From nobody Wed Apr 1 09:43:19 2026 Received: from sender-of-o57.zoho.eu (sender-of-o57.zoho.eu [136.143.169.57]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A812139769F for ; Mon, 30 Mar 2026 19:35:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=pass smtp.client-ip=136.143.169.57 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774899309; cv=pass; b=c6F6ULKmrwzUpcyZuRk7gkifOXmU/6iFhU2X73UsgIpHwSwMDi1+Q9j+xSoPHCbfS0cvWVsuDs5IrC9YQ5lA3bdb5CsPTk9AWv6eigajy67sv+IjVxprPjBNm8eh66qE95PUjwRcWhPcVLm4Dw1PypNblQAfVB5OuxeKUaF8SNE= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774899309; c=relaxed/simple; bh=Zb+DD/8aPIY9FcDPOazctNoof0ZotU7WyO7WyK2XV9A=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=ass7ElSHjLaiIquLAFmZ10ZyRwMrhZkaew6IGi+TWTW9vLKeYiM7ZSIVuxe3LznV15xkjmJ+DSGmTA8HemLUrcnwPF6kdLIf16L0uZxLK/pc0UZ7qH/X/MFeSjVu/FviBShFhgtXLcDJEaGwilw3dKQLeaIv/UXOS1h5Nx9J5f0= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=objecting.org; spf=pass smtp.mailfrom=objecting.org; dkim=pass (1024-bit key) header.d=objecting.org header.i=objecting@objecting.org header.b=dqGURLs5; arc=pass smtp.client-ip=136.143.169.57 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=objecting.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=objecting.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=objecting.org header.i=objecting@objecting.org header.b="dqGURLs5" ARC-Seal: i=1; a=rsa-sha256; t=1774899285; cv=none; d=zohomail.eu; s=zohoarc; b=WfWWPtfsUihi0WRiM7eOxsZPFWJtOtxbSxDAn3oLPg+dKzMkmV9RO6GeL1mu8FOiwB+lF3hVP2ucfjY4vx4l4vUIenj0MJ78GbSDs4aTUqoSlhSX2qb21Eij4el/x9XP0loxIi2FTrq42EFW3zORWqX9SUfZ8kHH3wZ1rA7r9w8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.eu; s=zohoarc; t=1774899285; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:Subject:To:To:Message-Id:Reply-To; bh=Rwl7GglhzJT2BAuJqF7KW6FMwMdHiz/ULto5LIlyZGk=; b=BSDMS8nEx78wcfzKVoXK8c2qwKCv4fin4gnnS4WizgS2elUMzgMM2MV0P56hMUIK1LuJxaWGQVRYDhr0qOejuZqgTfwD80BsrKXv6rTvNqw7cxe7Sn/q3Bt9KJIXNRC+e81lYku6KOAO0Mwi1itTFlx6LJ9Ei1HarFLKkEZD/EE= ARC-Authentication-Results: i=1; mx.zohomail.eu; dkim=pass header.i=objecting.org; spf=pass smtp.mailfrom=objecting@objecting.org; dmarc=pass header.from= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1774899285; s=zmail; d=objecting.org; i=objecting@objecting.org; h=From:From:To:To:Cc:Cc:Subject:Subject:Date:Date:Message-Id:Message-Id:In-Reply-To:References:MIME-Version:Content-Transfer-Encoding:Reply-To; bh=Rwl7GglhzJT2BAuJqF7KW6FMwMdHiz/ULto5LIlyZGk=; b=dqGURLs56rgY6ErgRPZodiblVcQn2wEz/ag77AjbphR+QCiI5ECQBOJyAA2UlhIp Y11tszkHcgViTMycQh/ihp8QbHI+KUplkIJA221C0jybQm1HN5rXwNbuSQSmOlrt2xD nj6JfkGFhojXnO2ccU5fhbEeCZyRGv8n0oGduBTw= Received: by mx.zoho.eu with SMTPS id 1774899283275764.3551340916073; Mon, 30 Mar 2026 21:34:43 +0200 (CEST) From: Josh Law To: akpm@linux-foundation.org, pmladek@suse.com, rostedt@goodmis.org Cc: andriy.shevchenko@linux.intel.com, linux@rasmusvillemoes.dk, senozhatsky@chromium.org, linux-kernel@vger.kernel.org, Josh Law Subject: [PATCH v2 1/2] lib/vsprintf: always advance args in bstr_printf() pointer path Date: Mon, 30 Mar 2026 19:34:39 +0000 Message-Id: <20260330193440.74268-2-objecting@objecting.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260330193440.74268-1-objecting@objecting.org> References: <20260330193440.74268-1-objecting@objecting.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ZohoMailClient: External Content-Type: text/plain; charset="utf-8" When the output buffer is full (str >=3D end), bstr_printf() skips advancing the args pointer past the pre-rendered pointer string in bin_buf. This causes all subsequent format specifiers to read from the wrong position, corrupting the rest of the output. Always compute the string length and advance args regardless of whether there is space to copy into the output buffer. Signed-off-by: Josh Law --- lib/vsprintf.