[PATCH v4 0/4] Fix use-after-free and make format overflow more difficult

[PATCH v4 0/4] Fix use-after-free and make format overflow more difficult

[Akihiko Odaki]

nvme-ns has a use-after-free of a formatted string, so fix it by
embedding a fixed-length buffer to the object. Embedding a buffer lets
me avoid a chore to add a function to call g_free().

But I don't want to worry about a buffer overflow, so let the compiler
check that the buffer won't overflow; C is so restrictive that it cannot
enforce the existence of g_free(). Compilers can check the length of
formatted string on the other hand.

Then GCC started complaining about buffer overflow, so let's treat them.
Fortunately, the potential buffer overflows it detected are not
user-facing or very subtle. Treating them by growing buffers can improve
robustness with practically no cost.

Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
---
Changes in v4:
- Patch "tests: Avoid sprintf() with '%.6f'" now has an improved title
  ("tests: Clean up double comparisons to avoid compiler warning") and
  message written by Markus Armbruster.
- Link to v3: https://lore.kernel.org/qemu-devel/20260304-nvme-v3-0-bbb1b7fd2d0b@rsg.ci.i.u-tokyo.ac.jp

Changes in v3:
- Changed to avoid sprintf() with "%.6f" in tests.
- Replaced the message of patch "vfio/pci: Grow buffer in
  vfio_pci_host_match()" with a improved version by Alex Williamson.
- Link to v2: https://lore.kernel.org/qemu-devel/20260302-nvme-v2-0-37ad8b5788c3@rsg.ci.i.u-tokyo.ac.jp

Changes in v2:
- Rebased.
- Changed to use g_strdup_printf() in patch
  "contrib/elf2dmp: Grow PDB URL buffer".
- Link to v1: https://lore.kernel.org/qemu-devel/20260125-nvme-v1-0-0658c31fade9@rsg.ci.i.u-tokyo.ac.jp

---
Akihiko Odaki (4):
      contrib/elf2dmp: Grow PDB URL buffer
      vfio/pci: Grow buffer in vfio_pci_host_match()
      tests: Clean up double comparisons to avoid compiler warning
      meson: Add -Wformat-overflow=2

 meson.build                              |  1 +
 contrib/elf2dmp/main.c                   | 32 +++++++++++++++-----------------
 hw/vfio/pci.c                            |  2 +-
 tests/unit/test-qobject-input-visitor.c  |  8 ++------
 tests/unit/test-qobject-output-visitor.c |  7 ++-----
 5 files changed, 21 insertions(+), 29 deletions(-)
---
base-commit: afe653676dc6dfd49f0390239ff90b2f0052c2b8
change-id: 20260125-nvme-b4661e0a409e

Best regards,
--  
Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>

[PATCH v4 1/4] contrib/elf2dmp: Grow PDB URL buffer

[Akihiko Odaki]

The buffers used to construct a PDB URL overflow when the "age" property
is greater than 0xf, so grow it. This also simplifies the logic of the
URL construction to use one buffer instead of two to avoid the chore to
synchronize the sizes of two buffers.

Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
---
 contrib/elf2dmp/main.c | 32 +++++++++++++++-----------------
 1 file changed, 15 insertions(+), 17 deletions(-)

diff --git a/contrib/elf2dmp/main.c b/contrib/elf2dmp/main.c
index d046a72ae67f..a62abadcc049 100644
--- a/contrib/elf2dmp/main.c
+++ b/contrib/elf2dmp/main.c
@@ -494,18 +494,6 @@ static bool pe_check_pdb_name(uint64_t base, void *start_addr,
     return !strcmp(pdb_name, PDB_NAME);
 }
 
-static void pe_get_pdb_symstore_hash(OMFSignatureRSDS *rsds, char *hash)
-{
-    sprintf(hash, "%.08x%.04x%.04x%.02x%.02x", rsds->guid.a, rsds->guid.b,
-            rsds->guid.c, rsds->guid.d[0], rsds->guid.d[1]);
-    hash += 20;
-    for (unsigned int i = 0; i < 6; i++, hash += 2) {
-        sprintf(hash, "%.02x", rsds->guid.e[i]);
-    }
-
-    sprintf(hash, "%.01x", rsds->age);
-}
-
 int main(int argc, char *argv[])
 {
     int err = 1;
@@ -517,9 +505,7 @@ int main(int argc, char *argv[])
     uint64_t KernBase;
     void *nt_start_addr = NULL;
     WinDumpHeader64 header;
-    char pdb_hash[34];
-    char pdb_url[] = SYM_URL_BASE PDB_NAME
-        "/0123456789ABCDEF0123456789ABCDEFx/" PDB_NAME;
+    g_autofree char *pdb_url = NULL;
     struct pdb_reader pdb;
     uint64_t KdDebuggerDataBlock;
     KDDEBUGGER_DATA64 *kdbg;
@@ -583,9 +569,21 @@ int main(int argc, char *argv[])
     printf("KernBase = 0x%016"PRIx64", signature is \'%.2s\'\n", KernBase,
             (char *)nt_start_addr);
 
