+ lib-bootconfig-fix-off-by-one-in-xbc_verify_tree-unclosed-brace-error.patch added to mm-nonmm-unstable branch

All of lore.kernel.org
 help / color / mirror / Atom feed

* + lib-bootconfig-fix-off-by-one-in-xbc_verify_tree-unclosed-brace-error.patch added to mm-nonmm-unstable branch
@ 2026-03-12 20:19 Andrew Morton
  0 siblings, 0 replies; only message in thread
From: Andrew Morton @ 2026-03-12 20:19 UTC (permalink / raw)
  To: mm-commits, mhiramat, akpm, objecting, akpm


The patch titled
     Subject: lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error
has been added to the -mm mm-nonmm-unstable branch.  Its filename is
     lib-bootconfig-fix-off-by-one-in-xbc_verify_tree-unclosed-brace-error.patch

This patch will shortly appear at
     https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patches/lib-bootconfig-fix-off-by-one-in-xbc_verify_tree-unclosed-brace-error.patch

This patch will later appear in the mm-nonmm-unstable branch at
    git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next via various
branches at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there most days

------------------------------------------------------
From: Josh Law <objecting@objecting.org>
Subject: lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error
Date: Thu, 12 Mar 2026 19:11:41 +0000

Patch series "lib/bootconfig: three bug fixes", v2.

Three fixes for lib/bootconfig.c:

1. Fix off-by-one in xbc_verify_tree() unclosed brace error reporting.

2. Check bounds before writing in __xbc_open_brace() to prevent
   potential out-of-bounds writes.

3. Fix snprintf truncation check in xbc_node_compose_key_after().


This patch (of 3):

__xbc_open_brace() pushes entries with post-increment
(open_brace[brace_index++]), so brace_index always points one past the
last valid entry.  xbc_verify_tree() reads open_brace[brace_index] to
report which brace is unclosed, but this is one past the last pushed entry
and contains stale/zero data, causing the error message to reference the
wrong node.

Use open_brace[brace_index - 1] to correctly identify the unclosed brace. 
brace_index is known to be > 0 here since we are inside the if
(brace_index) guard.

Link: https://lkml.kernel.org/r/20260312191143.28719-1-objecting@objecting.org
Link: https://lkml.kernel.org/r/20260312191143.28719-2-objecting@objecting.org
Signed-off-by: Josh Law <objecting@objecting.org>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 lib/bootconfig.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/lib/bootconfig.c~lib-bootconfig-fix-off-by-one-in-xbc_verify_tree-unclosed-brace-error
+++ a/lib/bootconfig.c
@@ -802,7 +802,7 @@ static int __init xbc_verify_tree(void)
 
 	/* Brace closing */
 	if (brace_index) {
-		n = &xbc_nodes[open_brace[brace_index]];
+		n = &xbc_nodes[open_brace[brace_index - 1]];
 		return xbc_parse_error("Brace is not closed",
 					xbc_node_get_data(n));
 	}
_

Patches currently in -mm which might be from objecting@objecting.org are

lib-maple_tree-fix-swapped-arguments-in-mas_safe_pivot-call.patch
lib-glob-fix-grammar-and-replace-non-inclusive-terminology.patch
lib-glob-add-explicit-include-for-exporth.patch
lib-glob-replace-bitwise-or-with-logical-operation-on-boolean.patch
lib-glob-clean-up-bool-abuse-in-pointer-arithmetic.patch
lib-uuid-fix-typo-reversion-to-revision-in-comment.patch
lib-inflate-fix-memory-leak-in-inflate_fixed-on-inflate_codes-failure.patch
lib-inflate-fix-memory-leak-in-inflate_dynamic-on-inflate_codes-failure.patch
lib-inflate-fix-grammar-in-comment-variable-to-variables.patch
lib-inflate-fix-typo-this-results-to-the-results-in-comment.patch
lib-bug-fix-inconsistent-capitalization-in-bug-message.patch
lib-bug-remove-unnecessary-variable-initializations.patch
lib-idr-fix-ida_find_first_range-missing-ids-across-chunk-boundaries.patch
lib-decompress_bunzip2-fix-32-bit-shift-undefined-behavior.patch
maintainers-add-josh-law-as-reviewer-for-library-code.patch
lib-bootconfig-fix-typo-budy-in-_xbc_exit-comment.patch
lib-ts_bm-fix-integer-overflow-in-pattern-length-calculation.patch
lib-ts_kmp-fix-integer-overflow-in-pattern-length-calculation.patch
lib-bootconfig-fix-off-by-one-in-xbc_verify_tree-unclosed-brace-error.patch
lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch
lib-bootconfig-fix-snprintf-truncation-check-in-xbc_node_compose_key_after.patch


^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2026-03-12 20:19 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-12 20:19 + lib-bootconfig-fix-off-by-one-in-xbc_verify_tree-unclosed-brace-error.patch added to mm-nonmm-unstable branch Andrew Morton

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.