From nobody Fri Apr 3 02:56:37 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 957D7283C9D for ; Wed, 25 Mar 2026 02:25:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774405521; cv=none; b=LRCeUVq7LAjLCwSXL9aglDhBtkgTL4g/wrVbTkMW9rIhDaSZfiyrEYhMUq0PYZZTV+6E4QyHjnJCKZFDuexWEwZaToihIfEpjiuR1iyqjSSioCOWeE2ZaBVrv+1QdcNRYKuwqt3fe4GLyLN2e593K7427NS+LnG5HPpYJGXVkko= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774405521; c=relaxed/simple; bh=iJ3IN7uey9T2K52OsS6hJ4VS25X8WEbtlPo3/q03dRs=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=mem5q9HdkUYO7H2ezk/W4reKi1D1/kEdK2bwSn8jixExxuz/S0kqOWAGncEZaoPaw3b3TRkxNpRhJ5qnW8MavMvmdraqGYxfWYoehuh2CaRgy1l/7vJkTSrUdQmY/M1ORlGJ593iaxkWDJxqV6c90k/tPWWG+OFsDTFT3nI+maM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=vLrdy7Yx; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="vLrdy7Yx" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 47723C19424; Wed, 25 Mar 2026 02:25:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1774405521; bh=iJ3IN7uey9T2K52OsS6hJ4VS25X8WEbtlPo3/q03dRs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=vLrdy7YxferooqZ9iGHxyBcGrbEe7kWBDJ9dOxLFca3lB/a+FDMBE2CH6DbanvJQJ fWBEmuBVsJgBheFPOB9wLu1d53kv8lk6ZEkT5uKAq/KGDSWuOkbsN5jRRxmeh/rCqR lK1bHikn+3+76kXYG92NfDwfiS1hd/baPuGfDOOaO26gfXBj0aIXChlLMLyGjvDfq1 H5/UcSftHaiExwRoeat+E4eUf8Sg7sFKzt+Kdpn5MmnmtWT81h4SCOHCOsQFWk58Yt Hi4eBWrmeBGe2F4K4gxWqkR832EO+R193A36G1zPxdmIwn2ypYem/pWHfND2UxLIs7 CqYwTm3zmDemg== From: "Masami Hiramatsu (Google)" To: Petr Mladek , Steven Rostedt , Andy Shevchenko Cc: Rasmus Villemoes , Sergey Senozhatsky , Andrew Morton , David Laight , linux-kernel@vger.kernel.org Subject: [PATCH v4 1/2] lib/vsprintf: Fix to check field_width and precision Date: Wed, 25 Mar 2026 11:25:16 +0900 Message-ID: <177440551685.147866.4375769344976474036.stgit@devnote2> X-Mailer: git-send-email 2.43.0 In-Reply-To: <177440550682.147866.1854734911195480940.stgit@devnote2> References: <177440550682.147866.1854734911195480940.stgit@devnote2> User-Agent: StGit/0.19 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable From: Masami Hiramatsu (Google) Check the field_width and presition correctly. Previously it depends on the bitfield conversion from int to check out-of-range error. However, commit 938df695e98d ("vsprintf: associate the format state with the format pointer") changed those fields to int. We need to check the out-of-range correctly without bitfield conversion. Fixes: 938df695e98d ("vsprintf: associate the format state with the format = pointer") Reported-by: David Laight Closes: https://lore.kernel.org/all/20260318151250.40fef0ab@pumpkin/ Signed-off-by: Masami Hiramatsu (Google) Reviewed-by: David Laight --- Changes in v4: - Do clamp() first. - Accept negative precision (this means no precision) . - Change the warning message for width. Changes in v3: - Check and update width and precision before assigning to spec. Changes in v2: - Fix to use logical split. --- lib/vsprintf.c | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/lib/vsprintf.c b/lib/vsprintf.c index 800b8ac49f53..5fa8f69030be 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c @@ -2679,9 +2679,6 @@ struct fmt format_decode(struct fmt fmt, struct print= f_spec *spec) =20 /* we finished early by reading the precision */ if (unlikely(fmt.state =3D=3D FORMAT_STATE_PRECISION)) { - if (spec->precision < 0) - spec->precision =3D 0; - fmt.state =3D FORMAT_STATE_NONE; goto qualifier; } @@ -2802,19 +2799,17 @@ struct fmt format_decode(struct fmt fmt, struct pri= ntf_spec *spec) static void set_field_width(struct printf_spec *spec, int width) { - spec->field_width =3D width; - if (WARN_ONCE(spec->field_width !=3D width, "field width %d too large", w= idth)) { - spec->field_width =3D clamp(width, -FIELD_WIDTH_MAX, FIELD_WIDTH_MAX); - } + spec->field_width =3D clamp(width, -FIELD_WIDTH_MAX, FIELD_WIDTH_MAX); + WARN_ONCE(spec->field_width !