-
Notifications
You must be signed in to change notification settings - Fork 7.8k
Description
Describe the bug
Stream Flash API provides stream_flash_erase_page
function that, aside from other issues #67407, has a problem where it does not check whether requested, for erase, offset is within area designated for the stream flash the function is called on.
Only performed check is whether currently requested offset has already been erased as exactly being offset of last erased page.
Above means that selecting any valid offset of page, that is not stored in stream flash ctx as erased, on the entire device allows to erase that offset, regardless whether that offset belongs to stream flash designated area or not.
To Reproduce
I have been able to emulate incorrect behavior by setting up stream flash on storage partition and performing erase of application by erasing its CONFIG_ROM_START_OFFSET, by doing sequence of operations:
struct stream_flash_ctx ctx = { 0 };
int rc = stream_flash_init(&ctx,
FIXED_PARTITION_DEVICE(PART),
dummy_buf, ARRAY_SIZE(dummy_buf),
FIXED_PARTITION_OFFSET(PART),
FIXED_PARTITION_SIZE(PART),
NULL);
rc = flash_erase(FIXED_PARTITION_DEVICE(PART,
assert(rc == 0);
printf("Stream flash starts at 0x%lx offset of %p\n", ctx->offset, ctx->fdev);
printf("Erasing offset 0 of device %p\n", ctx->dev);
rc = stream_flash_erase_page(&ctx, 0);
printf("Stream flash starts at 0x%zx offset of %p\n", ctx.offset, ctx.fdev);
printf("Erasing code at 0x%x of device %p\n", CONFIG_ROM_START_OFFSET, ctx.fdev);
rc = stream_flash_erase_page(&ctx, CONFIG_ROM_START_OFFSET);
assert(rc == 0);
printf("You should not see this but if you do, try rebooting device to see that it no longer boots\n");
the code above, has bricked device.
Expected behavior
Stream flash should only allow erasing what belongs to it.
Impact
Possible brick of device, data destruction.
Environment (please complete the following information):
- OS: Linux
- Toolchain Zephyr sdk 0.16.x
- Commit SHA 1ec5ce0
Additional context
Not reported in field, probably because this is not used so much by users in outside of tree code, nevertheless it is quite a bug.
Marking as medium due to unpredictable destructive potential due to possible mistake in user code.
The problem exists since 2.3.0