@@ -205,7 +205,8 @@ static void fw_cfg_bootsplash(FWCfgState *s)
/* use little endian format */
bst_le16 = cpu_to_le16(bst_val);
fw_cfg_add_file(s, "etc/boot-menu-wait",
- g_memdup(&bst_le16, sizeof bst_le16), sizeof bst_le16);
+ g_memdup2_qemu(&bst_le16, sizeof bst_le16),
+ sizeof bst_le16);
}
/* insert splash file if user configurated */
@@ -260,7 +261,7 @@ static void fw_cfg_reboot(FWCfgState *s)
}
rt_le32 = cpu_to_le32(rt_val);
- fw_cfg_add_file(s, "etc/boot-fail-wait", g_memdup(&rt_le32, 4), 4);
+ fw_cfg_add_file(s, "etc/boot-fail-wait", g_memdup2_qemu(&rt_le32, 4), 4);
}
static void fw_cfg_write(FWCfgState *s, uint8_t value)
@@ -755,7 +756,7 @@ void fw_cfg_add_string(FWCfgState *s, uint16_t key, const char *value)
size_t sz = strlen(value) + 1;
trace_fw_cfg_add_string(key, trace_key_name(key), value);
- fw_cfg_add_bytes(s, key, g_memdup(value, sz), sz);
+ fw_cfg_add_bytes(s, key, g_memdup2_qemu(value, sz), sz);
}
void fw_cfg_modify_string(FWCfgState *s, uint16_t key, const char *value)
@@ -763,7 +764,7 @@ void fw_cfg_modify_string(FWCfgState *s, uint16_t key, const char *value)
size_t sz = strlen(value) + 1;
char *old;
- old = fw_cfg_modify_bytes_read(s, key, g_memdup(value, sz), sz);
+ old = fw_cfg_modify_bytes_read(s, key, g_memdup2_qemu(value, sz), sz);
g_free(old);
}
Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2_qemu() wrapper. Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> --- hw/nvram/fw_cfg.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-)