Re: [PATCH v5 0/2] lib/vsprintf: Fixes size check

From: Andy Shevchenko

Date: Thu Mar 26 2026 - 06:05:21 EST


On Wed, Mar 25, 2026 at 10:41:58PM +0900, Masami Hiramatsu wrote:
> On Wed, 25 Mar 2026 22:27:31 +0900
> "Masami Hiramatsu (Google)" <mhiramat@xxxxxxxxxx> wrote:
>
> > Hi,
> >
> > Here is the 5th version of patches to fix vsnprintf().
> >
> > - Fix to limit the size of width and precision.
> > - Warn if the return size is over INT_MAX.
> >
> > Previous version is here;
> >
> > https://lore.kernel.org/all/177440550682.147866.1854734911195480940.stgit@devnote2/
> >
> > In this version, negative precision is treated as zero to match the
> > previous behavior and check the field/precision passed as string
> > literals too[1/2]. Also, update bstr_printf() not to return negative
> > value[2/2].

> BTW, skip_atoi() is used for converting precision and width,
> but this does not check the overflow. This is expected to be
> checked by compiler (-Wformat-overflow) but it checks the
> width <= INT_MAX, but precision <= LONG_MAX (why?) and clang
> does not check precision.
>
> To avoid this issue, below fix is needed, but I'm not sure
> this is meaningful check, because with [1/2] change, the
> return value is limited anyway, and it's easy to check
> during the review process if an obviously abnormal
> precision value is passed in the format string.

> diff --git a/lib/vsprintf.c b/lib/vsprintf.c

If you even want to do that, it should use macros from overflow.h,
also see how kstrto*() and memparse() perform such checks. Also
this may slow down the conversion.

--
With Best Regards,
Andy Shevchenko
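
Added example, not part of the thread or of the posted patch: a userspace sketch of the overflow check discussed above, comparing an unchecked digit accumulation in the style of skip_atoi() with a variant built on check_mul_overflow()/check_add_overflow(). The name skip_atoi_checked() and its -1 return on overflow are hypothetical, and the two macros are local stand-ins (compiler builtins) for the ones in overflow.h.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>

/* Userspace stand-ins for check_*_overflow() from <linux/overflow.h>;
 * like the kernel macros, they return true when the result does not fit. */
#define check_mul_overflow(a, b, d) __builtin_mul_overflow(a, b, d)
#define check_add_overflow(a, b, d) __builtin_add_overflow(a, b, d)

/* Unchecked accumulation in the style of skip_atoi(). Unsigned arithmetic
 * is used so the wraparound is well defined in this demo. */
static int skip_atoi_unchecked(const char **s)
{
	unsigned int i = 0;

	do {
		i = 10 * i + (unsigned int)(*(*s)++ - '0');
	} while (isdigit((unsigned char)**s));
	return (int)i;
}

/* Hypothetical checked variant: returns -1 on overflow, but still consumes
 * every digit so format parsing resumes at the conversion specifier. */
static int skip_atoi_checked(const char **s)
{
	int i = 0, overflowed = 0;

	do {
		int digit = *(*s)++ - '0';

		if (!overflowed && (check_mul_overflow(i, 10, &i) ||
				    check_add_overflow(i, digit, &i)))
			overflowed = 1;
	} while (isdigit((unsigned char)**s));
	return overflowed ? -1 : i;
}

int main(void)
{
	const char *a = "4294967297s", *b = a;	/* constructed input */
	int plain = skip_atoi_unchecked(&a);
	int checked = skip_atoi_checked(&b);

	printf("unchecked=%d checked=%d next='%c'\n", plain, checked, *b);
	return 0;
}
```

The constructed width 4294967297 wraps to 1 in the unchecked loop, while the checked loop reports it; the extra branch per digit is the conversion cost mentioned in the reply.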