[PATCH v3 0/2] lib/vsprintf: Fixes size check

[PATCH v3 0/2] lib/vsprintf: Fixes size check

[Masami Hiramatsu (Google)]

Hi,

Here is the 3rd version of patches to fix vsnprintf().

 - Fix to limit the size of width and precision.
 - Warn if the return size is over INT_MAX.

Previous version is here;

https://lore.kernel.org/all/177397887883.33018.9867883986177366222.stgit@devnote2/

In this version, check and update witdth and precision before assigning to spec
data structure [1/2] and use a local variable to be better readability [2/2].

Recently we discussed snprintf() usage in bootconfig and found snprintf()
design has a problem[1]. It returns the required or printed size in 'int'
but the maxlen is passed by 'size_t'. The maxlen is already limited by
INT_MAX, but if the expected print size becomes bigger than INT_MAX,
it can return negative value. We also found width and precision size check
does not work.

[1] https://lore.kernel.org/all/20260317121507.30735331@gandalf.local.home/

Thank you,

---

Masami Hiramatsu (Google) (2):
      lib/vsprintf: Fix to check field_width and precision
      lib/vsprintf: Limit the returning size to INT_MAX


 lib/vsprintf.c |   21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

--
Masami Hiramatsu (Google) <mhiramat@kernel.org>

[PATCH v3 1/2] lib/vsprintf: Fix to check field_width and precision

[Masami Hiramatsu (Google)]

From: Masami Hiramatsu (Google) <mhiramat@kernel.org>

Check the field_width and presition correctly. Previously it depends
on the bitfield conversion from int to check out-of-range error.
However, commit 938df695e98d ("vsprintf: associate the format state
with the format pointer") changed those fields to int.
We need to check the out-of-range correctly without bitfield
conversion.

Fixes: 938df695e98d ("vsprintf: associate the format state with the format pointer")
Reported-by: David Laight <david.laight.linux@gmail.com>
Closes: https://lore.kernel.org/all/20260318151250.40fef0ab@pumpkin/
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
---
 Changes in v3:
  - Check and update width and precision before assigning to spec.
 Changes in v2:
  - Fix to use logical split.
---
 lib/vsprintf.c |   14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 800b8ac49f53..ce9cbe071ab2 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -2802,19 +2802,21 @@ struct fmt format_decode(struct fmt fmt, struct printf_spec *spec)
 static void
 set_field_width(struct printf_spec *spec, int width)
 {
-	spec->field_width = width;
-	if (WARN_ONCE(spec->field_width != width, "field width %d too large", width)) {
-		spec->field_width = clamp(width, -FIELD_WIDTH_MAX, FIELD_WIDTH_MAX);
+	if (WARN_ONCE(width > FIELD_WIDTH_MAX || width < -FIELD_WIDTH_MAX,
+		      "field width %d too large", width)) {
+		width = clamp(width, -FIELD_WIDTH_MAX, FIELD_WIDTH_MAX);
 	}
+	spec->field_width = width;
 }
 
 static void
 set_precision(struct printf_spec *spec, int prec)
 {
-	spec->precision = prec;
-	if (WARN_ONCE(spec->precision != prec, "precision %d too large", prec)) {
-		spec->precision = clamp(prec, 0, PRECISION_MAX);
+	if (WARN_ONCE(prec > PRECISION_MAX || prec < 0,
+		      "precision %d too large", prec)) {
+		prec = clamp(prec, 0, PRECISION_MAX);
 	}
+	spec->precision = prec;
 }
 
 /*

Re: [PATCH v3 1/2] lib/vsprintf: Fix to check field_width and precision

[Andy Shevchenko]

On Sat, Mar 21, 2026 at 11:41:12PM +0900, Masami Hiramatsu (Google) wrote:

> Check the field_width and presition correctly. Previously it depends
> on the bitfield conversion from int to check out-of-range error.
> However, commit 938df695e98d ("vsprintf: associate the format state
> with the format pointer") changed those fields to int.
> We need to check the out-of-range correctly without bitfield
> conversion.

...

