lib/bootconfig: validate child node index in xbc_verify_tree()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

xbc_verify_tree() validates that each node's next index is within
bounds, but does not check the child index. Add the same bounds
check for the child field.

Without this check, a corrupt bootconfig that passes next-index
validation could still trigger an out-of-bounds memory access via an
invalid child index when xbc_node_get_child() is called during tree
traversal at boot time.

Link: https://lore.kernel.org/all/20260318155919.78168-9-objecting@objecting.org/

Signed-off-by: Josh Law <objecting@objecting.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>

authored by

Josh Law and committed by

Masami Hiramatsu (Google) 2 months ago 909bb3a6 2564fa0b

1 changed file

expand all

lib

bootconfig.c

lib/bootconfig.c

··· 824 824 return xbc_parse_error("No closing brace", 825 825 xbc_node_get_data(xbc_nodes + i)); 826 826 } 827 + if (xbc_nodes[i].child >= xbc_node_num) { 828 + return xbc_parse_error("Broken child node", 829 + xbc_node_get_data(xbc_nodes + i)); 830 + } 827 831 } 828 832 829 833 /* Key tree limitation check */

Configure Feed

Configure Feed