Re: [PATCH v3] iio: accel: fxls8962af: clamp the device-reported FIFO sample count

From: Andy Shevchenko

Date: Wed Jun 17 2026 - 06:30:12 EST


On Tue, Jun 16, 2026 at 08:56:15PM -0500, Bryam Vargas via B4 Relay wrote:
>
> fxls8962af_fifo_flush() transfers the sample count the device reports in
> BUF_STATUS into an on-stack buffer sized for FXLS8962AF_FIFO_LENGTH (32)
> samples, but the count is a 6-bit field (0..63) that is only checked for
> zero. A device, or an attacker on the I2C/SPI bus, reporting 33..63
> overflows the buffer by up to 186 bytes: a stack out-of-bounds write.
>
> Clamp the count to FXLS8962AF_FIFO_LENGTH before the transfer, mirroring
> the clamp already applied in fxls8962af_set_watermark(). Conforming
> hardware reports at most that many samples and is unaffected.

OK!
Reviewed-by: Andy Shevchenko <andriy.shevchenko@xxxxxxxxx>

--
With Best Regards,
Andy Shevchenko
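
The clamp described in the quoted commit message, as an added userspace model that is not the driver's code or part of the patch. `BUF_CNT_MASK`, `SAMPLE_BYTES` (6 bytes per sample, consistent with the stated 31 x 6 = 186 bytes) and all helper names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FXLS8962AF_FIFO_LENGTH 32   /* buffer capacity in samples, from the commit message */
#define BUF_CNT_MASK           0x3f /* assumed name: 6-bit count field, values 0..63 */
#define SAMPLE_BYTES           6    /* assumed: 3 axes x 16 bit */

/* Constructed stand-in for the I2C/SPI FIFO read: writes len bytes to dst. */
static void model_fifo_read(uint8_t *dst, size_t len)
{
    memset(dst, 0xA5, len);
}

/* Bytes an unclamped transfer of `count` samples would write past the buffer. */
size_t overflow_bytes(unsigned int count)
{
    return count > FXLS8962AF_FIFO_LENGTH ?
           (size_t)(count - FXLS8962AF_FIFO_LENGTH) * SAMPLE_BYTES : 0;
}

/* The fix: never trust the device-reported count beyond the buffer capacity. */
unsigned int clamp_fifo_count(uint8_t buf_status)
{
    unsigned int count = buf_status & BUF_CNT_MASK;
    return count > FXLS8962AF_FIFO_LENGTH ? FXLS8962AF_FIFO_LENGTH : count;
}

/* Flush model: returns samples read, or -1 if the guard after the buffer changed. */
int model_flush(uint8_t buf_status)
{
    struct { uint8_t samples[FXLS8962AF_FIFO_LENGTH * SAMPLE_BYTES]; uint8_t guard[8]; } frame;
    unsigned int count = clamp_fifo_count(buf_status);

    memset(frame.guard, 0x5A, sizeof(frame.guard));
    if (!count)
        return 0;               /* the zero check that already existed */
    model_fifo_read(frame.samples, (size_t)count * SAMPLE_BYTES);
    for (size_t i = 0; i < sizeof(frame.guard); i++)
        if (frame.guard[i] != 0x5A)
            return -1;
    return (int)count;
}

int main(void)
{
    printf("unclamped count 63 overruns by %zu bytes\n", overflow_bytes(63));
    printf("clamped flush of count 63 reads %d samples\n", model_flush(63));
    return 0;
}
```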