From patchwork Wed May 8 17:44:47 2024
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, Philippe Mathieu-Daudé
Subject: [PULL 03/26] hw/hppa/machine: Replace g_memdup() by g_memdup2()
Date: Wed, 8 May 2024 19:44:47 +0200
Message-ID: <20240508174510.60470-4-philmd@linaro.org>
In-Reply-To: <20240508174510.60470-1-philmd@linaro.org>
References: <20240508174510.60470-1-philmd@linaro.org>

From: Philippe Mathieu-Daudé

Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

  The old API took the size of the memory to duplicate as a guint,
  whereas most memory functions take memory sizes as a gsize. This
  made it easy to accidentally pass a gsize to g_memdup(). For large
  values, that would lead to a silent truncation of the size from 64
  to 32 bits, and result in a heap area being returned which is
  significantly smaller than what the caller expects. This can likely
  be exploited in various modules to cause a heap buffer overflow.

Replace g_memdup() by the safer g_memdup2() wrapper.

Trivially safe because the argument was directly from sizeof.

Signed-off-by: Philippe Mathieu-Daudé
Message-Id: <20210903174510.751630-12-philmd@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé --- hw/hppa/machine.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/hw/hppa/machine.c b/hw/hppa/machine.c index 37ee6387e0..5d0a8739de 100644 --- a/hw/hppa/machine.c +++ b/hw/hppa/machine.c @@ -207,37 +207,37 @@ static FWCfgState *create_fw_cfg(MachineState *ms, PCIBus *pci_bus, val = cpu_to_le64(MIN_SEABIOS_HPPA_VERSION); fw_cfg_add_file(fw_cfg, "/etc/firmware-min-version", - g_memdup(&val, sizeof(val)), sizeof(val)); + g_memdup2(&val, sizeof(val)), sizeof(val)); val = cpu_to_le64(HPPA_TLB_ENTRIES - btlb_entries); fw_cfg_add_file(fw_cfg, "/etc/cpu/tlb_entries", - g_memdup(&val, sizeof(val)), sizeof(val)); + g_memdup2(&val, sizeof(val)), sizeof(val)); val = cpu_to_le64(btlb_entries); fw_cfg_add_file(fw_cfg, "/etc/cpu/btlb_entries", - g_memdup(&val, sizeof(val)), sizeof(val)); + g_memdup2(&val, sizeof(val)), sizeof(val)); len = strlen(mc->name) + 1; fw_cfg_add_file(fw_cfg, "/etc/hppa/machine", - g_memdup(mc->name, len), len); + g_memdup2(mc->name, len), len); val = cpu_to_le64(soft_power_reg); fw_cfg_add_file(fw_cfg, "/etc/hppa/power-button-addr", - g_memdup(&val, sizeof(val)), sizeof(val)); + g_memdup2(&val, sizeof(val)), sizeof(val)); val = cpu_to_le64(CPU_HPA + 16); fw_cfg_add_file(fw_cfg, "/etc/hppa/rtc-addr", - g_memdup(&val, sizeof(val)), sizeof(val)); + g_memdup2(&val, sizeof(val)), sizeof(val)); val = cpu_to_le64(CPU_HPA + 24); fw_cfg_add_file(fw_cfg, "/etc/hppa/DebugOutputPort", - g_memdup(&val, sizeof(val)), sizeof(val)); + g_memdup2(&val, sizeof(val)), sizeof(val)); fw_cfg_add_i16(fw_cfg, FW_CFG_BOOT_DEVICE, ms->boot_config.order[0]); qemu_register_boot_set(fw_cfg_boot_set, fw_cfg); fw_cfg_add_file(fw_cfg, "/etc/qemu-version", - g_memdup(qemu_version, sizeof(qemu_version)), + g_memdup2(qemu_version, sizeof(qemu_version)), sizeof(qemu_version)); fw_cfg_add_extra_pci_roots(pci_bus, fw_cfg);
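Review bot: the commit message justifies the change with "the argument was directly from sizeof", but the "/etc/hppa/machine" call in this hunk passes `len`, computed as `len = strlen(mc->name) + 1;`, not a sizeof expression. The replacement is still a pure rename with the size expression unchanged, and a machine-class name length cannot come anywhere near the 32-bit truncation threshold the message describes, so the code is fine; the message should say that one call site uses a strlen-derived length rather than claiming every argument comes from sizeof.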
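To make the guint-versus-gsize point of the commit message concrete, here is an added, self-contained C example (not QEMU or GLib code). `legacy_memdup` and `memdup2_like` are stand-ins that copy only the parameter types of g_memdup() (unsigned int, like guint) and g_memdup2() (size_t, like gsize); `legacy_effective_size` shows what the old signature receives when a caller passes a size_t, and `dup_cstring` mirrors the `len = strlen(name) + 1` pattern of the "/etc/hppa/machine" call in the hunk. The oversized length used in `main` is a constructed value, and nothing of that size is ever allocated.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Old-style duplicator: the size parameter is unsigned int, the same
 * width as GLib's guint. (Stand-in for g_memdup(), not GLib's code.) */
static void *legacy_memdup(const void *mem, unsigned int byte_size)
{
    void *copy;

    if (mem == NULL || byte_size == 0) {
        return NULL;
    }
    copy = malloc(byte_size);
    if (copy != NULL) {
        memcpy(copy, mem, byte_size);
    }
    return copy;
}

/* New-style duplicator: the size parameter is size_t, matching gsize.
 * (Stand-in for g_memdup2(), not GLib's code.) */
static void *memdup2_like(const void *mem, size_t byte_size)
{
    void *copy;

    if (mem == NULL || byte_size == 0) {
        return NULL;
    }
    copy = malloc(byte_size);
    if (copy != NULL) {
        memcpy(copy, mem, byte_size);
    }
    return copy;
}

/* Number of bytes the legacy API would actually receive when a caller
 * hands it a size_t: the argument is implicitly converted to unsigned
 * int, which keeps only its low bits. Nothing is allocated here. */
static size_t legacy_effective_size(size_t requested)
{
    unsigned int narrowed = (unsigned int)requested; /* the callee's view */
    return narrowed;
}

/* Call-site check: does this size survive the guint conversion unchanged? */
static bool size_fits_guint(size_t n)
{
    return n <= UINT_MAX;
}

/* Duplicate a NUL-terminated string the way the patched
 * "/etc/hppa/machine" call does: len = strlen(name) + 1, copy len bytes,
 * and hand len back to the caller (fw_cfg_add_file needs it too). */
static char *dup_cstring(const char *name, size_t *len_out)
{
    size_t len = strlen(name) + 1;

    *len_out = len;
    return memdup2_like(name, len);
}

/* Helper for checking dup_cstring: copy matches and the length is right. */
static bool dup_cstring_matches(const char *name, size_t expected_len)
{
    size_t len;
    char *copy = dup_cstring(name, &len);
    bool ok = copy != NULL && len == expected_len && strcmp(copy, name) == 0;

    free(copy);
    return ok;
}

/* Round-trip an 8-byte value through both APIs, as the sizeof(val) calls
 * in the hunk do. Both are safe here because sizeof(val) is tiny. */
static bool dup_u64_roundtrip(uint64_t val)
{
    uint64_t *a = legacy_memdup(&val, sizeof(val));
    uint64_t *b = memdup2_like(&val, sizeof(val));
    bool ok = a != NULL && b != NULL && *a == val && *b == val;

    free(a);
    free(b);
    return ok;
}

int main(void)
{
    /* Constructed: one more than guint can hold, plus 16 bytes. */
    size_t big = (size_t)UINT_MAX + 1 + 16;
    size_t len;
    char *name = dup_cstring("hppa", &len);

    printf("size_fits_guint(%zu) = %d\n", big, size_fits_guint(big));
    printf("legacy API would copy %zu bytes\n", legacy_effective_size(big));
    printf("dup_cstring -> \"%s\", len=%zu\n", name, len);
    printf("u64 round trip ok = %d\n", dup_u64_roundtrip(0x1122334455667788ULL));
    free(name);
    return 0;
}
```

On an LP64 build the legacy signature turns a 0x100000010-byte request into a 16-byte copy with no diagnostic unless -Wconversion is enabled, which is why moving call sites to a size_t parameter (and, where a size is computed rather than taken from sizeof, checking it with something like `size_fits_guint` before calling any remaining guint API) is the defensive fix.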