lib/bootconfig: check xbc_init_node() return in override path

techyguyperplexable · mhiramat · commit bb288d7d869e · 2026-03-19T08:43:05.000+09:00
The ':=' override path in xbc_parse_kv() calls xbc_init_node() to re-initialize an existing value node but does not check the return value. If xbc_init_node() fails (data offset out of range), parsing silently continues with stale node data. Add the missing error check to match the xbc_add_node() call path which already checks for failure. In practice, a bootconfig using ':=' to override a value near the 32KB data limit could silently retain the old value, meaning a security-relevant boot parameter override (e.g., a trace filter or debug setting) would not take effect as intended. Link: https://lore.kernel.org/all/20260318155847.78065-2-objecting@objecting.org/ Fixes: e5efaeb ("bootconfig: Support mixing a value and subkeys under a key") Signed-off-by: Josh Law <objecting@objecting.org> Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
diff --git a/lib/bootconfig.c b/lib/bootconfig.c
@@ -723,7 +723,8 @@ static int __init xbc_parse_kv(char **k, char *v, int op)
 		if (op == ':') {
 			unsigned short nidx = child->next;
 
-			xbc_init_node(child, v, XBC_VALUE);
+			if (xbc_init_node(child, v, XBC_VALUE) < 0)
+				return xbc_parse_error("Failed to override value", v);
 			child->next = nidx;	/* keep subkeys */
 			goto array;
 		}

Original file line number	Diff line number	Diff line change
`@@ -723,7 +723,8 @@ static int __init xbc_parse_kv(char *k, char v, int op)`
`723`	`723`	`if (op == ':') {`
`724`	`724`	`unsigned short nidx = child->next;`
`725`	`725`
`726`		`- xbc_init_node(child, v, XBC_VALUE);`
	`726`	`+ if (xbc_init_node(child, v, XBC_VALUE) < 0)`
	`727`	`+ return xbc_parse_error("Failed to override value", v);`
`727`	`728`	`child->next = nidx; /* keep subkeys */`
`728`	`729`	`goto array;`
`729`	`730`	`}`