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/vsprintf.c b/lib/vsprintf.c index 800b8ac49f53..7898fb998b21 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c @@ -3389,14 +3389,15 @@ int bstr_printf(char *buf, size_t size, const char = *fmt_str, const u32 *bin_buf) break; } /* Pointer dereference was already processed */ + len =3D strlen(args); if (str < end) { - len =3D copy =3D strlen(args); + copy =3D len; if (copy > end - str) copy =3D end - str; memcpy(str, args, copy); - str +=3D len; - args +=3D len + 1; } + str +=3D len; + args +=3D len + 1; } if (process) str =3D pointer(fmt.str, str, end, get_arg(void *), spec); --=20 2.34.1 From nobody Wed Apr 1 09:43:19 2026 Received: from sender-of-o57.zoho.eu (sender-of-o57.zoho.eu [136.143.169.57]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 00FA239B4A3 for ; Mon, 30 Mar 2026 19:35:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=pass smtp.client-ip=136.143.169.57 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774899312; cv=pass; b=ZQe2/m2oTQshvioI43viEvTGoV8wM0TuCoKK1PIf9jX0ErBc2FWjvIOk+RhT7ErPNgEZ2a1PzZvmTdy67kNiqetOeG3vkBbI7pvRSQBQG8IcjSFX0wM9vX3d3714j4kQTNKIEVnU2oS2HnTlVFAxnwOHt/5bTfAOzDC6OuY0/Yc= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774899312; c=relaxed/simple; bh=aI5vUHdL1ENw5XGw7p+kdyPRUOLQ2Fc/T29p8Qh20AM=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=fNs/MVmPoWzGNwrtKD77NwpzzyTgsPC5Z2NtLIujtCdRqV7GNzkXVzlntARNWL4LTVoyKPc1fFKVTTyVZ7QcBwUfndOCnibk6gtUDfucI17Y+G1A1nF/fd8t8Szj2gvJQ6UaAEb3fsFFdahM3LiYUwdxulMjdADcEQ8ZCrj2yhs= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=objecting.org; spf=pass smtp.mailfrom=objecting.org; dkim=pass (1024-bit key) header.d=objecting.org header.i=objecting@objecting.org header.b=cV+GQKgn; arc=pass smtp.client-ip=136.143.169.57 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=objecting.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=objecting.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=objecting.org header.i=objecting@objecting.org header.b="cV+GQKgn" ARC-Seal: i=1; a=rsa-sha256; t=1774899286; cv=none; d=zohomail.eu; s=zohoarc; b=Dj1S2rljQWskILdzHOkEiKY+ap67fC9cZ7W8n+F9rfLMQhay4ES9z3eGX02dk+TETPr2vW+TXj+hh5uLOdZyLupSqYj4pnGHQPDeV+4eBiruF2bODcZGZ1TlLPXyNv+P5lXi8xsLgeptYT/qDrhX8RZZGZWOp0NlhCXpmi6cZ7M= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.eu; s=zohoarc; t=1774899286; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:Subject:To:To:Message-Id:Reply-To; bh=2nKHFUd7VPSneLqWO05aDHWS2vFzryefe4AdhPLHVYY=; b=Ha8XAmQHyBlaHIWt2fPVbR6ygynw5ObYNgpTXCwDxab1aBM02KvNxQ1ZSM3n5bnJJEEw8BJ0K3dsJDfnU96y/JkuJQC/1lfLis/R2wUYS3khZDolmlpJYv+AzoPyNKnJ9wQvp24PiqUeT3ejK2sE+qPUJ29jBb3Quqjvef8X8zg= ARC-Authentication-Results: i=1; mx.zohomail.eu; dkim=pass header.i=objecting.org; spf=pass smtp.mailfrom=objecting@objecting.org; dmarc=pass header.from= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1774899286; s=zmail; d=objecting.org; i=objecting@objecting.org; h=From:From:To:To:Cc:Cc:Subject:Subject:Date:Date:Message-Id:Message-Id:In-Reply-To:References:MIME-Version:Content-Transfer-Encoding:Reply-To; bh=2nKHFUd7VPSneLqWO05aDHWS2vFzryefe4AdhPLHVYY=; b=cV+GQKgnA90r7zOP0exiGIl/ybL6Raws5mHZsJnahGnOqR5rZ0k/m4qHXoOb77hz fGyFkQVf1yVPQebnUxJ7Kl40HsCHKCBtjIaw7uAoWYTdPtmXxC1WV3WMVyXmS1rCAiC tcLLaQ/IhltQU4U2IRyZglLEHoZXpTqh56rIzMGY= Received: by mx.zoho.eu with SMTPS id 1774899284409743.8206785587967; Mon, 30 Mar 2026 21:34:44 +0200 (CEST) From: Josh Law To: akpm@linux-foundation.org, pmladek@suse.com, rostedt@goodmis.org Cc: andriy.shevchenko@linux.intel.com, linux@rasmusvillemoes.dk, senozhatsky@chromium.org, linux-kernel@vger.kernel.org, Josh Law Subject: [PATCH v2 2/2] lib/vsprintf: fix OOB write in vbin_printf() when size is zero Date: Mon, 30 Mar 2026 19:34:40 +0000 Message-Id: <20260330193440.74268-3-objecting@objecting.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260330193440.74268-1-objecting@objecting.org> References: <20260330193440.74268-1-objecting@objecting.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ZohoMailClient: External Content-Type: text/plain; charset="utf-8" When vbin_printf() is called with size=3D=3D0, end equals bin_buf and the else branch writes end[-1], which is one byte before the buffer. Guard the write so it only happens when the buffer is non-empty. Signed-off-by: Josh Law --- lib/vsprintf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/vsprintf.c b/lib/vsprintf.c index 7898fb998b21..b879babaf8c2 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c @@ -3234,7 +3234,7 @@ int vbin_printf(u32 *bin_buf, size_t size, const char= *fmt_str, va_list args) spec); if (str + 1 < end) *str++ =3D '\0'; - else + else if (size) /* do nothing if size is zero */ end[-1] =3D '\0'; /* Must be nul terminated */ } /* skip all alphanumeric pointer suffixes */ --=20 2.34.1