From 632b6d8fc7c475ec1e6d874de53391c19eaec48b Mon Sep 17 00:00:00 2001
From: Michael Cardell Widerkrantz
Date: Fri, 25 Apr 2025 15:16:41 +0200
Subject: [PATCH] fw: Limit flash offsets to be within sane limits
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Limit flash offsets passed to syscalls. Be sure to check the limits before doing any form of calculation with the passed values.

Co-authored-by: Mikael Ă…gren
---
 hw/application_fpga/fw/tk1/preload_app.c | 10 +++++++++-
 hw/application_fpga/fw/tk1/storage.c | 22 +++++++++++++++++++++-
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/hw/application_fpga/fw/tk1/preload_app.c b/hw/application_fpga/fw/tk1/preload_app.c
index 499bbe5..fd11237 100644
--- a/hw/application_fpga/fw/tk1/preload_app.c
+++ b/hw/application_fpga/fw/tk1/preload_app.c
@@ -67,7 +67,15 @@ int preload_store(struct partition_table *part_table, uint32_t offset,
 return -1;
 }
 
- if ((offset + size) > SIZE_PRE_LOADED_APP || size > 4096) {
+ if (offset > SIZE_PRE_LOADED_APP) {
+ return -2;
+ }
+
+ if (size > 4096) {
+ return -2;
+ }
+
+ if ((offset + size) > SIZE_PRE_LOADED_APP) {
 /* Writing outside of area */
 return -2;
 }
diff --git a/hw/application_fpga/fw/tk1/storage.c b/hw/application_fpga/fw/tk1/storage.c
index a8f5c4e..5ce91c0 100644
--- a/hw/application_fpga/fw/tk1/storage.c
+++ b/hw/application_fpga/fw/tk1/storage.c
@@ -176,6 +176,10 @@ int storage_erase_sector(struct partition_table *part_table, uint32_t offset,
 return -3;
 }
 
+ if (offset > SIZE_STORAGE_AREA) {
+ return -2;
+ }
+

 /* Cannot only erase entire sectors */
 if (offset % 4096 != 0) {
 return -2;
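Review bot: The three separate checks added to preload_store are only correct together — the first two bound offset and size so that the `offset + size` in the third cannot wrap around in uint32_t — but nothing in the hunk records that, and a later cleanup could fold them back into the single condition this commit removes. A one-line comment above the first check would preserve the intent: `/* Bound offset and size separately first so that offset + size below cannot wrap */`. The same applies to the identical blocks added to storage_write_data and storage_read_data in storage.c. The literal 4096 is repeated in each of these checks and again as the sector size in storage_erase_sector; naming it once would tie the per-call limit to the sector size it presumably derives from. preload_store's signature and the rest of its body lie outside the hunk.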
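Review bot: In storage_erase_sector the new check still lets offset == SIZE_STORAGE_AREA through: that value is sector-aligned, so the alignment test below also passes, and unlike the write and read paths there is no `offset + size` comparison to reject it, so an erase of the sector just past the end of the area would be attempted unless a check outside the hunk prevents it. Since a sector erase always covers 4096 bytes starting at offset, the bound should be exclusive: `if (offset >= SIZE_STORAGE_AREA) {`. The remainder of storage_erase_sector, including its signature, is outside the hunk.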
@@ -227,7 +231,15 @@ int storage_write_data(struct partition_table *part_table, uint32_t offset,
 return -3;
 }
 
- if ((offset + size) > SIZE_STORAGE_AREA || size > 4096) {
+ if (offset > SIZE_STORAGE_AREA) {
+ return -2;
+ }
+
+ if (size > 4096) {
+ return -2;
+ }
+
+ if ((offset + size) > SIZE_STORAGE_AREA) {
 /* Writing outside of area */
 return -2;
 }
@@ -263,6 +275,14 @@ int storage_read_data(struct partition_table *part_table, uint32_t offset,
 return -3;
 }
 
+ if (offset > SIZE_STORAGE_AREA) {
+ return -2;
+ }
+
+ if (size > 4096) {
+ return -2;
+ }
+
 if ((offset + size) > SIZE_STORAGE_AREA) {
 /* Reading outside of area */
 return -2;
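Review bot: The `size > 4096` check added to storage_read_data introduces a cap on read length that the old condition did not have — the removed write condition already had it, the read condition did not — so any caller that read more than a sector in one call now gets -2, yet the commit message only speaks of offsets and the hunk carries no comment explaining the limit. Either state the new contract in a comment at the check, e.g. `/* Reads are limited to one sector (4096 bytes) per call */`, or mention it in the commit message so the behavior change is visible to callers. storage_read_data's signature and the rest of its body are outside the hunk.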