From patchwork Fri Sep 3 11:06:35 2021
X-Patchwork-Submitter: Philippe Mathieu-Daudé
X-Patchwork-Id: 12474155
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 01/28] hw/hyperv/vmbus: Remove unused vmbus_load/save_req()
Date: Fri, 3 Sep 2021 13:06:35 +0200
Message-Id: <20210903110702.588291-2-philmd@redhat.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>
Cc: Fam Zheng , Peter Maydell , Li Zhijian , "Michael S.
Tsirkin" , Jason Wang , Christian Schoenebeck , Yuval Shaia , Peter Xu , Gerd Hoffmann , Alexandre Iooss , Eric Blake , qemu-block@nongnu.org, Zhang Chen , =?utf-8?q?Alex_Benn=C3=A9e?= , Helge Deller , David Hildenbrand , Markus Armbruster , "Gonglei \(Arei\)" , Stefan Weil , =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= , Laurent Vivier , Thomas Huth , Eduardo Habkost , Michael Roth , Richard Henderson , Greg Kurz , Alex Williamson , qemu-arm@nongnu.org, Paolo Bonzini , John Snow , David Gibson , Kevin Wolf , Vladimir Sementsov-Ogievskiy , Laurent Vivier , Shannon Zhao , Hanna Reitz , qemu-ppc@nongnu.org, Igor Mammedov , Mahmoud Mandour Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" vmbus_save_req() and vmbus_load_req() are not used. Remove them to avoid maintaining dead code. Signed-off-by: Philippe Mathieu-Daudé --- include/hw/hyperv/vmbus.h | 3 -- hw/hyperv/vmbus.c | 59 --------------------------------------- 2 files changed, 62 deletions(-) diff --git a/include/hw/hyperv/vmbus.h b/include/hw/hyperv/vmbus.h index f98bea3888d..8ea660dd8e6 100644 --- a/include/hw/hyperv/vmbus.h +++ b/include/hw/hyperv/vmbus.h @@ -223,7 +223,4 @@ int vmbus_map_sgl(VMBusChanReq *req, DMADirection dir, struct iovec *iov, void vmbus_unmap_sgl(VMBusChanReq *req, DMADirection dir, struct iovec *iov, unsigned iov_cnt, size_t accessed); -void vmbus_save_req(QEMUFile *f, VMBusChanReq *req); -void *vmbus_load_req(QEMUFile *f, VMBusDevice *dev, uint32_t size); - #endif diff --git a/hw/hyperv/vmbus.c b/hw/hyperv/vmbus.c index c9887d5a7bc..18d3c3b9240 100644 --- a/hw/hyperv/vmbus.c +++ b/hw/hyperv/vmbus.c 
@@ -1311,65 +1311,6 @@ static const VMStateDescription vmstate_vmbus_chan_req = { } }; -void vmbus_save_req(QEMUFile *f, VMBusChanReq *req) -{ - VMBusChanReqSave req_save; - - req_save.chan_idx = req->chan->subchan_idx; - req_save.pkt_type = req->pkt_type; - req_save.msglen = req->msglen; - req_save.msg = req->msg; - req_save.transaction_id = req->transaction_id; - req_save.need_comp = req->need_comp; - req_save.num = req->sgl.nsg; - req_save.sgl = g_memdup(req->sgl.sg, - req_save.num * sizeof(ScatterGatherEntry)); - - vmstate_save_state(f, &vmstate_vmbus_chan_req, &req_save, NULL); - - g_free(req_save.sgl); -} - -void *vmbus_load_req(QEMUFile *f, VMBusDevice *dev, uint32_t size) -{ - VMBusChanReqSave req_save; - VMBusChanReq *req = NULL; - VMBusChannel *chan = NULL; - uint32_t i; - - vmstate_load_state(f, &vmstate_vmbus_chan_req, &req_save, 0); - - if (req_save.chan_idx >= dev->num_channels) { - error_report("%s: %u(chan_idx) > %u(num_channels)", __func__, - req_save.chan_idx, dev->num_channels); - goto out; - } - chan = &dev->channels[req_save.chan_idx]; - - if (vmbus_channel_reserve(chan, 0, req_save.msglen)) { - goto out; - } - - req = vmbus_alloc_req(chan, size, req_save.pkt_type, req_save.msglen, - req_save.transaction_id, req_save.need_comp); - if (req_save.msglen) { - memcpy(req->msg, req_save.msg, req_save.msglen); - } - - for (i = 0; i < req_save.num; i++) { - qemu_sglist_add(&req->sgl, req_save.sgl[i].base, req_save.sgl[i].len); - } - -out: - if (req_save.msglen) { - g_free(req_save.msg); - } - if (req_save.num) { - g_free(req_save.sgl); - } - return req; -} - static void channel_event_cb(EventNotifier *e) { VMBusChannel *chan = container_of(e, VMBusChannel, notifier); From patchwork Fri Sep 3 11:06:36 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 12474159 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on 
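Review bot: with vmbus_save_req() and vmbus_load_req() removed, the `static const VMStateDescription vmstate_vmbus_chan_req` whose closing lines form this hunk's leading context, and the VMBusChanReqSave type the removed bodies fill in, appear to lose their only users; if nothing else in vmbus.c references them they become dead in turn (and compilers may warn about an unused static const), so either drop them in the same patch or say in the commit message why they stay. Note also that the removed vmbus_save_req() contained `g_memdup(req->sgl.sg, req_save.num * sizeof(ScatterGatherEntry))`, a gsize product passed to the deprecated API, so this cleanup retires one of the call sites the rest of the series converts.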
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 02/28] glib-compat: Introduce g_memdup2() wrapper
Date: Fri, 3 Sep 2021 13:06:36 +0200
Message-Id: <20210903110702.588291-3-philmd@redhat.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>
Cc: Fam Zheng , Peter Maydell , Li Zhijian , "Michael S.
Tsirkin" , Jason Wang , Christian Schoenebeck , Yuval Shaia , Peter Xu , Gerd Hoffmann , Alexandre Iooss , Eric Blake , qemu-block@nongnu.org, Zhang Chen , Alex Bennée , Helge Deller , David Hildenbrand , Markus Armbruster , "Gonglei \(Arei\)" , Stefan Weil , Philippe Mathieu-Daudé , Laurent Vivier , Thomas Huth , Eduardo Habkost , Michael Roth , Richard Henderson , Greg Kurz , Alex Williamson , qemu-arm@nongnu.org, Paolo Bonzini , John Snow , David Gibson , Kevin Wolf , Vladimir Sementsov-Ogievskiy , Laurent Vivier , Shannon Zhao , Hanna Reitz , qemu-ppc@nongnu.org, Igor Mammedov , Mahmoud Mandour

When experimenting with raising GLIB_VERSION_MIN_REQUIRED to 2.68 (Fedora 34 provides GLib 2.68.1) we get:

hw/virtio/virtio-crypto.c:245:24: error: 'g_memdup' is deprecated: Use 'g_memdup2' instead [-Werror,-Wdeprecated-declarations]
...

g_memdup() has been updated by g_memdup2() to fix eventual security issues (size argument is 32-bit and could be truncated / wrapping).

GLib recommends copying their static inline version of g_memdup2():
https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

Our glib-compat.h provides a comment explaining how to deal with these deprecated declarations (see commit e71e8cc0355 "glib: enforce the minimum required version and warn about old APIs").

Following this comment suggestion, implement the g_memdup2_qemu() wrapper to g_memdup2(), and use the safer equivalent inlined when we are using pre-2.68 GLib.

Reported-by: Eric Blake
Signed-off-by: Philippe Mathieu-Daudé
---
 include/glib-compat.h | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/include/glib-compat.h b/include/glib-compat.h index 9e95c888f54..6577d9ab393 100644 --- a/include/glib-compat.h +++ b/include/glib-compat.h
@@ -68,6 +68,42 @@ * without generating warnings. */ +/* + * g_memdup2_qemu: + * @mem: (nullable): the memory to copy. + * @byte_size: the number of bytes to copy. + * + * Allocates @byte_size bytes of memory, and copies @byte_size bytes into it + * from @mem. If @mem is %NULL it returns %NULL. + * + * This replaces g_memdup(), which was prone to integer overflows when + * converting the argument from a #gsize to a #guint. + * + * This static inline version is a backport of the new public API from + * GLib 2.68, kept internal to GLib for backport to older stable releases. + * See https://gitlab.gnome.org/GNOME/glib/-/issues/2319. + * + * Returns: (nullable): a pointer to the newly-allocated copy of the memory, + * or %NULL if @mem is %NULL. + */ +static inline gpointer g_memdup2_qemu(gconstpointer mem, gsize byte_size) +{ +#if GLIB_CHECK_VERSION(2, 68, 0) + return g_memdup2(mem, byte_size); +#else + gpointer new_mem; + + if (mem && byte_size != 0) { + new_mem = g_malloc(byte_size); + memcpy(new_mem, mem, byte_size); + } else { + new_mem = NULL; + } + + return new_mem; +#endif +} + #if defined(G_OS_UNIX) /* * Note: The fallback implementation is not MT-safe, and it returns a copy of From patchwork Fri Sep 3 11:06:37 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 12474167 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.5 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 361CAC433F5 for ; Fri, 3 Sep 2021 11:16:06 +0000 (UTC) Received: 
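Review bot: no `#define g_memdup2(m, s) g_memdup2_qemu(m, s)` follows the new wrapper in this hunk, so every caller has to spell the QEMU-private name (patches 03 and 04 do, while the comments they update say g_memdup2()); adding the define lets callers use the upstream name and makes the wrapper drop out cleanly once the minimum GLib reaches 2.68. In the doc comment, the sentence "kept internal to GLib for backport to older stable releases" is carried over from GLib's own text and reads oddly in QEMU's header; something like "a copy of the GLib 2.68 implementation, used when building against an older GLib" describes this block. The fallback body itself (g_malloc plus memcpy, NULL for a NULL @mem or a zero size) matches the semantics the comment documents.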
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 03/28] qapi: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:37 +0200
Message-Id: <20210903110702.588291-4-philmd@redhat.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>
Cc: Fam Zheng , Peter Maydell , Li Zhijian , "Michael S.
Tsirkin" , Jason Wang , Christian Schoenebeck , Yuval Shaia , Peter Xu , Gerd Hoffmann , Alexandre Iooss , Eric Blake , qemu-block@nongnu.org, Zhang Chen , =?utf-8?q?Alex_Benn=C3=A9e?= , Helge Deller , David Hildenbrand , Markus Armbruster , "Gonglei \(Arei\)" , Stefan Weil , =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= , Laurent Vivier , Thomas Huth , Eduardo Habkost , Michael Roth , Richard Henderson , Greg Kurz , Alex Williamson , qemu-arm@nongnu.org, Paolo Bonzini , John Snow , David Gibson , Kevin Wolf , Vladimir Sementsov-Ogievskiy , Laurent Vivier , Shannon Zhao , Hanna Reitz , qemu-ppc@nongnu.org, Igor Mammedov , Mahmoud Mandour Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2_qemu() wrapper. Signed-off-by: Philippe Mathieu-Daudé --- qapi/qapi-clone-visitor.c | 16 ++++++++-------- qapi/qapi-visit-core.c | 6 ++++-- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/qapi/qapi-clone-visitor.c b/qapi/qapi-clone-visitor.c index c45c5caa3b8..fb38505d982 100644 --- a/qapi/qapi-clone-visitor.c +++ b/qapi/qapi-clone-visitor.c @@ -37,7 +37,7 @@ static bool qapi_clone_start_struct(Visitor *v, const char *name, void **obj, return true; } - *obj = g_memdup(*obj, size); + *obj = g_memdup2_qemu(*obj, size); qcv->depth++; return true; } 
@@ -65,8 +65,8 @@ static GenericList *qapi_clone_next_list(Visitor *v, GenericList *tail, QapiCloneVisitor *qcv = to_qcv(v); assert(qcv->depth); - /* Unshare the tail of the list cloned by g_memdup() */ - tail->next = g_memdup(tail->next, size); + /* Unshare the tail of the list cloned by g_memdup2() */ + tail->next = g_memdup2_qemu(tail->next, size); return tail->next; } @@ -83,7 +83,7 @@ static bool qapi_clone_type_int64(Visitor *v, const char *name, int64_t *obj, QapiCloneVisitor *qcv = to_qcv(v); assert(qcv->depth); - /* Value was already cloned by g_memdup() */ + /* Value was already cloned by g_memdup2() */ return true; } @@ -93,7 +93,7 @@ static bool qapi_clone_type_uint64(Visitor *v, const char *name, QapiCloneVisitor *qcv = to_qcv(v); assert(qcv->depth); - /* Value was already cloned by g_memdup() */ + /* Value was already cloned by g_memdup2() */ return true; } @@ -103,7 +103,7 @@ static bool qapi_clone_type_bool(Visitor *v, const char *name, bool *obj, QapiCloneVisitor *qcv = to_qcv(v); assert(qcv->depth); - /* Value was already cloned by g_memdup() */ + /* Value was already cloned by g_memdup2() */ return true; } @@ -114,7 +114,7 @@ static bool qapi_clone_type_str(Visitor *v, const char *name, char **obj, assert(qcv->depth); /* - * Pointer was already cloned by g_memdup; create fresh copy. + * Pointer was already cloned by g_memdup2; create fresh copy. * Note that as long as qobject-output-visitor accepts NULL instead of * "", then we must do likewise. However, we want to obey the * input visitor semantics of never producing NULL when the empty @@ -130,7 +130,7 @@ static bool qapi_clone_type_number(Visitor *v, const char *name, double *obj, QapiCloneVisitor *qcv = to_qcv(v); assert(qcv->depth); - /* Value was already cloned by g_memdup() */ + /* Value was already cloned by g_memdup2() */ return true; } diff --git a/qapi/qapi-visit-core.c b/qapi/qapi-visit-core.c index a641adec51e..ebabe63b6ea 100644 --- a/qapi/qapi-visit-core.c 
+++ b/qapi/qapi-visit-core.c 
@@ -413,8 +413,10 @@ bool visit_type_enum(Visitor *v, const char *name, int *obj, case VISITOR_OUTPUT: return output_type_enum(v, name, obj, lookup, errp); case VISITOR_CLONE: - /* nothing further to do, scalar value was already copied by - * g_memdup() during visit_start_*() */ + /* + * nothing further to do, scalar value was already copied by + * g_memdup2() during visit_start_*() + */ return true; case VISITOR_DEALLOC: /* nothing to deallocate for a scalar */ From patchwork Fri Sep 3 11:06:38 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 12474163 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.5 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 44151C433EF for ; Fri, 3 Sep 2021 11:13:14 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id D0D5460FC4 for ; Fri, 3 Sep 2021 11:13:13 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org D0D5460FC4 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=nongnu.org Received: from localhost ([::1]:40234 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mM78C-0000DW-Rm for qemu-devel@archiver.kernel.org; Fri, 03 Sep 2021 07:13:12 -0400 Received: from eggs.gnu.org 
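Review bot: the comments rewritten throughout qapi-clone-visitor.c and in visit_type_enum() now say "cloned by g_memdup2()" while the code a few lines away calls g_memdup2_qemu(); pick one spelling, ideally by letting callers use g_memdup2() through a define in glib-compat.h, so the comments stay true. The two real conversions, `*obj = g_memdup2_qemu(*obj, size)` in qapi_clone_start_struct() and `tail->next = g_memdup2_qemu(tail->next, size)` in qapi_clone_next_list(), are the ones that carry the fix, since `size` arrives from the visitor interface as a size_t, which is exactly the gsize-to-guint conversion the commit message describes. The visit_type_enum() hunk also reflows the comment into the multi-line style while touching it, which is fine to fold in.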
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 04/28] accel/tcg: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:38 +0200
Message-Id: <20210903110702.588291-5-philmd@redhat.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>
Cc: Fam Zheng , Peter Maydell , Li Zhijian , "Michael S.
Tsirkin" , Jason Wang , Christian Schoenebeck , Yuval Shaia , Peter Xu , Gerd Hoffmann , Alexandre Iooss , Eric Blake , qemu-block@nongnu.org, Zhang Chen , =?utf-8?q?Alex_Benn=C3=A9e?= , Helge Deller , David Hildenbrand , Markus Armbruster , "Gonglei \(Arei\)" , Stefan Weil , =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= , Laurent Vivier , Thomas Huth , Eduardo Habkost , Michael Roth , Richard Henderson , Greg Kurz , Alex Williamson , qemu-arm@nongnu.org, Paolo Bonzini , John Snow , David Gibson , Kevin Wolf , Vladimir Sementsov-Ogievskiy , Laurent Vivier , Shannon Zhao , Hanna Reitz , qemu-ppc@nongnu.org, Igor Mammedov , Mahmoud Mandour Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2_qemu() wrapper. Signed-off-by: Philippe Mathieu-Daudé --- accel/tcg/cputlb.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c index b1e5471f949..1d5069a30d1 100644 --- a/accel/tcg/cputlb.c +++ b/accel/tcg/cputlb.c @@ -826,7 +826,7 @@ void tlb_flush_range_by_mmuidx(CPUState *cpu, target_ulong addr, tlb_flush_range_by_mmuidx_async_0(cpu, d); } else { /* Otherwise allocate a structure, freed by the worker. */ - TLBFlushRangeData *p = g_memdup(&d, sizeof(d)); + TLBFlushRangeData *p = g_memdup2_qemu(&d, sizeof(d)); async_run_on_cpu(cpu, tlb_flush_range_by_mmuidx_async_1, RUN_ON_CPU_HOST_PTR(p)); } 
@@ -868,7 +868,7 @@ void tlb_flush_range_by_mmuidx_all_cpus(CPUState *src_cpu, /* Allocate a separate data block for each destination cpu. */ CPU_FOREACH(dst_cpu) { if (dst_cpu != src_cpu) { - TLBFlushRangeData *p = g_memdup(&d, sizeof(d)); + TLBFlushRangeData *p = g_memdup2_qemu(&d, sizeof(d)); async_run_on_cpu(dst_cpu, tlb_flush_range_by_mmuidx_async_1, RUN_ON_CPU_HOST_PTR(p)); 
@@ -918,13 +918,13 @@ void tlb_flush_range_by_mmuidx_all_cpus_synced(CPUState *src_cpu, /* Allocate a separate data block for each destination cpu. */ CPU_FOREACH(dst_cpu) { if (dst_cpu != src_cpu) { - p = g_memdup(&d, sizeof(d)); + p = g_memdup2_qemu(&d, sizeof(d)); async_run_on_cpu(dst_cpu, tlb_flush_range_by_mmuidx_async_1, RUN_ON_CPU_HOST_PTR(p)); } } - p = g_memdup(&d, sizeof(d)); + p = g_memdup2_qemu(&d, sizeof(d)); async_safe_run_on_cpu(src_cpu, tlb_flush_range_by_mmuidx_async_1, RUN_ON_CPU_HOST_PTR(p)); }
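Review bot: every one of the four cputlb.c call sites passes sizeof(d), a compile-time constant that trivially fits a guint, so none of these g_memdup() calls could ever hit the 64-to-32-bit narrowing the commit message describes. The conversion is still worth doing (it is what lets g_memdup() be retired tree-wide), but the commit message would be more accurate if it said this file is converted for uniformity rather than implying a reachable overflow here.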
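The narrowing that the commit message above describes, shown in working C. This is an added example, not code from QEMU or GLib: legacy_memdup(), memdup2(), size_would_truncate(), legacy_allocated_size() and memdup_checked() are this example's own names, written to mimic the guint and gsize signatures of g_memdup() and g_memdup2() without linking GLib, and the sample buffer is constructed here. It assumes an LP64 host (64-bit size_t, 32-bit unsigned int), which is the 64-to-32-bit case the message refers to.

```c
/*
 * Added example, not QEMU or GLib code: reproduces the shapes of
 * g_memdup() (guint size) and g_memdup2() (gsize size) in plain C so
 * the narrowing the commit message describes can be observed and
 * guarded. Assumes an LP64 host: sizeof(size_t) == 8, UINT_MAX == 2^32-1.
 */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Old API shape: the size parameter is a 32-bit unsigned int (guint). */
static void *legacy_memdup(const void *mem, unsigned int byte_size)
{
    void *copy = NULL;

    if (mem && byte_size != 0) {
        copy = malloc(byte_size);
        if (copy) {
            memcpy(copy, mem, byte_size);
        }
    }
    return copy;
}

/* New API shape: the size parameter is size_t (gsize), so nothing is lost. */
static void *memdup2(const void *mem, size_t byte_size)
{
    void *copy = NULL;

    if (mem && byte_size != 0) {
        copy = malloc(byte_size);
        if (copy) {
            memcpy(copy, mem, byte_size);
        }
    }
    return copy;
}

/* A size_t argument survives a guint parameter only if it fits in 32 bits. */
static bool size_would_truncate(size_t byte_size)
{
    return byte_size > UINT_MAX;
}

/*
 * How many bytes legacy_memdup() really allocates for a size_t request:
 * the cast below performs the same narrowing that an implicit conversion
 * at a g_memdup(ptr, some_size_t) call performs, keeping only the low
 * 32 bits. The caller then believes it owns the full requested length.
 */
static size_t legacy_allocated_size(size_t requested)
{
    unsigned int narrowed = (unsigned int)requested;

    return narrowed;
}

/*
 * Guard for code that still has to call the old API: refuse the copy
 * instead of returning a buffer smaller than the caller will write into.
 */
static void *memdup_checked(const void *mem, size_t byte_size)
{
    if (size_would_truncate(byte_size)) {
        return NULL;
    }
    return legacy_memdup(mem, (unsigned int)byte_size);
}

/*
 * Duplicate a constructed 37-byte sample (36 characters plus NUL) through
 * both helpers and check the copies are exact. Returns true on success.
 */
static bool sample_roundtrip_ok(void)
{
    const char sample[] = "constructed sample buffer for memdup";
    size_t len = sizeof(sample);
    unsigned char *a = memdup2(sample, len);
    unsigned char *b = memdup_checked(sample, len);
    bool ok = a && b && memcmp(a, sample, len) == 0 && memcmp(b, sample, len) == 0;

    free(a);
    free(b);
    return ok;
}

int main(void)
{
    size_t big = (size_t)UINT_MAX + 17;   /* 0x100000010 on LP64 */

    printf("request %zu bytes: old API allocates %zu, truncates=%d\n",
           big, legacy_allocated_size(big), (int)size_would_truncate(big));
    printf("sample round-trip: %s\n", sample_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

The explicit cast in legacy_allocated_size() is the only place a compiler is shown the narrowing; at a real g_memdup(ptr, some_size_t) call the conversion is implicit and only -Wconversion (GCC and Clang) reports it, which is why a gsize-wide wrapper that callers cannot misuse is the durable fix rather than a one-off audit of call sites.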
From patchwork Fri Sep 3 11:06:39 2021
X-Patchwork-Id: 12474157
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 05/28] block/qcow2-bitmap: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:39 +0200
Message-Id: <20210903110702.588291-6-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

  The old API took the size of the memory to duplicate as a guint,
  whereas most memory functions take memory sizes as a gsize. This
  made it easy to accidentally pass a gsize to g_memdup(). For large
  values, that would lead to a silent truncation of the size from 64
  to 32 bits, and result in a heap area being returned which is
  significantly smaller than what the caller expects. This can likely
  be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 block/qcow2-bitmap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/qcow2-bitmap.c b/block/qcow2-bitmap.c index 8fb47315515..ec303acb46b 100644 --- a/block/qcow2-bitmap.c +++ b/block/qcow2-bitmap.c
@@ -1599,7 +1599,7 @@ bool qcow2_store_persistent_dirty_bitmaps(BlockDriverState *bs, name); goto fail; } - tb = g_memdup(&bm->table, sizeof(bm->table)); + tb = g_memdup2_qemu(&bm->table, sizeof(bm->table)); bm->table.offset = 0; bm->table.size = 0; QSIMPLEQ_INSERT_TAIL(&drop_tables, tb, entry);
From patchwork Fri Sep 3 11:06:40 2021
X-Patchwork-Id: 12474161
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 06/28] softmmu: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:40 +0200
Message-Id: <20210903110702.588291-7-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

  The old API took the size of the memory to duplicate as a guint,
  whereas most memory functions take memory sizes as a gsize. This
  made it easy to accidentally pass a gsize to g_memdup(). For large
  values, that would lead to a silent truncation of the size from 64
  to 32 bits, and result in a heap area being returned which is
  significantly smaller than what the caller expects. This can likely
  be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 softmmu/memory.c | 2 +-
 softmmu/vl.c     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/softmmu/memory.c b/softmmu/memory.c index bfedaf9c4df..838a274b627 100644 --- a/softmmu/memory.c +++ b/softmmu/memory.c
@@ -1140,7 +1140,7 @@ static char *memory_region_escape_name(const char *name) bytes += memory_region_need_escape(*p) ? 4 : 1; } if (bytes == p - name) { - return g_memdup(name, bytes + 1); + return g_memdup2_qemu(name, bytes + 1); } escaped = g_malloc(bytes + 1);
diff --git a/softmmu/vl.c b/softmmu/vl.c index ea05bb39c50..a136ef0bfb6 100644 --- a/softmmu/vl.c +++ b/softmmu/vl.c
@@ -1154,7 +1154,7 @@ static int parse_fw_cfg(void *opaque, QemuOpts *opts, Error **errp) } if (nonempty_str(str)) { size = strlen(str); /* NUL terminator NOT included in fw_cfg blob */ - buf = g_memdup(str, size); + buf = g_memdup2_qemu(str, size); } else if (nonempty_str(gen_id)) { if (!fw_cfg_add_from_generator(fw_cfg, name, gen_id, errp)) { return -1;
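Review bot: in the memory_region_escape_name() hunk, the early return only fires when bytes == p - name, i.e. when no character needed escaping, so bytes + 1 is exactly the length of the NUL-terminated name and `return g_strdup(name);` would state the intent more directly than a memdup of bytes + 1, and takes the size-width question off the table for this site. Not blocking; if the memdup stays, the new call at least matches the g_malloc(bytes + 1) just below it, which already took a gsize.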
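Review bot: the parse_fw_cfg() hunk is the one site in this patch where the argument comes from strlen(str), which returns size_t, so unless size is itself declared narrower than that, the old g_memdup(str, size) really was the gsize-into-guint narrowing the commit message describes; it is worth naming in the commit message as the motivating case, in contrast to the sizeof() sites elsewhere in the series. The /* NUL terminator NOT included in fw_cfg blob */ comment still holds, since g_memdup2_qemu() copies exactly size bytes as g_memdup() did.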
From patchwork Fri Sep 3 11:06:41 2021
X-Patchwork-Id: 12474165
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 07/28] hw/9pfs: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:41 +0200
Message-Id: <20210903110702.588291-8-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

  The old API took the size of the memory to duplicate as a guint,
  whereas most memory functions take memory sizes as a gsize. This
  made it easy to accidentally pass a gsize to g_memdup(). For large
  values, that would lead to a silent truncation of the size from 64
  to 32 bits, and result in a heap area being returned which is
  significantly smaller than what the caller expects. This can likely
  be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 hw/9pfs/9p-synth.c | 2 +-
 hw/9pfs/9p.c       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/9pfs/9p-synth.c b/hw/9pfs/9p-synth.c index b38088e0664..7d983574af5 100644 --- a/hw/9pfs/9p-synth.c +++ b/hw/9pfs/9p-synth.c
@@ -497,7 +497,7 @@ static int synth_name_to_path(FsContext *ctx, V9fsPath *dir_path, out: /* Copy the node pointer to fid */ g_free(target->data); - target->data = g_memdup(&node, sizeof(void *)); + target->data = g_memdup2_qemu(&node, sizeof(void *)); target->size = sizeof(void *); return 0; }
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index 2815257f425..5bf1bd7229f 100644
--- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c 
@@ -202,7 +202,7 @@ void v9fs_path_copy(V9fsPath *dst, const V9fsPath *src) { v9fs_path_free(dst); dst->size = src->size; - dst->data = g_memdup(src->data, src->size); + dst->data = g_memdup2_qemu(src->data, src->size); } int v9fs_name_to_path(V9fsState *s, V9fsPath *dirpath,
From patchwork Fri Sep 3 11:06:42 2021
X-Patchwork-Id: 12474179
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 08/28] hw/acpi: Avoid truncating acpi_data_len() to 32-bit
Date: Fri, 3 Sep 2021 13:06:42 +0200
Message-Id: <20210903110702.588291-9-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

acpi_data_len() returns an unsigned type, which might be bigger
than 32-bit (although it is unlikely such value is returned).
Hold the returned value in an 'unsigned' type to avoid unlikely
size truncation.

Signed-off-by: Philippe Mathieu-Daudé
Acked-by: Igor Mammedov
---
 hw/arm/virt-acpi-build.c | 2 +-
 hw/i386/acpi-build.c     | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c index 037cc1fd82c..95543d43e2a 100644 --- a/hw/arm/virt-acpi-build.c +++ b/hw/arm/virt-acpi-build.c
@@ -885,7 +885,7 @@ void virt_acpi_build(VirtMachineState *vms, AcpiBuildTables *tables) static void acpi_ram_update(MemoryRegion *mr, GArray *data) { - uint32_t size = acpi_data_len(data); + unsigned size = acpi_data_len(data); /* Make sure RAM size is correct - in case it got changed * e.g. by migration */
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c index a33ac8b91e1..aa269914b49 100644 --- a/hw/i386/acpi-build.c +++ b/hw/i386/acpi-build.c
@@ -2660,7 +2660,7 @@ void acpi_build(AcpiBuildTables *tables, MachineState *machine) static void acpi_ram_update(MemoryRegion *mr, GArray *data) { - uint32_t size = acpi_data_len(data); + unsigned size = acpi_data_len(data); /* Make sure RAM size is correct - in case it got changed e.g. by migration */ memory_region_ram_resize(mr, size, &error_abort); 
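Review bot: `unsigned size = acpi_data_len(data);` in both acpi_ram_update() hunks (hw/arm/virt-acpi-build.c and hw/i386/acpi-build.c) has the same width as the `uint32_t` it replaces on every ABI QEMU builds for (ILP32, LP64 and LLP64 all have a 32-bit `unsigned int`), so on its own it does not prevent any narrowing; what it does is make the local match the declared return type of acpi_data_len(). The commit message ("might be bigger than 32-bit") reads as if the variable were being widened. Suggest naming the actual return type of acpi_data_len() in the message and, if that type really is wider than `unsigned` (a `size_t`/`gsize`), declaring `size` with that type instead, since the value goes straight into memory_region_ram_resize(mr, size, &error_abort) in the context lines.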
@@ -2783,7 +2783,7 @@ void acpi_setup(void) * Though RSDP is small, its contents isn't immutable, so * we'll update it along with the rest of tables on guest access. */ - uint32_t rsdp_size = acpi_data_len(tables.rsdp); + unsigned rsdp_size = acpi_data_len(tables.rsdp); build_state->rsdp = g_memdup(tables.rsdp->data, rsdp_size); fw_cfg_add_file_callback(x86ms->fw_cfg, ACPI_BUILD_RSDP_FILE, From patchwork Fri Sep 3 11:06:43 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 12474191 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.5 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id B2BE5C433F5 for ; Fri, 3 Sep 2021 11:25:25 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 54D1C6108E for ; Fri, 3 Sep 2021 11:25:25 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 54D1C6108E Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=nongnu.org Received: from localhost ([::1]:42270 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mM7K0-00040c-HB for qemu-devel@archiver.kernel.org; Fri, 03 Sep 2021 07:25:24 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:42940) by lists.gnu.org with esmtps 
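Review bot: in the acpi_setup() hunk, `rsdp_size` feeds two calls in the visible context, g_memdup(tables.rsdp->data, rsdp_size) and fw_cfg_add_file_callback(..., build_state->rsdp, rsdp_size, true). Since g_memdup() still takes its length as a guint at this point in the series, `unsigned` matches that parameter exactly and no implicit conversion happens there; when the next patch switches this line to g_memdup2_qemu(), consider widening `rsdp_size` in the same step so the duplicated buffer and the fw_cfg file length are derived from a single value of the wider type. Small style point while the line is being touched: the comment above it reads "its contents isn't immutable"; "its contents aren't immutable" reads better.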
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 09/28] hw/acpi: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:43 +0200
Message-Id: <20210903110702.588291-10-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>
X-Mailer: git-send-email 2.31.1
Cc: Fam Zheng, Peter Maydell, Li Zhijian, "Michael S.
Tsirkin" , Jason Wang , Christian Schoenebeck , Yuval Shaia , Peter Xu , Gerd Hoffmann , Alexandre Iooss , Eric Blake , qemu-block@nongnu.org, Zhang Chen , =?utf-8?q?Alex_Benn=C3=A9e?= , Helge Deller , David Hildenbrand , Markus Armbruster , "Gonglei \(Arei\)" , Stefan Weil , =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= , Laurent Vivier , Thomas Huth , Eduardo Habkost , Michael Roth , Richard Henderson , Greg Kurz , Alex Williamson , qemu-arm@nongnu.org, Paolo Bonzini , John Snow , David Gibson , Kevin Wolf , Vladimir Sementsov-Ogievskiy , Laurent Vivier , Shannon Zhao , Hanna Reitz , qemu-ppc@nongnu.org, Igor Mammedov , Mahmoud Mandour Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2_qemu() wrapper. Signed-off-by: Philippe Mathieu-Daudé Acked-by: Igor Mammedov --- hw/acpi/core.c | 3 ++- hw/i386/acpi-build.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/hw/acpi/core.c b/hw/acpi/core.c index 1e004d0078d..9dd2cf09a0b 100644 --- a/hw/acpi/core.c +++ b/hw/acpi/core.c @@ -637,7 +637,8 @@ void acpi_pm1_cnt_init(ACPIREGS *ar, MemoryRegion *parent, suspend[3] = 1 | ((!disable_s3) << 7); suspend[4] = s4_val | ((!disable_s4) << 7); - fw_cfg_add_file(fw_cfg, "etc/system-states", g_memdup(suspend, 6), 6); + fw_cfg_add_file(fw_cfg, "etc/system-states", + g_memdup2_qemu(suspend, 6), 6); } } 
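Review bot: `g_memdup2_qemu(suspend, 6), 6` in the acpi_pm1_cnt_init() hunk passes the length as a literal twice. The context lines index `suspend[3]` and `suspend[4]`, so if `suspend` is declared as an array, `sizeof(suspend)` for both arguments keeps the duplicated length and the fw_cfg file length in lock-step and removes the magic number; if it is a pointer, a named constant (an `ACPI_SYSTEM_STATES_LEN`-style placeholder, name to be chosen) used in both places does the same. The re-wrapped second line is otherwise fine.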
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c index aa269914b49..54494ca1f65 100644 --- a/hw/i386/acpi-build.c +++ b/hw/i386/acpi-build.c 
@@ -2785,7 +2785,7 @@ void acpi_setup(void) */ unsigned rsdp_size = acpi_data_len(tables.rsdp); - build_state->rsdp = g_memdup(tables.rsdp->data, rsdp_size); + build_state->rsdp = g_memdup2_qemu(tables.rsdp->data, rsdp_size); fw_cfg_add_file_callback(x86ms->fw_cfg, ACPI_BUILD_RSDP_FILE, acpi_build_update, NULL, build_state, build_state->rsdp, rsdp_size, true); From patchwork Fri Sep 3 11:06:44 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 12474173 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.5 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0BDC0C433F5 for ; Fri, 3 Sep 2021 11:20:31 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 8E0CE61056 for ; Fri, 3 Sep 2021 11:20:30 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 8E0CE61056 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=nongnu.org Received: from localhost ([::1]:54680 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mM7FF-0001m2-Mh for qemu-devel@archiver.kernel.org; Fri, 03 Sep 2021 07:20:29 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:43002) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) 
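Review bot: with `build_state->rsdp = g_memdup2_qemu(tables.rsdp->data, rsdp_size);` the length parameter is now a gsize per the commit message, but `rsdp_size` is still the `unsigned` introduced by patch 08 and the same variable is also handed to fw_cfg_add_file_callback() two lines below. Both conversions widen, so nothing is lost here; a sentence in the commit message saying that this site never truncated (an RSDP is a few dozen bytes) would make clear the change retires the deprecated API rather than fixing a live overflow at this call. Patches 08 and 09 rewrite this same line twice; that is fine, but worth a mention in the cover letter.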
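The silent 64-to-32-bit length truncation that the commit message of PATCH 09/28 above quotes from the GNOME discourse post, shown as an added example in C. This is editor-supplied illustration, not QEMU or GLib code: `memdup_guint()` and `memdup_gsize()` are hypothetical stand-ins for the old g_memdup() signature (guint length) and the g_memdup2_qemu()-style replacement (gsize length), and the 6-byte sample buffer is constructed for the example.

```c
/* Added example: how a guint length parameter truncates a size_t request,
 * and the check a caller can apply before handing a size_t to such an API.
 * memdup_guint() / memdup_gsize() are hypothetical stand-ins, not GLib. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Old-style signature: the length is a 32-bit unsigned (GLib's guint).
 * A caller holding a size_t has it converted modulo 2^32 at the call. */
static void *memdup_guint(const void *src, unsigned int len)
{
    void *dst = malloc(len ? len : 1);
    if (dst) {
        memcpy(dst, src, len);
    }
    return dst;
}

/* Replacement signature: the length keeps its full width (gsize). */
static void *memdup_gsize(const void *src, size_t len)
{
    void *dst = malloc(len ? len : 1);
    if (dst) {
        memcpy(dst, src, len);
    }
    return dst;
}

/* The number of bytes the old API would actually allocate for a request of
 * `len` bytes: exactly the implicit conversion the compiler performs. */
unsigned int truncated_len(size_t len)
{
    return (unsigned int)len;
}

/* Defender's check: does passing `len` to a guint parameter lose bits? */
bool len_fits_guint(size_t len)
{
    return len <= UINT_MAX;
}

/* How far a caller would write past a buffer sized by the truncated length
 * (0 when no truncation occurs). Computed, not allocated, so the example
 * never needs gigabytes of memory to show the mismatch. */
size_t overflow_bytes_if_truncated(size_t requested)
{
    size_t allocated = truncated_len(requested);
    return requested > allocated ? requested - allocated : 0;
}

/* Small sizes behave identically under both signatures; returns 1 when both
 * copies match the constructed 6-byte sample. */
int small_copy_matches_both_apis(void)
{
    static const unsigned char sample[6] = { 0x05, 0x00, 0x00, 0x01, 0x80, 0x80 }; /* constructed */
    unsigned char *old_copy = memdup_guint(sample, (unsigned int)sizeof(sample));
    unsigned char *new_copy = memdup_gsize(sample, sizeof(sample));
    int ok = old_copy && new_copy &&
             memcmp(old_copy, sample, sizeof(sample)) == 0 &&
             memcmp(new_copy, sample, sizeof(sample)) == 0;
    free(old_copy);
    free(new_copy);
    return ok;
}

int main(void)
{
    size_t big = ((size_t)1 << 32) + 16;   /* 4 GiB + 16 bytes */
    printf("request %zu bytes -> guint sees %u, fits=%d, overflow=%zu bytes\n",
           big, truncated_len(big), len_fits_guint(big),
           overflow_bytes_if_truncated(big));
    printf("small copies match: %d\n", small_copy_matches_both_apis());
    return 0;
}
```

The point of `overflow_bytes_if_truncated()` is the one the commit message makes: a 4 GiB + 16 byte request reaches the guint parameter as 16, the allocation is 16 bytes, and the subsequent copy of the full size_t length runs 4 GiB past it. A wrapper with a gsize parameter removes the conversion; `len_fits_guint()` is the explicit check to apply wherever the narrow API must remain.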
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 10/28] hw/core/machine: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:44 +0200
Message-Id: <20210903110702.588291-11-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>
X-Mailer: git-send-email 2.31.1
Cc: Fam Zheng, Peter Maydell, Li Zhijian, "Michael S.
Tsirkin" , Jason Wang , Christian Schoenebeck , Yuval Shaia , Peter Xu , Gerd Hoffmann , Alexandre Iooss , Eric Blake , qemu-block@nongnu.org, Zhang Chen , =?utf-8?q?Alex_Benn=C3=A9e?= , Helge Deller , David Hildenbrand , Markus Armbruster , "Gonglei \(Arei\)" , Stefan Weil , =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= , Laurent Vivier , Thomas Huth , Eduardo Habkost , Michael Roth , Richard Henderson , Greg Kurz , Alex Williamson , qemu-arm@nongnu.org, Paolo Bonzini , John Snow , David Gibson , Kevin Wolf , Vladimir Sementsov-Ogievskiy , Laurent Vivier , Shannon Zhao , Hanna Reitz , qemu-ppc@nongnu.org, Igor Mammedov , Mahmoud Mandour Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2_qemu() wrapper. Signed-off-by: Philippe Mathieu-Daudé --- hw/core/machine.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/core/machine.c b/hw/core/machine.c index 067f42b528f..0808a681360 100644 --- a/hw/core/machine.c +++ b/hw/core/machine.c 
@@ -615,8 +615,8 @@ HotpluggableCPUList *machine_query_hotpluggable_cpus(MachineState *machine) cpu_item->type = g_strdup(machine->possible_cpus->cpus[i].type); cpu_item->vcpus_count = machine->possible_cpus->cpus[i].vcpus_count; - cpu_item->props = g_memdup(&machine->possible_cpus->cpus[i].props, - sizeof(*cpu_item->props)); + cpu_item->props = g_memdup2_qemu(&machine->possible_cpus->cpus[i].props, + sizeof(*cpu_item->props)); cpu = machine->possible_cpus->cpus[i].cpu; if (cpu) { From patchwork Fri Sep 3 11:06:45 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 12474187 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.5 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 67479C433F5 for ; Fri, 3 Sep 2021 11:23:46 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 07CF96108E for ; Fri, 3 Sep 2021 11:23:46 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 07CF96108E Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=nongnu.org Received: from localhost ([::1]:34972 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mM7IP-0007ar-7L for qemu-devel@archiver.kernel.org; Fri, 03 Sep 2021 07:23:45 -0400 Received: from 
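Review bot: the length in this machine_query_hotpluggable_cpus() hunk is `sizeof(*cpu_item->props)`, a compile-time constant that trivially fits in a guint, so this call was never exposed to the 64-to-32-bit truncation the commit message describes; the reason to change it is that g_memdup() is deprecated, and the message would be more accurate saying so instead of reusing the generic truncation text. Also check the continuation line: `g_memdup2_qemu(` is five characters longer than `g_memdup(`, so `sizeof(*cpu_item->props));` on the second `+` line needs re-indenting to line up with the opening parenthesis, which this rendering does not show.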
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 11/28] hw/hppa/machine: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:45 +0200
Message-Id: <20210903110702.588291-12-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>
X-Mailer: git-send-email 2.31.1
Cc: Fam Zheng, Peter Maydell, Li Zhijian, "Michael S.
Tsirkin" , Jason Wang , Christian Schoenebeck , Yuval Shaia , Peter Xu , Gerd Hoffmann , Alexandre Iooss , Eric Blake , qemu-block@nongnu.org, Zhang Chen , =?utf-8?q?Alex_Benn=C3=A9e?= , Helge Deller , David Hildenbrand , Markus Armbruster , "Gonglei \(Arei\)" , Stefan Weil , =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= , Laurent Vivier , Thomas Huth , Eduardo Habkost , Michael Roth , Richard Henderson , Greg Kurz , Alex Williamson , qemu-arm@nongnu.org, Paolo Bonzini , John Snow , David Gibson , Kevin Wolf , Vladimir Sementsov-Ogievskiy , Laurent Vivier , Shannon Zhao , Hanna Reitz , qemu-ppc@nongnu.org, Igor Mammedov , Mahmoud Mandour Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2_qemu() wrapper. Signed-off-by: Philippe Mathieu-Daudé --- hw/hppa/machine.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hw/hppa/machine.c b/hw/hppa/machine.c index 2a46af5bc9b..058a81e85dd 100644 --- a/hw/hppa/machine.c +++ b/hw/hppa/machine.c 
@@ -101,19 +101,19 @@ static FWCfgState *create_fw_cfg(MachineState *ms) val = cpu_to_le64(MIN_SEABIOS_HPPA_VERSION); fw_cfg_add_file(fw_cfg, "/etc/firmware-min-version", - g_memdup(&val, sizeof(val)), sizeof(val)); + g_memdup2_qemu(&val, sizeof(val)), sizeof(val)); val = cpu_to_le64(HPPA_TLB_ENTRIES); fw_cfg_add_file(fw_cfg, "/etc/cpu/tlb_entries", - g_memdup(&val, sizeof(val)), sizeof(val)); + g_memdup2_qemu(&val, sizeof(val)), sizeof(val)); val = cpu_to_le64(HPPA_BTLB_ENTRIES); fw_cfg_add_file(fw_cfg, "/etc/cpu/btlb_entries", - g_memdup(&val, sizeof(val)), sizeof(val)); + g_memdup2_qemu(&val, sizeof(val)), sizeof(val)); val = cpu_to_le64(HPA_POWER_BUTTON); fw_cfg_add_file(fw_cfg, "/etc/power-button-addr", - g_memdup(&val, sizeof(val)), sizeof(val)); + g_memdup2_qemu(&val, sizeof(val)), sizeof(val)); fw_cfg_add_i16(fw_cfg, FW_CFG_BOOT_DEVICE, ms->boot_order[0]); qemu_register_boot_set(fw_cfg_boot_set, fw_cfg); From patchwork Fri Sep 3 11:06:46 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 12474195 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.5 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E7FF9C433EF for ; Fri, 3 Sep 2021 11:26:01 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id B648A6056C for ; Fri, 3 Sep 2021 11:26:01 +0000 (UTC) DMARC-Filter: 
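Review bot: all four replaced calls in create_fw_cfg() duplicate the same 64-bit `val` (set via cpu_to_le64()) with `sizeof(val)`, so none of them could truncate; as at the other sizeof() sites the motivation is the deprecated API, and the commit message should say that. Since every one of these lines is rewritten anyway, the repeated pattern `val = cpu_to_le64(X); fw_cfg_add_file(fw_cfg, "/etc/...", g_memdup2_qemu(&val, sizeof(val)), sizeof(val));` is a good candidate for a small static helper taking (fw_cfg, name, value) that does the byte-swap and the copy once, which also makes a future mismatch between the duplicated length and the file length impossible. One thing visible in the hunk but outside this patch's scope: these file names carry a leading slash ("/etc/cpu/tlb_entries") whereas hw/acpi/core.c earlier in the series uses "etc/system-states"; worth confirming the hppa firmware expects the slash.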
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 12/28] hw/i386/multiboot: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:46 +0200
Message-Id: <20210903110702.588291-13-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>
X-Mailer: git-send-email 2.31.1
Cc: Fam Zheng, Peter Maydell, Li Zhijian, "Michael S.
Tsirkin" , Jason Wang , Christian Schoenebeck , Yuval Shaia , Peter Xu , Gerd Hoffmann , Alexandre Iooss , Eric Blake , qemu-block@nongnu.org, Zhang Chen , =?utf-8?q?Alex_Benn=C3=A9e?= , Helge Deller , David Hildenbrand , Markus Armbruster , "Gonglei \(Arei\)" , Stefan Weil , =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= , Laurent Vivier , Thomas Huth , Eduardo Habkost , Michael Roth , Richard Henderson , Greg Kurz , Alex Williamson , qemu-arm@nongnu.org, Paolo Bonzini , John Snow , David Gibson , Kevin Wolf , Vladimir Sementsov-Ogievskiy , Laurent Vivier , Shannon Zhao , Hanna Reitz , qemu-ppc@nongnu.org, Igor Mammedov , Mahmoud Mandour Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2_qemu() wrapper. Signed-off-by: Philippe Mathieu-Daudé --- hw/i386/multiboot.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c index 9e7d69d4705..f536e3c8c96 100644 --- a/hw/i386/multiboot.c +++ b/hw/i386/multiboot.c 
@@ -387,7 +387,7 @@ int load_multiboot(FWCfgState *fw_cfg, mb_debug(" mb_mods_count = %d", mbs.mb_mods_count); /* save bootinfo off the stack */ - mb_bootinfo_data = g_memdup(bootinfo, sizeof(bootinfo)); + mb_bootinfo_data = g_memdup2_qemu(bootinfo, sizeof(bootinfo)); /* Pass variables to option rom */ fw_cfg_add_i32(fw_cfg, FW_CFG_KERNEL_ENTRY, mh_entry_addr); From patchwork Fri Sep 3 11:06:47 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 12474171 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.5 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DA7A0C433EF for ; Fri, 3 Sep 2021 11:18:53 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id A5FEC61056 for ; Fri, 3 Sep 2021 11:18:53 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org A5FEC61056 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=nongnu.org Received: from localhost ([::1]:51994 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mM7Dg-0008Hm-OU for qemu-devel@archiver.kernel.org; Fri, 03 Sep 2021 07:18:52 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:43224) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) 
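Review bot: `mb_bootinfo_data = g_memdup2_qemu(bootinfo, sizeof(bootinfo));` is correct only if `bootinfo` is an array in load_multiboot() (the context comment "save bootinfo off the stack" suggests it is); if it were a pointer, `sizeof(bootinfo)` would silently copy only the pointer's width. Worth confirming the declaration in the commit message, and since the length is again a compile-time constant, the truncation rationale in the message does not apply to this site either.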
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 13/28] hw/net/eepro100: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:47 +0200
Message-Id: <20210903110702.588291-14-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>
Cc: Fam Zheng , Peter Maydell , Li Zhijian , "Michael S.
Tsirkin" , Jason Wang , Christian Schoenebeck , Yuval Shaia , Peter Xu , Gerd Hoffmann , Alexandre Iooss , Eric Blake , qemu-block@nongnu.org, Zhang Chen , =?utf-8?q?Alex_Benn=C3=A9e?= , Helge Deller , David Hildenbrand , Markus Armbruster , "Gonglei \(Arei\)" , Stefan Weil , =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= , Laurent Vivier , Thomas Huth , Eduardo Habkost , Michael Roth , Richard Henderson , Greg Kurz , Alex Williamson , qemu-arm@nongnu.org, Paolo Bonzini , John Snow , David Gibson , Kevin Wolf , Vladimir Sementsov-Ogievskiy , Laurent Vivier , Shannon Zhao , Hanna Reitz , qemu-ppc@nongnu.org, Igor Mammedov , Mahmoud Mandour Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2_qemu() wrapper. Signed-off-by: Philippe Mathieu-Daudé --- hw/net/eepro100.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c index 16e95ef9cc9..ed2bc54c052 100644 --- a/hw/net/eepro100.c +++ b/hw/net/eepro100.c 
@@ -1872,7 +1872,7 @@ static void e100_nic_realize(PCIDevice *pci_dev, Error **errp) qemu_register_reset(nic_reset, s); - s->vmstate = g_memdup(&vmstate_eepro100, sizeof(vmstate_eepro100)); + s->vmstate = g_memdup2_qemu(&vmstate_eepro100, sizeof(vmstate_eepro100)); s->vmstate->name = qemu_get_queue(s->nic)->model; vmstate_register(VMSTATE_IF(&pci_dev->qdev), VMSTATE_INSTANCE_ID_ANY, s->vmstate, s); From patchwork Fri Sep 3 11:06:48 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 12474233 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.5 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CB09BC433EF for ; Fri, 3 Sep 2021 11:29:51 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 5FB96610CC for ; Fri, 3 Sep 2021 11:29:51 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 5FB96610CC Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=nongnu.org Received: from localhost ([::1]:56174 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mM7OI-0004v6-GX for qemu-devel@archiver.kernel.org; Fri, 03 Sep 2021 07:29:50 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:43202) by lists.gnu.org with esmtps 
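Review bot: In the hw/net/eepro100.c hunk the copy is genuinely required, because the very next context line mutates it (`s->vmstate->name = qemu_get_queue(s->nic)->model;`), so pointing at the shared `vmstate_eepro100` would not do; the conversion itself is mechanical with a constant `sizeof()`. Nothing in the visible lines releases `s->vmstate`, so check that the device's unrealize path frees it (pre-existing, not introduced by this hunk), and as for multiboot the header declaring `g_memdup2_qemu()` must already be reachable from this file.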
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 14/28] hw/nvram/fw_cfg: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:48 +0200
Message-Id: <20210903110702.588291-15-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>
Cc: Fam Zheng , Peter Maydell , Li Zhijian , "Michael S.
Tsirkin" , Jason Wang , Christian Schoenebeck , Yuval Shaia , Peter Xu , Gerd Hoffmann , Alexandre Iooss , Eric Blake , qemu-block@nongnu.org, Zhang Chen , =?utf-8?q?Alex_Benn=C3=A9e?= , Helge Deller , David Hildenbrand , Markus Armbruster , "Gonglei \(Arei\)" , Stefan Weil , =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= , Laurent Vivier , Thomas Huth , Eduardo Habkost , Michael Roth , Richard Henderson , Greg Kurz , Alex Williamson , qemu-arm@nongnu.org, Paolo Bonzini , John Snow , David Gibson , Kevin Wolf , Vladimir Sementsov-Ogievskiy , Laurent Vivier , Shannon Zhao , Hanna Reitz , qemu-ppc@nongnu.org, Igor Mammedov , Mahmoud Mandour Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2_qemu() wrapper. Signed-off-by: Philippe Mathieu-Daudé --- hw/nvram/fw_cfg.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c index 9b8dcca4ead..fefcdeb8241 100644 --- a/hw/nvram/fw_cfg.c +++ b/hw/nvram/fw_cfg.c @@ -205,7 +205,8 @@ static void fw_cfg_bootsplash(FWCfgState *s) /* use little endian format */ bst_le16 = cpu_to_le16(bst_val); fw_cfg_add_file(s, "etc/boot-menu-wait", - g_memdup(&bst_le16, sizeof bst_le16), sizeof bst_le16); + g_memdup2_qemu(&bst_le16, sizeof bst_le16), + sizeof bst_le16); } /* insert splash file if user configurated */ 
@@ -260,7 +261,7 @@ static void fw_cfg_reboot(FWCfgState *s) } rt_le32 = cpu_to_le32(rt_val); - fw_cfg_add_file(s, "etc/boot-fail-wait", g_memdup(&rt_le32, 4), 4); + fw_cfg_add_file(s, "etc/boot-fail-wait", g_memdup2_qemu(&rt_le32, 4), 4); } static void fw_cfg_write(FWCfgState *s, uint8_t value) @@ -755,7 +756,7 @@ void fw_cfg_add_string(FWCfgState *s, uint16_t key, const char *value) size_t sz = strlen(value) + 1; trace_fw_cfg_add_string(key, trace_key_name(key), value); - fw_cfg_add_bytes(s, key, g_memdup(value, sz), sz); + fw_cfg_add_bytes(s, key, g_memdup2_qemu(value, sz), sz); } void fw_cfg_modify_string(FWCfgState *s, uint16_t key, const char *value) 
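Review bot: The `fw_cfg_reboot` hunk passes the literal `4` twice (`g_memdup2_qemu(&rt_le32, 4), 4`) while the `fw_cfg_bootsplash` hunk above uses `sizeof bst_le16`; since the line is being rewritten anyway, `sizeof rt_le32` would keep the two call sites consistent and tie the copy length to the variable's type instead of a magic number.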
@@ -763,7 +764,7 @@ void fw_cfg_modify_string(FWCfgState *s, uint16_t key, const char *value) size_t sz = strlen(value) + 1; char *old; - old = fw_cfg_modify_bytes_read(s, key, g_memdup(value, sz), sz); + old = fw_cfg_modify_bytes_read(s, key, g_memdup2_qemu(value, sz), sz); g_free(old); } From patchwork Fri Sep 3 11:06:49 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 12474235 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.5 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 15B56C433EF for ; Fri, 3 Sep 2021 11:31:52 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 98932608FB for ; Fri, 3 Sep 2021 11:31:51 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 98932608FB Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=nongnu.org Received: from localhost ([::1]:33508 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mM7QE-0000aO-Nx for qemu-devel@archiver.kernel.org; Fri, 03 Sep 2021 07:31:50 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:47578) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mM7Ep-0002e8-QF for qemu-devel@nongnu.org; Fri, 03 Sep 
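Review bot: The `fw_cfg_add_string` and `fw_cfg_modify_string` hunks are the ones where the commit message's motivation actually applies: `sz` is a `size_t` computed as `strlen(value) + 1`, so with the old prototype it was narrowed to `guint` at the `g_memdup()` call while the same untruncated `sz` was passed on as the entry length, which is precisely the gap between allocated and declared size the commit message warns about. It would help reviewers if the commit message singled out these string paths as the real fix, as opposed to the fixed-size `sizeof` call sites, which are type hygiene only.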
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 15/28] hw/scsi/mptsas: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:49 +0200
Message-Id: <20210903110702.588291-16-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>
Cc: Fam Zheng , Peter Maydell , Li Zhijian , "Michael S.
Tsirkin" , Jason Wang , Christian Schoenebeck , Yuval Shaia , Peter Xu , Gerd Hoffmann , Alexandre Iooss , Eric Blake , qemu-block@nongnu.org, Zhang Chen , =?utf-8?q?Alex_Benn=C3=A9e?= , Helge Deller , David Hildenbrand , Markus Armbruster , "Gonglei \(Arei\)" , Stefan Weil , =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= , Laurent Vivier , Thomas Huth , Eduardo Habkost , Michael Roth , Richard Henderson , Greg Kurz , Alex Williamson , qemu-arm@nongnu.org, Paolo Bonzini , John Snow , David Gibson , Kevin Wolf , Vladimir Sementsov-Ogievskiy , Laurent Vivier , Shannon Zhao , Hanna Reitz , qemu-ppc@nongnu.org, Igor Mammedov , Mahmoud Mandour Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2_qemu() wrapper. Signed-off-by: Philippe Mathieu-Daudé --- hw/scsi/mptsas.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c index db3219e7d20..d05735d3e11 100644 --- a/hw/scsi/mptsas.c +++ b/hw/scsi/mptsas.c @@ -449,7 +449,8 @@ static void mptsas_process_scsi_task_mgmt(MPTSASState *s, MPIMsgSCSITaskMgmt *re } else { MPTSASCancelNotifier *notifier; - reply_async = g_memdup(&reply, sizeof(MPIMsgSCSITaskMgmtReply)); + reply_async = g_memdup2_qemu(&reply, + sizeof(MPIMsgSCSITaskMgmtReply)); reply_async->IOCLogInfo = INT_MAX; count = 1; 
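Review bot: In the first hw/scsi/mptsas.c hunk the copy length is spelled with the type name, `sizeof(MPIMsgSCSITaskMgmtReply)`, rather than `sizeof(reply)`; if `reply` is declared as that type the two are identical, but `sizeof(reply)` keeps the length bound to the object actually being copied and is short enough to avoid the new continuation line. The same remark applies to the second hunk of this file, which otherwise needs no change.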
@@ -476,7 +477,7 @@ static void mptsas_process_scsi_task_mgmt(MPTSASState *s, MPIMsgSCSITaskMgmt *re goto out; } - reply_async = g_memdup(&reply, sizeof(MPIMsgSCSITaskMgmtReply)); + reply_async = g_memdup2_qemu(&reply, sizeof(MPIMsgSCSITaskMgmtReply)); reply_async->IOCLogInfo = INT_MAX; count = 0; From patchwork Fri Sep 3 11:06:50 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 12474175 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.6 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C1ED1C433F5 for ; Fri, 3 Sep 2021 11:21:14 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 4674C604AC for ; Fri, 3 Sep 2021 11:21:14 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 4674C604AC Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=nongnu.org Received: from localhost ([::1]:56960 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mM7Fx-0003R5-Eh for qemu-devel@archiver.kernel.org; Fri, 03 Sep 2021 07:21:13 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:43278) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mM73q-0007K3-A4 for qemu-devel@nongnu.org; Fri, 03 Sep 2021 
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 16/28] hw/ppc/spapr_pci: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:50 +0200
Message-Id: <20210903110702.588291-17-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>
Cc: Fam Zheng , Peter Maydell , Li Zhijian , "Michael S.
Tsirkin" , Jason Wang , Christian Schoenebeck , Yuval Shaia , Peter Xu , Gerd Hoffmann , Alexandre Iooss , Eric Blake , qemu-block@nongnu.org, Zhang Chen , =?utf-8?q?Alex_Benn=C3=A9e?= , Helge Deller , David Hildenbrand , Markus Armbruster , "Gonglei \(Arei\)" , Stefan Weil , =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= , Laurent Vivier , Thomas Huth , Eduardo Habkost , Michael Roth , Richard Henderson , Greg Kurz , Alex Williamson , qemu-arm@nongnu.org, Paolo Bonzini , John Snow , David Gibson , Kevin Wolf , Vladimir Sementsov-Ogievskiy , Laurent Vivier , Shannon Zhao , Hanna Reitz , qemu-ppc@nongnu.org, Igor Mammedov , Mahmoud Mandour Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2_qemu() wrapper. Signed-off-by: Philippe Mathieu-Daudé Acked-by: David Gibson --- hw/ppc/spapr_pci.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c index 7430bd63142..79c0e8d4f98 100644 --- a/hw/ppc/spapr_pci.c +++ b/hw/ppc/spapr_pci.c 
@@ -2201,10 +2201,10 @@ static int spapr_pci_post_load(void *opaque, int version_id) int i; for (i = 0; i < sphb->msi_devs_num; ++i) { - key = g_memdup(&sphb->msi_devs[i].key, - sizeof(sphb->msi_devs[i].key)); - value = g_memdup(&sphb->msi_devs[i].value, - sizeof(sphb->msi_devs[i].value)); + key = g_memdup2_qemu(&sphb->msi_devs[i].key, + sizeof(sphb->msi_devs[i].key)); + value = g_memdup2_qemu(&sphb->msi_devs[i].value, + sizeof(sphb->msi_devs[i].value)); g_hash_table_insert(sphb->msi, key, value); } g_free(sphb->msi_devs); From patchwork Fri Sep 3 11:06:51 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 12474177 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.5 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 40810C433EF for ; Fri, 3 Sep 2021 11:22:36 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id CE4A3610CE for ; Fri, 3 Sep 2021 11:22:35 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org CE4A3610CE Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=nongnu.org Received: from localhost ([::1]:60764 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mM7HH-0005xS-0o for qemu-devel@archiver.kernel.org; Fri, 03 Sep 
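Review bot: The `spapr_pci_post_load` hunk allocates a fresh `key` and `value` per MSI device and hands both to `g_hash_table_insert()`, so ownership ends up with `sphb->msi`; nothing in the visible lines shows that table being created with destroy functions. Please confirm it was (pre-existing behaviour, not introduced here), otherwise each post-load leaks two allocations per device. The re-wrapped continuation lines now align under the opening parenthesis of `g_memdup2_qemu(`, which is fine.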
From patchwork Fri Sep 3 11:06:51 2021
X-Patchwork-Id: 12474177
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 17/28] hw/rdma: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:51 +0200
Message-Id: <20210903110702.588291-18-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>
Cc: Fam Zheng, Peter Maydell, Li Zhijian, "Michael S. Tsirkin", Jason Wang, Christian Schoenebeck, Yuval Shaia, Peter Xu, Gerd Hoffmann, Alexandre Iooss, Eric Blake, qemu-block@nongnu.org, Zhang Chen, Alex Bennée, Helge Deller, David Hildenbrand, Markus Armbruster, "Gonglei (Arei)", Stefan Weil, Philippe Mathieu-Daudé, Laurent Vivier, Thomas Huth, Eduardo Habkost, Michael Roth, Richard Henderson, Greg Kurz, Alex Williamson, qemu-arm@nongnu.org, Paolo Bonzini, John Snow, David Gibson, Kevin Wolf, Vladimir Sementsov-Ogievskiy, Laurent Vivier, Shannon Zhao, Hanna Reitz, qemu-ppc@nongnu.org, Igor Mammedov, Mahmoud Mandour

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 hw/rdma/rdma_utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/rdma/rdma_utils.c b/hw/rdma/rdma_utils.c
index 98df58f6897..9792b1c8ef5 100644
--- a/hw/rdma/rdma_utils.c
+++ b/hw/rdma/rdma_utils.c
@@ -71,7 +71,7 @@ void rdma_protected_gqueue_append_int64(RdmaProtectedGQueue *list, int64_t value) { qemu_mutex_lock(&list->lock); - g_queue_push_tail(list->list, g_memdup(&value, sizeof(value))); + g_queue_push_tail(list->list, g_memdup2_qemu(&value, sizeof(value))); qemu_mutex_unlock(&list->lock); }
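Review bot: the truncation argument in the commit message does not apply to this hunk: the size passed is sizeof(value) for an int64_t, a compile-time constant that fits a guint, so the old g_memdup() could not have under-allocated here. The change is still correct as a migration away from the deprecated API, but the "This can likely be exploited" sentence overstates this call site; say instead that the size is constant here and the replacement is for API consistency, so reviewers can tell the mechanical patches in the series from the ones that close a real narrowing.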
From patchwork Fri Sep 3 11:06:52 2021
X-Patchwork-Id: 12474231
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 18/28] hw/vfio/pci: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:52 +0200
Message-Id: <20210903110702.588291-19-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 hw/vfio/pci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
index e1ea1d8a23b..5c9acfd9c40 100644
--- a/hw/vfio/pci.c
+++ b/hw/vfio/pci.c
@@ -2040,7 +2040,7 @@ static void vfio_add_ext_cap(VFIOPCIDevice *vdev) * physical device, we cache the config space to avoid overwriting * the original config space when we parse the extended capabilities. */ - config = g_memdup(pdev->config, vdev->config_size); + config = g_memdup2_qemu(pdev->config, vdev->config_size); /* * Extended capabilities are chained with each pointing to the next, so we
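Review bot: whether this hunk closes a real narrowing depends on the type of vdev->config_size, which the hunk does not show and the commit message does not state. If config_size is a 32-bit field, g_memdup() could not have truncated it and this is an API-consistency change; if it is a size_t, this is exactly the call site the quoted gnome.org text describes and the message should say so. Either way, one sentence giving the type, and confirming that config_size is the length of pdev->config since the copy is what the extended-capability parsing below walks as the config space, would let the patch be reviewed on its own.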
From patchwork Fri Sep 3 11:06:53 2021
X-Patchwork-Id: 12474193
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [RFC PATCH 19/28] hw/virtio: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:53 +0200
Message-Id: <20210903110702.588291-20-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
Should we check in_num/out_num in range?
---
 hw/net/virtio-net.c       | 3 ++-
 hw/virtio/virtio-crypto.c | 7 ++++---
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 16d20cdee52..8fa23d5f941 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1449,7 +1449,8 @@ static void virtio_net_handle_ctrl(VirtIODevice *vdev, VirtQueue *vq) } iov_cnt = elem->out_num; - iov2 = iov = g_memdup(elem->out_sg, sizeof(struct iovec) * elem->out_num); + iov2 = iov = g_memdup2_qemu(elem->out_sg, + sizeof(struct iovec) * elem->out_num); s = iov_to_buf(iov, iov_cnt, 0, &ctrl, sizeof(ctrl)); iov_discard_front(&iov, &iov_cnt, sizeof(ctrl)); if (s != sizeof(ctrl)) { diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c index 54f9bbb789c..43c1a39e469 100644 --- a/hw/virtio/virtio-crypto.c +++ b/hw/virtio/virtio-crypto.c @@ -242,7 +242,8 @@ static void virtio_crypto_handle_ctrl(VirtIODevice *vdev, VirtQueue *vq) } out_num = elem->out_num; - out_iov_copy = g_memdup(elem->out_sg, sizeof(out_iov[0]) * out_num); + out_iov_copy = g_memdup2_qemu(elem->out_sg, + sizeof(out_iov[0]) * out_num); out_iov = out_iov_copy; in_num = elem->in_num; 
@@ -605,11 +606,11 @@ virtio_crypto_handle_request(VirtIOCryptoReq *request) } out_num = elem->out_num; - out_iov_copy = g_memdup(elem->out_sg, sizeof(out_iov[0]) * out_num); + out_iov_copy = g_memdup2_qemu(elem->out_sg, sizeof(out_iov[0]) * out_num); out_iov = out_iov_copy; in_num = elem->in_num; - in_iov_copy = g_memdup(elem->in_sg, sizeof(in_iov[0]) * in_num); + in_iov_copy = g_memdup2_qemu(elem->in_sg, sizeof(in_iov[0]) * in_num); in_iov = in_iov_copy; if (unlikely(iov_to_buf(out_iov, out_num, 0, &req, sizeof(req))
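Review bot: on the virtio-net hunk (virtio_net_handle_ctrl), the question left in the patch notes ("Should we check in_num/out_num in range?") should be answered in the commit message rather than left to the reader. The allocation size there is sizeof(struct iovec) * elem->out_num, so the 64-to-32-bit narrowing the message describes could only have bitten if that product exceeded 32 bits, which needs an out_num in the hundreds of millions. Either cite the bound that the virtqueue code places on elem->out_num when the element is popped, or add an explicit range check on out_num before the copy, and state which one applies so the hunk can be judged as a bug fix or as an API migration.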
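Review bot: the two virtio-crypto hunks lay out the same statement differently: the @@ -242 hunk wraps the g_memdup2_qemu() call onto a continuation line, while this @@ -605 hunk keeps the out_iov_copy and in_iov_copy calls on one line each. Pick one layout for both (the one-line form is shorter and matches the unchanged lines around it). The in_num/out_num question from the patch notes applies here as well, and to sizeof(in_iov[0]) * in_num in particular, since in_num is copied straight from elem->in_num with no check between the assignment and the copy.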
From patchwork Fri Sep 3 11:06:54 2021
X-Patchwork-Id: 12474229
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 20/28] net/colo: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:54 +0200
Message-Id: <20210903110702.588291-21-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow.

packet_new() is called from packet_enqueue() with size being 32-bit (of type SocketReadState::packet_len).

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 net/colo.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/colo.c b/net/colo.c
index 3a3e6e89a0c..cfe37b19eac 100644
--- a/net/colo.c
+++ b/net/colo.c
@@ -159,7 +159,7 @@ Packet *packet_new(const void *data, int size, int vnet_hdr_len) { Packet *pkt = g_slice_new0(Packet); - pkt->data = g_memdup(data, size); + pkt->data = g_memdup2_qemu(data, size); pkt->size = size; pkt->creation_ms = qemu_clock_get_ms(QEMU_CLOCK_HOST); pkt->vnet_hdr_len = vnet_hdr_len;
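Review bot: packet_new() declares size as int and the new call hands it straight to g_memdup2_qemu(), whose size parameter is a gsize; a negative int converts to a very large unsigned size under either API, so the parameter type rather than the g_memdup variant is what protects this call. Since the commit message says the caller passes a 32-bit SocketReadState::packet_len, consider changing the parameter to an unsigned type matching it (or asserting size >= 0 before the copy), and note in the message that no 64-bit value can reach this call, so the hunk is an API migration rather than a truncation fix.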
@@ -214,7 +214,7 @@ Connection *connection_get(GHashTable *connection_track_table, Connection *conn = g_hash_table_lookup(connection_track_table, key); if (conn == NULL) { - ConnectionKey *new_key = g_memdup(key, sizeof(*key)); + ConnectionKey *new_key = g_memdup2_qemu(key, sizeof(*key)); conn = connection_new(key);
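The narrowing that the commit messages above describe, written out as a standalone C program. This is an added example, not code from QEMU or GLib: memdup_old() and memdup2() are hypothetical stand-ins for the pre-2.68 g_memdup() and the g_memdup2() prototypes, and the iovec-array helpers mirror the sizeof(struct iovec) * out_num products in the virtio hunks. It assumes a 64-bit (LP64) host, where size_t is wider than unsigned int, and shows the size the old prototype would actually allocate for a request above 4 GiB, next to an allocation path that checks the multiplication and hands the full size_t to the allocator.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>   /* struct iovec, the element type copied in the virtio hunks */

/* Stand-in for the pre-GLib-2.68 g_memdup() prototype (hypothetical name):
 * the byte count is a 32-bit unsigned int, so a size_t argument is narrowed
 * by the implicit conversion at the call site, before anything is allocated. */
void *memdup_old(const void *mem, unsigned int byte_size)
{
    void *copy = (mem && byte_size) ? malloc(byte_size) : NULL;
    return copy ? memcpy(copy, mem, byte_size) : NULL;
}

/* Stand-in for g_memdup2(): the byte count is a size_t and reaches malloc()
 * unchanged on a 64-bit host. */
void *memdup2(const void *mem, size_t byte_size)
{
    void *copy = (mem && byte_size) ? malloc(byte_size) : NULL;
    return copy ? memcpy(copy, mem, byte_size) : NULL;
}

/* The byte count memdup_old() would really allocate for a size_t request:
 * the implicit narrowing made explicit, without performing the allocation. */
size_t old_api_effective_size(size_t requested)
{
    return (unsigned int)requested;
}

/* Non-zero when the old prototype would silently shrink this request. */
int old_api_truncates(size_t requested)
{
    return old_api_effective_size(requested) != requested;
}

/* Byte count of an array of `count` iovecs, the product the virtio hunks
 * pass as the size. Returns 0 (and leaves *out alone) if the multiplication
 * itself would overflow size_t, which can only happen with a 32-bit size_t. */
int iov_array_bytes(unsigned int count, size_t *out)
{
    if (count > SIZE_MAX / sizeof(struct iovec)) {
        return 0;
    }
    *out = (size_t)count * sizeof(struct iovec);
    return 1;
}

/* Duplicate an iovec array through the full-width size. Returns NULL when the
 * count is unrepresentable or the allocation fails; the caller frees. */
struct iovec *dup_iov_array(const struct iovec *sg, unsigned int count)
{
    size_t bytes;
    if (!iov_array_bytes(count, &bytes)) {
        return NULL;
    }
    return memdup2(sg, bytes);
}

int main(void)
{
    /* Constructed input: three iovecs over a local buffer. */
    char buf[64] = "constructed sample payload";
    struct iovec sg[3] = { { buf, 8 }, { buf + 8, 8 }, { buf + 16, 10 } };
    struct iovec *copy = dup_iov_array(sg, 3);
    int ok = copy != NULL && memcmp(sg, copy, sizeof(sg)) == 0;
    free(copy);

    /* An out_num large enough that count * sizeof(struct iovec) needs more
     * than 32 bits: 0x10000001 * 16 = 0x100000010, which the old prototype
     * would have narrowed to 0x10, one iovec's worth of heap for 268M entries. */
    size_t bytes = 0;
    if (iov_array_bytes(0x10000001u, &bytes)) {
        ok = ok && old_api_truncates(bytes)
                && old_api_effective_size(bytes) == sizeof(struct iovec);
    }
    return ok ? 0 : 1;
}
```

The sizeof(value) and sizeof(*key) arguments in the rdma and colo hunks are compile-time constants and can never take the narrowing path; only count-times-element-size products, and size fields that are themselves a size_t, can.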
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [RFC PATCH 21/28] ui/clipboard: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:55 +0200
Message-Id: <20210903110702.588291-22-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>
Cc: Fam Zheng, Peter Maydell, Li Zhijian, "Michael S. Tsirkin", Jason Wang, Christian Schoenebeck, Yuval Shaia, Peter Xu, Gerd Hoffmann, Alexandre Iooss, Eric Blake, qemu-block@nongnu.org, Zhang Chen, Alex Bennée, Helge Deller, David Hildenbrand, Markus Armbruster, "Gonglei (Arei)", Stefan Weil, Philippe Mathieu-Daudé, Laurent Vivier, Thomas Huth, Eduardo Habkost, Michael Roth, Richard Henderson, Greg Kurz, Alex Williamson, qemu-arm@nongnu.org, Paolo Bonzini, John Snow, David Gibson, Kevin Wolf, Vladimir Sementsov-Ogievskiy, Laurent Vivier, Shannon Zhao, Hanna Reitz, qemu-ppc@nongnu.org, Igor Mammedov, Mahmoud Mandour

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

  The old API took the size of the memory to duplicate as a guint,
  whereas most memory functions take memory sizes as a gsize. This
  made it easy to accidentally pass a gsize to g_memdup(). For large
  values, that would lead to a silent truncation of the size from 64
  to 32 bits, and result in a heap area being returned which is
  significantly smaller than what the caller expects. This can likely
  be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
TODO: audit qemu_clipboard_set_data() calls
---
 ui/clipboard.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ui/clipboard.c b/ui/clipboard.c
index d7b008d62a0..0e12a55d3e5 100644
--- a/ui/clipboard.c
+++ b/ui/clipboard.c
@@ -123,7 +123,7 @@ void qemu_clipboard_set_data(QemuClipboardPeer *peer, } g_free(info->types[type].data); - info->types[type].data = g_memdup(data, size); + info->types[type].data = g_memdup2_qemu(data, size); info->types[type].size = size; info->types[type].available = true;
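Review bot: the TODO under the `---` line (audit qemu_clipboard_set_data() calls) should be resolved or moved to the cover letter before this leaves RFC, because the hunk on its own only changes the copy, not what callers may pass in. What the hunk does get right is that the block is now allocated for the full `size` and the very same value is stored in `info->types[type].size` on the following line, so the duplicated data and the recorded length agree for every size instead of diverging above 4 GiB. Suggest saying in the commit message that the audit is a separate step: a caller handing in an over-large size now gets a correctly sized (and correspondingly large) allocation rather than an undersized one.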
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [RFC PATCH 22/28] linux-user: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:56 +0200
Message-Id: <20210903110702.588291-23-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

  The old API took the size of the memory to duplicate as a guint,
  whereas most memory functions take memory sizes as a gsize. This
  made it easy to accidentally pass a gsize to g_memdup(). For large
  values, that would lead to a silent truncation of the size from 64
  to 32 bits, and result in a heap area being returned which is
  significantly smaller than what the caller expects. This can likely
  be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
do_open_by_handle_at() doesn't check: size + sizeof(struct file_handle) < 4GiB
---
 linux-user/syscall.c | 2 +-
 linux-user/uaccess.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index ccd3892b2df..e127927f0b9 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -7665,7 +7665,7 @@ static abi_long do_open_by_handle_at(abi_long mount_fd, abi_long handle, return -TARGET_EFAULT; } - fh = g_memdup(target_fh, total_size); + fh = g_memdup2_qemu(target_fh, total_size); fh->handle_bytes = size; fh->handle_type = tswap32(target_fh->handle_type);
diff --git a/linux-user/uaccess.c b/linux-user/uaccess.c
index 6a5b029607c..80992e2e233 100644
--- a/linux-user/uaccess.c
+++ b/linux-user/uaccess.c
@@ -15,7 +15,7 @@ void *lock_user(int type, abi_ulong guest_addr, ssize_t len, bool copy) host_addr = g2h_untagged(guest_addr); #ifdef DEBUG_REMAP if (copy) { - host_addr = g_memdup(host_addr, len); + host_addr = g_memdup2_qemu(host_addr, len); } else { host_addr = g_malloc0(len); }
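Review bot: `len` is declared `ssize_t` in the lock_user() signature shown in the hunk header, so both the new `g_memdup2_qemu(host_addr, len)` and the unchanged `g_malloc0(len)` branch convert a signed length to an unsigned size; a negative `len` becomes a huge allocation request instead of an error. That is pre-existing and DEBUG_REMAP-only, but since the point of the series is size-type hygiene, suggest a `g_assert(len >= 0)` at the top of the function (or a comment that callers guarantee it) so the conversion is visibly safe.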
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 23/28] tests/unit: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:57 +0200
Message-Id: <20210903110702.588291-24-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

  The old API took the size of the memory to duplicate as a guint,
  whereas most memory functions take memory sizes as a gsize. This
  made it easy to accidentally pass a gsize to g_memdup(). For large
  values, that would lead to a silent truncation of the size from 64
  to 32 bits, and result in a heap area being returned which is
  significantly smaller than what the caller expects. This can likely
  be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 tests/unit/ptimer-test.c | 22 +++++++++++-----------
 tests/unit/test-iov.c | 26 +++++++++++++-------------
 2 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/tests/unit/ptimer-test.c b/tests/unit/ptimer-test.c
index 9176b96c1ce..23efeb04a57 100644
--- a/tests/unit/ptimer-test.c
+++ b/tests/unit/ptimer-test.c
@@ -798,64 +798,64 @@ static void add_ptimer_tests(uint8_t policy) g_test_add_data_func_full( tmp = g_strdup_printf("/ptimer/set_count policy=%s", policy_name), - g_memdup(&policy, 1), check_set_count, g_free); + g_memdup2_qemu(&policy, 1), check_set_count, g_free); g_free(tmp); g_test_add_data_func_full( tmp = g_strdup_printf("/ptimer/set_limit policy=%s", policy_name), - g_memdup(&policy, 1), check_set_limit, g_free); + g_memdup2_qemu(&policy, 1), check_set_limit, g_free); g_free(tmp); g_test_add_data_func_full( tmp = g_strdup_printf("/ptimer/oneshot policy=%s", policy_name), - g_memdup(&policy, 1), check_oneshot, g_free); + g_memdup2_qemu(&policy, 1), check_oneshot, g_free); g_free(tmp); g_test_add_data_func_full( tmp = g_strdup_printf("/ptimer/periodic policy=%s", policy_name), - g_memdup(&policy, 1), check_periodic, g_free); + g_memdup2_qemu(&policy, 1), check_periodic, g_free); g_free(tmp); g_test_add_data_func_full( tmp = g_strdup_printf("/ptimer/on_the_fly_mode_change policy=%s", policy_name), - g_memdup(&policy, 1), check_on_the_fly_mode_change, g_free); + g_memdup2_qemu(&policy, 1), check_on_the_fly_mode_change, g_free); g_free(tmp); g_test_add_data_func_full( tmp = g_strdup_printf("/ptimer/on_the_fly_period_change policy=%s", policy_name), - g_memdup(&policy, 1), check_on_the_fly_period_change, g_free); + g_memdup2_qemu(&policy, 1), check_on_the_fly_period_change, g_free); g_free(tmp); g_test_add_data_func_full( tmp = g_strdup_printf("/ptimer/on_the_fly_freq_change policy=%s", policy_name), - g_memdup(&policy, 1), check_on_the_fly_freq_change, g_free); + g_memdup2_qemu(&policy, 1), check_on_the_fly_freq_change, g_free); g_free(tmp); g_test_add_data_func_full( tmp = g_strdup_printf("/ptimer/run_with_period_0 policy=%s", policy_name), - g_memdup(&policy, 1), check_run_with_period_0, g_free); + g_memdup2_qemu(&policy, 1), check_run_with_period_0, g_free); g_free(tmp); g_test_add_data_func_full( tmp = g_strdup_printf("/ptimer/run_with_delta_0 policy=%s", 
policy_name), - g_memdup(&policy, 1), check_run_with_delta_0, g_free); + g_memdup2_qemu(&policy, 1), check_run_with_delta_0, g_free); g_free(tmp); g_test_add_data_func_full( tmp = g_strdup_printf("/ptimer/periodic_with_load_0 policy=%s", policy_name), - g_memdup(&policy, 1), check_periodic_with_load_0, g_free); + g_memdup2_qemu(&policy, 1), check_periodic_with_load_0, g_free); g_free(tmp); g_test_add_data_func_full( tmp = g_strdup_printf("/ptimer/oneshot_with_load_0 policy=%s", policy_name), - g_memdup(&policy, 1), check_oneshot_with_load_0, g_free); + g_memdup2_qemu(&policy, 1), check_oneshot_with_load_0, g_free); g_free(tmp); } diff --git a/tests/unit/test-iov.c b/tests/unit/test-iov.c index 5371066fb6a..19ae24adb70 100644 --- a/tests/unit/test-iov.c +++ b/tests/unit/test-iov.c @@ -173,7 +173,7 @@ static void test_io(void) } iov_from_buf(iov, niov, 0, buf, sz); - siov = g_memdup(iov, sizeof(*iov) * niov); + siov = g_memdup2_qemu(iov, sizeof(*iov) * niov); if (socketpair(PF_UNIX, SOCK_STREAM, 0, sv) < 0) { perror("socketpair"); @@ -350,7 +350,7 @@ static void test_discard_front_undo(void) /* Discard zero bytes */ iov_random(&iov, &iov_cnt); - iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig = g_memdup2_qemu(iov, sizeof(iov[0]) * iov_cnt); iov_tmp = iov; iov_cnt_tmp = iov_cnt; iov_discard_front_undoable(&iov_tmp, &iov_cnt_tmp, 0, &undo); @@ -361,7 +361,7 @@ static void test_discard_front_undo(void) /* Discard more bytes than vector size */ iov_random(&iov, &iov_cnt); - iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig = g_memdup2_qemu(iov, sizeof(iov[0]) * iov_cnt); iov_tmp = iov; iov_cnt_tmp = iov_cnt; size = iov_size(iov, iov_cnt); @@ -373,7 +373,7 @@ static void test_discard_front_undo(void) /* Discard entire vector */ iov_random(&iov, &iov_cnt); - iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig = g_memdup2_qemu(iov, sizeof(iov[0]) * iov_cnt); iov_tmp = iov; iov_cnt_tmp = iov_cnt; size = iov_size(iov, iov_cnt); 
@@ -385,7 +385,7 @@ static void test_discard_front_undo(void) /* Discard within first element */ iov_random(&iov, &iov_cnt); - iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig = g_memdup2_qemu(iov, sizeof(iov[0]) * iov_cnt); iov_tmp = iov; iov_cnt_tmp = iov_cnt; size = g_test_rand_int_range(1, iov->iov_len); @@ -397,7 +397,7 @@ static void test_discard_front_undo(void) /* Discard entire first element */ iov_random(&iov, &iov_cnt); - iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig = g_memdup2_qemu(iov, sizeof(iov[0]) * iov_cnt); iov_tmp = iov; iov_cnt_tmp = iov_cnt; iov_discard_front_undoable(&iov_tmp, &iov_cnt_tmp, iov->iov_len, &undo); @@ -408,7 +408,7 @@ static void test_discard_front_undo(void) /* Discard within second element */ iov_random(&iov, &iov_cnt); - iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig = g_memdup2_qemu(iov, sizeof(iov[0]) * iov_cnt); iov_tmp = iov; iov_cnt_tmp = iov_cnt; size = iov->iov_len + g_test_rand_int_range(1, iov[1].iov_len); @@ -499,7 +499,7 @@ static void test_discard_back_undo(void) /* Discard zero bytes */ iov_random(&iov, &iov_cnt); - iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig = g_memdup2_qemu(iov, sizeof(iov[0]) * iov_cnt); iov_cnt_tmp = iov_cnt; iov_discard_back_undoable(iov, &iov_cnt_tmp, 0, &undo); iov_discard_undo(&undo); @@ -509,7 +509,7 @@ static void test_discard_back_undo(void) /* Discard more bytes than vector size */ iov_random(&iov, &iov_cnt); - iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig = g_memdup2_qemu(iov, sizeof(iov[0]) * iov_cnt); iov_cnt_tmp = iov_cnt; size = iov_size(iov, iov_cnt); iov_discard_back_undoable(iov, &iov_cnt_tmp, size + 1, &undo); 
@@ -520,7 +520,7 @@ static void test_discard_back_undo(void) /* Discard entire vector */ iov_random(&iov, &iov_cnt); - iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig = g_memdup2_qemu(iov, sizeof(iov[0]) * iov_cnt); iov_cnt_tmp = iov_cnt; size = iov_size(iov, iov_cnt); iov_discard_back_undoable(iov, &iov_cnt_tmp, size, &undo); @@ -531,7 +531,7 @@ static void test_discard_back_undo(void) /* Discard within last element */ iov_random(&iov, &iov_cnt); - iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig = g_memdup2_qemu(iov, sizeof(iov[0]) * iov_cnt); iov_cnt_tmp = iov_cnt; size = g_test_rand_int_range(1, iov[iov_cnt - 1].iov_len); iov_discard_back_undoable(iov, &iov_cnt_tmp, size, &undo); @@ -542,7 +542,7 @@ static void test_discard_back_undo(void) /* Discard entire last element */ iov_random(&iov, &iov_cnt); - iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig = g_memdup2_qemu(iov, sizeof(iov[0]) * iov_cnt); iov_cnt_tmp = iov_cnt; size = iov[iov_cnt - 1].iov_len; iov_discard_back_undoable(iov, &iov_cnt_tmp, size, &undo); 
@@ -553,7 +553,7 @@ static void test_discard_back_undo(void) /* Discard within second-to-last element */ iov_random(&iov, &iov_cnt); - iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig = g_memdup2_qemu(iov, sizeof(iov[0]) * iov_cnt); iov_cnt_tmp = iov_cnt; size = iov[iov_cnt - 1].iov_len + g_test_rand_int_range(1, iov[iov_cnt - 2].iov_len);
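Review bot: every size in the ptimer-test.c and test-iov.c hunks is either the literal `1` or a `sizeof(...) * count` expression, which is already a size_t, so the 64-to-32-bit truncation the commit message warns about cannot occur at any of these call sites; the conversion is still correct, but the commit message (reused verbatim from the other patches) overstates the risk for this file pair. Suggest one extra line such as "no truncation is possible in these tests; converted for consistency with the rest of the series" so a reader does not go looking for a bug that is not there.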
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 24/28] tests/qtest: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:58 +0200
Message-Id: <20210903110702.588291-25-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

  The old API took the size of the memory to duplicate as a guint,
  whereas most memory functions take memory sizes as a gsize. This
  made it easy to accidentally pass a gsize to g_memdup(). For large
  values, that would lead to a silent truncation of the size from 64
  to 32 bits, and result in a heap area being returned which is
  significantly smaller than what the caller expects. This can likely
  be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 tests/qtest/libqos/ahci.c | 6 +++---
 tests/qtest/libqos/qgraph.c | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/tests/qtest/libqos/ahci.c b/tests/qtest/libqos/ahci.c
index fba3e7a954e..8ef1bda7c1c 100644
--- a/tests/qtest/libqos/ahci.c
+++ b/tests/qtest/libqos/ahci.c
@@ -639,8 +639,8 @@ void ahci_exec(AHCIQState *ahci, uint8_t port, AHCIOpts *opts; uint64_t buffer_in; - opts = g_memdup((opts_in == NULL ? &default_opts : opts_in), - sizeof(AHCIOpts)); + opts = g_memdup2_qemu((opts_in == NULL ? &default_opts : opts_in), + sizeof(AHCIOpts)); buffer_in = opts->buffer;
@@ -860,7 +860,7 @@ AHCICommand *ahci_command_create(uint8_t command_name) g_assert(!props->ncq || props->lba48); /* Defaults and book-keeping */ - cmd->props = g_memdup(props, sizeof(AHCICommandProp)); + cmd->props = g_memdup2_qemu(props, sizeof(AHCICommandProp)); cmd->name = command_name; cmd->xbytes = props->size; cmd->prd_size = 4096; diff --git a/tests/qtest/libqos/qgraph.c b/tests/qtest/libqos/qgraph.c index d1dc4919305..c2e7719bed9 100644 --- a/tests/qtest/libqos/qgraph.c +++ b/tests/qtest/libqos/qgraph.c 
@@ -93,7 +93,7 @@ static void add_edge(const char *source, const char *dest, edge->type = type; edge->dest = g_strdup(dest); edge->edge_name = g_strdup(opts->edge_name ?: dest); - edge->arg = g_memdup(opts->arg, opts->size_arg); + edge->arg = g_memdup2_qemu(opts->arg, opts->size_arg); edge->before_cmd_line = opts->before_cmd_line ? g_strconcat(" ", opts->before_cmd_line, NULL) : NULL;
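Review bot: both ahci.c hunks pass `sizeof(AHCIOpts)` and `sizeof(AHCICommandProp)`, compile-time constants that fit a guint, so the 64-to-32-bit truncation the commit message warns about could not have happened at these two sites; they are API-consistency changes that the checkpatch rule at the end of the series will require, and the commit message would be more accurate if it said so instead of implying a reachable overflow in libqos.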
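Review bot: the qgraph.c hunk, `edge->arg = g_memdup2_qemu(opts->arg, opts->size_arg);`, is the one site in this patch where the length is a variable rather than a `sizeof`, so it is the only one where the guint narrowing could have mattered; state the type of `size_arg` in the commit message (a gsize means this is a real fix, a guint means it is hygiene only), and confirm the wrapper keeps g_memdup()'s NULL-in/NULL-out behaviour, since nothing in the hunk guards `opts->arg` against NULL.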
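The gsize-to-guint narrowing that the commit message describes, as an added example in plain C that is not QEMU's or GLib's code: the typedefs mirror GLib's guint and gsize, `memdup2_like()` models the g_memdup2() contract with malloc/memcpy, and `legacy_size_seen()`, `size_would_truncate()`, `memdup_checked()` and the two self-check functions are names constructed for this demonstration.

```c
/*
 * Added example, not QEMU's or GLib's code. It shows why a gsize length
 * (64 bits on LP64 targets) is silently narrowed when handed to the guint
 * parameter of g_memdup(), and what a g_memdup2()-style wrapper changes.
 * The typedefs mirror GLib's so the file builds without glib.h; every
 * function name below is constructed for this demonstration.
 */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned int guint;   /* byte_size type of the old g_memdup() */
typedef size_t gsize;         /* byte_size type of g_memdup2() */

/* The length the guint-taking API actually receives: an implicit
 * narrowing conversion that compilers accept without a diagnostic. */
guint legacy_size_seen(gsize requested)
{
    guint byte_size = requested;
    return byte_size;
}

/* True when narrowing the request to guint would drop high bits. */
bool size_would_truncate(gsize requested)
{
    return requested > (gsize)UINT_MAX;
}

/* Model of the g_memdup2() contract: gsize length, NULL in gives NULL
 * out, otherwise exactly byte_size bytes are copied. malloc/memcpy stand
 * in for GLib's g_malloc(), which aborts on allocation failure. */
void *memdup2_like(const void *mem, gsize byte_size)
{
    void *copy;

    if (mem == NULL) {
        return NULL;
    }
    copy = malloc(byte_size ? byte_size : 1);
    if (copy == NULL) {
        abort();
    }
    memcpy(copy, mem, byte_size);
    return copy;
}

/* Defensive shim for a caller that is stuck with a guint-sized
 * duplicator: refuse instead of truncating. Returns NULL and sets
 * *truncated when the request does not fit, so the caller can never be
 * handed a short buffer it believes to be byte_size long. */
void *memdup_checked(const void *mem, gsize byte_size, bool *truncated)
{
    *truncated = size_would_truncate(byte_size);
    if (*truncated) {
        return NULL;
    }
    return memdup2_like(mem, (guint)byte_size);
}

/* Constructed struct round trip, the way the patched call sites use the
 * wrapper with sizeof(). Returns 1 when the copy matches byte for byte. */
int roundtrip_ok(void)
{
    struct { uint32_t key; uint64_t lba; char name[8]; } src = {
        0x2a, 0x1000, "ahci"
    }, *dup;
    int ok;

    dup = memdup2_like(&src, sizeof(src));
    ok = dup != NULL && memcmp(dup, &src, sizeof(src)) == 0;
    free(dup);
    return ok;
}

/* Constructed 64-bit case: a request of 4 GiB + 16 bytes reaches a guint
 * parameter as 16 bytes. Returns 1 when the narrowing behaves as
 * described (or when the target has no gsize wider than guint). */
int truncation_demo_ok(void)
{
    bool truncated;
    gsize big;

    if (sizeof(gsize) <= sizeof(guint)) {
        return 1;
    }
    big = (gsize)UINT_MAX + 0x11;     /* 0x100000010 on LP64 */
    if (legacy_size_seen(big) != 0x10 || !size_would_truncate(big)) {
        return 0;
    }
    return memdup_checked("x", big, &truncated) == NULL && truncated;
}
```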
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 25/28] target/arm: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:06:59 +0200
Message-Id: <20210903110702.588291-26-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>
Cc: Fam Zheng, Peter Maydell, Li Zhijian, "Michael S.
Tsirkin", Jason Wang, Christian Schoenebeck, Yuval Shaia, Peter Xu, Gerd Hoffmann, Alexandre Iooss, Eric Blake, qemu-block@nongnu.org, Zhang Chen, Alex Bennée, Helge Deller, David Hildenbrand, Markus Armbruster, "Gonglei (Arei)", Stefan Weil, Philippe Mathieu-Daudé, Laurent Vivier, Thomas Huth, Eduardo Habkost, Michael Roth, Richard Henderson, Greg Kurz, Alex Williamson, qemu-arm@nongnu.org, Paolo Bonzini, John Snow, David Gibson, Kevin Wolf, Vladimir Sementsov-Ogievskiy, Laurent Vivier, Shannon Zhao, Hanna Reitz, qemu-ppc@nongnu.org, Igor Mammedov, Mahmoud Mandour

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 target/arm/helper.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c index a7ae78146d4..f3aeff399b9 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c
@@ -6242,8 +6242,9 @@ static void define_arm_vh_e2h_redirects_aliases(ARMCPU *cpu) /* Create alias before redirection so we dup the right data. */ if (a->new_key) { - ARMCPRegInfo *new_reg = g_memdup(src_reg, sizeof(ARMCPRegInfo)); - uint32_t *new_key = g_memdup(&a->new_key, sizeof(uint32_t)); + ARMCPRegInfo *new_reg = g_memdup2_qemu(src_reg, + sizeof(ARMCPRegInfo)); + uint32_t *new_key = g_memdup2_qemu(&a->new_key, sizeof(uint32_t)); bool ok; new_reg->name = a->new_name; 
@@ -8818,7 +8819,7 @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r, * add a single reginfo struct to the hash table. */ uint32_t *key = g_new(uint32_t, 1); - ARMCPRegInfo *r2 = g_memdup(r, sizeof(ARMCPRegInfo)); + ARMCPRegInfo *r2 = g_memdup2_qemu(r, sizeof(ARMCPRegInfo)); int is64 = (r->type & ARM_CP_64BIT) ? 1 : 0; int ns = (secstate & ARM_CP_SECSTATE_NS) ? 1 : 0;
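Review bot: the three replaced calls in helper.c all take `sizeof(ARMCPRegInfo)` or `sizeof(uint32_t)`, so no length could have been narrowed here and the "can likely be exploited" sentence in the commit message does not describe these hunks; a one-line statement that the change is mechanical would avoid a misleading history entry. In the first hunk the `new_reg` call is re-wrapped onto two lines while the `new_key` call on the next line stays on one; check that the continuation line aligns with the open parenthesis, which the flattened diff cannot show.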
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 26/28] target/ppc: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:07:00 +0200
Message-Id: <20210903110702.588291-27-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>
Cc: Fam Zheng, Peter Maydell, Li Zhijian, "Michael S.
Tsirkin", Jason Wang, Christian Schoenebeck, Yuval Shaia, Peter Xu, Gerd Hoffmann, Alexandre Iooss, Eric Blake, qemu-block@nongnu.org, Zhang Chen, Alex Bennée, Helge Deller, David Hildenbrand, Markus Armbruster, "Gonglei (Arei)", Stefan Weil, Philippe Mathieu-Daudé, Laurent Vivier, Thomas Huth, Eduardo Habkost, Michael Roth, Richard Henderson, Greg Kurz, Alex Williamson, qemu-arm@nongnu.org, Paolo Bonzini, John Snow, David Gibson, Kevin Wolf, Vladimir Sementsov-Ogievskiy, Laurent Vivier, Shannon Zhao, Hanna Reitz, qemu-ppc@nongnu.org, Igor Mammedov, Mahmoud Mandour

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
Acked-by: David Gibson
---
 target/ppc/mmu-hash64.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/target/ppc/mmu-hash64.c b/target/ppc/mmu-hash64.c index 19832c4b46f..2ee6025a406 100644 --- a/target/ppc/mmu-hash64.c +++ b/target/ppc/mmu-hash64.c
@@ -1122,7 +1122,8 @@ void ppc_hash64_init(PowerPCCPU *cpu) return; } - cpu->hash64_opts = g_memdup(pcc->hash64_opts, sizeof(*cpu->hash64_opts)); + cpu->hash64_opts = g_memdup2_qemu(pcc->hash64_opts, + sizeof(*cpu->hash64_opts)); } void ppc_hash64_finalize(PowerPCCPU *cpu)
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 27/28] contrib: Replace g_memdup() by g_memdup2_qemu()
Date: Fri, 3 Sep 2021 13:07:01 +0200
Message-Id: <20210903110702.588291-28-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>
Cc: Fam Zheng, Peter Maydell, Li Zhijian, "Michael S.
Tsirkin", Jason Wang, Christian Schoenebeck, Yuval Shaia, Peter Xu, Gerd Hoffmann, Alexandre Iooss, Eric Blake, qemu-block@nongnu.org, Zhang Chen, Alex Bennée, Helge Deller, David Hildenbrand, Markus Armbruster, "Gonglei (Arei)", Stefan Weil, Philippe Mathieu-Daudé, Laurent Vivier, Thomas Huth, Eduardo Habkost, Michael Roth, Richard Henderson, Greg Kurz, Alex Williamson, qemu-arm@nongnu.org, Paolo Bonzini, John Snow, David Gibson, Kevin Wolf, Vladimir Sementsov-Ogievskiy, Laurent Vivier, Shannon Zhao, Hanna Reitz, qemu-ppc@nongnu.org, Igor Mammedov, Mahmoud Mandour

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2_qemu() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 contrib/plugins/lockstep.c | 2 +-
 contrib/rdmacm-mux/main.c | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/contrib/plugins/lockstep.c b/contrib/plugins/lockstep.c index 7fd35eb6692..119a8054b3f 100644 --- a/contrib/plugins/lockstep.c +++ b/contrib/plugins/lockstep.c @@ -130,7 +130,7 @@ static void report_divergance(ExecState *us, ExecState *them) } } divergence_log = g_slist_prepend(divergence_log, - g_memdup(&divrec, sizeof(divrec))); + g_memdup2_qemu(&divrec, sizeof(divrec))); /* Output short log entry of going out of sync... */ if (verbose || divrec.distance == 1 || diverged) {
diff --git a/contrib/rdmacm-mux/main.c b/contrib/rdmacm-mux/main.c index 771ca01e03f..d447d50f538 100644 --- a/contrib/rdmacm-mux/main.c +++ b/contrib/rdmacm-mux/main.c @@ -227,8 +227,8 @@ static RdmaCmMuxErrCode add_fd_ifid_pair(int fd, __be64 gid_ifid) RDMACM_MUX_ERR_CODE_EACCES; } - g_hash_table_insert(server.umad_agent.gid2fd, g_memdup(&gid_ifid, - sizeof(gid_ifid)), g_memdup(&fd, sizeof(fd))); + g_hash_table_insert(server.umad_agent.gid2fd, g_memdup2_qemu(&gid_ifid, + sizeof(gid_ifid)), g_memdup2_qemu(&fd, sizeof(fd))); pthread_rwlock_unlock(&server.lock); @@ -250,7 +250,7 @@ static RdmaCmMuxErrCode delete_fd_ifid_pair(int fd, __be64 gid_ifid) return RDMACM_MUX_ERR_CODE_ENOTFOUND; } - g_hash_table_remove(server.umad_agent.gid2fd, g_memdup(&gid_ifid, + g_hash_table_remove(server.umad_agent.gid2fd, g_memdup2_qemu(&gid_ifid, sizeof(gid_ifid))); pthread_rwlock_unlock(&server.lock); 
@@ -267,8 +267,8 @@ static void hash_tbl_save_fd_comm_id_pair(int fd, uint32_t comm_id, pthread_rwlock_wrlock(&server.lock); g_hash_table_insert(server.umad_agent.commid2fd, - g_memdup(&comm_id, sizeof(comm_id)), - g_memdup(&fde, sizeof(fde))); + g_memdup2_qemu(&comm_id, sizeof(comm_id)), + g_memdup2_qemu(&fde, sizeof(fde))); pthread_rwlock_unlock(&server.lock); }
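Review bot: the lockstep.c hunk changes only the call, not the includes, and the same holds for the rdmacm-mux/main.c hunks; since both files live under contrib/ rather than the core tree, confirm that the header providing g_memdup2_qemu() is actually included on their build paths, otherwise this patch turns a deprecation warning into a build failure for those targets.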
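Review bot: in the delete_fd_ifid_pair hunk, `g_hash_table_remove(server.umad_agent.gid2fd, g_memdup2_qemu(&gid_ifid, sizeof(gid_ifid)))` heap-allocates a copy of the key purely to perform the lookup and never frees it, so every removal leaks sizeof(gid_ifid) bytes; the leak pre-dates this patch, but since the line is being rewritten anyway, passing `&gid_ifid` directly both fixes it and drops the allocation. The add_fd_ifid_pair and hash_tbl_save_fd_comm_id_pair hunks are fine: there the copies are the owned keys and values of the table.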
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH 28/28] checkpatch: Do not allow deprecated g_memdup()
Date: Fri, 3 Sep 2021 13:07:02 +0200
Message-Id: <20210903110702.588291-29-philmd@redhat.com>
In-Reply-To: <20210903110702.588291-1-philmd@redhat.com>
References: <20210903110702.588291-1-philmd@redhat.com>
Cc: Fam Zheng, Peter Maydell, Li Zhijian, "Michael S.
Tsirkin", Jason Wang, Christian Schoenebeck, Yuval Shaia, Peter Xu, Gerd Hoffmann, Alexandre Iooss, Eric Blake, qemu-block@nongnu.org, Zhang Chen, Alex Bennée, Helge Deller, David Hildenbrand, Markus Armbruster, "Gonglei (Arei)", Stefan Weil, Philippe Mathieu-Daudé, Laurent Vivier, Thomas Huth, Eduardo Habkost, Michael Roth, Richard Henderson, Greg Kurz, Alex Williamson, qemu-arm@nongnu.org, Paolo Bonzini, John Snow, David Gibson, Kevin Wolf, Vladimir Sementsov-Ogievskiy, Laurent Vivier, Shannon Zhao, Hanna Reitz, qemu-ppc@nongnu.org, Igor Mammedov, Mahmoud Mandour

g_memdup() is insecure and has been deprecated in GLib 2.68. QEMU provides the safe equivalent g_memdup2_qemu() wrapper.

Do not allow more g_memdup() calls in the repository, provide a hint to use g_memdup2_qemu().

Signed-off-by: Philippe Mathieu-Daudé
---
 scripts/checkpatch.pl | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl index cb8eff233e0..4ce9d753492 100755 --- a/scripts/checkpatch.pl +++ b/scripts/checkpatch.pl @@ -2850,6 +2850,11 @@ sub process { WARN("consider using g_path_get_$1() in preference to g_strdup($1())\n" . $herecurr); } +# enforce g_memdup2_qemu() over g_memdup() + if ($line =~ /\bg_memdup\s*\(/) { + ERROR("use g_memdup2_qemu() instead of unsafe g_memdup()\n" . $herecurr); + } + # recommend qemu_strto* over strto* for numeric conversions if ($line =~ /\b(strto[^kd].*?)\s*\(/) { ERROR("consider using qemu_$1 in preference to $1\n" . $herecurr);
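Review bot: the new check in the checkpatch.pl hunk reports ERROR where the adjacent g_strdup check reports WARN, which is defensible for a deprecated and unsafe API, but `/\bg_memdup\s*\(/` fires on any line carrying the token, including the file that defines g_memdup2_qemu() if its pre-2.68 fallback has to call g_memdup(), and comments that merely mention the old name; consider exempting the wrapper's own file, or document that the fallback must not be written in terms of g_memdup(). The pattern correctly leaves g_memdup2() and g_memdup2_qemu() alone, since the `2` after the name prevents `\s*\(` from matching.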