lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <b40e19122f340f106ae744dd568d6f04fbc525d4.camel@gmail.com>
Date: Thu, 08 Jan 2026 09:19:52 +0000
From: Nuno Sá <noname.nuno@...il.com>
To: Miaoqian Lin <linmq006@...il.com>, Lars-Peter Clausen <lars@...afoo.de>,
  Michael Hennerich <Michael.Hennerich@...log.com>, Jonathan Cameron
 <jic23@...nel.org>, David Lechner	 <dlechner@...libre.com>, Nuno
 Sá <nuno.sa@...log.com>,  Andy Shevchenko	
 <andy@...nel.org>, Angelo Dureghello <adureghello@...libre.com>, 
	linux-iio@...r.kernel.org, linux-kernel@...r.kernel.org
Cc: stable@...r.kernel.org
Subject: Re: [PATCH v2] iio: dac: ad3552r-hs: fix out-of-bound write in
 ad3552r_hs_write_data_source

On Wed, 2026-01-07 at 22:35 +0800, Miaoqian Lin wrote:
> When simple_write_to_buffer() succeeds, it returns the number of bytes
> actually copied to the buffer. The code incorrectly uses 'count'
> as the index for null termination instead of the actual bytes copied.
> If count exceeds the buffer size, this leads to out-of-bounds write.
> Add a check for the count and use the return value as the index.
> 
> The bug was validated using a demo module that mirrors the original
> code and was tested under QEMU.
> 
> Pattern of the bug:
> - A fixed 64-byte stack buffer is filled using count.
> - If count > 64, the code still does buf[count] = '\0', causing an
> - out-of-bounds write on the stack.
> 
> Steps for reproduce:
> - Opens the device node.
> - Writes 128 bytes of A to it.
> - This overflows the 64-byte stack buffer and KASAN reports the OOB.
> 
> Found via static analysis. This is similar to the
> commit da9374819eb3 ("iio: backend: fix out-of-bound write")
> 
> Fixes: b1c5d68ea66e ("iio: dac: ad3552r-hs: add support for internal ramp")
> Cc: stable@...r.kernel.org
> Signed-off-by: Miaoqian Lin <linmq006@...il.com>
> ---

Reviewed-by: Nuno Sá <nuno.sa@...log.com>

> changes in v2:
> - update commit message
> - v1 link: https://lore.kernel.org/all/20251027150713.59067-1-linmq006@gmail.com/
> ---
>  drivers/iio/dac/ad3552r-hs.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/iio/dac/ad3552r-hs.c b/drivers/iio/dac/ad3552r-hs.c
> index 41b96b48ba98..a9578afa7015 100644
> --- a/drivers/iio/dac/ad3552r-hs.c
> +++ b/drivers/iio/dac/ad3552r-hs.c
> @@ -549,12 +549,15 @@ static ssize_t ad3552r_hs_write_data_source(struct file *f,
>  
>  	guard(mutex)(&st->lock);
>  
> +	if (count >= sizeof(buf))
> +		return -ENOSPC;
> +
>  	ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf,
>  				     count);
>  	if (ret < 0)
>  		return ret;
>  
> -	buf[count] = '\0';
> +	buf[ret] = '\0';
>  
>  	ret = match_string(dbgfs_attr_source, ARRAY_SIZE(dbgfs_attr_source),
>  			   buf);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