Description
Describe the bug
Incomplete arithmetic in `is_in_flash_area_bounds` allowed a combination of offset and length, passed to any Flash Map function that uses it, to read/write outside of the designated flash area, in the case where the combination of `len` and `offset` would overflow.

See `zephyr/subsys/storage/flash_map/flash_map_priv.h`, lines 33 to 37, at commit 5615e46.
To Reproduce
Reproduction is not required; if you take a look at the code referenced above you will notice that `off` is only checked to be non-negative and that the sum of `off` and `len` is checked to be below or equal to `fa_size`. The `size_t` type of `len` causes the sum operands to be cast to `size_t`, which is an unsigned integer (assuming that `off_t` is a type of smaller or equal width than `size_t`). This means that it is enough that `(off + len) mod(max(size_t)) <= fa_size` for `off` and `len` to be accepted as valid.
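The two checks below are an added example, not Zephyr's code. The first reproduces the checking pattern the report describes (non-negative `off`, then `off + len` compared against the area size, with the sum evaluated in `size_t`, so a sufficiently large `len` wraps the sum and the check passes). The second rejects the same input by never forming the sum: it bounds `len` first and then compares `off` against the remaining room. Passing `fa_size` as a plain `size_t` instead of reading it from a `flash_area` descriptor, and the sample sizes and offsets, are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>   /* off_t */

/*
 * Added illustration for the report above; not Zephyr's code.
 * fa_size stands in for the flash area size that the real helper reads
 * from its flash_area descriptor (assumption of this example).
 */

/* The pattern the report describes: off must be non-negative and off + len
 * must not exceed the area size. Because len is size_t, the addition is done
 * in size_t and wraps around, so a huge len can still satisfy the comparison. */
bool bounds_check_wrapping(size_t fa_size, off_t off, size_t len)
{
    return (off >= 0) && ((off + len) <= fa_size);
}

/* Hardened form: never form the sum. Reject negative offsets and any length
 * larger than the area first; after that fa_size - len cannot underflow, so
 * off can be compared directly against the room that is left. */
bool bounds_check_safe(size_t fa_size, off_t off, size_t len)
{
    if (off < 0) {
        return false;
    }
    if (len > fa_size) {
        return false;
    }
    return (size_t)off <= fa_size - len;
}

int main(void)
{
    const size_t fa_size = 4096;        /* constructed: a 4 KiB flash area */
    const off_t off = 16;
    const size_t len = SIZE_MAX - 8;    /* constructed: off + len wraps to 7 */

    printf("wrapping check accepts off=16, len=SIZE_MAX-8: %s\n",
           bounds_check_wrapping(fa_size, off, len) ? "yes" : "no");
    printf("safe check accepts the same input:             %s\n",
           bounds_check_safe(fa_size, off, len) ? "yes" : "no");
    return 0;
}
```

With the constructed input the wrapping check answers "yes" because `16 + (SIZE_MAX - 8)` evaluates to 7 in `size_t` arithmetic, while the hardened check answers "no" because `len` alone already exceeds the area. Both checks still accept the legitimate boundary cases (`off == 0` with `len == fa_size`, and `off == fa_size` with `len == 0`).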
Expected behavior
Proper checking of `off` and `len` that does not allow the integer arithmetic to overflow.
Impact
Probable reads/writes out of designated flash area.
Environment (please complete the following information):
- OS: Any
- Toolchain: Any
- Commit SHA: 5615e46, present since v1.11.0