Re: [PATCH] soc: aspeed: lpc-snoop: Fix usercopy overflow in snoop_file_read
From: Andrew Jeffery
Date: Mon May 18 2026 - 07:33:03 EST
On Fri, 2026-04-24 at 00:30 +0530, karthikeyan K S wrote:
> From c50ff07baf2032ca12133775c61c50a38e8a2029 Mon Sep 17 00:00:00 2001
> From: Karthikeyan KS <karthiproffesional@xxxxxxxxx>
> Date: Thu, 23 Apr 2026 21:26:08 +0300
> Subject: [PATCH] soc: aspeed: lpc-snoop: Fix usercopy overflow in
> snoop_file_read
>
> snoop_file_read() passes the userspace count directly to
> kfifo_to_user() without clamping. The kfifo backing buffer is
> 2048 bytes (SNOOP_FIFO_SIZE), allocated from kmalloc-2k slab.
> A read larger than 2048 bytes triggers a BUG under
> CONFIG_HARDENED_USERCOPY:
>
> kernel BUG at mm/usercopy.c:99!
>
> Reproducer:
> hexdump /dev/aspeed-lpc-snoop0
Can you provide more details on how you achieved this result?
__kfifo_to_user() clamps the provided value to the content of the fifo
and has done in its current form since 2e956fb32056 ("kfifo: replace
the old non generic API").
>
> Fix by clamping count to SNOOP_FIFO_SIZE before the copy.
>
> Fixes: 3772e5da4454 ("drivers/misc: Aspeed LPC snoop output using misc
> chardev")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Karthikeyan KS <karthiproffesional@xxxxxxxxx>
> ---
> drivers/soc/aspeed/aspeed-lpc-snoop.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c
> b/drivers/soc/aspeed/aspeed-lpc-snoop.c
> index b03310c0830d..5b59e826cc68 100644
> --- a/drivers/soc/aspeed/aspeed-lpc-snoop.c
> +++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c
> @@ -125,6 +125,7 @@ static ssize_t snoop_file_read(struct file *file, char
> __user *buffer,
> if (ret == -ERESTARTSYS)
> return -EINTR;
> }
> + count = min(count, (size_t)SNOOP_FIFO_SIZE);
> ret = kfifo_to_user(&chan->fifo, buffer, count, &copied);
> if (ret)
> return ret;