fix: guard flash offset+size overflow#442
Draft
MarkAtwood wants to merge 1 commit into
Draft
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens the POSIX flash-file backend (port/posix/posix_flash_file.c) against unsigned 32-bit wraparound in offset + size bounds checks, preventing out-of-range I/O operations from bypassing validation.
Changes:
- Replaced overflow-prone
(offset + size > MAX_OFFSET(context))checks with an overflow-safe two-part guard in 5 APIs. - Applied the fix consistently across Read/Program/Verify/Erase/BlankCheck entry validation.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
181
to
184
| if ( (context == NULL) || | ||
| (offset + size > MAX_OFFSET(context))){ | ||
| (offset > MAX_OFFSET(context)) || | ||
| (size > MAX_OFFSET(context) - offset)){ | ||
| return WH_ERROR_BADARGS; |
Comment on lines
208
to
212
| if ( (context == NULL) || | ||
| (offset + size > MAX_OFFSET(context))){ | ||
| (offset > MAX_OFFSET(context)) || | ||
| (size > MAX_OFFSET(context) - offset)){ | ||
| return WH_ERROR_BADARGS; | ||
| } |
Comment on lines
246
to
250
| if ( (context == NULL) || | ||
| (offset + size > MAX_OFFSET(context))){ | ||
| (offset > MAX_OFFSET(context)) || | ||
| (size > MAX_OFFSET(context) - offset)){ | ||
| return WH_ERROR_BADARGS; | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bug
In
port/posix/posix_flash_file.c, the bounds check inposixFlashFile_Read,_Program,_Erase,_Verify, and_BlankCheck(lines 182, 208, 245, 281, 317 on master) is:offset,size, andpartition_sizeare alluint32_t(posix_flash_file.h:38-40), andMAX_OFFSET(context)ispartition_size * 2, alsouint32_t. The additionoffset + sizeis 32-bit unsigned and wraps at 2^32. A caller passing a largeoffsetwith asizethat makes the sum wrap belowMAX_OFFSETbypasses the check and proceeds intopread/pwrite/erase with an out-of-range offset. These functions are unconditionally compiled (no build guard).Fix
Replace the single overflow-prone comparison with an overflow-safe two-part guard at all 5 sites:
Checking
offset > MAX_OFFSETfirst ensuresMAX_OFFSET - offsetcannot underflow before the second comparison, so both the wrap-around and the offset-alone-out-of-range cases are rejected.Verification
Built the port file on Ubuntu 24.04 with gcc -Wall (BUILD_OK). Ran a harness against the real
posixFlashFile_Readwithpartition_size=0x1000(MAX_OFFSET=0x2000):offset=0xFFFFF000, size=0x2000(true sum 0x100001000, wraps to 0x1000): before the fix the check passed and the function proceeded; after the fix it returnsWH_ERROR_BADARGS.offset=0x3000, size=0x10(offset alone out of range): returnsWH_ERROR_BADARGS(confirms no underflow regression).offset=0, size=8(in bounds): returns OK.Reported by static analysis (Fenrir finding 133).
[fenrir-sweep:held]