[PATCH] kconfig: fix buffer overflow in conf_get_default_confname()
Tom Rini
trini at konsulko.com
Fri Feb 27 00:41:12 CET 2026
On Fri, Feb 27, 2026 at 12:05:13AM +0300, Anton Moryakov wrote:
> Use snprintf() instead of sprintf() when building the full config path
> to prevent potential buffer overflow.
>
> The function previously used sprintf() to concatenate SRCTREE environment
> variable with the expanded config name into a fixed-size buffer
> fullname[PATH_MAX+1]. Since getenv() can return arbitrarily long strings,
> this could lead to writing beyond the buffer boundary (CWE-120).
>
> Changes:
> - Replace sprintf() with snprintf() with proper size checking
> - Add validation of snprintf() return value to detect truncation
> - Emit conf_warning() if the resulting path exceeds PATH_MAX
> - Return the unprefixed name as fallback on error, preserving behavior
>
> This fixes the static analyzer warning:
> confdata.c:119: buffer overflow via getenv() tainted input
>
> Reported-by: static analyzer Svace
> Signed-off-by: Anton Moryakov <ant.v.moryakov at gmail.com>
> ---
> scripts/kconfig/confdata.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)

In this case I think we would be better served by resyncing with the
linux kernel which has:

commit b6f7e9f7050b9f8e5fe60d86e05c0740295a54bf
Author: Masahiro Yamada <yamada.masahiro at socionext.com>
Date:   Mon May 27 23:37:22 2019 +0900

    kconfig: require the argument of --defconfig

And removes this particular code.

--
Tom
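
The truncation check described in the quoted commit message, as an added example that is not code from the patch, U-Boot or Linux. `join_prefixed` and its parameters are hypothetical names, and a 16-byte buffer stands in for `fullname[PATH_MAX+1]` so the over-long case is easy to trigger.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not the project's code): build "prefix/name" in buf.
 * Returns buf on success. On truncation or output error it returns name
 * unchanged (the fallback the commit message describes) and sets *truncated
 * so the caller can emit a warning. */
static const char *join_prefixed(char *buf, size_t bufsz, const char *prefix,
				 const char *name, int *truncated)
{
	int n;

	*truncated = 0;
	if (!prefix || bufsz == 0)
		return name;	/* no prefix set: use the bare name */

	n = snprintf(buf, bufsz, "%s/%s", prefix, name);
	/* n < 0: output error. n >= bufsz: the full string did not fit;
	 * snprintf() wrote at most bufsz - 1 bytes plus the terminator. */
	if (n < 0 || (size_t)n >= bufsz) {
		*truncated = 1;
		buf[0] = '\0';	/* do not leave a partial path behind */
		return name;
	}
	return buf;
}

int main(void)
{
	char buf[16];	/* stands in for fullname[PATH_MAX+1] */
	int trunc;
	const char *p;

	p = join_prefixed(buf, sizeof(buf), "/src", ".config", &trunc);
	printf("%s (truncated=%d)\n", p, trunc);

	/* Constructed over-long prefix, as an unbounded getenv() value can be. */
	p = join_prefixed(buf, sizeof(buf), "/a/very/long/source/tree",
			  ".config", &trunc);
	printf("%s (truncated=%d)\n", p, trunc);
	return 0;
}
```

The comparison is `>=` rather than `>` because snprintf() returns the length it wanted to write without counting the terminating NUL, so a return value equal to the buffer size already means one byte was dropped.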