-    pe_get_pdb_symstore_hash(&rsds, pdb_hash);
+    pdb_url = g_strdup_printf("%s"
+                              "%.08x%.04x%.04x"
+                              "%.02x%.02x"
+                              "%.02x%.02x"
+                              "%.02x%.02x"
+                              "%.02x%.02x%.01x"
+                              "%s",
+                              SYM_URL_BASE PDB_NAME "/",
+                              rsds.guid.a, rsds.guid.b, rsds.guid.c,
+                              rsds.guid.d[0], rsds.guid.d[1],
+                              rsds.guid.e[0], rsds.guid.e[1],
+                              rsds.guid.e[2], rsds.guid.e[3],
+                              rsds.guid.e[4], rsds.guid.e[5], rsds.age,
+                              "/" PDB_NAME);
 
-    sprintf(pdb_url, "%s%s/%s/%s", SYM_URL_BASE, PDB_NAME, pdb_hash, PDB_NAME);
     printf("PDB URL is %s\n", pdb_url);
 
     if (!download_url(PDB_NAME, pdb_url)) {

-- 
2.53.0

[PATCH v4 2/4] vfio/pci: Grow buffer in vfio_pci_host_match()

[Akihiko Odaki]

Each field of PCIHostDeviceAddress is an unsigned int, therefore
while a valid address is limited to 13 characters, an invalid
address could exceed the specified format, up to:

        ffffffff:ffffffff:ffffffff.ffffffff<NUL>

This requires 36 characters with the terminator.

Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Alex Williamson <alex.williamson@nvidia.com>
---
 hw/vfio/pci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
index c89f3fbea348..94c174a773fb 100644
--- a/hw/vfio/pci.c
+++ b/hw/vfio/pci.c
@@ -2739,7 +2739,7 @@ void vfio_pci_post_reset(VFIOPCIDevice *vdev)
 
 bool vfio_pci_host_match(PCIHostDeviceAddress *addr, const char *name)
 {
-    char tmp[13];
+    char tmp[36];
 
     sprintf(tmp, "%04x:%02x:%02x.%1x", addr->domain,
             addr->bus, addr->slot, addr->function);

-- 
2.53.0

[PATCH v4 3/4] tests: Clean up double comparisons to avoid compiler warning

[Akihiko Odaki]

To enable -Wformat-overflow=2, we need to clean up a couple of false
positives:

