lib/bootconfig: check xbc_init_node() return in override path

techyguyperplexable · gregkh · commit d03e8c281fd3 · 2026-03-25T11:10:45.000+01:00
[ Upstream commit bb288d7d869e86d382f35a0e26242c5ccb05ca82 ] The ':=' override path in xbc_parse_kv() calls xbc_init_node() to re-initialize an existing value node but does not check the return value. If xbc_init_node() fails (data offset out of range), parsing silently continues with stale node data. Add the missing error check to match the xbc_add_node() call path which already checks for failure. In practice, a bootconfig using ':=' to override a value near the 32KB data limit could silently retain the old value, meaning a security-relevant boot parameter override (e.g., a trace filter or debug setting) would not take effect as intended. Link: https://lore.kernel.org/all/20260318155847.78065-2-objecting@objecting.org/ Fixes: e5efaeb ("bootconfig: Support mixing a value and subkeys under a key") Signed-off-by: Josh Law <objecting@objecting.org> Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/lib/bootconfig.c b/lib/bootconfig.c
@@ -712,7 +712,8 @@ static int __init xbc_parse_kv(char **k, char *v, int op)
 		if (op == ':') {
 			unsigned short nidx = child->next;
 
-			xbc_init_node(child, v, XBC_VALUE);
+			if (xbc_init_node(child, v, XBC_VALUE) < 0)
+				return xbc_parse_error("Failed to override value", v);
 			child->next = nidx;	/* keep subkeys */
 			goto array;
 		}

Original file line number	Diff line number	Diff line change
`@@ -712,7 +712,8 @@ static int __init xbc_parse_kv(char *k, char v, int op)`
`712`	`712`	`if (op == ':') {`
`713`	`713`	`unsigned short nidx = child->next;`
`714`	`714`
`715`		`- xbc_init_node(child, v, XBC_VALUE);`
	`715`	`+ if (xbc_init_node(child, v, XBC_VALUE) < 0)`
	`716`	`+ return xbc_parse_error("Failed to override value", v);`
`716`	`717`	`child->next = nidx; /* keep subkeys */`
`717`	`718`	`goto array;`
`718`	`719`	`}`