>  static void
>  set_field_width(struct printf_spec *spec, int width)
>  {
> -	spec->field_width = width;
> -	if (WARN_ONCE(spec->field_width != width, "field width %d too large", width)) {
> -		spec->field_width = clamp(width, -FIELD_WIDTH_MAX, FIELD_WIDTH_MAX);
> +	if (WARN_ONCE(width > FIELD_WIDTH_MAX || width < -FIELD_WIDTH_MAX,
> +		      "field width %d too large", width)) {
> +		width = clamp(width, -FIELD_WIDTH_MAX, FIELD_WIDTH_MAX);
>  	}
> +	spec->field_width = width;
>  }
>  
>  static void
>  set_precision(struct printf_spec *spec, int prec)
>  {
> -	spec->precision = prec;
> -	if (WARN_ONCE(spec->precision != prec, "precision %d too large", prec)) {
> -		spec->precision = clamp(prec, 0, PRECISION_MAX);
> +	if (WARN_ONCE(prec > PRECISION_MAX || prec < 0,
> +		      "precision %d too large", prec)) {
> +		prec = clamp(prec, 0, PRECISION_MAX);
>  	}
> +	spec->precision = prec;
>  }

Looking at this, perhaps

#define clamp_WARN_*(...)
	...

Potential users besides these two:

arch/powerpc/platforms/pseries/papr-sysparm.c-39-
drivers/gpu/drm/drm_color_mgmt.c-142-
drivers/gpu/drm/i915/display/intel_backlight.c-48-
drivers/media/i2c/vgxy61.c-952-

-- 
With Best Regards,
Andy Shevchenko

Re: [PATCH v3 1/2] lib/vsprintf: Fix to check field_width and precision

[David Laight]

On Mon, 23 Mar 2026 15:27:31 +0200
Andy Shevchenko <andriy.shevchenko@linux.intel.com> wrote:

> On Sat, Mar 21, 2026 at 11:41:12PM +0900, Masami Hiramatsu (Google) wrote:
> 
> > Check the field_width and presition correctly. Previously it depends
> > on the bitfield conversion from int to check out-of-range error.
> > However, commit 938df695e98d ("vsprintf: associate the format state
> > with the format pointer") changed those fields to int.
> > We need to check the out-of-range correctly without bitfield
> > conversion.  
> 
> ...
> 
> >  static void
> >  set_field_width(struct printf_spec *spec, int width)
> >  {
> > -	spec->field_width = width;
> > -	if (WARN_ONCE(spec->field_width != width, "field width %d too large", width)) {
> > -		spec->field_width = clamp(width, -FIELD_WIDTH_MAX, FIELD_WIDTH_MAX);
> > +	if (WARN_ONCE(width > FIELD_WIDTH_MAX || width < -FIELD_WIDTH_MAX,
> > +		      "field width %d too large", width)) {
> > +		width = clamp(width, -FIELD_WIDTH_MAX, FIELD_WIDTH_MAX);
> >  	}
> > +	spec->field_width = width;
> >  }
> >  
> >  static void
> >  set_precision(struct printf_spec *spec, int prec)
> >  {
> > -	spec->precision = prec;
> > -	if (WARN_ONCE(spec->precision != prec, "precision %d too large", prec)) {
> > -		spec->precision = clamp(prec, 0, PRECISION_MAX);
> > +	if (WARN_ONCE(prec > PRECISION_MAX || prec < 0,
> > +		      "precision %d too large", prec)) {
> > +		prec = clamp(prec, 0, PRECISION_MAX);
> >  	}
> > +	spec->precision = prec;
> >  }  
> 
> Looking at this, perhaps
> 
> #define clamp_WARN_*(...)
> 	...

When I looked at this I did wonder whether the compiler would manage to
only do the comparisons once.
Even if it doesn't the separate WARN is more readable.

Or maybe:
	spec->field_width = clamp(width, -FIELD_WIDTH_MAX, FIELD_WIDTH_MAX);
	WARN_ON(spec->field_width != width, "field width %d too large", width);

I'd be more worried about the bloat and system panic for all the systems
with panic_on_warn set (the default for many distos).
(And, like panic_on_oops, it doesn't give time for the error to get into
the system logs.)

I've also just fixed nolibc's handling of %*.*s (which is in 'next' since
I only wrote it recently), the above is actually broken.
Negative 'precision' (all values) are fine, they just request the default.

So the patch needs a big fat NACK...

