[PATCH v8 03/13] lib/bootconfig: fix off-by-one in xbc_verify_tree() next node check

Next message: Conor Dooley: "[PATCH net-next v4 10/13] net: macb: timer adjust mode is not supported"
Previous message: Conor Dooley: "[PATCH net-next v4 07/13] net: macb: warn on pclk use as a tsu_clk fallback"
In reply to: Josh Law: "[PATCH v8 13/13] lib/bootconfig: change xbc_node_index() return type to uint16_t"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Josh Law

Date: Wed Mar 18 2026 - 13:33:49 EST

Valid node indices are 0 to xbc_node_num-1, so a next value equal to
xbc_node_num is out of bounds. Use >= instead of > to catch this.

A malformed or corrupt bootconfig could pass tree verification with
an out-of-bounds next index. On subsequent tree traversal at boot
time, xbc_node_get_next() would return a pointer past the allocated
xbc_nodes array, causing an out-of-bounds read of kernel memory.

Signed-off-by: Josh Law <objecting@xxxxxxxxxxxxx>
---
lib/bootconfig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/bootconfig.c b/lib/bootconfig.c
index d69ec95d6062..ca668ead1db6 100644
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -816,7 +816,7 @@ static int __init xbc_verify_tree(void)
}

for (i = 0; i < xbc_node_num; i++) {
- if (xbc_nodes[i].next > xbc_node_num) {
+ if (xbc_nodes[i].next >= xbc_node_num) {
return xbc_parse_error("No closing brace",
xbc_node_get_data(xbc_nodes + i));
}
--
2.34.1