From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Fam Zheng" <fam@euphon.net>,
	"Peter Maydell" <peter.maydell@linaro.org>,
	"Li Zhijian" <lizhijian@cn.fujitsu.com>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	"Jason Wang" <jasowang@redhat.com>,
	"Christian Schoenebeck" <qemu_oss@crudebyte.com>,
	"Yuval Shaia" <yuval.shaia.ml@gmail.com>,
	"Peter Xu" <peterx@redhat.com>,
	"Gerd Hoffmann" <kraxel@redhat.com>,
	"Alexandre Iooss" <erdnaxe@crans.org>,
	"Eric Blake" <eblake@redhat.com>,
	qemu-block@nongnu.org, "Zhang Chen" <chen.zhang@intel.com>,
	"Alex Bennée" <alex.bennee@linaro.org>,
	"Helge Deller" <deller@gmx.de>,
	"David Hildenbrand" <david@redhat.com>,
	"Markus Armbruster" <armbru@redhat.com>,
	"Gonglei (Arei)" <arei.gonglei@huawei.com>,
	"Stefan Weil" <sw@weilnetz.de>,
	"Philippe Mathieu-Daudé" <philmd@redhat.com>,
	"Laurent Vivier" <lvivier@redhat.com>,
	"Thomas Huth" <thuth@redhat.com>,
	"Eduardo Habkost" <ehabkost@redhat.com>,
	"Michael Roth" <michael.roth@amd.com>,
	"Richard Henderson" <richard.henderson@linaro.org>,
	"Greg Kurz" <groug@kaod.org>,
	"Alex Williamson" <alex.williamson@redhat.com>,
	qemu-arm@nongnu.org, "Paolo Bonzini" <pbonzini@redhat.com>,
	"John Snow" <jsnow@redhat.com>,
	"David Gibson" <david@gibson.dropbear.id.au>,
	"Kevin Wolf" <kwolf@redhat.com>,
	"Vladimir Sementsov-Ogievskiy" <vsementsov@virtuozzo.com>,
	"Laurent Vivier" <laurent@vivier.eu>,
	"Shannon Zhao" <shannon.zhaosl@gmail.com>,
	"Hanna Reitz" <hreitz@redhat.com>,
	qemu-ppc@nongnu.org, "Igor Mammedov" <imammedo@redhat.com>,
	"Mahmoud Mandour" <ma.mandourr@gmail.com>
Subject: [PATCH 14/28] hw/nvram/fw_cfg: Replace g_memdup() by g_memdup2_qemu()
Date: Fri,  3 Sep 2021 13:06:48 +0200
Message-ID: <20210903110702.588291-15-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

  The old API took the size of the memory to duplicate as a guint,
  whereas most memory functions take memory sizes as a gsize. This
  made it easy to accidentally pass a gsize to g_memdup(). For large
  values, that would lead to a silent truncation of the size from 64
  to 32 bits, and result in a heap area being returned which is
  significantly smaller than what the caller expects. This can likely
  be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
 hw/nvram/fw_cfg.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
index 9b8dcca4ead..fefcdeb8241 100644
--- a/hw/nvram/fw_cfg.c
+++ b/hw/nvram/fw_cfg.c
@@ -205,7 +205,8 @@ static void fw_cfg_bootsplash(FWCfgState *s)
         /* use little endian format */
         bst_le16 = cpu_to_le16(bst_val);
         fw_cfg_add_file(s, "etc/boot-menu-wait",
-                        g_memdup(&bst_le16, sizeof bst_le16), sizeof bst_le16);
+                        g_memdup2_qemu(&bst_le16, sizeof bst_le16),
+                        sizeof bst_le16);
     }
 
     /* insert splash file if user configurated */
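Review bot: no truncation was possible here, since `sizeof bst_le16` is a compile-time 2, so this hunk is a mechanical conversion to the non-deprecated API; the line split is needed to stay within the 80-column limit, but a short local such as `size_t len = sizeof bst_le16;` would let both the duplicate and the length argument stay on one line and make it harder for the two to drift apart.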
@@ -260,7 +261,7 @@ static void fw_cfg_reboot(FWCfgState *s)
     }
 
     rt_le32 = cpu_to_le32(rt_val);
-    fw_cfg_add_file(s, "etc/boot-fail-wait", g_memdup(&rt_le32, 4), 4);
+    fw_cfg_add_file(s, "etc/boot-fail-wait", g_memdup2_qemu(&rt_le32, 4), 4);
 }
 
 static void fw_cfg_write(FWCfgState *s, uint8_t value)
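Review bot: `g_memdup2_qemu(&rt_le32, 4), 4` carries over the literal 4 from the old call; the bootsplash hunk in the same file spells its size as `sizeof bst_le16`, so for consistency and to tie the length to the buffer, write `sizeof rt_le32` in both the duplicate and the length argument. As with the previous hunk, the constant size means the guint/gsize mismatch could not bite here.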
@@ -755,7 +756,7 @@ void fw_cfg_add_string(FWCfgState *s, uint16_t key, const char *value)
     size_t sz = strlen(value) + 1;
 
     trace_fw_cfg_add_string(key, trace_key_name(key), value);
-    fw_cfg_add_bytes(s, key, g_memdup(value, sz), sz);
+    fw_cfg_add_bytes(s, key, g_memdup2_qemu(value, sz), sz);
 }
 
 void fw_cfg_modify_string(FWCfgState *s, uint16_t key, const char *value)
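Review bot: this is the call the commit text actually applies to: `sz` is a `size_t` computed as `strlen(value) + 1` and was being passed to g_memdup()'s guint parameter, so a string longer than 32 bits of size would have been copied into a silently narrowed allocation while `fw_cfg_add_bytes()` still received the full `sz`, recording an entry longer than its backing buffer. With g_memdup2_qemu() accepting the size unnarrowed, the allocation and the recorded length agree. It would be worth saying in the commit message that of the four call sites in this file only the two string helpers had a real size_t-to-guint narrowing.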
@@ -763,7 +764,7 @@ void fw_cfg_modify_string(FWCfgState *s, uint16_t key, const char *value)
     size_t sz = strlen(value) + 1;
     char *old;
 
-    old = fw_cfg_modify_bytes_read(s, key, g_memdup(value, sz), sz);
+    old = fw_cfg_modify_bytes_read(s, key, g_memdup2_qemu(value, sz), sz);
     g_free(old);
 }
 
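Review bot: same fix as in fw_cfg_add_string(): the `size_t sz` now reaches the allocator unnarrowed. The `g_free(old)` on the buffer returned by `fw_cfg_modify_bytes_read()` is unchanged, which is correct only if g_memdup2_qemu() allocates with the same GLib allocator that g_memdup() used; since the wrapper is introduced by this series, a one-line comment in the wrapper's header stating that its result must be released with g_free() would document that contract for both of these string helpers.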
-- 
2.31.1
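The commit text quotes the GNOME advisory about g_memdup() narrowing a 64-bit gsize to a 32-bit guint. The following is an added illustration, not code from this patch or from GLib: it models the two signatures with plain C (`legacy_memdup_effective_size`, `memdup2_model` and `dup_string_len` are constructed names) and shows how the fw_cfg_add_string() pattern in the patch, `size_t sz = strlen(value) + 1`, behaves under each. It assumes a host where `unsigned int` is 32 bits and `size_t` is 64 bits.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed models of the two GLib signatures, not GLib's own code:
 * the deprecated g_memdup() takes the byte count as guint (32-bit),
 * g_memdup2() takes it as gsize (size_t). */
typedef unsigned int guint;
typedef size_t gsize;

/* Size the legacy g_memdup() actually receives when a caller hands it a
 * 64-bit size_t: the implicit conversion narrows the value to guint, which
 * is the silent truncation the commit text describes. */
static uint64_t legacy_memdup_effective_size(uint64_t requested)
{
    guint narrowed = (guint)requested;
    return narrowed;
}

/* 1 if a legacy g_memdup() call with this size would have under-allocated. */
static int legacy_would_truncate(uint64_t requested)
{
    return requested > UINT_MAX;
}

/* Model of g_memdup2(): the whole gsize is honoured, so the copy is exactly
 * as large as the caller asked for. NULL for a NULL source or a zero size. */
static void *memdup2_model(const void *mem, gsize byte_size)
{
    void *copy = NULL;
    if (mem != NULL && byte_size != 0) {
        copy = malloc(byte_size);
        if (copy != NULL) {
            memcpy(copy, mem, byte_size);
        }
    }
    return copy;
}

/* Mirrors fw_cfg_add_string() in the patch: duplicate strlen(value) + 1 bytes
 * through the gsize-taking model. Returns the length of the duplicated
 * string, or -1 if the duplicate could not be made. */
static long dup_string_len(const char *value)
{
    gsize sz = strlen(value) + 1;            /* size_t, as in the patch */
    char *copy = memdup2_model(value, sz);   /* no narrowing on this path */
    long n;
    if (copy == NULL) {
        return -1;
    }
    n = (long)strlen(copy);
    free(copy);
    return n;
}

int main(void)
{
    /* Constructed oversize request: 4 GiB + 2 bytes. */
    uint64_t big = 0x100000002ULL;
    printf("requested %llu, legacy g_memdup() would allocate %llu bytes\n",
           (unsigned long long)big,
           (unsigned long long)legacy_memdup_effective_size(big));
    printf("legacy truncation for this size: %d\n", legacy_would_truncate(big));
    printf("dup of \"etc/boot-menu-wait\" has length %ld\n",
           dup_string_len("etc/boot-menu-wait"));
    return 0;
}
```

The point the numbers make is the one from the advisory: a caller asking for 0x100000002 bytes through the guint parameter gets a 2-byte heap block, while the length it goes on to record stays 0x100000002, so the later copy or read runs past the allocation. Taking the size as gsize removes the mismatch without any change at the call site beyond the function name, which is why the patch is a one-for-one replacement.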