lib/bootconfig: fix off-by-one in xbc_verify_tree() next node check

Valid node indices are 0 to xbc_node_num-1, so a next value equal to
xbc_node_num is out of bounds.  Use >= instead of > to catch this.

A malformed or corrupt bootconfig could pass tree verification with
an out-of-bounds next index.  On subsequent tree traversal at boot
time, xbc_node_get_next() would return a pointer past the allocated
xbc_nodes array, causing an out-of-bounds read of kernel memory.

Link: https://lore.kernel.org/all/20260318155919.78168-4-objecting@objecting.org/

Signed-off-by: Josh Law <objecting@objecting.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
This commit is contained in:
Josh Law
2026-03-19 08:43:24 +09:00
committed by Masami Hiramatsu (Google)
parent bf45f7c591
commit 1c04fa8011

@@ -817,7 +817,7 @@ static int __init xbc_verify_tree(void)
}
for (i = 0; i < xbc_node_num; i++) {
if (xbc_nodes[i].next > xbc_node_num) {
if (xbc_nodes[i].next >= xbc_node_num) {
return xbc_parse_error("No closing brace",
xbc_node_get_data(xbc_nodes + i));
}
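Review bot: the corrected check `xbc_nodes[i].next >= xbc_node_num` still reports "No closing brace", which describes a syntax error rather than an out-of-range index, so a corrupt bootconfig that trips this bound will produce a misleading diagnostic. Consider a one-line comment above the loop stating that valid indices are 0 to xbc_node_num-1, as the commit message does, so the comparison is not later relaxed back to `>`. The commit message also carries no Fixes: tag; since it describes an out-of-bounds read of kernel memory at boot, adding one would help the fix reach backports.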