Skip to content

stream_flash: stream_flash_erase_page does not check whether requested offset is in range of stream flash owned area #79800

New issue
New issue
Closed
Bug
#79830
Closed
stream_flash: stream_flash_erase_page does not check whether requested offset is in range of stream flash owned area#79800
Bug
#79830
Assignees
de-nordic
Labels
backport v3.7-branchRequest backport to the v3.7-branchbugThe issue is a bug, or the PR is fixing a bugpriority: mediumMedium impact/importance bug
@de-nordic

Description

@de-nordic
de-nordic
opened on Oct 14, 2024

Describe the bug
Stream Flash API provides stream_flash_erase_page function that, aside from other issues #67407, has a problem where it does not check whether requested, for erase, offset is within area designated for the stream flash the function is called on.
Only performed check is whether currently requested offset has already been erased as exactly being offset of last erased page.

Above means that selecting any valid offset of page, that is not stored in stream flash ctx as erased, on the entire device allows to erase that offset, regardless whether that offset belongs to stream flash designated area or not.

To Reproduce
I have been able to emulate incorrect behavior by setting up stream flash on storage partition and performing erase of application by erasing its CONFIG_ROM_START_OFFSET, by doing sequence of operations:

struct stream_flash_ctx ctx = { 0 };
int rc = stream_flash_init(&ctx,
                FIXED_PARTITION_DEVICE(PART),
                dummy_buf, ARRAY_SIZE(dummy_buf),
                FIXED_PARTITION_OFFSET(PART),
                FIXED_PARTITION_SIZE(PART),
                NULL);
 
rc = flash_erase(FIXED_PARTITION_DEVICE(PART, 

assert(rc == 0);
printf("Stream flash starts at 0x%lx offset of %p\n", ctx->offset, ctx->fdev);
printf("Erasing offset 0 of device %p\n", ctx->dev);
rc = stream_flash_erase_page(&ctx, 0);
printf("Stream flash starts at 0x%zx offset of %p\n", ctx.offset, ctx.fdev);
printf("Erasing code at 0x%x of device %p\n", CONFIG_ROM_START_OFFSET, ctx.fdev);
rc = stream_flash_erase_page(&ctx, CONFIG_ROM_START_OFFSET);
assert(rc == 0);
printf("You should not see this but if you do, try rebooting device to see that it no longer boots\n");

the code above, has bricked device.

Expected behavior
Stream flash should only allow erasing what belongs to it.

Impact
Possible brick of device, data destruction.

Environment (please complete the following information):

  • OS: Linux
  • Toolchain Zephyr sdk 0.16.x
  • Commit SHA 1ec5ce0

Additional context
Not reported in field, probably because this is not used so much by users in outside of tree code, nevertheless it is quite a bug.
Marking as medium due to unpredictable destructive potential due to possible mistake in user code.

The problem exists since 2.3.0

Metadata

Metadata

Assignees

Labels

backport v3.7-branchRequest backport to the v3.7-branchbugThe issue is a bug, or the PR is fixing a bugpriority: mediumMedium impact/importance bug

Type

Bug

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions