On Fri, Sep 03, 2021 at 07:44:45PM +0200, Philippe Mathieu-Daudé wrote: > Per > https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 > > The old API took the size of the memory to duplicate as a guint, > whereas most memory functions take memory sizes as a gsize. This > made it easy to accidentally pass a gsize to g_memdup(). For large > values, that would lead to a silent truncation of the size from 64 > to 32 bits, and result in a heap area being returned which is > significantly smaller than what the caller expects. This can likely > be exploited in various modules to cause a heap buffer overflow. > > Replace g_memdup() by the safer g_memdup2() wrapper. > > Signed-off-by: Philippe Mathieu-Daudé <phi...@redhat.com> > --- > qapi/qapi-clone-visitor.c | 16 ++++++++-------- > qapi/qapi-visit-core.c | 6 ++++-- > 2 files changed, 12 insertions(+), 10 deletions(-)
Reviewed-by: Eric Blake <ebl...@redhat.com> > > diff --git a/qapi/qapi-clone-visitor.c b/qapi/qapi-clone-visitor.c > index c45c5caa3b8..b014119d368 100644 > --- a/qapi/qapi-clone-visitor.c > +++ b/qapi/qapi-clone-visitor.c > @@ -37,7 +37,7 @@ static bool qapi_clone_start_struct(Visitor *v, const char > *name, void **obj, > return true; > } > > - *obj = g_memdup(*obj, size); > + *obj = g_memdup2(*obj, size); I did not audit whether any callers were previously vulnerable, although I suspect most (if not all) callers were from the generated QAPI code passing in the results of sizeof, and none of our QAPI types are 4G large to cause overflow. -- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3266 Virtualization: qemu.org | libvirt.org