	David


> 
> Potential users besides these two:
> 
> arch/powerpc/platforms/pseries/papr-sysparm.c-39-
> drivers/gpu/drm/drm_color_mgmt.c-142-
> drivers/gpu/drm/i915/display/intel_backlight.c-48-
> drivers/media/i2c/vgxy61.c-952-
> 

Re: [PATCH v3 1/2] lib/vsprintf: Fix to check field_width and precision

[Petr Mladek]

On Mon 2026-03-23 13:59:05, David Laight wrote:
> On Mon, 23 Mar 2026 15:27:31 +0200
> Andy Shevchenko <andriy.shevchenko@linux.intel.com> wrote:
> 
> > On Sat, Mar 21, 2026 at 11:41:12PM +0900, Masami Hiramatsu (Google) wrote:
> > 
> > > Check the field_width and presition correctly. Previously it depends
> > > on the bitfield conversion from int to check out-of-range error.
> > > However, commit 938df695e98d ("vsprintf: associate the format state
> > > with the format pointer") changed those fields to int.
> > > We need to check the out-of-range correctly without bitfield
> > > conversion.  
> > 
> > ...
> > 
> > >  static void
> > >  set_field_width(struct printf_spec *spec, int width)
> > >  {
> > > -	spec->field_width = width;
> > > -	if (WARN_ONCE(spec->field_width != width, "field width %d too large", width)) {
> > > -		spec->field_width = clamp(width, -FIELD_WIDTH_MAX, FIELD_WIDTH_MAX);
> > > +	if (WARN_ONCE(width > FIELD_WIDTH_MAX || width < -FIELD_WIDTH_MAX,
> > > +		      "field width %d too large", width)) {
> > > +		width = clamp(width, -FIELD_WIDTH_MAX, FIELD_WIDTH_MAX);
> > >  	}
> > > +	spec->field_width = width;
> > >  }
> > >  
> > >  static void
> > >  set_precision(struct printf_spec *spec, int prec)
> > >  {
> > > -	spec->precision = prec;
> > > -	if (WARN_ONCE(spec->precision != prec, "precision %d too large", prec)) {
> > > -		spec->precision = clamp(prec, 0, PRECISION_MAX);
> > > +	if (WARN_ONCE(prec > PRECISION_MAX || prec < 0,
> > > +		      "precision %d too large", prec)) {
> > > +		prec = clamp(prec, 0, PRECISION_MAX);
> > >  	}
> > > +	spec->precision = prec;
> > >  }  
> > 
> > Looking at this, perhaps
> > 
> > #define clamp_WARN_*(...)
> > 	...

It would make sense. But I do not want to force Masami to do so.


> When I looked at this I did wonder whether the compiler would manage to
> only do the comparisons once.

I believe that compilers would optimize this.

> Even if it doesn't the separate WARN is more readable.
> 
> Or maybe:
> 	spec->field_width = clamp(width, -FIELD_WIDTH_MAX, FIELD_WIDTH_MAX);
> 	WARN_ON(spec->field_width != width, "field width %d too large", width);

But this is fine as well.

> I'd be more worried about the bloat and system panic for all the systems
> with panic_on_warn set (the default for many distos).
> (And, like panic_on_oops, it doesn't give time for the error to get into
> the system logs.)

The WARN_ONCE() has been added by the commit 4d72ba014b4b09 ("lib/vsprintf.c:
warn about too large precisions and field widths"). The motivation was
that it was used also by some %p? modifiers, e.g. for the bitfield size, where
a clamped value might cause more confusion.

I do not want to open a bike shedding whether it is important enough
or not. I agree that it likely is not a reason to panic but it was
there 10 years so I could live with it.

That said, I always thought about introducing a macro which would
print a message+backtrace but it would not panic, e.g. SOFT_WARN()
or INFO() or MSG_AND_BT(level, msg, ...). But it seems to be
out of scope of this patchset.

> I've also just fixed nolibc's handling of %*.*s (which is in 'next' since
> I only wrote it recently), the above is actually broken.
> Negative 'precision' (all values) are fine, they just request the default.

Great catch! We should clamp the precision to (0, PRECISION_MAX). But we
should warn only when it is outside of (-PRECISION_MAX, PRECISION_MAX).

> So the patch needs a big fat NACK...

What is an acceptable solution then, please?

Frankly, I would like to stay on earth. This started as a simple fix
of a regression added a year ago. For me, any solution which
restores the year old behavior is good enough.

We might need to find another volunteer to implement a better
solution, e.g. the new non-panicing MSG_AND_BT() macro.

Alternatively, we could remove the WARN_ONCE() completely.
It looks acceptable for me. But Rasmus would need to agree as well.

