From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailtransmit04.runbox.com (mailtransmit04.runbox.com [185.226.149.37])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 90AD3399006
	for <linux-kernel@vger.kernel.org>; Mon,  2 Mar 2026 10:18:55 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.226.149.37
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1772446746; cv=none; b=I/AJSuWh9fTsi/pHZE9RP7liUaafUJcurDFkVRlz8wAheDLhnRv5Y/wMQ/etfXeZsZRg5fz3DHHMKUV2JjWrDstPsRU5dWZxhWOHoqXiiOdqtmPsWKtvJOcSDpHZBiM/nKJxZe7FRjJIDv+PBm5wRffKuhNB69DQNpWIKB0pNzM=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1772446746; c=relaxed/simple;
	bh=yHpYWV1+rraIHu3lmbs4y5KQwoC7AkTkEii1/8vTzfs=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version; b=ZP5rQAYRqbVl6BI0Actj2YGCXArrK+kFHgio2MyhYkAUj/8/cwOjxM7noDmNLxCjzW0IdPVLSF7AqTLY7stq+gW3tOPuX3SnBQbuIlgS0r45LjiZcQJcCPYS8nzPQRPnO+nMwZkqISZPmLossJJg1Mqt/VzH6sNCRcMV6/QfH3o=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=runbox.com; dkim=pass (2048-bit key) header.d=runbox.com header.i=@runbox.com header.b=kIiHHCOP; arc=none smtp.client-ip=185.226.149.37
Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=runbox.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=runbox.com header.i=@runbox.com header.b="kIiHHCOP"
Received: from mailtransmit03.runbox ([10.9.9.163] helo=aibo.runbox.com)
	by mailtransmit04.runbox.com with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.93)
	(envelope-from <david.laight.linux_spam@runbox.com>)
	id 1vx0MX-00384q-5n; Mon, 02 Mar 2026 11:18:53 +0100
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=runbox.com;
	 s=selector2; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To
	:Message-Id:Date:Subject:Cc:To:From;
	bh=cdMNrkGLFoBG9RhI7QFWdlWy3pp01bXEMox52yDwV5M=; b=kIiHHCOPsheqrz86vqjc6zuXav
	E5MLPVeJlRWTpq3KlkEeU/4riZJdLbJn1GEVZmACrSRfNZu5joaMPK9v/wPLbTEoqUIRQLNpoURwI
	Vhj3c6qSmhtSqbRsh0wNWP+OLNFMI4MNoCxaL/S72VHCGDK7PVxEYxGEvW0oVs9/LXt3CeboqKPo+
	gwyJs60C5OAV5BALcPnvLWP+mYh85wmBsrV4CuTm3hEMJnAeNbz0MNu6HC4DvlccK7IEJU44vkxYn
	4EFHhgYkAgyjjePYtIwB0W+d/vECMalE6DD7uyVkqW4vz4Evx7pn5n67eW3n8FBWQ8Minc4H4DG5r
	NF98DBUA==;
Received: from [10.9.9.72] (helo=submission01.runbox)
	by mailtransmit03.runbox with esmtp (Exim 4.86_2)
	(envelope-from <david.laight.linux_spam@runbox.com>)
	id 1vx0MW-0002yp-SI; Mon, 02 Mar 2026 11:18:53 +0100
Received: by submission01.runbox with esmtpsa  [Authenticated ID (1493616)]  (TLS1.2:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
	(Exim 4.93)
	id 1vx0M9-006y7o-Uw; Mon, 02 Mar 2026 11:18:30 +0100
From: david.laight.linux@gmail.com
To: Willy Tarreau <w@1wt.eu>,
	=?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <linux@weissschuh.net>,
	linux-kernel@vger.kernel.org,
	Cheng Li <lechain@gmail.com>
Cc: David Laight <david.laight.linux@gmail.com>
Subject: [PATCH v4 next 06/23] selftests/nolibc: Check that snprintf() doesn't write beyond the buffer end
Date: Mon,  2 Mar 2026 10:17:58 +0000
Message-Id: <20260302101815.3043-7-david.laight.linux@gmail.com>
X-Mailer: git-send-email 2.39.5
In-Reply-To: <20260302101815.3043-1-david.laight.linux@gmail.com>
References: <20260302101815.3043-1-david.laight.linux@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

From: David Laight <david.laight.linux@gmail.com>

Fill buf[] with known data and check the vsnprintf() doesn't write
beyond the specified buffer length.

Would have picked up the bug in field padding.

Signed-off-by: David Laight <david.laight.linux@gmail.com>
---

v4: split out from patch 3

 tools/testing/selftests/nolibc/nolibc-test.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/tools/testing/selftests/nolibc/nolibc-test.c b/tools/testing/selftests/nolibc/nolibc-test.c
index dc60ac0d1a05..420f2d25e8cf 100644
--- a/tools/testing/selftests/nolibc/nolibc-test.c
+++ b/tools/testing/selftests/nolibc/nolibc-test.c
@@ -1671,6 +1671,10 @@ static int expect_vfprintf(int llen, const char *expected, const char *fmt, ...)
 	va_list args;
 	ssize_t w, expected_len;
 
+	/* Fill and terminate buf[] to check for overlong/absent writes */
+	memset(buf, 0xa5, sizeof(buf) - 1);
+	buf[sizeof(buf) - 1] = 0;
+
 	va_start(args, fmt);
 	/* Limit buffer length to test truncation */
 	w = vsnprintf(buf, VFPRINTF_LEN + 1, fmt, args);
@@ -1702,6 +1706,15 @@ static int expect_vfprintf(int llen, const char *expected, const char *fmt, ...)
 		return 1;
 	}
 
+	/* Check for any overwrites after the actual data. */
+	while (++cmp_len < sizeof(buf) - 1) {
+		if ((unsigned char)buf[cmp_len] != 0xa5) {
+			llen += printf(" overwrote buf[%d] with 0x%x", cmp_len, buf[cmp_len]);
+			result(llen, FAIL);
+			return 1;
+		}
+	}
+
 	result(llen, OK);
 	return 0;
 }
-- 
2.39.5