Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538
The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2_qemu() wrapper.
Signed-off-by: Philippe Mathieu-Daudé <phi...@redhat.com>
---
 contrib/plugins/lockstep.c | 2 +-
 contrib/rdmacm-mux/main.c | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/contrib/plugins/lockstep.c b/contrib/plugins/lockstep.c
index 7fd35eb6692..119a8054b3f 100644
--- a/contrib/plugins/lockstep.c
+++ b/contrib/plugins/lockstep.c
@@ -130,7 +130,7 @@ static void report_divergance(ExecState *us, ExecState *them)
 }
 }
 divergence_log = g_slist_prepend(divergence_log,
- g_memdup(&divrec, sizeof(divrec)));
+ g_memdup2_qemu(&divrec, sizeof(divrec)));
 
 /* Output short log entry of going out of sync... */
 if (verbose || divrec.distance == 1 || diverged) {
diff --git a/contrib/rdmacm-mux/main.c b/contrib/rdmacm-mux/main.c
index 771ca01e03f..d447d50f538 100644
--- a/contrib/rdmacm-mux/main.c
+++ b/contrib/rdmacm-mux/main.c
@@ -227,8 +227,8 @@ static RdmaCmMuxErrCode add_fd_ifid_pair(int fd, __be64 gid_ifid)
 RDMACM_MUX_ERR_CODE_EACCES;
 }
 
- g_hash_table_insert(server.umad_agent.gid2fd, g_memdup(&gid_ifid,
- sizeof(gid_ifid)), g_memdup(&fd, sizeof(fd)));
+ g_hash_table_insert(server.umad_agent.gid2fd, g_memdup2_qemu(&gid_ifid,
+ sizeof(gid_ifid)), g_memdup2_qemu(&fd, sizeof(fd)));
 
 pthread_rwlock_unlock(&server.lock);
 
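Review bot: The new g_memdup2_qemu() call in report_divergance() comes with no include change in this file, and contrib/plugins sources are normally built against only <glib.h> and <qemu-plugin.h> rather than qemu/osdep.h, so if glib-compat.h is not already in scope here the wrapper is an undeclared identifier under the plugin build. Please confirm which header provides g_memdup2_qemu() for lockstep.c, or call g_memdup2() directly if the plugin build's GLib floor permits it. The body of report_divergance() starts before the hunk.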
@@ -250,7 +250,7 @@ static RdmaCmMuxErrCode delete_fd_ifid_pair(int fd, __be64 gid_ifid)
 return RDMACM_MUX_ERR_CODE_ENOTFOUND;
 }
 
- g_hash_table_remove(server.umad_agent.gid2fd, g_memdup(&gid_ifid,
+ g_hash_table_remove(server.umad_agent.gid2fd, g_memdup2_qemu(&gid_ifid,
 sizeof(gid_ifid)));
 
 pthread_rwlock_unlock(&server.lock);
@@ -267,8 +267,8 @@ static void hash_tbl_save_fd_comm_id_pair(int fd, uint32_t comm_id,
 
 pthread_rwlock_wrlock(&server.lock);
 g_hash_table_insert(server.umad_agent.commid2fd,
- g_memdup(&comm_id, sizeof(comm_id)),
- g_memdup(&fde, sizeof(fde)));
+ g_memdup2_qemu(&comm_id, sizeof(comm_id)),
+ g_memdup2_qemu(&fde, sizeof(fde)));
 pthread_rwlock_unlock(&server.lock);
 }
 
-- 
2.31.1
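Review bot: The lookup key handed to g_hash_table_remove() in delete_fd_ifid_pair() is a fresh g_memdup2_qemu() copy that nothing frees: g_hash_table_remove() applies the table's key-destroy function to the key stored in the table, not to the key used for the lookup, so every deletion appears to leak sizeof(gid_ifid) bytes (pre-existing, but the commit rewrites exactly this line). Because gid_ifid is a by-value parameter, the lookup needs no heap copy at all: `g_hash_table_remove(server.umad_agent.gid2fd, &gid_ifid);`. This does not apply to the insert sites in the other two hunks of this file, where the copies are handed to the table. The function's body continues outside the hunk.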