Best Regards,
Petr

Re: [PATCH v3 1/2] lib/vsprintf: Fix to check field_width and precision

[David Laight]

On Tue, 24 Mar 2026 17:45:49 +0100
Petr Mladek <pmladek@suse.com> wrote:

> On Mon 2026-03-23 13:59:05, David Laight wrote:
...
> > I've also just fixed nolibc's handling of %*.*s (which is in 'next' since
> > I only wrote it recently), the above is actually broken.
> > Negative 'precision' (all values) are fine, they just request the default.  
> 
> Great catch! We should clamp the precision to (0, PRECISION_MAX). But we
> should warn only when it is outside of (-PRECISION_MAX, PRECISION_MAX).

No, you are going to clamp it needs to be to (-1, PRECISION_MAX);
but max(precision, PRECISION_MAX) if fine now the value is being saved
in an int.
And there is no need to warn about changing negative values - they
all mean exactly the same thing.
There isn't actually any need to worry about large precision values
for %s - they request truncation, precision only increases the output
for numbers.

> 
> > So the patch needs a big fat NACK...  
> 
> What is an acceptable solution then, please?

You could do:
	spec->precision = clamp(prec, -1, PRECISION_MAX);
	if (spec->precision < prec)
		WARN(...);

	David

> 
> Frankly, I would like to stay on earth. This started as a simple fix
> of a regression added a year ago. For me, any solution which
> restores the year old behavior is good enough.
> 
> We might need to find another volunteer to implement a better
> solution, e.g. the new non-panicing MSG_AND_BT() macro.
> 
> Alternatively, we could remove the WARN_ONCE() completely.
> It looks acceptable for me. But Rasmus would need to agree as well.
> 
> Best Regards,
> Petr

Re: [PATCH v3 1/2] lib/vsprintf: Fix to check field_width and precision

[Masami Hiramatsu]

On Tue, 24 Mar 2026 17:24:33 +0000
David Laight <david.laight.linux@gmail.com> wrote:

> On Tue, 24 Mar 2026 17:45:49 +0100
> Petr Mladek <pmladek@suse.com> wrote:
> 
> > On Mon 2026-03-23 13:59:05, David Laight wrote:
> ...
> > > I've also just fixed nolibc's handling of %*.*s (which is in 'next' since
> > > I only wrote it recently), the above is actually broken.
> > > Negative 'precision' (all values) are fine, they just request the default.  
> > 
> > Great catch! We should clamp the precision to (0, PRECISION_MAX). But we
> > should warn only when it is outside of (-PRECISION_MAX, PRECISION_MAX).
> 
> No, you are going to clamp it needs to be to (-1, PRECISION_MAX);
> but max(precision, PRECISION_MAX) if fine now the value is being saved
> in an int.
> And there is no need to warn about changing negative values - they
> all mean exactly the same thing.

Ah, indeed.

"A negative precision is taken as if the precision were omitted."

> There isn't actually any need to worry about large precision values
> for %s - they request truncation, precision only increases the output
> for numbers.
> 
> > 
> > > So the patch needs a big fat NACK...  
> > 
> > What is an acceptable solution then, please?
> 
> You could do:
> 	spec->precision = clamp(prec, -1, PRECISION_MAX);
> 	if (spec->precision < prec)
> 		WARN(...);
> 
> 	David

Ah, that looks good to me. Let me update it.

Thanks,

> 
> > 
> > Frankly, I would like to stay on earth. This started as a simple fix
> > of a regression added a year ago. For me, any solution which
> > restores the year old behavior is good enough.
> > 
> > We might need to find another volunteer to implement a better
> > solution, e.g. the new non-panicing MSG_AND_BT() macro.
> > 
> > Alternatively, we could remove the WARN_ONCE() completely.
> > It looks acceptable for me. But Rasmus would need to agree as well.
> > 
> > Best Regards,
> > Petr
> 


-- 
Masami Hiramatsu (Google) <mhiramat@kernel.org>

Re: [PATCH v3 1/2] lib/vsprintf: Fix to check field_width and precision

[Masami Hiramatsu]

On Wed, 25 Mar 2026 09:33:20 +0900
Masami Hiramatsu (Google) <mhiramat@kernel.org> wrote:

