From: Jenny Guanni Qu
To: qemu-devel@nongnu.org
Cc: thuth@redhat.com, berrange@redhat.com, Jenny Guanni Qu
Subject: [PATCH] hw/audio/sb16: validate VMState fields in post_load
Date: Wed, 18 Mar 2026 19:29:18 +0000
Message-Id: <20260318192918.65481-1-qguanni@gmail.com>

The SB16 VMState loads in_index and out_data_len as raw INT32 values with
no bounds validation. A crafted migration stream or VM snapshot can set
these to values exceeding their respective buffer sizes (in2_data[10] and
out_data[50]), causing a heap OOB write in dsp_write() and a heap OOB read
in dsp_read().

Add bounds checks in sb16_post_load() to reject invalid values before they
can be used as array indices.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3326 Reported-by: Jenny Guanni Qu Signed-off-by: Jenny Guanni Qu --- hw/audio/sb16.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hw/audio/sb16.c b/hw/audio/sb16.c index 1b5e452a29..1838d3ef7b 100644 --- a/hw/audio/sb16.c +++ b/hw/audio/sb16.c @@ -1286,6 +1286,13 @@ static int sb16_post_load (void *opaque, int version= _id) { SB16State *s =3D opaque; =20 + + if (s->in_index < 0 || s->in_index > (int)sizeof(s->in2_data)) { + return -1; + } + if (s->out_data_len < 0 || s->out_data_len > (int)sizeof(s->out_data))= { + return -1; + } if (s->voice) { audio_be_close_out(s->audio_be, s->voice); s->voice =3D NULL; --=20 2.34.1
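Review bot: the first added line of the hunk is an empty `+` line placed directly after the blank line that already follows the `SB16State *s` declaration, which leaves two consecutive blank lines; drop it so the new checks take the place of the old blank line. The comparisons use `>` rather than `>=`, so `in_index == sizeof(in2_data)` and `out_data_len == sizeof(out_data)` are still accepted; that is only correct if dsp_write() and dsp_read() treat the equal-to-size value as a valid "buffer full" state, and nothing in this hunk shows that, so state it in the commit message or in a comment above the checks. Consider `ARRAY_SIZE()` in place of `sizeof()`: sizeof counts bytes, which equals the element count only while in2_data and out_data remain single-byte arrays, and ARRAY_SIZE() states the intent (the `(int)` cast stays, since both fields are signed). Finally, a rejected load returns a bare -1 with no diagnostic; an error_report() naming the field and the offending value would make a refused snapshot far easier to debug.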
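As an added example (not QEMU's code and not part of this patch), a self-contained model of the checks the patch adds to sb16_post_load(), placed beside the consumer-side indexing they protect; the buffer sizes come from the commit message, while the way the two consumer functions index the buffers is an assumption of the model.

```c
/* Added example, not QEMU's code: a model of the bounds checks this patch
 * adds to sb16_post_load(), beside the consumer-side indexing they protect.
 * Buffer sizes follow the commit message (in2_data[10], out_data[50]); how
 * the two consumer functions index them is an assumption of this model. */
#include <stdint.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

typedef struct {
    int32_t in_index;      /* migrated as INT32, later used as a write index */
    int32_t out_data_len;  /* migrated as INT32, later used as a read index */
    uint8_t in2_data[10];
    uint8_t out_data[50];
} ModelState;

/* Same bounds as the patch: 0..size inclusive is valid for both fields.
 * Returns 0 to accept the loaded state, -1 to make the load fail. */
static int model_post_load(const ModelState *s)
{
    if (s->in_index < 0 || s->in_index > (int)ARRAY_SIZE(s->in2_data)) {
        return -1;
    }
    if (s->out_data_len < 0 || s->out_data_len > (int)ARRAY_SIZE(s->out_data)) {
        return -1;
    }
    return 0;
}

/* Consumer write: in_index == size means "buffer full" and stores nothing,
 * so size is the largest value post_load may let through. Returns 1 if stored. */
static int model_dsp_write(ModelState *s, uint8_t val)
{
    if (s->in_index >= (int)ARRAY_SIZE(s->in2_data)) {
        return 0;
    }
    s->in2_data[s->in_index++] = val;
    return 1;
}

/* Consumer read: pops out_data[--out_data_len], so out_data_len == size reads
 * the last element and size + 1 would read past the end. -1 when empty. */
static int model_dsp_read(ModelState *s)
{
    if (s->out_data_len <= 0) {
        return -1;
    }
    return s->out_data[--s->out_data_len];
}
```

The boundary values worth checking are the ones the patch's `>` comparison decides: size is accepted by both checks and is exactly the last value each consumer handles without stepping outside its array.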