[PATCH v3] lib/bootconfig: guard xbc_node_compose_key

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH v3] lib/bootconfig: guard xbc_node_compose_key_after() buffer size
@ 2026-03-17 18:15 Josh Law
  2026-03-17 20:37 ` Steven Rostedt
  0 siblings, 1 reply; 3+ messages in thread
From: Josh Law @ 2026-03-17 18:15 UTC (permalink / raw)
  To: Masami Hiramatsu, Andrew Morton
  Cc: Steven Rostedt, linux-kernel, linux-trace-kernel

xbc_node_compose_key_after() passes a size_t buffer length to
snprintf(), but snprintf() returns int. Guard against size values above
INT_MAX before the loop so the existing truncation check can continue to
compare ret against (int)size safely.

Add a small WARN_ON_ONCE shim for the tools/bootconfig userspace build
so the same source continues to build there.

Changes since v2:
 - Added a comment explaining the INT_MAX guard.

Changes since v1:
 - Removed casting ret to size_t; with the INT_MAX guard, the existing
   ret >= (int)size check is sufficient, per Steven Rostedt.
 - Link to v1:
   https://lore.kernel.org/all/20260317173703.46092-1-objecting@objecting.org/

Signed-off-by: Josh Law <objecting@objecting.org>
---
 lib/bootconfig.c                            | 8 ++++++++
 tools/bootconfig/include/linux/bootconfig.h | 5 +++++
 2 files changed, 13 insertions(+)

diff --git a/lib/bootconfig.c b/lib/bootconfig.c
index 96cbe6738ffe..2a54b51dec5c 100644
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -313,6 +313,14 @@ int __init xbc_node_compose_key_after(struct xbc_node *root,
 	if (!node && root)
 		return -EINVAL;
 
+	/*
+	 * Bootconfig strings never need multi-GB buffers. Reject sizes
+	 * above INT_MAX so snprintf()'s int return value cannot overflow
+	 * the truncation check below.
+	 */
+	if (WARN_ON_ONCE(size > INT_MAX))
+		return -EINVAL;
+
 	while (--depth >= 0) {
 		node = xbc_nodes + keys[depth];
 		ret = snprintf(buf, size, "%s%s", xbc_node_get_data(node),
diff --git a/tools/bootconfig/include/linux/bootconfig.h b/tools/bootconfig/include/linux/bootconfig.h
index 6784296a0692..48383c10e036 100644
--- a/tools/bootconfig/include/linux/bootconfig.h
+++ b/tools/bootconfig/include/linux/bootconfig.h
@@ -8,6 +8,7 @@
 #include <stdbool.h>
 #include <ctype.h>
 #include <errno.h>
+#include <limits.h>
 #include <string.h>
 
 
@@ -19,6 +20,10 @@
 	((cond) ? printf("Internal warning(%s:%d, %s): %s\n",	\
 			__FILE__, __LINE__, __func__, #cond) : 0)
 
+#ifndef WARN_ON_ONCE
+#define WARN_ON_ONCE(cond)	WARN_ON(cond)
+#endif
+
 #define unlikely(cond)	(cond)
 
 /* Copied from lib/string.c */
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH v3] lib/bootconfig: guard xbc_node_compose_key_after() buffer size
  2026-03-17 18:15 [PATCH v3] lib/bootconfig: guard xbc_node_compose_key_after() buffer size Josh Law
@ 2026-03-17 20:37 ` Steven Rostedt
  2026-03-17 20:43   ` Josh Law
  0 siblings, 1 reply; 3+ messages in thread
From: Steven Rostedt @ 2026-03-17 20:37 UTC (permalink / raw)
  To: Josh Law
  Cc: Masami Hiramatsu, Andrew Morton, linux-kernel, linux-trace-kernel

On Tue, 17 Mar 2026 18:15:56 +0000
Josh Law <objecting@objecting.org> wrote:

> xbc_node_compose_key_after() passes a size_t buffer length to
> snprintf(), but snprintf() returns int. Guard against size values above
> INT_MAX before the loop so the existing truncation check can continue to
> compare ret against (int)size safely.
> 
> Add a small WARN_ON_ONCE shim for the tools/bootconfig userspace build
> so the same source continues to build there.
> 
> Changes since v2:
>  - Added a comment explaining the INT_MAX guard.
> 
> Changes since v1:
>  - Removed casting ret to size_t; with the INT_MAX guard, the existing
>    ret >= (int)size check is sufficient, per Steven Rostedt.
>  - Link to v1:
>    https://lore.kernel.org/all/20260317173703.46092-1-objecting@objecting.org/

The changes need to be below the '---' so that they don't get pulled into
the git commit.

