Re: [PATCH v4 08/17] lib/bootconfig: fix off-by-one in xbc_verify_tree() next node check
From: Google
Date: Sun Mar 15 2026 - 04:19:54 EST
On Sat, 14 Mar 2026 23:01:46 +0000
Josh Law <objecting@xxxxxxxxxxxxx> wrote:
> Valid node indices are 0 to xbc_node_num-1, so a next value equal to
> xbc_node_num is out of bounds. Use >= instead of > to catch this.
>
> A malformed or corrupt bootconfig could pass tree verification with
> an out-of-bounds next index. On subsequent tree traversal at boot
> time, xbc_node_get_next() would return a pointer past the allocated
> xbc_nodes array, causing an out-of-bounds read of kernel memory.
>
Thanks, but how? Do you have any actual config example?
Without that, I would like to treat this as a minor fix.
Thanks,
> Signed-off-by: Josh Law <objecting@xxxxxxxxxxxxx>
> ---
> lib/bootconfig.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/bootconfig.c b/lib/bootconfig.c
> index 58d6ae297280..56fbedc9e725 100644
> --- a/lib/bootconfig.c
> +++ b/lib/bootconfig.c
> @@ -816,7 +816,7 @@ static int __init xbc_verify_tree(void)
> }
>
> for (i = 0; i < xbc_node_num; i++) {
> - if (xbc_nodes[i].next > xbc_node_num) {
> + if (xbc_nodes[i].next >= xbc_node_num) {
> return xbc_parse_error("No closing brace",
> xbc_node_get_data(xbc_nodes + i));
> }
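Review bot: the `>=` is the right bound here, since the enclosing loop `for (i = 0; i < xbc_node_num; i++)` in this same hunk already defines `xbc_node_num - 1` as the last valid index, so a `next` of exactly `xbc_node_num` would index one element past `xbc_nodes`; however, the error text returned on that path, `"No closing brace"`, describes a missing brace rather than an out-of-range link, so consider a message that names the actual condition (for example an out-of-range next index) so that a rejected bootconfig is easier to diagnose. The commit message also asserts an out-of-bounds read at boot time but does not show a config that reaches this branch; either attach such a reproducer or reword the description as a defensive bounds fix, which matches the maintainer's request above.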
> --
> 2.34.1
>
--
Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx>