[PATCH v3 15/17] lib/bootconfig: validate child node index in xbc_verify_tree()

Next message: Josh Law: "[PATCH v3 14/17] bootconfig: add __packed definition to tools/bootconfig shim header"
Previous message: Josh Law: "[PATCH v3 09/17] lib/bootconfig: increment xbc_node_num after node init succeeds"
In reply to: Josh Law: "[PATCH v3 09/17] lib/bootconfig: increment xbc_node_num after node init succeeds"
Next in thread: Josh Law: "[PATCH v3 14/17] bootconfig: add __packed definition to tools/bootconfig shim header"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Josh Law

Date: Sat Mar 14 2026 - 18:37:41 EST

xbc_verify_tree() validates that each node's next index is within
bounds, but does not check the child index. If a parser bug ever
sets an out-of-bounds child value, xbc_node_get_child() would return
a pointer outside the xbc_nodes array. Add the same bounds check
for the child field.

Signed-off-by: Josh Law <objecting@xxxxxxxxxxxxx>
---
lib/bootconfig.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/lib/bootconfig.c b/lib/bootconfig.c
index 0823491221f4..038f56689a48 100644
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -823,6 +823,10 @@ static int __init xbc_verify_tree(void)
return xbc_parse_error("No closing brace",
xbc_node_get_data(xbc_nodes + i));
}
+ if (xbc_nodes[i].child >= xbc_node_num) {
+ return xbc_parse_error("Broken child node",
+ xbc_node_get_data(xbc_nodes + i));
+ }
}

/* Key tree limitation check */
--
2.34.1