From: Jason Wang <jasowang@redhat.com>
To: "Eugenio Pérez" <eperezma@redhat.com>, qemu-devel@nongnu.org
Cc: Laurent Vivier <lvivier@redhat.com>,
Parav Pandit <parav@mellanox.com>, Cindy Lu <lulu@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
Cornelia Huck <cohuck@redhat.com>,
Markus Armbruster <armbru@redhat.com>,
Gautam Dawar <gdawar@xilinx.com>,
Harpreet Singh Anand <hanand@xilinx.com>,
"Gonglei \(Arei\)" <arei.gonglei@huawei.com>,
Peter Xu <peterx@redhat.com>, Eli Cohen <eli@mellanox.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Zhu Lingshan <lingshan.zhu@intel.com>,
Eric Blake <eblake@redhat.com>,
Liuxiangdong <liuxiangdong5@huawei.com>
Subject: Re: [RFC PATCH v5 04/23] hw/virtio: Replace g_memdup() by g_memdup2()
Date: Thu, 14 Apr 2022 11:37:34 +0800 [thread overview]
Message-ID: <f2fb6570-78cc-2cdb-5a8b-740e49fd7ab2@redhat.com> (raw)
In-Reply-To: <20220408133415.1371760-5-eperezma@redhat.com>
在 2022/4/8 21:33, Eugenio Pérez 写道:
> From: Philippe Mathieu-Daudé <philmd@redhat.com>
>
> Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538
>
> The old API took the size of the memory to duplicate as a guint,
> whereas most memory functions take memory sizes as a gsize. This
> made it easy to accidentally pass a gsize to g_memdup(). For large
> values, that would lead to a silent truncation of the size from 64
> to 32 bits, and result in a heap area being returned which is
> significantly smaller than what the caller expects. This can likely
> be exploited in various modules to cause a heap buffer overflow.
>
> Replace g_memdup() by the safer g_memdup2() wrapper.
>
> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> ---
Acked-by: Jason Wang <jasowang@redhat.com>
> hw/net/virtio-net.c | 3 ++-
> hw/virtio/virtio-crypto.c | 6 +++---
> 2 files changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
> index 1067e72b39..e4748a7e6c 100644
> --- a/hw/net/virtio-net.c
> +++ b/hw/net/virtio-net.c
> @@ -1443,7 +1443,8 @@ static void virtio_net_handle_ctrl(VirtIODevice *vdev, VirtQueue *vq)
> }
>
> iov_cnt = elem->out_num;
> - iov2 = iov = g_memdup(elem->out_sg, sizeof(struct iovec) * elem->out_num);
> + iov2 = iov = g_memdup2(elem->out_sg,
> + sizeof(struct iovec) * elem->out_num);
> s = iov_to_buf(iov, iov_cnt, 0, &ctrl, sizeof(ctrl));
> iov_discard_front(&iov, &iov_cnt, sizeof(ctrl));
> if (s != sizeof(ctrl)) {
> diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
> index dcd80b904d..0e31e3cc04 100644
> --- a/hw/virtio/virtio-crypto.c
> +++ b/hw/virtio/virtio-crypto.c
> @@ -242,7 +242,7 @@ static void virtio_crypto_handle_ctrl(VirtIODevice *vdev, VirtQueue *vq)
> }
>
> out_num = elem->out_num;
> - out_iov_copy = g_memdup(elem->out_sg, sizeof(out_iov[0]) * out_num);
> + out_iov_copy = g_memdup2(elem->out_sg, sizeof(out_iov[0]) * out_num);
> out_iov = out_iov_copy;
>
> in_num = elem->in_num;
> @@ -605,11 +605,11 @@ virtio_crypto_handle_request(VirtIOCryptoReq *request)
> }
>
> out_num = elem->out_num;
> - out_iov_copy = g_memdup(elem->out_sg, sizeof(out_iov[0]) * out_num);
> + out_iov_copy = g_memdup2(elem->out_sg, sizeof(out_iov[0]) * out_num);
> out_iov = out_iov_copy;
>
> in_num = elem->in_num;
> - in_iov_copy = g_memdup(elem->in_sg, sizeof(in_iov[0]) * in_num);
> + in_iov_copy = g_memdup2(elem->in_sg, sizeof(in_iov[0]) * in_num);
> in_iov = in_iov_copy;
>
