diff options
| author | Josh Law <objecting@objecting.org> | 2026-03-12 19:11:42 +0000 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-03-19 16:08:45 +0100 |
| commit | bfbf1f286f6820976f85a13fd563665a5d4c16cf (patch) | |
| tree | 312e0072fc6eacbbd9f9b2b71c10c62102b5874e | |
| parent | 6e736a18cfbd518514c6fb82f2a46082bffd6394 (diff) | |
lib/bootconfig: check bounds before writing in __xbc_open_brace()
commit 560f763baa0f2c9a44da4294c06af071405ac46f upstream.
The bounds check for brace_index happens after the array write.
While the current call pattern prevents an actual out-of-bounds
access (the previous call would have returned an error), the
write-before-check pattern is fragile and would become a real
out-of-bounds write if the error return were ever not propagated.
Move the bounds check before the array write so the function is
self-contained and safe regardless of caller behavior.
Link: https://lore.kernel.org/all/20260312191143.28719-3-objecting@objecting.org/
Fixes: ead1e19ad905 ("lib/bootconfig: Fix a bug of breaking existing tree nodes")
Cc: stable@vger.kernel.org
Signed-off-by: Josh Law <objecting@objecting.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | lib/bootconfig.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/bootconfig.c b/lib/bootconfig.c index 31ac39aeac77..0728c4a95249 100644 --- a/lib/bootconfig.c +++ b/lib/bootconfig.c @@ -532,9 +532,9 @@ static char *skip_spaces_until_newline(char *p) static int __init __xbc_open_brace(char *p) { /* Push the last key as open brace */ - open_brace[brace_index++] = xbc_node_index(last_parent); if (brace_index >= XBC_DEPTH_MAX) return xbc_parse_error("Exceed max depth of braces", p); + open_brace[brace_index++] = xbc_node_index(last_parent); return 0; } |