git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
lib/bootconfig: fix off-by-one in xbc_verify_tree() next node check
author Josh Law <objecting@objecting.org>
Wed, 18 Mar 2026 23:43:24 +0000 (08:43 +0900)
committer Masami Hiramatsu (Google) <mhiramat@kernel.org>
Wed, 18 Mar 2026 23:43:24 +0000 (08:43 +0900)
Valid node indices are 0 to xbc_node_num-1, so a next value equal to
xbc_node_num is out of bounds.  Use >= instead of > to catch this.

A malformed or corrupt bootconfig could pass tree verification with
an out-of-bounds next index.  On subsequent tree traversal at boot
time, xbc_node_get_next() would return a pointer past the allocated
xbc_nodes array, causing an out-of-bounds read of kernel memory.

Link: https://lore.kernel.org/all/20260318155919.78168-4-objecting@objecting.org/
Signed-off-by: Josh Law <objecting@objecting.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
lib/bootconfig.c

index ee2f072831aa4b4f7a66a75bd58817127d6b94d1..8858862122487cf14a0edafa1922f5a6d46cdce5 100644 (file)
@@ -817,7 +817,7 @@ static int __init xbc_verify_tree(void)
        }
 
        for (i = 0; i < xbc_node_num; i++) {
-               if (xbc_nodes[i].next > xbc_node_num) {
+               if (xbc_nodes[i].next >= xbc_node_num) {
                        return xbc_parse_error("No closing brace",
                                xbc_node_get_data(xbc_nodes + i));
                }
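
Review bot: The corrected `>=` comparison inside the `for` loop has no comment stating that `next` is used as an index into `xbc_nodes` and that `xbc_node_num` is one past the last valid slot, which is exactly the confusion this fix corrects; a one-line comment above the `if` would help keep the bound from regressing. The commit message describes an out-of-bounds read of kernel memory at boot but carries no Fixes: tag, so adding one would make it easier to see which trees need the backport. The loop as shown bounds only `.next`; if a node has other index fields that traversal follows, they should be checked against the same exclusive bound here.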