From: Josh Law <objecting@objecting.org>
Date: Wed, 18 Mar 2026 15:59:14 +0000 (+0000)
Subject: lib/bootconfig: validate child node index in xbc_verify_tree()
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=909bb3a6c53faf86e96694ed09e7f32cad11ba2e;p=thirdparty%2Fkernel%2Flinux.git

lib/bootconfig: validate child node index in xbc_verify_tree()

xbc_verify_tree() validates that each node's next index is within
bounds, but does not check the child index.  Add the same bounds
check for the child field.

Without this check, a corrupt bootconfig that passes next-index
validation could still trigger an out-of-bounds memory access via an
invalid child index when xbc_node_get_child() is called during tree
traversal at boot time.

Link: https://lore.kernel.org/all/20260318155919.78168-9-objecting@objecting.org/

Signed-off-by: Josh Law <objecting@objecting.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
---

diff --git a/lib/bootconfig.c b/lib/bootconfig.c
index 0663b74ad1311..8c50e942d7479 100644
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -824,6 +824,10 @@ static int __init xbc_verify_tree(void)
 			return xbc_parse_error("No closing brace",
 				xbc_node_get_data(xbc_nodes + i));
 		}
+		if (xbc_nodes[i].child >= xbc_node_num) {
+			return xbc_parse_error("Broken child node",
+				xbc_node_get_data(xbc_nodes + i));
+		}
 	}
 
 	/* Key tree limitation check */