On Fri, Sep 03, 2021 at 01:06:50PM +0200, Philippe Mathieu-Daudé wrote: > Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 > > The old API took the size of the memory to duplicate as a guint, > whereas most memory functions take memory sizes as a gsize. This > made it easy to accidentally pass a gsize to g_memdup(). For large > values, that would lead to a silent truncation of the size from 64 > to 32 bits, and result in a heap area being returned which is > significantly smaller than what the caller expects. This can likely > be exploited in various modules to cause a heap buffer overflow. > > Replace g_memdup() by the safer g_memdup2_qemu() wrapper. > > Signed-off-by: Philippe Mathieu-Daudé Acked-by: David Gibson > --- > hw/ppc/spapr_pci.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c > index 7430bd63142..79c0e8d4f98 100644 > --- a/hw/ppc/spapr_pci.c > +++ b/hw/ppc/spapr_pci.c > @@ -2201,10 +2201,10 @@ static int spapr_pci_post_load(void *opaque, int version_id) > int i; > > for (i = 0; i < sphb->msi_devs_num; ++i) { > - key = g_memdup(&sphb->msi_devs[i].key, > - sizeof(sphb->msi_devs[i].key)); > - value = g_memdup(&sphb->msi_devs[i].value, > - sizeof(sphb->msi_devs[i].value)); > + key = g_memdup2_qemu(&sphb->msi_devs[i].key, > + sizeof(sphb->msi_devs[i].key)); > + value = g_memdup2_qemu(&sphb->msi_devs[i].value, > + sizeof(sphb->msi_devs[i].value)); > g_hash_table_insert(sphb->msi, key, value); > } > g_free(sphb->msi_devs); -- David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson