Re: [PATCH v2] iio: accel: fxls8962af: clamp the device-reported FIFO sample count

From: Andy Shevchenko

Date: Tue Jun 16 2026 - 04:44:02 EST


On Mon, Jun 15, 2026 at 03:57:38PM -0500, Bryam Vargas via B4 Relay wrote:

> fxls8962af_fifo_flush() copies the number of samples the device reports
> in its hardware FIFO into an on-stack buffer
>
> u16 buffer[FXLS8962AF_FIFO_LENGTH * 3];
>
> which is sized for at most FXLS8962AF_FIFO_LENGTH (32) samples. The count
> is read from the BUF_STATUS register and masked with a 6-bit field:
>
> count = reg & FXLS8962AF_BUF_STATUS_BUF_CNT;
>
> where FXLS8962AF_BUF_STATUS_BUF_CNT is GENMASK(5, 0), so count can be
> 0..63 - nearly double the 32-deep FIFO the buffer is sized for. The only
> check applied to it is the zero test; unlike the bmc150 flush there is no
> caller-supplied bound at all. count samples are then transferred into
> buffer[]:
>
> fxls8962af_fifo_transfer(data, buffer, count);
>
> fxls8962af_fifo_transfer() reads count * 3 * sizeof(u16) = count * 6
> bytes through regmap, so a malfunctioning, malicious or counterfeit
> accelerometer (or an attacker tampering with the I2C/SPI bus) that
> reports a count of 33..63 writes up to 63 * 6 = 378 bytes into the
> 192-byte buffer: a stack out-of-bounds write of up to 186 bytes that
> clobbers the stack canary, saved registers and the return address.
>
> Clamp count to FXLS8962AF_FIFO_LENGTH, the number of samples buffer[] is
> sized for, before the transfer, mirroring the watermark clamp already
> done in fxls8962af_set_watermark(). A well-formed flush reports at most
> FXLS8962AF_FIFO_LENGTH samples, so legitimate devices are unaffected.
>
> This hardens the flush against a malformed device-reported count; it is
> not reachable with conforming hardware (it requires a malicious or
> defective device, or bus tampering), so it is not marked for stable. The
> unbounded count has been present since hardware-FIFO support was added in
> commit 79e3a5bdd9ef ("iio: accel: fxls8962af: add hw buffered sampling").

The commit message is most likely AI-assisted. Please try to make it three
times smaller in each of the patches. Most of the content should go or be moved
to the comment block (beneath the '---' line).

--
With Best Regards,
Andy Shevchenko
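The count arithmetic from the quoted commit message and the clamp it proposes, modelled in userspace C as an added example (not the driver's code or the patch itself): the `simulated_flush()` helper, its bounds check and the constructed FIFO image are hypothetical; only the constants and the 3 x u16 sample layout come from the message.

```c
#include <stdint.h>
#include <string.h>

/* Kernel macro, redefined so the example builds in userspace. */
#define GENMASK(h, l) (((1UL << ((h) - (l) + 1)) - 1) << (l))

/* Constants as given in the commit message. */
#define FXLS8962AF_FIFO_LENGTH        32
#define FXLS8962AF_BUF_STATUS_BUF_CNT GENMASK(5, 0)
#define SAMPLE_WORDS                  3   /* x, y, z, one u16 each */

/* Raw 6-bit count exactly as the device reports it: 0..63, untrusted. */
static unsigned int raw_sample_count(uint8_t buf_status)
{
	return buf_status & FXLS8962AF_BUF_STATUS_BUF_CNT;
}

/* The patch's fix: never trust more samples than buffer[] can hold. */
static unsigned int clamped_sample_count(uint8_t buf_status)
{
	unsigned int count = raw_sample_count(buf_status);
	return count > FXLS8962AF_FIFO_LENGTH ? FXLS8962AF_FIFO_LENGTH : count;
}

/* Bytes a transfer of `count` samples writes: count * 3 * sizeof(u16). */
static size_t transfer_bytes(unsigned int count)
{
	return (size_t)count * SAMPLE_WORDS * sizeof(uint16_t);
}

/*
 * Simulated flush (hypothetical, not the driver's function): copies samples
 * from a constructed FIFO image into the same 32-sample on-stack buffer the
 * driver uses. Returns samples copied, or -1 when the count would overflow
 * buffer[]. The driver has no such check; it is here only so the unclamped
 * path reports the overflow instead of corrupting the stack.
 */
static int simulated_flush(uint8_t buf_status, const uint16_t *dev_fifo,
			   size_t dev_words, int clamp)
{
	uint16_t buffer[FXLS8962AF_FIFO_LENGTH * SAMPLE_WORDS]; /* 192 bytes */
	unsigned int count = clamp ? clamped_sample_count(buf_status)
				   : raw_sample_count(buf_status);
	size_t words = (size_t)count * SAMPLE_WORDS;

	if (words > sizeof(buffer) / sizeof(buffer[0]) || words > dev_words)
		return -1;
	memcpy(buffer, dev_fifo, words * sizeof(buffer[0]));
	return (int)count;
}
```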