From nobody Fri Apr 3 01:22:40 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 46E7A3D8911 for ; Wed, 25 Mar 2026 13:27:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774445266; cv=none; b=oUSBqaWQJH4QtwJ+0w5G3cm7TNNtVBSx95L32THgC99eMKltgs3otRehbfp6CNTzjynZxcP2uufMMWSKA/zIZ8lzTqd8MVj9xbcNdUXscn1ayl2I4t4+weq3F8GW6nrhbyVkuQ9AU2wPyaHw+gtgFFYGMntrfRR/63RoXDvU5Po= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774445266; c=relaxed/simple; bh=J4OiHlqWZuTOmkYDnhIsBdTv2F4XMyOi4LT7s07bKSE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=n8iTH0+o5sfOMoB9f+cm6fuZ2BgzmSSAL7PXjtzsLwiEmxfuMa5lA4Di52fO+dcExxBS8q6o1IJcLRKOwbqlhWsL4yNoQld8U5FA+EJesnr8bg9mW9r2yweT0b6rO5WH5lQyJfyx4L55GaQpnIj/xsrchIGATUMCNKc0YkGk5iM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=fLv5DMv4; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="fLv5DMv4" Received: by smtp.kernel.org (Postfix) with ESMTPSA id CC487C4CEF7; Wed, 25 Mar 2026 13:27:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1774445265; bh=J4OiHlqWZuTOmkYDnhIsBdTv2F4XMyOi4LT7s07bKSE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fLv5DMv4B1XUS1w3qul93XGNM78guHOv57JOf0zMinxXNQnoF/kjdUfRhq81zzFyi WnZbOzFgO+dGgS1GQI4dZQvNmODw7IxFQ2en+8Ahk18pEA602QO/7YbeuuN0IHecZo 4tI+382QPnQrgm5rOu1oPCcAMW6rvGSdQwf2RA6SaKzYhFTe3pXFO74qsBO1Zu3um+ FJKUbDNo8pu/L3R+6b092ulGnXzk0Ctm9HdTS4EYCzv1wV0J1UNoOiTfXjgzFJvv+r 0QPCM357fSc0Qfo1Rccn7WP0icKgwkJyHeB0Yg2dqK8oQQbLcekMnyszjmpsuIkgde GK41tte93Ap8w== From: "Masami Hiramatsu (Google)" To: Petr Mladek , Steven Rostedt , Andy Shevchenko Cc: Rasmus Villemoes , Sergey Senozhatsky , Andrew Morton , David Laight , linux-kernel@vger.kernel.org Subject: [PATCH v5 1/2] lib/vsprintf: Fix to check field_width and precision Date: Wed, 25 Mar 2026 22:27:41 +0900 Message-ID: <177444526111.185641.13236217811424905684.stgit@devnote2> X-Mailer: git-send-email 2.43.0 In-Reply-To: <177444525139.185641.12184379647176430297.stgit@devnote2> References: <177444525139.185641.12184379647176430297.stgit@devnote2> User-Agent: StGit/0.19 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable From: Masami Hiramatsu (Google) Check the field_width and presition correctly. Previously it depends on the bitfield conversion from int to check out-of-range error. However, commit 938df695e98d ("vsprintf: associate the format state with the format pointer") changed those fields to int. We need to check the out-of-range correctly without bitfield conversion. Fixes: 938df695e98d ("vsprintf: associate the format state with the format = pointer") Reported-by: David Laight Closes: https://lore.kernel.org/all/20260318151250.40fef0ab@pumpkin/ Signed-off-by: Masami Hiramatsu (Google) --- Changes in v5: - Drop negative precision support. - The field and precision passed as string literals are also checked. Changes in v4: - Do clamp() first. - Accept negative precision (this means no precision) . - Change the warning message for width. Changes in v3: - Check and update width and precision before assigning to spec. Changes in v2: - Fix to use logical split. --- lib/vsprintf.c | 39 +++++++++++++++++---------------------- 1 file changed, 17 insertions(+), 22 deletions(-) diff --git a/lib/vsprintf.c b/lib/vsprintf.c index 800b8ac49f53..2f6b7179f581 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c @@ -2640,6 +2640,21 @@ static unsigned char spec_flag(unsigned char c) return (c < sizeof(spec_flag_array)) ? spec_flag_array[c] : 0; } =20 +static void +set_field_width(struct printf_spec *spec, int width) +{ + spec->field_width =3D clamp(width, -FIELD_WIDTH_MAX, FIELD_WIDTH_MAX); + WARN_ONCE(spec->field_width !