boot - don't interpet end of image as trailer.

This fix handles the case where the image is so big that there is not room for a trailer. In this case, the boot loader always boots into slot 0.
2016-12-21 14:31:21 -08:00 · 2016-12-21 14:31:21 -08:00 · 920fc16b89
parent fd7eb5cc5e
commit 920fc16b89
5 changed files with 116 additions and 1 deletions
--- a/boot/bootutil/src/loader.c
+++ b/boot/bootutil/src/loader.c
@ -286,23 +286,51 @@ boot_write_sz(void)
    return elem_sz;
 }

+static uint32_t
+boot_total_img_size(int slot)
+{
+    const struct image_header *hdr;
+
+    hdr = &boot_data.imgs[slot].hdr;
+    return hdr->ih_hdr_size + hdr->ih_img_size + hdr->ih_tlv_size;
+}
+
 static int
 boot_slots_compatible(void)
 {
    const struct flash_area *sector0;
    const struct flash_area *sector1;
+    uint32_t slot_size;
    int i;

    /* Ensure both image slots have identical sector layouts. */
    if (boot_data.imgs[0].num_sectors != boot_data.imgs[1].num_sectors) {
        return 0;
    }
+
+    slot_size = 0;
    for (i = 0; i < boot_data.imgs[0].num_sectors; i++) {
        sector0 = boot_data.imgs[0].sectors + i;
        sector1 = boot_data.imgs[1].sectors + i;
        if (sector0->fa_size != sector1->fa_size) {
            return 0;
        }
+
+        slot_size += sector0->fa_size;
+    }
+
+    /* Ensure images are small enough that they leave room for the image
+     * trailers.
+     */
+    if (slot_size <
+        boot_total_img_size(0) + boot_trailer_sz(boot_data.write_sz)) {
+
+        return 0;
+    }
+    if (slot_size <
+        boot_total_img_size(1) + boot_trailer_sz(boot_data.write_sz)) {
+
+        return 0;
    }

    return 1;
--- a/boot/bootutil/test/src/boot_test.c
+++ b/boot/bootutil/test/src/boot_test.c
@ -53,6 +53,7 @@ TEST_CASE_DECL(boot_test_revert)
 TEST_CASE_DECL(boot_test_revert_continue)
 TEST_CASE_DECL(boot_test_permanent)
 TEST_CASE_DECL(boot_test_permanent_continue)
+TEST_CASE_DECL(boot_test_img_too_big);

 TEST_SUITE(boot_test_main)
 {
@ -75,6 +76,7 @@ TEST_SUITE(boot_test_main)
    boot_test_revert_continue();
    boot_test_permanent();
    boot_test_permanent_continue();
+    boot_test_img_too_big();
 }

 int
--- a/boot/bootutil/test/src/boot_test.h
+++ b/boot/bootutil/test/src/boot_test.h
@ -60,6 +60,7 @@ extern struct boot_test_img_addrs boot_test_img_addrs[];

 uint8_t boot_test_util_byte_at(int img_msb, uint32_t image_offset);
 uint8_t boot_test_util_flash_align(void);
+uint32_t boot_test_util_slot_size(int slot);
 void boot_test_util_init_flash(void);
 void boot_test_util_copy_area(int from_area_idx, int to_area_idx);
 void boot_test_util_swap_areas(int area_idx1, int area_idx2);
--- a/boot/bootutil/test/src/boot_test_utils.c
+++ b/boot/bootutil/test/src/boot_test_utils.c
@ -60,12 +60,36 @@ uint8_t
 boot_test_util_flash_align(void)
 {
    const struct flash_area *fap;
+    uint8_t align;
    int rc;

    rc = flash_area_open(FLASH_AREA_IMAGE_0, &fap);
    TEST_ASSERT_FATAL(rc == 0);

-    return flash_area_align(fap);
+    align = flash_area_align(fap);
+
+    flash_area_close(fap);
+
+    return align;
+}
+
+uint32_t
+boot_test_util_slot_size(int slot)
+{
+    const struct flash_area *fap;
+    uint32_t size;
+    int area_id;
+    int rc;
+
+    area_id = flash_area_id_from_image_slot(slot);
+    rc = flash_area_open(area_id, &fap);
+    TEST_ASSERT_FATAL(rc == 0);
+
+    size = fap->fa_size;
+
+    flash_area_close(fap);
+
+    return size;
 }

 void
--- a/boot/bootutil/test/src/testcases/boot_test_img_too_big.c
+++ b/boot/bootutil/test/src/testcases/boot_test_img_too_big.c
@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+#include "boot_test.h"
+
+TEST_CASE(boot_test_img_too_big)
+{
+    uint32_t slot_size;
+
+    struct image_header hdr0 = {
+        .ih_magic = IMAGE_MAGIC,
+        .ih_tlv_size = 4 + 32,
+        .ih_hdr_size = BOOT_TEST_HEADER_SIZE,
+        .ih_img_size = 5 * 1024,
+        .ih_flags = IMAGE_F_SHA256,
+        .ih_ver = { 0, 5, 21, 432 },
+    };
+
+    struct image_header hdr1 = {
+        .ih_magic = IMAGE_MAGIC,
+        .ih_tlv_size = 4 + 32,
+        .ih_hdr_size = BOOT_TEST_HEADER_SIZE,
+        .ih_img_size = 0,
+        .ih_flags = IMAGE_F_SHA256,
+        .ih_ver = { 1, 2, 3, 432 },
+    };
+
+    boot_test_util_init_flash();
+
+    /* Make image in slot 1 so large that there is no room for an image
+     * trailer.
+     */
+    slot_size = boot_test_util_slot_size(1);
+    hdr1.ih_img_size = slot_size - 10;
+
+    boot_test_util_write_image(&hdr0, 0);
+    boot_test_util_write_hash(&hdr0, 0);
+    boot_test_util_write_image(&hdr1, 1);
+    boot_test_util_write_hash(&hdr1, 1);
+
+    /* Ensure the boot loader does not interpret the end of the image as a
+     * trailer.
+     */
+    boot_test_util_verify_all(BOOT_SWAP_TYPE_NONE, &hdr0, &hdr1);
+}