Re: [RFC PATCH 1/1] lib/vsprintf: Limit the returning size to INT_MAX

From: Masami Hiramatsu (Google)

Date: Wed Mar 18 2026 - 19:50:54 EST


On Wed, 18 Mar 2026 10:19:56 +0900
"Masami Hiramatsu (Google)" <mhiramat@xxxxxxxxxx> wrote:

> From: Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx>
>
> There seems to be a design flaw in vsnprintf(), whose return value can
> overflow INT_MAX even on a 32-bit arch, because the buffer size is
> passed as 'size_t' but it returns the printed or required size as 'int'.
>
> size_t is unsigned long, thus the caller can pass a buffer size bigger
> than INT_MAX (that is OK). But even if vsnprintf calculates the
> required/printed length correctly, if it overflows INT_MAX, it cannot
> return the size correctly as an int.
>
> This should never happen, but it should be checked and limited.
>
> Signed-off-by: Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx>
> ---
> drivers/firmware/efi/libstub/vsprintf.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/firmware/efi/libstub/vsprintf.c b/drivers/firmware/efi/libstub/vsprintf.c
> index 71c71c222346..1713cacecc25 100644
> --- a/drivers/firmware/efi/libstub/vsprintf.c
> +++ b/drivers/firmware/efi/libstub/vsprintf.c

Oops, I was looking at the wrong code. Never mind.

> @@ -549,7 +549,7 @@ int vsnprintf(char *buf, size_t size, const char *fmt, va_list ap)
> if (size)
> buf[min(pos, size-1)] = '\0';
>
> - return pos;
> + return (pos > INT_MAX) ? INT_MAX : pos;
> }
>
> int snprintf(char *buf, size_t size, const char *fmt, ...)
>
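Review bot: the diffstat and the diff header put this hunk in drivers/firmware/efi/libstub/vsprintf.c, while the subject line says lib/vsprintf; confirm which vsnprintf the fix is meant for before this goes further. On the logic of `return (pos > INT_MAX) ? INT_MAX : pos;`: a clamped INT_MAX is indistinguishable to the caller from a genuine INT_MAX-byte result, and the clamp runs only after `buf[min(pos, size-1)] = '\0'` has already been written, so the condition the commit message says "should never happen" is silently hidden rather than reported. Consider rejecting `size > INT_MAX` at function entry, before any formatting, with a warning, instead of clamping at return, and state in the commit message which callers are expected to pass such sizes.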


--
Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx>
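The commit message above describes the size_t-length versus int-return mismatch in the abstract. The following is an added example written for this page, not code from the patch or from the kernel tree: it uses the hosted C library's vsnprintf() to show what that mismatch looks like from a caller's side, contrasts the patch's clamp-at-return with refusing an oversized buffer up front, and runs a typical append-into-buffer caller over a constructed set of fields. All function names (ret_truncated, ret_clamped, snprintf_checked, build_line) are made up for the illustration; the kernel's own vsnprintf is not reproduced.

```c
/*
 * Added example; not code from the patch or from the kernel tree. It uses
 * the hosted C library's vsnprintf() to show what the size_t-length /
 * int-return mismatch means for a caller, and contrasts clamping at return
 * with refusing an oversized buffer up front. All function names below are
 * made up for this illustration.
 */
#include <limits.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 'pos' stands in for the length the formatter computed, as in the hunk. */

/* Unpatched return path: size_t silently narrowed to int. For pos > INT_MAX
 * the caller sees a negative or wrapped value (GCC/Clang: modulo 2^32). */
static int ret_truncated(size_t pos)
{
	return (int)pos;
}

/* The patch's return path: clamp. Never wrong-signed, but a caller cannot
 * tell "output was exactly INT_MAX bytes" from "too long to report". */
static int ret_clamped(size_t pos)
{
	return pos > (size_t)INT_MAX ? INT_MAX : (int)pos;
}

/*
 * Alternative: refuse a buffer size the int return could not describe
 * before formatting anything. Returns false (and writes nothing) in that
 * case, so the caller gets a distinct failure instead of a plausible length.
 */
static bool snprintf_checked(char *buf, size_t size, int *out_len,
			     const char *fmt, ...)
{
	va_list ap;
	int n;

	if (size > (size_t)INT_MAX)
		return false;
	va_start(ap, fmt);
	n = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	if (n < 0)
		return false;
	*out_len = n;
	return true;
}

/*
 * A typical caller: append fields to one buffer, advancing an offset by the
 * returned length. This idiom is what a wrong-signed or clamped return would
 * break, since 'size - off' would wrap or hit zero. Returns the number of
 * fields that fit; a field that would be truncated is dropped whole.
 */
static size_t build_line(char *buf, size_t size,
			 const char *const fields[], size_t nfields)
{
	size_t off = 0, i;

	if (size == 0)
		return 0;
	buf[0] = '\0';
	for (i = 0; i < nfields; i++) {
		int n;

		if (!snprintf_checked(buf + off, size - off, &n, "%s%s",
				      i ? " " : "", fields[i]))
			return i;
		if ((size_t)n >= size - off) {
			buf[off] = '\0';	/* drop the partial field */
			return i;
		}
		off += (size_t)n;
	}
	return i;
}

/* Constructed sample input for the stand-alone run. */
static const char *const sample_fields[] = { "alpha", "beta", "gamma", "delta" };

int main(void)
{
	char small[16], big[64];
	size_t n;

	printf("truncated: %d, clamped: %d\n",
	       ret_truncated((size_t)INT_MAX + 1),
	       ret_clamped((size_t)INT_MAX + 1));
	n = build_line(small, sizeof small, sample_fields, 4);
	printf("%zu fields in 16 bytes: \"%s\"\n", n, small);
	n = build_line(big, sizeof big, sample_fields, 4);
	printf("%zu fields in 64 bytes: \"%s\"\n", n, big);
	return 0;
}
```

The point of build_line is that an offset-advancing caller trusts the returned length arithmetically; a clamped INT_MAX would still be fed into `off += n`, so a caller cannot defend itself after the fact. Refusing `size > INT_MAX` before formatting, as snprintf_checked does, gives it a failure it can act on, which is the distinction the reviewer note on the hunk is about.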