[PATCH v7 08/15] lib/bootconfig: validate child node index in xbc_verify_tree()

Next message: Josh Law: "[PATCH v7 05/15] lib/bootconfig: drop redundant memset of xbc_nodes"
Previous message: Josh Law: "[PATCH v7 03/15] lib/bootconfig: fix off-by-one in xbc_verify_tree() next node check"
In reply to: Josh Law: "[PATCH v7 03/15] lib/bootconfig: fix off-by-one in xbc_verify_tree() next node check"
Next in thread: Josh Law: "[PATCH v7 05/15] lib/bootconfig: drop redundant memset of xbc_nodes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Josh Law

Date: Tue Mar 17 2026 - 12:18:15 EST

xbc_verify_tree() validates that each node's next index is within
bounds, but does not check the child index. Add the same bounds
check for the child field.

Without this check, a corrupt bootconfig that passes next-index
validation could still trigger an out-of-bounds memory access via an
invalid child index when xbc_node_get_child() is called during tree
traversal at boot time.

Signed-off-by: Josh Law <objecting@xxxxxxxxxxxxx>
---
lib/bootconfig.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/lib/bootconfig.c b/lib/bootconfig.c
index d7e2395b7e83..1adf592cc038 100644
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -823,6 +823,10 @@ static int __init xbc_verify_tree(void)
return xbc_parse_error("No closing brace",
xbc_node_get_data(xbc_nodes + i));
}
+ if (xbc_nodes[i].child >= xbc_node_num) {
+ return xbc_parse_error("Broken child node",
+ xbc_node_get_data(xbc_nodes + i));
+ }
}

/* Key tree limitation check */
--
2.34.1