[PATCH] common: cli_hush: fix console_buffer overflow on boot retry

[PATCH] common: cli_hush: fix console_buffer overflow on boot retry

[Ngo Luong Thanh Tra]

Add const_strcpy() macro to linux/build_bug.h that enforces at
compile time that the destination is a writable char array (not char *
or const char *), the source is a string literal, and the source fits
in the destination including the NUL terminator.

Fix the console_buffer extern declaration in console.h to include the
array size so sizeof(console_buffer) is valid at call sites.

Replace unbounded strcpy() in cli_hush.c with const_strcpy().

Fixes: 657e19f8f2dd ("cli_hush: support running bootcmd on boot retry")

Changes in v4:
- Rebased on top of current master (as requested by Tom Rini)

Changes in v3:
- Reject const char * destinations in const_strcpy() (Simon Glass)

Signed-off-by: Ngo Luong Thanh Tra <S4210155@student.rmit.edu.au>
---

 common/cli_hush.c         |  3 ++-
 include/console.h         |  3 ++-
 include/linux/build_bug.h | 24 ++++++++++++++++++++++++
 3 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/common/cli_hush.c b/common/cli_hush.c
index fe8fe93bd54..d7a584fea3f 100644
--- a/common/cli_hush.c
+++ b/common/cli_hush.c
@@ -84,6 +84,7 @@
 #include <cli_hush.h>
 #include <command.h>        /* find_cmd */
 #include <vsprintf.h>
+#include <linux/build_bug.h>
 #endif
 #ifndef __U_BOOT__
 #include <ctype.h>     /* isalpha, isdigit */
@@ -1027,7 +1028,7 @@ static void get_user_input(struct in_str *i)
 #  ifdef CONFIG_RESET_TO_RETRY
 	  do_reset(NULL, 0, 0, NULL);
 #  elif IS_ENABLED(CONFIG_RETRY_BOOTCMD)
-	strcpy(console_buffer, "run bootcmd\n");
+	const_strcpy(console_buffer, "run bootcmd\n");
 # else
 #	error "This only works with CONFIG_RESET_TO_RETRY or CONFIG_BOOT_RETRY_COMMAND enabled"
 #  endif
diff --git a/include/console.h b/include/console.h
index 8d0d7bb8a4c..97ccf5e5f6a 100644
--- a/include/console.h
+++ b/include/console.h
@@ -10,8 +10,9 @@
 #include <stdbool.h>
 #include <stdio_dev.h>
 #include <linux/errno.h>
+#include <config.h>
 
-extern char console_buffer[];
+extern char console_buffer[CONFIG_SYS_CBSIZE + 1];
 
 /* common/console.c */
 int console_init_f(void);	/* Before relocation; uses the serial  stuff */
diff --git a/include/linux/build_bug.h b/include/linux/build_bug.h
index 20c2dc7f4bd..93f9e50a1c6 100644
--- a/include/linux/build_bug.h
+++ b/include/linux/build_bug.h
@@ -76,4 +76,28 @@
 #define static_assert(expr, ...) __static_assert(expr, ##__VA_ARGS__, #expr)
 #define __static_assert(expr, msg, ...) _Static_assert(expr, msg)
 
+/**
+ * const_strcpy - Copy a string literal to a char array with compile-time checks
+ * @d: destination char array (must be a char array, not a pointer)
+ * @s: source string literal
+ *
+ * Enforces at compile time that:
+ * (a) @d is a char array, not a pointer
+ * (b) @s is a string literal (adjacent string concatenation trick)
+ * (c) @s fits in @d including the NUL terminator
+ *
+ * Uses __builtin_strcpy() so the compiler can optimize the copy into
+ * immediate stores rather than emitting a function call.
+ *
+ * Note: @s is used twice in the macro expansion but this is intentional
+ * and safe: the ("" s "") trick enforces at compile time that @s is a
+ * string literal, and string literals have no side effects.
+ */
+#define const_strcpy(d, s) ({						\
+	BUILD_BUG_ON(__builtin_types_compatible_p(typeof(d), char *));	\
+	BUILD_BUG_ON(__builtin_types_compatible_p(typeof(d), const char *));	\
+	BUILD_BUG_ON(sizeof(d) < sizeof("" s ""));			\
+	__builtin_strcpy(d, s);						\
+})
+
 #endif	/* _LINUX_BUILD_BUG_H */
-- 
2.53.0

base-commit: e3405917a1806971d9e72a94186b299f05581e1a
branch: cli-hush-patman-dryrun

Re: [PATCH] common: cli_hush: fix console_buffer overflow on boot retry

[Rasmus Villemoes]

