On Sat, 14 Mar 2026 23:01:46 +0000 Josh Law <[email protected]> wrote:

> Valid node indices are 0 to xbc_node_num-1, so a next value equal to
> xbc_node_num is out of bounds. Use >= instead of > to catch this.
>
> A malformed or corrupt bootconfig could pass tree verification with
> an out-of-bounds next index. On subsequent tree traversal at boot
> time, xbc_node_get_next() would return a pointer past the allocated
> xbc_nodes array, causing an out-of-bounds read of kernel memory.
>

Thanks, but how? Do you have any actual config example?
Otherwise, I would like to treat this as a minor fix.

Thanks,

> Signed-off-by: Josh Law <[email protected]>
> ---
>  lib/bootconfig.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/bootconfig.c b/lib/bootconfig.c
> index 58d6ae297280..56fbedc9e725 100644
> --- a/lib/bootconfig.c
> +++ b/lib/bootconfig.c
> @@ -816,7 +816,7 @@ static int __init xbc_verify_tree(void)
>  	}
>  
>  	for (i = 0; i < xbc_node_num; i++) {
> -		if (xbc_nodes[i].next > xbc_node_num) {
> +		if (xbc_nodes[i].next >= xbc_node_num) {
>  			return xbc_parse_error("No closing brace",
>  				xbc_node_get_data(xbc_nodes + i));
>  		}
> --
> 2.34.1
>

--
Masami Hiramatsu (Google) <[email protected]>
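Review bot: the bounds argument behind the `>` to `>=` change is sound (valid indices are 0 to xbc_node_num-1, so a next value equal to xbc_node_num already indexes one past the xbc_nodes array), but the error returned on this path, "No closing brace", describes a missing brace rather than an out-of-range next index, so a boot log showing it will not point anyone at a corrupt node table; consider a distinct message for the index check, and, as asked in the thread, state in the commit message how xbc_verify_tree() comes to see next == xbc_node_num (parser output versus corrupted input), since the hunk alone does not show whether the case is reachable.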
