[PATCH] soc: aspeed: lpc-snoop: Fix usercopy overflow in snoop_file_read

root karthiproffesional at gmail.com
Fri Apr 24 05:20:45 AEST 2026


From: Karthikeyan KS <karthiproffesional at gmail.com>

snoop_file_read() passes the userspace count directly to
kfifo_to_user() without clamping. The kfifo backing buffer is
2048 bytes (SNOOP_FIFO_SIZE), allocated from kmalloc-2k slab.
A read larger than 2048 bytes triggers a BUG under
CONFIG_HARDENED_USERCOPY:

  kernel BUG at mm/usercopy.c:99!

Reproducer:
  hexdump /dev/aspeed-lpc-snoop0

Fix by clamping count to SNOOP_FIFO_SIZE before the copy.

Fixes: 3772e5da4454 ("drivers/misc: Aspeed LPC snoop output using misc chardev")
Cc: stable at vger.kernel.org
Signed-off-by: Karthikeyan KS <karthiproffesional at gmail.com>
---
 drivers/soc/aspeed/aspeed-lpc-snoop.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c b/drivers/soc/aspeed/aspeed-lpc-snoop.c
index b03310c0830d..5b59e826cc68 100644
--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c
+++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c
@@ -125,6 +125,7 @@ static ssize_t snoop_file_read(struct file *file, char __user *buffer,
        if (ret == -ERESTARTSYS)
            return -EINTR;
    }
+   count = min(count, (size_t)SNOOP_FIFO_SIZE);
    ret = kfifo_to_user(&chan->fifo, buffer, count, &copied);
    if (ret)
        return ret;
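Review bot: The added clamp `count = min(count, (size_t)SNOOP_FIFO_SIZE);` open-codes a cast inside min(); `min_t(size_t, count, SNOOP_FIFO_SIZE)` is the usual kernel idiom when the two operands differ in type. A one-line comment above it saying that the bound is the size of the kfifo backing buffer would help, since nothing at this call site explains why a read count is limited here. The changelog describes the usercopy BUG and the reproducer but not how kfifo_to_user() comes to copy more than the FIFO holds, so it should say whether the clamp fixes the root cause or only bounds the copy.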
-- 
2.34.1





More information about the Linux-aspeed mailing list