lib/bootconfig: check bounds before writing in __xbc_open_brace()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The bounds check for brace_index happens after the array write.
While the current call pattern prevents an actual out-of-bounds
access (the previous call would have returned an error), the
write-before-check pattern is fragile and would become a real
out-of-bounds write if the error return were ever not propagated.

Move the bounds check before the array write so the function is
self-contained and safe regardless of caller behavior.

Link: https://lore.kernel.org/all/20260312191143.28719-3-objecting@objecting.org/

Fixes: ead1e19ad905 ("lib/bootconfig: Fix a bug of breaking existing tree nodes")
Cc: stable@vger.kernel.org
Signed-off-by: Josh Law <objecting@objecting.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>

authored by

Josh Law and committed by

Masami Hiramatsu (Google) 2 months ago 560f763b 39ebc8d7

+1 -1

1 changed file

expand all

lib

bootconfig.c

+1 -1

lib/bootconfig.c

··· 532 532 static int __init __xbc_open_brace(char *p) 533 533 { 534 534 /* Push the last key as open brace */ 535 - open_brace[brace_index++] = xbc_node_index(last_parent); 536 535 if (brace_index >= XBC_DEPTH_MAX) 537 536 return xbc_parse_error("Exceed max depth of braces", p); 537 + open_brace[brace_index++] = xbc_node_index(last_parent); 538 538 539 539 return 0; 540 540 }

Configure Feed

Configure Feed