From nobody Mon Apr  6 09:08:56 2026
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org
 [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id F0E3C231829
	for <linux-kernel@vger.kernel.org>; Fri, 20 Mar 2026 03:55:00 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=10.30.226.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1773978901; cv=none;
 b=WDkwF3haG4o3n0po9hLssntwvNdASHK5FHloopr+8ZALxgkD6Vj1iNjPejCNaeWKJxFNZxXvvhPwt+Z8lJ0pQ3P/N8MnrP7JUJ32GfW3Lyal5voV0QrVDJwkYv27easPMEpOv6OUkdB4PesnXK2sqWjFWnp4R/8AsUjS3m6qRN4=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1773978901; c=relaxed/simple;
	bh=pbS6We/0H3X4JHMXlLctFdPl8NaR6yblGjMZklbbo2U=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=dryCx/gSpgxXLUe6ZjTEQJCnSoix435gl3NgTldE/LsINdtp+a3MvkwSQ8lRu0oOg9enaAVQ6lIkqYOxJQ/LU6lvgP4mSPPCUo7yS6Wz/d6P2ALOaEMvuwN3eWdneQk+J6ZGRKbxkXepQSJmZcUGKuHgfVybkSfqB22fkFpCcm4=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=hlRTPrzw; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="hlRTPrzw"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5716EC4CEF7;
	Fri, 20 Mar 2026 03:54:59 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1773978900;
	bh=pbS6We/0H3X4JHMXlLctFdPl8NaR6yblGjMZklbbo2U=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=hlRTPrzwYwzvS1Y/l8P+1NxYYDVardW/87OqyPfDqFqE/bdzn/kb+qDejGhSNKbog
	 OzyLY5qwYtyDxmzOlghyp2XdL634AlBLErCJwMoNnrtea/2ooZOf0sJYZOX7x9fMpV
	 UQTGQyPDiKqV5pdq7Fi4JEyNCSHsceZx6LCq7fKKA1MkaggDRR/egTFkMUP57ZVaGO
	 NRxaeLneK53I+ECbLjv2HnggdXoafBvaqqhSOa1WC1cNWIwVtN6nMlfXTv2Q7+q1mE
	 TVjAjkzEKj0MTb3PJiPKC4VgyAfskeUVJmD/s0TAotkT5cwe5XJVvQzITk+k+Eczfg
	 x6RfUqLu8xNOg==
From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
To: Petr Mladek <pmladek@suse.com>,
	Steven Rostedt <rostedt@goodmis.org>,
	Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>,
	Sergey Senozhatsky <senozhatsky@chromium.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	David Laight <david.laight.linux@gmail.com>,
	linux-kernel@vger.kernel.org
Subject: [PATCH v2 2/2] lib/vsprintf: Limit the returning size to INT_MAX
Date: Fri, 20 Mar 2026 12:54:57 +0900
Message-ID: <177397889735.33018.16696041032174901196.stgit@devnote2>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <177397887883.33018.9867883986177366222.stgit@devnote2>
References: <177397887883.33018.9867883986177366222.stgit@devnote2>
User-Agent: StGit/0.19
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Masami Hiramatsu (Google) <mhiramat@kernel.org>

The return value of vsnprintf() can overflow INT_MAX and return
a minus value. In the @size is checked input overflow, but it does
not check the output, which is expected required size.

This should never happen but it should be checked and limited.

Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
---
 lib/vsprintf.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 32a164e2adf4..ea5e1d22ff8f 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -2985,7 +2985,7 @@ int vsnprintf(char *buf, size_t size, const char *fmt=
_str, va_list args)
 	}
=20
 	/* the trailing null byte doesn't count towards the total */
-	return str-buf;
+	return WARN_ON_ONCE(str - buf > INT_MAX) ? INT_MAX : str - buf;
=20
 }
 EXPORT_SYMBOL(vsnprintf);