Date: Wed, 25 Mar 2026 22:41:58 +0900
From: Masami Hiramatsu (Google)
To: "Masami Hiramatsu (Google)"
Cc: Petr Mladek, Steven Rostedt, Andy Shevchenko, Rasmus Villemoes, Sergey Senozhatsky, Andrew Morton, David Laight, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v5 0/2] lib/vsprintf: Fixes size check
Message-Id: <20260325224158.d5366b99fd0a1eb54ce5e19b@kernel.org>
In-Reply-To: <177444525139.185641.12184379647176430297.stgit@devnote2>
References: <177444525139.185641.12184379647176430297.stgit@devnote2>

On Wed, 25 Mar 2026 22:27:31 +0900
"Masami Hiramatsu (Google)" wrote:

> Hi,
>
> Here is the 5th version of patches to fix vsnprintf().
>
>  - Fix to limit the size of width and precision.
>  - Warn if the return size is over INT_MAX.
>
> Previous version is here;
>
> https://lore.kernel.org/all/177440550682.147866.1854734911195480940.stgit@devnote2/
>
> In this version, negative precision is treated as zero to match the
> previous behavior and check the field/precision passed as string
> literals too[1/2]. Also, update bstr_printf() not to return negative
> value[2/2].
>

BTW, skip_atoi() is used for converting precision and width, but this
does not check for overflow. This is expected to be checked by the
compiler (-Wformat-overflow) but it checks the width <= INT_MAX, but
precision <= LONG_MAX (why?) and clang does not check precision.

To avoid this issue, the fix below is needed, but I'm not sure this is a
meaningful check, because with the [1/2] change, the return value is limited
anyway, and it's easy to check during the review process if an obviously
abnormal precision value is passed in the format string.

Thanks,

diff --git a/lib/vsprintf.c b/lib/vsprintf.c index 69dec9b18428..8846d3a960dc 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c 
@@ -187,10 +187,20 @@ static inline int skip_atoi(const char **s) int i = 0; do { - i = i*10 + *((*s)++) - '0'; + int next = *((*s)++) - '0'; + if (unlikely(i > INT_MAX / 10U || + (i == INT_MAX / 10U && next > INT_MAX % 10U))) { + goto overflow; + } + i = i*10 + next; } while (isdigit(**s)); return i; + +overflow: + while (isdigit(**s)) + (*s)++; + return INT_MAX; } /* -- Masami Hiramatsu (Google)
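
Review bot: In the overflow test inside the do-loop, `INT_MAX / 10U` and `INT_MAX % 10U` turn both comparisons into unsigned ones, so `i` and `next` are implicitly converted before being compared. That gives the intended result only while `next` is in 0..9, and the first iteration consumes a character before any isdigit() test in this function, so that range depends on what the caller passes in. Plain `INT_MAX / 10` and `INT_MAX % 10` keep the arithmetic in int and make the intent easier to read. The braces around the single `goto overflow;` statement can be dropped. The function now has a new contract (the result saturates at INT_MAX and the remaining digits are still consumed so that `*s` ends up past the number), and a short comment above skip_atoi() or at the `overflow:` label saying so would help callers that compare the result against their own limits.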