From 39ebc8d7f561e1b64eca87353ef9b18e2825e591 Mon Sep 17 00:00:00 2001 From: Josh Law Date: Thu, 12 Mar 2026 19:11:41 +0000 Subject: lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error __xbc_open_brace() pushes entries with post-increment (open_brace[brace_index++]), so brace_index always points one past the last valid entry. xbc_verify_tree() reads open_brace[brace_index] to report which brace is unclosed, but this is one past the last pushed entry and contains stale/zero data, causing the error message to reference the wrong node. Use open_brace[brace_index - 1] to correctly identify the unclosed brace. brace_index is known to be > 0 here since we are inside the if (brace_index) guard. Link: https://lore.kernel.org/all/20260312191143.28719-2-objecting@objecting.org/ Fixes: ead1e19ad905 ("lib/bootconfig: Fix a bug of breaking existing tree nodes") Cc: stable@vger.kernel.org Signed-off-by: Josh Law Reviewed-by: Steven Rostedt (Google) Signed-off-by: Masami Hiramatsu (Google) --- lib/bootconfig.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/bootconfig.c b/lib/bootconfig.c index 449369a60846..ce25714351d5 100644 --- a/lib/bootconfig.c +++ b/lib/bootconfig.c @@ -802,7 +802,7 @@ static int __init xbc_verify_tree(void) /* Brace closing */ if (brace_index) { - n = &xbc_nodes[open_brace[brace_index]]; + n = &xbc_nodes[open_brace[brace_index - 1]]; return xbc_parse_error("Brace is not closed", xbc_node_get_data(n)); } -- cgit v1.2.3 From 560f763baa0f2c9a44da4294c06af071405ac46f Mon Sep 17 00:00:00 2001 From: Josh Law Date: Thu, 12 Mar 2026 19:11:42 +0000 Subject: lib/bootconfig: check bounds before writing in __xbc_open_brace() The bounds check for brace_index happens after the array write. While the current call pattern prevents an actual out-of-bounds access (the previous call would have returned an error), the write-before-check pattern is fragile and would become a real out-of-bounds write if the error return were ever not propagated. Move the bounds check before the array write so the function is self-contained and safe regardless of caller behavior. Link: https://lore.kernel.org/all/20260312191143.28719-3-objecting@objecting.org/ Fixes: ead1e19ad905 ("lib/bootconfig: Fix a bug of breaking existing tree nodes") Cc: stable@vger.kernel.org Signed-off-by: Josh Law Signed-off-by: Masami Hiramatsu (Google) --- lib/bootconfig.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/bootconfig.c b/lib/bootconfig.c index ce25714351d5..9c3d59fb96ed 100644 --- a/lib/bootconfig.c +++ b/lib/bootconfig.c @@ -532,9 +532,9 @@ static char *skip_spaces_until_newline(char *p) static int __init __xbc_open_brace(char *p) { /* Push the last key as open brace */ - open_brace[brace_index++] = xbc_node_index(last_parent); if (brace_index >= XBC_DEPTH_MAX) return xbc_parse_error("Exceed max depth of braces", p); + open_brace[brace_index++] = xbc_node_index(last_parent); return 0; } -- cgit v1.2.3 From 1120a36bb1e9b9e22de75ecb4ef0b998f73a97f1 Mon Sep 17 00:00:00 2001 From: Josh Law Date: Thu, 12 Mar 2026 19:11:43 +0000 Subject: lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after() snprintf() returns the number of characters that would have been written excluding the NUL terminator. Output is truncated when the return value is >= the buffer size, not just > the buffer size. When ret == size, the current code takes the non-truncated path, advancing buf by ret and reducing size to 0. This is wrong because the output was actually truncated (the last character was replaced by NUL). Fix by using >= so the truncation path is taken correctly. Link: https://lore.kernel.org/all/20260312191143.28719-4-objecting@objecting.org/ Fixes: 76db5a27a827 ("bootconfig: Add Extra Boot Config support") Cc: stable@vger.kernel.org Signed-off-by: Josh Law Signed-off-by: Masami Hiramatsu (Google) --- lib/bootconfig.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/bootconfig.c b/lib/bootconfig.c index 9c3d59fb96ed..2da049216fe0 100644 --- a/lib/bootconfig.c +++ b/lib/bootconfig.c @@ -316,7 +316,7 @@ int __init xbc_node_compose_key_after(struct xbc_node *root, depth ? "." : ""); if (ret < 0) return ret; - if (ret > size) { + if (ret >= size) { size = 0; } else { size -= ret; -- cgit v1.2.3 From d5b66179b0e27c14a9033c4356937506577485e3 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Mon, 16 Mar 2026 21:49:25 -0700 Subject: lib/crypto: powerpc: Add powerpc/aesp8-ppc.S to clean-files Make the generated file powerpc/aesp8-ppc.S be removed by 'make clean'. Fixes: 7cf2082e74ce ("lib/crypto: powerpc/aes: Migrate POWER8 optimized code into library") Acked-by: Ard Biesheuvel Link: https://lore.kernel.org/r/20260317044925.104184-1-ebiggers@kernel.org Signed-off-by: Eric Biggers --- lib/crypto/Makefile | 3 +++ 1 file changed, 3 insertions(+) (limited to 'lib') diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 725eef05b758..dc7a56f7287d 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -55,6 +55,9 @@ libaes-$(CONFIG_SPARC) += sparc/aes_asm.o libaes-$(CONFIG_X86) += x86/aes-aesni.o endif # CONFIG_CRYPTO_LIB_AES_ARCH +# clean-files must be defined unconditionally +clean-files += powerpc/aesp8-ppc.S + ################################################################################ obj-$(CONFIG_CRYPTO_LIB_AESCFB) += libaescfb.o -- cgit v1.2.3