From: Suchit Karunakaran suchitkarunakaran@gmail.com
[ Upstream commit 5ac726653a1029a2eccba93bbe59e01fc9725828 ]
strcpy() performs no bounds checking and can lead to buffer overflows if the input string exceeds the destination buffer size. This patch replaces it with strncpy(), and null terminates the input string.
Signed-off-by: Suchit Karunakaran suchitkarunakaran@gmail.com
Reviewed-by: Nicolas Schier nicolas.schier@linux.dev
Signed-off-by: Masahiro Yamada masahiroy@kernel.org
Signed-off-by: Sasha Levin sashal@kernel.org
---
LLM Generated explanations, may be completely bogus:
Based on my analysis of the commit and the code context I was able to examine, here's my assessment:
**Backport Status: YES**
## Extensive Explanation:
This commit should be backported to stable kernel trees for the following reasons:
### 1. **Security Bug Fix**
The commit fixes a potential buffer overflow vulnerability in the kconfig lxdialog inputbox code. Looking at the code changes:
- The original code uses `strcpy(instr, init)` at line 43 without any bounds checking
- `instr` points to `dialog_input_result` which is defined as `char dialog_input_result[MAX_LEN + 1]` (line 11)
- From dialog.h, `MAX_LEN` is defined as 2048 (line 25)
- If `init` string exceeds 2048 characters, it would overflow the buffer
### 2. **Simple and Contained Fix**
The fix is minimal and straightforward:
```c
- else - strcpy(instr, init); + else { + strncpy(instr, init, sizeof(dialog_input_result) - 1); + instr[sizeof(dialog_input_result) - 1] = '\0'; + }
```
- Replaces unsafe `strcpy()` with bounded `strncpy()`
- Properly null-terminates the string to prevent unterminated string issues
- Uses `sizeof(dialog_input_result) - 1` to ensure proper bounds
### 3. **Low Risk of Regression**
- The change is localized to a single function in the kconfig tool
- It doesn't alter the logic flow, only makes the string copy safer
- The kconfig lxdialog is used during kernel configuration, not runtime kernel code
- The fix maintains the same functionality while adding safety
### 4. **Meets Stable Criteria**
According to stable kernel rules, this commit qualifies because it:
- Fixes a real bug (buffer overflow vulnerability)
- Is obviously correct and tested (has review from Nicolas Schier)
- Is small (only 4 lines changed)
- Doesn't add new features or change architecture
- Has no functional side effects beyond the security fix
### 5. **Potential Security Impact**
While this is in the build tools rather than runtime kernel code, buffer overflows in build tools can still be exploited:
- Could be triggered by malicious Kconfig files
- Could affect kernel developers or automated build systems
- Even build-time vulnerabilities should be fixed in stable trees
The commit is a textbook example of a security fix that should be backported - it's small, focused, fixes a clear vulnerability, and has minimal risk of causing regressions.
scripts/kconfig/lxdialog/inputbox.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/scripts/kconfig/lxdialog/inputbox.c b/scripts/kconfig/lxdialog/inputbox.c index 3c6e24b20f5b..5e4a131724f2 100644 --- a/scripts/kconfig/lxdialog/inputbox.c +++ b/scripts/kconfig/lxdialog/inputbox.c @@ -39,8 +39,10 @@ int dialog_inputbox(const char *title, const char *prompt, int height, int width
if (!init) instr[0] = '\0'; - else - strcpy(instr, init); + else { + strncpy(instr, init, sizeof(dialog_input_result) - 1); + instr[sizeof(dialog_input_result) - 1] = '\0'; + }
do_resize: if (getmaxy(stdscr) <= (height - INPUTBOX_HEIGHT_MIN))
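Review bot: in the new else branch the bound is taken from sizeof(dialog_input_result) while the write goes through instr, so the copy is only bounded correctly as long as instr points at that array, which these lines do not show; copying into dialog_input_result directly, or a short comment stating the alias, would keep the size and the destination visibly tied together. An init longer than the buffer is now truncated with no indication to the caller; if that is the intended behaviour it deserves a sentence in the commit message. strncpy() also zero-fills the unused remainder of the buffer on every call, so `snprintf(instr, sizeof(dialog_input_result), "%s", init);` would bound and terminate the string in a single call without the separate terminator store.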