[PATCH] soc: aspeed: lpc-snoop: Fix usercopy overflow in snoop_file_read
From: root
Date: Thu Apr 23 2026 - 15:21:22 EST
From: Karthikeyan KS <karthiproffesional@xxxxxxxxx>

snoop_file_read() passes the userspace count directly to
kfifo_to_user() without clamping. The kfifo backing buffer is
2048 bytes (SNOOP_FIFO_SIZE), allocated from kmalloc-2k slab.
A read larger than 2048 bytes triggers a BUG under
CONFIG_HARDENED_USERCOPY:

  kernel BUG at mm/usercopy.c:99!

Reproducer:

  hexdump /dev/aspeed-lpc-snoop0

Fix by clamping count to SNOOP_FIFO_SIZE before the copy.

Fixes: 3772e5da4454 ("drivers/misc: Aspeed LPC snoop output using misc chardev")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Karthikeyan KS <karthiproffesional@xxxxxxxxx>
---
drivers/soc/aspeed/aspeed-lpc-snoop.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c b/drivers/soc/aspeed/aspeed-lpc-snoop.c
index b03310c0830d..5b59e826cc68 100644
--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c
+++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c
@@ -125,6 +125,7 @@ static ssize_t snoop_file_read(struct file *file, char __user *buffer,
if (ret == -ERESTARTSYS)
return -EINTR;
}
+ count = min(count, (size_t)SNOOP_FIFO_SIZE);
ret = kfifo_to_user(&chan->fifo, buffer, count, &copied);
if (ret)
return ret;
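
Review bot: the added clamp, "count = min(count, (size_t)SNOOP_FIFO_SIZE);", casts one operand by hand inside min(); min_t(size_t, count, SNOOP_FIFO_SIZE) expresses the same bound without the open-coded cast. The line also sits directly above kfifo_to_user() with no comment, and the commit message quotes only the "kernel BUG at mm/usercopy.c:99!" line, so a reader cannot see from the patch which object and length the usercopy check rejected. Please include the usercopy report line that names the object, offset and size in the changelog, so it is clear that a copy of up to SNOOP_FIFO_SIZE bytes stays within the kmalloc-2k allocation and that clamping in the caller addresses the reported length.
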
--
2.34.1