=3D width, "field width %d out of range", + width); +} + +static void +set_precision(struct printf_spec *spec, int prec) +{ + spec->precision =3D clamp(prec, 0, PRECISION_MAX); + WARN_ONCE(spec->precision < prec, "precision %d too large", prec); +} + /* * Helper function to decode printf style format. * Each call decode a token from the format and return the @@ -2710,7 +2725,7 @@ struct fmt format_decode(struct fmt fmt, struct print= f_spec *spec) spec->field_width =3D -1; =20 if (isdigit(*fmt.str)) - spec->field_width =3D skip_atoi(&fmt.str); + set_field_width(spec, skip_atoi(&fmt.str)); else if (unlikely(*fmt.str =3D=3D '*')) { /* it's the next argument */ fmt.state =3D FORMAT_STATE_WIDTH; @@ -2724,9 +2739,7 @@ struct fmt format_decode(struct fmt fmt, struct print= f_spec *spec) if (unlikely(*fmt.str =3D=3D '.')) { fmt.str++; if (isdigit(*fmt.str)) { - spec->precision =3D skip_atoi(&fmt.str); - if (spec->precision < 0) - spec->precision =3D 0; + set_precision(spec, skip_atoi(&fmt.str)); } else if (*fmt.str =3D=3D '*') { /* it's the next argument */ fmt.state =3D FORMAT_STATE_PRECISION; @@ -2799,24 +2812,6 @@ struct fmt format_decode(struct fmt fmt, struct prin= tf_spec *spec) return fmt; } =20 -static void -set_field_width(struct printf_spec *spec, int width) -{ - spec->field_width =3D width; - if (WARN_ONCE(spec->field_width !=3D width, "field width %d too large", w= idth)) { - spec->field_width =3D clamp(width, -FIELD_WIDTH_MAX, FIELD_WIDTH_MAX); - } -} - -static void -set_precision(struct printf_spec *spec, int prec) -{ - spec->precision =3D prec; - if (WARN_ONCE(spec->precision !=3D prec, "precision %d too large", prec))= { - spec->precision =3D clamp(prec, 0, PRECISION_MAX); - } -} - /* * Turn a 1/2/4-byte value into a 64-bit one for printing: truncate * as necessary and deal with signedness. From nobody Fri Apr 3 01:22:40 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6548730EF8F for ; Wed, 25 Mar 2026 13:27:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774445276; cv=none; b=OU4XA8v5/mQkCYHW5DWKHPsn6BGpbgkkT0gWhrpwC3/C474roXqLGNCI8r3lebIZN5FNlMeoTNKh5IrV488bdhYPftH4DbSOSdwNr2Kvk/UVTbQ0ORq/zBcnSjQva4914FWa+csED6GxW/cFiyTxcADmwxeVI73kOus5sEML5W0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774445276; c=relaxed/simple; bh=BBxzzkxMTmP+iLsf1M+FE7ie2lV9X0l6E4sxyncTgf0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=qTuhuPRFSIETMmPLY4aB80BJTMefxEZY+Sl89bCmzDj74w2EVurInC+lc97njV1JfqCeAiUoo1opQ0yqlKrO0+QrrdmqVpdxYFl1VToP7NNXTGbuGByC6QpL78BYTrTWSAd3RpbuF1ZI9KTGjmf2NjJF8YczmJv+nPXc3dIoQss= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=KlwqkByM; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="KlwqkByM" Received: by smtp.kernel.org (Postfix) with ESMTPSA id EDC3EC4CEF7; Wed, 25 Mar 2026 