.c b/qapi/qapi-clone-visitor.c
index c45c5caa3b8..fb38505d982 100644
--- a/qapi/qapi-clone-visitor.c
+++ b/qapi/qapi-clone-visitor.c
@@ -37,7 +37,7 @@ static bool qapi_clone_start_struct(Visitor *v, const cha= r *name, void **obj, return true; } =20 - *obj =3D g_memdup(*obj, size); + *obj =3D g_memdup2_qemu(*obj, size); qcv->depth++; return true; } @@ -65,8 +65,8 @@ static GenericList *qapi_clone_next_list(Visitor *v, Gene= ricList *tail, QapiCloneVisitor *qcv =3D to_qcv(v); =20 assert(qcv->depth); - /* Unshare the tail of the list cloned by g_memdup() */ - tail->next =3D g_memdup(tail->next, size); + /* Unshare the tail of the list cloned by g_memdup2() */ + tail->next =3D g_memdup2_qemu(tail->next, size); return tail->next; } =20 @@ -83,7 +83,7 @@ static bool qapi_clone_type_int64(Visitor *v, const char = *name, int64_t *obj, QapiCloneVisitor *qcv =3D to_qcv(v); =20 assert(qcv->depth); - /* Value was already cloned by g_memdup() */ + /* Value was already cloned by g_memdup2() */ return true; } =20 @@ -93,7 +93,7 @@ static bool qapi_clone_type_uint64(Visitor *v, const char= *name, QapiCloneVisitor *qcv =3D to_qcv(v); =20 assert(qcv->depth); - /* Value was already cloned by g_memdup() */ + /* Value was already cloned by g_memdup2() */ return true; } =20 @@ -103,7 +103,7 @@ static bool qapi_clone_type_bool(Visitor *v, const char= *name, bool *obj, QapiCloneVisitor *qcv =3D to_qcv(v); =20 assert(qcv->depth); - /* Value was already cloned by g_memdup() */ + /* Value was already cloned by g_memdup2() */ return true; } =20
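Review bot: the comment lines rewritten in the @@ -65, @@ -83, @@ -93 and @@ -103 hunks now say "cloned by g_memdup2()" while the code in the @@ -37 and @@ -65 hunks calls g_memdup2_qemu(); a reader grepping for the function named in the comment will not find the call. Either name the wrapper in the comments (`/* Value was already cloned by g_memdup2_qemu() */`) or have glib-compat.h provide g_memdup2 as an alias for the wrapper so that code and comments use one spelling. The two real call sites (`*obj` in start_struct and `tail->next` in next_list) are the ones that matter for the truncation the commit message describes, since `size` there is supplied by the caller rather than being a constant.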
@@ -114,7 +114,7 @@ static bool qapi_clone_type_str(Visitor *v, const char = *name, char **obj, =20 assert(qcv->depth); /* - * Pointer was already cloned by g_memdup; create fresh copy. + * Pointer was already cloned by g_memdup2; create fresh copy. * Note that as long as qobject-output-visitor accepts NULL instead of * "", then we must do likewise. However, we want to obey the * input visitor semantics of never producing NULL when the empty @@ -130,7 +130,7 @@ static bool qapi_clone_type_number(Visitor *v, const ch= ar *name, double *obj, QapiCloneVisitor *qcv =3D to_qcv(v); =20 assert(qcv->depth); - /* Value was already cloned by g_memdup() */ + /* Value was already cloned by g_memdup2() */ return true; } =20 diff --git a/qapi/qapi-visit-core.c b/qapi/qapi-visit-core.c index a641adec51e..ebabe63b6ea 100644 --- a/qapi/qapi-visit-core.c +++ b/qapi/qapi-visit-core.c 
@@ -413,8 +413,10 @@ bool visit_type_enum(Visitor *v, const char *name, int= *obj, case VISITOR_OUTPUT: return output_type_enum(v, name, obj, lookup, errp); case VISITOR_CLONE: - /* nothing further to do, scalar value was already copied by - * g_memdup() during visit_start_*() */ + /* + * nothing further to do, scalar value was already copied by + * g_memdup2() during visit_start_*() + */ return true; case VISITOR_DEALLOC: /* nothing to deallocate for a scalar */ --=20 2.31.1
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Hanna Reitz, Igor Mammedov, Laurent Vivier, Alexandre Iooss, Alex Bennée, Michael Roth, Zhang Chen, Shannon Zhao, Richard Henderson, Alex Williamson, Eduardo Habkost, Markus Armbruster, Eric Blake, Stefan Weil, John Snow, Mahmoud Mandour, Li Zhijian, Marcel Apfelbaum, qemu-block@nongnu.org, Helge Deller, "Michael S. Tsirkin", David Gibson, Peter Xu, "Gonglei (Arei)", Gerd Hoffmann, Fam Zheng, Jason Wang, Vladimir Sementsov-Ogievskiy, Christian Schoenebeck, Kevin Wolf, Yuval Shaia, Paolo Bonzini, Peter Maydell, qemu-arm@nongnu.org, Thomas Huth, Laurent Vivier, Greg Kurz, Philippe Mathieu-Daudé, qemu-ppc@nongnu.org, David Hildenbrand
Subject: [PATCH 04/28] accel/tcg: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:38 +0200
Message-Id: <20210903110702.588291-5-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint,
whereas most memory functions take memory sizes as a gsize. This
made it easy to accidentally pass a gsize to g_memdup(). For large
values, that would lead to a silent truncation of the size from 64
to 32 bits, and result in a heap area being returned which is
significantly smaller than what the caller expects.
This can likely be exploited in various modules to cause a heap
buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 accel/tcg/cputlb.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index b1e5471f949..1d5069a30d1 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -826,7 +826,7 @@ void tlb_flush_range_by_mmuidx(CPUState *cpu, target_ul= ong addr, tlb_flush_range_by_mmuidx_async_0(cpu, d); } else { /* Otherwise allocate a structure, freed by the worker. */ - TLBFlushRangeData *p =3D g_memdup(&d, sizeof(d)); + TLBFlushRangeData *p =3D g_memdup2_qemu(&d, sizeof(d)); async_run_on_cpu(cpu, tlb_flush_range_by_mmuidx_async_1, RUN_ON_CPU_HOST_PTR(p)); } @@ -868,7 +868,7 @@ void tlb_flush_range_by_mmuidx_all_cpus(CPUState *src_c= pu, /* Allocate a separate data block for each destination cpu. */ CPU_FOREACH(dst_cpu) { if (dst_cpu !=3D src_cpu) { - TLBFlushRangeData *p =3D g_memdup(&d, sizeof(d)); + TLBFlushRangeData *p =3D g_memdup2_qemu(&d, sizeof(d)); async_run_on_cpu(dst_cpu, tlb_flush_range_by_mmuidx_async_1, RUN_ON_CPU_HOST_PTR(p));
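Review bot: in the @@ -826 and @@ -868 hunks the size passed is `sizeof(d)`, a compile-time constant for one TLBFlushRangeData, so there is no gsize-to-guint truncation to exploit at these call sites; the conversion is still right for the deprecation warning and for consistency, but the commit message's quoted "can likely be exploited ... heap buffer overflow" overstates the effect for this file. Suggest one sentence in the commit message noting that the sizes here are constant and the change is mechanical, so a reader auditing the series does not treat cputlb.c as a fixed bug.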
@@ -918,13 +918,13 @@ void tlb_flush_range_by_mmuidx_all_cpus_synced(CPUSta= te *src_cpu, /* Allocate a separate data block for each destination cpu. */ CPU_FOREACH(dst_cpu) { if (dst_cpu !=3D src_cpu) { - p =3D g_memdup(&d, sizeof(d)); + p =3D g_memdup2_qemu(&d, sizeof(d)); async_run_on_cpu(dst_cpu, tlb_flush_range_by_mmuidx_async_1, RUN_ON_CPU_HOST_PTR(p)); } } =20 - p =3D g_memdup(&d, sizeof(d)); + p =3D g_memdup2_qemu(&d, sizeof(d)); async_safe_run_on_cpu(src_cpu, tlb_flush_range_by_mmuidx_async_1, RUN_ON_CPU_HOST_PTR(p)); } --=20 2.31.1
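Review bot: none of the four sites in cputlb.c could have hit the truncation the commit message describes, since each duplicates the stack variable `d` with `sizeof(d)`, a compile-time constant of a few dozen bytes, so this is a deprecation cleanup with no functional change and the commit message should say so rather than carry the heap-overflow paragraph unqualified. Also, `g_memdup2_qemu()` is used here but not defined in this patch; as 04/28 it presumably relies on an earlier patch in the series adding the wrapper, which is fine as long as the series builds at every step.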
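The narrowing that the commit messages quote from the GNOME post, shown as an added example that is not part of this series, of QEMU or of GLib: two memdup models with the old guint and the new gsize signature, a function that returns the byte count the old API would really allocate for a caller-supplied gsize, and a call-site guard. `old_memdup`, `new_memdup`, `old_api_bytes_for`, `fits_in_guint` and `dup_blob_checked` are names chosen here; the typedefs stand in for GLib's types and assume a 64-bit host where guint is 32 bits and gsize is 64 bits. Nothing is written out of bounds; the over-4 GiB case is reported as a size mismatch instead of being allocated.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Stand-ins for GLib's integer types so this file builds without GLib.
 * Assumption: a 64-bit host, where guint is 32 bits and gsize is 64 bits.
 */
typedef unsigned int guint;
typedef size_t gsize;

/* Model of the deprecated g_memdup(): the byte count is a guint. */
static void *old_memdup(const void *mem, guint byte_size)
{
    void *copy = NULL;

    if (mem && byte_size != 0) {
        copy = malloc(byte_size);
        if (copy) {
            memcpy(copy, mem, byte_size);
        }
    }
    return copy;
}

/*
 * Model of the g_memdup2()-style replacement: the byte count is a gsize,
 * so a size_t computed by the caller arrives unchanged.
 */
static void *new_memdup(const void *mem, gsize byte_size)
{
    void *copy = NULL;

    if (mem && byte_size != 0) {
        copy = malloc(byte_size);
        if (copy) {
            memcpy(copy, mem, byte_size);
        }
    }
    return copy;
}

/*
 * The defect in isolation: how many bytes the old API would allocate and
 * copy when a caller hands it 'want' bytes. The conversion is the same
 * implicit one the compiler performs at a g_memdup(p, want) call site.
 * Nothing is allocated here, so huge values are safe to pass.
 */
static gsize old_api_bytes_for(gsize want)
{
    guint narrowed = want;      /* high 32 bits silently dropped */
    return narrowed;
}

/* Call-site guard for code that cannot move off the guint API yet. */
static int fits_in_guint(gsize want)
{
    return want == (gsize)(guint)want;
}

/*
 * A caller pattern like the ones in the series: duplicate 'len' bytes of a
 * blob and then trust the copy to hold 'len' bytes. Returns 1 when the copy
 * really holds everything, 0 otherwise; with the old API the guard refuses
 * before a short copy can be made.
 */
static int dup_blob_checked(const void *blob, gsize len, int use_old_api,
                            void **out)
{
    *out = NULL;
    if (use_old_api) {
        if (!fits_in_guint(len)) {
            return 0;           /* would have allocated len % 2^32 bytes */
        }
        *out = old_memdup(blob, (guint)len);
    } else {
        *out = new_memdup(blob, len);
    }
    return *out != NULL && memcmp(*out, blob, len) == 0;
}

int main(void)
{
    const char sample[] = "constructed sample blob";   /* constructed input */
    gsize huge = ((gsize)1 << 32) + 16;                /* 4 GiB + 16 bytes */
    void *copy;

    printf("caller asks for %zu bytes, old API allocates %zu\n",
           (size_t)huge, (size_t)old_api_bytes_for(huge));

    if (dup_blob_checked(sample, sizeof(sample), 1, &copy)) {
        printf("old API is fine for %zu bytes\n", sizeof(sample));
        free(copy);
    }
    if (dup_blob_checked(sample, sizeof(sample), 0, &copy)) {
        printf("new API copied %zu bytes\n", sizeof(sample));
        free(copy);
    }
    return 0;
}
```

For the constant-sized sites in this series (`sizeof(d)`, `sizeof(bm->table)`, `sizeof(void *)`) `fits_in_guint()` is trivially true and the wrapper swap changes nothing; the guard matters where the count is a `size_t` derived from input, as at the `strlen()` site later in the series.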
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 05/28] block/qcow2-bitmap: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:39 +0200
Message-Id: <20210903110702.588291-6-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

  The old API took the size of the memory to duplicate as a guint,
  whereas most memory functions take memory sizes as a gsize. This
  made it easy to accidentally pass a gsize to g_memdup(). For large
  values, that would lead to a silent truncation of the size from 64
  to 32 bits, and result in a heap area being returned which is
  significantly smaller than what the caller expects.
This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2_qemu() wrapper. Signed-off-by: Philippe Mathieu-Daud=C3=A9 --- block/qcow2-bitmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/block/qcow2-bitmap.c b/block/qcow2-bitmap.c index 8fb47315515..ec303acb46b 100644 --- a/block/qcow2-bitmap.c +++ b/block/qcow2-bitmap.c 
@@ -1599,7 +1599,7 @@ bool qcow2_store_persistent_dirty_bitmaps(BlockDriver= State *bs, name); goto fail; } - tb =3D g_memdup(&bm->table, sizeof(bm->table)); + tb =3D g_memdup2_qemu(&bm->table, sizeof(bm->table)); bm->table.offset =3D 0; bm->table.size =3D 0; QSIMPLEQ_INSERT_TAIL(&drop_tables, tb, entry); --=20 2.31.1
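Review bot: `sizeof(bm->table)` is a constant, so the qcow2-bitmap site could not have truncated either and the change is mechanical; the part of this hunk worth a second look is unchanged: `tb` is queued on `drop_tables` while `bm->table.offset` and `bm->table.size` are zeroed right after, so `tb` has to be a complete copy of the struct, which both the old and the new call guarantee for a constant size. Suggest stating 'no functional change' in the commit message instead of the generic heap-overflow paragraph.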
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 06/28] softmmu: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:40 +0200
Message-Id: <20210903110702.588291-7-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

  The old API took the size of the memory to duplicate as a guint,
  whereas most memory functions take memory sizes as a gsize. This
  made it easy to accidentally pass a gsize to g_memdup(). For large
  values, that would lead to a silent truncation of the size from 64
  to 32 bits, and result in a heap area being returned which is
  significantly smaller than what the caller expects.
This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2_qemu() wrapper. Signed-off-by: Philippe Mathieu-Daud=C3=A9 --- softmmu/memory.c | 2 +- softmmu/vl.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/softmmu/memory.c b/softmmu/memory.c index bfedaf9c4df..838a274b627 100644 --- a/softmmu/memory.c +++ b/softmmu/memory.c @@ -1140,7 +1140,7 @@ static char *memory_region_escape_name(const char *na= me) bytes +=3D memory_region_need_escape(*p) ? 4 : 1; } if (bytes =3D=3D p - name) { - return g_memdup(name, bytes + 1); + return g_memdup2_qemu(name, bytes + 1); } =20 escaped =3D g_malloc(bytes + 1); diff --git a/softmmu/vl.c b/softmmu/vl.c index ea05bb39c50..a136ef0bfb6 100644 --- a/softmmu/vl.c +++ b/softmmu/vl.c 
@@ -1154,7 +1154,7 @@ static int parse_fw_cfg(void *opaque, QemuOpts *opts,= Error **errp) } if (nonempty_str(str)) { size =3D strlen(str); /* NUL terminator NOT included in fw_cfg blo= b */ - buf =3D g_memdup(str, size); + buf =3D g_memdup2_qemu(str, size); } else if (nonempty_str(gen_id)) { if (!fw_cfg_add_from_generator(fw_cfg, name, gen_id, errp)) { return -1; --=20 2.31.1
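Review bot: the softmmu/memory.c hunk is one of the genuine gsize-to-guint sites: `bytes` is accumulated per character and compared against the pointer difference `p - name`, so it is a size-type count rather than a guint, and passing it to g_memdup() narrowed it. No practical change for region names, but this hunk carries the series' justification better than the sizeof() ones do. Nit: this fast path is taken only when no character needs escaping, so `bytes + 1` is simply `strlen(name) + 1` and `g_strdup(name)` would state the intent more directly than a memdup of either flavour.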
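Review bot: in the softmmu/vl.c hunk `size = strlen(str)` feeds a size_t into the old guint parameter, so this is exactly the narrowing the series exists to remove, even though a -fw_cfg string of 4 GiB is not a realistic input. The comment says the NUL terminator is deliberately excluded, so `buf` holds exactly `size` bytes and every consumer of the blob must carry `size` alongside it instead of treating `buf` as a C string; that invariant is untouched by this patch but is the thing to watch at this site.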
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 07/28] hw/9pfs: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:41 +0200
Message-Id: <20210903110702.588291-8-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

  The old API took the size of the memory to duplicate as a guint,
  whereas most memory functions take memory sizes as a gsize. This
  made it easy to accidentally pass a gsize to g_memdup(). For large
  values, that would lead to a silent truncation of the size from 64
  to 32 bits, and result in a heap area being returned which is
  significantly smaller than what the caller expects.
This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2_qemu() wrapper. Signed-off-by: Philippe Mathieu-Daud=C3=A9 --- hw/9pfs/9p-synth.c | 2 +- hw/9pfs/9p.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/9pfs/9p-synth.c b/hw/9pfs/9p-synth.c index b38088e0664..7d983574af5 100644 --- a/hw/9pfs/9p-synth.c +++ b/hw/9pfs/9p-synth.c @@ -497,7 +497,7 @@ static int synth_name_to_path(FsContext *ctx, V9fsPath = *dir_path, out: /* Copy the node pointer to fid */ g_free(target->data); - target->data =3D g_memdup(&node, sizeof(void *)); + target->data =3D g_memdup2_qemu(&node, sizeof(void *)); target->size =3D sizeof(void *); return 0; } diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index 2815257f425..5bf1bd7229f 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c 
@@ -202,7 +202,7 @@ void v9fs_path_copy(V9fsPath *dst, const V9fsPath *src) { v9fs_path_free(dst); dst->size =3D src->size; - dst->data =3D g_memdup(src->data, src->size); + dst->data =3D g_memdup2_qemu(src->data, src->size); } =20 int v9fs_name_to_path(V9fsState *s, V9fsPath *dirpath, --=20 2.31.1
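Review bot: `sizeof(void *)` is a constant, so the 9p-synth.c hunk is a no-op conversion. What it leaves untouched is the odd shape of this path object: `target->data` holds the raw bytes of a node pointer with `target->size = sizeof(void *)`, so every consumer of a synth V9fsPath has to treat `data` as an opaque blob rather than a NUL-terminated path; a one-line comment there would help the next reader more than the wrapper swap does.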
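Review bot: v9fs_path_copy() now passes `src->size` through the gsize wrapper; its type is not visible in the hunk, and if it is the 16-bit size field of V9fsPath (as I recall from 9p.h) there was no truncation to fix here. The conservative wrapper is still the right choice because path contents on this call path are guest-supplied, so suggest the commit message describe the change as defensive rather than as closing an overflow.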
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 08/28] hw/acpi: Avoid truncating acpi_data_len() to 32-bit
Date: Fri, 3 Sep 2021 13:06:42 +0200
Message-Id: <20210903110702.588291-9-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>

acpi_data_len() returns an unsigned type, which might be bigger
than 32-bit (although it is unlikely such value is returned).
Hold the returned value in an 'unsigned' type to avoid unlikely
size truncation.
Signed-off-by: Philippe Mathieu-Daud=C3=A9 Acked-by: Igor Mammedov --- hw/arm/virt-acpi-build.c | 2 +- hw/i386/acpi-build.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c index 037cc1fd82c..95543d43e2a 100644 --- a/hw/arm/virt-acpi-build.c +++ b/hw/arm/virt-acpi-build.c @@ -885,7 +885,7 @@ void virt_acpi_build(VirtMachineState *vms, AcpiBuildTa= bles *tables) =20 static void acpi_ram_update(MemoryRegion *mr, GArray *data) { - uint32_t size =3D acpi_data_len(data); + unsigned size =3D acpi_data_len(data); =20 /* Make sure RAM size is correct - in case it got changed * e.g. by migration */ diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c index a33ac8b91e1..aa269914b49 100644 --- a/hw/i386/acpi-build.c +++ b/hw/i386/acpi-build.c @@ -2660,7 +2660,7 @@ void acpi_build(AcpiBuildTables *tables, MachineState= *machine) =20 static void acpi_ram_update(MemoryRegion *mr, GArray *data) { - uint32_t size =3D acpi_data_len(data); + unsigned size =3D acpi_data_len(data); =20 /* Make sure RAM size is correct - in case it got changed e.g. by migr= ation */ memory_region_ram_resize(mr, size, &error_abort); 
@@ -2783,7 +2783,7 @@ void acpi_setup(void) * Though RSDP is small, its contents isn't immutable, so * we'll update it along with the rest of tables on guest access. */ - uint32_t rsdp_size =3D acpi_data_len(tables.rsdp); + unsigned rsdp_size =3D acpi_data_len(tables.rsdp); =20 build_state->rsdp =3D g_memdup(tables.rsdp->data, rsdp_size); fw_cfg_add_file_callback(x86ms->fw_cfg, ACPI_BUILD_RSDP_FILE, --=20 2.31.1
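Review bot: in both acpi_ram_update() hunks (hw/arm/virt-acpi-build.c and hw/i386/acpi-build.c) `unsigned` and `uint32_t` are the same width on every host QEMU builds for, so replacing one with the other avoids no truncation at all; the hunks merely match the declared return type of acpi_data_len(). That is a reasonable cleanup, but the commit message's claim that an `unsigned` return 'might be bigger than 32-bit' does not hold for `unsigned int`, and the subject 'Avoid truncating ... to 32-bit' promises a fix the diff does not contain; suggest rewording to 'use acpi_data_len()'s return type'.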
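Review bot: in the acpi_setup() hunk the unchanged context line `build_state->rsdp = g_memdup(tables.rsdp->data, rsdp_size);` still calls the deprecated API, and an `unsigned` count is an exact match for g_memdup()'s guint parameter, so there is no narrowing here either; the swap to the gsize wrapper presumably follows in 09/28 ('hw/acpi: Replace g_memdup() by g_memdup2_qemu()'), and keeping the two steps separate is fine. As with the other two hunks, the type change alone does not alter behaviour.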
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Hanna Reitz, Igor Mammedov, Laurent Vivier, Alexandre Iooss, Alex Bennée, Michael Roth, Zhang Chen, Shannon Zhao, Richard Henderson, Alex Williamson, Eduardo Habkost, Markus Armbruster, Eric Blake, Stefan Weil, John Snow, Mahmoud Mandour, Li Zhijian, Marcel Apfelbaum, qemu-block@nongnu.org, Helge Deller, "Michael S. Tsirkin", David Gibson, Peter Xu, "Gonglei (Arei)", Gerd Hoffmann, Fam Zheng, Jason Wang, Vladimir Sementsov-Ogievskiy, Christian Schoenebeck, Kevin Wolf, Yuval Shaia, Paolo Bonzini, Peter Maydell, qemu-arm@nongnu.org, Thomas Huth, Laurent Vivier, Greg Kurz, Philippe Mathieu-Daudé, qemu-ppc@nongnu.org, David Hildenbrand
Subject: [PATCH 09/28] hw/acpi: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:43 +0200
Message-Id: <20210903110702.588291-10-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

  The old API took the size of the memory to duplicate as a guint,
  whereas most memory functions take memory sizes as a gsize. This
  made it easy to accidentally pass a gsize to g_memdup(). For large
  values, that would lead to a silent truncation of the size from 64
  to 32 bits, and result in a heap area being returned which is
  significantly smaller than what the caller expects.
  This can likely be exploited in various modules to cause a heap
  buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
Acked-by: Igor Mammedov
---
 hw/acpi/core.c       | 3 ++-
 hw/i386/acpi-build.c | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/hw/acpi/core.c b/hw/acpi/core.c
index 1e004d0078d..9dd2cf09a0b 100644
--- a/hw/acpi/core.c
+++ b/hw/acpi/core.c
@@ -637,7 +637,8 @@ void acpi_pm1_cnt_init(ACPIREGS *ar, MemoryRegion *pare= nt, suspend[3] =3D 1 | ((!disable_s3) << 7); suspend[4] =3D s4_val | ((!disable_s4) << 7); =20 - fw_cfg_add_file(fw_cfg, "etc/system-states", g_memdup(suspend, 6),= 6); + fw_cfg_add_file(fw_cfg, "etc/system-states", + g_memdup2_qemu(suspend, 6), 6); } } =20
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index aa269914b49..54494ca1f65 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -2785,7 +2785,7 @@ void acpi_setup(void) */ unsigned rsdp_size =3D acpi_data_len(tables.rsdp); =20 - build_state->rsdp =3D g_memdup(tables.rsdp->data, rsdp_size); + build_state->rsdp =3D g_memdup2_qemu(tables.rsdp->data, rsdp_size); fw_cfg_add_file_callback(x86ms->fw_cfg, ACPI_BUILD_RSDP_FILE, acpi_build_update, NULL, build_state, build_state->rsdp, rsdp_size, true); --=20 2.31.1
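Review bot: in the acpi_pm1_cnt_init() hunk the buffer length is still the literal 6, written twice, once as the g_memdup2_qemu() size and once as the fw_cfg_add_file() length. The stores to suspend[3] and suspend[4] just above suggest suspend is a local array; if so, sizeof(suspend) in both places would tie the copy to the array and stop the two arguments from drifting apart if the array ever grows. Fine as a follow-up, since this patch is meant to be mechanical.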
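Review bot: in the acpi_setup() hunk rsdp_size is declared unsigned in the context line, so the g_memdup() to g_memdup2_qemu() swap at this call site is a same-width or widening conversion and can never narrow; the 64-to-32-bit truncation rationale in the commit message does not apply here, and a word that this site is converted for API consistency (retiring the deprecated g_memdup()) would make that clear. Passing the same rsdp_size to fw_cfg_add_file_callback() keeps the copy and the registered length in step, which is the right shape.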
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Hanna Reitz, Igor Mammedov, Laurent Vivier, Alexandre Iooss, Alex Bennée, Michael Roth, Zhang Chen, Shannon Zhao, Richard Henderson, Alex Williamson, Eduardo Habkost, Markus Armbruster, Eric Blake, Stefan Weil, John Snow, Mahmoud Mandour, Li Zhijian, Marcel Apfelbaum, qemu-block@nongnu.org, Helge Deller, "Michael S. Tsirkin", David Gibson, Peter Xu, "Gonglei (Arei)", Gerd Hoffmann, Fam Zheng, Jason Wang, Vladimir Sementsov-Ogievskiy, Christian Schoenebeck, Kevin Wolf, Yuval Shaia, Paolo Bonzini, Peter Maydell, qemu-arm@nongnu.org, Thomas Huth, Laurent Vivier, Greg Kurz, Philippe Mathieu-Daudé, qemu-ppc@nongnu.org, David Hildenbrand
Subject: [PATCH 10/28] hw/core/machine: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:44 +0200
Message-Id: <20210903110702.588291-11-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

  The old API took the size of the memory to duplicate as a guint,
  whereas most memory functions take memory sizes as a gsize. This
  made it easy to accidentally pass a gsize to g_memdup(). For large
  values, that would lead to a silent truncation of the size from 64
  to 32 bits, and result in a heap area being returned which is
  significantly smaller than what the caller expects.
  This can likely be exploited in various modules to cause a heap
  buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 hw/core/machine.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/core/machine.c b/hw/core/machine.c
index 067f42b528f..0808a681360 100644
--- a/hw/core/machine.c
+++ b/hw/core/machine.c
@@ -615,8 +615,8 @@ HotpluggableCPUList *machine_query_hotpluggable_cpus(Ma= chineState *machine) =20 cpu_item->type =3D g_strdup(machine->possible_cpus->cpus[i].type); cpu_item->vcpus_count =3D machine->possible_cpus->cpus[i].vcpus_co= unt; - cpu_item->props =3D g_memdup(&machine->possible_cpus->cpus[i].prop= s, - sizeof(*cpu_item->props)); + cpu_item->props =3D g_memdup2_qemu(&machine->possible_cpus->cpus[i= ].props, + sizeof(*cpu_item->props)); =20 cpu =3D machine->possible_cpus->cpus[i].cpu; if (cpu) { --=20 2.31.1
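Review bot: in the machine_query_hotpluggable_cpus() hunk the length comes from the destination type, sizeof(*cpu_item->props), while the bytes copied come from machine->possible_cpus->cpus[i].props; that is only correct for as long as the two stay the same struct type. For a series whose whole point is size correctness, sizeof(machine->possible_cpus->cpus[i].props) would tie the length to the object actually being duplicated and is the safer habit; worth changing while the line is being touched anyway.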
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Hanna Reitz, Igor Mammedov, Laurent Vivier, Alexandre Iooss, Alex Bennée, Michael Roth, Zhang Chen, Shannon Zhao, Richard Henderson, Alex Williamson, Eduardo Habkost, Markus Armbruster, Eric Blake, Stefan Weil, John Snow, Mahmoud Mandour, Li Zhijian, Marcel Apfelbaum, qemu-block@nongnu.org, Helge Deller, "Michael S. Tsirkin", David Gibson, Peter Xu, "Gonglei (Arei)", Gerd Hoffmann, Fam Zheng, Jason Wang, Vladimir Sementsov-Ogievskiy, Christian Schoenebeck, Kevin Wolf, Yuval Shaia, Paolo Bonzini, Peter Maydell, qemu-arm@nongnu.org, Thomas Huth, Laurent Vivier, Greg Kurz, Philippe Mathieu-Daudé, qemu-ppc@nongnu.org, David Hildenbrand
Subject: [PATCH 11/28] hw/hppa/machine: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:45 +0200
Message-Id: <20210903110702.588291-12-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

  The old API took the size of the memory to duplicate as a guint,
  whereas most memory functions take memory sizes as a gsize. This
  made it easy to accidentally pass a gsize to g_memdup(). For large
  values, that would lead to a silent truncation of the size from 64
  to 32 bits, and result in a heap area being returned which is
  significantly smaller than what the caller expects.
  This can likely be exploited in various modules to cause a heap
  buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 hw/hppa/machine.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/hw/hppa/machine.c b/hw/hppa/machine.c
index 2a46af5bc9b..058a81e85dd 100644
--- a/hw/hppa/machine.c
+++ b/hw/hppa/machine.c
@@ -101,19 +101,19 @@ static FWCfgState *create_fw_cfg(MachineState *ms) =20 val =3D cpu_to_le64(MIN_SEABIOS_HPPA_VERSION); fw_cfg_add_file(fw_cfg, "/etc/firmware-min-version", - g_memdup(&val, sizeof(val)), sizeof(val)); + g_memdup2_qemu(&val, sizeof(val)), sizeof(val)); =20 val =3D cpu_to_le64(HPPA_TLB_ENTRIES); fw_cfg_add_file(fw_cfg, "/etc/cpu/tlb_entries", - g_memdup(&val, sizeof(val)), sizeof(val)); + g_memdup2_qemu(&val, sizeof(val)), sizeof(val)); =20 val =3D cpu_to_le64(HPPA_BTLB_ENTRIES); fw_cfg_add_file(fw_cfg, "/etc/cpu/btlb_entries", - g_memdup(&val, sizeof(val)), sizeof(val)); + g_memdup2_qemu(&val, sizeof(val)), sizeof(val)); =20 val =3D cpu_to_le64(HPA_POWER_BUTTON); fw_cfg_add_file(fw_cfg, "/etc/power-button-addr", - g_memdup(&val, sizeof(val)), sizeof(val)); + g_memdup2_qemu(&val, sizeof(val)), sizeof(val)); =20 fw_cfg_add_i16(fw_cfg, FW_CFG_BOOT_DEVICE, ms->boot_order[0]); qemu_register_boot_set(fw_cfg_boot_set, fw_cfg); --=20 2.31.1
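Review bot: the four create_fw_cfg() call sites are identical apart from the fw_cfg path and the constant, with val reassigned before each and sizeof(val) passed twice per call; a small static helper taking the path and the uint64_t value, doing the cpu_to_le64() and the dup itself, would remove the repetition and make it impossible for the dup size and the fw_cfg length to diverge. Not a blocker for a mechanical series. Note also that sizeof(val) is a compile-time constant, so there was never a truncation risk at these sites; this hunk is a deprecation cleanup rather than a fix.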
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Hanna Reitz, Igor Mammedov, Laurent Vivier, Alexandre Iooss, Alex Bennée, Michael Roth, Zhang Chen, Shannon Zhao, Richard Henderson, Alex Williamson, Eduardo Habkost, Markus Armbruster, Eric Blake, Stefan Weil, John Snow, Mahmoud Mandour, Li Zhijian, Marcel Apfelbaum, qemu-block@nongnu.org, Helge Deller, "Michael S. Tsirkin", David Gibson, Peter Xu, "Gonglei (Arei)", Gerd Hoffmann, Fam Zheng, Jason Wang, Vladimir Sementsov-Ogievskiy, Christian Schoenebeck, Kevin Wolf, Yuval Shaia, Paolo Bonzini, Peter Maydell, qemu-arm@nongnu.org, Thomas Huth, Laurent Vivier, Greg Kurz, Philippe Mathieu-Daudé, qemu-ppc@nongnu.org, David Hildenbrand
Subject: [PATCH 12/28] hw/i386/multiboot: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:46 +0200
Message-Id: <20210903110702.588291-13-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

  The old API took the size of the memory to duplicate as a guint,
  whereas most memory functions take memory sizes as a gsize. This
  made it easy to accidentally pass a gsize to g_memdup(). For large
  values, that would lead to a silent truncation of the size from 64
  to 32 bits, and result in a heap area being returned which is
  significantly smaller than what the caller expects.
  This can likely be exploited in various modules to cause a heap
  buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 hw/i386/multiboot.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
index 9e7d69d4705..f536e3c8c96 100644
--- a/hw/i386/multiboot.c
+++ b/hw/i386/multiboot.c
@@ -387,7 +387,7 @@ int load_multiboot(FWCfgState *fw_cfg, mb_debug(" mb_mods_count =3D %d", mbs.mb_mods_count); =20 /* save bootinfo off the stack */ - mb_bootinfo_data =3D g_memdup(bootinfo, sizeof(bootinfo)); + mb_bootinfo_data =3D g_memdup2_qemu(bootinfo, sizeof(bootinfo)); =20 /* Pass variables to option rom */ fw_cfg_add_i32(fw_cfg, FW_CFG_KERNEL_ENTRY, mh_entry_addr); --=20 2.31.1
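Review bot: in the load_multiboot() hunk sizeof(bootinfo) is only the buffer length if bootinfo is an array; the "save bootinfo off the stack" comment points that way, but the declaration is outside the hunk, so it is worth confirming, because if bootinfo were a pointer the copy would be pointer-sized and the gsize change would not catch that. The dup size and the source agree otherwise, and nothing here changes who frees mb_bootinfo_data.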
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Hanna Reitz, Igor Mammedov, Laurent Vivier, Alexandre Iooss, Alex Bennée, Michael Roth, Zhang Chen, Shannon Zhao, Richard Henderson, Alex Williamson, Eduardo Habkost, Markus Armbruster, Eric Blake, Stefan Weil, John Snow, Mahmoud Mandour, Li Zhijian, Marcel Apfelbaum, qemu-block@nongnu.org, Helge Deller, "Michael S. Tsirkin", David Gibson, Peter Xu, "Gonglei (Arei)", Gerd Hoffmann, Fam Zheng, Jason Wang, Vladimir Sementsov-Ogievskiy, Christian Schoenebeck, Kevin Wolf, Yuval Shaia, Paolo Bonzini, Peter Maydell, qemu-arm@nongnu.org, Thomas Huth, Laurent Vivier, Greg Kurz, Philippe Mathieu-Daudé, qemu-ppc@nongnu.org, David Hildenbrand
Subject: [PATCH 13/28] hw/net/eepro100: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:47 +0200
Message-Id: <20210903110702.588291-14-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

  The old API took the size of the memory to duplicate as a guint,
  whereas most memory functions take memory sizes as a gsize. This
  made it easy to accidentally pass a gsize to g_memdup(). For large
  values, that would lead to a silent truncation of the size from 64
  to 32 bits, and result in a heap area being returned which is
  significantly smaller than what the caller expects.
  This can likely be exploited in various modules to cause a heap
  buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 hw/net/eepro100.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
index 16e95ef9cc9..ed2bc54c052 100644
--- a/hw/net/eepro100.c
+++ b/hw/net/eepro100.c
@@ -1872,7 +1872,7 @@ static void e100_nic_realize(PCIDevice *pci_dev, Erro= r **errp) =20 qemu_register_reset(nic_reset, s); =20 - s->vmstate =3D g_memdup(&vmstate_eepro100, sizeof(vmstate_eepro100)); + s->vmstate =3D g_memdup2_qemu(&vmstate_eepro100, sizeof(vmstate_eepro1= 00)); s->vmstate->name =3D qemu_get_queue(s->nic)->model; vmstate_register(VMSTATE_IF(&pci_dev->qdev), VMSTATE_INSTANCE_ID_ANY, s->vmstate, s); --=20 2.31.1
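Review bot: in the e100_nic_realize() hunk the duplicated VMStateDescription is written to (s->vmstate->name on the next line) and then handed to vmstate_register(), so it has to be a writable heap copy that outlives the registration; g_memdup2_qemu() preserves that, but the matching release on the unrealize path (vmstate_unregister() followed by freeing s->vmstate) is not in the hunk. Worth a glance that it exists so this mechanical swap does not carry a pre-existing leak forward unnoticed.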
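The truncation the commit message describes (the same paragraph is repeated in each patch of this series, from hw/acpi through hw/net/eepro100), shown as an added example that is not part of the series or of QEMU. legacy_alloc_size() gives the number of bytes the old guint-taking g_memdup() signature would actually allocate for a 64-bit length, legacy_overflow_bytes() how far a caller that trusts its own length would then write past that block, and memdup2_example() is a standalone stand-in for the gsize-taking g_memdup2() contract (exact-size copy, NULL for a NULL source or a zero length). All function names here are this example's own; QEMU's g_memdup2_qemu() wrapper is defined elsewhere in the series and is not reproduced, and the sample buffer is constructed for the round-trip check.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not QEMU code.  The legacy glib g_memdup() took its
 * length as a guint (32 bits); g_memdup2() takes a gsize (size_t).  The
 * caller-side length is modelled as uint64_t so the arithmetic below is
 * the same on 32- and 64-bit hosts.
 */

/* Bytes the legacy signature would allocate for a 64-bit length: the
 * conversion to guint silently drops the upper 32 bits. */
uint64_t legacy_alloc_size(uint64_t byte_size)
{
    unsigned int as_guint = (unsigned int)byte_size; /* the implicit narrowing */
    return as_guint;
}

/* 1 when a length cannot survive the guint parameter unchanged. */
int legacy_would_truncate(uint64_t byte_size)
{
    return byte_size > 0xFFFFFFFFu;
}

/* Bytes a caller would write or read past the end of the legacy
 * allocation if it then handles byte_size bytes through the pointer. */
uint64_t legacy_overflow_bytes(uint64_t byte_size)
{
    uint64_t allocated = legacy_alloc_size(byte_size);
    return byte_size > allocated ? byte_size - allocated : 0;
}

/* Stand-in for g_memdup2() (hypothetical name): size_t length, NULL for a
 * NULL source or a zero length, otherwise an exact-size heap copy. */
void *memdup2_example(const void *mem, size_t byte_size)
{
    void *copy;

    if (mem == NULL || byte_size == 0) {
        return NULL;
    }
    copy = malloc(byte_size);
    if (copy == NULL) {
        abort(); /* g_malloc() aborts on allocation failure; mirror that */
    }
    memcpy(copy, mem, byte_size);
    return copy;
}

/* Round trip on a constructed buffer; returns 1 when the copy matches. */
int memdup2_roundtrip_ok(void)
{
    static const unsigned char sample[] = { 0x55, 0xaa, 0x00, 0xff, 0x42 };
    unsigned char *copy = memdup2_example(sample, sizeof sample);
    int ok = copy != NULL && memcmp(copy, sample, sizeof sample) == 0;

    free(copy);
    return ok;
}
```

With a length of 0x100000010 (4 GiB plus 16 bytes) the legacy path hands back a 16-byte block, and a caller that then copies 0x100000010 bytes through it writes 4 GiB past the end of the allocation, which is the heap overflow the GNOME post warns about; the example only does the arithmetic and never attempts an allocation of that size.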
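To triage which of the series' conversions actually matter, here is an added example (not QEMU code and not part of the series): a small Python script that finds g_memdup() call sites in C source and separates sizes that are compile-time sizeof/literal constants from runtime gsize values, which are the only ones the 64-to-32-bit truncation in the commit message could affect. The sample input is constructed to mirror the call shapes these patches touch, not the actual file contents.

```python
"""Triage g_memdup() call sites by how their size argument is formed.

Added example for reviewing a g_memdup() -> g_memdup2_qemu() migration;
it is not QEMU code. A size written as sizeof(...) or an integer literal
is a compile-time constant that fits in a guint, so that call is a
mechanical rename. A size that comes from a variable, a struct field or
strlen() is a runtime gsize and is where the truncation could occur.
Limitations: comments and string literals are not skipped, and a size
built from a macro is reported as runtime because it is not provably constant.
"""
import re
from typing import List, NamedTuple

# Matches the legacy call only: g_memdup2(...) and g_memdup2_qemu(...) do
# not match because a digit follows the name.
CALL_RE = re.compile(r'\bg_memdup\s*\(')


class MemdupCall(NamedTuple):
    line: int        # 1-based line number of the call
    size_expr: str   # second argument exactly as written
    risk: str        # "constant" or "runtime"


def _split_args(src: str, open_paren: int) -> List[str]:
    """Split the arguments of the call whose '(' is at src[open_paren]."""
    depth, args, cur = 0, [], []
    for ch in src[open_paren:]:
        if ch == '(':
            depth += 1
            if depth == 1:
                continue                  # the call's own '('
        elif ch == ')':
            depth -= 1
            if depth == 0:
                args.append(''.join(cur).strip())
                return args
        elif ch == ',' and depth == 1:
            args.append(''.join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    raise ValueError('unbalanced parentheses in g_memdup() call')


def classify_size(expr: str) -> str:
    """"constant" if expr consists only of sizeof terms, integer literals
    and operators, otherwise "runtime"."""
    rest = re.sub(r'sizeof\s*\((?:[^()]|\([^()]*\))*\)', '', expr)   # sizeof(x), sizeof(a[i].f)
    rest = re.sub(r'sizeof\s+\w+', '', rest)                          # sizeof x
    rest = re.sub(r'\b(?:0[xX][0-9a-fA-F]+|\d+)[uUlL]*\b', '', rest)  # 4, 0x10, 16UL
    return 'runtime' if re.search(r'[A-Za-z_]', rest) else 'constant'


def find_memdup_calls(src: str) -> List[MemdupCall]:
    """Locate every two-argument g_memdup() call in a C source string."""
    calls = []
    for m in CALL_RE.finditer(src):
        args = _split_args(src, m.end() - 1)
        if len(args) != 2:
            continue                      # not the g_memdup(mem, byte_size) shape
        line = src.count('\n', 0, m.start()) + 1
        calls.append(MemdupCall(line, args[1], classify_size(args[1])))
    return calls


def runtime_sized_calls(src: str) -> List[MemdupCall]:
    """The subset of calls a reviewer should look at first."""
    return [c for c in find_memdup_calls(src) if c.risk == 'runtime']


# Constructed input modelled on the call sites this series converts
# (not the real file contents).
SAMPLE_C = """\
    s->vmstate = g_memdup(&vmstate_eepro100, sizeof(vmstate_eepro100));
    fw_cfg_add_file(s, "etc/boot-fail-wait", g_memdup(&rt_le32, 4), 4);
    fw_cfg_add_bytes(s, key, g_memdup(value, sz), sz);
    config = g_memdup(pdev->config, vdev->config_size);
    g_queue_push_tail(list->list, g_memdup(&value, sizeof(value)));
"""

if __name__ == '__main__':
    for c in find_memdup_calls(SAMPLE_C):
        print(f'line {c.line}: size = {c.size_expr!r:32} -> {c.risk}')
```

Run against a real tree with `find_memdup_calls(open(path).read())` per file; only the `runtime` entries need the type of the size expression checked.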
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Hanna Reitz, Igor Mammedov, Laurent Vivier, Alexandre Iooss, Alex Bennée, Michael Roth, Zhang Chen, Shannon Zhao, Richard Henderson, Alex Williamson, Eduardo Habkost, Markus Armbruster, Eric Blake, Stefan Weil, John Snow, Mahmoud Mandour, Li Zhijian, Marcel Apfelbaum, qemu-block@nongnu.org, Helge Deller, "Michael S. Tsirkin", David Gibson, Peter Xu, "Gonglei (Arei)", Gerd Hoffmann, Fam Zheng, Jason Wang, Vladimir Sementsov-Ogievskiy, Christian Schoenebeck, Kevin Wolf, Yuval Shaia, Paolo Bonzini, Peter Maydell, qemu-arm@nongnu.org, Thomas Huth, Laurent Vivier, Greg Kurz, Philippe Mathieu-Daudé, qemu-ppc@nongnu.org, David Hildenbrand
Subject: [PATCH 14/28] hw/nvram/fw_cfg: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:48 +0200
Message-Id: <20210903110702.588291-15-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

  The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects.
This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2_qemu() wrapper. Signed-off-by: Philippe Mathieu-Daud=C3=A9 --- hw/nvram/fw_cfg.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c index 9b8dcca4ead..fefcdeb8241 100644 --- a/hw/nvram/fw_cfg.c +++ b/hw/nvram/fw_cfg.c @@ -205,7 +205,8 @@ static void fw_cfg_bootsplash(FWCfgState *s) /* use little endian format */ bst_le16 =3D cpu_to_le16(bst_val); fw_cfg_add_file(s, "etc/boot-menu-wait", - g_memdup(&bst_le16, sizeof bst_le16), sizeof bst_l= e16); + g_memdup2_qemu(&bst_le16, sizeof bst_le16), + sizeof bst_le16); } =20 /* insert splash file if user configurated */ @@ -260,7 +261,7 @@ static void fw_cfg_reboot(FWCfgState *s) } =20 rt_le32 =3D cpu_to_le32(rt_val); - fw_cfg_add_file(s, "etc/boot-fail-wait", g_memdup(&rt_le32, 4), 4); + fw_cfg_add_file(s, "etc/boot-fail-wait", g_memdup2_qemu(&rt_le32, 4), = 4); } =20 static void fw_cfg_write(FWCfgState *s, uint8_t value) @@ -755,7 +756,7 @@ void fw_cfg_add_string(FWCfgState *s, uint16_t key, con= st char *value) size_t sz =3D strlen(value) + 1; =20 trace_fw_cfg_add_string(key, trace_key_name(key), value); - fw_cfg_add_bytes(s, key, g_memdup(value, sz), sz); + fw_cfg_add_bytes(s, key, g_memdup2_qemu(value, sz), sz); } =20 void fw_cfg_modify_string(FWCfgState *s, uint16_t key, const char *value) 
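Review bot: the fw_cfg_reboot() hunk keeps the size as the bare literal 4 in both places on the `+` line, `g_memdup2_qemu(&rt_le32, 4), 4`, while the fw_cfg_bootsplash() hunk just above uses `sizeof bst_le16`. Since the line is being rewritten anyway, `g_memdup2_qemu(&rt_le32, sizeof rt_le32), sizeof rt_le32` would keep the copied length and the advertised file length tied to the variable's type instead of a magic number. The conversion itself is safe either way: an integer literal cannot overflow a guint.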
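Review bot: the fw_cfg_add_string() hunk is the one in this file where the type mismatch was real: sz is a size_t computed as strlen(value) + 1, so the old call narrowed a gsize to guint exactly as the commit message describes, while fw_cfg_add_bytes() received the full size_t as the entry length. After the change both calls see the same sz. A string long enough to overflow 32 bits is not realistic for fw_cfg, so this is a consistency fix rather than a live bug, and it would help to say so in the commit message.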
@@ -763,7 +764,7 @@ void fw_cfg_modify_string(FWCfgState *s, uint16_t key, = const char *value) size_t sz =3D strlen(value) + 1; char *old; =20 - old =3D fw_cfg_modify_bytes_read(s, key, g_memdup(value, sz), sz); + old =3D fw_cfg_modify_bytes_read(s, key, g_memdup2_qemu(value, sz), sz= ); g_free(old); } =20 --=20 2.31.1
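Review bot: same situation as fw_cfg_add_string(): sz is a size_t from strlen(value) + 1, so after this hunk g_memdup2_qemu() and fw_cfg_modify_bytes_read() agree on the buffer length. Ownership is unchanged, the previous entry returned in old is still released with g_free(old), so no further change is needed here.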
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Hanna Reitz, Igor Mammedov, Laurent Vivier, Alexandre Iooss, Alex Bennée, Michael Roth, Zhang Chen, Shannon Zhao, Richard Henderson, Alex Williamson, Eduardo Habkost, Markus Armbruster, Eric Blake, Stefan Weil, John Snow, Mahmoud Mandour, Li Zhijian, Marcel Apfelbaum, qemu-block@nongnu.org, Helge Deller, "Michael S. Tsirkin", David Gibson, Peter Xu, "Gonglei (Arei)", Gerd Hoffmann, Fam Zheng, Jason Wang, Vladimir Sementsov-Ogievskiy, Christian Schoenebeck, Kevin Wolf, Yuval Shaia, Paolo Bonzini, Peter Maydell, qemu-arm@nongnu.org, Thomas Huth, Laurent Vivier, Greg Kurz, Philippe Mathieu-Daudé, qemu-ppc@nongnu.org, David Hildenbrand
Subject: [PATCH 15/28] hw/scsi/mptsas: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:49 +0200
Message-Id: <20210903110702.588291-16-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

  The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects.
This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2_qemu() wrapper. Signed-off-by: Philippe Mathieu-Daud=C3=A9 --- hw/scsi/mptsas.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c index db3219e7d20..d05735d3e11 100644 --- a/hw/scsi/mptsas.c +++ b/hw/scsi/mptsas.c @@ -449,7 +449,8 @@ static void mptsas_process_scsi_task_mgmt(MPTSASState *= s, MPIMsgSCSITaskMgmt *re } else { MPTSASCancelNotifier *notifier; =20 - reply_async =3D g_memdup(&reply, sizeof(MPIMsgSCSITaskMgmt= Reply)); + reply_async =3D g_memdup2_qemu(&reply, + sizeof(MPIMsgSCSITaskMgmtRepl= y)); reply_async->IOCLogInfo =3D INT_MAX; =20 count =3D 1; 
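Review bot: the size is sizeof(MPIMsgSCSITaskMgmtReply), a constant, so this is a mechanical rename and the new line wrap is only for line length. Style suggestion while the line is being rewritten: if reply is an MPIMsgSCSITaskMgmtReply, writing `reply_async = g_memdup2_qemu(&reply, sizeof(reply));` keeps the copied length bound to the object being copied rather than to a repeated type name, and it also fits on one line at this indentation.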
@@ -476,7 +477,7 @@ static void mptsas_process_scsi_task_mgmt(MPTSASState *= s, MPIMsgSCSITaskMgmt *re goto out; } =20 - reply_async =3D g_memdup(&reply, sizeof(MPIMsgSCSITaskMgmtReply)); + reply_async =3D g_memdup2_qemu(&reply, sizeof(MPIMsgSCSITaskMgmtRe= ply)); reply_async->IOCLogInfo =3D INT_MAX; =20 count =3D 0; --=20 2.31.1
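Review bot: same remark as for the first hunk, `sizeof(reply)` would be preferable to repeating the type name. Worth noting for a follow-up rather than this series: both hunks duplicate the same three steps (copy reply into reply_async, set IOCLogInfo to INT_MAX, set count), so a small helper would remove the duplication and leave a single place to get the size right.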
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Hanna Reitz, Igor Mammedov, Laurent Vivier, Alexandre Iooss, Alex Bennée, Michael Roth, Zhang Chen, Shannon Zhao, Richard Henderson, Alex Williamson, Eduardo Habkost, Markus Armbruster, Eric Blake, Stefan Weil, John Snow, Mahmoud Mandour, Li Zhijian, Marcel Apfelbaum, qemu-block@nongnu.org, Helge Deller, "Michael S. Tsirkin", David Gibson, Peter Xu, "Gonglei (Arei)", Gerd Hoffmann, Fam Zheng, Jason Wang, Vladimir Sementsov-Ogievskiy, Christian Schoenebeck, Kevin Wolf, Yuval Shaia, Paolo Bonzini, Peter Maydell, qemu-arm@nongnu.org, Thomas Huth, Laurent Vivier, Greg Kurz, Philippe Mathieu-Daudé, qemu-ppc@nongnu.org, David Hildenbrand
Subject: [PATCH 16/28] hw/ppc/spapr_pci: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:50 +0200
Message-Id: <20210903110702.588291-17-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

  The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects.
This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2_qemu() wrapper. Signed-off-by: Philippe Mathieu-Daud=C3=A9 Acked-by: David Gibson --- hw/ppc/spapr_pci.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c index 7430bd63142..79c0e8d4f98 100644 --- a/hw/ppc/spapr_pci.c +++ b/hw/ppc/spapr_pci.c 
@@ -2201,10 +2201,10 @@ static int spapr_pci_post_load(void *opaque, int ve= rsion_id) int i; =20 for (i =3D 0; i < sphb->msi_devs_num; ++i) { - key =3D g_memdup(&sphb->msi_devs[i].key, - sizeof(sphb->msi_devs[i].key)); - value =3D g_memdup(&sphb->msi_devs[i].value, - sizeof(sphb->msi_devs[i].value)); + key =3D g_memdup2_qemu(&sphb->msi_devs[i].key, + sizeof(sphb->msi_devs[i].key)); + value =3D g_memdup2_qemu(&sphb->msi_devs[i].value, + sizeof(sphb->msi_devs[i].value)); g_hash_table_insert(sphb->msi, key, value); } g_free(sphb->msi_devs); --=20 2.31.1
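Review bot: nothing functional changes in this hunk: both sizes are sizeof() of fields of sphb->msi_devs[i], compile-time constants that fit in a guint, so the only thing to verify is the re-indentation of the two continuation lines, which must still start under the first argument (`&sphb->msi_devs[i].key` and `&sphb->msi_devs[i].value`) now that the function name is six characters longer; whitespace is collapsed in this archived copy, so check it on the applied patch. The copies are then handed to g_hash_table_insert() on sphb->msi exactly as before.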
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Hanna Reitz, Igor Mammedov, Laurent Vivier, Alexandre Iooss, Alex Bennée, Michael Roth, Zhang Chen, Shannon Zhao, Richard Henderson, Alex Williamson, Eduardo Habkost, Markus Armbruster, Eric Blake, Stefan Weil, John Snow, Mahmoud Mandour, Li Zhijian, Marcel Apfelbaum, qemu-block@nongnu.org, Helge Deller, "Michael S. Tsirkin", David Gibson, Peter Xu, "Gonglei (Arei)", Gerd Hoffmann, Fam Zheng, Jason Wang, Vladimir Sementsov-Ogievskiy, Christian Schoenebeck, Kevin Wolf, Yuval Shaia, Paolo Bonzini, Peter Maydell, qemu-arm@nongnu.org, Thomas Huth, Laurent Vivier, Greg Kurz, Philippe Mathieu-Daudé, qemu-ppc@nongnu.org, David Hildenbrand
Subject: [PATCH 17/28] hw/rdma: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:51 +0200
Message-Id: <20210903110702.588291-18-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

  The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects.
This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2_qemu() wrapper. Signed-off-by: Philippe Mathieu-Daud=C3=A9 --- hw/rdma/rdma_utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/rdma/rdma_utils.c b/hw/rdma/rdma_utils.c index 98df58f6897..9792b1c8ef5 100644 --- a/hw/rdma/rdma_utils.c +++ b/hw/rdma/rdma_utils.c 
@@ -71,7 +71,7 @@ void rdma_protected_gqueue_append_int64(RdmaProtectedGQue= ue *list, int64_t value) { qemu_mutex_lock(&list->lock); - g_queue_push_tail(list->list, g_memdup(&value, sizeof(value))); + g_queue_push_tail(list->list, g_memdup2_qemu(&value, sizeof(value))); qemu_mutex_unlock(&list->lock); } =20 --=20 2.31.1
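Review bot: sizeof(value) is a constant (value is the int64_t parameter), so the conversion is mechanical. A small improvement while touching the line: the copy does not depend on the list, so it could be made before qemu_mutex_lock(&list->lock), e.g. `int64_t *copy = g_memdup2_qemu(&value, sizeof(value));` before the lock and `g_queue_push_tail(list->list, copy);` inside it, keeping the allocation out of the critical section.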
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Hanna Reitz, Igor Mammedov, Laurent Vivier, Alexandre Iooss, Alex Bennée, Michael Roth, Zhang Chen, Shannon Zhao, Richard Henderson, Alex Williamson, Eduardo Habkost, Markus Armbruster, Eric Blake, Stefan Weil, John Snow, Mahmoud Mandour, Li Zhijian, Marcel Apfelbaum, qemu-block@nongnu.org, Helge Deller, "Michael S. Tsirkin", David Gibson, Peter Xu, "Gonglei (Arei)", Gerd Hoffmann, Fam Zheng, Jason Wang, Vladimir Sementsov-Ogievskiy, Christian Schoenebeck, Kevin Wolf, Yuval Shaia, Paolo Bonzini, Peter Maydell, qemu-arm@nongnu.org, Thomas Huth, Laurent Vivier, Greg Kurz, Philippe Mathieu-Daudé, qemu-ppc@nongnu.org, David Hildenbrand
Subject: [PATCH 18/28] hw/vfio/pci: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:52 +0200
Message-Id: <20210903110702.588291-19-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

  The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects.
This can likely be exploited in various modules to cause a heap buffer
overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 hw/vfio/pci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
index e1ea1d8a23b..5c9acfd9c40 100644
--- a/hw/vfio/pci.c
+++ b/hw/vfio/pci.c
@@ -2040,7 +2040,7 @@ static void vfio_add_ext_cap(VFIOPCIDevice *vdev) * physical device, we cache the config space to avoid overwriting * the original config space when we parse the extended capabilities. */ - config =3D g_memdup(pdev->config, vdev->config_size); + config =3D g_memdup2_qemu(pdev->config, vdev->config_size); =20 /* * Extended capabilities are chained with each pointing to the next, s= o we --=20 2.31.1
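Review bot: the type of vdev->config_size is not visible in this hunk, so the 64-to-32-bit truncation the commit message describes cannot be confirmed at this call site; if config_size is a 32-bit field, g_memdup() never truncated it and this is a mechanical migration off the deprecated API with no behavioural change. State which case applies in the commit message instead of the shared "can likely be exploited" text, so the patch is not read as a security fix when it is not one. The replacement line itself, config = g_memdup2_qemu(pdev->config, vdev->config_size), keeps the same arguments and is correct either way.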
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [RFC PATCH 19/28] hw/virtio: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:53 +0200
Message-Id: <20210903110702.588291-20-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint,
whereas most memory functions take memory sizes as a gsize. This
made it easy to accidentally pass a gsize to g_memdup(). For large
values, that would lead to a silent truncation of the size from 64
to 32 bits, and result in a heap area being returned which is
significantly smaller than what the caller expects.
This can likely be exploited in various modules to cause a heap buffer
overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
Should we check in_num/out_num in range?
---
 hw/net/virtio-net.c       | 3 ++-
 hw/virtio/virtio-crypto.c | 7 ++++---
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 16d20cdee52..8fa23d5f941 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1449,7 +1449,8 @@ static void virtio_net_handle_ctrl(VirtIODevice *vdev= , VirtQueue *vq) } =20 iov_cnt =3D elem->out_num; - iov2 =3D iov =3D g_memdup(elem->out_sg, sizeof(struct iovec) * ele= m->out_num); + iov2 =3D iov =3D g_memdup2_qemu(elem->out_sg, + sizeof(struct iovec) * elem->out_num); s =3D iov_to_buf(iov, iov_cnt, 0, &ctrl, sizeof(ctrl)); iov_discard_front(&iov, &iov_cnt, sizeof(ctrl)); if (s !=3D sizeof(ctrl)) {
diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
index 54f9bbb789c..43c1a39e469 100644
--- a/hw/virtio/virtio-crypto.c
+++ b/hw/virtio/virtio-crypto.c
@@ -242,7 +242,8 @@ static void virtio_crypto_handle_ctrl(VirtIODevice *vde= v, VirtQueue *vq) } =20 out_num =3D elem->out_num; - out_iov_copy =3D g_memdup(elem->out_sg, sizeof(out_iov[0]) * out_n= um); + out_iov_copy =3D g_memdup2_qemu(elem->out_sg, + sizeof(out_iov[0]) * out_num); out_iov =3D out_iov_copy; =20 in_num =3D elem->in_num;
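Review bot: the open question in the patch notes ("Should we check in_num/out_num in range?") decides whether the virtio_net_handle_ctrl() hunk fixes anything, so answer it in the commit message rather than leaving it as a post-scriptum. The size passed here, sizeof(struct iovec) * elem->out_num, is evaluated in size_t, so the old g_memdup() kept only the low 32 bits once the product passed 4 GiB; whether a guest can push elem->out_num that high depends on the bound the virtqueue code enforces on it, which is not visible in this diff. If it is bounded, say so and the hunk is a plain API migration; if it is not, this hunk is a real fix and should be called out as one.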
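Review bot: the virtio_crypto_handle_ctrl() hunk stops at the trailing context line in_num = elem->in_num; and does not touch the in_sg copy that, by the pattern the -605 hunk shows for virtio_crypto_handle_request() (in_iov_copy = g_memdup(elem->in_sg, sizeof(in_iov[0]) * in_num);), presumably follows it. The diffstat for this file (4 insertions, 3 deletions) accounts only for the two hunks shown, so that call is still on the old API. If handle_ctrl() does have such a g_memdup(elem->in_sg, ...) call right after this hunk, convert it in the same patch; leaving one of two identical call sites unconverted defeats the purpose of the series.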
@@ -605,11 +606,11 @@ virtio_crypto_handle_request(VirtIOCryptoReq *request) } =20 out_num =3D elem->out_num; - out_iov_copy =3D g_memdup(elem->out_sg, sizeof(out_iov[0]) * out_num); + out_iov_copy =3D g_memdup2_qemu(elem->out_sg, sizeof(out_iov[0]) * out= _num); out_iov =3D out_iov_copy; =20 in_num =3D elem->in_num; - in_iov_copy =3D g_memdup(elem->in_sg, sizeof(in_iov[0]) * in_num); + in_iov_copy =3D g_memdup2_qemu(elem->in_sg, sizeof(in_iov[0]) * in_num= ); in_iov =3D in_iov_copy; =20 if (unlikely(iov_to_buf(out_iov, out_num, 0, &req, sizeof(req)) --=20 2.31.1
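Review bot: the two converted lines in virtio_crypto_handle_request() are correct, but the wrap style differs from the -242 hunk in the same file, where the identical expression was split across two lines; keep one style per file (the single-line form fits in 80 columns here, so the split in the earlier hunk is the one to reconsider). Assuming out_iov and in_iov are struct iovec arrays like the elem->out_sg and elem->in_sg they copy, sizeof(out_iov[0]) is 16 bytes on a 64-bit host and the product only leaves the guint range at out_num or in_num above 2^28 descriptors, so the commit message's "can likely be exploited" wording overstates this site unless the request path lets a guest reach that many.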
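The truncation the series' commit messages describe, worked through with the size expression from the virtio hunks above, as an added example that is neither QEMU nor GLib code. legacy_memdup() has g_memdup()'s 32-bit size parameter, memdup2() has the size_t signature of g_memdup2() and the g_memdup2_qemu() wrapper, and struct iov_like stands in for struct iovec on an LP64 host; all three are assumptions of this example, not definitions from the patch, and the example assumes a 64-bit size_t. It shows how sizeof(struct iovec) * out_num, evaluated in size_t, loses everything above bit 31 on the way into the old API, and how a caller of a 32-bit size API can refuse such sizes instead of letting them wrap.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct iovec on an LP64 host: a pointer plus a length,
 * 16 bytes. Assumption of this example, not QEMU's definition. */
struct iov_like {
    void *base;
    size_t len;
};

/* Same signature shape as the deprecated g_memdup(): a 32-bit size.
 * A 64-bit argument is silently converted to unsigned int at the call. */
static void *legacy_memdup(const void *mem, unsigned int byte_size)
{
    void *copy = malloc(byte_size);

    if (copy != NULL) {
        memcpy(copy, mem, byte_size);
    }
    return copy;
}

/* Same signature shape as g_memdup2() / the g_memdup2_qemu() wrapper:
 * the size is a size_t, so nothing is dropped on the way in. */
static void *memdup2(const void *mem, size_t byte_size)
{
    void *copy;

    if (mem == NULL || byte_size == 0) {
        return NULL;
    }
    copy = malloc(byte_size);
    if (copy != NULL) {
        memcpy(copy, mem, byte_size);
    }
    return copy;
}

/* The size the virtio hunks compute: sizeof(struct iovec) * elem->out_num.
 * unsigned int * size_t is evaluated in size_t, so it cannot wrap on LP64. */
size_t iov_copy_size(unsigned int out_num)
{
    return sizeof(struct iov_like) * out_num;
}

/* What legacy_memdup() actually allocates for a size_t argument: the
 * implicit conversion to unsigned int keeps only the low 32 bits. */
size_t legacy_alloc_size(size_t requested)
{
    unsigned int as_guint = (unsigned int)requested;

    return as_guint;
}

/* True when a size_t value would be shrunk by a 32-bit size parameter. */
bool would_truncate(size_t requested)
{
    return requested > UINT_MAX;
}

/* Hardened caller of the 32-bit API: refuse what it cannot represent
 * instead of letting the conversion wrap. Returns NULL when refused. */
void *memdup_guarded(const void *mem, size_t byte_size)
{
    if (would_truncate(byte_size)) {
        return NULL;
    }
    return legacy_memdup(mem, (unsigned int)byte_size);
}

/* The guard must reject a size 16 bytes above 4 GiB without touching mem. */
bool guard_rejects_large(void)
{
    unsigned char probe[1] = { 0 };
    size_t big = iov_copy_size(0x10000001u);

    return memdup_guarded(probe, big) == NULL;
}

/* Sizes within range must still copy faithfully through both APIs. */
bool copies_match(void)
{
    const unsigned char src[] = "ctrl-vq payload";   /* constructed input */
    unsigned char *a = memdup_guarded(src, sizeof(src));
    unsigned char *b = memdup2(src, sizeof(src));
    bool ok = a != NULL && b != NULL &&
              memcmp(a, src, sizeof(src)) == 0 &&
              memcmp(b, src, sizeof(src)) == 0;

    free(a);
    free(b);
    return ok;
}

int main(void)
{
    size_t big = iov_copy_size(0x10000001u);

    printf("requested %zu bytes, 32-bit API would allocate %zu\n",
           big, legacy_alloc_size(big));
    printf("guard rejects oversized copy: %s; in-range copies ok: %s\n",
           guard_rejects_large() ? "yes" : "no",
           copies_match() ? "yes" : "no");
    return 0;
}
```

With out_num = 0x10000001 the requested copy is 0x100000010 bytes and the 32-bit API allocates 16, which is the "heap area significantly smaller than what the caller expects" of the commit message; the subsequent memcpy of the full length is the overflow. The guard is what a caller stuck on the old API would need; switching the parameter to size_t, as the series does, removes the conversion altogether.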
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 20/28] net/colo: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:54 +0200
Message-Id: <20210903110702.588291-21-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint,
whereas most memory functions take memory sizes as a gsize. This
made it easy to accidentally pass a gsize to g_memdup(). For large
values, that would lead to a silent truncation of the size from 64
to 32 bits, and result in a heap area being returned which is
significantly smaller than what the caller expects.
This can likely be exploited in various modules to cause a heap buffer
overflow.

packet_new() is called from packet_enqueue() with size being 32-bit
(of type SocketReadState::packet_len).

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 net/colo.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/colo.c b/net/colo.c
index 3a3e6e89a0c..cfe37b19eac 100644
--- a/net/colo.c
+++ b/net/colo.c
@@ -159,7 +159,7 @@ Packet *packet_new(const void *data, int size, int vnet= _hdr_len) { Packet *pkt =3D g_slice_new0(Packet); =20 - pkt->data =3D g_memdup(data, size); + pkt->data =3D g_memdup2_qemu(data, size); pkt->size =3D size; pkt->creation_ms =3D qemu_clock_get_ms(QEMU_CLOCK_HOST); pkt->vnet_hdr_len =3D vnet_hdr_len;
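Review bot: the hunk header shows the signature Packet *packet_new(const void *data, int size, int vnet_hdr_len), so size is a signed int, and a negative value now converts to a size_t near SIZE_MAX in g_memdup2_qemu(data, size) (with g_memdup() it converted to a guint near UINT_MAX); either way the allocation is wrong and pkt->size = size; records the negative value. The commit message itself says the caller passes a 32-bit packet_len, so this hunk changes nothing for the truncation case; the improvement worth making here is to change the parameter to size_t (or assert size >= 0 at the top of the function) so the sign problem cannot reach the allocator.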
@@ -214,7 +214,7 @@ Connection *connection_get(GHashTable *connection_track= _table, Connection *conn =3D g_hash_table_lookup(connection_track_table, key); =20 if (conn =3D=3D NULL) { - ConnectionKey *new_key =3D g_memdup(key, sizeof(*key)); + ConnectionKey *new_key =3D g_memdup2_qemu(key, sizeof(*key)); =20 conn =3D connection_new(key); =20 --=20 2.31.1
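Review bot: sizeof(*key) is a compile-time constant that trivially fits in a guint, so g_memdup(key, sizeof(*key)) could never have truncated; this hunk in connection_get() is a pure API migration and the shared commit message text about 64-to-32-bit truncation does not apply to it. A one-line remark in the commit message would stop reviewers looking for a bug that is not there; the change itself is correct.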
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [RFC PATCH 21/28] ui/clipboard: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:55 +0200
Message-Id: <20210903110702.588291-22-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint,
whereas most memory functions take memory sizes as a gsize. This
made it easy to accidentally pass a gsize to g_memdup(). For large
values, that would lead to a silent truncation of the size from 64
to 32 bits, and result in a heap area being returned which is
significantly smaller than what the caller expects.
This can likely be exploited in various modules to cause a heap buffer
overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
TODO: audit qemu_clipboard_set_data() calls
---
 ui/clipboard.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ui/clipboard.c b/ui/clipboard.c
index d7b008d62a0..0e12a55d3e5 100644
--- a/ui/clipboard.c
+++ b/ui/clipboard.c
@@ -123,7 +123,7 @@ void qemu_clipboard_set_data(QemuClipboardPeer *peer, } =20 g_free(info->types[type].data); - info->types[type].data =3D g_memdup(data, size); + info->types[type].data =3D g_memdup2_qemu(data, size); info->types[type].size =3D size; info->types[type].available =3D true; =20 --=20 2.31.1
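Review bot: the TODO in the patch notes ("audit qemu_clipboard_set_data() calls") is the actual review question for this hunk and should be resolved before the RFC tag is dropped. The declared type of the size parameter is not visible here, and info->types[type].size = size; stores it unchanged: if size is already a 32-bit type the conversion changes nothing and any truncation would have to happen in the callers, while if it is size_t the old g_memdup() silently shrank the allocation but info->types[type].size kept the full value, which is the mismatch that leads to out-of-bounds access whenever the data is later read through that size field. Say which case applies in the commit message.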
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [RFC PATCH 22/28] linux-user: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:56 +0200
Message-Id: <20210903110702.588291-23-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint,
whereas most memory functions take memory sizes as a gsize. This
made it easy to accidentally pass a gsize to g_memdup(). For large
values, that would lead to a silent truncation of the size from 64
to 32 bits, and result in a heap area being returned which is
significantly smaller than what the caller expects.
This can likely be exploited in various modules to cause a heap buffer
overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
do_open_by_handle_at() doesn't check: size + sizeof(struct file_handle) < 4GiB
---
 linux-user/syscall.c | 2 +-
 linux-user/uaccess.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index ccd3892b2df..e127927f0b9 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -7665,7 +7665,7 @@ static abi_long do_open_by_handle_at(abi_long mount_f= d, abi_long handle, return -TARGET_EFAULT; } =20 - fh =3D g_memdup(target_fh, total_size); + fh =3D g_memdup2_qemu(target_fh, total_size); fh->handle_bytes =3D size; fh->handle_type =3D tswap32(target_fh->handle_type); =20
diff --git a/linux-user/uaccess.c b/linux-user/uaccess.c
index 6a5b029607c..80992e2e233 100644
--- a/linux-user/uaccess.c
+++ b/linux-user/uaccess.c
@@ -15,7 +15,7 @@ void *lock_user(int type, abi_ulong guest_addr, ssize_t l= en, bool copy) host_addr =3D g2h_untagged(guest_addr); #ifdef DEBUG_REMAP if (copy) { - host_addr =3D g_memdup(host_addr, len); + host_addr =3D g_memdup2_qemu(host_addr, len); } else { host_addr =3D g_malloc0(len); } --=20 2.31.1
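Review bot: the patch notes concede that do_open_by_handle_at() does not check size + sizeof(struct file_handle) < 4GiB; that check belongs in this patch (or the commit message should explain why it is unnecessary) rather than in a post-scriptum. As the syscall.c hunk stands, fh = g_memdup2_qemu(target_fh, total_size); now allocates the full total_size instead of a truncated buffer, which trades a potential heap overflow for a guest-controllable large allocation, and fh->handle_bytes = size; still stores the unchecked value. Bounding size before the copy would settle both.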
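Review bot: lock_user() takes ssize_t len, so a negative len passed to g_memdup2_qemu(host_addr, len) becomes a huge size_t, exactly as it already does for g_malloc0(len) in the else branch of the same hunk; this is under #ifdef DEBUG_REMAP and therefore debug-only, but an assert(len >= 0) at the top of the function (or a size_t parameter) would make the signedness assumption explicit. The conversion itself is consistent with the rest of the series.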
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Hanna Reitz, Igor Mammedov, Laurent Vivier, Alexandre Iooss, Alex Bennée, Michael Roth, Zhang Chen, Shannon Zhao, Richard Henderson, Alex Williamson, Eduardo Habkost, Markus Armbruster, Eric Blake, Stefan Weil, John Snow, Mahmoud Mandour, Li Zhijian, Marcel Apfelbaum, qemu-block@nongnu.org, Helge Deller, "Michael S. Tsirkin", David Gibson, Peter Xu, "Gonglei (Arei)", Gerd Hoffmann, Fam Zheng, Jason Wang, Vladimir Sementsov-Ogievskiy, Christian Schoenebeck, Kevin Wolf, Yuval Shaia, Paolo Bonzini, Peter Maydell, qemu-arm@nongnu.org, Thomas Huth, Laurent Vivier, Greg Kurz, Philippe Mathieu-Daudé, qemu-ppc@nongnu.org, David Hildenbrand
Subject: [PATCH 23/28] tests/unit: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:57 +0200
Message-Id: <20210903110702.588291-24-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
--- tests/unit/ptimer-test.c | 22 +++++++++++----------- tests/unit/test-iov.c | 26 +++++++++++++------------- 2 files changed, 24 insertions(+), 24 deletions(-) diff --git a/tests/unit/ptimer-test.c b/tests/unit/ptimer-test.c index 9176b96c1ce..23efeb04a57 100644 --- a/tests/unit/ptimer-test.c +++ b/tests/unit/ptimer-test.c
@@ -798,64 +798,64 @@ static void add_ptimer_tests(uint8_t policy) =20 g_test_add_data_func_full( tmp =3D g_strdup_printf("/ptimer/set_count policy=3D%s", policy_na= me), - g_memdup(&policy, 1), check_set_count, g_free); + g_memdup2_qemu(&policy, 1), check_set_count, g_free); g_free(tmp); =20 g_test_add_data_func_full( tmp =3D g_strdup_printf("/ptimer/set_limit policy=3D%s", policy_na= me), - g_memdup(&policy, 1), check_set_limit, g_free); + g_memdup2_qemu(&policy, 1), check_set_limit, g_free); g_free(tmp); =20 g_test_add_data_func_full( tmp =3D g_strdup_printf("/ptimer/oneshot policy=3D%s", policy_name= ), - g_memdup(&policy, 1), check_oneshot, g_free); + g_memdup2_qemu(&policy, 1), check_oneshot, g_free); g_free(tmp); =20 g_test_add_data_func_full( tmp =3D g_strdup_printf("/ptimer/periodic policy=3D%s", policy_nam= e), - g_memdup(&policy, 1), check_periodic, g_free); + g_memdup2_qemu(&policy, 1), check_periodic, g_free); g_free(tmp); =20 g_test_add_data_func_full( tmp =3D g_strdup_printf("/ptimer/on_the_fly_mode_change policy=3D%= s", policy_name), - g_memdup(&policy, 1), check_on_the_fly_mode_change, g_free); + g_memdup2_qemu(&policy, 1), check_on_the_fly_mode_change, g_free); g_free(tmp); =20 g_test_add_data_func_full( tmp =3D g_strdup_printf("/ptimer/on_the_fly_period_change policy= =3D%s", policy_name), - g_memdup(&policy, 1), check_on_the_fly_period_change, g_free); + g_memdup2_qemu(&policy, 1), check_on_the_fly_period_change, g_free= ); g_free(tmp); =20 g_test_add_data_func_full( tmp =3D g_strdup_printf("/ptimer/on_the_fly_freq_change policy=3D%= s", policy_name), - g_memdup(&policy, 1), check_on_the_fly_freq_change, g_free); + g_memdup2_qemu(&policy, 1), check_on_the_fly_freq_change, g_free); g_free(tmp); =20 g_test_add_data_func_full( tmp =3D g_strdup_printf("/ptimer/run_with_period_0 policy=3D%s", policy_name), - g_memdup(&policy, 1), check_run_with_period_0, g_free); + g_memdup2_qemu(&policy, 1), check_run_with_period_0, g_free); g_free(tmp); =20 
g_test_add_data_func_full( tmp =3D g_strdup_printf("/ptimer/run_with_delta_0 policy=3D%s", policy_name), - g_memdup(&policy, 1), check_run_with_delta_0, g_free); + g_memdup2_qemu(&policy, 1), check_run_with_delta_0, g_free); g_free(tmp); =20 g_test_add_data_func_full( tmp =3D g_strdup_printf("/ptimer/periodic_with_load_0 policy=3D%s", policy_name), - g_memdup(&policy, 1), check_periodic_with_load_0, g_free); + g_memdup2_qemu(&policy, 1), check_periodic_with_load_0, g_free); g_free(tmp); =20 g_test_add_data_func_full( tmp =3D g_strdup_printf("/ptimer/oneshot_with_load_0 policy=3D%s", policy_name), - g_memdup(&policy, 1), check_oneshot_with_load_0, g_free); + g_memdup2_qemu(&policy, 1), check_oneshot_with_load_0, g_free); g_free(tmp); } =20 diff --git a/tests/unit/test-iov.c b/tests/unit/test-iov.c index 5371066fb6a..19ae24adb70 100644 --- a/tests/unit/test-iov.c +++ b/tests/unit/test-iov.c @@ -173,7 +173,7 @@ static void test_io(void) } iov_from_buf(iov, niov, 0, buf, sz); =20 - siov =3D g_memdup(iov, sizeof(*iov) * niov); + siov =3D g_memdup2_qemu(iov, sizeof(*iov) * niov); =20 if (socketpair(PF_UNIX, SOCK_STREAM, 0, sv) < 0) { perror("socketpair"); @@ -350,7 +350,7 @@ static void test_discard_front_undo(void) =20 /* Discard zero bytes */ iov_random(&iov, &iov_cnt); - iov_orig =3D g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig =3D g_memdup2_qemu(iov, sizeof(iov[0]) * iov_cnt); iov_tmp =3D iov; iov_cnt_tmp =3D iov_cnt; iov_discard_front_undoable(&iov_tmp, &iov_cnt_tmp, 0, &undo); @@ -361,7 +361,7 @@ static void test_discard_front_undo(void) =20 /* Discard more bytes than vector size */ iov_random(&iov, &iov_cnt); - iov_orig =3D g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig =3D g_memdup2_qemu(iov, sizeof(iov[0]) * iov_cnt); iov_tmp =3D iov; iov_cnt_tmp =3D iov_cnt; size =3D iov_size(iov, iov_cnt); 
@@ -373,7 +373,7 @@ static void test_discard_front_undo(void) =20 /* Discard entire vector */ iov_random(&iov, &iov_cnt); - iov_orig =3D g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig =3D g_memdup2_qemu(iov, sizeof(iov[0]) * iov_cnt); iov_tmp =3D iov; iov_cnt_tmp =3D iov_cnt; size =3D iov_size(iov, iov_cnt); @@ -385,7 +385,7 @@ static void test_discard_front_undo(void) =20 /* Discard within first element */ iov_random(&iov, &iov_cnt); - iov_orig =3D g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig =3D g_memdup2_qemu(iov, sizeof(iov[0]) * iov_cnt); iov_tmp =3D iov; iov_cnt_tmp =3D iov_cnt; size =3D g_test_rand_int_range(1, iov->iov_len); @@ -397,7 +397,7 @@ static void test_discard_front_undo(void) =20 /* Discard entire first element */ iov_random(&iov, &iov_cnt); - iov_orig =3D g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig =3D g_memdup2_qemu(iov, sizeof(iov[0]) * iov_cnt); iov_tmp =3D iov; iov_cnt_tmp =3D iov_cnt; iov_discard_front_undoable(&iov_tmp, &iov_cnt_tmp, iov->iov_len, &undo= ); @@ -408,7 +408,7 @@ static void test_discard_front_undo(void) =20 /* Discard within second element */ iov_random(&iov, &iov_cnt); - iov_orig =3D g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig =3D g_memdup2_qemu(iov, sizeof(iov[0]) * iov_cnt); iov_tmp =3D iov; iov_cnt_tmp =3D iov_cnt; size =3D iov->iov_len + g_test_rand_int_range(1, iov[1].iov_len); @@ -499,7 +499,7 @@ static void test_discard_back_undo(void) =20 /* Discard zero bytes */ iov_random(&iov, &iov_cnt); - iov_orig =3D g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig =3D g_memdup2_qemu(iov, sizeof(iov[0]) * iov_cnt); iov_cnt_tmp =3D iov_cnt; iov_discard_back_undoable(iov, &iov_cnt_tmp, 0, &undo); iov_discard_undo(&undo); 
@@ -509,7 +509,7 @@ static void test_discard_back_undo(void) =20 /* Discard more bytes than vector size */ iov_random(&iov, &iov_cnt); - iov_orig =3D g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig =3D g_memdup2_qemu(iov, sizeof(iov[0]) * iov_cnt); iov_cnt_tmp =3D iov_cnt; size =3D iov_size(iov, iov_cnt); iov_discard_back_undoable(iov, &iov_cnt_tmp, size + 1, &undo); @@ -520,7 +520,7 @@ static void test_discard_back_undo(void) =20 /* Discard entire vector */ iov_random(&iov, &iov_cnt); - iov_orig =3D g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig =3D g_memdup2_qemu(iov, sizeof(iov[0]) * iov_cnt); iov_cnt_tmp =3D iov_cnt; size =3D iov_size(iov, iov_cnt); iov_discard_back_undoable(iov, &iov_cnt_tmp, size, &undo); @@ -531,7 +531,7 @@ static void test_discard_back_undo(void) =20 /* Discard within last element */ iov_random(&iov, &iov_cnt); - iov_orig =3D g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig =3D g_memdup2_qemu(iov, sizeof(iov[0]) * iov_cnt); iov_cnt_tmp =3D iov_cnt; size =3D g_test_rand_int_range(1, iov[iov_cnt - 1].iov_len); iov_discard_back_undoable(iov, &iov_cnt_tmp, size, &undo); @@ -542,7 +542,7 @@ static void test_discard_back_undo(void) =20 /* Discard entire last element */ iov_random(&iov, &iov_cnt); - iov_orig =3D g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig =3D g_memdup2_qemu(iov, sizeof(iov[0]) * iov_cnt); iov_cnt_tmp =3D iov_cnt; size =3D iov[iov_cnt - 1].iov_len; iov_discard_back_undoable(iov, &iov_cnt_tmp, size, &undo); 
@@ -553,7 +553,7 @@ static void test_discard_back_undo(void) =20 /* Discard within second-to-last element */ iov_random(&iov, &iov_cnt); - iov_orig =3D g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig =3D g_memdup2_qemu(iov, sizeof(iov[0]) * iov_cnt); iov_cnt_tmp =3D iov_cnt; size =3D iov[iov_cnt - 1].iov_len + g_test_rand_int_range(1, iov[iov_cnt - 2].iov_len); --=20 2.31.1
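Review bot: in the ptimer-test.c hunk every call passes the literal byte count 1 for a single `uint8_t policy`, so the guint truncation the commit message describes could never have occurred there; the change is purely the API migration and is correct as such. `sizeof(policy)` in place of the literal would keep the count tied to the variable's type should `policy` ever widen, but that is optional and pre-existing.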
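Review bot: in the test-iov.c hunks the byte counts `sizeof(*iov) * niov` and `sizeof(iov[0]) * iov_cnt` are `size_t` products, which is exactly the gsize-into-guint pattern the commit message warns about; with g_memdup2_qemu() the full-width value now reaches the allocator. The vectors these tests build are far below 4 GiB, so the old call could not have truncated in practice and this is a consistency change rather than a behaviour change, which the commit message could state for the tests/ directories.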
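The commit message above explains the defect class this series removes: a 64-bit gsize passed to g_memdup()'s 32-bit guint parameter is truncated at the call site and the caller receives a much smaller heap block than it believes it owns. The following C program is an added example by the editor, not code from the QEMU series or from GLib. It models the two prototypes side by side: `legacy_alloc_size()` reproduces the implicit 64-to-32-bit conversion, `legacy_shortfall()` and `fits_legacy_api()` quantify the gap, and `memdup2_model()` is an assumed re-implementation of g_memdup2()-style semantics (full-width count, NULL for a NULL source or a zero-byte request). All function names and the 4 GiB + 16 byte request are constructed for illustration; nothing of that size is actually allocated.

```c
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Model of the pre-GLib-2.68 g_memdup() prototype: the byte count is a
 * guint (32-bit).  A 64-bit gsize supplied by the caller is converted
 * implicitly at the call, and that conversion is where the size is lost.
 * (Constructed model, not the GLib declaration.)
 */
typedef unsigned int legacy_count_t;

/* Byte count the allocator really receives when the caller asks for n. */
static uint64_t legacy_alloc_size(uint64_t n)
{
    legacy_count_t passed = (legacy_count_t)n;   /* silent reduction mod 2^32 */
    return passed;
}

/* Bytes the caller believes it owns beyond what was allocated (0 = safe). */
static uint64_t legacy_shortfall(uint64_t n)
{
    return n - legacy_alloc_size(n);
}

/* True when a request survives the guint conversion unchanged. */
static int fits_legacy_api(uint64_t n)
{
    return n <= UINT_MAX;
}

/*
 * Assumed model of g_memdup2() / g_memdup2_qemu() semantics: a full-width
 * size_t count, NULL for a NULL source or a zero-byte request.  This is the
 * editor's re-implementation, not the GLib or QEMU code.
 */
static void *memdup2_model(const void *mem, size_t byte_size)
{
    void *copy;

    if (mem == NULL || byte_size == 0) {
        return NULL;
    }
    copy = malloc(byte_size);
    if (copy != NULL) {
        memcpy(copy, mem, byte_size);
    }
    return copy;
}

/* Round-trip a small constructed buffer through the model; 1 on success. */
static int memdup2_roundtrip(void)
{
    const unsigned char src[] = { 0xde, 0xad, 0xbe, 0xef, 0x00, 0x42 };
    unsigned char *dup = memdup2_model(src, sizeof src);
    int ok = dup != NULL && memcmp(dup, src, sizeof src) == 0;

    free(dup);
    return ok;
}

int main(void)
{
    /* Constructed request just past 4 GiB: bit 32 of the count is dropped. */
    const uint64_t request = (UINT64_C(1) << 32) + 16;

    printf("request            : %" PRIu64 " bytes\n", request);
    printf("legacy g_memdup()  : %" PRIu64 " bytes allocated (fits guint: %s)\n",
           legacy_alloc_size(request), fits_legacy_api(request) ? "yes" : "no");
    printf("caller shortfall   : %" PRIu64 " bytes\n", legacy_shortfall(request));
    printf("memdup2 round-trip : %s\n", memdup2_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

For the constructed request the legacy model allocates only 16 bytes while the caller expects 4 GiB + 16, so any subsequent write past the first 16 bytes is a heap overflow; a full-width `size_t` parameter removes the conversion rather than bounds-checking it, which is why a mechanical API migration like this series is a real fix and not just a deprecation cleanup for callers that pass computed sizes.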
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Hanna Reitz, Igor Mammedov, Laurent Vivier, Alexandre Iooss, Alex Bennée, Michael Roth, Zhang Chen, Shannon Zhao, Richard Henderson, Alex Williamson, Eduardo Habkost, Markus Armbruster, Eric Blake, Stefan Weil, John Snow, Mahmoud Mandour, Li Zhijian, Marcel Apfelbaum, qemu-block@nongnu.org, Helge Deller, "Michael S. Tsirkin", David Gibson, Peter Xu, "Gonglei (Arei)", Gerd Hoffmann, Fam Zheng, Jason Wang, Vladimir Sementsov-Ogievskiy, Christian Schoenebeck, Kevin Wolf, Yuval Shaia, Paolo Bonzini, Peter Maydell, qemu-arm@nongnu.org, Thomas Huth, Laurent Vivier, Greg Kurz, Philippe Mathieu-Daudé, qemu-ppc@nongnu.org, David Hildenbrand
Subject: [PATCH 24/28] tests/qtest: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:58 +0200
Message-Id: <20210903110702.588291-25-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
--- tests/qtest/libqos/ahci.c | 6 +++--- tests/qtest/libqos/qgraph.c | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/qtest/libqos/ahci.c b/tests/qtest/libqos/ahci.c index fba3e7a954e..8ef1bda7c1c 100644 --- a/tests/qtest/libqos/ahci.c +++ b/tests/qtest/libqos/ahci.c @@ -639,8 +639,8 @@ void ahci_exec(AHCIQState *ahci, uint8_t port, AHCIOpts *opts; uint64_t buffer_in; =20 - opts =3D g_memdup((opts_in =3D=3D NULL ? &default_opts : opts_in), - sizeof(AHCIOpts)); + opts =3D g_memdup2_qemu((opts_in =3D=3D NULL ? &default_opts : opts_in= ), + sizeof(AHCIOpts)); =20 buffer_in =3D opts->buffer; =20 @@ -860,7 +860,7 @@ AHCICommand *ahci_command_create(uint8_t command_name) g_assert(!props->ncq || props->lba48); =20 /* Defaults and book-keeping */ - cmd->props =3D g_memdup(props, sizeof(AHCICommandProp)); + cmd->props =3D g_memdup2_qemu(props, sizeof(AHCICommandProp)); cmd->name =3D command_name; cmd->xbytes =3D props->size; cmd->prd_size =3D 4096; diff --git a/tests/qtest/libqos/qgraph.c b/tests/qtest/libqos/qgraph.c index d1dc4919305..c2e7719bed9 100644 --- a/tests/qtest/libqos/qgraph.c +++ b/tests/qtest/libqos/qgraph.c
@@ -93,7 +93,7 @@ static void add_edge(const char *source, const char *dest, edge->type =3D type; edge->dest =3D g_strdup(dest); edge->edge_name =3D g_strdup(opts->edge_name ?: dest); - edge->arg =3D g_memdup(opts->arg, opts->size_arg); + edge->arg =3D g_memdup2_qemu(opts->arg, opts->size_arg); =20 edge->before_cmd_line =3D opts->before_cmd_line ? g_strconcat(" ", opts->before_cmd_line, NU= LL) : NULL; --=20 2.31.1
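Review bot: in the two ahci.c hunks (ahci_exec() and ahci_command_create()) the byte counts are the compile-time constants `sizeof(AHCIOpts)` and `sizeof(AHCICommandProp)`, so no truncation was possible and the change is a clean API migration; the re-indented `sizeof(AHCIOpts)` continuation line lines up with the new opening parenthesis, which is the right style. The wrapper's NULL-on-NULL-source behaviour matches g_memdup(), and `opts_in == NULL ? &default_opts : opts_in` never yields NULL, so `opts` is still guaranteed non-NULL afterwards.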
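Review bot: in the qgraph.c add_edge() hunk the count `opts->size_arg` is the only runtime-sized argument in this patch and its declared type is not visible here; if it is a `size_t`/`gsize`, this hunk is where the truncation the commit message describes is actually closed and deserves a sentence in the message, and if it is a `guint`/`int` the change is purely for consistency. Either way the declaration is worth checking. Note also that both g_memdup() and g_memdup2() return NULL for a NULL source, so `edge->arg` may legitimately be NULL after this line exactly as before.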
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Hanna Reitz, Igor Mammedov, Laurent Vivier, Alexandre Iooss, Alex Bennée, Michael Roth, Zhang Chen, Shannon Zhao, Richard Henderson, Alex Williamson, Eduardo Habkost, Markus Armbruster, Eric Blake, Stefan Weil, John Snow, Mahmoud Mandour, Li Zhijian, Marcel Apfelbaum, qemu-block@nongnu.org, Helge Deller, "Michael S. Tsirkin", David Gibson, Peter Xu, "Gonglei (Arei)", Gerd Hoffmann, Fam Zheng, Jason Wang, Vladimir Sementsov-Ogievskiy, Christian Schoenebeck, Kevin Wolf, Yuval Shaia, Paolo Bonzini, Peter Maydell, qemu-arm@nongnu.org, Thomas Huth, Laurent Vivier, Greg Kurz, Philippe Mathieu-Daudé, qemu-ppc@nongnu.org, David Hildenbrand
Subject: [PATCH 25/28] target/arm: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:59 +0200
Message-Id: <20210903110702.588291-26-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
--- target/arm/helper.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index a7ae78146d4..f3aeff399b9 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -6242,8 +6242,9 @@ static void define_arm_vh_e2h_redirects_aliases(ARMCP= U *cpu) =20 /* Create alias before redirection so we dup the right data. */ if (a->new_key) { - ARMCPRegInfo *new_reg =3D g_memdup(src_reg, sizeof(ARMCPRegInf= o)); - uint32_t *new_key =3D g_memdup(&a->new_key, sizeof(uint32_t)); + ARMCPRegInfo *new_reg =3D g_memdup2_qemu(src_reg, + sizeof(ARMCPRegInfo)); + uint32_t *new_key =3D g_memdup2_qemu(&a->new_key, sizeof(uint3= 2_t)); bool ok; =20 new_reg->name =3D a->new_name;
@@ -8818,7 +8819,7 @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const= ARMCPRegInfo *r, * add a single reginfo struct to the hash table. */ uint32_t *key =3D g_new(uint32_t, 1); - ARMCPRegInfo *r2 =3D g_memdup(r, sizeof(ARMCPRegInfo)); + ARMCPRegInfo *r2 =3D g_memdup2_qemu(r, sizeof(ARMCPRegInfo)); int is64 =3D (r->type & ARM_CP_64BIT) ? 1 : 0; int ns =3D (secstate & ARM_CP_SECSTATE_NS) ? 1 : 0; =20 --=20 2.31.1
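Review bot: in the define_arm_vh_e2h_redirects_aliases() hunk both counts are compile-time constants (`sizeof(ARMCPRegInfo)` and `sizeof(uint32_t)`), so the guint truncation could not have occurred here and the gain is moving off the GLib-deprecated g_memdup() (deprecated since GLib 2.68); the commit message could say so for this file rather than implying a live overflow. Spelling the second count as `sizeof(a->new_key)` would tie it to the copied object's type, but that is optional and pre-existing.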
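Review bot: in the add_cpreg_to_hashtable() hunk `r2` is now duplicated with g_memdup2_qemu() while `key`, one line above, is still allocated with `g_new(uint32_t, 1)` and filled separately; the previous hunk duplicates its key with `g_memdup2_qemu(&a->new_key, ...)` instead. Not a defect and pre-existing, but the two code paths could use the same idiom once this series is in. The replacement itself is a 1:1 change with a fixed `sizeof`, so no behaviour changes.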
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Hanna Reitz, Igor Mammedov, Laurent Vivier, Alexandre Iooss, Alex Bennée, Michael Roth, Zhang Chen, Shannon Zhao, Richard Henderson, Alex Williamson, Eduardo Habkost, Markus Armbruster, Eric Blake, Stefan Weil, John Snow, Mahmoud Mandour, Li Zhijian, Marcel Apfelbaum, qemu-block@nongnu.org, Helge Deller, "Michael S. Tsirkin", David Gibson, Peter Xu, "Gonglei (Arei)", Gerd Hoffmann, Fam Zheng, Jason Wang, Vladimir Sementsov-Ogievskiy, Christian Schoenebeck, Kevin Wolf, Yuval Shaia, Paolo Bonzini, Peter Maydell, qemu-arm@nongnu.org, Thomas Huth, Laurent Vivier, Greg Kurz, Philippe Mathieu-Daudé, qemu-ppc@nongnu.org, David Hildenbrand
Subject: [PATCH 26/28] target/ppc: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:07:00 +0200
Message-Id: <20210903110702.588291-27-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
--- target/ppc/mmu-hash64.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/target/ppc/mmu-hash64.c b/target/ppc/mmu-hash64.c index 19832c4b46f..2ee6025a406 100644 --- a/target/ppc/mmu-hash64.c +++ b/target/ppc/mmu-hash64.c
@@ -1122,7 +1122,8 @@ void ppc_hash64_init(PowerPCCPU *cpu) return; } =20 - cpu->hash64_opts =3D g_memdup(pcc->hash64_opts, sizeof(*cpu->hash64_op= ts)); + cpu->hash64_opts =3D g_memdup2_qemu(pcc->hash64_opts, + sizeof(*cpu->hash64_opts)); } =20 void ppc_hash64_finalize(PowerPCCPU *cpu) --=20 2.31.1
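Review bot: in the ppc_hash64_init() hunk the count is `sizeof(*cpu->hash64_opts)`, the destination's pointee type, while the source being copied is `pcc->hash64_opts`; if the two fields ever diverge in type the copy length follows the wrong one, so `sizeof(*pcc->hash64_opts)` is the more defensive spelling (pre-existing, not introduced by this patch). Because the count is a fixed `sizeof`, the guint truncation in the commit message could not occur here, and the message could describe this file's change as a deprecation cleanup.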
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Hanna Reitz, Igor Mammedov, Laurent Vivier, Alexandre Iooss, Alex Bennée, Michael Roth, Zhang Chen, Shannon Zhao, Richard Henderson, Alex Williamson, Eduardo Habkost, Markus Armbruster, Eric Blake, Stefan Weil, John Snow, Mahmoud Mandour, Li Zhijian, Marcel Apfelbaum, qemu-block@nongnu.org, Helge Deller, "Michael S. Tsirkin", David Gibson, Peter Xu, "Gonglei (Arei)", Gerd Hoffmann, Fam Zheng, Jason Wang, Vladimir Sementsov-Ogievskiy, Christian Schoenebeck, Kevin Wolf, Yuval Shaia, Paolo Bonzini, Peter Maydell, qemu-arm@nongnu.org, Thomas Huth, Laurent Vivier, Greg Kurz, Philippe Mathieu-Daudé, qemu-ppc@nongnu.org, David Hildenbrand
Subject: [PATCH 27/28] contrib: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:07:01 +0200
Message-Id: <20210903110702.588291-28-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects.
This can likely be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 contrib/plugins/lockstep.c | 2 +-
 contrib/rdmacm-mux/main.c | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/contrib/plugins/lockstep.c b/contrib/plugins/lockstep.c
index 7fd35eb6692..119a8054b3f 100644
--- a/contrib/plugins/lockstep.c
+++ b/contrib/plugins/lockstep.c
@@ -130,7 +130,7 @@ static void report_divergance(ExecState *us, ExecState = *them) } } divergence_log =3D g_slist_prepend(divergence_log, - g_memdup(&divrec, sizeof(divrec))); + g_memdup2_qemu(&divrec, sizeof(divrec= ))); =20 /* Output short log entry of going out of sync... */ if (verbose || divrec.distance =3D=3D 1 || diverged) {
diff --git a/contrib/rdmacm-mux/main.c b/contrib/rdmacm-mux/main.c
index 771ca01e03f..d447d50f538 100644
--- a/contrib/rdmacm-mux/main.c
+++ b/contrib/rdmacm-mux/main.c
@@ -227,8 +227,8 @@ static RdmaCmMuxErrCode add_fd_ifid_pair(int fd, __be64= gid_ifid) RDMACM_MUX_ERR_CODE_EACCES; } =20 - g_hash_table_insert(server.umad_agent.gid2fd, g_memdup(&gid_ifid, - sizeof(gid_ifid)), g_memdup(&fd, sizeof(fd))); + g_hash_table_insert(server.umad_agent.gid2fd, g_memdup2_qemu(&gid_ifid, + sizeof(gid_ifid)), g_memdup2_qemu(&fd, sizeof(fd))= ); =20 pthread_rwlock_unlock(&server.lock); =20
@@ -250,7 +250,7 @@ static RdmaCmMuxErrCode delete_fd_ifid_pair(int fd, __b= e64 gid_ifid) return RDMACM_MUX_ERR_CODE_ENOTFOUND; } =20 - g_hash_table_remove(server.umad_agent.gid2fd, g_memdup(&gid_ifid, + g_hash_table_remove(server.umad_agent.gid2fd, g_memdup2_qemu(&gid_ifid, sizeof(gid_ifid))); pthread_rwlock_unlock(&server.lock); =20
@@ -267,8 +267,8 @@ static void hash_tbl_save_fd_comm_id_pair(int fd, uint3= 2_t comm_id, =20 pthread_rwlock_wrlock(&server.lock); g_hash_table_insert(server.umad_agent.commid2fd, - g_memdup(&comm_id, sizeof(comm_id)), - g_memdup(&fde, sizeof(fde))); + g_memdup2_qemu(&comm_id, sizeof(comm_id)), + g_memdup2_qemu(&fde, sizeof(fde))); pthread_rwlock_unlock(&server.lock); } =20 --=20 2.31.1
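Review bot: in the add_fd_ifid_pair hunk (@@ -227), both the key (`&gid_ifid`) and the value (`&fd`) are heap-duplicated before `g_hash_table_insert`, so `gid2fd` must have been created with key and value destroy functions or every insert, and every overwrite of an existing key, leaks; the hunk does not show the table's construction, so confirm it uses `g_hash_table_new_full`. Separately, `sizeof(gid_ifid)` and `sizeof(fd)` are constants, so the g_memdup2_qemu() change is type hygiene only at this site.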
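Review bot: in the delete_fd_ifid_pair hunk (@@ -250), the pointer returned by `g_memdup2_qemu(&gid_ifid, sizeof(gid_ifid))` is passed straight to `g_hash_table_remove` and never stored, so it can never be freed: `g_hash_table_remove` applies the key-destroy function only to the key already stored in the table, not to the lookup key it is given, so this leaks one allocation per delete (pre-existing, but the patch touches the line). The lookup only needs memory the table's hash and equal functions can read, so `g_hash_table_remove(server.umad_agent.gid2fd, &gid_ifid);` does the same job with no duplication at all.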
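The guint-versus-gsize truncation that the commit message quotes from the GNOME porting note, as an added example that is neither QEMU's nor GLib's code: memdup_gsize and legacy_received_size are constructed stand-ins for the two parameter shapes, and fits_legacy_api is a hypothetical audit check for callers still on the old signature.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for g_memdup2()/g_memdup2_qemu(): the byte count is a
 * size_t (gsize), so a 64-bit request reaches the allocator intact. It keeps
 * GLib's convention of returning NULL for a NULL source or a zero size. */
static void *memdup_gsize(const void *mem, size_t byte_size)
{
    void *copy;

    if (mem == NULL || byte_size == 0) {
        return NULL;
    }
    copy = malloc(byte_size);
    if (copy != NULL) {
        memcpy(copy, mem, byte_size);
    }
    return copy;
}

/* Models the old g_memdup() boundary: the parameter is a guint (unsigned
 * int), so whatever the caller passes is converted on entry. Returning it as
 * a size_t shows what the allocator would actually have been asked for. */
static size_t legacy_received_size(unsigned int byte_size)
{
    return byte_size;
}

/* Hypothetical audit check for code still on the guint API: a request is
 * only safe if the conversion above cannot change it. */
static int fits_legacy_api(size_t requested)
{
    return requested <= UINT_MAX;
}

int main(void)
{
    /* Constructed oversized request: 2^32 + 16 bytes on an LP64 host. */
    size_t big = (size_t)UINT_MAX + 17;
    const char src[] = "hash64_opts";
    char *copy = memdup_gsize(src, sizeof src);

    printf("requested %zu bytes; guint API would allocate %zu (safe: %d)\n",
           big, legacy_received_size(big), fits_legacy_api(big));
    printf("gsize copy of %zu bytes: \"%s\"\n", sizeof src, copy);
    free(copy);
    return 0;
}
```

On an LP64 host the first line reports a 16-byte allocation for a request of 4294967312 bytes, which is exactly the undersized heap area a later memcpy of the full size would overrun.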
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Hanna Reitz, Igor Mammedov, Laurent Vivier, Alexandre Iooss, Alex Bennée, Michael Roth, Zhang Chen, Shannon Zhao, Richard Henderson, Alex Williamson, Eduardo Habkost, Markus Armbruster, Eric Blake, Stefan Weil, John Snow, Mahmoud Mandour, Li Zhijian, Marcel Apfelbaum, qemu-block@nongnu.org, Helge Deller, "Michael S. Tsirkin", David Gibson, Peter Xu, "Gonglei (Arei)", Gerd Hoffmann, Fam Zheng, Jason Wang, Vladimir Sementsov-Ogievskiy, Christian Schoenebeck, Kevin Wolf, Yuval Shaia, Paolo Bonzini, Peter Maydell, qemu-arm@nongnu.org, Thomas Huth, Laurent Vivier, Greg Kurz, Philippe Mathieu-Daudé, qemu-ppc@nongnu.org, David Hildenbrand
Subject: [PATCH 28/28] checkpatch: Do not allow deprecated g_memdup()
Date: Fri, 3 Sep 2021 13:07:02 +0200
Message-Id: <20210903110702.588291-29-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

g_memdup() is insecure and has been deprecated in GLib 2.68. QEMU provides the safe equivalent g_memdup2_qemu() wrapper.

Do not allow more g_memdup() calls in the repository, provide a hint to use g_memdup2_qemu().

Signed-off-by: Philippe Mathieu-Daudé
---
 scripts/checkpatch.pl | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
index cb8eff233e0..4ce9d753492 100755
--- a/scripts/checkpatch.pl
+++ b/scripts/checkpatch.pl
@@ -2850,6 +2850,11 @@ sub process { WARN("consider using g_path_get_$1() in preference to g_strdup($1())\n"= . $herecurr); } =20 +# enforce g_memdup2_qemu() over g_memdup() + if ($line =3D~ /\bg_memdup\s*\(/) { + ERROR("use g_memdup2_qemu() instead of unsafe g_memdup()\n" . $herecurr= ); + } + # recommend qemu_strto* over strto* for numeric conversions if ($line =3D~ /\b(strto[^kd].*?)\s*\(/) { ERROR("consider using qemu_$1 in preference to $1\n" . $herecurr); --=20 2.31.1
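Review bot: the new pattern `/\bg_memdup\s*\(/` correctly leaves `g_memdup2_qemu(` alone (the `2` breaks the match), but it also lets a direct `g_memdup2(` call through, which bypasses the wrapper the commit message says QEMU provides; if that wrapper exists so that builds against GLib older than 2.68 keep working, add a second check such as `if ($line =~ /\bg_memdup2\s*\(/) { ERROR("use g_memdup2_qemu() instead of g_memdup2()\n" . $herecurr); }` next to this one so the raw GLib call cannot creep back in either. ERROR is the right severity here, given the truncation the series describes, even though the neighbouring g_path_get check only uses WARN.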