From: Thomas Huth <thuth@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Richard Henderson" <richard.henderson@linaro.org>,
"Peter Maydell" <peter.maydell@linaro.org>,
"Philippe Mathieu-Daudé" <philmd@redhat.com>
Subject: [PULL 11/14] tests/unit: Replace g_memdup() by g_memdup2()
Date: Tue, 19 Jul 2022 09:04:09 +0200 [thread overview]
Message-ID: <20220719070412.16757-12-thuth@redhat.com> (raw)
In-Reply-To: <20220719070412.16757-1-thuth@redhat.com>
From: Philippe Mathieu-Daudé <philmd@redhat.com>
Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538
The old API took the size of the memory to duplicate as a guint,
whereas most memory functions take memory sizes as a gsize. This
made it easy to accidentally pass a gsize to g_memdup(). For large
values, that would lead to a silent truncation of the size from 64
to 32 bits, and result in a heap area being returned which is
significantly smaller than what the caller expects. This can likely
be exploited in various modules to cause a heap buffer overflow.
Replace g_memdup() by the safer g_memdup2() wrapper.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210903174510.751630-24-philmd@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
tests/unit/ptimer-test.c | 22 +++++++++++-----------
tests/unit/test-iov.c | 26 +++++++++++++-------------
2 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/tests/unit/ptimer-test.c b/tests/unit/ptimer-test.c
index a80ef5aff4..04b5f4e3d0 100644
--- a/tests/unit/ptimer-test.c
+++ b/tests/unit/ptimer-test.c
@@ -798,64 +798,64 @@ static void add_ptimer_tests(uint8_t policy)
g_test_add_data_func_full(
tmp = g_strdup_printf("/ptimer/set_count policy=%s", policy_name),
- g_memdup(&policy, 1), check_set_count, g_free);
+ g_memdup2(&policy, 1), check_set_count, g_free);
g_free(tmp);
g_test_add_data_func_full(
tmp = g_strdup_printf("/ptimer/set_limit policy=%s", policy_name),
- g_memdup(&policy, 1), check_set_limit, g_free);
+ g_memdup2(&policy, 1), check_set_limit, g_free);
g_free(tmp);
g_test_add_data_func_full(
tmp = g_strdup_printf("/ptimer/oneshot policy=%s", policy_name),
- g_memdup(&policy, 1), check_oneshot, g_free);
+ g_memdup2(&policy, 1), check_oneshot, g_free);
g_free(tmp);
g_test_add_data_func_full(
tmp = g_strdup_printf("/ptimer/periodic policy=%s", policy_name),
- g_memdup(&policy, 1), check_periodic, g_free);
+ g_memdup2(&policy, 1), check_periodic, g_free);
g_free(tmp);
g_test_add_data_func_full(
tmp = g_strdup_printf("/ptimer/on_the_fly_mode_change policy=%s",
policy_name),
- g_memdup(&policy, 1), check_on_the_fly_mode_change, g_free);
+ g_memdup2(&policy, 1), check_on_the_fly_mode_change, g_free);
g_free(tmp);
g_test_add_data_func_full(
tmp = g_strdup_printf("/ptimer/on_the_fly_period_change policy=%s",
policy_name),
- g_memdup(&policy, 1), check_on_the_fly_period_change, g_free);
+ g_memdup2(&policy, 1), check_on_the_fly_period_change, g_free);
g_free(tmp);
g_test_add_data_func_full(
tmp = g_strdup_printf("/ptimer/on_the_fly_freq_change policy=%s",
policy_name),
- g_memdup(&policy, 1), check_on_the_fly_freq_change, g_free);
+ g_memdup2(&policy, 1), check_on_the_fly_freq_change, g_free);
g_free(tmp);
g_test_add_data_func_full(
tmp = g_strdup_printf("/ptimer/run_with_period_0 policy=%s",
policy_name),
- g_memdup(&policy, 1), check_run_with_period_0, g_free);
+ g_memdup2(&policy, 1), check_run_with_period_0, g_free);
g_free(tmp);
g_test_add_data_func_full(
