On Wed, Dec 17, 2025 at 02:47:17PM +0800, 林妙倩 wrote:
Hi,
I don’t have the actual hardware, so I built a similar demo module to mirror the bug and ran it in QEMU. With KASAN enabled, the PoC triggers BUG: KASAN: stack-out-of-bounds.
Pattern of the bug:
- A fixed 64-byte stack buffer is filled using count.
- If count > 64, the code still does buf[count] = '\0', causing an out-of-bounds write on the stack.
PoC (what it does):
- Opens the device node.
- Writes 128 bytes of A to it.
- This overflows the 64-byte stack buffer and KASAN reports the stack OOB.
If you have the real device, you may run the similar PoC on your driver to validate—just ensure KASAN is enabled to see the report. I also tested the straightforward fix buf[ret] = '\0'; with that change, the issue no longer reproduces. Below are the trace, the demo module, and the PoC for reference.
Thanks for the additional information, I think it would be good to have a summary of it in the commit message of the fix.
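The buffer pattern described in the report, reduced to a stand-alone userspace demo added here (not the driver's code or the demo module from the thread): `buggy_terminator_oob` computes, without executing it, where the reported `buf[count]` write lands relative to the 64-byte buffer, and `demo_write_fixed` is a hypothetical hardened handler that bounds the copy to sizeof(buf)-1 (an assumption about how the real handler limits the copy) and terminates at `buf[ret]`, taking `ret` to be the number of bytes actually copied. memcpy stands in for copy_from_user(), and the 128 bytes of 'A' are constructed to mirror the PoC input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DEMO_BUF_SZ 64   /* the fixed 64-byte stack buffer from the report */

/* Models the reported pattern arithmetically: after filling the buffer,
 * the handler writes buf[count]. That index is past the end of a 64-byte
 * buffer once count >= 64, so the NUL lands on the stack outside buf.
 * Computed rather than executed, so this demo never does the bad write. */
bool buggy_terminator_oob(size_t count)
{
    return count >= DEMO_BUF_SZ;
}

/* Hypothetical hardened write handler. The copy is bounded to sizeof(buf)-1
 * so the terminator always has room, and the NUL goes at buf[ret], ret being
 * the bytes actually copied, as in the fix tested in the report. The result
 * is copied to `out` (at least DEMO_BUF_SZ bytes) so callers can inspect it.
 * Returns bytes consumed, or -1 on a bad argument. */
long demo_write_fixed(const char *data, size_t count, char *out, size_t out_sz)
{
    char buf[DEMO_BUF_SZ];
    size_t ret;

    if (!data || !out || out_sz < sizeof(buf))
        return -1;
    ret = count < sizeof(buf) - 1 ? count : sizeof(buf) - 1;
    memcpy(buf, data, ret);          /* stands in for copy_from_user() */
    buf[ret] = '\0';                 /* indexed by bytes copied, never by raw count */
    memcpy(out, buf, ret + 1);
    return (long)ret;
}

/* Replays the PoC input (128 bytes of 'A', constructed here) against the
 * hardened handler and returns the length of the stored string. */
long demo_replay_poc(void)
{
    char in[128], out[DEMO_BUF_SZ];

    memset(in, 'A', sizeof(in));
    if (demo_write_fixed(in, sizeof(in), out, sizeof(out)) < 0)
        return -1;
    return (long)strlen(out);
}

int main(void)
{
    printf("buggy pattern OOB for count=128: %d\n", buggy_terminator_oob(128));
    printf("hardened handler stored %ld bytes\n", demo_replay_poc());
    return 0;
}
```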