On Fri, Sep 03, 2021 at 01:06:50PM +0200, Philippe Mathieu-Daudé wrote:
> Per
> https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538
>
> The old API took the size of the memory to duplicate as a guint,
> whereas most memory functions take memory sizes as a gsize. This
> made it easy to accidentally pass a gsize to g_memdup(). For large
> values, that would lead to a silent truncation of the size from 64
> to 32 bits, and result in a heap area being returned which is
> significantly smaller than what the caller expects. This can likely
> be exploited in various modules to cause a heap buffer overflow.
>
> Replace g_memdup() by the safer g_memdup2_qemu() wrapper.
>
> Signed-off-by: Philippe Mathieu-Daudé
Acked-by: David Gibson
> ---
> hw/ppc/spapr_pci.c | 8
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c
> index 7430bd63142..79c0e8d4f98 100644
> --- a/hw/ppc/spapr_pci.c
> +++ b/hw/ppc/spapr_pci.c
> @@ -2201,10 +2201,10 @@ static int spapr_pci_post_load(void *opaque, int
> version_id)
> int i;
>
> for (i = 0; i < sphb->msi_devs_num; ++i) {
> -key = g_memdup(>msi_devs[i].key,
> - sizeof(sphb->msi_devs[i].key));
> -value = g_memdup(>msi_devs[i].value,
> - sizeof(sphb->msi_devs[i].value));
> +key = g_memdup2_qemu(>msi_devs[i].key,
> + sizeof(sphb->msi_devs[i].key));
> +value = g_memdup2_qemu(>msi_devs[i].value,
> + sizeof(sphb->msi_devs[i].value));
> g_hash_table_insert(sphb->msi, key, value);
> }
> g_free(sphb->msi_devs);
--
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
signature.asc
Description: PGP signature