[2/5] Compiling C object tests/unit/test-qobject-output-visitor.p/test-qobject-output-visitor.c.o
FAILED: tests/unit/test-qobject-output-visitor.p/test-qobject-output-visitor.c.o
cc -Itests/unit/test-qobject-output-visitor.p -Itests/unit -I../tests/unit -I. -Iqapi -Itrace -Iui -Iui/shader -Itests -Itests/include -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/sysprof-6 -fdiagnostics-color=auto -Wall -Winvalid-pch -Werror -std=gnu11 -O2 -g -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fno-strict-aliasing -fno-common -fwrapv -ftrivial-auto-var-init=zero -fzero-call-used-regs=used-gpr -fsanitize=address -fstack-protector-strong -fsanitize=undefined -Wempty-body -Wendif-labels -Wexpansion-to-defined -Wformat-overflow=2 -Wformat-security -Wformat-y2k -Wignored-qualifiers -Wimplicit-fallthrough=2 -Winit-self -Wmissing-format-attribute -Wmissing-prototypes -Wnested-externs -Wold-style-declaration -Wold-style-definition -Wredundant-decls -Wshadow=local -Wstrict-prototypes -Wtype-limits -Wundef -Wvla -Wwrite-strings -Wno-missing-include-dirs -Wno-psabi -Wno-shift-negative-value -isystem /home/me/q/var/qemu/linux-headers -isyst!
 em linux-headers -iquote . -iquote /home/me/q/var/qemu -iquote /home/me/q/var/qemu/include -iquote /home/me/q/var/qemu/host/include/aarch64 -iquote /home/me/q/var/qemu/host/include/generic -iquote /home/me/q/var/qemu/tcg/aarch64 -pthread -fPIE -MD -MQ tests/unit/test-qobject-output-visitor.p/test-qobject-output-visitor.c.o -MF tests/unit/test-qobject-output-visitor.p/test-qobject-output-visitor.c.o.d -o tests/unit/test-qobject-output-visitor.p/test-qobject-output-visitor.c.o -c ../tests/unit/test-qobject-output-visitor.c
../tests/unit/test-qobject-output-visitor.c: In function ‘test_visitor_out_list_struct’:
../tests/unit/test-qobject-output-visitor.c:577:28: error: ‘%.6f’ directive writing between 3 and 317 bytes into a region of size 32 [-Werror=format-overflow=]
  577 |         sprintf(expected, "%.6f", (double)i / 3);
      |                            ^~~~
../tests/unit/test-qobject-output-visitor.c:577:27: note: assuming directive output of 8 bytes
  577 |         sprintf(expected, "%.6f", (double)i / 3);
      |                           ^~~~~~
In file included from /usr/include/stdio.h:970,
                 from /home/me/q/var/qemu/include/qemu/osdep.h:114,
                 from ../tests/unit/test-qobject-output-visitor.c:13:
In function ‘sprintf’,
    inlined from ‘test_visitor_out_list_struct’ at ../tests/unit/test-qobject-output-visitor.c:577:9:
/usr/include/bits/stdio2.h:30:10: note: ‘__builtin___sprintf_chk’ output between 4 and 318 bytes into a destination of size 32
   30 |   return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   31 |                                   __glibc_objsize (__s), __fmt,
      |                                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   32 |                                   __va_arg_pack ());
      |                                   ~~~~~~~~~~~~~~~~~
../tests/unit/test-qobject-output-visitor.c: In function ‘test_visitor_out_list_struct’:
../tests/unit/test-qobject-output-visitor.c:578:26: error: ‘%.6f’ directive writing between 3 and 317 bytes into a region of size 32 [-Werror=format-overflow=]
  578 |         sprintf(actual, "%.6f", qnum_get_double(qvalue));
      |                          ^~~~
../tests/unit/test-qobject-output-visitor.c:578:25: note: assuming directive output of 8 bytes
  578 |         sprintf(actual, "%.6f", qnum_get_double(qvalue));
      |                         ^~~~~~
In function ‘sprintf’,
    inlined from ‘test_visitor_out_list_struct’ at ../tests/unit/test-qobject-output-visitor.c:578:9:
/usr/include/bits/stdio2.h:30:10: note: ‘__builtin___sprintf_chk’ output between 4 and 318 bytes into a destination of size 32
   30 |   return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   31 |                                   __glibc_objsize (__s), __fmt,
      |                                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   32 |                                   __va_arg_pack ());
      |                                   ~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors

These buffers cannot actually overflow because the doubles are
between 0 and 31.0/3 inclusive.

However, formatting doubles just to compare them is silly.  Compare
them directly instead.  To avoid potential rounding trouble, change
the numbers tested to be representable exactly in double.

Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
---
 tests/unit/test-qobject-input-visitor.c  | 8 ++------
 tests/unit/test-qobject-output-visitor.c | 7 ++-----
 2 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/tests/unit/test-qobject-input-visitor.c b/tests/unit/test-qobject-input-visitor.c
index 84bdcdf702e0..beee11db4e47 100644
--- a/tests/unit/test-qobject-input-visitor.c
+++ b/tests/unit/test-qobject-input-visitor.c
@@ -500,7 +500,7 @@ static void test_visitor_in_list_struct(TestInputVisitorData *data,
     g_string_append_printf(json, "'number': [");
     sep = "";
     for (i = 0; i < 32; i++) {
-        g_string_append_printf(json, "%s%f", sep, (double)i / 3);
+        g_string_append_printf(json, "%s%f", sep, (double)i / FLT_RADIX);
         sep = ", ";
     }
     g_string_append_printf(json, "], ");
@@ -583,11 +583,7 @@ static void test_visitor_in_list_struct(TestInputVisitorData *data,
 
     i = 0;
     for (num_list = arrs->number; num_list; num_list = num_list->next) {
-        char expected[32], actual[32];
-
-        sprintf(expected, "%.6f", (double)i / 3);
-        sprintf(actual, "%.6f", num_list->value);
-        g_assert_cmpstr(expected, ==, actual);
+        g_assert_cmpfloat(num_list->value, ==, (double)i / FLT_RADIX);
         i++;
     }
 
