From: Josh Law Date: Wed, 18 Mar 2026 23:43:24 +0000 (+0900) Subject: lib/bootconfig: fix off-by-one in xbc_verify_tree() next node check X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1c04fa80118cc20a943b9ec5b861a824fa90db1c;p=thirdparty%2Fkernel%2Flinux.git lib/bootconfig: fix off-by-one in xbc_verify_tree() next node check Valid node indices are 0 to xbc_node_num-1, so a next value equal to xbc_node_num is out of bounds. Use >= instead of > to catch this. A malformed or corrupt bootconfig could pass tree verification with an out-of-bounds next index. On subsequent tree traversal at boot time, xbc_node_get_next() would return a pointer past the allocated xbc_nodes array, causing an out-of-bounds read of kernel memory. Link: https://lore.kernel.org/all/20260318155919.78168-4-objecting@objecting.org/ Signed-off-by: Josh Law Signed-off-by: Masami Hiramatsu (Google) --- diff --git a/lib/bootconfig.c b/lib/bootconfig.c index ee2f072831aa4..8858862122487 100644 --- a/lib/bootconfig.c +++ b/lib/bootconfig.c @@ -817,7 +817,7 @@ static int __init xbc_verify_tree(void) } for (i = 0; i < xbc_node_num; i++) { - if (xbc_nodes[i].next > xbc_node_num) { + if (xbc_nodes[i].next >= xbc_node_num) { return xbc_parse_error("No closing brace", xbc_node_get_data(xbc_nodes + i)); }
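Review bot: The changed condition `xbc_nodes[i].next >= xbc_node_num` in the loop of xbc_verify_tree() still reports "No closing brace", which does not tell the reader that the failure is an out-of-range `next` index; the invariant that valid indices are 0 to xbc_node_num-1 is stated only in the commit message. A one-line comment above the `if` stating that bound would keep the comparison from being "corrected" back to `>` later, and it would make clear why it mirrors the loop condition `i < xbc_node_num`. The hunk bounds only the `next` field, so it is worth confirming in review whether any other index fields stored in xbc_nodes[] are followed during traversal and need the same `>=` comparison. Since the message describes an out-of-bounds read of kernel memory at boot, a Fixes: tag naming the commit that introduced the `>` comparison would help with backporting; the visible trailers carry only Link: and Signed-off-by.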