Re: [PATCH v2 2/2] lib/vsprintf: Limit the returning size to INT_MAX
From: Petr Mladek
Date: Fri Mar 20 2026 - 13:06:23 EST
On Fri 2026-03-20 12:54:57, Masami Hiramatsu (Google) wrote:
> From: Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx>
>
> The return value of vsnprintf() can overflow INT_MAX and return
> a negative value. The @size input is checked for overflow, but the
> output, which is the expected required size, is not checked.
>
> This should never happen but it should be checked and limited.
Great catch!
> --- a/lib/vsprintf.c
> +++ b/lib/vsprintf.c
> @@ -2985,7 +2985,7 @@ int vsnprintf(char *buf, size_t size, const char *fmt_str, va_list args)
> }
>
> /* the trailing null byte doesn't count towards the total */
> - return str-buf;
> + return WARN_ON_ONCE(str - buf > INT_MAX) ? INT_MAX : str - buf;
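Review bot: the comparison `str - buf > INT_MAX` is done on a ptrdiff_t, a signed type whose width depends on the build: on a 32-bit (ILP32) kernel ptrdiff_t is int, so the condition can never be true and the check silently does nothing, while on 64-bit it works only because ptrdiff_t happens to be wider than int. Store the difference in an unsigned variable before comparing, e.g. `size_t ret_size = str - buf;` followed by `if (WARN_ON_ONCE(ret_size > INT_MAX)) ret_size = INT_MAX;`, which also avoids evaluating `str - buf` twice in the ternary and makes the clamp read as one statement.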
Is it guaranteed that the pointer arithmetic will be a big enough
unsigned number type?
I would rather do a cast to be on the safe side, for example:
return WARN_ON_ONCE((size_t)(str - buf) > INT_MAX) ? INT_MAX : str - buf;
or even use a variable to make it more readable:
	size_t ret_size;

	ret_size = str - buf;
	if (WARN_ON_ONCE(ret_size > INT_MAX))
		ret_size = INT_MAX;

	return ret_size;
Best Regards,
Petr
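As an added example (not part of this thread and not the kernel's lib/vsprintf.c), the following userspace C models the two tails being discussed side by side: the current implicit conversion of the written length to int, and the variable-based clamp suggested above. The kernel's WARN_ON_ONCE() is stood in for by a small `warn_on_once()` helper, the pointer difference `str - buf` is modelled as a size_t count, and `format_required_len()` uses libc vsnprintf() only to show the "required size on truncation" semantics the return value carries; all of these names are assumptions made for the example.

```c
#include <limits.h>
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the kernel's WARN_ON_ONCE(): report the first trip,
 * always return the condition so it can sit inside an if(). */
static int warn_once_fired;

static int warn_on_once(int cond)
{
	if (cond && !warn_once_fired) {
		warn_once_fired = 1;
		fprintf(stderr, "WARNING: vsnprintf() result exceeds INT_MAX\n");
	}
	return cond;
}

/* Models the existing tail: the length (str - buf) is converted to int
 * with no range check, so anything above INT_MAX wraps negative. */
int unclamped_return(size_t written)
{
	return (int)written;
}

/* Models the variable-based clamp from the reply: keep the length in an
 * unsigned variable, warn once, and cap the value at INT_MAX. */
int clamped_return(size_t written)
{
	size_t ret_size;

	ret_size = written;
	if (warn_on_once(ret_size > INT_MAX))
		ret_size = INT_MAX;

	return (int)ret_size;
}

/* Formats into buf and returns the length the full output would need
 * (trailing NUL not counted), as vsnprintf() does even when it truncates.
 * The libc return value stands in for str - buf in the kernel version. */
int format_required_len(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int n;

	va_start(ap, fmt);
	n = vsnprintf(buf, size, fmt, ap);
	va_end(ap);

	if (n < 0)
		return n;	/* libc encoding error; nothing to clamp */

	return clamped_return((size_t)n);
}

int main(void)
{
	char buf[4];
	size_t too_big = (size_t)INT_MAX + 1;

	/* Truncated output still reports the full required length. */
	printf("required=%d buf=\"%s\"\n",
	       format_required_len(buf, sizeof(buf), "%s", "hello world"), buf);
	printf("unclamped=%d clamped=%d\n",
	       unclamped_return(too_big), clamped_return(too_big));
	return 0;
}
```

The 32-bit concern from the reply is visible in the types: `clamped_return()` compares a size_t against INT_MAX, so the check works regardless of whether ptrdiff_t is wider than int on the target.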