Re: [PATCH v4 09/17] lib/bootconfig: increment xbc_node_num after node init succeeds

From: Google

Date: Sun Mar 15 2026 - 04:16:34 EST


On Sat, 14 Mar 2026 23:01:47 +0000
Josh Law <objecting@xxxxxxxxxxxxx> wrote:

> Move the xbc_node_num increment to after xbc_init_node() so a failed
> init does not leave a partially initialized node counted in the array.
>
> If xbc_init_node() fails on a data offset at the boundary of a
> maximum-size bootconfig, the pre-incremented count causes subsequent
> tree verification and traversal to consider the uninitialized node as
> valid, potentially leading to an out-of-bounds read or unpredictable
> boot behavior.

In that case, it returns a parse error (-ENOMEM) and the parsing stops.
This seems to be a hardening, not a fix, unless you can show an actual example.

Thank you,

>
> Signed-off-by: Josh Law <objecting@xxxxxxxxxxxxx>
> ---
> lib/bootconfig.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/lib/bootconfig.c b/lib/bootconfig.c
> index 56fbedc9e725..06e8a79ab472 100644
> --- a/lib/bootconfig.c
> +++ b/lib/bootconfig.c
> @@ -429,9 +429,10 @@ static struct xbc_node * __init xbc_add_node(char *data, uint16_t flag)
> if (xbc_node_num == XBC_NODE_MAX)
> return NULL;
>
> - node = &xbc_nodes[xbc_node_num++];
> + node = &xbc_nodes[xbc_node_num];
> if (xbc_init_node(node, data, flag) < 0)
> return NULL;
> + xbc_node_num++;
>
> return node;
> }
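Review bot: the out-of-bounds read claimed in the changelog does not follow from this hunk by itself: on the failing path `xbc_add_node()` already returns NULL, and the reply above says the caller then reports -ENOMEM and parsing stops, so the stale `xbc_node_num` is only reachable if some caller keeps going after a NULL return. Either name that caller and the traversal that reads the uncounted entry, or describe the change as hardening that keeps `xbc_node_num` equal to the number of initialized entries in `xbc_nodes`. The reordering itself is fine: the `XBC_NODE_MAX` check above still bounds the index before `&xbc_nodes[xbc_node_num]` is formed, and `xbc_node_num++` now runs only for a node that `xbc_init_node()` accepted.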
> --
> 2.34.1
>


--
Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx>
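The ordering the patch changes, shown as an added C model that is not the kernel's lib/bootconfig.c: a fixed-size node array with a counter, where the "before" form increments the counter before the init step is known to succeed and the "after" form increments only on success. The names (`init_node`, `add_node_preinc`, `add_node_postinc`, `DATA_MAX`, the `initialized` sentinel) and the size limits are assumptions for this demo; the failing input is a data offset at the assumed limit, which stands in for the boundary case the changelog describes. The check that matters to a later verifier or traversal is the invariant "every index below the counter is an initialized node", and the demo measures how many counted entries violate it under each form.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed model of the bootconfig node array; sizes are assumptions. */
#define NODE_MAX 8
#define DATA_MAX 16   /* hypothetical limit on the data offset */

struct node {
    uint16_t data;   /* offset into the config text */
    uint16_t flag;
    int initialized; /* sentinel so the demo can detect a stale entry */
};

static struct node nodes[NODE_MAX];
static int node_num;

/* Stands in for xbc_init_node(): fail if the data offset is out of range. */
static int init_node(struct node *n, uint16_t data, uint16_t flag)
{
    if (data >= DATA_MAX)
        return -1;
    n->data = data;
    n->flag = flag;
    n->initialized = 1;
    return 0;
}

/* "Before" form: the counter grows before init is known to succeed. */
static struct node *add_node_preinc(uint16_t data, uint16_t flag)
{
    struct node *n;

    if (node_num == NODE_MAX)
        return NULL;
    n = &nodes[node_num++];
    if (init_node(n, data, flag) < 0)
        return NULL;          /* slot stays counted but uninitialized */
    return n;
}

/* "After" form: count only nodes that were fully initialized. */
static struct node *add_node_postinc(uint16_t data, uint16_t flag)
{
    struct node *n;

    if (node_num == NODE_MAX)
        return NULL;
    n = &nodes[node_num];
    if (init_node(n, data, flag) < 0)
        return NULL;          /* counter untouched, slot not visible */
    node_num++;
    return n;
}

static void reset(void)
{
    memset(nodes, 0, sizeof(nodes));
    node_num = 0;
}

/* Invariant a verifier or traversal relies on: every index below node_num
 * holds an initialized node. Returns how many counted entries violate it. */
static int stale_counted_nodes(void)
{
    int stale = 0;

    for (int i = 0; i < node_num; i++)
        if (!nodes[i].initialized)
            stale++;
    return stale;
}

/* One valid add followed by one at the boundary (init fails), using the
 * supplied add function. Returns the number of stale counted entries. */
static int run_scenario(struct node *(*add)(uint16_t, uint16_t))
{
    reset();
    add(3, 0);          /* valid offset */
    add(DATA_MAX, 0);   /* offset at the limit: init_node() rejects it */
    return stale_counted_nodes();
}

int main(void)
{
    int stale;

    stale = run_scenario(add_node_preinc);
    printf("pre-increment : count=%d stale=%d\n", node_num, stale);
    stale = run_scenario(add_node_postinc);
    printf("post-increment: count=%d stale=%d\n", node_num, stale);
    return 0;
}
```

With the pre-increment form the failed add leaves the counter at 2 with one entry that was never initialized, which is exactly the state a later pass would misread if it trusted the counter; the post-increment form leaves the counter at 1 with no stale entry. Whether that state is reachable in practice depends on the caller stopping on the NULL return, which is the point the maintainer raises above.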