Linux kernel -stable discussions
From: Sasha Levin <sashal@kernel.org>
To: patches@lists.linux.dev, stable@vger.kernel.org
Cc: Shankari Anand <shankari.ak0208@gmail.com>,
	Masahiro Yamada <masahiroy@kernel.org>,
	Randy Dunlap <rdunlap@infradead.org>,
	Nicolas Schier <n.schier@avm.de>, Sasha Levin <sashal@kernel.org>,
	nicolas.schier@linux.dev, thorsten.blum@linux.dev,
	linux-kbuild@vger.kernel.org
Subject: [PATCH AUTOSEL 6.16-5.4] kconfig: nconf: Ensure null termination where strncpy is used
Date: Sat,  9 Aug 2025 20:20:59 -0400
Message-ID: <20250810002104.1545396-10-sashal@kernel.org>
In-Reply-To: <20250810002104.1545396-1-sashal@kernel.org>

From: Shankari Anand <shankari.ak0208@gmail.com>

[ Upstream commit f468992936894c9ce3b1659cf38c230d33b77a16 ]

strncpy() does not guarantee null-termination if the source string is
longer than the destination buffer.

Ensure the buffer is explicitly null-terminated to prevent potential
string overflows or undefined behavior.

Signed-off-by: Shankari Anand <shankari.ak0208@gmail.com>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Nicolas Schier <n.schier@avm.de>
Acked-by: Nicolas Schier <n.schier@avm.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

**Backport Status: YES**

This commit is a clear security/safety fix that should be backported to
stable kernel trees. Here's my detailed analysis:

## Code Changes Analysis

The commit adds explicit null termination after `strncpy()` calls in two
locations:

1. **scripts/kconfig/nconf.c** (line ~596):
   - After copying with `strncpy(k_menu_items[index].str, tmp_str,
     sizeof(k_menu_items[index].str))`
   - Adds: `k_menu_items[index].str[sizeof(k_menu_items[index].str) - 1]
     = '\0';`

2. **scripts/kconfig/nconf.gui.c** (line ~361):
   - After copying with `strncpy(result, init, *result_len)`
   - Adds: `result[*result_len - 1] = '\0';`

## Why This Should Be Backported

1. **Bug Fix**: This fixes a genuine security issue where `strncpy()`
   does not guarantee null-termination if the source string equals or
   exceeds the destination buffer size. This can lead to:
   - Buffer overruns when the string is later used
   - Information disclosure (reading past buffer boundaries)
   - Potential crashes or undefined behavior

2. **Small and Contained**: The fix is minimal - just two single-line
   additions that ensure null termination. No architectural changes or
   new features.

3. **Low Risk**: The changes are straightforward defensive programming
   practices that cannot introduce regressions. They only ensure strings
   are properly terminated.

4. **Security Impact**: String handling bugs are a common source of
   security vulnerabilities. While kconfig tools are build-time
   utilities (not runtime kernel code), they process user-provided
   configuration data and should handle strings safely.

5. **Meets Stable Criteria**:
   - Fixes a real bug (improper string termination)
   - Minimal change (2 lines added)
   - Obviously correct (standard C string safety practice)
   - No new functionality

6. **Testing**: The commit has been tested by multiple developers (Randy
   Dunlap, Nicolas Schier) and acked by them, indicating confidence in
   the fix.

The defensive null-termination pattern after `strncpy()` is a well-
established best practice in C programming to prevent string-related
bugs. This type of fix is exactly what stable kernels should include to
improve reliability and security without introducing new risks.

 scripts/kconfig/nconf.c     | 2 ++
 scripts/kconfig/nconf.gui.c | 1 +
 2 files changed, 3 insertions(+)

diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c
index c0b2dabf6c89..ae1fe5f60327 100644
--- a/scripts/kconfig/nconf.c
+++ b/scripts/kconfig/nconf.c
@@ -593,6 +593,8 @@ static void item_add_str(const char *fmt, ...)
 		tmp_str,
 		sizeof(k_menu_items[index].str));
 
+	k_menu_items[index].str[sizeof(k_menu_items[index].str) - 1] = '\0';
+
 	free_item(curses_menu_items[index]);
 	curses_menu_items[index] = new_item(
 			k_menu_items[index].str,
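Review bot: The added store to k_menu_items[index].str[sizeof(k_menu_items[index].str) - 1] in item_add_str() makes truncation silent: when tmp_str is as long as or longer than the destination, the menu text is cut at sizeof - 1 characters with nothing telling the caller. Terminating is right, but a short comment next to the strncpy() call stating the length limit would help, and since the same copy-then-terminate pair also appears in the nconf.gui.c hunk of this patch, a small shared helper would keep the two sites from drifting apart.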
diff --git a/scripts/kconfig/nconf.gui.c b/scripts/kconfig/nconf.gui.c
index 4bfdf8ac2a9a..7206437e784a 100644
--- a/scripts/kconfig/nconf.gui.c
+++ b/scripts/kconfig/nconf.gui.c
@@ -359,6 +359,7 @@ int dialog_inputbox(WINDOW *main_window,
 	x = (columns-win_cols)/2;
 
 	strncpy(result, init, *result_len);
+	result[*result_len - 1] = '\0';
 
 	/* create the windows */
 	win = newwin(win_lines, win_cols, y, x);
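Review bot: Missing bounds check on the new line `result[*result_len - 1] = '\0';` in dialog_inputbox(): it assumes *result_len is at least 1, and nothing in the visible context guarantees that. If a caller ever passes a zero length, the index becomes -1 (or wraps if the type is unsigned) and the store lands outside the buffer. Guard the store, for example with `if (*result_len > 0)`, or document the precondition where the function is declared.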
-- 
2.39.5
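
The behaviour the commit message describes, as an added example that is not part of the original message or of the kernel sources: `strncpy()` leaves the destination unterminated when the source fills it, and the copy-then-terminate pattern repairs that. The names `copy_unpatched`, `copy_terminated`, `is_terminated` and `SAMPLE_LONG` are hypothetical, and the zero-size guard and truncation return value are assumptions of this example that go beyond what the patch does.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: 8 visible characters, exactly filling an 8-byte buffer. */
static const char SAMPLE_LONG[] = "CONFIG_X";

/* 1 if a '\0' exists inside buf[0..size-1]; memchr never reads past size. */
int is_terminated(const char *buf, size_t size)
{
	return memchr(buf, '\0', size) != NULL;
}

/* Pre-patch pattern: strncpy() alone, no terminator if strlen(src) >= size. */
void copy_unpatched(char *dst, size_t size, const char *src)
{
	strncpy(dst, src, size);
}

/*
 * Patched pattern, plus a zero-size guard and a truncation report
 * (both added for this example, not present in the patch).
 * Returns 0 on a full copy, 1 if src was truncated, -1 if size is 0.
 */
int copy_terminated(char *dst, size_t size, const char *src)
{
	if (size == 0)
		return -1;	/* dst[size - 1] would be out of bounds */
	strncpy(dst, src, size);
	dst[size - 1] = '\0';
	return strlen(src) >= size;
}

int main(void)
{
	char before[8], after[8];

	/* Fill with non-zero bytes so a missing terminator is visible. */
	memset(before, 'Z', sizeof(before));
	memset(after, 'Z', sizeof(after));

	copy_unpatched(before, sizeof(before), SAMPLE_LONG);
	printf("unpatched terminated: %d\n", is_terminated(before, sizeof(before)));

	int truncated = copy_terminated(after, sizeof(after), SAMPLE_LONG);
	printf("patched terminated: %d, truncated: %d, text: %s\n",
	       is_terminated(after, sizeof(after)), truncated, after);
	return 0;
}
```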

