Re: [PATCH v3] platform/chrome: sensorhub: bound the EC-reported sensor number
From: Tzung-Bi Shih
Date: Sun Jun 28 2026 - 22:50:55 EST
On Thu, Jun 18, 2026 at 12:46:28AM -0500, Bryam Vargas via B4 Relay wrote:
> From: Bryam Vargas <hexlabsecurity@xxxxxxxxx>
>
> Each EC FIFO event carries an 8-bit sensor number (in->sensor_num).
> cros_ec_sensorhub_ring_handler() validates the FIFO event count, the
> per-read count and the ring bound, but not the sensor number, which
> cros_ec_sensor_ring_process_event() then uses unchecked to index
> sensorhub->batch_state[] - allocated with only sensorhub->sensor_num
> entries. A sensor number of sensor_num or larger is an out-of-bounds
> read and write of batch_state[].
>
> [...]
Applied to
https://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux.git for-next
[1/1] platform/chrome: sensorhub: bound the EC-reported sensor number
commit: 833740a2333c2e4db4e02e3d0ffba04e8718a5f3
Thanks!
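
The check described in the quoted commit message, modelled in user space as an added example; it is not the applied patch or the driver's code, and every name in it (struct hub, hub_process(), run_sample()) is hypothetical. It bounds a device-reported 8-bit index against the number of allocated per-sensor entries before the index is used:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* User-space model with hypothetical names; not the cros_ec driver code. */
struct fifo_event {
    uint8_t  sensor_num;   /* 8-bit index chosen by the device (untrusted) */
    uint32_t timestamp;
};

struct batch_state { uint32_t last_ts; unsigned int events; };

struct hub {
    uint8_t sensor_count;          /* entries allocated in batch[] */
    struct batch_state *batch;
};

struct result { size_t accepted, rejected; };

/* Update per-sensor state, skipping events whose index is out of range. */
struct result hub_process(struct hub *h, const struct fifo_event *ev, size_t n)
{
    struct result r = { 0, 0 };
    for (size_t i = 0; i < n; i++) {
        /* Bound the device-reported index before it touches batch[]. */
        if (ev[i].sensor_num >= h->sensor_count) {
            r.rejected++;
            continue;
        }
        h->batch[ev[i].sensor_num].last_ts = ev[i].timestamp;
        h->batch[ev[i].sensor_num].events++;
        r.accepted++;
    }
    return r;
}

/* Constructed sample: 3 sensors, two events carry indexes 3 and 255. */
struct result run_sample(void)
{
    static const struct fifo_event ev[] = {
        { 0, 100 }, { 3, 110 }, { 2, 120 }, { 255, 130 },
    };
    struct hub h = { 3, calloc(3, sizeof(struct batch_state)) };
    struct result r = { 0, 0 };
    if (!h.batch)
        return r;
    r = hub_process(&h, ev, sizeof(ev) / sizeof(ev[0]));
    free(h.batch);
    return r;
}
```

The comparison is `>=` because an index equal to the entry count is already one past the end of the array.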