Re: [PATCH v3] iio: accel: fxls8962af: clamp the device-reported FIFO sample count
From: Jonathan Cameron
Date: Sun Jun 21 2026 - 14:09:31 EST
On Wed, 17 Jun 2026 13:17:17 +0300
Andy Shevchenko <andriy.shevchenko@xxxxxxxxx> wrote:
> On Tue, Jun 16, 2026 at 08:56:15PM -0500, Bryam Vargas via B4 Relay wrote:
> >
> > fxls8962af_fifo_flush() transfers the sample count the device reports in
> > BUF_STATUS into an on-stack buffer sized for FXLS8962AF_FIFO_LENGTH (32)
> > samples, but the count is a 6-bit field (0..63) that is only checked for
> > zero. A device, or an attacker on the I2C/SPI bus, reporting 33..63
> > overflows the buffer by up to 186 bytes: a stack out-of-bounds write.
> >
> > Clamp the count to FXLS8962AF_FIFO_LENGTH before the transfer, mirroring
> > the clamp already applied in fxls8962af_set_watermark(). Conforming
> > hardware reports at most that many samples and is unaffected.
>
> OK!
> Reviewed-by: Andy Shevchenko <andriy.shevchenko@xxxxxxxxx>
>
Applied to the testing branch of iio.git
Thanks,
Jonathan
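
The clamp described in the quoted commit message, as an added user-space example that is not part of the thread and is not the driver's code: a count taken from a 6-bit BUF_STATUS field is bounded to FXLS8962AF_FIFO_LENGTH before it sizes a copy into a fixed buffer. The `ex_` names, the mask name and the 6-byte sample size are assumptions (the sample size is chosen to match the 186-byte figure); the device data is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FXLS8962AF_FIFO_LENGTH 32 /* buffer capacity in samples, per the commit message */
#define EX_BUF_CNT_MASK 0x3f      /* assumed name: the 6-bit count field, 0..63 */
#define EX_SAMPLE_BYTES 6         /* assumed: 3 axes x 16 bit, so 31 * 6 = 186 */
#define EX_BUF_BYTES (FXLS8962AF_FIFO_LENGTH * EX_SAMPLE_BYTES)

/* Constructed stand-in for the sensor: it may report any count it likes. */
struct ex_dev {
	uint8_t buf_status;
	uint8_t fifo[EX_BUF_CNT_MASK * EX_SAMPLE_BYTES];
};

/* Bytes an unclamped transfer would write past the 32-sample buffer. */
size_t ex_unclamped_overrun(uint8_t buf_status)
{
	size_t count = buf_status & EX_BUF_CNT_MASK;
	return count > FXLS8962AF_FIFO_LENGTH ? (count - FXLS8962AF_FIFO_LENGTH) * EX_SAMPLE_BYTES : 0;
}

/* Flush with the clamp: never copies more than out[] can hold. */
size_t ex_fifo_flush(const struct ex_dev *d, uint8_t out[EX_BUF_BYTES])
{
	size_t count = d->buf_status & EX_BUF_CNT_MASK;
	if (!count)
		return 0;
	if (count > FXLS8962AF_FIFO_LENGTH)
		count = FXLS8962AF_FIFO_LENGTH; /* bound the device-reported value */
	memcpy(out, d->fifo, count * EX_SAMPLE_BYTES); /* stands in for the bus read */
	return count;
}

/* Returns samples copied, or -1 if the canary byte after the buffer changed. */
int ex_run(uint8_t buf_status)
{
	struct ex_dev d = { .buf_status = buf_status };
	struct { uint8_t out[EX_BUF_BYTES]; uint8_t canary; } s;
	size_t n;
	s.canary = 0x5c;
	n = ex_fifo_flush(&d, s.out);
	return s.canary == 0x5c ? (int)n : -1;
}

int main(void)
{
	printf("count 63: copied %d, unclamped overrun %zu bytes\n", ex_run(63), ex_unclamped_overrun(63));
	return 0;
}
```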