* [PATCH v3] platform/chrome: sensorhub: bound the EC-reported sensor number
@ 2026-06-18 5:46 Bryam Vargas via B4 Relay
2026-06-29 2:50 ` Tzung-Bi Shih
0 siblings, 1 reply; 2+ messages in thread
From: Bryam Vargas via B4 Relay @ 2026-06-18 5:46 UTC (permalink / raw)
To: Benson Leung, Tzung-Bi Shih
Cc: chrome-platform, Guenter Roeck, Gwendal Grignou, linux-kernel
From: Bryam Vargas <hexlabsecurity@proton.me>
Each EC FIFO event carries an 8-bit sensor number (in->sensor_num).
cros_ec_sensorhub_ring_handler() validates the FIFO event count, the
per-read count and the ring bound, but not the sensor number, which
cros_ec_sensor_ring_process_event() then uses unchecked to index
sensorhub->batch_state[] - allocated with only sensorhub->sensor_num
entries. A sensor number of sensor_num or larger is an out-of-bounds
read and write of batch_state[].
Validate the sensor number in the ring handler, where each event is read
from the EC, and drop a malformed event before it is used.
Fixes: 145d59baff59 ("platform/chrome: cros_ec_sensorhub: Add FIFO support")
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
Reviewed-by: Tzung-Bi Shih <tzungbi@kernel.org>
---
v3 (per Tzung-Bi Shih's review):
- Fixes: -> 145d59baff59 ("Add FIFO support") as requested.
- Added Tzung-Bi's Reviewed-by.
- Trimmed the commit message.
No code change from v2 (single bound in the FIFO read loop).
The out-of-bounds write was reproduced under KASAN with an in-kernel test
driving the batch_state[] indexing, plus a 32/64-bit AddressSanitizer
model of the same geometry; reproducer available on request.
---
drivers/platform/chrome/cros_ec_sensorhub_ring.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/platform/chrome/cros_ec_sensorhub_ring.c b/drivers/platform/chrome/cros_ec_sensorhub_ring.c
index a10579144c34..64e9615ed6f4 100644
--- a/drivers/platform/chrome/cros_ec_sensorhub_ring.c
+++ b/drivers/platform/chrome/cros_ec_sensorhub_ring.c
@@ -890,6 +890,14 @@ static void cros_ec_sensorhub_ring_handler(struct cros_ec_sensorhub *sensorhub)
for (in = sensorhub->resp->fifo_read.data, j = 0;
j < number_data; j++, in++) {
+ /* Skip event if sensor_num from EC is out of bounds. */
+ if (in->sensor_num >= sensorhub->sensor_num) {
+ dev_warn_ratelimited(sensorhub->dev,
+ "Invalid sensor number %u from EC\n",
+ in->sensor_num);
+ continue;
+ }
+
if (cros_ec_sensor_ring_process_event(
sensorhub, fifo_info,
fifo_timestamp,
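Review bot: the dev_warn_ratelimited() added before the continue reports only the offending in->sensor_num; printing sensorhub->sensor_num next to it (the bound the check uses) would let a log reader tell an off-by-one EC from one sending garbage without having to look up the device's sensor count. The placement is right: the bound is applied before the event reaches cros_ec_sensor_ring_process_event(), and `continue` drops only the malformed entry while the remaining number_data - j events in the same fifo_read response are still processed.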
---
base-commit: 8e65320d91cdc3b241d4b94855c88459b91abf66
change-id: 20260618-b4-disp-adb3f790-af128ce95e5c
Best regards,
--
Bryam Vargas <hexlabsecurity@proton.me>
* Re: [PATCH v3] platform/chrome: sensorhub: bound the EC-reported sensor number
2026-06-18 5:46 [PATCH v3] platform/chrome: sensorhub: bound the EC-reported sensor number Bryam Vargas via B4 Relay
@ 2026-06-29 2:50 ` Tzung-Bi Shih
0 siblings, 0 replies; 2+ messages in thread
From: Tzung-Bi Shih @ 2026-06-29 2:50 UTC (permalink / raw)
To: hexlabsecurity
Cc: Benson Leung, chrome-platform, Guenter Roeck, Gwendal Grignou,
linux-kernel
On Thu, Jun 18, 2026 at 12:46:28AM -0500, Bryam Vargas via B4 Relay wrote:
> From: Bryam Vargas <hexlabsecurity@proton.me>
>
> Each EC FIFO event carries an 8-bit sensor number (in->sensor_num).
> cros_ec_sensorhub_ring_handler() validates the FIFO event count, the
> per-read count and the ring bound, but not the sensor number, which
> cros_ec_sensor_ring_process_event() then uses unchecked to index
> sensorhub->batch_state[] - allocated with only sensorhub->sensor_num
> entries. A sensor number of sensor_num or larger is an out-of-bounds
> read and write of batch_state[].
>
> [...]
Applied to
https://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux.git for-next
[1/1] platform/chrome: sensorhub: bound the EC-reported sensor number
commit: 833740a2333c2e4db4e02e3d0ffba04e8718a5f3
Thanks!