Re: [PATCH 2/4] lib/vsprintf: fix OOB write in vbin_printf() when size is zero

Next message: Ryan Roberts: "[PATCH v2 0/3] Fix bugs for realm guest plus BBML2_NOABORT"
Previous message: Luiz Augusto von Dentz: "Re: [PATCH v3 1/2] Bluetooth: SMP: honor local HIGH security when selecting legacy pairing method"
In reply to: Josh Law: "[PATCH 2/4] lib/vsprintf: fix OOB write in vbin_printf() when size is zero"
Next in thread: Steven Rostedt: "Re: [PATCH 2/4] lib/vsprintf: fix OOB write in vbin_printf() when size is zero"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Petr Mladek

Date: Mon Mar 30 2026 - 12:29:21 EST

On Tue 2026-03-24 22:49:38, Josh Law wrote:
> When vbin_printf() is called with size==0, end equals bin_buf and
> the else branch writes end[-1], which is one byte before the buffer.
>
> Guard the write so it only happens when the buffer is non-empty.
>
> Signed-off-by: Josh Law <objecting@xxxxxxxxxxxxx>

Great catch!

There is only one in-tree user and it never passes size=0 so there was
no overflow in the reality. But better be on the safe side.

Reviewed-by: Petr Mladek <pmladek@xxxxxxxx>

Best Regards,
Petr