=3D width, "field width %d out of range", + width); } =20 static void set_precision(struct printf_spec *spec, int prec) { - spec->precision =3D prec; - if (WARN_ONCE(spec->precision !=3D prec, "precision %d too large", prec))= { - spec->precision =3D clamp(prec, 0, PRECISION_MAX); - } + /* We allow negative precision, but treat it as if there was no precision= . */ + spec->precision =3D clamp(prec, -1, PRECISION_MAX); + WARN_ONCE(spec->precision < prec, "precision %d too large", prec); } =20 /* From nobody Fri Apr 3 02:56:37 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8D11E283FDC for ; Wed, 25 Mar 2026 02:25:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774405531; cv=none; b=FuKEtcINqHmXtFBD7wSggU5U/7YdqTXFCF4XctSVctmbCV2x66s3htuCPlTtA3gxBDzTJfuczkEjX/aHxZg3+Xl2XnuHaK5pkxnWA9K+R/+ZsGgu5YUvyBke+naxb2mEc543PrIfUfu/64LtU0HAaZZLPLKcdM5t6m/ojTqAnbU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774405531; c=relaxed/simple; bh=uz5D5b80YPp8bzw7RmSxG89HuGky1Nfz3IO8KHic5qc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=MzRawCR2+8Ng8KBW5xXzhMR4KQRAVbBTwU7sI1sEU0lqfYStqf22M7V/uFN05zf8GOdDTlXjNZSSjDCbMUaROtPWw4U6K1e8O6+a2bkMaVl0GqrqiiNl/NJ2apPuK0V6xMMC/+qE2uvgFWtoajvbUuOHgymB+05OHS+qb5NJvKA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=qYRfcBDE; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="qYRfcBDE" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 50141C2BC87; Wed, 25 Mar 2026 02:25:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1774405531; bh=uz5D5b80YPp8bzw7RmSxG89HuGky1Nfz3IO8KHic5qc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=qYRfcBDEHIK2AYyQfmw20lh627VG7h7u4ReI7flivXXz3nnxvh8FrBpOokrZNjOGB HuUV7uzjM4rCa2tghnh/8oeY5xU+F/Neu88uh7cKyLIfTRXJBhsHgc6CybropSBCmP +bbhdDaJDZN/hJEIubrHMKPqER9MxM7TJ//RWMHeVVUVfaJilDRWOWF2Tv/JemUugS TiTDb0Jm48Wby9iDbNa4tBFdco++zSGRrGgTH1Q09Oq2EvTnl7hgN33VMn8aTiKHFe KwR1v6jC03CQuuL7X6zFSJhZBkZ0ZLmOOc7K2AjhDqk3nrh2TV4e1PU7K8mXxNXSoe emUY+DfZFOZMA== From: "Masami Hiramatsu (Google)" To: Petr Mladek , Steven Rostedt , Andy Shevchenko Cc: Rasmus Villemoes , Sergey Senozhatsky , Andrew Morton , David Laight , linux-kernel@vger.kernel.org Subject: [PATCH v4 2/2] lib/vsprintf: Limit the returning size to INT_MAX Date: Wed, 25 Mar 2026 11:25:26 +0900 Message-ID: <177440552668.147866.13742904698273436360.stgit@devnote2> X-Mailer: git-send-email 2.43.0 In-Reply-To: <177440550682.147866.1854734911195480940.stgit@devnote2> References: <177440550682.147866.1854734911195480940.stgit@devnote2> User-Agent: StGit/0.19 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable From: Masami Hiramatsu (Google) The return value of vsnprintf() can overflow INT_MAX and return a minus value. In the @size is checked input overflow, but it does not check the output, which is expected required size. This should never happen but it should be checked and limited. Signed-off-by: Masami Hiramatsu (Google) Reviewed-by: Petr Mladek --- Changes in v4: - Add Petr's reviewed-by. (Thanks!) Changes in v3: - Use local variable for better readability. --- lib/vsprintf.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/vsprintf.c b/lib/vsprintf.c index 5fa8f69030be..351b6f8e4796 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c @@ -2859,6 +2859,7 @@ static unsigned long long convert_num_spec(unsigned i= nt val, int size, struct pr int vsnprintf(char *buf, size_t size, const char *fmt_str, va_list args) { char *str, *end; + size_t ret_size; struct printf_spec spec =3D {0}; struct fmt fmt =3D { .str =3D fmt_str, @@ -2978,8 +2979,12 @@ int vsnprintf(char *buf, size_t size, const char *fm= t_str, va_list args) } =20 /* the trailing null byte doesn't count towards the total */ - return str-buf; + ret_size =3D str - buf; =20 + /* Make sure the return value is within the positive integer range */ + if (WARN_ON_ONCE(ret_size > INT_MAX)) + ret_size =3D INT_MAX; + return ret_size; } EXPORT_SYMBOL(vsnprintf);