tmp = g_strdup_printf("/ptimer/run_with_delta_0 policy=%s",
policy_name),
- g_memdup(&policy, 1), check_run_with_delta_0, g_free);
+ g_memdup2(&policy, 1), check_run_with_delta_0, g_free);
g_free(tmp);
g_test_add_data_func_full(
tmp = g_strdup_printf("/ptimer/periodic_with_load_0 policy=%s",
policy_name),
- g_memdup(&policy, 1), check_periodic_with_load_0, g_free);
+ g_memdup2(&policy, 1), check_periodic_with_load_0, g_free);
g_free(tmp);
g_test_add_data_func_full(
tmp = g_strdup_printf("/ptimer/oneshot_with_load_0 policy=%s",
policy_name),
- g_memdup(&policy, 1), check_oneshot_with_load_0, g_free);
+ g_memdup2(&policy, 1), check_oneshot_with_load_0, g_free);
g_free(tmp);
}
diff --git a/tests/unit/test-iov.c b/tests/unit/test-iov.c
index 93bda00f0e..6f7623d310 100644
--- a/tests/unit/test-iov.c
+++ b/tests/unit/test-iov.c
@@ -172,7 +172,7 @@ static void test_io(void)
}
iov_from_buf(iov, niov, 0, buf, sz);
- siov = g_memdup(iov, sizeof(*iov) * niov);
+ siov = g_memdup2(iov, sizeof(*iov) * niov);
if (socketpair(PF_UNIX, SOCK_STREAM, 0, sv) < 0) {
perror("socketpair");
@@ -349,7 +349,7 @@ static void test_discard_front_undo(void)
/* Discard zero bytes */
iov_random(&iov, &iov_cnt);
- iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt);
+ iov_orig = g_memdup2(iov, sizeof(iov[0]) * iov_cnt);
iov_tmp = iov;
iov_cnt_tmp = iov_cnt;
iov_discard_front_undoable(&iov_tmp, &iov_cnt_tmp, 0, &undo);
@@ -360,7 +360,7 @@ static void test_discard_front_undo(void)
/* Discard more bytes than vector size */
iov_random(&iov, &iov_cnt);
- iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt);
+ iov_orig = g_memdup2(iov, sizeof(iov[0]) * iov_cnt);
iov_tmp = iov;
iov_cnt_tmp = iov_cnt;
size = iov_size(iov, iov_cnt);
@@ -372,7 +372,7 @@ static void test_discard_front_undo(void)
/* Discard entire vector */
iov_random(&iov, &iov_cnt);
- iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt);
+ iov_orig = g_memdup2(iov, sizeof(iov[0]) * iov_cnt);
iov_tmp = iov;
iov_cnt_tmp = iov_cnt;
size = iov_size(iov, iov_cnt);
@@ -384,7 +384,7 @@ static void test_discard_front_undo(void)
/* Discard within first element */
iov_random(&iov, &iov_cnt);
- iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt);
+ iov_orig = g_memdup2(iov, sizeof(iov[0]) * iov_cnt);
iov_tmp = iov;
iov_cnt_tmp = iov_cnt;
size = g_test_rand_int_range(1, iov->iov_len);
@@ -396,7 +396,7 @@ static void test_discard_front_undo(void)
/* Discard entire first element */
iov_random(&iov, &iov_cnt);
- iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt);
+ iov_orig = g_memdup2(iov, sizeof(iov[0]) * iov_cnt);
iov_tmp = iov;
iov_cnt_tmp = iov_cnt;
iov_discard_front_undoable(&iov_tmp, &iov_cnt_tmp, iov->iov_len, &undo);
@@ -407,7 +407,7 @@ static void test_discard_front_undo(void)
/* Discard within second element */
iov_random(&iov, &iov_cnt);
- iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt);
+ iov_orig = g_memdup2(iov, sizeof(iov[0]) * iov_cnt);
iov_tmp = iov;
iov_cnt_tmp = iov_cnt;
size = iov->iov_len + g_test_rand_int_range(1, iov[1].iov_len);
@@ -498,7 +498,7 @@ static void test_discard_back_undo(void)
/* Discard zero bytes */
iov_random(&iov, &iov_cnt);
- iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt);
+ iov_orig = g_memdup2(iov, sizeof(iov[0]) * iov_cnt);
iov_cnt_tmp = iov_cnt;
iov_discard_back_undoable(iov, &iov_cnt_tmp, 0, &undo);
iov_discard_undo(&undo);
@@ -508,7 +508,7 @@ static void test_discard_back_undo(void)