> On Tue, 24 Mar 2026 17:24:33 +0000
> David Laight <david.laight.linux@gmail.com> wrote:
> 
> > On Tue, 24 Mar 2026 17:45:49 +0100
> > Petr Mladek <pmladek@suse.com> wrote:
> > 
> > > On Mon 2026-03-23 13:59:05, David Laight wrote:
> > ...
> > > > I've also just fixed nolibc's handling of %*.*s (which is in 'next' since
> > > > I only wrote it recently), the above is actually broken.
> > > > Negative 'precision' (all values) are fine, they just request the default.  
> > > 
> > > Great catch! We should clamp the precision to (0, PRECISION_MAX). But we
> > > should warn only when it is outside of (-PRECISION_MAX, PRECISION_MAX).
> > 
> > No, you are going to clamp it needs to be to (-1, PRECISION_MAX);
> > but max(precision, PRECISION_MAX) if fine now the value is being saved
> > in an int.
> > And there is no need to warn about changing negative values - they
> > all mean exactly the same thing.
> 
> Ah, indeed.
> 
> "A negative precision is taken as if the precision were omitted."

Hmm, and format_decode() does not accept -1 precision. We need
another patch to fix it.

	spec->precision = -1;
	if (unlikely(*fmt.str == '.')) {
		fmt.str++;
		if (isdigit(*fmt.str)) {  <---- isdigit() accepts '0'-'9', not '-'.
			spec->precision = skip_atoi(&fmt.str); <--- this only returns positive value.
			if (spec->precision < 0)
				spec->precision = 0;
		} else if (*fmt.str == '*') {

Thanks,

-- 
Masami Hiramatsu (Google) <mhiramat@kernel.org>

Re: [PATCH v3 1/2] lib/vsprintf: Fix to check field_width and precision

[David Laight]

On Wed, 25 Mar 2026 10:17:04 +0900
Masami Hiramatsu (Google) <mhiramat@kernel.org> wrote:

> On Wed, 25 Mar 2026 09:33:20 +0900
> Masami Hiramatsu (Google) <mhiramat@kernel.org> wrote:
> 
> > On Tue, 24 Mar 2026 17:24:33 +0000
> > David Laight <david.laight.linux@gmail.com> wrote:
> >   
> > > On Tue, 24 Mar 2026 17:45:49 +0100
> > > Petr Mladek <pmladek@suse.com> wrote:
> > >   
> > > > On Mon 2026-03-23 13:59:05, David Laight wrote:  
> > > ...  
> > > > > I've also just fixed nolibc's handling of %*.*s (which is in 'next' since
> > > > > I only wrote it recently), the above is actually broken.
> > > > > Negative 'precision' (all values) are fine, they just request the default.    
> > > > 
> > > > Great catch! We should clamp the precision to (0, PRECISION_MAX). But we
> > > > should warn only when it is outside of (-PRECISION_MAX, PRECISION_MAX).  
> > > 
> > > No, you are going to clamp it needs to be to (-1, PRECISION_MAX);
> > > but max(precision, PRECISION_MAX) if fine now the value is being saved
> > > in an int.
> > > And there is no need to warn about changing negative values - they
> > > all mean exactly the same thing.  
> > 
> > Ah, indeed.
> > 
> > "A negative precision is taken as if the precision were omitted."  
> 
> Hmm, and format_decode() does not accept -1 precision. We need
> another patch to fix it.
> 
> 	spec->precision = -1;
> 	if (unlikely(*fmt.str == '.')) {
> 		fmt.str++;
> 		if (isdigit(*fmt.str)) {  <---- isdigit() accepts '0'-'9', not '-'.
> 			spec->precision = skip_atoi(&fmt.str); <--- this only returns positive value.
> 			if (spec->precision < 0)
> 				spec->precision = 0;

That is fine, you aren't allowed a negative value there - just for "%.*d".

