-
Notifications
You must be signed in to change notification settings - Fork 680
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
If the image header is corrupt, bootutil_img_hash() can take a VERY long time #2025
Comments
Rather than failing if |
I'm a little surprised this doesn't just fail with the first flash read past the end of the partition. Does the driver not reject the flash operations that are out of bound? I believe that was the assumption in how this was written. |
It didn't even occur to me that the non-library flash-driver code should return a failure code for writing outside the flash-area. I assumed that the library code would do that. It seems that I based my flash-area code on some of the examples where the out-of-bounds check is not explicit, done by some board-specific library code (cypress, mbed, zephyr), rather than those examples that do have explicit checks (esp32, nuttx) It is easy enough to add the appropriate check to my implementation of flash_area_xxxx() operations and return an error for out-of-bounds access. |
In fact, I am more surprised that UPDATE: Nothing in the library code calls I do like the idea of
Perhaps My provided patch is poor, in that it reads |
+1 to adding the check that size in the image header doesn't exceed flash area size in mcuboot, rather than relying on the flash driver to detect the out of bounds access. I ran into this when porting mcuboot to a custom platform, except I had an assertion check rather than just an error return in the flash driver, since I assumed mcuboot wouldn't try to read/write/erase outside of the defined flash areas. |
While testing repeated firmware updates, cycling between two versions, with a random power cycler, the system failed after about 3000 update operations.
The problem was in
image_validate.c
functionbootutil_img_hash()
, when the image header in flash was corrupt. The intention is that this will be detected by the checksum algorithm.However, in this case, the field
hdr->ih_img_size
was a very large number, about 102 MB, rather than less than 1 MB (the size of the flash area). Instead of taking about 3 s to verify the checksum in this test system, it would have taken 5 minutes or more. In the worst case,if ih_img_size
were all-1s (4 GB), it would take about 3.5 hours to verify the checksum.A simple fix is to check that the size of the image being validated (and the protected TLVs, etc) is less than the size of the flash-area. This means that the checksum algorithm will take a reasonable duration (not more than the worst-case for that size flash area), rather than an arbitrary duration.
MCUboot version: branch v2.1.0, git d4394c2
The image header became corrupt when the power-cycle happened while the application was writing the new version header to flash, but before the flash device completed the operation. The application does verify the new image version in flash before rebooting, but did not have time to do that before the power-cycle.
The text was updated successfully, but these errors were encountered: