Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

lib/bootconfig: check xbc_init_node() return in override path

The ':=' override path in xbc_parse_kv() calls xbc_init_node() to
re-initialize an existing value node but does not check the return
value. If xbc_init_node() fails (data offset out of range), parsing
silently continues with stale node data.

Add the missing error check to match the xbc_add_node() call path
which already checks for failure.

In practice, a bootconfig using ':=' to override a value near the
32KB data limit could silently retain the old value, meaning a
security-relevant boot parameter override (e.g., a trace filter or
debug setting) would not take effect as intended.

Link: https://lore.kernel.org/all/20260318155847.78065-2-objecting@objecting.org/

Fixes: e5efaeb8a8f5 ("bootconfig: Support mixing a value and subkeys under a key")
Signed-off-by: Josh Law <objecting@objecting.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>

authored by Josh Law and committed by Masami Hiramatsu (Google)
bb288d7d f338e773

+2 -1
lib/bootconfig.c
··· 723 723 if (op == ':') { 724 724 unsigned short nidx = child->next; 725 725 726 - xbc_init_node(child, v, XBC_VALUE); 726 + if (xbc_init_node(child, v, XBC_VALUE) < 0) 727 + return xbc_parse_error("Failed to override value", v); 727 728 child->next = nidx; /* keep subkeys */ 728 729 goto array; 729 730 }
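Review bot: The new early return at new lines 726-727 exits before `child->next = nidx` runs, so the fix relies on xbc_init_node() leaving `child` unmodified when it fails. The hunk does not show that, so please confirm the range check in xbc_init_node() happens before any field of the node is written, or say so in the commit message. Separately, the error text "Failed to override value" does not carry the cause the commit message gives (data offset out of range); a message that names the data limit would tell whoever is debugging a rejected bootconfig why the ':=' override was refused. The commit message also says this matches the xbc_add_node() call path, and using similar wording for the two errors would keep them easy to tell apart in boot logs.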