+ lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch added to mm-nonmm-unstable branch

+ lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch added to mm-nonmm-unstable branch

[Andrew Morton]

The patch titled
     Subject: lib/bootconfig: check bounds before writing in __xbc_open_brace()
has been added to the -mm mm-nonmm-unstable branch.  Its filename is
     lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch

This patch will shortly appear at
     https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patches/lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch

This patch will later appear in the mm-nonmm-unstable branch at
    git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next via various
branches at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there most days

------------------------------------------------------
From: Josh Law <objecting@objecting.org>
Subject: lib/bootconfig: check bounds before writing in __xbc_open_brace()
Date: Thu, 12 Mar 2026 19:11:42 +0000

The bounds check for brace_index happens after the array write.  While the
current call pattern prevents an actual out-of-bounds access (the previous
call would have returned an error), the write-before-check pattern is
fragile and would become a real out-of-bounds write if the error return
were ever not propagated.

Move the bounds check before the array write so the function is
self-contained and safe regardless of caller behavior.

Link: https://lkml.kernel.org/r/20260312191143.28719-3-objecting@objecting.org
Signed-off-by: Josh Law <objecting@objecting.org>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 lib/bootconfig.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/lib/bootconfig.c~lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace
+++ a/lib/bootconfig.c
@@ -532,9 +532,9 @@ static char *skip_spaces_until_newline(c
 static int __init __xbc_open_brace(char *p)
 {
 	/* Push the last key as open brace */
-	open_brace[brace_index++] = xbc_node_index(last_parent);
 	if (brace_index >= XBC_DEPTH_MAX)
 		return xbc_parse_error("Exceed max depth of braces", p);
+	open_brace[brace_index++] = xbc_node_index(last_parent);
 
 	return 0;
 }
_

Patches currently in -mm which might be from objecting@objecting.org are

lib-maple_tree-fix-swapped-arguments-in-mas_safe_pivot-call.patch
lib-glob-fix-grammar-and-replace-non-inclusive-terminology.patch
lib-glob-add-explicit-include-for-exporth.patch
lib-glob-replace-bitwise-or-with-logical-operation-on-boolean.patch
lib-glob-clean-up-bool-abuse-in-pointer-arithmetic.patch
lib-uuid-fix-typo-reversion-to-revision-in-comment.patch
lib-inflate-fix-memory-leak-in-inflate_fixed-on-inflate_codes-failure.patch
lib-inflate-fix-memory-leak-in-inflate_dynamic-on-inflate_codes-failure.patch
lib-inflate-fix-grammar-in-comment-variable-to-variables.patch
lib-inflate-fix-typo-this-results-to-the-results-in-comment.patch
lib-bug-fix-inconsistent-capitalization-in-bug-message.patch
lib-bug-remove-unnecessary-variable-initializations.patch
lib-idr-fix-ida_find_first_range-missing-ids-across-chunk-boundaries.patch
lib-decompress_bunzip2-fix-32-bit-shift-undefined-behavior.patch
maintainers-add-josh-law-as-reviewer-for-library-code.patch
lib-bootconfig-fix-typo-budy-in-_xbc_exit-comment.patch
lib-ts_bm-fix-integer-overflow-in-pattern-length-calculation.patch
lib-ts_kmp-fix-integer-overflow-in-pattern-length-calculation.patch
lib-bootconfig-fix-off-by-one-in-xbc_verify_tree-unclosed-brace-error.patch
lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch
lib-bootconfig-fix-snprintf-truncation-check-in-xbc_node_compose_key_after.patch

Re: + lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch added to mm-nonmm-unstable branch

[Josh Law]

