diff options
| author | Josh Law <objecting@objecting.org> | 2026-03-19 08:43:05 +0900 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-03-25 11:13:32 +0100 |
| commit | 68c0ae8399bf26e85978d5216f182d18381f0198 (patch) | |
| tree | 2405da322839d4636a530e7c57017ff71736aa17 /lib | |
| parent | bbf791cffb635a6ea89c4297876b0c5fc31f865e (diff) | |
lib/bootconfig: check xbc_init_node() return in override path
[ Upstream commit bb288d7d869e86d382f35a0e26242c5ccb05ca82 ]
The ':=' override path in xbc_parse_kv() calls xbc_init_node() to
re-initialize an existing value node but does not check the return
value. If xbc_init_node() fails (data offset out of range), parsing
silently continues with stale node data.
Add the missing error check to match the xbc_add_node() call path
which already checks for failure.
In practice, a bootconfig using ':=' to override a value near the
32KB data limit could silently retain the old value, meaning a
security-relevant boot parameter override (e.g., a trace filter or
debug setting) would not take effect as intended.
Link: https://lore.kernel.org/all/20260318155847.78065-2-objecting@objecting.org/
Fixes: e5efaeb8a8f5 ("bootconfig: Support mixing a value and subkeys under a key")
Signed-off-by: Josh Law <objecting@objecting.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/bootconfig.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/bootconfig.c b/lib/bootconfig.c index 0728c4a95249..5d3802eba52a 100644 --- a/lib/bootconfig.c +++ b/lib/bootconfig.c @@ -712,7 +712,8 @@ static int __init xbc_parse_kv(char **k, char *v, int op) if (op == ':') { unsigned short nidx = child->next; - xbc_init_node(child, v, XBC_VALUE); + if (xbc_init_node(child, v, XBC_VALUE) < 0) + return xbc_parse_error("Failed to override value", v); child->next = nidx; /* keep subkeys */ goto array; } |