lists.openwall.net
Open Source and information security mailing list archives

Message-ID: <20260201085624.7fbc4c59@pumpkin>
Date: Sun, 1 Feb 2026 08:56:24 +0000
From: David Laight <david.laight.linux@...il.com>
To: Cheng Li <im.lechain@...il.com>
Cc: Thomas Weißschuh <linux@...ssschuh.net>, Willy
 Tarreau <w@....eu>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/2] tools/nolibc: add support zero pad (0) in printf

On Sun, 1 Feb 2026 08:49:37 +0800
Cheng Li <im.lechain@...il.com> wrote:

> David Laight <david.laight.linux@...il.com> wrote on Sat, Jan 31, 2026 at 20:32:
> >
> > On Sat, 31 Jan 2026 11:18:49 +0100
> > Thomas Weißschuh <linux@...ssschuh.net> wrote:
> >  
> > > Hey Cheng,
> > >
> > > Jan 30, 2026 09:37:51 licheng.li <im.lechain@...il.com>:
> > >  
> > > > From: Cheng Li <im.lechain@...il.com>
> > > >
> > > > This patch correctly implements the '0' flag in __nolibc_printf() to
> > > > allow zero-padding for numeric and pointer outputs.  
> > >
> > > Thanks for (all of) your patches.
> > > I am not sure when exactly I can take a proper look at them.
> > > As we are currently fairly late in the 6.20/7.0 development cycle I would like to move your patches into the next one.
> > > We can still discuss the patches and you can send new revisions and patches,
> > > but they won't be picked up until in a few weeks.  
> >
> > Gives me time to re-write them :-)
> >
> > There is still a bug in the 'align left' code as well.
> > snprintf(buf, 21, "%-25s", "abcd") outputs 20 spaces not "abcd" followed by 16.
> > Easiest fix is to move the truncation in the cb() function.  
> 
> Hi David,
> 
> I did a double-check on the `snprintf(buf, 21, "%-25s", "abcd")` case
> with the v4 patch.
> 
> In my testing, the output content is actually correct ("abcd" followed
> by 16 spaces),
> and the return value is 25, which complies with the standard
> (representing the length
> if the buffer were infinite).

I was probably checking a slightly different version where the '-'
just caused the truncated "abcd" to be output before the pad.

> 
> **However**, you are right to be concerned about the logic. Upon
> closer inspection,
> I realized there is a potential **buffer overflow risk**.
> 
...
> 
> Therefore, I am perfectly happy to drop my current left-alignment
> patch entirely and
> wait for your refactor, as it provides a much safer architecture.

I've got it 'mostly rewritten', I'll remove your patches for "%-2s" from
the front before I submit them.
I'll put that change in early.

	David
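
The idea raised in this thread, truncating inside the output callback so the padding logic never needs to know the buffer size, shown as an added example that is not part of the original message and is not nolibc's code. The names `sink`, `sink_cb`, `sink_pad` and `fmt_str` are hypothetical, and only a single `%[-]<width>s` conversion is handled.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical output sink: every bounds decision lives here. */
struct sink {
    char  *buf;   /* destination; may be NULL when size == 0 */
    size_t size;  /* total buffer size, including the terminating NUL */
    size_t len;   /* bytes that would have been written with no limit */
};

/* Callback: counts every byte, stores only those that fit before the NUL. */
static void sink_cb(struct sink *s, const char *p, size_t n)
{
    for (size_t i = 0; i < n; i++, s->len++)
        if (s->size && s->len < s->size - 1)
            s->buf[s->len] = p[i];
}

/* Padding goes through the same callback, so it cannot overrun the buffer. */
static void sink_pad(struct sink *s, char c, size_t n)
{
    while (n--)
        sink_cb(s, &c, 1);
}

/* Formats one "%[-]<width>s" conversion; returns the untruncated length. */
static size_t fmt_str(char *buf, size_t size, int left, size_t width,
                      const char *str)
{
    struct sink s = { buf, size, 0 };
    size_t n = strlen(str);
    size_t pad = width > n ? width - n : 0;

    if (!left)
        sink_pad(&s, ' ', pad);   /* right-aligned: pad first */
    sink_cb(&s, str, n);
    if (left)
        sink_pad(&s, ' ', pad);   /* left-aligned: pad after the string */
    if (size)
        buf[s.len < size ? s.len : size - 1] = '\0';
    return s.len;
}
```

With `size` 21, `left` set and `width` 25, the case from the thread yields "abcd" followed by 16 spaces and a return value of 25.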
