From patchwork Fri Sep 3 17:44:43 2021
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH v3 01/28] hw/hyperv/vmbus: Remove unused vmbus_load/save_req()
Date: Fri, 3 Sep 2021 19:44:43 +0200
Message-Id: <20210903174510.751630-2-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>
Cc: Peter Maydell, "Michael S. Tsirkin", Jason Wang, Christian Schoenebeck, Gerd Hoffmann, Eric Blake, qemu-block@nongnu.org, Alex Bennée, David Hildenbrand, Markus Armbruster, Philippe Mathieu-Daudé, Laurent Vivier, Thomas Huth, Eduardo Habkost, Richard Henderson, qemu-arm@nongnu.org, John Snow, David Gibson, Kevin Wolf, Vladimir Sementsov-Ogievskiy, "Daniel P . Berrange", Hanna Reitz, qemu-ppc@nongnu.org, Paolo Bonzini

vmbus_save_req() and vmbus_load_req() are not used. Remove them to avoid maintaining dead code.
Signed-off-by: Philippe Mathieu-Daudé --- include/hw/hyperv/vmbus.h | 3 -- hw/hyperv/vmbus.c | 59 --------------------------------------- 2 files changed, 62 deletions(-) diff --git a/include/hw/hyperv/vmbus.h b/include/hw/hyperv/vmbus.h index f98bea3888d..8ea660dd8e6 100644 --- a/include/hw/hyperv/vmbus.h +++ b/include/hw/hyperv/vmbus.h @@ -223,7 +223,4 @@ int vmbus_map_sgl(VMBusChanReq *req, DMADirection dir, struct iovec *iov, void vmbus_unmap_sgl(VMBusChanReq *req, DMADirection dir, struct iovec *iov, unsigned iov_cnt, size_t accessed); -void vmbus_save_req(QEMUFile *f, VMBusChanReq *req); -void *vmbus_load_req(QEMUFile *f, VMBusDevice *dev, uint32_t size); - #endif diff --git a/hw/hyperv/vmbus.c b/hw/hyperv/vmbus.c index c9887d5a7bc..18d3c3b9240 100644 --- a/hw/hyperv/vmbus.c +++ b/hw/hyperv/vmbus.c 
@@ -1311,65 +1311,6 @@ static const VMStateDescription vmstate_vmbus_chan_req = { } }; -void vmbus_save_req(QEMUFile *f, VMBusChanReq *req) -{ - VMBusChanReqSave req_save; - - req_save.chan_idx = req->chan->subchan_idx; - req_save.pkt_type = req->pkt_type; - req_save.msglen = req->msglen; - req_save.msg = req->msg; - req_save.transaction_id = req->transaction_id; - req_save.need_comp = req->need_comp; - req_save.num = req->sgl.nsg; - req_save.sgl = g_memdup(req->sgl.sg, - req_save.num * sizeof(ScatterGatherEntry)); - - vmstate_save_state(f, &vmstate_vmbus_chan_req, &req_save, NULL); - - g_free(req_save.sgl); -} - -void *vmbus_load_req(QEMUFile *f, VMBusDevice *dev, uint32_t size) -{ - VMBusChanReqSave req_save; - VMBusChanReq *req = NULL; - VMBusChannel *chan = NULL; - uint32_t i; - - vmstate_load_state(f, &vmstate_vmbus_chan_req, &req_save, 0); - - if (req_save.chan_idx >= dev->num_channels) { - error_report("%s: %u(chan_idx) > %u(num_channels)", __func__, - req_save.chan_idx, dev->num_channels); - goto out; - } - chan = &dev->channels[req_save.chan_idx]; - - if (vmbus_channel_reserve(chan, 0, req_save.msglen)) { - goto out; - } - - req = vmbus_alloc_req(chan, size, req_save.pkt_type, req_save.msglen, - req_save.transaction_id, req_save.need_comp); - if (req_save.msglen) { - memcpy(req->msg, req_save.msg, req_save.msglen); - } - - for (i = 0; i < req_save.num; i++) { - qemu_sglist_add(&req->sgl, req_save.sgl[i].base, req_save.sgl[i].len); - } - -out: - if (req_save.msglen) { - g_free(req_save.msg); - } - if (req_save.num) { - g_free(req_save.sgl); - } - return req; -} - static void channel_event_cb(EventNotifier *e) { VMBusChannel *chan = container_of(e, VMBusChannel, notifier); From patchwork Fri Sep 3 17:44:44 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 12474825 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on 
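Review bot: the commit message should mention that vmbus_save_req() was also one of the g_memdup() callers this series is converting (`req_save.sgl = g_memdup(req->sgl.sg, req_save.num * sizeof(ScatterGatherEntry));` passes a computed gsize to a guint parameter), since that is the reason for removing the dead pair up front instead of converting it. With both functions gone, please also confirm that vmstate_vmbus_chan_req and the VMBusChanReqSave type it describes, whose only users visible in this hunk were these two functions, still have another user in vmbus.c; if not, drop them in the same patch rather than leaving an unused static VMStateDescription behind.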
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH v3 02/28] glib-compat: Introduce g_memdup2() wrapper
Date: Fri, 3 Sep 2021 19:44:44 +0200
Message-Id: <20210903174510.751630-3-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>
Cc: Peter Maydell, "Michael S. Tsirkin", Jason Wang, Christian Schoenebeck, Gerd Hoffmann, Eric Blake, qemu-block@nongnu.org, Alex Bennée, David Hildenbrand, Markus Armbruster, Philippe Mathieu-Daudé, Laurent Vivier, Thomas Huth, Eduardo Habkost, Richard Henderson, qemu-arm@nongnu.org, John Snow, David Gibson, Kevin Wolf, Vladimir Sementsov-Ogievskiy, "Daniel P . Berrange", Hanna Reitz, qemu-ppc@nongnu.org, Paolo Bonzini

When experimenting with raising GLIB_VERSION_MIN_REQUIRED to 2.68 (Fedora 34 provides GLib 2.68.1) we get:

  hw/virtio/virtio-crypto.c:245:24: error: 'g_memdup' is deprecated: Use 'g_memdup2' instead [-Werror,-Wdeprecated-declarations]
  ...

g_memdup() has been updated by g_memdup2() to fix eventual security issues (size argument is 32-bit and could be truncated / wrapping).

GLib recommends copying their static inline version of g_memdup2():
https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

Our glib-compat.h provides a comment explaining how to deal with these deprecated declarations (see commit e71e8cc0355 "glib: enforce the minimum required version and warn about old APIs"). Following this comment's suggestion, implement the g_memdup2_qemu() wrapper to g_memdup2(), and use the safer equivalent inlined when we are using pre-2.68 GLib.

Reported-by: Eric Blake
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Eric Blake
---
 include/glib-compat.h | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/include/glib-compat.h b/include/glib-compat.h
index 9e95c888f54..8d01a8c01fb 100644
--- a/include/glib-compat.h
+++ b/include/glib-compat.h
@@ -68,6 +68,43 @@ * without generating warnings. */ +/* + * g_memdup2_qemu: + * @mem: (nullable): the memory to copy. + * @byte_size: the number of bytes to copy. + * + * Allocates @byte_size bytes of memory, and copies @byte_size bytes into it + * from @mem. If @mem is %NULL it returns %NULL. + * + * This replaces g_memdup(), which was prone to integer overflows when + * converting the argument from a #gsize to a #guint. + * + * This static inline version is a backport of the new public API from + * GLib 2.68, kept internal to GLib for backport to older stable releases. + * See https://gitlab.gnome.org/GNOME/glib/-/issues/2319. + * + * Returns: (nullable): a pointer to the newly-allocated copy of the memory, + * or %NULL if @mem is %NULL. + */ +static inline gpointer g_memdup2_qemu(gconstpointer mem, gsize byte_size) +{ +#if GLIB_CHECK_VERSION(2, 68, 0) + return g_memdup2(mem, byte_size); +#else + gpointer new_mem; + + if (mem && byte_size != 0) { + new_mem = g_malloc(byte_size); + memcpy(new_mem, mem, byte_size); + } else { + new_mem = NULL; + } + + return new_mem; +#endif +} +#define g_memdup2(m, s) g_memdup2_qemu(m, s) + #if defined(G_OS_UNIX) /* * Note: The fallback implementation is not MT-safe, and it returns a copy of From patchwork Fri Sep 3 17:44:45 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 12474865 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.5 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 19678C433F5 for ; 
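Review bot: the `#define g_memdup2(m, s) g_memdup2_qemu(m, s)` only works because it is placed after the function body: on GLib >= 2.68 the `return g_memdup2(mem, byte_size);` inside g_memdup2_qemu() must bind to GLib's real symbol, and if someone later moves the macro above the function that call expands to g_memdup2_qemu() and recurses forever. A one-line comment on the #define stating the ordering requirement would protect against that reshuffle. Separately, the sentence copied from GLib's doc comment ("kept internal to GLib for backport to older stable releases") reads oddly inside glib-compat.h; saying "copied from GLib's static inline backport" describes what this file actually does.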
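An added example, not part of this patch series or of GLib, to make the truncation that the commit message warns about concrete. `old_memdup()` and `new_memdup2()` are stand-ins for g_memdup() and g_memdup2() written without a GLib dependency (guint is modelled as `unsigned int`, gsize as `size_t`, which is what they are on QEMU's usual 64-bit hosts); `struct entry`, the element counts and the byte values are constructed for the example, with `struct entry` playing the role of the ScatterGatherEntry array that the vmbus_save_req() code removed in patch 01 duplicated with `num * sizeof(ScatterGatherEntry)`. The last two functions show the call-site shape the converted callers should have, and the guard a caller needs if it is stuck with the 32-bit API.

```c
/*
 * Added example, not part of the patch series or of GLib: minimal stand-ins
 * for g_memdup() (32-bit size, like guint) and g_memdup2() (size_t, like
 * gsize) that show the silent truncation, plus call sites written the way
 * the converted callers should be written.  struct entry is a constructed
 * 16-byte record playing the role of ScatterGatherEntry.
 */
#include <assert.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Old API shape: the size parameter is 32 bits wide, like GLib's guint. */
static void *old_memdup(const void *mem, unsigned int byte_size)
{
    void *copy;

    if (mem == NULL || byte_size == 0) {
        return NULL;
    }
    copy = malloc(byte_size);
    assert(copy != NULL);           /* g_malloc() aborts on failure */
    return memcpy(copy, mem, byte_size);
}

/* New API shape: size_t end to end, matching the g_memdup2_qemu() fallback. */
static void *new_memdup2(const void *mem, size_t byte_size)
{
    void *copy;

    if (mem == NULL || byte_size == 0) {
        return NULL;
    }
    copy = malloc(byte_size);
    assert(copy != NULL);
    return memcpy(copy, mem, byte_size);
}

/*
 * What old_memdup() really allocates when a caller hands it a size_t: the
 * implicit conversion at the call site keeps only the low 32 bits.
 */
size_t old_api_allocation(size_t requested)
{
    return (unsigned int)requested;
}

/* True when the old API would return a buffer smaller than requested. */
bool old_api_truncates(size_t requested)
{
    return old_api_allocation(requested) != requested;
}

/* Constructed 16-byte record standing in for ScatterGatherEntry. */
struct entry {
    uint64_t base;
    uint64_t len;
};

/* The size a caller computes for "num * sizeof(ScatterGatherEntry)". */
size_t request_for_entries(size_t num)
{
    return num * sizeof(struct entry);
}

/* Overflow-checked byte count; false if the multiplication would wrap. */
static bool entries_byte_count(size_t num, size_t *bytes)
{
    if (num == 0 || num > SIZE_MAX / sizeof(struct entry)) {
        return false;
    }
    *bytes = num * sizeof(struct entry);
    return true;
}

/* Converted call site: size_t all the way, no truncation possible. */
struct entry *checked_dup_entries(const struct entry *sg, size_t num)
{
    size_t bytes;

    if (!entries_byte_count(num, &bytes)) {
        return NULL;
    }
    return new_memdup2(sg, bytes);
}

/*
 * If the 32-bit API cannot be avoided, the caller must prove the size fits
 * its parameter before the implicit conversion gets a chance to truncate.
 */
struct entry *legacy_guarded_dup_entries(const struct entry *sg, size_t num)
{
    size_t bytes;

    if (!entries_byte_count(num, &bytes) || bytes > UINT_MAX) {
        return NULL;                /* would be silently truncated */
    }
    return old_memdup(sg, (unsigned int)bytes);
}
```

On a 64-bit host, `request_for_entries(0x10000001)` is 0x100000010 bytes, and `old_api_allocation()` of that request is 16: the old API hands back a 16-byte heap block while the caller goes on to treat it as a 4 GiB array, which is exactly the heap overflow the GLib advisory describes. The converted `checked_dup_entries()` never reaches that state, and the guarded legacy variant refuses the request instead of truncating it.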
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH v3 03/28] qapi: Replace g_memdup() by g_memdup2()
Date: Fri, 3 Sep 2021 19:44:45 +0200
Message-Id: <20210903174510.751630-4-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>
Cc: Peter Maydell, "Michael S. Tsirkin", Jason Wang, Christian Schoenebeck, Gerd Hoffmann, Eric Blake, qemu-block@nongnu.org, Alex Bennée, David Hildenbrand, Markus Armbruster, Philippe Mathieu-Daudé, Laurent Vivier, Thomas Huth, Eduardo Habkost, Richard Henderson, qemu-arm@nongnu.org, John Snow, David Gibson, Kevin Wolf, Vladimir Sementsov-Ogievskiy, "Daniel P . Berrange", Hanna Reitz, qemu-ppc@nongnu.org, Paolo Bonzini

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize.
This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2() wrapper. Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Eric Blake --- qapi/qapi-clone-visitor.c | 16 ++++++++-------- qapi/qapi-visit-core.c | 6 ++++-- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/qapi/qapi-clone-visitor.c b/qapi/qapi-clone-visitor.c index c45c5caa3b8..b014119d368 100644 --- a/qapi/qapi-clone-visitor.c +++ b/qapi/qapi-clone-visitor.c @@ -37,7 +37,7 @@ static bool qapi_clone_start_struct(Visitor *v, const char *name, void **obj, return true; } - *obj = g_memdup(*obj, size); + *obj = g_memdup2(*obj, size); qcv->depth++; return true; } @@ -65,8 +65,8 @@ static GenericList *qapi_clone_next_list(Visitor *v, GenericList *tail, QapiCloneVisitor *qcv = to_qcv(v); assert(qcv->depth); - /* Unshare the tail of the list cloned by g_memdup() */ - tail->next = g_memdup(tail->next, size); + /* Unshare the tail of the list cloned by g_memdup2() */ + tail->next = g_memdup2(tail->next, size); return tail->next; } @@ -83,7 +83,7 @@ static bool qapi_clone_type_int64(Visitor *v, const char *name, int64_t *obj, QapiCloneVisitor *qcv = to_qcv(v); assert(qcv->depth); - /* Value was already cloned by g_memdup() */ + /* Value was already cloned by g_memdup2() */ return true; } @@ -93,7 +93,7 @@ static bool qapi_clone_type_uint64(Visitor *v, const char *name, QapiCloneVisitor *qcv = to_qcv(v); assert(qcv->depth); - /* Value was already cloned by g_memdup() */ + /* Value was already cloned by g_memdup2() */ return true; } 
@@ -103,7 +103,7 @@ static bool qapi_clone_type_bool(Visitor *v, const char *name, bool *obj, QapiCloneVisitor *qcv = to_qcv(v); assert(qcv->depth); - /* Value was already cloned by g_memdup() */ + /* Value was already cloned by g_memdup2() */ return true; } @@ -114,7 +114,7 @@ static bool qapi_clone_type_str(Visitor *v, const char *name, char **obj, assert(qcv->depth); /* - * Pointer was already cloned by g_memdup; create fresh copy. + * Pointer was already cloned by g_memdup2; create fresh copy. * Note that as long as qobject-output-visitor accepts NULL instead of * "", then we must do likewise. However, we want to obey the * input visitor semantics of never producing NULL when the empty @@ -130,7 +130,7 @@ static bool qapi_clone_type_number(Visitor *v, const char *name, double *obj, QapiCloneVisitor *qcv = to_qcv(v); assert(qcv->depth); - /* Value was already cloned by g_memdup() */ + /* Value was already cloned by g_memdup2() */ return true; } diff --git a/qapi/qapi-visit-core.c b/qapi/qapi-visit-core.c index a641adec51e..ebabe63b6ea 100644 --- a/qapi/qapi-visit-core.c +++ b/qapi/qapi-visit-core.c 
@@ -413,8 +413,10 @@ bool visit_type_enum(Visitor *v, const char *name, int *obj, case VISITOR_OUTPUT: return output_type_enum(v, name, obj, lookup, errp); case VISITOR_CLONE: - /* nothing further to do, scalar value was already copied by - * g_memdup() during visit_start_*() */ + /* + * nothing further to do, scalar value was already copied by + * g_memdup2() during visit_start_*() + */ return true; case VISITOR_DEALLOC: /* nothing to deallocate for a scalar */ From patchwork Fri Sep 3 17:44:46 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 12474827 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.5 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9820FC433FE for ; Fri, 3 Sep 2021 17:53:23 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 3829E60EB7 for ; Fri, 3 Sep 2021 17:53:23 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 3829E60EB7 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=nongnu.org Received: from localhost ([::1]:39518 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mMDNS-0003wU-BE for qemu-devel@archiver.kernel.org; Fri, 03 Sep 2021 13:53:22 -0400 Received: from eggs.gnu.org 
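Review bot: in the qapi_clone_start_struct() and qapi_clone_next_list() hunks the `size` handed to g_memdup2() is the QAPI struct size that the visitor core passes to the callback, so at these two sites the change removes a deprecation warning rather than a reachable 64-to-32-bit truncation; the copied commit-message paragraph "This can likely be exploited in various modules to cause a heap buffer overflow" overstates it for this file and could end with a sentence saying that the sizes here are compile-time struct sizes and the patch is not a fix.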
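Review bot: the five comment-only hunks in qapi-clone-visitor.c (qapi_clone_type_int64/uint64/bool/str/number) and the visit_type_enum() comment reflow in qapi-visit-core.c only track the rename and keep the comments truthful, so they belong with the two functional lines; the reflow also brings that block comment to the `/*` on its own line style the file uses elsewhere, which is worth a word in the commit message so it is not mistaken for an accidental whitespace change.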
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH v3 04/28] accel/tcg: Replace g_memdup() by g_memdup2()
Date: Fri, 3 Sep 2021 19:44:46 +0200
Message-Id: <20210903174510.751630-5-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>
Cc: Peter Maydell, "Michael S. Tsirkin", Jason Wang, Christian Schoenebeck, Gerd Hoffmann, Eric Blake, qemu-block@nongnu.org, Alex Bennée, David Hildenbrand, Markus Armbruster, Philippe Mathieu-Daudé, Laurent Vivier, Thomas Huth, Eduardo Habkost, Richard Henderson, qemu-arm@nongnu.org, John Snow, David Gibson, Kevin Wolf, Vladimir Sementsov-Ogievskiy, "Daniel P . Berrange", Hanna Reitz, qemu-ppc@nongnu.org, Paolo Bonzini

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize.
This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 accel/tcg/cputlb.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c index b1e5471f949..08951f0683e 100644 --- a/accel/tcg/cputlb.c +++ b/accel/tcg/cputlb.c @@ -826,7 +826,7 @@ void tlb_flush_range_by_mmuidx(CPUState *cpu, target_ulong addr, tlb_flush_range_by_mmuidx_async_0(cpu, d); } else { /* Otherwise allocate a structure, freed by the worker. */ - TLBFlushRangeData *p = g_memdup(&d, sizeof(d)); + TLBFlushRangeData *p = g_memdup2(&d, sizeof(d)); async_run_on_cpu(cpu, tlb_flush_range_by_mmuidx_async_1, RUN_ON_CPU_HOST_PTR(p)); } @@ -868,7 +868,7 @@ void tlb_flush_range_by_mmuidx_all_cpus(CPUState *src_cpu, /* Allocate a separate data block for each destination cpu. */ CPU_FOREACH(dst_cpu) { if (dst_cpu != src_cpu) { - TLBFlushRangeData *p = g_memdup(&d, sizeof(d)); + TLBFlushRangeData *p = g_memdup2(&d, sizeof(d)); async_run_on_cpu(dst_cpu, tlb_flush_range_by_mmuidx_async_1, RUN_ON_CPU_HOST_PTR(p));
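Review bot: in both cputlb.c hunks above the size argument is `sizeof(d)`, a compile-time constant far below 2^32, so no gsize-to-guint truncation could ever happen at these call sites and the change is API hygiene rather than a fix for the overflow the commit message describes; that is worth stating in the message (the same holds for the third cputlb.c hunk and for the sizeof() call sites converted in 05/28 and 07/28). The one thing to confirm before this lands is that the g_memdup2() these hunks now call resolves on every GLib version QEMU builds against, i.e. that the wrapper the message calls "the safer g_memdup2() wrapper" is introduced by a patch earlier in the series than 04/28; g_memdup2() only exists natively from GLib 2.68, so otherwise a bisect through this commit fails to build on older GLib.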
@@ -918,13 +918,13 @@ void tlb_flush_range_by_mmuidx_all_cpus_synced(CPUState *src_cpu, /* Allocate a separate data block for each destination cpu. */ CPU_FOREACH(dst_cpu) { if (dst_cpu != src_cpu) { - p = g_memdup(&d, sizeof(d)); + p = g_memdup2(&d, sizeof(d)); async_run_on_cpu(dst_cpu, tlb_flush_range_by_mmuidx_async_1, RUN_ON_CPU_HOST_PTR(p)); } } - p = g_memdup(&d, sizeof(d)); + p = g_memdup2(&d, sizeof(d)); async_safe_run_on_cpu(src_cpu, tlb_flush_range_by_mmuidx_async_1, RUN_ON_CPU_HOST_PTR(p)); }

From patchwork Fri Sep 3 17:44:47 2021
X-Patchwork-Id: 12474869
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH v3 05/28] block/qcow2-bitmap: Replace g_memdup() by g_memdup2()
Date: Fri, 3 Sep 2021 19:44:47 +0200
Message-Id: <20210903174510.751630-6-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize.
This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Eric Blake
---
 block/qcow2-bitmap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/qcow2-bitmap.c b/block/qcow2-bitmap.c index 8fb47315515..218a0dc712a 100644 --- a/block/qcow2-bitmap.c +++ b/block/qcow2-bitmap.c
@@ -1599,7 +1599,7 @@ bool qcow2_store_persistent_dirty_bitmaps(BlockDriverState *bs, name); goto fail; } - tb = g_memdup(&bm->table, sizeof(bm->table)); + tb = g_memdup2(&bm->table, sizeof(bm->table)); bm->table.offset = 0; bm->table.size = 0; QSIMPLEQ_INSERT_TAIL(&drop_tables, tb, entry);

From patchwork Fri Sep 3 17:44:48 2021
X-Patchwork-Id: 12474823
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH v3 06/28] softmmu: Replace g_memdup() by g_memdup2()
Date: Fri, 3 Sep 2021 19:44:48 +0200
Message-Id: <20210903174510.751630-7-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize.
This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 softmmu/memory.c | 2 +-
 softmmu/vl.c     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/softmmu/memory.c b/softmmu/memory.c index bfedaf9c4df..1db019393b6 100644 --- a/softmmu/memory.c +++ b/softmmu/memory.c @@ -1140,7 +1140,7 @@ static char *memory_region_escape_name(const char *name) bytes += memory_region_need_escape(*p) ? 4 : 1; } if (bytes == p - name) { - return g_memdup(name, bytes + 1); + return g_memdup2(name, bytes + 1); } escaped = g_malloc(bytes + 1); diff --git a/softmmu/vl.c b/softmmu/vl.c index ea05bb39c50..7a44c63a6ad 100644 --- a/softmmu/vl.c +++ b/softmmu/vl.c
@@ -1154,7 +1154,7 @@ static int parse_fw_cfg(void *opaque, QemuOpts *opts, Error **errp) } if (nonempty_str(str)) { size = strlen(str); /* NUL terminator NOT included in fw_cfg blob */ - buf = g_memdup(str, size); + buf = g_memdup2(str, size); } else if (nonempty_str(gen_id)) { if (!fw_cfg_add_from_generator(fw_cfg, name, gen_id, errp)) { return -1;
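Review bot: the memory_region_escape_name() hunk in softmmu/memory.c is the first call site in the series where the size is not a sizeof constant: `bytes` is accumulated from the name's length in the loop just above it (`bytes += memory_region_need_escape(*p) ? 4 : 1;`), so if it is declared as size_t (the declaration is outside the hunk) the old call really did narrow a 64-bit length to guint on 64-bit hosts, and the commit message would be more useful if it said which call sites are real narrowings and which are cosmetic. The fast-path copy of `bytes + 1` is correct as written: that branch is taken only when nothing needs escaping, so the extra byte is the source's own NUL terminator.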
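Review bot: in the parse_fw_cfg() hunk in softmmu/vl.c, `size = strlen(str)` is a size_t value derived from a command-line string, so unless `size` is declared narrower than that (its declaration is outside the hunk) this hunk also removes a genuine narrowing, not just a cosmetic one. One caveat for whoever consumes `buf` later, as the comment in the hunk already warns: the duplicate holds exactly `size` bytes and no terminating NUL, so `size` must travel with `buf` and no consumer may strlen() it; nothing to change in the hunk itself.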
From patchwork Fri Sep 3 17:44:49 2021
X-Patchwork-Id: 12474871
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH v3 07/28] hw/9pfs: Replace g_memdup() by g_memdup2()
Date: Fri, 3 Sep 2021 19:44:49 +0200
Message-Id: <20210903174510.751630-8-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize.
This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Christian Schoenebeck
---
 hw/9pfs/9p-synth.c | 2 +-
 hw/9pfs/9p.c       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/9pfs/9p-synth.c b/hw/9pfs/9p-synth.c index b38088e0664..d6168c653d2 100644 --- a/hw/9pfs/9p-synth.c +++ b/hw/9pfs/9p-synth.c @@ -497,7 +497,7 @@ static int synth_name_to_path(FsContext *ctx, V9fsPath *dir_path, out: /* Copy the node pointer to fid */ g_free(target->data); - target->data = g_memdup(&node, sizeof(void *)); + target->data = g_memdup2(&node, sizeof(void *)); target->size = sizeof(void *); return 0; } diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index c857b313213..a80166fcaff 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c
@@ -202,7 +202,7 @@ void v9fs_path_copy(V9fsPath *dst, const V9fsPath *src) { v9fs_path_free(dst); dst->size = src->size; - dst->data = g_memdup(src->data, src->size); + dst->data = g_memdup2(src->data, src->size); } int v9fs_name_to_path(V9fsState *s, V9fsPath *dirpath,
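Review bot: in the v9fs_path_copy() hunk the size passed is `src->size`, a struct field whose type is declared outside the hunk; if it is a 16- or 32-bit field the old guint parameter never truncated it and this is hygiene, which is fine but should be said in the message. Separately, `dst->size = src->size;` is assigned before the duplicate is made, so a NULL `src->data` leaves `dst` with a non-zero size and a NULL `data` pointer under either API (both return NULL for a NULL source); that is pre-existing behaviour, not introduced here, but worth a follow-up if any caller can produce such a path. The 9p-synth.c hunk copies a constant `sizeof(void *)` and needs no comment.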
From patchwork Fri Sep 3 17:44:50 2021
X-Patchwork-Id: 12474863
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH v3 08/28] hw/acpi: Avoid truncating acpi_data_len() to 32-bit
Date: Fri, 3 Sep 2021 19:44:50 +0200
Message-Id: <20210903174510.751630-9-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>

acpi_data_len() returns an unsigned type, which might be bigger than 32-bit (although it is unlikely such value is returned). Hold the returned value in an 'unsigned' type to avoid unlikely size truncation.
Signed-off-by: Philippe Mathieu-Daudé
---
 hw/arm/virt-acpi-build.c | 2 +-
 hw/i386/acpi-build.c     | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c index 037cc1fd82c..95543d43e2a 100644 --- a/hw/arm/virt-acpi-build.c +++ b/hw/arm/virt-acpi-build.c @@ -885,7 +885,7 @@ void virt_acpi_build(VirtMachineState *vms, AcpiBuildTables *tables) static void acpi_ram_update(MemoryRegion *mr, GArray *data) { - uint32_t size = acpi_data_len(data); + unsigned size = acpi_data_len(data); /* Make sure RAM size is correct - in case it got changed * e.g. by migration */ diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c index a33ac8b91e1..aa269914b49 100644 --- a/hw/i386/acpi-build.c +++ b/hw/i386/acpi-build.c @@ -2660,7 +2660,7 @@ void acpi_build(AcpiBuildTables *tables, MachineState *machine) static void acpi_ram_update(MemoryRegion *mr, GArray *data) { - uint32_t size = acpi_data_len(data); + unsigned size = acpi_data_len(data); /* Make sure RAM size is correct - in case it got changed e.g. by migration */ memory_region_ram_resize(mr, size, &error_abort);
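Review bot: in both acpi_ram_update() hunks, replacing `uint32_t` with `unsigned` does not widen `size` at all: `unsigned` is 32 bits on every host QEMU supports, so the new local holds exactly the same range as the old one and no truncation is avoided. What the change does achieve is making the local's type match acpi_data_len()'s declared return type, which the commit message says is unsigned; suggest retitling the patch as a type-consistency cleanup and dropping the "might be bigger than 32-bit" claim, or, if sizes above 4 GiB are genuinely a concern, first changing acpi_data_len() to return size_t and then using size_t for these locals.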
@@ -2783,7 +2783,7 @@ void acpi_setup(void) * Though RSDP is small, its contents isn't immutable, so * we'll update it along with the rest of tables on guest access. */ - uint32_t rsdp_size = acpi_data_len(tables.rsdp); + unsigned rsdp_size = acpi_data_len(tables.rsdp); build_state->rsdp = g_memdup(tables.rsdp->data, rsdp_size); fw_cfg_add_file_callback(x86ms->fw_cfg, ACPI_BUILD_RSDP_FILE,
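Review bot: the `rsdp_size` declared here is passed on the very next context line to g_memdup(), whose length parameter is a guint, so even if acpi_data_len() could return more than 32 bits the narrowing would only move from the declaration into that call. The fix that matters for this line is the g_memdup2() replacement in 09/28; this hunk is a type-only rename and could be folded into that patch so the two edits to the same statement land together and the series remains bisectable.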
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH v3 09/28] hw/acpi: Replace g_memdup() by g_memdup2()
Date: Fri, 3 Sep 2021 19:44:51 +0200
Message-Id: <20210903174510.751630-10-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint,
whereas most memory functions take memory sizes as a gsize.
This made it easy to accidentally pass a gsize to g_memdup().
For large values, that would lead to a silent truncation of the
size from 64 to 32 bits, and result in a heap area being returned
which is significantly smaller than what the caller expects.
This can likely be exploited in various modules to cause a heap
buffer overflow.

Replace g_memdup() by the safer g_memdup2() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 hw/acpi/core.c       | 3 ++-
 hw/i386/acpi-build.c | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/hw/acpi/core.c b/hw/acpi/core.c
index 1e004d0078d..50ee821aae5 100644
--- a/hw/acpi/core.c
+++ b/hw/acpi/core.c
@@ -637,7 +637,8 @@ void acpi_pm1_cnt_init(ACPIREGS *ar, MemoryRegion *parent, suspend[3] = 1 | ((!disable_s3) << 7); suspend[4] = s4_val | ((!disable_s4) << 7); - fw_cfg_add_file(fw_cfg, "etc/system-states", g_memdup(suspend, 6), 6); + fw_cfg_add_file(fw_cfg, "etc/system-states", + g_memdup2(suspend, 6), 6); } }
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index aa269914b49..dd5c06c8cd5 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -2785,7 +2785,7 @@ void acpi_setup(void) */ unsigned rsdp_size = acpi_data_len(tables.rsdp); - build_state->rsdp = g_memdup(tables.rsdp->data, rsdp_size); + build_state->rsdp = g_memdup2(tables.rsdp->data, rsdp_size); fw_cfg_add_file_callback(x86ms->fw_cfg, ACPI_BUILD_RSDP_FILE, acpi_build_update, NULL, build_state, build_state->rsdp, rsdp_size, true);
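Review bot: in the hw/acpi/core.c hunk the copy length and the fw_cfg file length are both the literal 6, so nothing could be truncated here and the change is purely a move off the deprecated API; while the line is being rewritten anyway, `sizeof(suspend)` for both arguments would tie them to the array (the `suspend[3]` and `suspend[4]` stores in the context suggest it is a fixed-size array) instead of a magic number kept in sync by hand. g_memdup2() itself only exists from GLib 2.68 on, so this hunk also depends on the compat wrapper the commit message refers to being merged ahead of it in the series.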
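Review bot: the context line `unsigned rsdp_size = acpi_data_len(tables.rsdp);` in the hw/i386/acpi-build.c hunk is the output of 08/28, so this patch does not apply on its own and the two must stay in order; if 08/28 is dropped or reworked during review this hunk needs regenerating. The property worth preserving on this line is that the same `rsdp_size` feeds both the copy and the length handed to fw_cfg_add_file_callback(), so the duplicated buffer and the advertised file size cannot drift apart.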
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH v3 10/28] hw/core/machine: Replace g_memdup() by g_memdup2()
Date: Fri, 3 Sep 2021 19:44:52 +0200
Message-Id: <20210903174510.751630-11-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint,
whereas most memory functions take memory sizes as a gsize.
This made it easy to accidentally pass a gsize to g_memdup().
For large values, that would lead to a silent truncation of the
size from 64 to 32 bits, and result in a heap area being returned
which is significantly smaller than what the caller expects.
This can likely be exploited in various modules to cause a heap
buffer overflow.

Replace g_memdup() by the safer g_memdup2() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 hw/core/machine.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/core/machine.c b/hw/core/machine.c
index 067f42b528f..c3e5371b177 100644
--- a/hw/core/machine.c
+++ b/hw/core/machine.c
@@ -615,8 +615,8 @@ HotpluggableCPUList *machine_query_hotpluggable_cpus(MachineState *machine) cpu_item->type = g_strdup(machine->possible_cpus->cpus[i].type); cpu_item->vcpus_count = machine->possible_cpus->cpus[i].vcpus_count; - cpu_item->props = g_memdup(&machine->possible_cpus->cpus[i].props, - sizeof(*cpu_item->props)); + cpu_item->props = g_memdup2(&machine->possible_cpus->cpus[i].props, + sizeof(*cpu_item->props)); cpu = machine->possible_cpus->cpus[i].cpu; if (cpu) {
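Review bot: the length passed to g_memdup2() is sizeof(*cpu_item->props), the destination's pointee size, while the bytes being copied come from &machine->possible_cpus->cpus[i].props; that is only right for as long as the two stay the same struct type. Using sizeof(machine->possible_cpus->cpus[i].props), the size of the object actually being duplicated, removes that implicit coupling and is the more robust memdup idiom. The continuation line is correctly re-indented by one column for the longer function name.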
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH v3 11/28] hw/hppa/machine: Replace g_memdup() by g_memdup2()
Date: Fri, 3 Sep 2021 19:44:53 +0200
Message-Id: <20210903174510.751630-12-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint,
whereas most memory functions take memory sizes as a gsize.
This made it easy to accidentally pass a gsize to g_memdup().
For large values, that would lead to a silent truncation of the
size from 64 to 32 bits, and result in a heap area being returned
which is significantly smaller than what the caller expects.
This can likely be exploited in various modules to cause a heap
buffer overflow.

Replace g_memdup() by the safer g_memdup2() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 hw/hppa/machine.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/hw/hppa/machine.c b/hw/hppa/machine.c
index 2a46af5bc9b..e602e863a7d 100644
--- a/hw/hppa/machine.c
+++ b/hw/hppa/machine.c
@@ -101,19 +101,19 @@ static FWCfgState *create_fw_cfg(MachineState *ms) val = cpu_to_le64(MIN_SEABIOS_HPPA_VERSION); fw_cfg_add_file(fw_cfg, "/etc/firmware-min-version", - g_memdup(&val, sizeof(val)), sizeof(val)); + g_memdup2(&val, sizeof(val)), sizeof(val)); val = cpu_to_le64(HPPA_TLB_ENTRIES); fw_cfg_add_file(fw_cfg, "/etc/cpu/tlb_entries", - g_memdup(&val, sizeof(val)), sizeof(val)); + g_memdup2(&val, sizeof(val)), sizeof(val)); val = cpu_to_le64(HPPA_BTLB_ENTRIES); fw_cfg_add_file(fw_cfg, "/etc/cpu/btlb_entries", - g_memdup(&val, sizeof(val)), sizeof(val)); + g_memdup2(&val, sizeof(val)), sizeof(val)); val = cpu_to_le64(HPA_POWER_BUTTON); fw_cfg_add_file(fw_cfg, "/etc/power-button-addr", - g_memdup(&val, sizeof(val)), sizeof(val)); + g_memdup2(&val, sizeof(val)), sizeof(val)); fw_cfg_add_i16(fw_cfg, FW_CFG_BOOT_DEVICE, ms->boot_order[0]); qemu_register_boot_set(fw_cfg_boot_set, fw_cfg);
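Review bot: all four call sites in this hunk copy the same 8-byte little-endian `val` with sizeof(val) for both the copy and the file length, so the switch to g_memdup2() is mechanical and cannot change behaviour. The repetition itself, four `fw_cfg_add_file(fw_cfg, path, g_memdup2(&val, sizeof(val)), sizeof(val))` lines that differ only in path and constant, predates the patch and is a candidate for a small local helper in a follow-up rather than in this mechanical series.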
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH v3 12/28] hw/i386/multiboot: Replace g_memdup() by g_memdup2()
Date: Fri, 3 Sep 2021 19:44:54 +0200
Message-Id: <20210903174510.751630-13-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint,
whereas most memory functions take memory sizes as a gsize.
This made it easy to accidentally pass a gsize to g_memdup().
For large values, that would lead to a silent truncation of the
size from 64 to 32 bits, and result in a heap area being returned
which is significantly smaller than what the caller expects.
This can likely be exploited in various modules to cause a heap
buffer overflow.

Replace g_memdup() by the safer g_memdup2() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 hw/i386/multiboot.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
index 9e7d69d4705..754415d17f3 100644
--- a/hw/i386/multiboot.c
+++ b/hw/i386/multiboot.c
@@ -387,7 +387,7 @@ int load_multiboot(FWCfgState *fw_cfg, mb_debug(" mb_mods_count = %d", mbs.mb_mods_count); /* save bootinfo off the stack */ - mb_bootinfo_data = g_memdup(bootinfo, sizeof(bootinfo)); + mb_bootinfo_data = g_memdup2(bootinfo, sizeof(bootinfo)); /* Pass variables to option rom */ fw_cfg_add_i32(fw_cfg, FW_CFG_KERNEL_ENTRY, mh_entry_addr);
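Review bot: sizeof(bootinfo) is the buffer length only if `bootinfo` is an array in load_multiboot()'s scope, which the "save bootinfo off the stack" comment implies; were it a pointer the call would silently copy just the pointer's size, so that is worth confirming once while the line is touched. Otherwise the change is mechanical: the size is a compile-time constant far below 32 bits, so no truncation was possible at this call site either before or after the patch.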
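The truncation that the g_memdup() to g_memdup2() commit messages of 09/28 through 12/28 describe (and the narrower case 08/28 is about), shown as an added example that is not code from this series, from QEMU or from GLib. legacy_memdup() and safe_memdup2() are stand-ins written here to mirror the two GLib signatures (guint versus gsize length); legacy_alloc_size() and legacy_would_overflow() compute what the old API would really allocate for a 64-bit request; memdup_checked() is a hypothetical caller-side guard for code that must still call a guint-length API; sample_blob is constructed input. None of these names exist in QEMU or GLib.

```c
/*
 * Added example, not QEMU or GLib code: a model of the g_memdup() length
 * truncation and of what g_memdup2() changes.  legacy_memdup() mirrors the
 * old g_memdup(gconstpointer, guint) signature, safe_memdup2() mirrors the
 * g_memdup2(gconstpointer, gsize) signature; the bodies are stand-ins
 * written for this illustration, not the GLib implementations.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned int guint;   /* 32 bits on every host QEMU builds on */
typedef size_t gsize;         /* 64 bits on LP64/LLP64 hosts, 32 on ILP32 */

/* Old API: the length is narrowed to guint at the call boundary. */
static void *legacy_memdup(const void *mem, guint byte_size)
{
    void *copy = NULL;

    if (mem && byte_size != 0) {
        copy = malloc(byte_size);
        if (copy) {
            memcpy(copy, mem, byte_size);
        }
    }
    return copy;
}

/* New API: the length keeps its full width, so nothing is dropped. */
static void *safe_memdup2(const void *mem, gsize byte_size)
{
    void *copy = NULL;

    if (mem && byte_size != 0) {
        copy = malloc(byte_size);
        if (copy) {
            memcpy(copy, mem, byte_size);
        }
    }
    return copy;
}

/*
 * What the old API really allocates when a caller hands it a 64-bit size:
 * the implicit conversion to guint keeps only the low 32 bits.  Computed
 * on uint64_t so the arithmetic is identical on 32- and 64-bit hosts.
 */
static uint64_t legacy_alloc_size(uint64_t requested)
{
    return (uint32_t)requested;
}

/* True when the caller's later writes of 'requested' bytes would run past
 * the buffer the old API handed back: the heap overflow the messages cite. */
static bool legacy_would_overflow(uint64_t requested)
{
    return legacy_alloc_size(requested) != requested;
}

/* Hypothetical caller-side guard for code stuck on a guint-length API:
 * refuse instead of silently truncating. */
static void *memdup_checked(const void *mem, gsize byte_size)
{
    if (byte_size > UINT32_MAX) {
        return NULL;            /* would have been truncated: fail loudly */
    }
    return legacy_memdup(mem, (guint)byte_size);
}

/* Constructed sample input: an RSDP-like signature plus four payload bytes. */
static const unsigned char sample_blob[12] = {
    'R', 'S', 'D', ' ', 'P', 'T', 'R', ' ', 0x01, 0x02, 0x03, 0x04
};

/* For in-range sizes the two APIs must produce identical copies. */
static bool copies_match_demo(void)
{
    void *a = legacy_memdup(sample_blob, sizeof(sample_blob));
    void *b = safe_memdup2(sample_blob, sizeof(sample_blob));
    bool ok = a && b &&
              memcmp(a, sample_blob, sizeof(sample_blob)) == 0 &&
              memcmp(b, sample_blob, sizeof(sample_blob)) == 0;

    free(a);
    free(b);
    return ok;
}

/* The guard must reject a 4 GiB + 16 byte request on hosts where gsize can
 * hold one; on ILP32 hosts gsize cannot exceed guint, so there is nothing
 * to truncate and the check is vacuously satisfied. */
static bool checked_refuses_oversize(void)
{
    if (sizeof(gsize) <= sizeof(uint32_t)) {
        return true;
    }
    return memdup_checked(sample_blob, (gsize)((UINT64_C(1) << 32) + 16)) == NULL;
}

int main(void)
{
    /* 4 GiB + 16 bytes: the kind of value a corrupted length field yields. */
    uint64_t big = (UINT64_C(1) << 32) + 16;

    printf("request %llu bytes, old API allocates %llu\n",
           (unsigned long long)big, (unsigned long long)legacy_alloc_size(big));
    printf("overflow on old API: %s\n", legacy_would_overflow(big) ? "yes" : "no");
    printf("copies match for small input: %s\n", copies_match_demo() ? "yes" : "no");
    printf("checked wrapper refuses big size: %s\n",
           checked_refuses_oversize() ? "yes" : "no");
    return 0;
}
```

The point of the two identical-looking bodies is that the bug is not inside the function at all: it is the implicit gsize-to-guint conversion at the call, which the compiler performs silently unless -Wconversion is on. That is why the series fixes call sites by changing the callee's prototype rather than auditing each caller's arithmetic.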
From patchwork Fri Sep 3 17:44:55 2021
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH v3 13/28] hw/net/eepro100: Replace g_memdup() by g_memdup2()
Date: Fri, 3 Sep 2021 19:44:55 +0200
Message-Id: <20210903174510.751630-14-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>
References: <20210903174510.751630-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize.
This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2() wrapper. Signed-off-by: Philippe Mathieu-Daudé --- hw/net/eepro100.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c index 16e95ef9cc9..a4e67f69752 100644 --- a/hw/net/eepro100.c +++ b/hw/net/eepro100.c 
@@ -1872,7 +1872,7 @@ static void e100_nic_realize(PCIDevice *pci_dev, Error **errp) qemu_register_reset(nic_reset, s); - s->vmstate = g_memdup(&vmstate_eepro100, sizeof(vmstate_eepro100)); + s->vmstate = g_memdup2(&vmstate_eepro100, sizeof(vmstate_eepro100)); s->vmstate->name = qemu_get_queue(s->nic)->model; vmstate_register(VMSTATE_IF(&pci_dev->qdev), VMSTATE_INSTANCE_ID_ANY, s->vmstate, s);
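Review bot: the size argument here is sizeof of the global descriptor vmstate_eepro100, a constant that fits a guint, so this hunk is mechanical with respect to the truncation the commit message describes. The one thing worth confirming in such swaps is that the copy is still sized from the object (sizeof(vmstate_eepro100)) and not from a pointer to it, since sizeof of a pointer would silently copy only the pointer's width; the hunk gets this right, and the per-device copy is needed because s->vmstate->name is overwritten on the next line.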
From patchwork Fri Sep 3 17:44:56 2021
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH v3 14/28] hw/nvram/fw_cfg: Replace g_memdup() by g_memdup2()
Date: Fri, 3 Sep 2021 19:44:56 +0200
Message-Id: <20210903174510.751630-15-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>
References: <20210903174510.751630-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize.
This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2() wrapper. Signed-off-by: Philippe Mathieu-Daudé --- hw/nvram/fw_cfg.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c index 9b8dcca4ead..0c3cfa8a41e 100644 --- a/hw/nvram/fw_cfg.c +++ b/hw/nvram/fw_cfg.c @@ -205,7 +205,8 @@ static void fw_cfg_bootsplash(FWCfgState *s) /* use little endian format */ bst_le16 = cpu_to_le16(bst_val); fw_cfg_add_file(s, "etc/boot-menu-wait", - g_memdup(&bst_le16, sizeof bst_le16), sizeof bst_le16); + g_memdup2(&bst_le16, sizeof bst_le16), + sizeof bst_le16); } /* insert splash file if user configurated */ @@ -260,7 +261,7 @@ static void fw_cfg_reboot(FWCfgState *s) } rt_le32 = cpu_to_le32(rt_val); - fw_cfg_add_file(s, "etc/boot-fail-wait", g_memdup(&rt_le32, 4), 4); + fw_cfg_add_file(s, "etc/boot-fail-wait", g_memdup2(&rt_le32, 4), 4); } static void fw_cfg_write(FWCfgState *s, uint8_t value) @@ -755,7 +756,7 @@ void fw_cfg_add_string(FWCfgState *s, uint16_t key, const char *value) size_t sz = strlen(value) + 1; trace_fw_cfg_add_string(key, trace_key_name(key), value); - fw_cfg_add_bytes(s, key, g_memdup(value, sz), sz); + fw_cfg_add_bytes(s, key, g_memdup2(value, sz), sz); } void fw_cfg_modify_string(FWCfgState *s, uint16_t key, const char *value) 
@@ -763,7 +764,7 @@ void fw_cfg_modify_string(FWCfgState *s, uint16_t key, const char *value) size_t sz = strlen(value) + 1; char *old; - old = fw_cfg_modify_bytes_read(s, key, g_memdup(value, sz), sz); + old = fw_cfg_modify_bytes_read(s, key, g_memdup2(value, sz), sz); g_free(old); }
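Review bot: in the fw_cfg_reboot hunk, g_memdup2(&rt_le32, 4), 4 keeps two hard-coded 4s where the neighbouring fw_cfg_bootsplash hunk already uses sizeof bst_le16; since the line is being rewritten anyway, sizeof rt_le32 for both the copy and the length would tie the size to the object. The fw_cfg_add_string and fw_cfg_modify_string hunks are the ones where the commit message's scenario was real rather than theoretical: sz is a size_t (strlen(value) + 1), so the old g_memdup(value, sz) narrowed it to guint while the same sz was passed unnarrowed as the length argument of fw_cfg_add_bytes() and fw_cfg_modify_bytes_read(); g_memdup2() removes that mismatch between bytes copied and length recorded, and the commit message could point at these two call sites as the motivating ones in this file.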
From patchwork Fri Sep 3 17:44:57 2021
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH v3 15/28] hw/scsi/mptsas: Replace g_memdup() by g_memdup2()
Date: Fri, 3 Sep 2021 19:44:57 +0200
Message-Id: <20210903174510.751630-16-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>
References: <20210903174510.751630-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize.
This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2() wrapper. Signed-off-by: Philippe Mathieu-Daudé --- hw/scsi/mptsas.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c index db3219e7d20..f53ea358161 100644 --- a/hw/scsi/mptsas.c +++ b/hw/scsi/mptsas.c @@ -449,7 +449,8 @@ static void mptsas_process_scsi_task_mgmt(MPTSASState *s, MPIMsgSCSITaskMgmt *re } else { MPTSASCancelNotifier *notifier; - reply_async = g_memdup(&reply, sizeof(MPIMsgSCSITaskMgmtReply)); + reply_async = g_memdup2(&reply, + sizeof(MPIMsgSCSITaskMgmtReply)); reply_async->IOCLogInfo = INT_MAX; count = 1; 
@@ -476,7 +477,7 @@ static void mptsas_process_scsi_task_mgmt(MPTSASState *s, MPIMsgSCSITaskMgmt *re goto out; } - reply_async = g_memdup(&reply, sizeof(MPIMsgSCSITaskMgmtReply)); + reply_async = g_memdup2(&reply, sizeof(MPIMsgSCSITaskMgmtReply)); reply_async->IOCLogInfo = INT_MAX; count = 0;
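Review bot: both hunks size the copy with sizeof(MPIMsgSCSITaskMgmtReply) rather than sizeof(reply); using the object would keep the copy size tied to whatever &reply actually points at if the local's type ever changes, and it would also let the first hunk stay on one line instead of the continuation wrap that now leaves the two otherwise identical call sites formatted differently. Either way both sizes are compile-time constants, so this patch is mechanical with respect to the truncation the commit message describes, and the IOCLogInfo and count assignments after the copy are unaffected.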
From patchwork Fri Sep 3 17:44:58 2021
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH v3 16/28] hw/ppc/spapr_pci: Replace g_memdup() by g_memdup2()
Date: Fri, 3 Sep 2021 19:44:58 +0200
Message-Id: <20210903174510.751630-17-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>
References: <20210903174510.751630-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize.
This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2() wrapper. Signed-off-by: Philippe Mathieu-Daudé Acked-by: David Gibson --- hw/ppc/spapr_pci.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c index 7430bd63142..8e36cffab79 100644 --- a/hw/ppc/spapr_pci.c +++ b/hw/ppc/spapr_pci.c 
@@ -2201,10 +2201,9 @@ static int spapr_pci_post_load(void *opaque, int version_id) int i; for (i = 0; i < sphb->msi_devs_num; ++i) { - key = g_memdup(&sphb->msi_devs[i].key, - sizeof(sphb->msi_devs[i].key)); - value = g_memdup(&sphb->msi_devs[i].value, - sizeof(sphb->msi_devs[i].value)); + key = g_memdup2(&sphb->msi_devs[i].key, sizeof(sphb->msi_devs[i].key)); + value = g_memdup2(&sphb->msi_devs[i].value, + sizeof(sphb->msi_devs[i].value)); g_hash_table_insert(sphb->msi, key, value); } g_free(sphb->msi_devs);
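Review bot: the key assignment is re-flowed onto a single line while value keeps its two-line form; for a mechanical API swap across 28 patches it is easier to verify, and to regenerate with a script, if only the g_memdup token changes and the existing line breaks are left alone, so consider keeping key on two lines like value. Both sizes are sizeof of struct members and so cannot trigger the guint narrowing, and ownership of key and value still passes to the hash table on g_hash_table_insert(), which this hunk leaves unchanged.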
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH v3 17/28] hw/rdma: Replace g_memdup() by g_memdup2()
Date: Fri, 3 Sep 2021 19:44:59 +0200
Message-Id: <20210903174510.751630-18-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 hw/rdma/rdma_utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/rdma/rdma_utils.c b/hw/rdma/rdma_utils.c index 98df58f6897..6d6b8286b69 100644 --- a/hw/rdma/rdma_utils.c +++ b/hw/rdma/rdma_utils.c
@@ -71,7 +71,7 @@ void rdma_protected_gqueue_append_int64(RdmaProtectedGQueue *list, int64_t value) { qemu_mutex_lock(&list->lock); - g_queue_push_tail(list->list, g_memdup(&value, sizeof(value))); + g_queue_push_tail(list->list, g_memdup2(&value, sizeof(value))); qemu_mutex_unlock(&list->lock); }

From patchwork Fri Sep 3 17:45:00 2021
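Review bot: sizeof(value) for an int64_t is a compile-time 8, so there is nothing to truncate in this hunk; it is a straight API migration and the commit message's overflow paragraph does not apply to rdma_utils.c. The one thing to confirm before this lands is that an earlier patch in the series provides a g_memdup2() fallback for GLib older than 2.68 (the release that introduced the function), otherwise builds against older GLib fail at this call.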
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH v3 18/28] hw/vfio/pci: Replace g_memdup() by g_memdup2()
Date: Fri, 3 Sep 2021 19:45:00 +0200
Message-Id: <20210903174510.751630-19-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 hw/vfio/pci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c index e1ea1d8a23b..f7d0ef8cc61 100644 --- a/hw/vfio/pci.c +++ b/hw/vfio/pci.c
@@ -2040,7 +2040,7 @@ static void vfio_add_ext_cap(VFIOPCIDevice *vdev) * physical device, we cache the config space to avoid overwriting * the original config space when we parse the extended capabilities. */ - config = g_memdup(pdev->config, vdev->config_size); + config = g_memdup2(pdev->config, vdev->config_size); /* * Extended capabilities are chained with each pointing to the next, so we

From patchwork Fri Sep 3 17:45:01 2021
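Review bot: whether this hunk changes behaviour depends on the type of vdev->config_size, which is not visible in the diff; if it is a 32-bit field the conversion is cosmetic, if it is wider (size_t or uint64_t) this is one of the genuine narrowing sites and the commit message should say which, because that is the difference between a cleanup and a fix. Either way the cached copy of pdev->config is sized exactly by config_size, so the extended-capability walk that follows must keep bounding its offsets against that same value rather than the device's nominal 4 KiB space.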
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [RFC PATCH v3 19/28] hw/virtio: Replace g_memdup() by g_memdup2()
Date: Fri, 3 Sep 2021 19:45:01 +0200
Message-Id: <20210903174510.751630-20-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
Acked-by: Eugenio Pérez
---
Should we check in_num/out_num in range?
---
 hw/net/virtio-net.c       | 3 ++-
 hw/virtio/virtio-crypto.c | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c index 16d20cdee52..338fbeb8c57 100644 --- a/hw/net/virtio-net.c +++ b/hw/net/virtio-net.c @@ -1449,7 +1449,8 @@ static void virtio_net_handle_ctrl(VirtIODevice *vdev, VirtQueue *vq) } iov_cnt = elem->out_num; - iov2 = iov = g_memdup(elem->out_sg, sizeof(struct iovec) * elem->out_num); + iov2 = iov = g_memdup2(elem->out_sg, + sizeof(struct iovec) * elem->out_num); s = iov_to_buf(iov, iov_cnt, 0, &ctrl, sizeof(ctrl)); iov_discard_front(&iov, &iov_cnt, sizeof(ctrl)); if (s != sizeof(ctrl)) { diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c index 54f9bbb789c..59886c1790d 100644 --- a/hw/virtio/virtio-crypto.c +++ b/hw/virtio/virtio-crypto.c @@ -242,7 +242,7 @@ static void virtio_crypto_handle_ctrl(VirtIODevice *vdev, VirtQueue *vq) } out_num = elem->out_num; - out_iov_copy = g_memdup(elem->out_sg, sizeof(out_iov[0]) * out_num); + out_iov_copy = g_memdup2(elem->out_sg, sizeof(out_iov[0]) * out_num); out_iov = out_iov_copy; in_num = elem->in_num;
@@ -605,11 +605,11 @@ virtio_crypto_handle_request(VirtIOCryptoReq *request) } out_num = elem->out_num; - out_iov_copy = g_memdup(elem->out_sg, sizeof(out_iov[0]) * out_num); + out_iov_copy = g_memdup2(elem->out_sg, sizeof(out_iov[0]) * out_num); out_iov = out_iov_copy; in_num = elem->in_num; - in_iov_copy = g_memdup(elem->in_sg, sizeof(in_iov[0]) * in_num); + in_iov_copy = g_memdup2(elem->in_sg, sizeof(in_iov[0]) * in_num); in_iov = in_iov_copy; if (unlikely(iov_to_buf(out_iov, out_num, 0, &req, sizeof(req))

From patchwork Fri Sep 3 17:45:02 2021
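Review bot: on the "Should we check in_num/out_num in range?" question, the products sizeof(struct iovec) * elem->out_num and sizeof(out_iov[0]) * out_num in these three hunks are evaluated in size_t, so they cannot overflow before the call; what bounds them is the descriptor-chain limit that virtqueue_pop() enforces when it builds the VirtQueueElement (my reading of the caller, which is outside this diff), so an explicit range check at these sites would be redundant rather than wrong, and the answer belongs in the commit message rather than under the --- cut. One corner to keep in mind when reviewing the surrounding code: g_memdup2(), like g_memdup(), returns NULL for a byte size of 0, so an element with out_num == 0 yields a NULL iov with a count of 0; the iov_to_buf() calls that follow then return a short read, which the existing `s != sizeof(ctrl)` style checks already treat as an error, so no new NULL check is needed.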
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH v3 20/28] net/colo: Replace g_memdup() by g_memdup2()
Date: Fri, 3 Sep 2021 19:45:02 +0200
Message-Id: <20210903174510.751630-21-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow.

packet_new() is called from packet_enqueue() with size being 32-bit (of type SocketReadState::packet_len).

Replace g_memdup() by the safer g_memdup2() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 net/colo.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/colo.c b/net/colo.c index 3a3e6e89a0c..c04a7fe6dbb 100644 --- a/net/colo.c +++ b/net/colo.c @@ -159,7 +159,7 @@ Packet *packet_new(const void *data, int size, int vnet_hdr_len) { Packet *pkt = g_slice_new0(Packet); - pkt->data = g_memdup(data, size); + pkt->data = g_memdup2(data, size); pkt->size = size; pkt->creation_ms = qemu_clock_get_ms(QEMU_CLOCK_HOST); pkt->vnet_hdr_len = vnet_hdr_len;
@@ -214,7 +214,7 @@ Connection *connection_get(GHashTable *connection_track_table, Connection *conn = g_hash_table_lookup(connection_track_table, key); if (conn == NULL) { - ConnectionKey *new_key = g_memdup(key, sizeof(*key)); + ConnectionKey *new_key = g_memdup2(key, sizeof(*key)); conn = connection_new(key);

From patchwork Fri Sep 3 17:45:03 2021
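Review bot: packet_new() still takes `int size`, so a negative value is converted to a huge gsize at the g_memdup2() call (previously to a huge guint) and g_malloc() aborts on the failed allocation instead of narrowing; that is better than a short buffer but still not a validated input path. Since the message says the only caller passes a 32-bit SocketReadState::packet_len, consider changing the parameter to size_t (or uint32_t) in the same patch, or asserting `size >= 0` before the copy, so pkt->data's allocation and the stored pkt->size can never disagree. The ConnectionKey hunk uses a fixed sizeof(*key) and is purely mechanical.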
From: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= To: qemu-devel@nongnu.org Subject: [RFC PATCH v3 21/28] ui/clipboard: Replace g_memdup() by g_memdup2() Date: Fri, 3 Sep 2021 19:45:03 +0200 Message-Id: <20210903174510.751630-22-philmd@redhat.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210903174510.751630-1-philmd@redhat.com> References: <20210903174510.751630-1-philmd@redhat.com> MIME-Version: 1.0 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=philmd@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Received-SPF: pass client-ip=216.205.24.124; envelope-from=philmd@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -31 X-Spam_score: -3.2 X-Spam_bar: --- X-Spam_report: (-3.2 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.392, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Peter Maydell , "Michael S. Tsirkin" , Jason Wang , Christian Schoenebeck , Gerd Hoffmann , Eric Blake , qemu-block@nongnu.org, =?utf-8?q?Alex_Benn=C3=A9e?= , David Hildenbrand , Markus Armbruster , =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= , Laurent Vivier , Thomas Huth , Eduardo Habkost , Richard Henderson , qemu-arm@nongnu.org, John Snow , David Gibson , Kevin Wolf , Vladimir Sementsov-Ogievskiy , "Daniel P . Berrange" , Hanna Reitz , qemu-ppc@nongnu.org, Paolo Bonzini Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. 
This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
TODO: audit qemu_clipboard_set_data() calls
---
 ui/clipboard.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ui/clipboard.c b/ui/clipboard.c index d7b008d62a0..d8e11bb6596 100644 --- a/ui/clipboard.c +++ b/ui/clipboard.c
@@ -123,7 +123,7 @@ void qemu_clipboard_set_data(QemuClipboardPeer *peer, } g_free(info->types[type].data); - info->types[type].data = g_memdup(data, size); + info->types[type].data = g_memdup2(data, size); info->types[type].size = size; info->types[type].available = true;
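Review bot: the TODO in the notes section ("audit qemu_clipboard_set_data() calls") is the question this hunk leaves open, so the commit message should say what type `size` has in the qemu_clipboard_set_data() prototype. g_memdup2() only removes the guint narrowing inside the copy: the copy and the stored `info->types[type].size = size;` are now both full width, which is consistent, but if `size` is already a 32-bit type at this call site the change is a deprecation cleanup only, and if it is a gsize that originates from a clipboard peer, callers should enforce an upper bound on it before the allocation rather than relying on the copy being exact. Either way this hunk depends on the g_memdup2() compatibility wrapper the message refers to being in the tree before this patch is applied.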
From: Philippe Mathieu-Daudé <philmd@redhat.com>
To: qemu-devel@nongnu.org
Subject: [RFC PATCH v3 22/28] linux-user: Replace g_memdup() by g_memdup2()
Date: Fri, 3 Sep 2021 19:45:04 +0200
Message-Id: <20210903174510.751630-23-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize.
This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
do_open_by_handle_at() doesn't check: size + sizeof(struct file_handle) < 4GiB
---
 linux-user/syscall.c | 2 +-
 linux-user/uaccess.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c index ccd3892b2df..d3701007cb3 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -7665,7 +7665,7 @@ static abi_long do_open_by_handle_at(abi_long mount_fd, abi_long handle, return -TARGET_EFAULT; } - fh = g_memdup(target_fh, total_size); + fh = g_memdup2(target_fh, total_size); fh->handle_bytes = size; fh->handle_type = tswap32(target_fh->handle_type); diff --git a/linux-user/uaccess.c b/linux-user/uaccess.c index 6a5b029607c..49eddbf4a4d 100644 --- a/linux-user/uaccess.c +++ b/linux-user/uaccess.c
@@ -15,7 +15,7 @@ void *lock_user(int type, abi_ulong guest_addr, ssize_t len, bool copy) host_addr = g2h_untagged(guest_addr); #ifdef DEBUG_REMAP if (copy) { - host_addr = g_memdup(host_addr, len); + host_addr = g_memdup2(host_addr, len); } else { host_addr = g_malloc0(len); }
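Review bot: the author's own note that do_open_by_handle_at() does not check `size + sizeof(struct file_handle) < 4GiB` means the syscall.c hunk trades a truncated copy for an unbounded one: `fh = g_memdup2(target_fh, total_size);` now allocates whatever total_size the guest-supplied handle size produces, and g_memdup2(), like the other g_* allocators, aborts the process on allocation failure instead of returning NULL. Suggest validating the size before the copy, for example `if (size > MAX_HANDLE_SZ) { return -TARGET_EINVAL; }` using the kernel's own limit on handle_bytes, so a guest cannot drive a huge host allocation through this syscall; with that bound in place the `fh->handle_bytes = size;` store shown in the hunk is also guaranteed to fit.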
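Review bot: in the uaccess.c hunk `len` is declared `ssize_t` in the lock_user() signature shown in the hunk header, so a negative value converts to a huge gsize when passed to g_memdup2() (and equally to g_malloc0() in the else branch), and both will abort on the failed allocation. This path is only compiled under DEBUG_REMAP, so the impact is limited to debug builds, but a `g_assert(len >= 0);` before the `if (copy)` branch, or returning NULL for negative lengths, would make the contract explicit instead of relying on every caller to pre-check.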
From: Philippe Mathieu-Daudé <philmd@redhat.com>
To: qemu-devel@nongnu.org
Subject: [PATCH v3 23/28] tests/unit: Replace g_memdup() by g_memdup2()
Date: Fri, 3 Sep 2021 19:45:05 +0200
Message-Id: <20210903174510.751630-24-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize.
This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
---
 tests/unit/ptimer-test.c | 22 +++++++++++-----------
 tests/unit/test-iov.c | 26 +++++++++++++------------
 2 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/tests/unit/ptimer-test.c b/tests/unit/ptimer-test.c index 9176b96c1ce..9ba5ffe273b 100644 --- a/tests/unit/ptimer-test.c +++ b/tests/unit/ptimer-test.c
@@ -798,64 +798,64 @@ static void add_ptimer_tests(uint8_t policy) g_test_add_data_func_full( tmp = g_strdup_printf("/ptimer/set_count policy=%s", policy_name), - g_memdup(&policy, 1), check_set_count, g_free); + g_memdup2(&policy, 1), check_set_count, g_free); g_free(tmp); g_test_add_data_func_full( tmp = g_strdup_printf("/ptimer/set_limit policy=%s", policy_name), - g_memdup(&policy, 1), check_set_limit, g_free); + g_memdup2(&policy, 1), check_set_limit, g_free); g_free(tmp); g_test_add_data_func_full( tmp = g_strdup_printf("/ptimer/oneshot policy=%s", policy_name), - g_memdup(&policy, 1), check_oneshot, g_free); + g_memdup2(&policy, 1), check_oneshot, g_free); g_free(tmp); g_test_add_data_func_full( tmp = g_strdup_printf("/ptimer/periodic policy=%s", policy_name), - g_memdup(&policy, 1), check_periodic, g_free); + g_memdup2(&policy, 1), check_periodic, g_free); g_free(tmp); g_test_add_data_func_full( tmp = g_strdup_printf("/ptimer/on_the_fly_mode_change policy=%s", policy_name), - g_memdup(&policy, 1), check_on_the_fly_mode_change, g_free); + g_memdup2(&policy, 1), check_on_the_fly_mode_change, g_free); g_free(tmp); g_test_add_data_func_full( tmp = g_strdup_printf("/ptimer/on_the_fly_period_change policy=%s", policy_name), - g_memdup(&policy, 1), check_on_the_fly_period_change, g_free); + g_memdup2(&policy, 1), check_on_the_fly_period_change, g_free); g_free(tmp); g_test_add_data_func_full( tmp = g_strdup_printf("/ptimer/on_the_fly_freq_change policy=%s", policy_name), - g_memdup(&policy, 1), check_on_the_fly_freq_change, g_free); + g_memdup2(&policy, 1), check_on_the_fly_freq_change, g_free); g_free(tmp); g_test_add_data_func_full( tmp = g_strdup_printf("/ptimer/run_with_period_0 policy=%s", policy_name), - g_memdup(&policy, 1), check_run_with_period_0, g_free); + g_memdup2(&policy, 1), check_run_with_period_0, g_free); g_free(tmp); g_test_add_data_func_full( tmp = g_strdup_printf("/ptimer/run_with_delta_0 policy=%s", policy_name), - g_memdup(&policy, 1), 
check_run_with_delta_0, g_free); + g_memdup2(&policy, 1), check_run_with_delta_0, g_free); g_free(tmp); g_test_add_data_func_full( tmp = g_strdup_printf("/ptimer/periodic_with_load_0 policy=%s", policy_name), - g_memdup(&policy, 1), check_periodic_with_load_0, g_free); + g_memdup2(&policy, 1), check_periodic_with_load_0, g_free); g_free(tmp); g_test_add_data_func_full( tmp = g_strdup_printf("/ptimer/oneshot_with_load_0 policy=%s", policy_name), - g_memdup(&policy, 1), check_oneshot_with_load_0, g_free); + g_memdup2(&policy, 1), check_oneshot_with_load_0, g_free); g_free(tmp); } diff --git a/tests/unit/test-iov.c b/tests/unit/test-iov.c index 5371066fb6a..aa679b56131 100644 --- a/tests/unit/test-iov.c +++ b/tests/unit/test-iov.c @@ -173,7 +173,7 @@ static void test_io(void) } iov_from_buf(iov, niov, 0, buf, sz); - siov = g_memdup(iov, sizeof(*iov) * niov); + siov = g_memdup2(iov, sizeof(*iov) * niov); if (socketpair(PF_UNIX, SOCK_STREAM, 0, sv) < 0) { perror("socketpair"); @@ -350,7 +350,7 @@ static void test_discard_front_undo(void) /* Discard zero bytes */ iov_random(&iov, &iov_cnt); - iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig = g_memdup2(iov, sizeof(iov[0]) * iov_cnt); iov_tmp = iov; iov_cnt_tmp = iov_cnt; iov_discard_front_undoable(&iov_tmp, &iov_cnt_tmp, 0, &undo); @@ -361,7 +361,7 @@ static void test_discard_front_undo(void) /* Discard more bytes than vector size */ iov_random(&iov, &iov_cnt); - iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig = g_memdup2(iov, sizeof(iov[0]) * iov_cnt); iov_tmp = iov; iov_cnt_tmp = iov_cnt; size = iov_size(iov, iov_cnt); @@ -373,7 +373,7 @@ static void test_discard_front_undo(void) /* Discard entire vector */ iov_random(&iov, &iov_cnt); - iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig = g_memdup2(iov, sizeof(iov[0]) * iov_cnt); iov_tmp = iov; iov_cnt_tmp = iov_cnt; size = iov_size(iov, iov_cnt); 
@@ -385,7 +385,7 @@ static void test_discard_front_undo(void) /* Discard within first element */ iov_random(&iov, &iov_cnt); - iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig = g_memdup2(iov, sizeof(iov[0]) * iov_cnt); iov_tmp = iov; iov_cnt_tmp = iov_cnt; size = g_test_rand_int_range(1, iov->iov_len); @@ -397,7 +397,7 @@ static void test_discard_front_undo(void) /* Discard entire first element */ iov_random(&iov, &iov_cnt); - iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig = g_memdup2(iov, sizeof(iov[0]) * iov_cnt); iov_tmp = iov; iov_cnt_tmp = iov_cnt; iov_discard_front_undoable(&iov_tmp, &iov_cnt_tmp, iov->iov_len, &undo); @@ -408,7 +408,7 @@ static void test_discard_front_undo(void) /* Discard within second element */ iov_random(&iov, &iov_cnt); - iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig = g_memdup2(iov, sizeof(iov[0]) * iov_cnt); iov_tmp = iov; iov_cnt_tmp = iov_cnt; size = iov->iov_len + g_test_rand_int_range(1, iov[1].iov_len); @@ -499,7 +499,7 @@ static void test_discard_back_undo(void) /* Discard zero bytes */ iov_random(&iov, &iov_cnt); - iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig = g_memdup2(iov, sizeof(iov[0]) * iov_cnt); iov_cnt_tmp = iov_cnt; iov_discard_back_undoable(iov, &iov_cnt_tmp, 0, &undo); iov_discard_undo(&undo); @@ -509,7 +509,7 @@ static void test_discard_back_undo(void) /* Discard more bytes than vector size */ iov_random(&iov, &iov_cnt); - iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig = g_memdup2(iov, sizeof(iov[0]) * iov_cnt); iov_cnt_tmp = iov_cnt; size = iov_size(iov, iov_cnt); iov_discard_back_undoable(iov, &iov_cnt_tmp, size + 1, &undo); 
@@ -520,7 +520,7 @@ static void test_discard_back_undo(void) /* Discard entire vector */ iov_random(&iov, &iov_cnt); - iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig = g_memdup2(iov, sizeof(iov[0]) * iov_cnt); iov_cnt_tmp = iov_cnt; size = iov_size(iov, iov_cnt); iov_discard_back_undoable(iov, &iov_cnt_tmp, size, &undo); @@ -531,7 +531,7 @@ static void test_discard_back_undo(void) /* Discard within last element */ iov_random(&iov, &iov_cnt); - iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig = g_memdup2(iov, sizeof(iov[0]) * iov_cnt); iov_cnt_tmp = iov_cnt; size = g_test_rand_int_range(1, iov[iov_cnt - 1].iov_len); iov_discard_back_undoable(iov, &iov_cnt_tmp, size, &undo); @@ -542,7 +542,7 @@ static void test_discard_back_undo(void) /* Discard entire last element */ iov_random(&iov, &iov_cnt); - iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig = g_memdup2(iov, sizeof(iov[0]) * iov_cnt); iov_cnt_tmp = iov_cnt; size = iov[iov_cnt - 1].iov_len; iov_discard_back_undoable(iov, &iov_cnt_tmp, size, &undo); 
@@ -553,7 +553,7 @@ static void test_discard_back_undo(void) /* Discard within second-to-last element */ iov_random(&iov, &iov_cnt); - iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt); + iov_orig = g_memdup2(iov, sizeof(iov[0]) * iov_cnt); iov_cnt_tmp = iov_cnt; size = iov[iov_cnt - 1].iov_len + g_test_rand_int_range(1, iov[iov_cnt - 2].iov_len);
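Review bot: every ptimer-test.c call site in the add_ptimer_tests() hunk passes the literal `1` as the byte count, so nothing there could ever have been truncated and the change is a pure deprecation cleanup; saying so in the commit message for this tests/unit patch would stop reviewers looking for a real overflow. Writing `g_memdup2(&policy, sizeof(policy))` instead of `g_memdup2(&policy, 1)` would also document that the argument is the size of the uint8_t being copied, though that is optional for a mechanical replacement.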
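Review bot: in the test-iov.c hunks the size argument is `sizeof(iov[0]) * iov_cnt` (and `sizeof(*iov) * niov` in test_io()), where sizeof() already makes the product a size_t; with g_memdup() that full-width value was narrowed to guint at the call, and with g_memdup2() it is preserved, so these are exact instances of the pattern the cover text describes even though the test vectors are small. Since all of these lines are being touched anyway, the two spellings `sizeof(iov[0])` and `sizeof(*iov)` could be unified in the same pass.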
From: Philippe Mathieu-Daudé <philmd@redhat.com>
To: qemu-devel@nongnu.org
Subject: [PATCH v3 24/28] tests/qtest: Replace g_memdup() by g_memdup2()
Date: Fri, 3 Sep 2021 19:45:06 +0200
Message-Id: <20210903174510.751630-25-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize.
This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2() wrapper.

Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Thomas Huth
---
 tests/qtest/libqos/ahci.c | 6 +++---
 tests/qtest/libqos/qgraph.c | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/tests/qtest/libqos/ahci.c b/tests/qtest/libqos/ahci.c index fba3e7a954e..eaa2096512e 100644 --- a/tests/qtest/libqos/ahci.c +++ b/tests/qtest/libqos/ahci.c @@ -639,8 +639,8 @@ void ahci_exec(AHCIQState *ahci, uint8_t port, AHCIOpts *opts; uint64_t buffer_in; - opts = g_memdup((opts_in == NULL ? &default_opts : opts_in), - sizeof(AHCIOpts)); + opts = g_memdup2((opts_in == NULL ? &default_opts : opts_in), + sizeof(AHCIOpts)); buffer_in = opts->buffer; @@ -860,7 +860,7 @@ AHCICommand *ahci_command_create(uint8_t command_name) g_assert(!props->ncq || props->lba48); /* Defaults and book-keeping */ - cmd->props = g_memdup(props, sizeof(AHCICommandProp)); + cmd->props = g_memdup2(props, sizeof(AHCICommandProp)); cmd->name = command_name; cmd->xbytes = props->size; cmd->prd_size = 4096; diff --git a/tests/qtest/libqos/qgraph.c b/tests/qtest/libqos/qgraph.c index d1dc4919305..109ff04e1e8 100644 --- a/tests/qtest/libqos/qgraph.c +++ b/tests/qtest/libqos/qgraph.c
@@ -93,7 +93,7 @@ static void add_edge(const char *source, const char *dest, edge->type = type; edge->dest = g_strdup(dest); edge->edge_name = g_strdup(opts->edge_name ?: dest); - edge->arg = g_memdup(opts->arg, opts->size_arg); + edge->arg = g_memdup2(opts->arg, opts->size_arg); edge->before_cmd_line = opts->before_cmd_line ? g_strconcat(" ", opts->before_cmd_line, NULL) : NULL;
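Review bot: both ahci.c hunks pass a compile-time constant (`sizeof(AHCIOpts)`, `sizeof(AHCICommandProp)`), so there is no truncation to fix there and the change is deprecation cleanup only; the continuation line `sizeof(AHCIOpts));` in the ahci_exec() hunk is re-indented by one column to stay aligned with the opening parenthesis of the longer function name, which is correct and worth a word in the message so the whitespace-only second `+` line is not mistaken for a stray edit.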
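Review bot: in the qgraph.c hunk `edge->arg = g_memdup2(opts->arg, opts->size_arg);` keeps the behaviour that a NULL `opts->arg` yields a NULL `edge->arg` (g_memdup2(), like g_memdup(), returns NULL for a NULL source), which edges declared without arguments rely on; it would help to confirm in the message that `size_arg` in the options struct is a gsize, because if it is declared guint this call site still narrows before the copy and only the deprecation warning is addressed here.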
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH v3 25/28] target/arm: Replace g_memdup() by g_memdup2()
Date: Fri, 3 Sep 2021 19:45:07 +0200
Message-Id: <20210903174510.751630-26-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>
References: <20210903174510.751630-1-philmd@redhat.com>
Cc: Peter Maydell, "Michael S. Tsirkin", Jason Wang, Christian Schoenebeck, Gerd Hoffmann, Eric Blake, qemu-block@nongnu.org, Alex Bennée, David Hildenbrand, Markus Armbruster, Philippe Mathieu-Daudé, Laurent Vivier, Thomas Huth, Eduardo Habkost, Richard Henderson, qemu-arm@nongnu.org, John Snow, David Gibson, Kevin Wolf, Vladimir Sementsov-Ogievskiy, "Daniel P . Berrange", Hanna Reitz, qemu-ppc@nongnu.org, Paolo Bonzini

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize.
This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2() wrapper. Signed-off-by: Philippe Mathieu-Daudé --- target/arm/helper.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index a7ae78146d4..96ff81fe68e 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -6242,8 +6242,8 @@ static void define_arm_vh_e2h_redirects_aliases(ARMCPU *cpu) /* Create alias before redirection so we dup the right data. */ if (a->new_key) { - ARMCPRegInfo *new_reg = g_memdup(src_reg, sizeof(ARMCPRegInfo)); - uint32_t *new_key = g_memdup(&a->new_key, sizeof(uint32_t)); + ARMCPRegInfo *new_reg = g_memdup2(src_reg, sizeof(ARMCPRegInfo)); + uint32_t *new_key = g_memdup2(&a->new_key, sizeof(uint32_t)); bool ok; new_reg->name = a->new_name; 
@@ -8818,7 +8818,7 @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r, * add a single reginfo struct to the hash table. */ uint32_t *key = g_new(uint32_t, 1); - ARMCPRegInfo *r2 = g_memdup(r, sizeof(ARMCPRegInfo)); + ARMCPRegInfo *r2 = g_memdup2(r, sizeof(ARMCPRegInfo)); int is64 = (r->type & ARM_CP_64BIT) ? 1 : 0; int ns = (secstate & ARM_CP_SECSTATE_NS) ? 1 : 0;

From patchwork Fri Sep 3 17:45:08 2021
X-Patchwork-Submitter: Philippe Mathieu-Daudé
X-Patchwork-Id: 12474931
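Review bot: in the define_arm_vh_e2h_redirects_aliases() hunk, both lengths are sizeof(ARMCPRegInfo) and sizeof(uint32_t), so this is a mechanical API retirement with no behavioural change. Style nit: `uint32_t *new_key = g_memdup2(&a->new_key, sizeof(uint32_t));` duplicates a single scalar, which the add_cpreg_to_hashtable() hunk does with `uint32_t *key = g_new(uint32_t, 1);` followed by an assignment; using the same idiom here would drop one memdup call and keep the two key allocations consistent. Not a blocker.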
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH v3 26/28] target/ppc: Replace g_memdup() by g_memdup2()
Date: Fri, 3 Sep 2021 19:45:08 +0200
Message-Id: <20210903174510.751630-27-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>
References: <20210903174510.751630-1-philmd@redhat.com>
Cc: Peter Maydell, "Michael S. Tsirkin", Jason Wang, Christian Schoenebeck, Gerd Hoffmann, Eric Blake, qemu-block@nongnu.org, Alex Bennée, David Hildenbrand, Markus Armbruster, Philippe Mathieu-Daudé, Laurent Vivier, Thomas Huth, Eduardo Habkost, Richard Henderson, qemu-arm@nongnu.org, John Snow, David Gibson, Kevin Wolf, Vladimir Sementsov-Ogievskiy, "Daniel P . Berrange", Hanna Reitz, qemu-ppc@nongnu.org, Paolo Bonzini

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize.
This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2() wrapper. Signed-off-by: Philippe Mathieu-Daudé Acked-by: David Gibson --- target/ppc/mmu-hash64.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target/ppc/mmu-hash64.c b/target/ppc/mmu-hash64.c index 19832c4b46f..bc6f8748acb 100644 --- a/target/ppc/mmu-hash64.c +++ b/target/ppc/mmu-hash64.c 
@@ -1122,7 +1122,7 @@ void ppc_hash64_init(PowerPCCPU *cpu) return; } - cpu->hash64_opts = g_memdup(pcc->hash64_opts, sizeof(*cpu->hash64_opts)); + cpu->hash64_opts = g_memdup2(pcc->hash64_opts, sizeof(*cpu->hash64_opts)); } void ppc_hash64_finalize(PowerPCCPU *cpu)

From patchwork Fri Sep 3 17:45:09 2021
X-Patchwork-Submitter: Philippe Mathieu-Daudé
X-Patchwork-Id: 12474923
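Review bot: in the ppc_hash64_init() hunk, sizeof(*cpu->hash64_opts) is a compile-time constant, so no narrowing could have occurred and the conversion is behaviour-preserving; taking sizeof from the destination rather than the source pointer is the right idiom and keeps the copy length correct if the struct grows. Nothing to change.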
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH v3 27/28] contrib: Replace g_memdup() by g_memdup2()
Date: Fri, 3 Sep 2021 19:45:09 +0200
Message-Id: <20210903174510.751630-28-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>
References: <20210903174510.751630-1-philmd@redhat.com>
Cc: Peter Maydell, "Michael S. Tsirkin", Jason Wang, Christian Schoenebeck, Gerd Hoffmann, Eric Blake, qemu-block@nongnu.org, Alex Bennée, David Hildenbrand, Markus Armbruster, Philippe Mathieu-Daudé, Laurent Vivier, Thomas Huth, Eduardo Habkost, Richard Henderson, qemu-arm@nongnu.org, John Snow, David Gibson, Kevin Wolf, Vladimir Sementsov-Ogievskiy, "Daniel P . Berrange", Hanna Reitz, qemu-ppc@nongnu.org, Paolo Bonzini

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize.
This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2() wrapper. Signed-off-by: Philippe Mathieu-Daudé --- contrib/plugins/lockstep.c | 2 +- contrib/rdmacm-mux/main.c | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/contrib/plugins/lockstep.c b/contrib/plugins/lockstep.c index 7fd35eb6692..1c6a9f7a044 100644 --- a/contrib/plugins/lockstep.c +++ b/contrib/plugins/lockstep.c @@ -130,7 +130,7 @@ static void report_divergance(ExecState *us, ExecState *them) } } divergence_log = g_slist_prepend(divergence_log, - g_memdup(&divrec, sizeof(divrec))); + g_memdup2(&divrec, sizeof(divrec))); /* Output short log entry of going out of sync... */ if (verbose || divrec.distance == 1 || diverged) { diff --git a/contrib/rdmacm-mux/main.c b/contrib/rdmacm-mux/main.c index 771ca01e03f..0899dca2885 100644 --- a/contrib/rdmacm-mux/main.c +++ b/contrib/rdmacm-mux/main.c @@ -227,8 +227,8 @@ static RdmaCmMuxErrCode add_fd_ifid_pair(int fd, __be64 gid_ifid) RDMACM_MUX_ERR_CODE_EACCES; } - g_hash_table_insert(server.umad_agent.gid2fd, g_memdup(&gid_ifid, - sizeof(gid_ifid)), g_memdup(&fd, sizeof(fd))); + g_hash_table_insert(server.umad_agent.gid2fd, g_memdup2(&gid_ifid, + sizeof(gid_ifid)), g_memdup2(&fd, sizeof(fd))); pthread_rwlock_unlock(&server.lock); @@ -250,7 +250,7 @@ static RdmaCmMuxErrCode delete_fd_ifid_pair(int fd, __be64 gid_ifid) return RDMACM_MUX_ERR_CODE_ENOTFOUND; } - g_hash_table_remove(server.umad_agent.gid2fd, g_memdup(&gid_ifid, + g_hash_table_remove(server.umad_agent.gid2fd, g_memdup2(&gid_ifid, sizeof(gid_ifid))); pthread_rwlock_unlock(&server.lock); 
@@ -267,8 +267,8 @@ static void hash_tbl_save_fd_comm_id_pair(int fd, uint32_t comm_id, pthread_rwlock_wrlock(&server.lock); g_hash_table_insert(server.umad_agent.commid2fd, - g_memdup(&comm_id, sizeof(comm_id)), - g_memdup(&fde, sizeof(fde))); + g_memdup2(&comm_id, sizeof(comm_id)), + g_memdup2(&fde, sizeof(fde))); pthread_rwlock_unlock(&server.lock); }

From patchwork Fri Sep 3 17:45:10 2021
X-Patchwork-Submitter: Philippe Mathieu-Daudé
X-Patchwork-Id: 12474929
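Review bot: in the contrib/rdmacm-mux/main.c add_fd_ifid_pair() hunk, both the key `g_memdup2(&gid_ifid, sizeof(gid_ifid))` and the value `g_memdup2(&fd, sizeof(fd))` are heap copies of scalars handed to g_hash_table_insert(); that is only leak-free if gid2fd was created with g_hash_table_new_full() and g_free as key and value destroy functions. Note also that g_hash_table_insert() on an already-present key keeps the old key and frees the passed one (via the key destroy function), so the table creation, which is not in this diff, is worth checking while these lines are being touched.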
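Review bot: in the delete_fd_ifid_pair() hunk, the lookup key `g_memdup2(&gid_ifid, sizeof(gid_ifid))` passed to g_hash_table_remove() is never freed: g_hash_table_remove() uses its argument only to find the entry and does not take ownership of it (the key destroy function, if any, runs on the key stored in the table), so every call, successful or not, leaks sizeof(gid_ifid) bytes. The allocation is unnecessary; passing `&gid_ifid` directly performs the same lookup without the leak. Pre-existing, but the line is being rewritten anyway, so it is the moment to drop the memdup.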
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH v3 28/28] checkpatch: Do not allow deprecated g_memdup()
Date: Fri, 3 Sep 2021 19:45:10 +0200
Message-Id: <20210903174510.751630-29-philmd@redhat.com>
In-Reply-To: <20210903174510.751630-1-philmd@redhat.com>
References: <20210903174510.751630-1-philmd@redhat.com>
Cc: Peter Maydell, "Michael S. Tsirkin", Jason Wang, Christian Schoenebeck, Gerd Hoffmann, Eric Blake, qemu-block@nongnu.org, Alex Bennée, David Hildenbrand, Markus Armbruster, Philippe Mathieu-Daudé, Laurent Vivier, Thomas Huth, Eduardo Habkost, Richard Henderson, qemu-arm@nongnu.org, John Snow, David Gibson, Kevin Wolf, Vladimir Sementsov-Ogievskiy, "Daniel P . Berrange", Hanna Reitz, qemu-ppc@nongnu.org, Paolo Bonzini

g_memdup() is insecure and has been deprecated in GLib 2.68. QEMU provides the safe equivalent g_memdup2() wrapper. Do not allow more g_memdup() calls in the repository, provide a hint to use g_memdup2().
Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Eric Blake --- scripts/checkpatch.pl | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl index cb8eff233e0..5caa739db48 100755 --- a/scripts/checkpatch.pl +++ b/scripts/checkpatch.pl @@ -2850,6 +2850,11 @@ sub process { WARN("consider using g_path_get_$1() in preference to g_strdup($1())\n" . $herecurr); } +# enforce g_memdup2() over g_memdup() + if ($line =~ /\bg_memdup\s*\(/) { + ERROR("use g_memdup2() instead of unsafe g_memdup()\n" . $herecurr); + } + # recommend qemu_strto* over strto* for numeric conversions if ($line =~ /\b(strto[^kd].*?)\s*\(/) { ERROR("consider using qemu_$1 in preference to $1\n" . $herecurr);
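Review bot: the pattern `/\bg_memdup\s*\(/` correctly leaves g_memdup2() alone, because the digit follows the name before any `(`, but it also matches the identifier inside comments and string literals, so an added comment such as "replaces g_memdup()" next to the wrapper's own definition will be reported as an ERROR. Either accept that (the message text makes the false positive obvious) or exclude comment-only lines, and say which in the commit message. Using ERROR rather than WARN is consistent with the qemu_strto* check directly below and matches the "do not allow" intent.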
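The truncation that every commit message in this series describes (a 64-bit gsize silently narrowed to g_memdup()'s 32-bit guint) and the reason the checkpatch rule above treats the old call as an error, as an added example. This is my own C model, not QEMU or GLib code: the two functions imitate only the parameter widths of g_memdup() (unsigned int) and g_memdup2() (size_t) and report the number of bytes really allocated, so the effect can be observed without ever writing past a heap block. The names memdup_guint, memdup_gsize, DupResult and the 64-byte source buffer are constructed for the demo; GLib is not linked.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result of a duplication: the copy plus the byte count actually allocated,
 * so the effect of the size parameter's width can be checked directly. */
typedef struct {
    void *copy;
    size_t allocated;
} DupResult;

/* Model of g_memdup(): byte_size is a 32-bit unsigned int, like GLib's guint.
 * A 64-bit size_t argument is converted modulo 2^32 at the call site, with
 * no diagnostic by default, so a caller asking for 4 GiB + 16 bytes gets 16. */
static DupResult memdup_guint(const void *mem, unsigned int byte_size)
{
    DupResult r = { NULL, 0 };

    if (mem != NULL && byte_size != 0) {      /* GLib returns NULL for both */
        r.copy = malloc(byte_size);
        if (r.copy != NULL) {
            memcpy(r.copy, mem, byte_size);
            r.allocated = byte_size;
        }
    }
    return r;
}

/* Model of g_memdup2(): byte_size is size_t (GLib's gsize), so the request
 * reaches the allocator intact; an oversized request fails instead of
 * silently shrinking. */
static DupResult memdup_gsize(const void *mem, size_t byte_size)
{
    DupResult r = { NULL, 0 };

    if (mem != NULL && byte_size != 0) {
        r.copy = malloc(byte_size);
        if (r.copy != NULL) {
            memcpy(r.copy, mem, byte_size);
            r.allocated = byte_size;
        }
    }
    return r;
}

/* Size that a guint parameter actually receives for a size_t n. */
static size_t guint_truncated_size(size_t n)
{
    return (size_t)(unsigned int)n;   /* the conversion the compiler performs */
}

/* True when handing n to a guint parameter shrinks the allocation; this is
 * the check a caller stuck with g_memdup() would need before every call. */
static int size_would_truncate(size_t n)
{
    return n > UINT_MAX;
}

/* Constructed scenario: the caller believes it is duplicating 4 GiB + 16
 * bytes (only 64 bytes exist here, which is enough because the truncated
 * call copies just 16). Returns the size the returned heap block really has;
 * the real bug is that the caller would then write the full request into it. */
static size_t demo_truncated_allocation(void)
{
    static const unsigned char source[64] = { 0xAA, 0xBB };
    size_t requested = (size_t)UINT_MAX + 17;   /* 2^32 + 16 on an LP64 host */
    DupResult r;

    if (sizeof(size_t) <= sizeof(unsigned int)) {
        return 0;   /* no narrowing possible on this platform */
    }
    r = memdup_guint(source, requested);   /* implicit size_t -> unsigned int */
    free(r.copy);
    return r.allocated;                    /* 16, not 4294967312 */
}

int main(void)
{
    size_t requested = (size_t)UINT_MAX + 17;

    printf("requested %zu bytes, guint sees %zu, truncates: %s\n",
           requested, guint_truncated_size(requested),
           size_would_truncate(requested) ? "yes" : "no");
    printf("heap block returned by the g_memdup() model: %zu bytes\n",
           demo_truncated_allocation());
    return 0;
}
```

On an LP64 host the program reports a 16-byte block for a 4 GiB + 16 byte request, which is the heap overflow setup the commit messages describe: the caller keeps its 64-bit length and writes it into the shrunken block. GLib's g_memdup2() takes gsize exactly as memdup_gsize does here, so the series can forbid the old call outright instead of adding a size check before each site.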