From: Tzung-Bi Shih <tzungbi@kernel.org>
To: hexlabsecurity@proton.me
Cc: Benson Leung <bleung@chromium.org>,
	chrome-platform@lists.linux.dev, linux-kernel@vger.kernel.org,
	Guenter Roeck <groeck@chromium.org>,
	Gwendal Grignou <gwendal@chromium.org>
Subject: Re: [PATCH v2] platform/chrome: sensorhub: bound the EC-reported sensor number
Date: Thu, 18 Jun 2026 04:35:34 +0000
Message-ID: <ajN1liwdJz30CNzz@google.com>
In-Reply-To: <20260617-b4-disp-4e176cdc-v2-1-160f9ffa463e@proton.me>

On Wed, Jun 17, 2026 at 12:42:27AM -0500, Bryam Vargas via B4 Relay wrote:
> From: Bryam Vargas <hexlabsecurity@proton.me>
> 
> Each EC FIFO event carries a sensor number (in->sensor_num, an 8-bit
> value). cros_ec_sensorhub_ring_handler() validates the FIFO event count,
> the per-read count and the ring bound, but not the per-event sensor
> number. cros_ec_sensor_ring_process_event() then uses it unchecked to
> index sensorhub->batch_state[], which is allocated with only
> sensorhub->sensor_num entries, so a sensor number of sensor_num or larger
> is an out-of-bounds read and write of batch_state[] - in the ODR and
> FLUSH paths and, via cros_ec_sensor_ring_check_for_past_timestamp(), as
> an out-of-bounds read that is fed back into the event timestamp.
> 
> Validate the sensor number in the ring handler, where each event is read
> from the EC, and drop a malformed event before it is used. This is the
> bound cros_sensorhub_send_sample() already applies on the push path,
> hoisted to the point where the EC data enters the kernel so it also
> covers the batch_state[] indexing in cros_ec_sensor_ring_process_event()
> and sensor_mask |= BIT(in->sensor_num) in the handler.
> 
> Fixes: 93fe48a58590 ("platform/chrome: cros_ec_sensorhub: Add median filter")
> Cc: stable@vger.kernel.org
> Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>

I'd trim the commit message and use:
Fixes: 145d59baff59 ("platform/chrome: cros_ec_sensorhub: Add FIFO support")

For my reference,
Reviewed-by: Tzung-Bi Shih <tzungbi@kernel.org>
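As an added illustration (not the patch's code or the kernel's), a hypothetical C model of the ring handler with the bound the commit message describes, run over a constructed FIFO batch in which two events carry sensor numbers at and beyond sensor_num:

```c
#include <stdint.h>
/* Simplified model of the sensorhub ring path (hypothetical; not the kernel's
 * code). Only the fields the commit message names are modelled. */
struct ec_fifo_event { uint8_t sensor_num; int64_t timestamp; }; /* 8-bit sensor number from the EC */
struct batch_state { int64_t last_ts; unsigned count; };
struct sensorhub {
	unsigned sensor_num;		/* sensors present: size of batch_state[] */
	struct batch_state *batch_state;
	uint32_t sensor_mask;
};
uint32_t example_mask;	/* sensor_mask produced by run_example() */

/* Models cros_ec_sensor_ring_process_event(): indexes batch_state[] by the
 * event's sensor number, so it is only safe once that number is bounded. */
static void process_event(struct sensorhub *sh, const struct ec_fifo_event *ev)
{
	struct batch_state *bs = &sh->batch_state[ev->sensor_num];
	bs->last_ts = ev->timestamp;
	bs->count++;
}

/* Hardened ring handler: an event whose sensor number is not below sensor_num
 * is dropped before it reaches sensor_mask or batch_state[]. Returns accepted count. */
unsigned ring_handler(struct sensorhub *sh, const struct ec_fifo_event *ev, unsigned n)
{
	unsigned accepted = 0;
	for (unsigned i = 0; i < n; i++) {
		if (ev[i].sensor_num >= sh->sensor_num)
			continue;	/* malformed EC event: never used as an index */
		sh->sensor_mask |= 1u << ev[i].sensor_num;
		process_event(sh, &ev[i]);
		accepted++;
	}
	return accepted;
}

/* Constructed FIFO batch for a hub with three sensors: two valid events, one
 * exactly at sensor_num and one at the 8-bit maximum. Returns the number accepted. */
unsigned run_example(void)
{
	struct batch_state bs[3] = { { 0, 0 }, { 0, 0 }, { 0, 0 } };
	struct sensorhub sh = { .sensor_num = 3, .batch_state = bs, .sensor_mask = 0 };
	const struct ec_fifo_event fifo[] = {
		{ 0, 100 }, { 2, 110 },
		{ 3, 120 },	/* == sensor_num: one past the end of batch_state[] */
		{ 255, 130 },	/* largest 8-bit value: far past the end */
	};
	unsigned accepted = ring_handler(&sh, fifo, 4);
	example_mask = sh.sensor_mask;
	return accepted;
}
```

Without the check, the third and fourth events would index batch_state[] out of bounds and shift sensor_mask by an out-of-range amount; with it, only sensors 0 and 2 are recorded.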
