[PATCH 3/4] firmware: arm_scmi: Validate SENSOR_UPDATE payload size
Cristian Marussi
cristian.marussi at arm.com
Tue May 19 02:40:24 PDT 2026
On Sun, May 17, 2026 at 08:02:42PM +0100, Sudeep Holla wrote:
> SENSOR_UPDATE carries one or more sensor readings after the fixed
> notification header. The parser derives the expected reading count
> from the sensor description, but it did not verify that the received
> payload contains those entries before parsing them.
>
> Reject truncated update notifications before reading the variable
> array.
>
> Signed-off-by: Sudeep Holla <sudeep.holla at kernel.org>
> ---
> drivers/firmware/arm_scmi/sensors.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/firmware/arm_scmi/sensors.c b/drivers/firmware/arm_scmi/sensors.c
> index 836c294a9f42..b14bb1146356 100644
> --- a/drivers/firmware/arm_scmi/sensors.c
> +++ b/drivers/firmware/arm_scmi/sensors.c
> @@ -1072,12 +1072,15 @@ scmi_sensor_fill_custom_report(const struct scmi_protocol_handle *ph,
> case SCMI_EVENT_SENSOR_UPDATE:
> {
> int i;
> + size_t expected_sz;
> struct scmi_sensor_info *s;
> const struct scmi_sensor_update_notify_payld *p = payld;
> struct scmi_sensor_update_report *r = report;
> struct sensors_info *sinfo = ph->get_priv(ph);
>
> - /* payld_sz is variable for this event */
> + if (payld_sz < sizeof(*p))
> + break;
> +
> r->sensor_id = le32_to_cpu(p->sensor_id);
> if (r->sensor_id >= sinfo->num_sensors)
> break;
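Review bot: The new `if (payld_sz < sizeof(*p))` check at the top of the SCMI_EVENT_SENSOR_UPDATE case replaces the comment `/* payld_sz is variable for this event */` and leaves no explanation behind. A one-line comment there would keep the two-stage validation readable: it should say that this test covers only the fixed header, and that the readings array is checked further down once readings_count is known. The silent `break` is consistent with the existing `r->sensor_id >= sinfo->num_sensors` path just below, so no change is needed on that side.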
> @@ -1091,6 +1094,11 @@ scmi_sensor_fill_custom_report(const struct scmi_protocol_handle *ph,
> * readings defined for this sensor or 1 for scalar sensors.
> */
> r->readings_count = s->num_axis ?: 1;
> + expected_sz = sizeof(*p) + r->readings_count *
> + sizeof(p->readings[0]);
> + if (payld_sz < expected_sz)
> + break;
> +
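Review bot: The open-coded `sizeof(*p) + r->readings_count * sizeof(p->readings[0])` used for expected_sz could be written as `struct_size(p, readings, r->readings_count)`, assuming readings is a flexible array member of the payload struct. That is the usual kernel idiom for this computation and it saturates rather than wraps on overflow. The test is also a lower bound only, so a payload longer than expected_sz is still parsed. That matches the "truncated" wording in the commit message, but a short comment stating that trailing bytes are ignored on purpose would make the intent explicit.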
LGTM.
Reviewed-by: Cristian Marussi <cristian.marussi at arm.com>
Thanks,
Cristian