	David

> 		} else if (*fmt.str == '*') {
> 
> Thanks,
> 

Re: [PATCH v3 1/2] lib/vsprintf: Fix to check field_width and precision

[Masami Hiramatsu]

On Mon, 23 Mar 2026 15:27:31 +0200
Andy Shevchenko <andriy.shevchenko@linux.intel.com> wrote:

> On Sat, Mar 21, 2026 at 11:41:12PM +0900, Masami Hiramatsu (Google) wrote:
> 
> > Check the field_width and presition correctly. Previously it depends
> > on the bitfield conversion from int to check out-of-range error.
> > However, commit 938df695e98d ("vsprintf: associate the format state
> > with the format pointer") changed those fields to int.
> > We need to check the out-of-range correctly without bitfield
> > conversion.
> 
> ...
> 
> >  static void
> >  set_field_width(struct printf_spec *spec, int width)
> >  {
> > -	spec->field_width = width;
> > -	if (WARN_ONCE(spec->field_width != width, "field width %d too large", width)) {
> > -		spec->field_width = clamp(width, -FIELD_WIDTH_MAX, FIELD_WIDTH_MAX);
> > +	if (WARN_ONCE(width > FIELD_WIDTH_MAX || width < -FIELD_WIDTH_MAX,
> > +		      "field width %d too large", width)) {
> > +		width = clamp(width, -FIELD_WIDTH_MAX, FIELD_WIDTH_MAX);
> >  	}
> > +	spec->field_width = width;
> >  }
> >  
> >  static void
> >  set_precision(struct printf_spec *spec, int prec)
> >  {
> > -	spec->precision = prec;
> > -	if (WARN_ONCE(spec->precision != prec, "precision %d too large", prec)) {
> > -		spec->precision = clamp(prec, 0, PRECISION_MAX);
> > +	if (WARN_ONCE(prec > PRECISION_MAX || prec < 0,
> > +		      "precision %d too large", prec)) {
> > +		prec = clamp(prec, 0, PRECISION_MAX);
> >  	}
> > +	spec->precision = prec;
> >  }
> 
> Looking at this, perhaps
> 
> #define clamp_WARN_*(...)
> 	...
> 
> Potential users besides these two:
> 
> arch/powerpc/platforms/pseries/papr-sysparm.c-39-
> drivers/gpu/drm/drm_color_mgmt.c-142-
> drivers/gpu/drm/i915/display/intel_backlight.c-48-
> drivers/media/i2c/vgxy61.c-952-

Hmm, that will be an improvement, not a fix. I would like to
keep this as small as possible so that we can cleanly apply it
to stable trees, and introduce such new macro to for-next.

Thank you,

> 
> -- 
> With Best Regards,
> Andy Shevchenko
> 
> 


-- 
Masami Hiramatsu (Google) <mhiramat@kernel.org>

[PATCH v3 2/2] lib/vsprintf: Limit the returning size to INT_MAX

[Masami Hiramatsu (Google)]

From: Masami Hiramatsu (Google) <mhiramat@kernel.org>

The return value of vsnprintf() can overflow INT_MAX and return
a minus value. In the @size is checked input overflow, but it does
not check the output, which is expected required size.

This should never happen but it should be checked and limited.

Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
---
 Changes in v3:
  - Use local variable for better readability.
---
 lib/vsprintf.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index ce9cbe071ab2..396021a50355 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -2866,6 +2866,7 @@ static unsigned long long convert_num_spec(unsigned int val, int size, struct pr
 int vsnprintf(char *buf, size_t size, const char *fmt_str, va_list args)
 {
 	char *str, *end;
+	size_t ret_size;
 	struct printf_spec spec = {0};
 	struct fmt fmt = {
 		.str = fmt_str,
@@ -2985,8 +2986,12 @@ int vsnprintf(char *buf, size_t size, const char *fmt_str, va_list args)
 	}
 
 	/* the trailing null byte doesn't count towards the total */
-	return str-buf;
+	ret_size = str - buf;
 
+	/* Make sure the return value is within the positive integer range */
+	if (WARN_ON_ONCE(ret_size > INT_MAX))
+		ret_size = INT_MAX;
+	return ret_size;
 }
 EXPORT_SYMBOL(vsnprintf);
 

Re: [PATCH v3 2/2] lib/vsprintf: Limit the returning size to INT_MAX

[Petr Mladek]

On Sat 2026-03-21 23:41:21, Masami Hiramatsu (Google) wrote:
> From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
> 
> The return value of vsnprintf() can overflow INT_MAX and return
> a minus value. In the @size is checked input overflow, but it does
> not check the output, which is expected required size.
> 
> This should never happen but it should be checked and limited.
> 
> Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>

It looks good to me. And the WARN_ON_ONCE() looks acceptable to me.
It is already used for checking the input size parameter in
vsnprintf(), and bstr_printf().

Reviewed-by: Petr Mladek <pmladek@suse.com>

Best Regards,
Petr