> 
> Signed-off-by: Josh Law <objecting@objecting.org>
> ---

  <here>

>  lib/bootconfig.c                            | 8 ++++++++
>  tools/bootconfig/include/linux/bootconfig.h | 5 +++++
>  2 files changed, 13 insertions(+)
> 
> diff --git a/lib/bootconfig.c b/lib/bootconfig.c
> index 96cbe6738ffe..2a54b51dec5c 100644
> --- a/lib/bootconfig.c
> +++ b/lib/bootconfig.c
> @@ -313,6 +313,14 @@ int __init xbc_node_compose_key_after(struct xbc_node *root,
>  	if (!node && root)
>  		return -EINVAL;
>  
> +	/*
> +	 * Bootconfig strings never need multi-GB buffers. Reject sizes
> +	 * above INT_MAX so snprintf()'s int return value cannot overflow
> +	 * the truncation check below.
> +	 */
> +	if (WARN_ON_ONCE(size > INT_MAX))
> +		return -EINVAL;
> +
>  	while (--depth >= 0) {
>  		node = xbc_nodes + keys[depth];
>  		ret = snprintf(buf, size, "%s%s", xbc_node_get_data(node),
> diff --git a/tools/bootconfig/include/linux/bootconfig.h b/tools/bootconfig/include/linux/bootconfig.h
> index 6784296a0692..48383c10e036 100644
> --- a/tools/bootconfig/include/linux/bootconfig.h
> +++ b/tools/bootconfig/include/linux/bootconfig.h
> @@ -8,6 +8,7 @@
>  #include <stdbool.h>
>  #include <ctype.h>
>  #include <errno.h>
> +#include <limits.h>
>  #include <string.h>
>  
>  
> @@ -19,6 +20,10 @@
>  	((cond) ? printf("Internal warning(%s:%d, %s): %s\n",	\
>  			__FILE__, __LINE__, __func__, #cond) : 0)
>  
> +#ifndef WARN_ON_ONCE
> +#define WARN_ON_ONCE(cond)	WARN_ON(cond)
> +#endif
> +
>  #define unlikely(cond)	(cond)
>  
>  /* Copied from lib/string.c */

Other than that.

Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>

-- Steve

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH v3] lib/bootconfig: guard xbc_node_compose_key_after() buffer size
  2026-03-17 20:37 ` Steven Rostedt
@ 2026-03-17 20:43   ` Josh Law
  0 siblings, 0 replies; 3+ messages in thread
From: Josh Law @ 2026-03-17 20:43 UTC (permalink / raw)
  To: Steven Rostedt
  Cc: Masami Hiramatsu, Andrew Morton, linux-kernel, linux-trace-kernel



On 17 March 2026 20:37:38 GMT, Steven Rostedt <rostedt@goodmis.org> wrote:
>On Tue, 17 Mar 2026 18:15:56 +0000
>Josh Law <objecting@objecting.org> wrote:
>
>> xbc_node_compose_key_after() passes a size_t buffer length to
>> snprintf(), but snprintf() returns int. Guard against size values above
>> INT_MAX before the loop so the existing truncation check can continue to
>> compare ret against (int)size safely.
>> 
>> Add a small WARN_ON_ONCE shim for the tools/bootconfig userspace build
>> so the same source continues to build there.
>> 
>> Changes since v2:
>>  - Added a comment explaining the INT_MAX guard.
>> 
>> Changes since v1:
>>  - Removed casting ret to size_t; with the INT_MAX guard, the existing
>>    ret >= (int)size check is sufficient, per Steven Rostedt.
>>  - Link to v1:
>>    https://lore.kernel.org/all/20260317173703.46092-1-objecting@objecting.org/
>
>The changes need to be below the '---' so that they don't get pulled into
>the git commit.
>
>> 
>> Signed-off-by: Josh Law <objecting@objecting.org>
>> ---
>
>  <here>
>
>>  lib/bootconfig.c                            | 8 ++++++++
>>  tools/bootconfig/include/linux/bootconfig.h | 5 +++++
>>  2 files changed, 13 insertions(+)
>> 
>> diff --git a/lib/bootconfig.c b/lib/bootconfig.c
>> index 96cbe6738ffe..2a54b51dec5c 100644
>> --- a/lib/bootconfig.c
>> +++ b/lib/bootconfig.c
>> @@ -313,6 +313,14 @@ int __init xbc_node_compose_key_after(struct xbc_node *root,
>>  	if (!node && root)
>>  		return -EINVAL;
>>  
>> +	/*
>> +	 * Bootconfig strings never need multi-GB buffers. Reject sizes
>> +	 * above INT_MAX so snprintf()'s int return value cannot overflow
>> +	 * the truncation check below.
>> +	 */
>> +	if (WARN_ON_ONCE(size > INT_MAX))
>> +		return -EINVAL;
>> +
>>  	while (--depth >= 0) {
>>  		node = xbc_nodes + keys[depth];
>>  		ret = snprintf(buf, size, "%s%s", xbc_node_get_data(node),
>> diff --git a/tools/bootconfig/include/linux/bootconfig.h b/tools/bootconfig/include/linux/bootconfig.h
>> index 6784296a0692..48383c10e036 100644
>> --- a/tools/bootconfig/include/linux/bootconfig.h
>> +++ b/tools/bootconfig/include/linux/bootconfig.h
>> @@ -8,6 +8,7 @@
>>  #include <stdbool.h>
>>  #include <ctype.h>
>>  #include <errno.h>
>> +#include <limits.h>
>>  #include <string.h>
>>  
>>  
>> @@ -19,6 +20,10 @@
>>  	((cond) ? printf("Internal warning(%s:%d, %s): %s\n",	\
>>  			__FILE__, __LINE__, __func__, #cond) : 0)
>>  
>> +#ifndef WARN_ON_ONCE
>> +#define WARN_ON_ONCE(cond)	WARN_ON(cond)
>> +#endif
>> +
>>  #define unlikely(cond)	(cond)
>>  
>>  /* Copied from lib/string.c */
>
>Other than that.
>
>Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
>
>-- Steve


I'll be convenient,  I'll make a V4 just fixing that, You can just recommend the reviewed by tag, thanks a lot


V/R


Josh Law

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-03-17 20:44 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-17 18:15 [PATCH v3] lib/bootconfig: guard xbc_node_compose_key_after() buffer size Josh Law
2026-03-17 20:37 ` Steven Rostedt
2026-03-17 20:43   ` Josh Law

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox