[PATCH v4 08/17] lib/bootconfig: fix off-by-one in xbc_verify_tree() next node check

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Josh Law <objecting@objecting.org>
To: Masami Hiramatsu <mhiramat@kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>
Cc: linux-trace-kernel@vger.kernel.org, linux-kernel@vger.kernel.org,
	Josh Law <objecting@objecting.org>
Subject: [PATCH v4 08/17] lib/bootconfig: fix off-by-one in xbc_verify_tree() next node check
Date: Sat, 14 Mar 2026 23:01:46 +0000	[thread overview]
Message-ID: <20260314230155.155777-9-objecting@objecting.org> (raw)
In-Reply-To: <20260314230155.155777-1-objecting@objecting.org>

Valid node indices are 0 to xbc_node_num-1, so a next value equal to
xbc_node_num is out of bounds.  Use >= instead of > to catch this.

A malformed or corrupt bootconfig could pass tree verification with
an out-of-bounds next index.  On subsequent tree traversal at boot
time, xbc_node_get_next() would return a pointer past the allocated
xbc_nodes array, causing an out-of-bounds read of kernel memory.

Signed-off-by: Josh Law <objecting@objecting.org>
---
 lib/bootconfig.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/bootconfig.c b/lib/bootconfig.c
index 58d6ae297280..56fbedc9e725 100644
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -816,7 +816,7 @@ static int __init xbc_verify_tree(void)
 	}
 
 	for (i = 0; i < xbc_node_num; i++) {
-		if (xbc_nodes[i].next > xbc_node_num) {
+		if (xbc_nodes[i].next >= xbc_node_num) {
 			return xbc_parse_error("No closing brace",
 				xbc_node_get_data(xbc_nodes + i));
 		}
-- 
2.34.1

next prev parent reply	other threads:[~2026-03-14 23:02 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-14 23:01 [PATCH v4 00/17] bootconfig: fixes, cleanups, and modernization Josh Law
2026-03-14 23:01 ` [PATCH v4 01/17] lib/bootconfig: add missing __init annotations to static helpers Josh Law
2026-03-14 23:01 ` [PATCH v4 02/17] lib/bootconfig: fix typo "initiized" in xbc_root_node() kerneldoc Josh Law
2026-03-15  8:17   ` Masami Hiramatsu
2026-03-14 23:01 ` [PATCH v4 03/17] lib/bootconfig: fix typo "uder" in xbc_node_find_next_leaf() Josh Law
2026-03-14 23:01 ` [PATCH v4 04/17] lib/bootconfig: add blank line before xbc_get_info() kerneldoc Josh Law
2026-03-14 23:01 ` [PATCH v4 05/17] lib/bootconfig: fix inconsistent if/else bracing Josh Law
2026-03-14 23:01 ` [PATCH v4 06/17] lib/bootconfig: narrow flag parameter type from uint32_t to uint16_t Josh Law
2026-03-14 23:01 ` [PATCH v4 07/17] lib/bootconfig: fix inconsistent if/else bracing in __xbc_add_key() Josh Law
2026-03-15  8:20   ` Masami Hiramatsu
2026-03-14 23:01 ` Josh Law [this message]
2026-03-15  8:19   ` [PATCH v4 08/17] lib/bootconfig: fix off-by-one in xbc_verify_tree() next node check Masami Hiramatsu
2026-03-14 23:01 ` [PATCH v4 09/17] lib/bootconfig: increment xbc_node_num after node init succeeds Josh Law
2026-03-15  8:16   ` Masami Hiramatsu
2026-03-14 23:01 ` [PATCH v4 10/17] lib/bootconfig: drop redundant memset of xbc_nodes Josh Law
2026-03-14 23:01 ` [PATCH v4 11/17] bootconfig: use __packed macro for struct xbc_node Josh Law
2026-03-15  8:18   ` Masami Hiramatsu
2026-03-14 23:01 ` [PATCH v4 12/17] bootconfig: constify xbc_calc_checksum() data parameter Josh Law
2026-03-14 23:01 ` [PATCH v4 13/17] lib/bootconfig: replace linux/kernel.h with specific includes Josh Law
2026-03-14 23:01 ` [PATCH v4 14/17] bootconfig: add __packed definition to tools/bootconfig shim header Josh Law
2026-03-15  8:18   ` Masami Hiramatsu
2026-03-14 23:01 ` [PATCH v4 15/17] lib/bootconfig: validate child node index in xbc_verify_tree() Josh Law
2026-03-14 23:01 ` [PATCH v4 16/17] lib/bootconfig: check xbc_init_node() return in override path Josh Law
2026-03-15  8:29   ` Masami Hiramatsu
2026-03-14 23:01 ` [PATCH v4 17/17] tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure Josh Law
2026-03-15  8:16   ` Masami Hiramatsu
2026-03-15  8:30 ` [PATCH v4 00/17] bootconfig: fixes, cleanups, and modernization Masami Hiramatsu

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:58d6ae29728 dfblob:56fbedc9e72 )
 OR (
bs:"[PATCH v4 08/17] lib/bootconfig: fix off-by-one in xbc_verify_tree() next node check" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260314230155.155777-9-objecting@objecting.org \
    --to=objecting@objecting.org \
    --cc=akpm@linux-foundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-trace-kernel@vger.kernel.org \
    --cc=mhiramat@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.