diff --git a/tests/unit/test-qobject-output-visitor.c b/tests/unit/test-qobject-output-visitor.c
index 407ab9ed505a..3c47b28f6638 100644
--- a/tests/unit/test-qobject-output-visitor.c
+++ b/tests/unit/test-qobject-output-visitor.c
@@ -538,7 +538,7 @@ static void test_visitor_out_list_struct(TestOutputVisitorData *data,
     }
 
     for (i = 31; i >= 0; i--) {
-        QAPI_LIST_PREPEND(arrs->number, (double)i / 3);
+        QAPI_LIST_PREPEND(arrs->number, (double)i / FLT_RADIX);
     }
 
     for (i = 31; i >= 0; i--) {
@@ -571,12 +571,9 @@ static void test_visitor_out_list_struct(TestOutputVisitorData *data,
     i = 0;
     QLIST_FOREACH_ENTRY(qlist, e) {
         QNum *qvalue = qobject_to(QNum, qlist_entry_obj(e));
-        char expected[32], actual[32];
 
         g_assert(qvalue);
-        sprintf(expected, "%.6f", (double)i / 3);
-        sprintf(actual, "%.6f", qnum_get_double(qvalue));
-        g_assert_cmpstr(actual, ==, expected);
+        g_assert_cmpfloat(qnum_get_double(qvalue), ==, (double)i / FLT_RADIX);
         i++;
     }
 

-- 
2.53.0

[PATCH v4 4/4] meson: Add -Wformat-overflow=2

[Akihiko Odaki]

https://gcc.gnu.org/onlinedocs/gcc-15.2.0/gcc/Warning-Options.html
> Level 2 warns also about calls that might overflow the destination
> buffer given an argument of sufficient length or magnitude. At level
> 2, unknown numeric arguments are assumed to have the minimum
> representable value for signed types with a precision greater than 1,
> and the maximum representable value otherwise. Unknown string
> arguments whose length cannot be assumed to be bounded either by the
> directive’s precision, or by a finite set of string literals they may
> evaluate to, or the character array they may point to, are assumed to
> be 1 character long.

Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
---
 meson.build | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meson.build b/meson.build
index 414c8ea7e280..cf50bc492f9c 100644
--- a/meson.build
+++ b/meson.build
@@ -692,6 +692,7 @@ warn_flags = [
   '-Wempty-body',
   '-Wendif-labels',
   '-Wexpansion-to-defined',
+  '-Wformat-overflow=2',
   '-Wformat-security',
   '-Wformat-y2k',
   '-Wignored-qualifiers',

-- 
2.53.0

Re: [PATCH v4 3/4] tests: Clean up double comparisons to avoid compiler warning

[Markus Armbruster]

Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp> writes:

> To enable -Wformat-overflow=2, we need to clean up a couple of false
> positives:
>
> [2/5] Compiling C object tests/unit/test-qobject-output-visitor.p/test-qobject-output-visitor.c.o
> FAILED: tests/unit/test-qobject-output-visitor.p/test-qobject-output-visitor.c.o
> cc -Itests/unit/test-qobject-output-visitor.p -Itests/unit -I../tests/unit -I. -Iqapi -Itrace -Iui -Iui/shader -Itests -Itests/include -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/sysprof-6 -fdiagnostics-color=auto -Wall -Winvalid-pch -Werror -std=gnu11 -O2 -g -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fno-strict-aliasing -fno-common -fwrapv -ftrivial-auto-var-init=zero -fzero-call-used-regs=used-gpr -fsanitize=address -fstack-protector-strong -fsanitize=undefined -Wempty-body -Wendif-labels -Wexpansion-to-defined -Wformat-overflow=2 -Wformat-security -Wformat-y2k -Wignored-qualifiers -Wimplicit-fallthrough=2 -Winit-self -Wmissing-format-attribute -Wmissing-prototypes -Wnested-externs -Wold-style-declaration -Wold-style-definition -Wredundant-decls -Wshadow=local -Wstrict-prototypes -Wtype-limits -Wundef -Wvla -Wwrite-strings -Wno-missing-include-dirs -Wno-psabi -Wno-shift-negative-value -isystem /home/me/q/var/qemu/linux-headers -isystem linux-headers -iquote . -iquote /home/me/q/var/qemu -iquote /home/me/q/var/qemu/include -iquote /home/me/q/var/qemu/host/include/aarch64 -iquote /home/me/q/var/qemu/host/include/generic -iquote /home/me/q/var/qemu/tcg/aarch64 -pthread -fPIE -MD -MQ tests/unit/test-qobject-output-visitor.p/test-qobject-output-visitor.c.o -MF tests/unit/test-qobject-output-visitor.p/test-qobject-output-visitor.c.o.d -o tests/unit/test-qobject-output-visitor.p/test-qobject-output-visitor.c.o -c ../tests/unit/test-qobject-output-visitor.c

I'd omit the three lines above for brevity's sake.

