Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

stream_flash: stream_flash_erase_page does not check whether requested offset is in range of stream flash owned area #79800

Closed
de-nordic opened this issue Oct 14, 2024 · 0 comments · Fixed by #79830
Closed

stream_flash: stream_flash_erase_page does not check whether requested offset is in range of stream flash owned area #79800

de-nordic opened this issue Oct 14, 2024 · 0 comments · Fixed by #79830
Assignees
@de-nordic
Labels
backport v3.7-branch Request backport to the v3.7-branch bug The issue is a bug, or the PR is fixing a bug priority: medium Medium impact/importance bug

Comments

@de-nordic
Copy link
Collaborator

de-nordic commented Oct 14, 2024
edited
Loading

Describe the bug
Stream Flash API provides stream_flash_erase_page function that, aside from other issues #67407, has a problem where it does not check whether requested, for erase, offset is within area designated for the stream flash the function is called on.
Only performed check is whether currently requested offset has already been erased as exactly being offset of last erased page.

Above means that selecting any valid offset of page, that is not stored in stream flash ctx as erased, on the entire device allows to erase that offset, regardless whether that offset belongs to stream flash designated area or not.

To Reproduce
I have been able to emulate incorrect behavior by setting up stream flash on storage partition and performing erase of application by erasing its CONFIG_ROM_START_OFFSET, by doing sequence of operations:

struct stream_flash_ctx ctx = { 0 };
int rc = stream_flash_init(&ctx,
                FIXED_PARTITION_DEVICE(PART),
                dummy_buf, ARRAY_SIZE(dummy_buf),
                FIXED_PARTITION_OFFSET(PART),
                FIXED_PARTITION_SIZE(PART),
                NULL);
 
rc = flash_erase(FIXED_PARTITION_DEVICE(PART, 

assert(rc == 0);
printf("Stream flash starts at 0x%lx offset of %p\n", ctx->offset, ctx->fdev);
printf("Erasing offset 0 of device %p\n", ctx->dev);
rc = stream_flash_erase_page(&ctx, 0);
printf("Stream flash starts at 0x%zx offset of %p\n", ctx.offset, ctx.fdev);
printf("Erasing code at 0x%x of device %p\n", CONFIG_ROM_START_OFFSET, ctx.fdev);
rc = stream_flash_erase_page(&ctx, CONFIG_ROM_START_OFFSET);
assert(rc == 0);
printf("You should not see this but if you do, try rebooting device to see that it no longer boots\n");

the code above, has bricked device.

Expected behavior
Stream flash should only allow erasing what belongs to it.

Impact
Possible brick of device, data destruction.

Environment (please complete the following information):

  • OS: Linux
  • Toolchain Zephyr sdk 0.16.x
  • Commit SHA 1ec5ce0

Additional context
Not reported in field, probably because this is not used so much by users in outside of tree code, nevertheless it is quite a bug.
Marking as medium due to unpredictable destructive potential due to possible mistake in user code.

The problem exists since 2.3.0
@de-nordic de-nordic added the bug The issue is a bug, or the PR is fixing a bug label Oct 14, 2024
@de-nordic de-nordic self-assigned this Oct 14, 2024
@de-nordic de-nordic added priority: medium Medium impact/importance bug backport v3.6-branch backport v3.7-branch Request backport to the v3.7-branch labels Oct 14, 2024
de-nordic added a commit to de-nordic/zephyr that referenced this issue Oct 15, 2024
@de-nordic
storage/stream_flash: Fix range check in stream_flash_erase_page
d097896 
Added check where stream_flash_erase_page checks if requested
offset is actually within stream flash designated area.

Fixes zephyrproject-rtos#79800

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
@de-nordic de-nordic mentioned this issue Oct 15, 2024
Merged
@de-nordic de-nordic changed the title stream_flash: stream_flash_erase_page does not check whether requested offset is in reange of stream flash owned area stream_flash: stream_flash_erase_page does not check whether requested offset is in range of stream flash owned area Oct 15, 2024
dleach02 pushed a commit that referenced this issue Oct 25, 2024
@de-nordic @dleach02
storage/stream_flash: Fix range check in stream_flash_erase_page
8714c17 
Added check where stream_flash_erase_page checks if requested
offset is actually within stream flash designated area.

Fixes #79800

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
zephyrbot pushed a commit that referenced this issue Oct 25, 2024
@de-nordic @github-actions
storage/stream_flash: Fix range check in stream_flash_erase_page
5983709 
Added check where stream_flash_erase_page checks if requested
offset is actually within stream flash designated area.

Fixes #79800

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 8714c17)
de-nordic added a commit that referenced this issue Oct 30, 2024
@de-nordic
storage/stream_flash: Fix range check in stream_flash_erase_page
72aea10 
Added check where stream_flash_erase_page checks if requested
offset is actually within stream flash designated area.

Fixes #79800

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 8714c17)
@aescolar aescolar mentioned this issue Oct 30, 2024
Merged
de-nordic added a commit that referenced this issue Oct 30, 2024
@de-nordic
storage/stream_flash: Fix range check in stream_flash_erase_page
f173c1e 
Added check where stream_flash_erase_page checks if requested
offset is actually within stream flash designated area.

Fixes #79800

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 8714c17)
This was referenced Oct 30, 2024
Merged
Merged
henrikbrixandersen pushed a commit that referenced this issue Nov 6, 2024
@de-nordic @henrikbrixandersen
storage/stream_flash: Fix range check in stream_flash_erase_page
03bc6e0 
Added check where stream_flash_erase_page checks if requested
offset is actually within stream flash designated area.

Fixes #79800

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 8714c17)
nashif pushed a commit that referenced this issue Nov 8, 2024
@de-nordic @nashif
storage/stream_flash: Fix range check in stream_flash_erase_page
219d034 
Added check where stream_flash_erase_page checks if requested
offset is actually within stream flash designated area.

Fixes #79800

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 8714c17)
nashif pushed a commit that referenced this issue Dec 16, 2024
@de-nordic @nashif
storage/stream_flash: Fix range check in stream_flash_erase_page
256c9a4 
Added check where stream_flash_erase_page checks if requested
offset is actually within stream flash designated area.

Fixes #79800

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 8714c17)
nashif pushed a commit that referenced this issue Dec 16, 2024
@de-nordic @nashif
storage/stream_flash: Fix range check in stream_flash_erase_page
7c1f30d 
Added check where stream_flash_erase_page checks if requested
offset is actually within stream flash designated area.

Fixes #79800

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 8714c17)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@de-nordic de-nordic

Labels
backport v3.7-branch Request backport to the v3.7-branch bug The issue is a bug, or the PR is fixing a bug priority: medium Medium impact/importance bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add stream_flash_erase_page range check de-nordic/zephyr
1 participant
@de-nordic