On Tue, Apr 21 2026, Ngo Luong Thanh Tra <ngotra27101996@gmail.com> wrote:

> Add const_strcpy() macro to linux/build_bug.h that enforces at
> compile time that the destination is a writable char array (not char *
> or const char *), the source is a string literal, and the source fits
> in the destination including the NUL terminator.
>
> Fix the console_buffer extern declaration in console.h to include the
> array size so sizeof(console_buffer) is valid at call sites.
>
> Replace unbounded strcpy() in cli_hush.c with const_strcpy().
>
> Fixes: 657e19f8f2dd ("cli_hush: support running bootcmd on boot retry")
>
> Changes in v4:
> - Rebased on top of current master (as requested by Tom Rini)
>
> Changes in v3:
> - Reject const char * destinations in const_strcpy() (Simon Glass)
>
> Signed-off-by: Ngo Luong Thanh Tra <S4210155@student.rmit.edu.au>
> ---


Hi Ngo

Please address the feedback I gave in
https://lore.kernel.org/u-boot/87zf3co6pz.fsf@prevas.dk/.

Also, two things on creating patches:

When you create a new version of a patch (or patch series), please use
"git format-patch -vX" where X is the version number. For the next one
that would be "-v5". Then git will use the subject prefix "[PATCH v5]"
instead of merely "[PATCH]", making it easier to distinguish the
different ones in one's inbox or on lore.kernel.org/u-boot.

Second, the informative "Changes in vX:" stuff should go below the ---,
as it is not part of the commit message and should not be part of the
permanent git history once the patch is accepted.

Rasmus

Re: [PATCH] common: cli_hush: fix console_buffer overflow on boot retry

[Simon Glass]

Hi,

On Tue, 21 Apr 2026 at 20:06, Rasmus Villemoes <ravi@prevas.dk> wrote:
>
> On Tue, Apr 21 2026, Ngo Luong Thanh Tra <ngotra27101996@gmail.com> wrote:
>
> > Add const_strcpy() macro to linux/build_bug.h that enforces at
> > compile time that the destination is a writable char array (not char *
> > or const char *), the source is a string literal, and the source fits
> > in the destination including the NUL terminator.
> >
> > Fix the console_buffer extern declaration in console.h to include the
> > array size so sizeof(console_buffer) is valid at call sites.
> >
> > Replace unbounded strcpy() in cli_hush.c with const_strcpy().
> >
> > Fixes: 657e19f8f2dd ("cli_hush: support running bootcmd on boot retry")
> >
> > Changes in v4:
> > - Rebased on top of current master (as requested by Tom Rini)
> >
> > Changes in v3:
> > - Reject const char * destinations in const_strcpy() (Simon Glass)
> >
> > Signed-off-by: Ngo Luong Thanh Tra <S4210155@student.rmit.edu.au>
> > ---
>
>
> Hi Ngo
>
> Please address the feedback I gave in
> https://lore.kernel.org/u-boot/87zf3co6pz.fsf@prevas.dk/.
>
> Also, two things on creating patches:
>
> When you create a new version of a patch (or patch series), please use
> "git format-patch -vX" where X is the version number. For the next one
> that would be "-v5". Then git will use the subject prefix "[PATCH v5]"
> instead of merely "[PATCH]", making it easier to distinguish the
> different ones in one's inbox or on lore.kernel.org/u-boot.
>
> Second, the informative "Changes in vX:" stuff should go below the ---,
> as it is not part of the commit message and should not be part of the
> permanent git history once the patch is accepted.

You can also use patman which lets you add a 'Series-version: 5' line
in the commit and handles putting the change log in the right place.

Regards,
Simon

[PATCH] common: cli_hush: fix console_buffer overflow on boot retry

[Ngo Luong Thanh Tra]

Add const_strcpy() macro to linux/build_bug.h that enforces at
compile time that the destination is a writable char array (not char *
or const char *), the source is a string literal, and the source fits
in the destination including the NUL terminator.

Fix the console_buffer extern declaration in console.h to include the
array size so sizeof(console_buffer) is valid at call sites.

Replace unbounded strcpy() in cli_hush.c with const_strcpy().

