From: Shankari Anand <shankari.ak0208@gmail.com>
[ Upstream commit f468992936894c9ce3b1659cf38c230d33b77a16 ]
strncpy() does not guarantee null-termination if the source string is longer than the destination buffer.
Ensure the buffer is explicitly null-terminated to prevent potential string overflows or undefined behavior.
Signed-off-by: Shankari Anand <shankari.ak0208@gmail.com>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Nicolas Schier <n.schier@avm.de>
Acked-by: Nicolas Schier <n.schier@avm.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
LLM Generated explanations, may be completely bogus:
**Backport Status: YES**
This commit is a clear security/safety fix that should be backported to stable kernel trees. Here's my detailed analysis:
## Code Changes Analysis
The commit adds explicit null termination after `strncpy()` calls in two locations:
1. **scripts/kconfig/nconf.c** (line ~596):
   - After copying with `strncpy(k_menu_items[index].str, tmp_str, sizeof(k_menu_items[index].str))`
   - Adds: `k_menu_items[index].str[sizeof(k_menu_items[index].str) - 1] = '\0';`
2. **scripts/kconfig/nconf.gui.c** (line ~361):
   - After copying with `strncpy(result, init, *result_len)`
   - Adds: `result[*result_len - 1] = '\0';`
## Why This Should Be Backported
1. **Bug Fix**: This fixes a genuine security issue where `strncpy()` does not guarantee null-termination if the source string equals or exceeds the destination buffer size. This can lead to:
   - Buffer overruns when the string is later used
   - Information disclosure (reading past buffer boundaries)
   - Potential crashes or undefined behavior
2. **Small and Contained**: The fix is minimal - just two single-line additions that ensure null termination. No architectural changes or new features.
3. **Low Risk**: The changes are straightforward defensive programming practices that cannot introduce regressions. They only ensure strings are properly terminated.
4. **Security Impact**: String handling bugs are a common source of security vulnerabilities. While kconfig tools are build-time utilities (not runtime kernel code), they process user-provided configuration data and should handle strings safely.
5. **Meets Stable Criteria**:
   - Fixes a real bug (improper string termination)
   - Minimal change (2 lines added)
   - Obviously correct (standard C string safety practice)
   - No new functionality
6. **Testing**: The commit has been tested by multiple developers (Randy Dunlap, Nicolas Schier) and acked by them, indicating confidence in the fix.
The defensive null-termination pattern after `strncpy()` is a well-established best practice in C programming to prevent string-related bugs. This type of fix is exactly what stable kernels should include to improve reliability and security without introducing new risks.
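As an added illustration of the pattern discussed above (not code from the patch or the kernel tree): a constructed stand-in for the fixed-size item buffer in nconf.c, showing that `strncpy()` alone leaves the buffer unterminated when the source fills it, while the patch's explicit terminator always yields a valid string at the cost of silent truncation. The buffer width `STR_SIZE`, the function names and the sample inputs are assumptions for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the fixed-size item buffer in nconf.c; the
 * width is an assumption for the demo, not the kernel's actual value. */
#define STR_SIZE 8

struct menu_item {
    char str[STR_SIZE];
};

/* Bounded check: 1 if a NUL exists inside the buffer, else 0. memchr is
 * used instead of strlen so the check itself never reads past size. */
int is_nul_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* Pre-patch pattern: strncpy alone. When strlen(src) >= sizeof(dst) no
 * terminator is written, so the buffer is not a valid C string. */
int strncpy_only_terminated(const char *src)
{
    struct menu_item item;
    memset(&item, 0xAA, sizeof(item)); /* poison so a missing NUL shows */
    strncpy(item.str, src, sizeof(item.str));
    return is_nul_terminated(item.str, sizeof(item.str));
}

/* Patched pattern: force the last byte to NUL. The copy may be silently
 * truncated, but the result is always a valid string. Returns the string
 * from a static buffer so callers can inspect what was kept. */
const char *strncpy_fixed(const char *src)
{
    static struct menu_item item;
    memset(&item, 0xAA, sizeof(item));
    strncpy(item.str, src, sizeof(item.str));
    item.str[sizeof(item.str) - 1] = '\0';
    return item.str;
}

int main(void)
{
    /* Constructed inputs: one shorter than the buffer, one exactly as long. */
    const char *inputs[] = { "FOO", "CONFIG_X" };
    for (size_t i = 0; i < 2; i++) {
        printf("%-9s strncpy only terminated=%d, fixed=\"%s\"\n",
               inputs[i], strncpy_only_terminated(inputs[i]),
               strncpy_fixed(inputs[i]));
    }
    return 0;
}
```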
 scripts/kconfig/nconf.c     | 2 ++
 scripts/kconfig/nconf.gui.c | 1 +
 2 files changed, 3 insertions(+)
diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c index c0b2dabf6c89..ae1fe5f60327 100644 --- a/scripts/kconfig/nconf.c +++ b/scripts/kconfig/nconf.c @@ -593,6 +593,8 @@ static void item_add_str(const char *fmt, ...) tmp_str, sizeof(k_menu_items[index].str));
+ k_menu_items[index].str[sizeof(k_menu_items[index].str) - 1] = '\0'; + free_item(curses_menu_items[index]); curses_menu_items[index] = new_item( k_menu_items[index].str, diff --git a/scripts/kconfig/nconf.gui.c b/scripts/kconfig/nconf.gui.c index 4bfdf8ac2a9a..7206437e784a 100644 --- a/scripts/kconfig/nconf.gui.c +++ b/scripts/kconfig/nconf.gui.c @@ -359,6 +359,7 @@ int dialog_inputbox(WINDOW *main_window, x = (columns-win_cols)/2;
strncpy(result, init, *result_len); + result[*result_len - 1] = '\0';
/* create the windows */ win = newwin(win_lines, win_cols, y, x);
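Review bot: In the nconf.c hunk, `k_menu_items[index].str[sizeof(k_menu_items[index].str) - 1] = '\0';` is unconditional, so any `tmp_str` longer than the buffer is now truncated silently; the commit message should say whether such input is expected and truncation acceptable, or whether a length check belongs before the `strncpy()`. As a style point, `snprintf(k_menu_items[index].str, sizeof(k_menu_items[index].str), "%s", tmp_str)` gives the same guarantee in one call and states the intent more directly than strncpy plus a manual terminator.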
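Review bot: In the nconf.gui.c hunk, `result[*result_len - 1] = '\0';` is an out-of-bounds write (index -1) if `*result_len` is ever 0, and nothing in the hunk checks `*result_len` before it; unless every caller of `dialog_inputbox()` guarantees a non-zero length, guard the store with `if (*result_len > 0)` or assert the precondition. Worth noting in the message as well: when `init` is shorter than `*result_len`, `strncpy()` already zero-fills, so the new line only changes behaviour when `init` is at least `*result_len` bytes long, where it turns a missing terminator into a silent truncation.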