mirrors/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

hw/ppc/spapr_pci: Replace g_memdup() by g_memdup2()

Browse Source 
Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

  The old API took the size of the memory to duplicate as a guint,
  whereas most memory functions take memory sizes as a gsize. This
  made it easy to accidentally pass a gsize to g_memdup(). For large
  values, that would lead to a silent truncation of the size from 64
  to 32 bits, and result in a heap area being returned which is
  significantly smaller than what the caller expects. This can likely
  be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2() wrapper.

Trivially safe because the argument was directly from sizeof.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: David Gibson <david@gibson.dropber.id.au>
Message-Id: <20210903174510.751630-17-philmd@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
This commit is contained in:
Philippe Mathieu-Daudé 2021-09-03 12:05:50 +02:00 committed by Philippe Mathieu-Daudé
parent 0572f01117
commit 09d98a241c
1 changed files with 3 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
hw/ppc/spapr_pci.c
View File

@ -2188,10 +2188,9 @@ static int spapr_pci_post_load(void *opaque, int version_id)
int i; int i;
for (i = 0; i < sphb->msi_devs_num; ++i) { for (i = 0; i < sphb->msi_devs_num; ++i) {
key = g_memdup(&sphb->msi_devs[i].key, key = g_memdup2(&sphb->msi_devs[i].key, sizeof(sphb->msi_devs[i].key));
sizeof(sphb->msi_devs[i].key)); value = g_memdup2(&sphb->msi_devs[i].value,
value = g_memdup(&sphb->msi_devs[i].value, sizeof(sphb->msi_devs[i].value));
sizeof(sphb->msi_devs[i].value));
g_hash_table_insert(sphb->msi, key, value); g_hash_table_insert(sphb->msi, key, value);
} }
g_free(sphb->msi_devs); g_free(sphb->msi_devs);