From: Andy Shevchenko <andriy.shevchenko@intel.com>
To: 林妙倩 <linmq006@gmail.com>
Cc: "Nuno Sá" <noname.nuno@gmail.com>,
	"Markus Burri" <markus.burri@mt.com>,
	"Lars-Peter Clausen" <lars@metafoo.de>,
	"Michael Hennerich" <Michael.Hennerich@analog.com>,
	"Jonathan Cameron" <jic23@kernel.org>,
	"David Lechner" <dlechner@baylibre.com>,
	"Nuno Sá" <nuno.sa@analog.com>,
	"Andy Shevchenko" <andy@kernel.org>,
	"Angelo Dureghello" <adureghello@baylibre.com>,
	linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org,
	stable@vger.kernel.org
Subject: Re: [PATCH] iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source
Date: Sun, 28 Dec 2025 19:33:46 +0200
Message-ID: <aVFp-peLKtvyLL9D@smile.fi.intel.com>
In-Reply-To: <CAH-r-ZE0brfZ_T0tDjV5+D90V9QVLhWUO_-zvPxS7kd=LnDrWg@mail.gmail.com>

On Wed, Dec 17, 2025 at 02:47:17PM +0800, 林妙倩 wrote:
> Hi,
> 
> I don’t have the actual hardware, so I built a similar demo module to
> mirror the bug and ran it in QEMU.
> With KASAN enabled, the PoC triggers BUG: KASAN: stack-out-of-bounds.
> 
> Pattern of the bug:
> - A fixed 64-byte stack buffer is filled using count.
> - If count > 64, the code still does buf[count] = '\0', causing an
> out-of-bounds write on the stack.
> 
> PoC (what it does):
> - Opens the device node.
> - Writes 128 bytes of A to it.
> - This overflows the 64-byte stack buffer and KASAN reports the stack OOB.
> 
> If you have the real device, you may run the similar PoC on your driver
> to validate—just ensure KASAN is enabled to see the report.
> I also tested the straightforward fix buf[ret] = '\0'; with that
> change, the issue no longer reproduces.
> Below are the trace, the demo module, and the PoC for reference.

Thanks for the additional information, I think it would be good to have a
summary of it in the commit message of the fix.

-- 
With Best Regards,
Andy Shevchenko
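The pattern the quoted message describes (a bounded copy into a fixed 64-byte stack buffer, then a terminator written at the caller's count), modelled as an added example. This is not the driver's code or anything from the thread: the frame layout, the copy helper and the redzone fill byte are constructed stand-ins chosen so the out-of-bounds write shows up as a corrupted redzone, the same way KASAN reports it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Constructed model of the frame described in the thread (not driver code):
 * the 64-byte buffer plus a redzone standing in for the neighbouring stack
 * memory that KASAN poisons; any write into it is the reported OOB. */
#define DEMO_BUF_SIZE 64
#define DEMO_REDZONE_SIZE 128
struct demo_frame {
    char buf[DEMO_BUF_SIZE];
    unsigned char redzone[DEMO_REDZONE_SIZE];
};

/* Stand-in for the kernel copy helper: copies at most 'avail' bytes. */
static size_t demo_copy(char *dst, size_t avail, const char *src, size_t count)
{
    size_t n = count < avail ? count : avail;
    memcpy(dst, src, n);
    return n;   /* fewer than count bytes when count > avail */
}

/* Buggy pattern: bounded copy, but the terminator lands at the caller's
 * count (indexed from the frame base so the model stays in one object). */
size_t demo_store_buggy(struct demo_frame *f, const char *in, size_t count)
{
    size_t ret = demo_copy(f->buf, sizeof(f->buf) - 1, in, count);
    ((char *)f)[offsetof(struct demo_frame, buf) + count] = '\0';
    return ret;
}

/* Fixed pattern from the thread: terminate at the bytes actually copied. */
size_t demo_store_fixed(struct demo_frame *f, const char *in, size_t count)
{
    size_t ret = demo_copy(f->buf, sizeof(f->buf) - 1, in, count);
    f->buf[ret] = '\0';   /* ret <= sizeof(buf) - 1, always in bounds */
    return ret;
}
/* Feeds 'count' bytes of 'A' (the PoC input from the thread) through one
 * handler and reports whether the redzone survived, as KASAN would check. */
bool demo_run(bool use_fixed, size_t count)
{
    struct demo_frame f;
    char in[DEMO_BUF_SIZE + DEMO_REDZONE_SIZE];   /* count must not exceed this */
    memset(f.redzone, 0xAA, sizeof(f.redzone));
    memset(in, 'A', sizeof(in));
    (use_fixed ? demo_store_fixed : demo_store_buggy)(&f, in, count);
    for (size_t i = 0; i < sizeof(f.redzone); i++)
        if (f.redzone[i] != 0xAA)
            return false;
    return true;
}
```

With the 128-byte input from the thread, `demo_run(false, 128)` reports a corrupted redzone while `demo_run(true, 128)` does not; the buggy handler already misbehaves at count == 64, the first index past the buffer.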