Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538
The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2() wrapper.

Signed-off-by: Philippe Mathieu-Daudé <phi...@redhat.com>
---
 hw/nvram/fw_cfg.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
index 9b8dcca4ead..0c3cfa8a41e 100644
--- a/hw/nvram/fw_cfg.c
+++ b/hw/nvram/fw_cfg.c
@@ -205,7 +205,8 @@ static void fw_cfg_bootsplash(FWCfgState *s)
 /* use little endian format */
 bst_le16 = cpu_to_le16(bst_val);
 fw_cfg_add_file(s, "etc/boot-menu-wait",
- g_memdup(&bst_le16, sizeof bst_le16), sizeof bst_le16);
+ g_memdup2(&bst_le16, sizeof bst_le16),
+ sizeof bst_le16);
 }
 
 /* insert splash file if user configurated */
@@ -260,7 +261,7 @@ static void fw_cfg_reboot(FWCfgState *s)
 }
 
 rt_le32 = cpu_to_le32(rt_val);
- fw_cfg_add_file(s, "etc/boot-fail-wait", g_memdup(&rt_le32, 4), 4);
+ fw_cfg_add_file(s, "etc/boot-fail-wait", g_memdup2(&rt_le32, 4), 4);
 }
 
 static void fw_cfg_write(FWCfgState *s, uint8_t value)
@@ -755,7 +756,7 @@ void fw_cfg_add_string(FWCfgState *s, uint16_t key, const char *value)
 size_t sz = strlen(value) + 1;
 
 trace_fw_cfg_add_string(key, trace_key_name(key), value);
- fw_cfg_add_bytes(s, key, g_memdup(value, sz), sz);
+ fw_cfg_add_bytes(s, key, g_memdup2(value, sz), sz);
 }
 
 void fw_cfg_modify_string(FWCfgState *s, uint16_t key, const char *value)
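Review bot: The converted call `g_memdup2(&bst_le16, sizeof bst_le16)` relies on a `g_memdup2()` declaration that neither this hunk nor the file headers show; upstream glib only introduced it in 2.68, so on older glib the build depends on a compatibility wrapper being visible in this translation unit. Presumably QEMU's glib-compat.h (reached via osdep.h) provides the fallback, but that is inferred rather than visible here, and a missing wrapper would turn every converted site in this patch into an undeclared-function error. It is worth stating in the commit message that the wrapper is in place, or adding `#include "glib-compat.h"` if it is not already pulled in. fw_cfg_bootsplash starts and ends outside the hunk.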
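Review bot: The new line `fw_cfg_add_file(s, "etc/boot-fail-wait", g_memdup2(&rt_le32, 4), 4);` keeps a hard-coded `4` for both the copy length and the file size, while the bootsplash hunk in the same patch uses `sizeof bst_le16`. Since the point of g_memdup2() is a gsize argument that matches the object, I would make this site consistent: `g_memdup2(&rt_le32, sizeof rt_le32), sizeof rt_le32);` wrapped to fit the line. The value is presumably identical today (rt_le32 comes from cpu_to_le32, so 4 bytes), so this is consistency rather than a bug. fw_cfg_reboot's opening brace is outside the hunk.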
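Review bot: `size_t sz = strlen(value) + 1;` on the first context line is the only size in this patch that is not a compile-time constant, so it is the one site where the old guint truncation could actually have mattered; the new `g_memdup2(value, sz)` closes that, but `value` is still dereferenced unconditionally and a NULL caller crashes in strlen() before the copy is made. I would document the precondition rather than add a guard that would only hide a caller bug: `/* value must be a non-NULL, NUL-terminated string; the copy handed to fw_cfg_add_bytes() is owned by s */` above the strlen. The ownership half is inferred from fw_cfg_modify_bytes_read() handing the previous buffer back for g_free() in the next hunk — confirm against fw_cfg_add_bytes() before committing to it. fw_cfg_add_string's opening brace is outside the hunk.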
@@ -763,7 +764,7 @@ void fw_cfg_modify_string(FWCfgState *s, uint16_t key, const char *value)
 size_t sz = strlen(value) + 1;
 char *old;
 
- old = fw_cfg_modify_bytes_read(s, key, g_memdup(value, sz), sz);
+ old = fw_cfg_modify_bytes_read(s, key, g_memdup2(value, sz), sz);
 g_free(old);
 }
 
-- 
2.31.1