[PATCH v4 08/17] lib/bootconfig: fix off-by-one in xbc_verify_tree() next node check

Josh Law posted 17 patches 3 weeks, 2 days ago
There is a newer version of this series
Posted by Josh Law 3 weeks, 2 days ago
Valid node indices are 0 to xbc_node_num-1, so a next value equal to
xbc_node_num is out of bounds.  Use >= instead of > to catch this.

A malformed or corrupt bootconfig could pass tree verification with
an out-of-bounds next index.  On subsequent tree traversal at boot
time, xbc_node_get_next() would return a pointer past the allocated
xbc_nodes array, causing an out-of-bounds read of kernel memory.

Signed-off-by: Josh Law <objecting@objecting.org>
---
 lib/bootconfig.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/bootconfig.c b/lib/bootconfig.c
index 58d6ae297280..56fbedc9e725 100644
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -816,7 +816,7 @@ static int __init xbc_verify_tree(void)
 	}
 
 	for (i = 0; i < xbc_node_num; i++) {
-		if (xbc_nodes[i].next > xbc_node_num) {
+		if (xbc_nodes[i].next >= xbc_node_num) {
 			return xbc_parse_error("No closing brace",
 				xbc_node_get_data(xbc_nodes + i));
 		}
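Review bot: the tightened bound is correct, since a next value equal to xbc_node_num indexes one element past the populated xbc_nodes table, but the error string "No closing brace" does not describe what was detected; a message naming the out-of-range next index (for example "Invalid next node index") would make the failure diagnosable from the boot log. The commit message should also state how a tree that came out of the parser can have a node with next == xbc_node_num, or say plainly that the check is defensive hardening, since the commit text asserts an out-of-bounds read at traversal time without showing an input that produces it.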
-- 
2.34.1
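The off-by-one, shown on a small model of the node table rather than the kernel's own code: this is an added example, not part of the patch or of lib/bootconfig.c. The struct, helper names, table size and node contents are constructed for the illustration; the only behaviour carried over from the kernel is that sibling links are array indices and that, as in xbc_node_get_next(), a next value of 0 means "no sibling". The example does not answer the reviewer's question of which bootconfig text, if any, yields such a table; it only shows what each check accepts.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the bootconfig node table (constructed for this example): nodes
 * link to their next sibling by index into one array, and index 0 is the
 * "no next sibling" sentinel, as in the kernel's xbc_node_get_next(). */
struct node {
	uint16_t next;
	const char *data;
};

#define NODE_MAX 8               /* backing array size, example only */

static struct node nodes[NODE_MAX];
static int node_num;             /* number of populated entries */

/* Mirrors xbc_node_get_next(): follow any non-zero next index. */
static struct node *node_get_next(const struct node *n)
{
	return n->next ? &nodes[n->next] : NULL;
}

/* Check as it stood before the patch: '>' lets next == node_num through. */
static bool verify_before(void)
{
	for (int i = 0; i < node_num; i++)
		if (nodes[i].next > node_num)
			return false;
	return true;
}

/* Check as patched: '>=' rejects next == node_num as well. */
static bool verify_after(void)
{
	for (int i = 0; i < node_num; i++)
		if (nodes[i].next >= node_num)
			return false;
	return true;
}

/* Walk the sibling chain from nodes[start] the way boot-time traversal
 * would, but stop and return -1 as soon as a link points at an entry
 * beyond the populated table; in the real code that step would be an
 * out-of-bounds read. Returns the chain length otherwise. */
static int walk_siblings(int start)
{
	int count = 0;

	for (const struct node *n = &nodes[start]; n; n = node_get_next(n)) {
		if (n - nodes >= node_num)
			return -1;
		count++;
	}
	return count;
}

/* Build a three-node chain whose last link is last_next (constructed). */
static void build_table(uint16_t last_next)
{
	node_num = 3;
	nodes[0] = (struct node){ .next = 1, .data = "root" };
	nodes[1] = (struct node){ .next = 2, .data = "a" };
	nodes[2] = (struct node){ .next = last_next, .data = "b" };
}

int main(void)
{
	uint16_t cases[] = { 0, 3, 4 };   /* valid end, == node_num, > node_num */

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		build_table(cases[i]);
		printf("last next=%u: before=%s after=%s walk=%d\n",
		       cases[i],
		       verify_before() ? "pass" : "reject",
		       verify_after() ? "pass" : "reject",
		       walk_siblings(0));
	}
	return 0;
}
```

The middle case is the one the patch is about: next == node_num passes the old '>' check, fails the new '>=' check, and a traversal that trusts the old check steps one entry past the populated table.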
Re: [PATCH v4 08/17] lib/bootconfig: fix off-by-one in xbc_verify_tree() next node check
Posted by Masami Hiramatsu (Google) 3 weeks, 1 day ago
On Sat, 14 Mar 2026 23:01:46 +0000
Josh Law <objecting@objecting.org> wrote:

> Valid node indices are 0 to xbc_node_num-1, so a next value equal to
> xbc_node_num is out of bounds.  Use >= instead of > to catch this.
> 
> A malformed or corrupt bootconfig could pass tree verification with
> an out-of-bounds next index.  On subsequent tree traversal at boot
> time, xbc_node_get_next() would return a pointer past the allocated
> xbc_nodes array, causing an out-of-bounds read of kernel memory.
> 

Thanks, but how? Do you have an actual config example?
Without that, I would like to treat this as a minor fix.

Thanks,

> Signed-off-by: Josh Law <objecting@objecting.org>
> ---
>  lib/bootconfig.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/lib/bootconfig.c b/lib/bootconfig.c
> index 58d6ae297280..56fbedc9e725 100644
> --- a/lib/bootconfig.c
> +++ b/lib/bootconfig.c
> @@ -816,7 +816,7 @@ static int __init xbc_verify_tree(void)
>  	}
>  
>  	for (i = 0; i < xbc_node_num; i++) {
> -		if (xbc_nodes[i].next > xbc_node_num) {
> +		if (xbc_nodes[i].next >= xbc_node_num) {
>  			return xbc_parse_error("No closing brace",
>  				xbc_node_get_data(xbc_nodes + i));
>  		}
> -- 
> 2.34.1
> 


-- 
Masami Hiramatsu (Google) <mhiramat@kernel.org>