On Sat, 14 Mar 2026 23:01:47 +0000 Josh Law <[email protected]> wrote:
> Move the xbc_node_num increment to after xbc_init_node() so a failed
> init does not leave a partially initialized node counted in the array.
>
> If xbc_init_node() fails on a data offset at the boundary of a
> maximum-size bootconfig, the pre-incremented count causes subsequent
> tree verification and traversal to consider the uninitialized node as
> valid, potentially leading to an out-of-bounds read or unpredictable
> boot behavior.

In that case, it returns a parse error (-ENOMEM) and the parsing stops.
This seems like a hardening, not a fix, unless you can show an actual example.

Thank you,

>
> Signed-off-by: Josh Law <[email protected]>
> ---
>  lib/bootconfig.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/lib/bootconfig.c b/lib/bootconfig.c
> index 56fbedc9e725..06e8a79ab472 100644
> --- a/lib/bootconfig.c
> +++ b/lib/bootconfig.c
> @@ -429,9 +429,10 @@ static struct xbc_node * __init xbc_add_node(char *data,
> uint16_t flag)
> if (xbc_node_num == XBC_NODE_MAX)
> return NULL;
>
> - node = &xbc_nodes[xbc_node_num++];
> + node = &xbc_nodes[xbc_node_num];
> if (xbc_init_node(node, data, flag) < 0)
> return NULL;
> + xbc_node_num++;
>
> return node;
> }
> --
> 2.34.1
>

--
Masami Hiramatsu (Google) <[email protected]>
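Review bot: the commit message's out-of-bounds-read claim is not supported by anything visible in the hunk, so it should either be backed by the concrete path or reworded as hardening, as the reply asks. The reordering itself is sound as far as these lines go: the xbc_node_num == XBC_NODE_MAX guard still runs before the slot at &xbc_nodes[xbc_node_num] is written, and with the increment moved after the "if (xbc_init_node(node, data, flag) < 0) return NULL;" check the counter only advances past nodes that init accepted, which is a cleaner invariant than the old one. But on the failure path xbc_add_node() returns NULL, and what the caller does with that NULL (stops parsing and resets the array, or keeps traversing the counted slot) is not shown here. If that traversal exists, add the call path to the message; otherwise describe the change as keeping xbc_node_num equal to the number of initialized nodes and drop the OOB wording.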
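To make the disagreement in this thread concrete, here is a stand-alone C model of the two orderings of the increment. This is an added example, not code from the patch, from lib/bootconfig.c, or from either participant: the names xbc_node, xbc_nodes, xbc_node_num and XBC_NODE_MAX mirror the kernel's, but the array sizes, the poison marker, the model_init_node() failure rule (offset at or past XBC_DATA_MAX) and the count_stale_nodes() traversal are all assumptions chosen to show the counter/slot relationship. It deliberately does not model what the real caller does after xbc_add_node() returns NULL, which is exactly the point the reply raises.

```c
/*
 * Added example: model of the pre-increment ("before") and post-increment
 * ("after") variants of xbc_add_node() from the patch.  Not kernel code.
 * Sizes, the poison pattern and the failure condition are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XBC_NODE_MAX 8       /* assumption: tiny array so the model is easy to follow */
#define XBC_DATA_MAX 64      /* assumption: offsets >= this make init fail, like the real bound check */
#define XBC_UNINIT   0xffff  /* assumption: poison value marking a never-initialized slot */

struct xbc_node {
	uint16_t next;
	uint16_t child;
	uint16_t data;
};

static struct xbc_node xbc_nodes[XBC_NODE_MAX];
static int xbc_node_num;
static char xbc_data[XBC_DATA_MAX * 2];  /* backing buffer; only the first XBC_DATA_MAX bytes are valid */

/* Reset the counter and poison every slot so stale entries are detectable. */
static void model_reset(void)
{
	xbc_node_num = 0;
	memset(xbc_nodes, 0xff, sizeof(xbc_nodes));
}

/* Shape of an init routine that rejects offsets outside the data area (assumed rule). */
static int model_init_node(struct xbc_node *node, char *data, uint16_t flag)
{
	size_t offset = (size_t)(data - xbc_data);

	if (offset >= XBC_DATA_MAX)
		return -1;
	node->data = (uint16_t)offset | flag;
	node->child = 0;
	node->next = 0;
	return 0;
}

/* "Before" ordering from the patch: the slot is counted even if init then fails. */
static struct xbc_node *add_node_preinc(char *data, uint16_t flag)
{
	struct xbc_node *node;

	if (xbc_node_num == XBC_NODE_MAX)
		return NULL;
	node = &xbc_nodes[xbc_node_num++];
	if (model_init_node(node, data, flag) < 0)
		return NULL;
	return node;
}

/* "After" ordering from the patch: the slot is counted only once init succeeded. */
static struct xbc_node *add_node_postinc(char *data, uint16_t flag)
{
	struct xbc_node *node;

	if (xbc_node_num == XBC_NODE_MAX)
		return NULL;
	node = &xbc_nodes[xbc_node_num];
	if (model_init_node(node, data, flag) < 0)
		return NULL;
	xbc_node_num++;
	return node;
}

/* A traversal that trusts xbc_node_num: count slots it claims valid that are still poisoned. */
static int count_stale_nodes(void)
{
	int stale = 0;

	for (int i = 0; i < xbc_node_num; i++)
		if (xbc_nodes[i].data == XBC_UNINIT)
			stale++;
	return stale;
}

static int model_node_count(void)
{
	return xbc_node_num;
}

/* Scenario: two good nodes, then one whose data offset sits exactly on the boundary. */
static int scenario(struct xbc_node *(*add)(char *, uint16_t))
{
	model_reset();
	add(xbc_data + 0, 0);
	add(xbc_data + 10, 0);
	add(xbc_data + XBC_DATA_MAX, 0);  /* init fails in both variants */
	return count_stale_nodes();
}

int main(void)
{
	int stale;

	stale = scenario(add_node_preinc);
	printf("pre-increment : counted=%d stale=%d\n", model_node_count(), stale);
	stale = scenario(add_node_postinc);
	printf("post-increment: counted=%d stale=%d\n", model_node_count(), stale);
	return 0;
}
```

With the pre-increment variant the counter reaches 3 while one counted slot is still poisoned, so any traversal that trusts the counter visits an uninitialized node; with the post-increment variant the counter stays at 2 and nothing stale is counted. Whether that stale slot is ever reached in the kernel depends on what happens after the NULL return, which this model does not claim to settle.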
