lib/bootconfig: validate child node index in xbc_verify_tree()
authorJosh Law <objecting@objecting.org>
Wed, 18 Mar 2026 15:59:14 +0000 (15:59 +0000)
committerMasami Hiramatsu (Google) <mhiramat@kernel.org>
Wed, 18 Mar 2026 23:44:15 +0000 (08:44 +0900)
xbc_verify_tree() validates that each node's next index is within
bounds, but does not check the child index.  Add the same bounds
check for the child field.

Without this check, a corrupt bootconfig that passes next-index
validation could still trigger an out-of-bounds memory access via an
invalid child index when xbc_node_get_child() is called during tree
traversal at boot time.

Link: https://lore.kernel.org/all/20260318155919.78168-9-objecting@objecting.org/
Signed-off-by: Josh Law <objecting@objecting.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
lib/bootconfig.c

index 0663b74ad131103d18e3c267fee737a83c273e1a..8c50e942d7479cff40fe9618dfcc3d5150afb5ba 100644 (file)
@@ -824,6 +824,10 @@ static int __init xbc_verify_tree(void)
                        return xbc_parse_error("No closing brace",
                                xbc_node_get_data(xbc_nodes + i));
                }
+               if (xbc_nodes[i].child >= xbc_node_num) {
+                       return xbc_parse_error("Broken child node",
+                               xbc_node_get_data(xbc_nodes + i));
+               }
        }
 
        /* Key tree limitation check */
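Review bot: The added `xbc_nodes[i].child >= xbc_node_num` test has no comment explaining why the bound is exclusive. The commit message calls it "the same bounds check" as the one on `next`, but that comparison sits above the hunk and is not visible here, so it is worth confirming that both use the same operator. A one-line comment above the new `if` would make the intent explicit, e.g. `/* child indexes xbc_nodes[], so it must be strictly below xbc_node_num */`. As far as these lines show, the loop validates only the forward links; if the node's parent index is also followed by traversal helpers, it may merit an equivalent guard that still allows whatever "no parent" sentinel the file uses. xbc_verify_tree() begins and ends outside the hunk.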