> if (unlikely(iov_to_buf(out_iov, out_num, 0, &req, sizeof(req))
next prev parent reply other threads:[~2022-04-14 3:38 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-08 13:33 [RFC PATCH v5 00/23] Net Control VQ support with asid in vDPA SVQ Eugenio Pérez
2022-04-08 13:33 ` [RFC PATCH v5 01/23] vdpa: Add missing tracing to batch mapping functions Eugenio Pérez
2022-04-14 3:32 ` Jason Wang
2022-04-08 13:33 ` [RFC PATCH v5 02/23] vdpa: Fix bad index calculus at vhost_vdpa_get_vring_base Eugenio Pérez
2022-04-14 3:34 ` Jason Wang
2022-04-22 9:00 ` Eugenio Perez Martin
2022-04-08 13:33 ` [RFC PATCH v5 03/23] util: Return void on iova_tree_remove Eugenio Pérez
2022-04-14 3:36 ` Jason Wang
2022-04-08 13:33 ` [RFC PATCH v5 04/23] hw/virtio: Replace g_memdup() by g_memdup2() Eugenio Pérez
2022-04-14 3:37 ` Jason Wang [this message]
2022-04-08 13:33 ` [RFC PATCH v5 05/23] vhost: Fix bad return of descriptors to SVQ Eugenio Pérez
2022-04-14 3:38 ` Jason Wang
2022-04-08 13:33 ` [RFC PATCH v5 06/23] vdpa: Add x-svq to NetdevVhostVDPAOptions Eugenio Pérez
2022-04-14 3:42 ` Jason Wang
2022-04-18 10:34 ` Eugenio Perez Martin
2022-04-08 13:33 ` [RFC PATCH v5 07/23] vhost: move descriptor translation to vhost_svq_vring_write_descs Eugenio Pérez
2022-04-08 13:34 ` [RFC PATCH v5 08/23] vdpa: Fix index calculus at vhost_vdpa_svqs_start Eugenio Pérez
2022-04-08 13:34 ` [RFC PATCH v5 09/23] virtio-net: Expose ctrl virtqueue logic Eugenio Pérez
2022-04-08 13:34 ` [RFC PATCH v5 10/23] vdpa: Extract get features part from vhost_vdpa_get_max_queue_pairs Eugenio Pérez
2022-04-08 13:34 ` [RFC PATCH v5 11/23] virtio: Make virtqueue_alloc_element non-static Eugenio Pérez
2022-04-08 13:34 ` [RFC PATCH v5 12/23] vhost: Add SVQElement Eugenio Pérez
2022-04-08 13:34 ` [RFC PATCH v5 13/23] vhost: Add custom used buffer callback Eugenio Pérez
2022-04-08 13:34 ` [RFC PATCH v5 14/23] vdpa: control virtqueue support on shadow virtqueue Eugenio Pérez
2022-04-08 13:34 ` [RFC PATCH v5 15/23] vhost: Add vhost_iova_tree_find Eugenio Pérez
2022-04-08 13:34 ` [RFC PATCH v5 16/23] vdpa: Add map/unmap operation callback to SVQ Eugenio Pérez
2022-04-08 13:34 ` [RFC PATCH v5 17/23] vhost: Add vhost_svq_inject Eugenio Pérez
2022-04-08 13:34 ` [RFC PATCH v5 18/23] vdpa: add NetClientState->start() callback Eugenio Pérez
2022-04-08 13:34 ` [RFC PATCH v5 19/23] vdpa: Add vhost_vdpa_start_control_svq Eugenio Pérez
2022-04-08 13:34 ` [RFC PATCH v5 20/23] vhost: Update kernel headers Eugenio Pérez
2022-04-08 13:34 ` [RFC PATCH v5 21/23] vhost: Make possible to check for device exclusive vq group Eugenio Pérez
2022-04-08 13:34 ` [RFC PATCH v5 22/23] vdpa: Add asid attribute to vdpa device Eugenio Pérez
2022-04-08 13:34 ` [RFC PATCH v5 23/23] vdpa: Add x-cvq-svq Eugenio Pérez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f2fb6570-78cc-2cdb-5a8b-740e49fd7ab2@redhat.com \
--to=jasowang@redhat.com \
--cc=arei.gonglei@huawei.com \
--cc=armbru@redhat.com \
--cc=cohuck@redhat.com \
--cc=eblake@redhat.com \
--cc=eli@mellanox.com \
--cc=eperezma@redhat.com \
--cc=gdawar@xilinx.com \
--cc=hanand@xilinx.com \
--cc=lingshan.zhu@intel.com \
--cc=liuxiangdong5@huawei.com \
--cc=lulu@redhat.com \
--cc=lvivier@redhat.com \
--cc=mst@redhat.com \
--cc=parav@mellanox.com \
--cc=pbonzini@redhat.com \
--cc=peterx@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.