authorJosh Law <objecting@objecting.org>2026-03-19 02:43:24 +0300
committerMasami Hiramatsu (Google) <mhiramat@kernel.org>2026-03-19 02:43:24 +0300
commitae9bf4d3835fb1cd3f79ea74e96e6ab6cfe8f415 (patch)
treeee643fd544822f896492339ed1db392c233fafd8
parent1c04fa80118cc20a943b9ec5b861a824fa90db1c (diff)
lib/bootconfig: increment xbc_node_num after node init succeeds
Move the xbc_node_num increment to after xbc_init_node() so a failed init does not leave a partially initialized node counted in the array. If xbc_init_node() fails on a data offset at the boundary of a maximum-size bootconfig, the pre-incremented count causes subsequent tree verification and traversal to consider the uninitialized node as valid, potentially leading to an out-of-bounds read or unpredictable boot behavior. Link: https://lore.kernel.org/all/20260318155919.78168-5-objecting@objecting.org/ Signed-off-by: Josh Law <objecting@objecting.org> Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
-rw-r--r--lib/bootconfig.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/bootconfig.c b/lib/bootconfig.c
index 885886212248..c02b11a1b501 100644
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -429,9 +429,10 @@ static struct xbc_node * __init xbc_add_node(char *data, uint16_t flag)
if (xbc_node_num == XBC_NODE_MAX)
return NULL;
- node = &xbc_nodes[xbc_node_num++];
+ node = &xbc_nodes[xbc_node_num];
if (xbc_init_node(node, data, flag) < 0)
return NULL;
+ xbc_node_num++;
return node;
}
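Review bot: The placement of `xbc_node_num++` after the `xbc_init_node()` check is the whole fix, yet nothing in the code says it must stay there. A later cleanup could fold the increment back into the index expression and reintroduce the counted-but-uninitialized slot the commit message describes. I would add a comment above the increment, for example `/* Count the node only after init succeeds: verification and traversal trust every slot below xbc_node_num. */`. Whether `xbc_init_node()` leaves the slot untouched on failure is not visible in this hunk. If it can write partially, the next call reuses the same slot, so the count is the invariant that matters. The body of `xbc_add_node()` begins above the hunk.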