From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
To: Petr Mladek <pmladek@suse.com>,
	Steven Rostedt <rostedt@goodmis.org>,
	Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>,
	Sergey Senozhatsky <senozhatsky@chromium.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	David Laight <david.laight.linux@gmail.com>,
	linux-kernel@vger.kernel.org
Subject: [PATCH v6 2/2] lib/vsprintf: Limit the returning size to INT_MAX
Date: Thu, 26 Mar 2026 21:12:10 +0900	[thread overview]
Message-ID: <177452713020.197965.3164174544083829000.stgit@devnote2> (raw)
In-Reply-To: <177452711082.197965.4952719534268072174.stgit@devnote2>

From: Masami Hiramatsu (Google) <mhiramat@kernel.org>

The return value of vsnprintf() and bstr_printf() can overflow INT_MAX
and return a minus value. In the @size is checked input overflow, but
it does not check the output, which is expected required size.

This should never happen but it should be checked and limited.

Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
---
 Changes in v5:
  - Fix bstr_printf() too.
 Changes in v4:
  - Add Petr's reviewed-by. (Thanks!)
 Changes in v3:
  - Use local variable for better readability.
---
 lib/vsprintf.c |   15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 10a1b21c8920..d0aa6b34f0e4 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -2856,6 +2856,7 @@ static unsigned long long convert_num_spec(unsigned int val, int size, struct pr
 int vsnprintf(char *buf, size_t size, const char *fmt_str, va_list args)
 {
 	char *str, *end;
+	size_t ret_size;
 	struct printf_spec spec = {0};
 	struct fmt fmt = {
 		.str = fmt_str,
@@ -2975,8 +2976,12 @@ int vsnprintf(char *buf, size_t size, const char *fmt_str, va_list args)
 	}
 
 	/* the trailing null byte doesn't count towards the total */
-	return str-buf;
+	ret_size = str - buf;
 
+	/* Make sure the return value is within the positive integer range */
+	if (WARN_ON_ONCE(ret_size > INT_MAX))
+		ret_size = INT_MAX;
+	return ret_size;
 }
 EXPORT_SYMBOL(vsnprintf);
 
@@ -3280,6 +3285,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt_str, const u32 *bin_buf)
 	struct printf_spec spec = {0};
 	char *str, *end;
 	const char *args = (const char *)bin_buf;
+	size_t ret_size;
 
 	if (WARN_ON_ONCE(size > INT_MAX))
 		return 0;
@@ -3428,7 +3434,12 @@ int bstr_printf(char *buf, size_t size, const char *fmt_str, const u32 *bin_buf)
 #undef get_arg
 
 	/* the trailing null byte doesn't count towards the total */
-	return str - buf;
+	ret_size =  str - buf;
+
+	/* Make sure the return value is within the positive integer range */
+	if (WARN_ON_ONCE(ret_size > INT_MAX))
+		ret_size = INT_MAX;
+	return ret_size;
 }
 EXPORT_SYMBOL_GPL(bstr_printf);
 

next prev parent reply	other threads:[~2026-03-26 12:12 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-26 12:11 [PATCH v6 0/2] lib/vsprintf: Fixes size check Masami Hiramatsu (Google)
2026-03-26 12:12 ` [PATCH v6 1/2] lib/vsprintf: Fix to check field_width and precision Masami Hiramatsu (Google)
2026-03-26 12:12 ` Masami Hiramatsu (Google) [this message]
2026-05-04 15:08 ` [PATCH v6 0/2] lib/vsprintf: Fixes size check Petr Mladek
2026-05-05  8:37 ` Petr Mladek
2026-05-07  7:37   ` Masami Hiramatsu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=177452713020.197965.3164174544083829000.stgit@devnote2 \
    --to=mhiramat@kernel.org \
    --cc=akpm@linux-foundation.org \
    --cc=andriy.shevchenko@linux.intel.com \
    --cc=david.laight.linux@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux@rasmusvillemoes.dk \
    --cc=pmladek@suse.com \
    --cc=rostedt@goodmis.org \
    --cc=senozhatsky@chromium.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.