On Sat, 14 Mar 2026 23:01:47 +0000
Josh Law <objecting@objecting.org> wrote:
> Move the xbc_node_num increment to after xbc_init_node() so a failed
> init does not leave a partially initialized node counted in the array.
>
> If xbc_init_node() fails on a data offset at the boundary of a
> maximum-size bootconfig, the pre-incremented count causes subsequent
> tree verification and traversal to consider the uninitialized node as
> valid, potentially leading to an out-of-bounds read or unpredictable
> boot behavior.
In that case, it returns a parse error(-ENOMEM) and the parsing stops.
This seems a hardening not a fix unless actual example you can show.
Thank you,
>
> Signed-off-by: Josh Law <objecting@objecting.org>
> ---
> lib/bootconfig.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/lib/bootconfig.c b/lib/bootconfig.c
> index 56fbedc9e725..06e8a79ab472 100644
> --- a/lib/bootconfig.c
> +++ b/lib/bootconfig.c
> @@ -429,9 +429,10 @@ static struct xbc_node * __init xbc_add_node(char *data, uint16_t flag)
> if (xbc_node_num == XBC_NODE_MAX)
> return NULL;
>
> - node = &xbc_nodes[xbc_node_num++];
> + node = &xbc_nodes[xbc_node_num];
> if (xbc_init_node(node, data, flag) < 0)
> return NULL;
> + xbc_node_num++;
>
> return node;
> }
> --
> 2.34.1
>
--
Masami Hiramatsu (Google) <mhiramat@kernel.org>