[RFC PATCH 1/1] lib/vsprintf: Limit the returning size to INT_MAX

From: Masami Hiramatsu (Google)

Date: Tue Mar 17 2026 - 21:21:03 EST


From: Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx>

There seems to be a design flaw in vsnprintf(), whose return value can
overflow INT_MAX even on 32-bit arch, because the buffer size is
passed as 'size_t' but it returns the printed or required size as 'int'.

The size_t is unsigned long, thus the caller can pass a value bigger than
INT_MAX as the size of the buffer (that is OK). But even if vsnprintf
calculates the required/printed length correctly, if it overflows INT_MAX,
it cannot return the size correctly as an int.

This should never happen but it should be checked and limited.

Signed-off-by: Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx>
---
drivers/firmware/efi/libstub/vsprintf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/firmware/efi/libstub/vsprintf.c b/drivers/firmware/efi/libstub/vsprintf.c
index 71c71c222346..1713cacecc25 100644
--- a/drivers/firmware/efi/libstub/vsprintf.c
+++ b/drivers/firmware/efi/libstub/vsprintf.c
@@ -549,7 +549,7 @@ int vsnprintf(char *buf, size_t size, const char *fmt, va_list ap)
if (size)
buf[min(pos, size-1)] = '\0';

- return pos;
+ return (pos > INT_MAX) ? INT_MAX : pos;
}

int snprintf(char *buf, size_t size, const char *fmt, ...)
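Review bot: the saturating return at the end of vsnprintf() (`return (pos > INT_MAX) ? INT_MAX : pos;`) is silent, so a caller that passed a size above INT_MAX and checks for truncation by comparing the result against size will see INT_MAX, which is smaller than size, and conclude the output fit even when pos exceeded size. Please document the clamp in a comment above the function, stating that a result of INT_MAX means "at least INT_MAX" and is not an exact length, so that callers know not to rely on it for truncation detection in that range. Separately, the subject line is prefixed lib/vsprintf, but the diffstat shows only drivers/firmware/efi/libstub/vsprintf.c being touched; either retitle the patch for the EFI stub copy or say in the changelog whether the other vsnprintf() implementation needs the same limit.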