From: Tzung-Bi Shih <tzungbi@kernel.org>
To: hexlabsecurity@proton.me
Cc: Benson Leung <bleung@chromium.org>,
Gwendal Grignou <gwendal@chromium.org>,
chrome-platform@lists.linux.dev,
Guenter Roeck <groeck@chromium.org>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] platform/chrome: sensorhub: bound the EC-reported sensor number
Date: Tue, 16 Jun 2026 09:42:53 +0000 [thread overview]
Message-ID: <ajEanbRM75GASMmj@google.com> (raw)
In-Reply-To: <20260615-b4-disp-42d17651-v1-1-fe599bb972f4@proton.me>
On Mon, Jun 15, 2026 at 11:46:34PM -0500, Bryam Vargas via B4 Relay wrote:
> cros_ec_sensorhub_ring_handler() validates the FIFO event count and the
> ring bound, but not the per-event sensor number, so a value of
> sensor_num or larger results in an out-of-bounds read and write of the
> batch_state array - directly here and, via
> cros_ec_sensor_ring_check_for_past_timestamp(), as an out-of-bounds read
> that is fed back into the event timestamp.
Good catch. The validation for `in->sensor_num` should ideally be done
earlier in cros_ec_sensorhub_ring_handler()[1], which is where the data is
read from the EC. This catches the invalid sensor number at the source.
[1] https://elixir.bootlin.com/linux/v7.1/source/drivers/platform/chrome/cros_ec_sensorhub_ring.c#L892
> The push path cros_sensorhub_send_sample() already rejects a sensor
> number that is not smaller than sensor_num; apply the same check in the
> ring processing path and drop the malformed event.
If the check is added to cros_ec_sensorhub_ring_handler(), the existing
check in cros_sensorhub_send_sample() becomes redundant, as the sensor
number has already been validated.
>
> Fixes: 93fe48a58590 ("platform/chrome: cros_ec_sensorhub: Add median filter")
The out-of-bounds issue seems more fundamentally related to 145d59baff59
("platform/chrome: cros_ec_sensorhub: Add FIFO support").
> @@ -436,6 +436,20 @@ cros_ec_sensor_ring_process_event(struct cros_ec_sensorhub *sensorhub,
> const s64 now = cros_ec_get_time_ns();
> int axis, async_flags;
>
> + /*
> + * The sensor number is reported by the EC and is used unchecked below
> + * to index sensorhub->batch_state[], which is only sensor_num entries
> + * long. Reject an out-of-range value, as cros_sensorhub_send_sample()
> + * already does, so a malformed FIFO event cannot drive an out-of-bounds
> + * access.
> + */
It's a bit verbose. Something more concise like "Skip event if sensor_num
from EC is out of bounds." would be sufficient.
> + if (in->sensor_num >= sensorhub->sensor_num) {
> + dev_warn_ratelimited(sensorhub->dev,
> + "Invalid sensor number %u from EC\n",
> + in->sensor_num);
> + return false;
> + }
As mentioned, this check would be better placed in
cros_ec_sensorhub_ring_handler().
prev parent reply other threads:[~2026-06-16 9:42 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-16 4:46 [PATCH] platform/chrome: sensorhub: bound the EC-reported sensor number Bryam Vargas via B4 Relay
2026-06-16 4:46 ` Bryam Vargas
2026-06-16 9:42 ` Tzung-Bi Shih [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ajEanbRM75GASMmj@google.com \
--to=tzungbi@kernel.org \
--cc=bleung@chromium.org \
--cc=chrome-platform@lists.linux.dev \
--cc=groeck@chromium.org \
--cc=gwendal@chromium.org \
--cc=hexlabsecurity@proton.me \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.