From: Josh Law
Date: Wed, 18 Mar 2026 23:43:24 +0000 (+0900)
Subject: lib/bootconfig: increment xbc_node_num after node init succeeds
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ae9bf4d3835fb1cd3f79ea74e96e6ab6cfe8f415;p=thirdparty%2Fkernel%2Flinux.git

lib/bootconfig: increment xbc_node_num after node init succeeds

Move the xbc_node_num increment to after xbc_init_node() so a failed init does not leave a partially initialized node counted in the array.

If xbc_init_node() fails on a data offset at the boundary of a maximum-size bootconfig, the pre-incremented count causes subsequent tree verification and traversal to consider the uninitialized node as valid, potentially leading to an out-of-bounds read or unpredictable boot behavior.

Link: https://lore.kernel.org/all/20260318155919.78168-5-objecting@objecting.org/
Signed-off-by: Josh Law
Signed-off-by: Masami Hiramatsu (Google)
---
diff --git a/lib/bootconfig.c b/lib/bootconfig.c index 8858862122487..c02b11a1b5019 100644 --- a/lib/bootconfig.c +++ b/lib/bootconfig.c @@ -429,9 +429,10 @@ static struct xbc_node * __init xbc_add_node(char *data, uint16_t flag) if (xbc_node_num == XBC_NODE_MAX) return NULL; - node = &xbc_nodes[xbc_node_num++]; + node = &xbc_nodes[xbc_node_num]; if (xbc_init_node(node, data, flag) < 0) return NULL; + xbc_node_num++; return node; }
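Review bot: The failure branch after `xbc_init_node(node, data, flag) < 0` in xbc_add_node() now returns with the slot at `xbc_nodes[xbc_node_num]` possibly half-written but uncounted. That is only safe if every reader bounds itself by xbc_node_num and the next successful xbc_init_node() overwrites all fields of the slot, and neither condition is stated in the hunk. A one-line comment above `xbc_node_num++;` saying that the count covers fully initialized nodes only would keep a later cleanup from folding the increment back into the index expression. The commit message describes a potential out-of-bounds read but carries no Fixes: tag, so adding one would help anyone deciding whether to backport the change.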