[PATCH v3 15/17] lib/bootconfig: validate child node index in xbc_verify_tree()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Josh Law <objecting@objecting.org>
To: Masami Hiramatsu <mhiramat@kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>
Cc: linux-trace-kernel@vger.kernel.org, linux-kernel@vger.kernel.org,
	Josh Law <objecting@objecting.org>
Subject: [PATCH v3 15/17] lib/bootconfig: validate child node index in xbc_verify_tree()
Date: Sat, 14 Mar 2026 22:34:23 +0000	[thread overview]
Message-ID: <20260314223425.142966-16-objecting@objecting.org> (raw)
In-Reply-To: <20260314223425.142966-1-objecting@objecting.org>

xbc_verify_tree() validates that each node's next index is within
bounds, but does not check the child index.  If a parser bug ever
sets an out-of-bounds child value, xbc_node_get_child() would return
a pointer outside the xbc_nodes array.  Add the same bounds check
for the child field.

Signed-off-by: Josh Law <objecting@objecting.org>
---
 lib/bootconfig.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/bootconfig.c b/lib/bootconfig.c
index 0823491221f4..038f56689a48 100644
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -823,6 +823,10 @@ static int __init xbc_verify_tree(void)
 			return xbc_parse_error("No closing brace",
 				xbc_node_get_data(xbc_nodes + i));
 		}
+		if (xbc_nodes[i].child >= xbc_node_num) {
+			return xbc_parse_error("Broken child node",
+				xbc_node_get_data(xbc_nodes + i));
+		}
 	}
 
 	/* Key tree limitation check */
-- 
2.34.1

next prev parent reply	other threads:[~2026-03-14 22:34 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-14 22:34 [PATCH v3 00/17] bootconfig: fixes, cleanups, and modernization Josh Law
2026-03-14 22:34 ` [PATCH v3 01/17] lib/bootconfig: add missing __init annotations to static helpers Josh Law
2026-03-14 22:34 ` [PATCH v3 02/17] lib/bootconfig: fix typo "initiized" in xbc_root_node() kerneldoc Josh Law
2026-03-14 22:34 ` [PATCH v3 03/17] lib/bootconfig: fix typo "uder" in xbc_node_find_next_leaf() Josh Law
2026-03-14 22:34 ` [PATCH v3 04/17] lib/bootconfig: add blank line before xbc_get_info() kerneldoc Josh Law
2026-03-14 22:34 ` [PATCH v3 05/17] lib/bootconfig: fix inconsistent if/else bracing Josh Law
2026-03-14 22:34 ` [PATCH v3 06/17] lib/bootconfig: narrow flag parameter type from uint32_t to uint16_t Josh Law
2026-03-14 22:34 ` [PATCH v3 07/17] lib/bootconfig: fix inconsistent if/else bracing in __xbc_add_key() Josh Law
2026-03-14 22:34 ` [PATCH v3 08/17] lib/bootconfig: fix off-by-one in xbc_verify_tree() next node check Josh Law
2026-03-14 22:34 ` [PATCH v3 09/17] lib/bootconfig: increment xbc_node_num after node init succeeds Josh Law
2026-03-14 22:34 ` [PATCH v3 10/17] lib/bootconfig: drop redundant memset of xbc_nodes Josh Law
2026-03-14 22:34 ` [PATCH v3 11/17] bootconfig: use __packed macro for struct xbc_node Josh Law
2026-03-14 22:34 ` [PATCH v3 12/17] bootconfig: constify xbc_calc_checksum() data parameter Josh Law
2026-03-14 22:34 ` [PATCH v3 13/17] lib/bootconfig: replace linux/kernel.h with specific includes Josh Law
2026-03-14 22:34 ` [PATCH v3 14/17] bootconfig: add __packed definition to tools/bootconfig shim header Josh Law
2026-03-14 22:34 ` Josh Law [this message]
2026-03-14 22:34 ` [PATCH v3 16/17] lib/bootconfig: check xbc_init_node() return in override path Josh Law
2026-03-14 22:34 ` [PATCH v3 17/17] tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure Josh Law
2026-03-16 12:15   ` Markus Elfring
2026-03-16 15:14     ` Josh Law

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:0823491221f dfblob:038f56689a4 )
 OR (
bs:"[PATCH v3 15/17] lib/bootconfig: validate child node index in xbc_verify_tree()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260314223425.142966-16-objecting@objecting.org \
    --to=objecting@objecting.org \
    --cc=akpm@linux-foundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-trace-kernel@vger.kernel.org \
    --cc=mhiramat@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.