/* Discard more bytes than vector size */
iov_random(&iov, &iov_cnt);
- iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt);
+ iov_orig = g_memdup2(iov, sizeof(iov[0]) * iov_cnt);
iov_cnt_tmp = iov_cnt;
size = iov_size(iov, iov_cnt);
iov_discard_back_undoable(iov, &iov_cnt_tmp, size + 1, &undo);
@@ -519,7 +519,7 @@ static void test_discard_back_undo(void)
/* Discard entire vector */
iov_random(&iov, &iov_cnt);
- iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt);
+ iov_orig = g_memdup2(iov, sizeof(iov[0]) * iov_cnt);
iov_cnt_tmp = iov_cnt;
size = iov_size(iov, iov_cnt);
iov_discard_back_undoable(iov, &iov_cnt_tmp, size, &undo);
@@ -530,7 +530,7 @@ static void test_discard_back_undo(void)
/* Discard within last element */
iov_random(&iov, &iov_cnt);
- iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt);
+ iov_orig = g_memdup2(iov, sizeof(iov[0]) * iov_cnt);
iov_cnt_tmp = iov_cnt;
size = g_test_rand_int_range(1, iov[iov_cnt - 1].iov_len);
iov_discard_back_undoable(iov, &iov_cnt_tmp, size, &undo);
@@ -541,7 +541,7 @@ static void test_discard_back_undo(void)
/* Discard entire last element */
iov_random(&iov, &iov_cnt);
- iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt);
+ iov_orig = g_memdup2(iov, sizeof(iov[0]) * iov_cnt);
iov_cnt_tmp = iov_cnt;
size = iov[iov_cnt - 1].iov_len;
iov_discard_back_undoable(iov, &iov_cnt_tmp, size, &undo);
@@ -552,7 +552,7 @@ static void test_discard_back_undo(void)
/* Discard within second-to-last element */
iov_random(&iov, &iov_cnt);
- iov_orig = g_memdup(iov, sizeof(iov[0]) * iov_cnt);
+ iov_orig = g_memdup2(iov, sizeof(iov[0]) * iov_cnt);
iov_cnt_tmp = iov_cnt;
size = iov[iov_cnt - 1].iov_len +
g_test_rand_int_range(1, iov[iov_cnt - 2].iov_len);
--
2.31.1
next prev parent reply other threads:[~2022-07-19 7:06 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-19 7:03 [PULL 00/14] Testing and misc patches Thomas Huth
2022-07-19 7:03 ` [PULL 01/14] qga: treat get-guest-fsinfo as "best effort" Thomas Huth
2022-07-19 7:04 ` [PULL 02/14] tests/vm: use 'cp' instead of 'ln' for temporary vm images Thomas Huth
2022-07-19 7:04 ` [PULL 03/14] tests/vm: switch CentOS 8 to CentOS 8 Stream Thomas Huth
2022-07-19 7:04 ` [PULL 04/14] tests/vm: switch centos.aarch64 " Thomas Huth
2022-07-19 7:04 ` [PULL 05/14] tests/vm: upgrade Ubuntu 18.04 VM to 20.04 Thomas Huth
2022-07-19 7:04 ` [PULL 06/14] tests/vm: remove ubuntu.i386 VM test Thomas Huth
2022-07-19 7:04 ` [PULL 07/14] tests/vm: remove duplicate 'centos' " Thomas Huth
2022-07-19 7:04 ` [PULL 08/14] tests/vm: add 1GB extra memory per core Thomas Huth
2022-07-19 7:04 ` [PULL 09/14] tests/vm: Remove docker cross-compile test from CentOS VM Thomas Huth
2022-07-19 7:04 ` [PULL 10/14] qtest/machine-none: Add LoongArch support Thomas Huth
2022-07-19 7:04 ` Thomas Huth [this message]
2022-07-19 7:04 ` [PULL 12/14] Replace 'whitelist' with 'allow' Thomas Huth
2022-07-19 7:04 ` [PULL 13/14] util: Fix broken build on Haiku Thomas Huth
2022-07-19 7:04 ` [PULL 14/14] python/qemu/qmp/legacy: Replace 'returns-whitelist' with the correct type Thomas Huth
2022-07-19 16:14 ` [PULL 00/14] Testing and misc patches Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220719070412.16757-12-thuth@redhat.com \
--to=thuth@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=philmd@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=richard.henderson@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.