From 59a129f22f096d992496111c498b3ea97e637115 Mon Sep 17 00:00:00 2001
From: Andrew Leech
Date: Fri, 5 Mar 2021 09:46:14 +1100
Subject: [PATCH] stm32/storage: Prevent attempts to read/write invalid block addresses.

A corrupt filesystem may lead to a request for a block which is out of range of the block device limits. Return an error instead of passing the request down to the lower layer.
---
 ports/stm32/storage.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/ports/stm32/storage.c b/ports/stm32/storage.c
index 6581860ff3..a71c4a3ea7 100644
--- a/ports/stm32/storage.c
+++ b/ports/stm32/storage.c
@@ -340,8 +340,12 @@ STATIC mp_obj_t pyb_flash_readblocks(size_t n_args, const mp_obj_t *args) {
 else if (self != &pyb_flash_obj) {
 // Extended block read on a sub-section of the flash storage
 uint32_t offset = mp_obj_get_int(args[3]);
- block_num += self->start / PYB_FLASH_NATIVE_BLOCK_SIZE;
- ret = MICROPY_HW_BDEV_READBLOCKS_EXT(bufinfo.buf, block_num, offset, bufinfo.len);
+ if ((block_num * PYB_FLASH_NATIVE_BLOCK_SIZE) >= self->len) {
+ ret = -MP_EFAULT; // Bad address
+ } else {
+ block_num += self->start / PYB_FLASH_NATIVE_BLOCK_SIZE;
+ ret = MICROPY_HW_BDEV_READBLOCKS_EXT(bufinfo.buf, block_num, offset, bufinfo.len);
+ }
 }
 #endif
 return MP_OBJ_NEW_SMALL_INT(ret);
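Review bot: The new bound check `(block_num * PYB_FLASH_NATIVE_BLOCK_SIZE) >= self->len` can wrap around if `block_num` is a 32-bit value (its declaration is outside this hunk), so a very large block number taken from a corrupt filesystem could multiply down to a small byte offset and pass the test. Comparing in block units removes the multiplication: `if (block_num >= self->len / PYB_FLASH_NATIVE_BLOCK_SIZE) {`, which is equivalent as long as `self->len` is a whole number of blocks. The identical expression in the pyb_flash_writeblocks hunk needs the same change. Both function bodies start and end outside their hunks.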
@@ -363,8 +367,12 @@ STATIC mp_obj_t pyb_flash_writeblocks(size_t n_args, const mp_obj_t *args) {
 else if (self != &pyb_flash_obj) {
 // Extended block write on a sub-section of the flash storage
 uint32_t offset = mp_obj_get_int(args[3]);
- block_num += self->start / PYB_FLASH_NATIVE_BLOCK_SIZE;
- ret = MICROPY_HW_BDEV_WRITEBLOCKS_EXT(bufinfo.buf, block_num, offset, bufinfo.len);
+ if ((block_num * PYB_FLASH_NATIVE_BLOCK_SIZE) >= self->len) {
+ ret = -MP_EFAULT; // Bad address
+ } else {
+ block_num += self->start / PYB_FLASH_NATIVE_BLOCK_SIZE;
+ ret = MICROPY_HW_BDEV_WRITEBLOCKS_EXT(bufinfo.buf, block_num, offset, bufinfo.len);
+ }
 }
 #endif
 return MP_OBJ_NEW_SMALL_INT(ret);
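Review bot: The guard validates only the first block of the request; `offset` and `bufinfo.len` are still handed to MICROPY_HW_BDEV_WRITEBLOCKS_EXT unchecked, so a write that starts inside the sub-section can still extend past `self->len` unless the lower layer bounds it, which is not visible here. With `start` holding the already-validated byte offset of `block_num`, the condition could also reject `offset > self->len - start || bufinfo.len > self->len - start - offset`, written as subtractions so the check itself cannot wrap. The read hunk in pyb_flash_readblocks has the same gap. The non-extended branch lies outside the hunk, so whether it is range-checked cannot be told from here.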