lib/bootconfig: check xbc_init_node() return in override path

[ Upstream commit bb288d7d869e86d382f35a0e26242c5ccb05ca82 ]

The ':=' override path in xbc_parse_kv() calls xbc_init_node() to
re-initialize an existing value node but does not check the return
value. If xbc_init_node() fails (data offset out of range), parsing
silently continues with stale node data.

Add the missing error check to match the xbc_add_node() call path
which already checks for failure.

In practice, a bootconfig using ':=' to override a value near the
32KB data limit could silently retain the old value, meaning a
security-relevant boot parameter override (e.g., a trace filter or
debug setting) would not take effect as intended.

Link: https://lore.kernel.org/all/20260318155847.78065-2-objecting@objecting.org/
Fixes: e5efaeb8a8f5 ("bootconfig: Support mixing a value and subkeys under a key")
Signed-off-by: Josh Law <objecting@objecting.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/lib/bootconfig.c b/lib/bootconfig.c
index 0728c4a95249b22d33c2a51a4aa9e7a5999b3383..5d3802eba52a3b89fcea78a5406330222684cc7a 100644 (file)
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -712,7 +712,8 @@ static int __init xbc_parse_kv(char **k, char *v, int op)
                if (op == ':') {
                        unsigned short nidx = child->next;
 
-                       xbc_init_node(child, v, XBC_VALUE);
+                       if (xbc_init_node(child, v, XBC_VALUE) < 0)
+                               return xbc_parse_error("Failed to override value", v);
                        child->next = nidx;     /* keep subkeys */
                        goto array;
                }