Valid node indices are 0 to xbc_node_num-1, so a next value equal to
xbc_node_num is out of bounds.  Use >= instead of > to catch this.

A malformed or corrupt bootconfig could pass tree verification with
an out-of-bounds next index.  On subsequent tree traversal at boot
time, xbc_node_get_next() would return a pointer past the allocated
xbc_nodes array, causing an out-of-bounds read of kernel memory.

Signed-off-by: Josh Law <[email protected]>
---
 lib/bootconfig.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/bootconfig.c b/lib/bootconfig.c
index d69ec95d6062..ca668ead1db6 100644
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -816,7 +816,7 @@ static int __init xbc_verify_tree(void)
        }
 
        for (i = 0; i < xbc_node_num; i++) {
-               if (xbc_nodes[i].next > xbc_node_num) {
+               if (xbc_nodes[i].next >= xbc_node_num) {
                        return xbc_parse_error("No closing brace",
                                xbc_node_get_data(xbc_nodes + i));
                }
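Review bot: On the changed line `if (xbc_nodes[i].next >= xbc_node_num)`, the changelog does not say whether any parser path can leave `next` equal to `xbc_node_num` for input that is otherwise valid. If one can, the stricter comparison would start rejecting configs that used to load. Please state in the commit message that no such path exists, or show the input that produces the bad index. The error string for this branch is still "No closing brace", which does not describe an out-of-range next index. A message that names the invalid index would make a corrupt bootconfig easier to diagnose. Since the description reports an out-of-bounds read, a Fixes: tag identifying the commit that introduced the `>` comparison would help backporting.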
-- 
2.34.1

