From nobody Mon Apr  6 09:08:19 2026
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org
 [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6E034258EDB
	for <linux-kernel@vger.kernel.org>; Fri, 20 Mar 2026 03:54:52 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=10.30.226.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1773978892; cv=none;
 b=Gdo4LgHkzy6JjTPLxM7BN5/oogqsNQQkCFVjHo3AVRMV+agtwngy4CFR5dRNTr3ZTASMQvGyPxFackeG0BcdF/Uv8W1GyLQ9CxEckSAqub3UUDcaC7rBO+UMO+0VEjrjvRh6pWbWuIkBgsUOvmuZqMVA9bqSTlYQbKprprzmW6s=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1773978892; c=relaxed/simple;
	bh=xVQhKHGYtm9kVAgfhiogs6YwALck2l60jwBQHuXmFKI=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=K70OzWCjVx7HpBuH8R//SU/9lkBpNy3hlXLpKD3V32lG67brXpj5p5zDZVUhigWcwD+KjCGOpckNHMvTwJ6X3ixSfdIZXbflNTFfC/YEQTSmKawA+n4vtqmwLD78koIcrdn8K7DDxVAV60cAPIb39qmy6qrWTtbumOIjA0xIFrQ=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=B6q6l1d+; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="B6q6l1d+"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id BC357C4CEF7;
	Fri, 20 Mar 2026 03:54:50 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1773978892;
	bh=xVQhKHGYtm9kVAgfhiogs6YwALck2l60jwBQHuXmFKI=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=B6q6l1d+hlPn6ZYZFpMWnrXD/XVzeQEBuXYsjV14iHe93f8IlyH3Q5O5ok/KM7A76
	 CgdMCaI0kmwZHyL/s+mv5fjPHjioCgEOcEJkbp+Is4GgaKITOkMCq5uYU26aZbPgqp
	 2pK0j7WQc25CI2VDacGtpDBrV+cGZFDBj6VVCaEJG9kA2WBsXhs/eXOd1UZPsEAa0t
	 R3HRrzhrADL2YRWwSmES0io7Y/EIAJxzURdLH5nzl9aTRc5qRBxfBk43ezFuttpd8A
	 sXRM+VpgnSlwHbooOKrpGtPjTYbSWcIHylx2PnZEFPqu9uxcFXP/bGp7SVOCtGgVC+
	 uOqb7bpo7sCEw==
From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
To: Petr Mladek <pmladek@suse.com>,
	Steven Rostedt <rostedt@goodmis.org>,
	Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>,
	Sergey Senozhatsky <senozhatsky@chromium.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	David Laight <david.laight.linux@gmail.com>,
	linux-kernel@vger.kernel.org
Subject: [PATCH v2 1/2] lib/vsprintf: Fix to check field_width and precision
Date: Fri, 20 Mar 2026 12:54:48 +0900
Message-ID: <177397888866.33018.11400875989661138560.stgit@devnote2>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <177397887883.33018.9867883986177366222.stgit@devnote2>
References: <177397887883.33018.9867883986177366222.stgit@devnote2>
User-Agent: StGit/0.19
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Masami Hiramatsu (Google) <mhiramat@kernel.org>

Check the field_width and presition correctly. Previously it depends
on the bitfield conversion from int to check out-of-range error.
However, commit 938df695e98d ("vsprintf: associate the format state
with the format pointer") changed those fields to int.
We need to check the out-of-range correctly without bitfield
conversion.