> ../tests/unit/test-qobject-output-visitor.c: In function ‘test_visitor_out_list_struct’:
> ../tests/unit/test-qobject-output-visitor.c:577:28: error: ‘%.6f’ directive writing between 3 and 317 bytes into a region of size 32 [-Werror=format-overflow=]

I'd also omit the remainder of the report.

>   577 |         sprintf(expected, "%.6f", (double)i / 3);
>       |                            ^~~~
> ../tests/unit/test-qobject-output-visitor.c:577:27: note: assuming directive output of 8 bytes
>   577 |         sprintf(expected, "%.6f", (double)i / 3);
>       |                           ^~~~~~
> In file included from /usr/include/stdio.h:970,
>                  from /home/me/q/var/qemu/include/qemu/osdep.h:114,
>                  from ../tests/unit/test-qobject-output-visitor.c:13:
> In function ‘sprintf’,
>     inlined from ‘test_visitor_out_list_struct’ at ../tests/unit/test-qobject-output-visitor.c:577:9:
> /usr/include/bits/stdio2.h:30:10: note: ‘__builtin___sprintf_chk’ output between 4 and 318 bytes into a destination of size 32
>    30 |   return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
>       |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>    31 |                                   __glibc_objsize (__s), __fmt,
>       |                                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>    32 |                                   __va_arg_pack ());
>       |                                   ~~~~~~~~~~~~~~~~~
> ../tests/unit/test-qobject-output-visitor.c: In function ‘test_visitor_out_list_struct’:
> ../tests/unit/test-qobject-output-visitor.c:578:26: error: ‘%.6f’ directive writing between 3 and 317 bytes into a region of size 32 [-Werror=format-overflow=]

I'd similarly abridge this second warning.

>   578 |         sprintf(actual, "%.6f", qnum_get_double(qvalue));
>       |                          ^~~~
> ../tests/unit/test-qobject-output-visitor.c:578:25: note: assuming directive output of 8 bytes
>   578 |         sprintf(actual, "%.6f", qnum_get_double(qvalue));
>       |                         ^~~~~~
> In function ‘sprintf’,
>     inlined from ‘test_visitor_out_list_struct’ at ../tests/unit/test-qobject-output-visitor.c:578:9:
> /usr/include/bits/stdio2.h:30:10: note: ‘__builtin___sprintf_chk’ output between 4 and 318 bytes into a destination of size 32
>    30 |   return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
>       |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>    31 |                                   __glibc_objsize (__s), __fmt,
>       |                                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>    32 |                                   __va_arg_pack ());
>       |                                   ~~~~~~~~~~~~~~~~~
> cc1: all warnings being treated as errors
>
> These buffers cannot actually overflow because the doubles are
> between 0 and 31.0/3 inclusive.
>
> However, formatting doubles just to compare them is silly.  Compare
> them directly instead.  To avoid potential rounding trouble, change
> the numbers tested to be representable exactly in double.
>
> Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
> Reviewed-by: Markus Armbruster <armbru@redhat.com>

Thanks!

Re: [PATCH v4 1/4] contrib/elf2dmp: Grow PDB URL buffer

[Peter Maydell]

