]> git.ipfire.org Git - thirdparty/linux.git/commitdiff
projects / thirdparty / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 71876df)
lib/vsprintf: Limit the returning size to INT_MAX
authorMasami Hiramatsu (Google) <mhiramat@kernel.org>
Thu, 26 Mar 2026 12:12:10 +0000 (21:12 +0900)
committerPetr Mladek <pmladek@suse.com>
Tue, 5 May 2026 08:19:15 +0000 (10:19 +0200)
The return value of vsnprintf() and bstr_printf() can overflow INT_MAX
and return a minus value. In the @size is checked input overflow, but
it does not check the output, which is expected required size.

This should never happen but it should be checked and limited.

Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Link: https://patch.msgid.link/177452713020.197965.3164174544083829000.stgit@devnote2
Signed-off-by: Petr Mladek <pmladek@suse.com>
lib/vsprintf.c patch | blob | blame | history

diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 3c76cc5c7f9ceb8423dcdb5c52997e12dfe1bb13..6b1213d070b4c6cd7f9fe839bb71227a1961b3f5 100644 (file)
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -2856,6 +2856,7 @@ static unsigned long long convert_num_spec(unsigned int val, int size, struct pr
 int vsnprintf(char *buf, size_t size, const char *fmt_str, va_list args)
 {
        char *str, *end;
+       size_t ret_size;
        struct printf_spec spec = {0};
        struct fmt fmt = {
                .str = fmt_str,
@@ -2975,8 +2976,12 @@ out:
        }
 
        /* the trailing null byte doesn't count towards the total */
-       return str-buf;
+       ret_size = str - buf;
 
+       /* Make sure the return value is within the positive integer range */
+       if (WARN_ON_ONCE(ret_size > INT_MAX))
+               ret_size = INT_MAX;
+       return ret_size;
 }
 EXPORT_SYMBOL(vsnprintf);
 
@@ -3280,6 +3285,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt_str, const u32 *bin_buf)
        struct printf_spec spec = {0};
        char *str, *end;
        const char *args = (const char *)bin_buf;
+       size_t ret_size;
 
        if (WARN_ON_ONCE(size > INT_MAX))
                return 0;
@@ -3428,7 +3434,12 @@ out:
 #undef get_arg
 
        /* the trailing null byte doesn't count towards the total */
-       return str - buf;
+       ret_size =  str - buf;
+
+       /* Make sure the return value is within the positive integer range */
+       if (WARN_ON_ONCE(ret_size > INT_MAX))
+               ret_size = INT_MAX;
+       return ret_size;
 }
 EXPORT_SYMBOL_GPL(bstr_printf);
 
A mirror of Linus' kernel repository