12 Mar 2026 20:19:23 Andrew Morton <akpm@linux-foundation.org>:

>
> The patch titled
>      Subject: lib/bootconfig: check bounds before writing in __xbc_open_brace()
> has been added to the -mm mm-nonmm-unstable branch.  Its filename is
>      lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch
>
> This patch will shortly appear at
>      https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patches/lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch
>
> This patch will later appear in the mm-nonmm-unstable branch at
>     git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
>
> Before you just go and hit "reply", please:
>    a) Consider who else should be cc'ed
>    b) Prefer to cc a suitable mailing list as well
>    c) Ideally: find the original patch on the mailing list and do a
>       reply-to-all to that, adding suitable additional cc's
>
> *** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
>
> The -mm tree is included into linux-next via various
> branches at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
> and is updated there most days
>
> ------------------------------------------------------
> From: Josh Law <objecting@objecting.org>
> Subject: lib/bootconfig: check bounds before writing in __xbc_open_brace()
> Date: Thu, 12 Mar 2026 19:11:42 +0000
>
> The bounds check for brace_index happens after the array write.  While the
> current call pattern prevents an actual out-of-bounds access (the previous
> call would have returned an error), the write-before-check pattern is
> fragile and would become a real out-of-bounds write if the error return
> were ever not propagated.
>
> Move the bounds check before the array write so the function is
> self-contained and safe regardless of caller behavior.
>
> Link: https://lkml.kernel.org/r/20260312191143.28719-3-objecting@objecting.org
> Signed-off-by: Josh Law <objecting@objecting.org>
> Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
> Cc: Masami Hiramatsu <mhiramat@kernel.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> ---
>
> lib/bootconfig.c |    2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> --- a/lib/bootconfig.c~lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace
> +++ a/lib/bootconfig.c
> @@ -532,9 +532,9 @@ static char *skip_spaces_until_newline(c
> static int __init __xbc_open_brace(char *p)
> {
>     /* Push the last key as open brace */
> -   open_brace[brace_index++] = xbc_node_index(last_parent);
>     if (brace_index >= XBC_DEPTH_MAX)
>         return xbc_parse_error("Exceed max depth of braces", p);
> +   open_brace[brace_index++] = xbc_node_index(last_parent);
>
>     return 0;
> }
> _
>
> Patches currently in -mm which might be from objecting@objecting.org are
>
> lib-maple_tree-fix-swapped-arguments-in-mas_safe_pivot-call.patch
> lib-glob-fix-grammar-and-replace-non-inclusive-terminology.patch
> lib-glob-add-explicit-include-for-exporth.patch
> lib-glob-replace-bitwise-or-with-logical-operation-on-boolean.patch
> lib-glob-clean-up-bool-abuse-in-pointer-arithmetic.patch
> lib-uuid-fix-typo-reversion-to-revision-in-comment.patch
> lib-inflate-fix-memory-leak-in-inflate_fixed-on-inflate_codes-failure.patch
> lib-inflate-fix-memory-leak-in-inflate_dynamic-on-inflate_codes-failure.patch
> lib-inflate-fix-grammar-in-comment-variable-to-variables.patch
> lib-inflate-fix-typo-this-results-to-the-results-in-comment.patch
> lib-bug-fix-inconsistent-capitalization-in-bug-message.patch
> lib-bug-remove-unnecessary-variable-initializations.patch
> lib-idr-fix-ida_find_first_range-missing-ids-across-chunk-boundaries.patch
> lib-decompress_bunzip2-fix-32-bit-shift-undefined-behavior.patch
> maintainers-add-josh-law-as-reviewer-for-library-code.patch
> lib-bootconfig-fix-typo-budy-in-_xbc_exit-comment.patch
> lib-ts_bm-fix-integer-overflow-in-pattern-length-calculation.patch
> lib-ts_kmp-fix-integer-overflow-in-pattern-length-calculation.patch
> lib-bootconfig-fix-off-by-one-in-xbc_verify_tree-unclosed-brace-error.patch
> lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch
> lib-bootconfig-fix-snprintf-truncation-check-in-xbc_node_compose_key_after.patch

Hi Andrew, before you complain about the other patches, "email" situation,



Tomorrow I'll properly setup objecting@objecting.org to be able to send emails, to mitigate this, thanks for the understanding

V/R



Josh Law

Re: + lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch added to mm-nonmm-unstable branch

[Josh Law]