Fixes: 657e19f8f2dd ("cli_hush: support running bootcmd on boot retry")

Changes in v3:
- Reject const char * destinations in const_strcpy() (Simon Glass)

Signed-off-by: Ngo Luong Thanh Tra <S4210155@student.rmit.edu.au>
Made-with: Cursor
---

 common/cli_hush.c         |  3 ++-
 include/console.h         |  3 ++-
 include/linux/build_bug.h | 24 ++++++++++++++++++++++++
 3 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/common/cli_hush.c b/common/cli_hush.c
index 7bd6943d3ed..048577cb40a 100644
--- a/common/cli_hush.c
+++ b/common/cli_hush.c
@@ -84,6 +84,7 @@
 #include <cli_hush.h>
 #include <command.h>        /* find_cmd */
 #include <asm/global_data.h>
+#include <linux/build_bug.h>
 #endif
 #ifndef __U_BOOT__
 #include <ctype.h>     /* isalpha, isdigit */
@@ -1029,7 +1030,7 @@ static void get_user_input(struct in_str *i)
 #  ifdef CONFIG_RESET_TO_RETRY
 	  do_reset(NULL, 0, 0, NULL);
 #  elif IS_ENABLED(CONFIG_RETRY_BOOTCMD)
-	strcpy(console_buffer, "run bootcmd\n");
+	const_strcpy(console_buffer, "run bootcmd\n");
 # else
 #	error "This only works with CONFIG_RESET_TO_RETRY or CONFIG_BOOT_RETRY_COMMAND enabled"
 #  endif
diff --git a/include/console.h b/include/console.h
index 8d0d7bb8a4c..97ccf5e5f6a 100644
--- a/include/console.h
+++ b/include/console.h
@@ -10,8 +10,9 @@
 #include <stdbool.h>
 #include <stdio_dev.h>
 #include <linux/errno.h>
+#include <config.h>
 
-extern char console_buffer[];
+extern char console_buffer[CONFIG_SYS_CBSIZE + 1];
 
 /* common/console.c */
 int console_init_f(void);	/* Before relocation; uses the serial  stuff */
diff --git a/include/linux/build_bug.h b/include/linux/build_bug.h
index 20c2dc7f4bd..93f9e50a1c6 100644
--- a/include/linux/build_bug.h
+++ b/include/linux/build_bug.h
@@ -76,4 +76,28 @@
 #define static_assert(expr, ...) __static_assert(expr, ##__VA_ARGS__, #expr)
 #define __static_assert(expr, msg, ...) _Static_assert(expr, msg)
 
+/**
+ * const_strcpy - Copy a string literal to a char array with compile-time checks
+ * @d: destination char array (must be a char array, not a pointer)
+ * @s: source string literal
+ *
+ * Enforces at compile time that:
+ * (a) @d is a char array, not a pointer
+ * (b) @s is a string literal (adjacent string concatenation trick)
+ * (c) @s fits in @d including the NUL terminator
+ *
+ * Uses __builtin_strcpy() so the compiler can optimize the copy into
+ * immediate stores rather than emitting a function call.
+ *
+ * Note: @s is used twice in the macro expansion but this is intentional
+ * and safe: the ("" s "") trick enforces at compile time that @s is a
+ * string literal, and string literals have no side effects.
+ */
+#define const_strcpy(d, s) ({						\
+	BUILD_BUG_ON(__builtin_types_compatible_p(typeof(d), char *));	\
+	BUILD_BUG_ON(__builtin_types_compatible_p(typeof(d), const char *));	\
+	BUILD_BUG_ON(sizeof(d) < sizeof("" s ""));			\
+	__builtin_strcpy(d, s);						\
+})
+
 #endif	/* _LINUX_BUILD_BUG_H */
-- 
2.53.0

base-commit: 47e064f13171f15817aa1b22b04e309964b15c2c
branch: cli-hush-patman-dryrun

Re: [PATCH] common: cli_hush: fix console_buffer overflow on boot retry

[Tom Rini]

[-- Attachment #1: Type: text/plain, Size: 1046 bytes --]

On Mon, Apr 06, 2026 at 09:30:27AM +0700, Ngo Luong Thanh Tra wrote:

> Add const_strcpy() macro to linux/build_bug.h that enforces at
> compile time that the destination is a writable char array (not char *
> or const char *), the source is a string literal, and the source fits
> in the destination including the NUL terminator.
> 
> Fix the console_buffer extern declaration in console.h to include the
> array size so sizeof(console_buffer) is valid at call sites.
> 
> Replace unbounded strcpy() in cli_hush.c with const_strcpy().
> 
> Fixes: 657e19f8f2dd ("cli_hush: support running bootcmd on boot retry")
> 
> Changes in v3:
> - Reject const char * destinations in const_strcpy() (Simon Glass)
> 
> Signed-off-by: Ngo Luong Thanh Tra <S4210155@student.rmit.edu.au>

Can you please rebase on top of current master?

> Made-with: Cursor

Please see
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/coding-assistants.rst
and rework this tag as well, thanks.

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]