Re: [PATCH v3 1/2] lib/vsprintf: Fix to check field_width and precision

From: David Laight

Date: Mon Mar 23 2026 - 10:24:26 EST

On Mon, 23 Mar 2026 15:27:31 +0200
Andy Shevchenko <andriy.shevchenko@xxxxxxxxxxxxxxx> wrote:

> On Sat, Mar 21, 2026 at 11:41:12PM +0900, Masami Hiramatsu (Google) wrote:
>
> > Check the field_width and presition correctly. Previously it depends
> > on the bitfield conversion from int to check out-of-range error.
> > However, commit 938df695e98d ("vsprintf: associate the format state
> > with the format pointer") changed those fields to int.
> > We need to check the out-of-range correctly without bitfield
> > conversion.
>
> ...
>
> > static void
> > set_field_width(struct printf_spec *spec, int width)
> > {
> > - spec->field_width = width;
> > - if (WARN_ONCE(spec->field_width != width, "field width %d too large", width)) {
> > - spec->field_width = clamp(width, -FIELD_WIDTH_MAX, FIELD_WIDTH_MAX);
> > + if (WARN_ONCE(width > FIELD_WIDTH_MAX || width < -FIELD_WIDTH_MAX,
> > + "field width %d too large", width)) {
> > + width = clamp(width, -FIELD_WIDTH_MAX, FIELD_WIDTH_MAX);
> > }
> > + spec->field_width = width;
> > }
> >
> > static void
> > set_precision(struct printf_spec *spec, int prec)
> > {
> > - spec->precision = prec;
> > - if (WARN_ONCE(spec->precision != prec, "precision %d too large", prec)) {
> > - spec->precision = clamp(prec, 0, PRECISION_MAX);
> > + if (WARN_ONCE(prec > PRECISION_MAX || prec < 0,
> > + "precision %d too large", prec)) {
> > + prec = clamp(prec, 0, PRECISION_MAX);
> > }
> > + spec->precision = prec;
> > }
>
> Looking at this, perhaps
>
> #define clamp_WARN_*(...)
> ...

When I looked at this I did wonder whether the compiler would manage to
only do the comparisons once.
Even if it doesn't the separate WARN is more readable.

Or maybe:
spec->field_width = clamp(width, -FIELD_WIDTH_MAX, FIELD_WIDTH_MAX);
WARN_ON(spec->field_width != width, "field width %d too large", width);

I'd be more worried about the bloat and system panic for all the systems
with panic_on_warn set (the default for many distos).
(And, like panic_on_oops, it doesn't give time for the error to get into
the system logs.)

I've also just fixed nolibc's handling of %*.*s (which is in 'next' since
I only wrote it recently), the above is actually broken.
Negative 'precision' (all values) are fine, they just request the default.

So the patch needs a big fat NACK...

David

>
> Potential users besides these two:
>
> arch/powerpc/platforms/pseries/papr-sysparm.c-39-
> drivers/gpu/drm/drm_color_mgmt.c-142-
> drivers/gpu/drm/i915/display/intel_backlight.c-48-
> drivers/media/i2c/vgxy61.c-952-
>