Re: [PATCH 0/4] lib/vsprintf: assorted bug fixes
From: Andy Shevchenko
Date: Wed Mar 25 2026 - 08:45:02 EST
On Tue, Mar 24, 2026 at 10:49:36PM +0000, Josh Law wrote:
> Four small fixes found during an audit of lib/vsprintf.c:
>
> 1. bstr_printf() fails to advance the args pointer past a
> pre-rendered pointer string when the output buffer is full,
> corrupting all subsequent output.
>
> 2. vbin_printf() writes end[-1] unconditionally when NUL-terminating
> a pointer string, which is an OOB write when size is zero.
>
> 3. vsscanf() uses s16 for field_width but assigns from skip_atoi()
> which returns int, silently truncating large widths to negative
> and aborting parsing.
>
> 4. format_decode() is missing a (u8) cast on the second lookup into
> the format_state table, allowing a negative array index on
> signed-char platforms.
These all need a good review. And I think binary printf() might have
a bit different rules on how to propagate the pointer in the buffer.
To me these might fix something or might break something or do nothing
(like in patch 4) due to lack of expertise in the area.
So, I am skeptical about accepting that series, sorry. But I leave it
to others to decide, not giving any tag here.
--
With Best Regards,
Andy Shevchenko
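As an added illustration that is not code from the series, from lib/vsprintf.c, or from this reply, the stand-alone C program below reproduces the four pitfall classes the cover letter names, each as a hypothetical helper (render_items, terminate_guarded, parse_width_int, parse_width_s16, table_index_uncast, table_index_cast are names chosen here, not kernel symbols) with the guarded and unguarded behaviour side by side. The argument stream and other inputs are constructed for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1. Decoder over a packed argument stream (constructed format: one length
 *    byte followed by that many payload bytes). The cursor must advance past
 *    every item even when the output buffer has no room. With
 *    advance_when_full == 0 the function models the bug class: it skips only
 *    the header, so the next iteration reads a payload byte as a length.
 *    Returns the number of items consumed, or -1 if a header claims more
 *    bytes than remain (a framing error, which the misaligned cursor trips). */
static int render_items(const uint8_t *args, size_t nargs,
                        char *out, size_t outsize, int advance_when_full)
{
    size_t pos = 0, written = 0;
    int count = 0;

    while (pos < nargs) {
        uint8_t len = args[pos];

        if (pos + 1 + len > nargs)
            return -1;                      /* malformed or misaligned */
        if (written + len <= outsize) {
            memcpy(out + written, &args[pos + 1], len);
            written += len;
            pos += 1 + len;
        } else {
            pos += advance_when_full ? 1 + len : 1;
        }
        count++;
    }
    return count;
}

/* 2. Terminating through end[-1] with end == buf + size is a write to
 *    buf[-1] when size is zero. Returns 1 if a terminator was stored. */
static int terminate_guarded(char *buf, size_t size)
{
    char *end = buf + size;

    if (size == 0)
        return 0;                           /* unguarded form writes end[-1] here */
    end[-1] = '\0';
    return 1;
}

/* 3. Decimal width parser returning int, and the effect of storing the
 *    result in a 16-bit signed field. Narrowing an out-of-range int to
 *    int16_t is implementation-defined before C23; common compilers wrap
 *    modulo 2^16, which turns 40000 into a negative width. */
static int parse_width_int(const char **s)
{
    int w = 0;

    while (**s >= '0' && **s <= '9')
        w = w * 10 + (*(*s)++ - '0');
    return w;
}

static int parse_width_s16(const char *s)
{
    int16_t field_width = (int16_t)parse_width_int(&s); /* narrowing store */

    return field_width;
}

/* 4. Indexing a 256-entry table with a plain char: where char is signed,
 *    any byte >= 0x80 becomes a negative index. The (unsigned char) cast
 *    yields 0..255 on every platform. */
static int table_index_uncast(char c)
{
    return c;                               /* -128..127 when char is signed */
}

static int table_index_cast(char c)
{
    return (unsigned char)c;                /* always 0..255 */
}

int main(void)
{
    /* Constructed stream: items of length 3, 2 and 1. */
    static const uint8_t stream[] = { 3, 'a', 'b', 'c', 2, 'd', 'e', 1, 'f' };
    char out[3];
    char buf[4] = { 'a', 'b', 'c', 'd' };
    const char *w = "40000";

    printf("items: advancing=%d stuck=%d\n",
           render_items(stream, sizeof stream, out, sizeof out, 1),
           render_items(stream, sizeof stream, out, sizeof out, 0));
    printf("terminate: size 4=%d size 0=%d\n",
           terminate_guarded(buf, sizeof buf), terminate_guarded(buf, 0));
    printf("width: int=%d s16=%d\n", parse_width_int(&w), parse_width_s16("40000"));
    printf("index 0xC3: uncast=%d cast=%d (CHAR_MIN=%d)\n",
           table_index_uncast((char)0xC3), table_index_cast((char)0xC3), CHAR_MIN);
    return 0;
}
```

The output buffer in the first case is deliberately too small for the second item, so the advancing decoder consumes all three items while the stuck one reads 'd' (100) as a length and hits the framing check.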