On Thu, 5 Mar 2026 at 06:18, Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp> wrote:
>
> The buffers used to construct a PDB URL overflow when the "age" property
> is greater than 0xf, so grow it. This also simplifies the logic of the
> URL construction to use one buffer instead of two to avoid the chore to
> synchronize the sizes of two buffers.
>
> Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
> ---
>  contrib/elf2dmp/main.c | 32 +++++++++++++++-----------------
>  1 file changed, 15 insertions(+), 17 deletions(-)
>
> diff --git a/contrib/elf2dmp/main.c b/contrib/elf2dmp/main.c
> index d046a72ae67f..a62abadcc049 100644
> --- a/contrib/elf2dmp/main.c
> +++ b/contrib/elf2dmp/main.c
> @@ -494,18 +494,6 @@ static bool pe_check_pdb_name(uint64_t base, void *start_addr,
>      return !strcmp(pdb_name, PDB_NAME);
>  }
>
> -static void pe_get_pdb_symstore_hash(OMFSignatureRSDS *rsds, char *hash)
> -{
> -    sprintf(hash, "%.08x%.04x%.04x%.02x%.02x", rsds->guid.a, rsds->guid.b,
> -            rsds->guid.c, rsds->guid.d[0], rsds->guid.d[1]);
> -    hash += 20;
> -    for (unsigned int i = 0; i < 6; i++, hash += 2) {
> -        sprintf(hash, "%.02x", rsds->guid.e[i]);
> -    }
> -
> -    sprintf(hash, "%.01x", rsds->age);
> -}
> -
>  int main(int argc, char *argv[])
>  {
>      int err = 1;
> @@ -517,9 +505,7 @@ int main(int argc, char *argv[])
>      uint64_t KernBase;
>      void *nt_start_addr = NULL;
>      WinDumpHeader64 header;
> -    char pdb_hash[34];
> -    char pdb_url[] = SYM_URL_BASE PDB_NAME
> -        "/0123456789ABCDEF0123456789ABCDEFx/" PDB_NAME;
> +    g_autofree char *pdb_url = NULL;
>      struct pdb_reader pdb;
>      uint64_t KdDebuggerDataBlock;
>      KDDEBUGGER_DATA64 *kdbg;
> @@ -583,9 +569,21 @@ int main(int argc, char *argv[])
>      printf("KernBase = 0x%016"PRIx64", signature is \'%.2s\'\n", KernBase,
>              (char *)nt_start_addr);
>
> -    pe_get_pdb_symstore_hash(&rsds, pdb_hash);
> +    pdb_url = g_strdup_printf("%s"
> +                              "%.08x%.04x%.04x"
> +                              "%.02x%.02x"
> +                              "%.02x%.02x"
> +                              "%.02x%.02x"
> +                              "%.02x%.02x%.01x"
> +                              "%s",
> +                              SYM_URL_BASE PDB_NAME "/",
> +                              rsds.guid.a, rsds.guid.b, rsds.guid.c,
> +                              rsds.guid.d[0], rsds.guid.d[1],
> +                              rsds.guid.e[0], rsds.guid.e[1],
> +                              rsds.guid.e[2], rsds.guid.e[3],
> +                              rsds.guid.e[4], rsds.guid.e[5], rsds.age,
> +                              "/" PDB_NAME);

This is definitely better. I think it would be slightly
easier to read if we put the "/" characters in the
format string rather than string-concatenating them into
the arguments, but either way

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

thanks
-- PMM

Re: [PATCH v4 4/4] meson: Add -Wformat-overflow=2

[Peter Maydell]

On Thu, 5 Mar 2026 at 06:19, Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp> wrote:
>
> https://gcc.gnu.org/onlinedocs/gcc-15.2.0/gcc/Warning-Options.html
> > Level 2 warns also about calls that might overflow the destination
> > buffer given an argument of sufficient length or magnitude. At level
> > 2, unknown numeric arguments are assumed to have the minimum
> > representable value for signed types with a precision greater than 1,
> > and the maximum representable value otherwise. Unknown string
> > arguments whose length cannot be assumed to be bounded either by the
> > directive’s precision, or by a finite set of string literals they may
> > evaluate to, or the character array they may point to, are assumed to
> > be 1 character long.
>
> Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
> ---
>  meson.build | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/meson.build b/meson.build
> index 414c8ea7e280..cf50bc492f9c 100644
> --- a/meson.build
> +++ b/meson.build
> @@ -692,6 +692,7 @@ warn_flags = [
>    '-Wempty-body',
>    '-Wendif-labels',
>    '-Wexpansion-to-defined',
> +  '-Wformat-overflow=2',
>    '-Wformat-security',
>    '-Wformat-y2k',
>    '-Wignored-qualifiers',

I can build with both gcc and clang with this extra warning enabled
without it falling over on anything else, so

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

thanks
-- PMM

Re: [PATCH v4 0/4] Fix use-after-free and make format overflow more difficult

[Philippe Mathieu-Daudé]

On 5/3/26 07:16, Akihiko Odaki wrote:

> Akihiko Odaki (4):
>        contrib/elf2dmp: Grow PDB URL buffer
>        vfio/pci: Grow buffer in vfio_pci_host_match()
>        tests: Clean up double comparisons to avoid compiler warning
>        meson: Add -Wformat-overflow=2

Queued, thanks.