From: Miaoqian Lin
To: Lars-Peter Clausen, Michael Hennerich, Jonathan Cameron, David Lechner, Nuno Sá, Andy Shevchenko, Angelo Dureghello, linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: linmq006@gmail.com, stable@vger.kernel.org
Subject: [PATCH v2] iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source
Date: Wed, 7 Jan 2026 22:35:50 +0800
Message-Id: <20260107143550.34324-1-linmq006@gmail.com>

When simple_write_to_buffer() succeeds, it returns the number of bytes
actually copied to the buffer. The code incorrectly uses 'count'
as the index for null termination instead of the actual bytes copied.
If count exceeds the buffer size, this leads to an out-of-bounds write.
Add a check for the count and use the return value as the index.

The bug was validated using a demo module that mirrors the original
code and was tested under QEMU.

Pattern of the bug:
- A fixed 64-byte stack buffer is filled using count.
- If count > 64, the code still does buf[count] = '\0', causing an
  out-of-bounds write on the stack.

Steps to reproduce:
- Opens the device node.
- Writes 128 bytes of A to it.
- This overflows the 64-byte stack buffer and KASAN reports the OOB.

Found via static analysis. This is similar to the
commit da9374819eb3 ("iio: backend: fix out-of-bound write")

Fixes: b1c5d68ea66e ("iio: dac: ad3552r-hs: add support for internal ramp")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin
Reviewed-by: Andy Shevchenko
Reviewed-by: Nuno Sá
---
changes in v2:
- update commit message
- v1 link: https://lore.kernel.org/all/20251027150713.59067-1-linmq006@gmail.com/
---
 drivers/iio/dac/ad3552r-hs.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/iio/dac/ad3552r-hs.c b/drivers/iio/dac/ad3552r-hs.c index 41b96b48ba98..a9578afa7015 100644 --- a/drivers/iio/dac/ad3552r-hs.c +++ b/drivers/iio/dac/ad3552r-hs.c @@ -549,12 +549,15 @@ static ssize_t ad3552r_hs_write_data_source(struct fi= le *f, =20 guard(mutex)(&st->lock); =20 + if (count >=3D sizeof(buf)) + return -ENOSPC; + ret =3D simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, count); if (ret < 0) return ret; =20 - buf[count] =3D '\0'; + buf[ret] =3D '\0'; =20 ret =3D match_string(dbgfs_attr_source, ARRAY_SIZE(dbgfs_attr_source), buf); --=20 2.39.5 (Apple Git-154)
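
Review bot: at buf[ret] = '\0', ret is the number of bytes copied, not the end offset inside buf. simple_write_to_buffer() stores the data at buf + *ppos, so a write issued at a non-zero file offset leaves the terminator at index ret while the copied bytes sit at [*ppos, *ppos + ret), and match_string() then compares whatever precedes them. The write stays in bounds, but the hunk does not show how buf is declared; unless it is zero-initialised, consider rejecting *ppos != 0 before the copy so the string handed to match_string() is always the one the caller wrote. Separately, the new count >= sizeof(buf) check sits after guard(mutex)(&st->lock) although it touches no shared state; moving it above the guard avoids taking the lock for a write that is going to be rejected.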