[PATCH] vsprintf: fix possible NULL pointer deref in vsnprintf()

From: Sergey Shtylyov
Date: Thu Jan 05 2023 - 16:16:54 EST


In vsnprintf() etc, C99 allows the 'buf' argument to be NULL when the
'size' argument equals 0. Let us treat NULL passed as if the 'buf'
argument pointed to a 0-sized buffer, so that we can avoid a NULL pointer
dereference and still return the # of characters that would be written if
'buf' pointed to a valid buffer...

Found by Linux Verification Center (linuxtesting.org) with the SVACE static
analysis tool.

Signed-off-by: Sergey Shtylyov <s.shtylyov@xxxxxx>

---
This patch is against the 'master' branch of the PRINTK Group's repo...

lib/vsprintf.c | 9 +++++++++
1 file changed, 9 insertions(+)

Index: linux/lib/vsprintf.c
===================================================================
--- linux.orig/lib/vsprintf.c
+++ linux/lib/vsprintf.c
@@ -2738,6 +2738,15 @@ int vsnprintf(char *buf, size_t size, co
if (WARN_ON_ONCE(size > INT_MAX))
return 0;

+ /*
+ * C99 allows @buf to be NULL when @size is 0. We treat such NULL as if
+ * @buf pointed to 0-sized buffer, so we can both avoid a NULL pointer
+ * dereference and still return # of characters that would be written
+ * if @buf pointed to a valid buffer...
+ */
+ if (!buf)
+ size = 0;
+
str = buf;
end = buf + size;
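Review bot: the new check silently turns a NULL 'buf' with a non-zero 'size' into a 0-sized buffer, which is not the C99-sanctioned case the comment describes (NULL is only allowed when 'size' is 0) and would mask a real caller bug by returning the would-be length without ever writing or warning. Since the function already does `if (WARN_ON_ONCE(size > INT_MAX)) return 0;` two lines above, a `WARN_ON_ONCE(!buf && size)` (or folding the `!buf` case into that existing check) would keep the NULL-dereference fix while still flagging the mismatched arguments. The accepted NULL/0 combination should also be stated in the vsnprintf() kernel-doc comment, not only in this inline comment, so callers can rely on it.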