From: Cristian Marussi <cristian.marussi@arm.com>
To: Sudeep Holla <sudeep.holla@kernel.org>
Cc: Cristian Marussi <cristian.marussi@arm.com>,
arm-scmi@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH 3/4] firmware: arm_scmi: Validate SENSOR_UPDATE payload size
Date: Tue, 19 May 2026 10:40:24 +0100
Message-ID: <agwwCJ5_cL-Ip-xm@pluto>
In-Reply-To: <20260517-scmi_fixes-v1-3-d86daec4defd@kernel.org>

On Sun, May 17, 2026 at 08:02:42PM +0100, Sudeep Holla wrote:
> SENSOR_UPDATE carries one or more sensor readings after the fixed
> notification header. The parser derives the expected reading count
> from the sensor description, but it did not verify that the received
> payload contains those entries before parsing them.
>
> Reject truncated update notifications before reading the variable
> array.
>
> Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
> ---
> drivers/firmware/arm_scmi/sensors.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/firmware/arm_scmi/sensors.c b/drivers/firmware/arm_scmi/sensors.c
> index 836c294a9f42..b14bb1146356 100644
> --- a/drivers/firmware/arm_scmi/sensors.c
> +++ b/drivers/firmware/arm_scmi/sensors.c
> @@ -1072,12 +1072,15 @@ scmi_sensor_fill_custom_report(const struct scmi_protocol_handle *ph,
> case SCMI_EVENT_SENSOR_UPDATE:
> {
> int i;
> + size_t expected_sz;
> struct scmi_sensor_info *s;
> const struct scmi_sensor_update_notify_payld *p = payld;
> struct scmi_sensor_update_report *r = report;
> struct sensors_info *sinfo = ph->get_priv(ph);
>
> - /* payld_sz is variable for this event */
> + if (payld_sz < sizeof(*p))
> + break;
> +
> r->sensor_id = le32_to_cpu(p->sensor_id);
> if (r->sensor_id >= sinfo->num_sensors)
> break;
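
Review bot: the new "if (payld_sz < sizeof(*p)) break;" at the top of the SENSOR_UPDATE case replaces the only comment stating that payld_sz is variable for this event, so the reason for a minimum-size test rather than an equality test is no longer documented. Consider keeping a one-line comment above the check, saying that payld_sz is variable here and that the fixed header must be present before p->sensor_id is read. Since this path now breaks before r->sensor_id is assigned, it is also worth confirming that a break in this case cannot hand a partially filled report back to the caller.
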
> @@ -1091,6 +1094,11 @@ scmi_sensor_fill_custom_report(const struct scmi_protocol_handle *ph,
> * readings defined for this sensor or 1 for scalar sensors.
> */
> r->readings_count = s->num_axis ?: 1;
> + expected_sz = sizeof(*p) + r->readings_count *
> + sizeof(p->readings[0]);
> + if (payld_sz < expected_sz)
> + break;
> +
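
Review bot: the expected_sz assignment open-codes the header-plus-array size as sizeof(*p) + r->readings_count * sizeof(p->readings[0]); if readings is a flexible array member of the payload struct, struct_size(p, readings, r->readings_count) from <linux/overflow.h> expresses the same bound and saturates instead of wrapping if the multiplication overflows. The test is payld_sz < expected_sz, so payloads longer than expected are still accepted; a short comment saying that trailing bytes are tolerated on purpose would make that intent explicit.
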
LGTM.

Reviewed-by: Cristian Marussi <cristian.marussi@arm.com>

Thanks,
Cristian