Flash Map: Bounds checking not immune to integer overflow #89349

Open
de-nordic opened this issue Apr 30, 2025 · 0 comments · May be fixed by #89351
Labels: area: Flash; bug (The issue is a bug, or the PR is fixing a bug)

@de-nordic (Collaborator)

Describe the bug
Incomplete arithmetic in is_in_flash_area_bounds allowed a combination of offset and length, passed to any Flash Map function that uses it, to read/write outside of the designated flash area in cases where the combination of len and offset would overflow.

static inline bool is_in_flash_area_bounds(const struct flash_area *fa,
					   off_t off, size_t len)
{
	/* off + len is evaluated in size_t and can wrap around */
	return (off >= 0) && ((off + len) <= fa->fa_size);
}

To Reproduce
Reproduction is not required; if you take a look at the code above you will notice that off is only checked to be non-negative and that the sum of off and len is only checked to be below or equal to fa_size; the size_t type of len causes the sum operands to be cast to size_t, which is an unsigned int (assuming that off_t is a type smaller than or equal to size_t). This means that it is enough for (off + len) mod(max(size_t)) <= fa_size to hold for the off and len to be accepted as valid.

Expected behavior
Proper checking of off and len that does not allow the integer arithmetic to overflow.

Impact
Probable reads/writes outside of the designated flash area.

Environment (please complete the following information):

  • OS: Any
  • Toolchain: Any
  • Commit SHA: 5615e46, present since v1.11.0
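As an added illustration (not part of the issue text and not the upstream fix in #89351), the check quoted above sits next to a hardened variant that compares the remaining room in the area instead of forming off + len, so no intermediate can wrap. struct flash_area is reduced to its fa_size member here, and, as the issue assumes, off_t is taken to be no wider than size_t; the 4 KiB area and the offset/length values are constructed inputs:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Stand-in for Zephyr's struct flash_area (assumption: only fa_size is
 * needed for the bounds check; the real struct has more members). */
struct flash_area {
	size_t fa_size;
};

/* The check as quoted in the issue: off is promoted to size_t for the
 * addition, so a large len wraps the sum to a small value that passes. */
static inline bool is_in_flash_area_bounds_orig(const struct flash_area *fa,
						off_t off, size_t len)
{
	return (off >= 0) && ((off + len) <= fa->fa_size);
}

/* Hardened variant (added here, not the upstream patch): reject negative
 * offsets, then check len against the room left after off, which is
 * fa_size - off and cannot wrap because off <= fa_size was verified first. */
static inline bool is_in_flash_area_bounds_safe(const struct flash_area *fa,
						off_t off, size_t len)
{
	if (off < 0) {
		return false;
	}
	/* off is non-negative, so this conversion preserves its value
	 * (assuming off_t is no wider than size_t, as the issue does). */
	size_t uoff = (size_t)off;

	if (uoff > fa->fa_size) {
		return false;
	}
	/* Equivalent to off + len <= fa_size, evaluated without the sum. */
	return len <= fa->fa_size - uoff;
}

/* Constructed wrap case: a 4 KiB area, offset 16, and a len chosen so that
 * off + len wraps to 7 in size_t. Returns true when the original check
 * accepts the request and the hardened one rejects it. */
bool overflow_case_differs(void)
{
	const struct flash_area fa = { .fa_size = 4096 };
	const off_t off = 16;
	const size_t len = SIZE_MAX - 8; /* 16 + (SIZE_MAX - 8) wraps to 7 */

	return is_in_flash_area_bounds_orig(&fa, off, len) &&
	       !is_in_flash_area_bounds_safe(&fa, off, len);
}

/* Sanity check that the hardened variant still accepts in-range requests
 * (whole area, last byte, zero-length access at the end) and rejects
 * one byte past the end. */
bool in_range_cases_agree(void)
{
	const struct flash_area fa = { .fa_size = 4096 };

	return is_in_flash_area_bounds_safe(&fa, 0, 4096) &&
	       is_in_flash_area_bounds_safe(&fa, 4095, 1) &&
	       is_in_flash_area_bounds_safe(&fa, 4096, 0) &&
	       !is_in_flash_area_bounds_safe(&fa, 4096, 1) &&
	       !is_in_flash_area_bounds_safe(&fa, -1, 1);
}

int main(void)
{
	printf("original check accepts wrapping request: %s\n",
	       overflow_case_differs() ? "yes (hardened rejects it)" : "no");
	printf("hardened check handles in-range cases: %s\n",
	       in_range_cases_agree() ? "yes" : "no");
	return 0;
}
```

The subtraction form is the usual way to write such a check in C: once off <= fa_size is established, fa_size - off is a valid size_t and the comparison against len needs no wider intermediate type.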
de-nordic added the bug label on Apr 30, 2025
de-nordic self-assigned this on Apr 30, 2025
de-nordic added a commit to de-nordic/zephyr that referenced this issue on Apr 30, 2025:

Prevent possible overflow in is_in_flash_area_bounds while
validating offset and length of an operation.

Fixes zephyrproject-rtos#89349

Signed-off-by: Dominik Ermel <[email protected]>
de-nordic linked a pull request on Apr 30, 2025 that will close this issue