From: Sasha Levin <sashal@kernel.org>
To: patches@lists.linux.dev, stable@vger.kernel.org
Cc: Suchit Karunakaran <suchitkarunakaran@gmail.com>,
Nicolas Schier <nicolas.schier@linux.dev>,
Masahiro Yamada <masahiroy@kernel.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 6.16-5.4] kconfig: lxdialog: replace strcpy() with strncpy() in inputbox.c
Date: Sat, 9 Aug 2025 20:21:00 -0400
Message-ID: <20250810002104.1545396-11-sashal@kernel.org>
In-Reply-To: <20250810002104.1545396-1-sashal@kernel.org>
From: Suchit Karunakaran <suchitkarunakaran@gmail.com>
[ Upstream commit 5ac726653a1029a2eccba93bbe59e01fc9725828 ]
strcpy() performs no bounds checking and can lead to buffer overflows if
the input string exceeds the destination buffer size. This patch replaces
it with strncpy(), and null terminates the input string.
Signed-off-by: Suchit Karunakaran <suchitkarunakaran@gmail.com>
Reviewed-by: Nicolas Schier <nicolas.schier@linux.dev>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
LLM Generated explanations, may be completely bogus:
Based on my analysis of the commit and the code context I was able to
examine, here's my assessment:
**Backport Status: YES**
## Extensive Explanation:
This commit should be backported to stable kernel trees for the
following reasons:
### 1. **Security Bug Fix**
The commit fixes a potential buffer overflow vulnerability in the
kconfig lxdialog inputbox code. Looking at the code changes:
- The original code uses `strcpy(instr, init)` at line 43 without any
bounds checking
- `instr` points to `dialog_input_result` which is defined as `char
dialog_input_result[MAX_LEN + 1]` (line 11)
- From dialog.h, `MAX_LEN` is defined as 2048 (line 25)
- If `init` string exceeds 2048 characters, it would overflow the buffer
### 2. **Simple and Contained Fix**
The fix is minimal and straightforward:
```c
- else
- strcpy(instr, init);
+ else {
+ strncpy(instr, init, sizeof(dialog_input_result) - 1);
+ instr[sizeof(dialog_input_result) - 1] = '\0';
+ }
```
- Replaces unsafe `strcpy()` with bounded `strncpy()`
- Properly null-terminates the string to prevent unterminated string
issues
- Uses `sizeof(dialog_input_result) - 1` to ensure proper bounds
### 3. **Low Risk of Regression**
- The change is localized to a single function in the kconfig tool
- It doesn't alter the logic flow, only makes the string copy safer
- The kconfig lxdialog is used during kernel configuration, not runtime
kernel code
- The fix maintains the same functionality while adding safety
### 4. **Meets Stable Criteria**
According to stable kernel rules, this commit qualifies because it:
- Fixes a real bug (buffer overflow vulnerability)
- Is obviously correct and tested (has review from Nicolas Schier)
- Is small (only 4 lines changed)
- Doesn't add new features or change architecture
- Has no functional side effects beyond the security fix
### 5. **Potential Security Impact**
While this is in the build tools rather than runtime kernel code, buffer
overflows in build tools can still be exploited:
- Could be triggered by malicious Kconfig files
- Could affect kernel developers or automated build systems
- Even build-time vulnerabilities should be fixed in stable trees
The commit is a textbook example of a security fix that should be
backported - it's small, focused, fixes a clear vulnerability, and has
minimal risk of causing regressions.
scripts/kconfig/lxdialog/inputbox.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/scripts/kconfig/lxdialog/inputbox.c b/scripts/kconfig/lxdialog/inputbox.c
index 3c6e24b20f5b..5e4a131724f2 100644
--- a/scripts/kconfig/lxdialog/inputbox.c
+++ b/scripts/kconfig/lxdialog/inputbox.c
@@ -39,8 +39,10 @@ int dialog_inputbox(const char *title, const char *prompt, int height, int width
if (!init)
instr[0] = '\0';
- else
- strcpy(instr, init);
+ else {
+ strncpy(instr, init, sizeof(dialog_input_result) - 1);
+ instr[sizeof(dialog_input_result) - 1] = '\0';
+ }
do_resize:
if (getmaxy(stdscr) <= (height - INPUTBOX_HEIGHT_MIN))
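Review bot: In the new else branch the copy bound is sizeof(dialog_input_result) - 1 while the write goes through instr, so the size is only correct as long as instr aliases that array; a short comment saying so, or a bound passed in alongside the pointer, would keep the two tied together. The copy also shortens an over-long init silently, so the caller cannot tell that the initial value was cut; consider comparing strlen(init) against the bound and reporting it. Style: now that the else branch has braces, kernel coding style asks for braces on the `if (!init)` branch as well.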
--
2.39.5
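
The bounded copy discussed in this message, as an added stand-alone example (not code from the patch or the kernel tree). It shows why the explicit terminator is needed and how truncation can be reported; `set_initial_input()` and `stored_len_for()` are hypothetical names, and `MAX_LEN` uses the value quoted in the explanation above.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LEN 2048	/* value the explanation above quotes from dialog.h */
static char dialog_input_result[MAX_LEN + 1];

/* Hypothetical helper: the patched copy, plus a truncation report. */
static int set_initial_input(const char *init)
{
	char *instr = dialog_input_result;
	size_t cap = sizeof(dialog_input_result) - 1;

	if (!init) {
		instr[0] = '\0';
		return 0;
	}
	/* strncpy() writes no NUL when init has cap or more bytes ... */
	strncpy(instr, init, cap);
	/* ... so the terminator is set explicitly, as in the patch. */
	instr[cap] = '\0';
	return strlen(init) > cap;	/* 1 if the initial value was cut */
}

/* Copy a constructed string of n 'A' bytes; return what ended up stored. */
static size_t stored_len_for(size_t n, int *truncated)
{
	static char src[2 * MAX_LEN];

	if (n >= sizeof(src))
		n = sizeof(src) - 1;
	memset(src, 'A', n);
	src[n] = '\0';
	/* Poison the destination so a missing terminator could not hide. */
	memset(dialog_input_result, 'X', sizeof(dialog_input_result));
	*truncated = set_initial_input(src);
	return strlen(dialog_input_result);
}

int main(void)
{
	size_t sizes[] = { 10, MAX_LEN, 3000 };	/* constructed lengths */
	int cut;

	for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
		size_t got = stored_len_for(sizes[i], &cut);
		printf("init=%zu stored=%zu truncated=%d\n", sizes[i], got, cut);
	}
	return 0;
}
```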