Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538
The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2() wrapper. Signed-off-by: Philippe Mathieu-Daudé <phi...@redhat.com> --- do_open_by_handle_at() doesn't check: size + sizeof(struct file_handle) < 4GiB --- linux-user/syscall.c | 2 +- linux-user/uaccess.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index ccd3892b2df..d3701007cb3 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -7665,7 +7665,7 @@ static abi_long do_open_by_handle_at(abi_long mount_fd, abi_long handle, return -TARGET_EFAULT; } - fh = g_memdup(target_fh, total_size); + fh = g_memdup2(target_fh, total_size); fh->handle_bytes = size; fh->handle_type = tswap32(target_fh->handle_type); diff --git a/linux-user/uaccess.c b/linux-user/uaccess.c index 6a5b029607c..49eddbf4a4d 100644 --- a/linux-user/uaccess.c +++ b/linux-user/uaccess.c @@ -15,7 +15,7 @@ void *lock_user(int type, abi_ulong guest_addr, ssize_t len, bool copy) host_addr = g2h_untagged(guest_addr); #ifdef DEBUG_REMAP if (copy) { - host_addr = g_memdup(host_addr, len); + host_addr = g_memdup2(host_addr, len); } else { host_addr = g_malloc0(len); } -- 2.31.1