| Message ID | 20210903174510.751630-6-philmd@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [v3,01/28] hw/hyperv/vmbus: Remove unused vmbus_load/save_req() | expand |
On Fri, Sep 03, 2021 at 07:44:47PM +0200, Philippe Mathieu-Daudé wrote: > Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 > > The old API took the size of the memory to duplicate as a guint, > whereas most memory functions take memory sizes as a gsize. This > made it easy to accidentally pass a gsize to g_memdup(). For large > values, that would lead to a silent truncation of the size from 64 > to 32 bits, and result in a heap area being returned which is > significantly smaller than what the caller expects. This can likely > be exploited in various modules to cause a heap buffer overflow. > > Replace g_memdup() by the safer g_memdup2() wrapper. > > Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> > --- > block/qcow2-bitmap.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/block/qcow2-bitmap.c b/block/qcow2-bitmap.c > index 8fb47315515..218a0dc712a 100644 > --- a/block/qcow2-bitmap.c > +++ b/block/qcow2-bitmap.c > @@ -1599,7 +1599,7 @@ bool qcow2_store_persistent_dirty_bitmaps(BlockDriverState *bs, > name); > goto fail; > } > - tb = g_memdup(&bm->table, sizeof(bm->table)); > + tb = g_memdup2(&bm->table, sizeof(bm->table)); Trivially safe. It might be worth a comment in the various commit messages for which patches are trivially safe (because the argument was directly from sizeof), and which would require a larger audit of callers to see if we had any (unlikely) bug (such as patch 3/28). Reviewed-by: Eric Blake <eblake@redhat.com>
On 9/3/21 11:13 PM, Eric Blake wrote: > On Fri, Sep 03, 2021 at 07:44:47PM +0200, Philippe Mathieu-Daudé wrote: >> Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 >> >> The old API took the size of the memory to duplicate as a guint, >> whereas most memory functions take memory sizes as a gsize. This >> made it easy to accidentally pass a gsize to g_memdup(). For large >> values, that would lead to a silent truncation of the size from 64 >> to 32 bits, and result in a heap area being returned which is >> significantly smaller than what the caller expects. This can likely >> be exploited in various modules to cause a heap buffer overflow. >> >> Replace g_memdup() by the safer g_memdup2() wrapper. >> >> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> >> --- >> block/qcow2-bitmap.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/block/qcow2-bitmap.c b/block/qcow2-bitmap.c >> index 8fb47315515..218a0dc712a 100644 >> --- a/block/qcow2-bitmap.c >> +++ b/block/qcow2-bitmap.c >> @@ -1599,7 +1599,7 @@ bool qcow2_store_persistent_dirty_bitmaps(BlockDriverState *bs, >> name); >> goto fail; >> } >> - tb = g_memdup(&bm->table, sizeof(bm->table)); >> + tb = g_memdup2(&bm->table, sizeof(bm->table)); > > Trivially safe. It might be worth a comment in the various commit > messages for which patches are trivially safe (because the argument > was directly from sizeof), and which would require a larger audit of > callers to see if we had any (unlikely) bug (such as patch 3/28). Yes, will do. > Reviewed-by: Eric Blake <eblake@redhat.com> Thanks!
diff --git a/block/qcow2-bitmap.c b/block/qcow2-bitmap.c index 8fb47315515..218a0dc712a 100644 --- a/block/qcow2-bitmap.c +++ b/block/qcow2-bitmap.c @@ -1599,7 +1599,7 @@ bool qcow2_store_persistent_dirty_bitmaps(BlockDriverState *bs, name); goto fail; } - tb = g_memdup(&bm->table, sizeof(bm->table)); + tb = g_memdup2(&bm->table, sizeof(bm->table)); bm->table.offset = 0; bm->table.size = 0; QSIMPLEQ_INSERT_TAIL(&drop_tables, tb, entry);
Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2() wrapper. Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> --- block/qcow2-bitmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)