Re: [PATCH v3] iio: imu: inv_icm45600: clamp the device-reported FIFO sample count
From: Andy Shevchenko
Date: Wed Jun 17 2026 - 06:22:49 EST
On Tue, Jun 16, 2026 at 08:57:28PM -0500, Bryam Vargas via B4 Relay wrote:
> inv_icm45600_buffer_fifo_read() uses the FIFO_COUNT the device reports,
> unclamped, as the length of a regmap_noinc_read() into the fixed 8 KiB
> st->fifo.data buffer. The only bound is the caller's "max", which the
> interrupt path skips (it passes 0). A device, or an attacker on the bus,
> reporting up to 65535 makes the read as large as ~1 MiB: a heap
> out-of-bounds write of device-controlled data.
>
> Clamp fifo_nb to the buffer capacity (INV_ICM45600_FIFO_SIZE_MAX /
> packet_size) before the read, mirroring the watermark cap in
> inv_icm45600_wm_truncate() and the sibling inv_icm42600 driver. The clamp
> is a no-op for conforming hardware.
Reviewed-by: Andy Shevchenko <andriy.shevchenko@xxxxxxxxx>
--
With Best Regards,
Andy Shevchenko
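The bug class the quoted commit message describes (a device-reported count used unclamped as the length of a read into a fixed-size buffer), modelled as an added, self-contained C example. This is not the inv_icm45600 driver's code nor part of the patch: the names ex_dev, ex_noinc_read, ex_fifo_read_unclamped, ex_fifo_read_clamped and ex_run are hypothetical stand-ins for st->fifo.data, regmap_noinc_read(), fifo_nb and INV_ICM45600_FIFO_SIZE_MAX, and the 8 KiB buffer size, the 16-byte packet size and the 65535 count are constructed from the figures in the message. The mock bus read refuses a length larger than the destination so the overrun is observable as an error instead of corrupting memory; a real bus read has no such check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for INV_ICM45600_FIFO_SIZE_MAX: 8 KiB as in the message. */
#define EX_FIFO_SIZE_MAX 8192

/* Hypothetical device state: the count the hardware reports, the packet
 * size for the current configuration, and the fixed destination buffer. */
struct ex_dev {
	uint16_t fifo_count;            /* value read back from FIFO_COUNT */
	size_t packet_size;             /* bytes per FIFO packet, nonzero */
	uint8_t data[EX_FIFO_SIZE_MAX]; /* fixed 8 KiB buffer */
};

/* Stand-in for regmap_noinc_read(): fills buf with len bytes of a pattern.
 * Returns len, or -1 if len would overrun buf_size. A real bus read has no
 * such bound; it is here only so the overflow shows up as a return value. */
static long ex_noinc_read(uint8_t *buf, size_t buf_size, size_t len)
{
	if (len > buf_size)
		return -1;
	for (size_t i = 0; i < len; i++)
		buf[i] = (uint8_t)i;
	return (long)len;
}

/* Unclamped variant, as the message describes: fifo_nb comes straight from
 * the device, "max" is the only bound, and the interrupt path passes 0. */
static long ex_fifo_read_unclamped(struct ex_dev *dev, size_t max)
{
	size_t fifo_nb = dev->fifo_count;

	if (max > 0 && fifo_nb > max)
		fifo_nb = max;
	return ex_noinc_read(dev->data, sizeof(dev->data),
			     fifo_nb * dev->packet_size);
}

/* Clamped variant: fifo_nb is first bounded by the buffer capacity in
 * packets, so even a reported 65535 cannot exceed the destination. */
static long ex_fifo_read_clamped(struct ex_dev *dev, size_t max)
{
	size_t fifo_nb = dev->fifo_count;
	size_t capacity;

	if (dev->packet_size == 0)
		return -1;
	capacity = EX_FIFO_SIZE_MAX / dev->packet_size;
	if (fifo_nb > capacity)
		fifo_nb = capacity;
	if (max > 0 && fifo_nb > max)
		fifo_nb = max;
	return ex_noinc_read(dev->data, sizeof(dev->data),
			     fifo_nb * dev->packet_size);
}

/* Run one variant against a freshly built device; returns bytes read or -1. */
static long ex_run(uint16_t fifo_count, size_t packet_size, size_t max,
		   int clamped)
{
	struct ex_dev dev = { .fifo_count = fifo_count,
			      .packet_size = packet_size };

	return clamped ? ex_fifo_read_clamped(&dev, max)
		       : ex_fifo_read_unclamped(&dev, max);
}

int main(void)
{
	/* Hostile count, 16-byte packets, interrupt path (max == 0). */
	printf("unclamped: %ld\n", ex_run(65535, 16, 0, 0)); /* -1: would overrun */
	printf("clamped:   %ld\n", ex_run(65535, 16, 0, 1)); /* 8192: full buffer */
	return 0;
}
```

With 16-byte packets a count of 65535 asks for 1048560 bytes, which the unclamped path passes straight to the bus read; the clamped path caps it at 512 packets (8192 bytes). For a conforming count such as 3 both variants read the same 48 bytes, which is the "no-op for conforming hardware" property the message claims.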