Fixes: 938df695e98d ("vsprintf: associate the format state with the format =
pointer")
Reported-by: David Laight <david.laight.linux@gmail.com>
Closes: https://lore.kernel.org/all/20260318151250.40fef0ab@pumpkin/
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
---
 Changes in v2:
  - Fix to use logical split.
---
 lib/vsprintf.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 800b8ac49f53..32a164e2adf4 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -2803,7 +2803,8 @@ static void
 set_field_width(struct printf_spec *spec, int width)
 {
 	spec->field_width =3D width;
-	if (WARN_ONCE(spec->field_width !=3D width, "field width %d too large", w=
idth)) {
+	if (WARN_ONCE(spec->field_width > FIELD_WIDTH_MAX || spec->field_width < =
-FIELD_WIDTH_MAX,
+		      "field width %d too large", width)) {
 		spec->field_width =3D clamp(width, -FIELD_WIDTH_MAX, FIELD_WIDTH_MAX);
 	}
 }
@@ -2812,7 +2813,8 @@ static void
 set_precision(struct printf_spec *spec, int prec)
 {
 	spec->precision =3D prec;
-	if (WARN_ONCE(spec->precision !=3D prec, "precision %d too large", prec))=
 {
+	if (WARN_ONCE(spec->precision > PRECISION_MAX || spec->precision < 0,
+		      "precision %d too large", prec)) {
 		spec->precision =3D clamp(prec, 0, PRECISION_MAX);
 	}
 }
From nobody Mon Apr  6 09:08:19 2026
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org
 [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id F0E3C231829
	for <linux-kernel@vger.kernel.org>; Fri, 20 Mar 2026 03:55:00 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=10.30.226.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1773978901; cv=none;
 b=WDkwF3haG4o3n0po9hLssntwvNdASHK5FHloopr+8ZALxgkD6Vj1iNjPejCNaeWKJxFNZxXvvhPwt+Z8lJ0pQ3P/N8MnrP7JUJ32GfW3Lyal5voV0QrVDJwkYv27easPMEpOv6OUkdB4PesnXK2sqWjFWnp4R/8AsUjS3m6qRN4=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1773978901; c=relaxed/simple;
	bh=pbS6We/0H3X4JHMXlLctFdPl8NaR6yblGjMZklbbo2U=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=dryCx/gSpgxXLUe6ZjTEQJCnSoix435gl3NgTldE/LsINdtp+a3MvkwSQ8lRu0oOg9enaAVQ6lIkqYOxJQ/LU6lvgP4mSPPCUo7yS6Wz/d6P2ALOaEMvuwN3eWdneQk+J6ZGRKbxkXepQSJmZcUGKuHgfVybkSfqB22fkFpCcm4=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=hlRTPrzw; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="hlRTPrzw"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5716EC4CEF7;
	Fri, 20 Mar 2026 03:54:59 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1773978900;
	bh=pbS6We/0H3X4JHMXlLctFdPl8NaR6yblGjMZklbbo2U=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=hlRTPrzwYwzvS1Y/l8P+1NxYYDVardW/87OqyPfDqFqE/bdzn/kb+qDejGhSNKbog
	 OzyLY5qwYtyDxmzOlghyp2XdL634AlBLErCJwMoNnrtea/2ooZOf0sJYZOX7x9fMpV
	 UQTGQyPDiKqV5pdq7Fi4JEyNCSHsceZx6LCq7fKKA1MkaggDRR/egTFkMUP57ZVaGO
	 NRxaeLneK53I+ECbLjv2HnggdXoafBvaqqhSOa1WC1cNWIwVtN6nMlfXTv2Q7+q1mE
	 TVjAjkzEKj0MTb3PJiPKC4VgyAfskeUVJmD/s0TAotkT5cwe5XJVvQzITk+k+Eczfg
	 x6RfUqLu8xNOg==
From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
To: Petr Mladek <pmladek@suse.com>,
	Steven Rostedt <rostedt@goodmis.org>,
	Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>,
	Sergey Senozhatsky <senozhatsky@chromium.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	David Laight <david.laight.linux@gmail.com>,
	linux-kernel@vger.kernel.org
Subject: [PATCH v2 2/2] lib/vsprintf: Limit the returning size to INT_MAX
Date: Fri, 20 Mar 2026 12:54:57 +0900
Message-ID: <177397889735.33018.16696041032174901196.stgit@devnote2>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <177397887883.33018.9867883986177366222.stgit@devnote2>
References: <177397887883.33018.9867883986177366222.stgit@devnote2>
User-Agent: StGit/0.19
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Masami Hiramatsu (Google) <mhiramat@kernel.org>

The return value of vsnprintf() can overflow INT_MAX and return
a minus value. In the @size is checked input overflow, but it does
not check the output, which is expected required size.

This should never happen but it should be checked and limited.

Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
---
 lib/vsprintf.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 32a164e2adf4..ea5e1d22ff8f 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -2985,7 +2985,7 @@ int vsnprintf(char *buf, size_t size, const char *fmt=
_str, va_list args)
 	}
=20
 	/* the trailing null byte doesn't count towards the total */
-	return str-buf;
+	return WARN_ON_ONCE(str - buf > INT_MAX) ? INT_MAX : str - buf;
=20
 }
 EXPORT_SYMBOL(vsnprintf);