12 Mar 2026 20:21:56 Josh Law <hlcj1234567@gmail.com>:

> 12 Mar 2026 20:19:23 Andrew Morton <akpm@linux-foundation.org>:
>
>>
>> The patch titled
>>      Subject: lib/bootconfig: check bounds before writing in __xbc_open_brace()
>> has been added to the -mm mm-nonmm-unstable branch.  Its filename is
>>      lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch
>>
>> This patch will shortly appear at
>>      https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patches/lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch
>>
>> This patch will later appear in the mm-nonmm-unstable branch at
>>     git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
>>
>> Before you just go and hit "reply", please:
>>    a) Consider who else should be cc'ed
>>    b) Prefer to cc a suitable mailing list as well
>>    c) Ideally: find the original patch on the mailing list and do a
>>       reply-to-all to that, adding suitable additional cc's
>>
>> *** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
>>
>> The -mm tree is included into linux-next via various
>> branches at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
>> and is updated there most days
>>
>> ------------------------------------------------------
>> From: Josh Law <objecting@objecting.org>
>> Subject: lib/bootconfig: check bounds before writing in __xbc_open_brace()
>> Date: Thu, 12 Mar 2026 19:11:42 +0000
>>
>> The bounds check for brace_index happens after the array write.  While the
>> current call pattern prevents an actual out-of-bounds access (the previous
>> call would have returned an error), the write-before-check pattern is
>> fragile and would become a real out-of-bounds write if the error return
>> were ever not propagated.
>>
>> Move the bounds check before the array write so the function is
>> self-contained and safe regardless of caller behavior.
>>
>> Link: https://lkml.kernel.org/r/20260312191143.28719-3-objecting@objecting.org
>> Signed-off-by: Josh Law <objecting@objecting.org>
>> Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
>> Cc: Masami Hiramatsu <mhiramat@kernel.org>
>> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
>> ---
>>
>> lib/bootconfig.c |    2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> --- a/lib/bootconfig.c~lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace
>> +++ a/lib/bootconfig.c
>> @@ -532,9 +532,9 @@ static char *skip_spaces_until_newline(c
>> static int __init __xbc_open_brace(char *p)
>> {
>>     /* Push the last key as open brace */
>> -   open_brace[brace_index++] = xbc_node_index(last_parent);
>>     if (brace_index >= XBC_DEPTH_MAX)
>>         return xbc_parse_error("Exceed max depth of braces", p);
>> +   open_brace[brace_index++] = xbc_node_index(last_parent);
>>
>>     return 0;
>> }
>> _
>>
>> Patches currently in -mm which might be from objecting@objecting.org are
>>
>> lib-maple_tree-fix-swapped-arguments-in-mas_safe_pivot-call.patch
>> lib-glob-fix-grammar-and-replace-non-inclusive-terminology.patch
>> lib-glob-add-explicit-include-for-exporth.patch
>> lib-glob-replace-bitwise-or-with-logical-operation-on-boolean.patch
>> lib-glob-clean-up-bool-abuse-in-pointer-arithmetic.patch
>> lib-uuid-fix-typo-reversion-to-revision-in-comment.patch
>> lib-inflate-fix-memory-leak-in-inflate_fixed-on-inflate_codes-failure.patch
>> lib-inflate-fix-memory-leak-in-inflate_dynamic-on-inflate_codes-failure.patch
>> lib-inflate-fix-grammar-in-comment-variable-to-variables.patch
>> lib-inflate-fix-typo-this-results-to-the-results-in-comment.patch
>> lib-bug-fix-inconsistent-capitalization-in-bug-message.patch
>> lib-bug-remove-unnecessary-variable-initializations.patch
>> lib-idr-fix-ida_find_first_range-missing-ids-across-chunk-boundaries.patch
>> lib-decompress_bunzip2-fix-32-bit-shift-undefined-behavior.patch
>> maintainers-add-josh-law-as-reviewer-for-library-code.patch
>> lib-bootconfig-fix-typo-budy-in-_xbc_exit-comment.patch
>> lib-ts_bm-fix-integer-overflow-in-pattern-length-calculation.patch
>> lib-ts_kmp-fix-integer-overflow-in-pattern-length-calculation.patch
>> lib-bootconfig-fix-off-by-one-in-xbc_verify_tree-unclosed-brace-error.patch
>> lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch
>> lib-bootconfig-fix-snprintf-truncation-check-in-xbc_node_compose_key_after.patch
>
> Hi Andrew, before you complain about the other patches, "email" situation,
>
>
>
> Tomorrow I'll properly setup objecting@objecting.org to be able to send emails, to mitigate this, thanks for the understanding
>
> V/R
>
>
>
> Josh Law

Also btw there indeed are other patches


---- uuid ----
https://lore.kernel.org/all/20260312184113.23564-1-objecting@objecting.org/


----maple_tree------
https://lore.kernel.org/all/20260312184054.23481-1-objecting@objecting.org/
https://lore.kernel.org/all/20260312184054.23481-2-objecting@objecting.org/



------ldr----
https://lore.kernel.org/all/20260312181948.20020-1-objecting@objecting.org/
https://lore.kernel.org/all/20260312181948.20020-2-objecting@objecting.org/
https://lore.kernel.org/all/20260312181948.20020-3-objecting@objecting.org/


(Yeah I was working loads today, I got a new server and I decided to help lib some more)

#libforever

V/R