Re: [PATCH 2/4] lib/vsprintf: fix OOB write in vbin_printf() when size is zero

Next message: Josh Law: "Re: [PATCH 2/4] lib/vsprintf: fix OOB write in vbin_printf() when size is zero"
Previous message: Danilo Krummrich: "Re: [PATCH 05/12] PCI: use generic driver_override infrastructure"
In reply to: Petr Mladek: "Re: [PATCH 2/4] lib/vsprintf: fix OOB write in vbin_printf() when size is zero"
Next in thread: Josh Law: "Re: [PATCH 2/4] lib/vsprintf: fix OOB write in vbin_printf() when size is zero"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Steven Rostedt

Date: Mon Mar 30 2026 - 12:32:00 EST

On Tue, 24 Mar 2026 22:49:38 +0000
Josh Law <objecting@xxxxxxxxxxxxx> wrote:

> When vbin_printf() is called with size==0, end equals bin_buf and
> the else branch writes end[-1], which is one byte before the buffer.
>
> Guard the write so it only happens when the buffer is non-empty.
>
> Signed-off-by: Josh Law <objecting@xxxxxxxxxxxxx>
> ---
> lib/vsprintf.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/vsprintf.c b/lib/vsprintf.c
> index 7898fb998b21..72fbfe181076 100644
> --- a/lib/vsprintf.c
> +++ b/lib/vsprintf.c
> @@ -3234,7 +3234,7 @@ int vbin_printf(u32 *bin_buf, size_t size, const char *fmt_str, va_list args)
> spec);
> if (str + 1 < end)
> *str++ = '\0';
> - else
> + else if (end > (char *)bin_buf)
> end[-1] = '\0'; /* Must be nul terminated */

instead of doing a comparison, couldn't we just check size?

else if (size) /* do nothing if size is zero */

I'm guessing this would be slightly more efficient in the assembly.

-- Steve

> }
> /* skip all alphanumeric pointer suffixes */