13:27:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1774445276; bh=BBxzzkxMTmP+iLsf1M+FE7ie2lV9X0l6E4sxyncTgf0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=KlwqkByMJZXoPMpqDiWc0bSbz8vrxQxVGpl7auAv8BphZ43QWWDGtkhHaOl8R11Uo A91SxGijTtyLeRTrpvhIiIjbFyK3pVOZHxXZxj9zh9+51uoH6v3633rvBTdQh4KqqK s25ThNXrlWMMWwizD7FJvAKPGviLErQLes8684Uqs7pAv9BKWlDLPzyjJpKaVM8g+Y swTGmaFtiCP5G9oip7BMx5cUOXRDlkahASFxY+fO+ErWDJmRdmHoqb2Xw6NXHx9345 fAiPSLBAj4Dh9X+Lrmars7Flx9OaBy1zaCQoI86AFDJzLFidRyWt+ZmymMASf+SGkL KBnGljk39u28A== From: "Masami Hiramatsu (Google)" To: Petr Mladek , Steven Rostedt , Andy Shevchenko Cc: Rasmus Villemoes , Sergey Senozhatsky , Andrew Morton , David Laight , linux-kernel@vger.kernel.org Subject: [PATCH v5 2/2] lib/vsprintf: Limit the returning size to INT_MAX Date: Wed, 25 Mar 2026 22:27:51 +0900 Message-ID: <177444527112.185641.7354813978127876075.stgit@devnote2> X-Mailer: git-send-email 2.43.0 In-Reply-To: <177444525139.185641.12184379647176430297.stgit@devnote2> References: <177444525139.185641.12184379647176430297.stgit@devnote2> User-Agent: StGit/0.19 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable From: Masami Hiramatsu (Google) The return value of vsnprintf() and bstr_printf() can overflow INT_MAX and return a minus value. In the @size is checked input overflow, but it does not check the output, which is expected required size. This should never happen but it should be checked and limited. Signed-off-by: Masami Hiramatsu (Google) --- Changes in v5: - Fix bstr_printf() too. Changes in v4: - Add Petr's reviewed-by. (Thanks!) Changes in v3: - Use local variable for better readability. --- lib/vsprintf.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/lib/vsprintf.c b/lib/vsprintf.c index 2f6b7179f581..69dec9b18428 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c @@ -2859,6 +2859,7 @@ static unsigned long long convert_num_spec(unsigned i= nt val, int size, struct pr int vsnprintf(char *buf, size_t size, const char *fmt_str, va_list args) { char *str, *end; + size_t ret_size; struct printf_spec spec =3D {0}; struct fmt fmt =3D { .str =3D fmt_str, @@ -2978,8 +2979,12 @@ int vsnprintf(char *buf, size_t size, const char *fm= t_str, va_list args) } =20 /* the trailing null byte doesn't count towards the total */ - return str-buf; + ret_size =3D str - buf; =20 + /* Make sure the return value is within the positive integer range */ + if (WARN_ON_ONCE(ret_size > INT_MAX)) + ret_size =3D INT_MAX; + return ret_size; } EXPORT_SYMBOL(vsnprintf); =20 @@ -3283,6 +3288,7 @@ int bstr_printf(char *buf, size_t size, const char *f= mt_str, const u32 *bin_buf) struct printf_spec spec =3D {0}; char *str, *end; const char *args =3D (const char *)bin_buf; + size_t ret_size; =20 if (WARN_ON_ONCE(size > INT_MAX)) return 0; @@ -3431,7 +3437,12 @@ int bstr_printf(char *buf, size_t size, const char *= fmt_str, const u32 *bin_buf) #undef get_arg =20 /* the trailing null byte doesn't count towards the total */ - return str - buf; + ret_size =3D str - buf; + + /* Make sure the return value is within the positive integer range */ + if (WARN_ON_ONCE(ret_size > INT_MAX)) + ret_size =3D INT_MAX; + return ret_size; } EXPORT_SYMBOL_GPL(bstr_printf);