[PATCH] soc: aspeed: lpc-snoop: Fix usercopy overflow in snoop_file_read

Karthikeyan KS karthiproffesional at gmail.com
Fri Apr 24 04:26:08 AEST 2026


snoop_file_read() passes the userspace count directly to
kfifo_to_user() without clamping. The kfifo backing buffer is
2048 bytes (SNOOP_FIFO_SIZE), allocated from kmalloc-2k slab.
A read larger than 2048 bytes triggers a BUG under
CONFIG_HARDENED_USERCOPY:

  kernel BUG at mm/usercopy.c:99!

Reproducer:
  hexdump /dev/aspeed-lpc-snoop0

Fix by clamping count to SNOOP_FIFO_SIZE before the copy.

Fixes: 3772e5da4454 ("drivers/misc: Aspeed LPC snoop output using misc chardev")
Cc: stable at vger.kernel.org
Signed-off-by: Karthikeyan KS <karthiproffesional at gmail.com>
---
 drivers/soc/aspeed/aspeed-lpc-snoop.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c
b/drivers/soc/aspeed/aspeed-lpc-snoop.c
index b03310c0830d..5b59e826cc68 100644
--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c
+++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c
@@ -125,6 +125,7 @@ static ssize_t snoop_file_read(struct file *file, char
__user *buffer,
        if (ret == -ERESTARTSYS)
            return -EINTR;
    }
+   count = min(count, (size_t)SNOOP_FIFO_SIZE);
    ret = kfifo_to_user(&chan->fifo, buffer, count, &copied);
    if (ret)
        return ret;
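
Review bot: the added clamp `count = min(count, (size_t)SNOOP_FIFO_SIZE);` bounds the request by the fifo's capacity, not by the number of bytes currently queued, so the commit message should state which length actually reaches the usercopy check and include the full usercopy report rather than only the `kernel BUG at mm/usercopy.c:99!` line. For the clamp itself, `min_t(size_t, count, SNOOP_FIFO_SIZE)` is the usual kernel form instead of a cast inside `min()`, and a one-line comment above it saying that oversized reads are deliberately shortened would help the next reader. The context lines in this hunk are indented with spaces and the `diff --git` and `@@` lines are wrapped, so the patch should be resent as plain text so that it applies cleanly.
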
-- 
2.34.1
