[PATCH v2 1/7] scripts: modpost: detect and report truncated buf_printf() output

Next message: Alexandre Courbot: "[PATCH v2 2/7] pin_init: always inline the #ident and #project_ident methods"
Previous message: Shin'ichiro Kawasaki: "Re: [PATCH] block: blk-zoned: fix zwplug refcount leak on write error path"
In reply to: Alexandre Courbot: "[PATCH v2 0/7] gpu: drm: nova: enable calling into nova-core"
Next in thread: Nathan Chancellor: "Re: [PATCH v2 1/7] scripts: modpost: detect and report truncated buf_printf() output"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Alexandre Courbot

Date: Wed May 27 2026 - 07:54:07 EST

buf_printf() uses a fixed-size stack buffer. vsnprintf() returns the
number of bytes that *would* have been written to that buffer, which can
be larger than the size of said buffer if the formatted string is too
long.

The problem is that whenever this happens buf_printf() currently passes
this length, unchecked, to buf_write(), which silently reads past the
stack buffer and copies invalid data into the output buffer.

Fix this by detecting vsnprintf() failures and truncations before
appending to the output buffer, and report a fatal error instead of
producing corrupt symbol names.

Signed-off-by: Alexandre Courbot <acourbot@xxxxxxxxxx>
---
scripts/mod/modpost.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
index abbcd3fc1394..0d2f1f09019b 100644
--- a/scripts/mod/modpost.c
+++ b/scripts/mod/modpost.c
@@ -1689,8 +1689,17 @@ void __attribute__((format(printf, 2, 3))) buf_printf(struct buffer *buf,

va_start(ap, fmt);
len = vsnprintf(tmp, SZ, fmt, ap);
- buf_write(buf, tmp, len);
va_end(ap);
+
+ if (len < 0) {
+ perror("vsnprintf failed");
+ exit(1);
+ }
+ if (len >= SZ)
+ fatal("buf_printf output truncated for string %s: %d bytes needed, %d available\n",
+ tmp, len + 1, SZ);
+
+ buf_write(buf, tmp, len);
}

void buf_write(struct buffer *buf, const char *s, int len)

--
2.54.0