Re: [PATCH v5 0/2] lib/vsprintf: Fixes size check

[Masami Hiramatsu (Google) <mhiramat@kernel.org>]

On Wed, 25 Mar 2026 22:27:31 +0900
"Masami Hiramatsu (Google)" <mhiramat@kernel.org> wrote:

> Hi,
> 
> Here is the 5th version of patches to fix vsnprintf().
> 
>  - Fix to limit the size of width and precision.
>  - Warn if the return size is over INT_MAX.
> 
> Previous version is here;
> 
> https://lore.kernel.org/all/177440550682.147866.1854734911195480940.stgit@devnote2/
> 
> In this version, negative precision is treated as zero to match the
> previous behavior and check the field/precision passed as string
> literals too[1/2]. Also, update bstr_printf() not to return negative
> value[2/2].
> 

BTW, skip_atoi() is used for converting precision and width,
but this does not check the overflow. This is expected to be
checked by compiler (-Wformat-overflow) but it checks the
width <= INT_MAX, but precision <= LONG_MAX (why?) and clang
does not check precision.

To avoid this issue, below fix is needed, but I'm not sure
this is meaningful check, because with [1/2] change, the
return value is limited anyway, and it's easy to check
during the review process if an obviously abnormal
precision value is passed in the format string.

Thanks,

diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 69dec9b18428..8846d3a960dc 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -187,10 +187,20 @@ static inline int skip_atoi(const char **s)
 	int i = 0;
 
 	do {
-		i = i*10 + *((*s)++) - '0';
+		int next = *((*s)++) - '0';
+		if (unlikely(i > INT_MAX / 10U ||
+			     (i == INT_MAX / 10U && next > INT_MAX % 10U))) {
+			goto overflow;
+		}
+		i = i*10 + next;
 	} while (isdigit(**s));
 
 	return i;
+
+overflow:
+	while (isdigit(**s))
+		(*s)++;
+	return INT_MAX;
 }
 
 /*



-- 
Masami Hiramatsu (Google) <mhiramat@kernel.org>