fix(esp_flash): fixed issue of escaping boundary check

Also patched corresponding ROM functions

Author: ginkgm

components/esp_rom/esp32c2/ld/esp32c2.rom.ld

@@ -272,15 +272,15 @@ PROVIDE( esp_flash_chip_driver_initialized = 0x40000430 );
 PROVIDE( esp_flash_read_id = 0x40000434 );
 PROVIDE( esp_flash_get_size = 0x40000438 );
 PROVIDE( esp_flash_erase_chip = 0x4000043c );
-PROVIDE( esp_flash_erase_region = 0x40000440 );
+PROVIDE( rom_esp_flash_erase_region = 0x40000440 );
 PROVIDE( esp_flash_get_chip_write_protect = 0x40000444 );
 PROVIDE( esp_flash_set_chip_write_protect = 0x40000448 );
 PROVIDE( esp_flash_get_protectable_regions = 0x4000044c );
 PROVIDE( esp_flash_get_protected_region = 0x40000450 );
 PROVIDE( esp_flash_set_protected_region = 0x40000454 );
 PROVIDE( esp_flash_read = 0x40000458 );
-PROVIDE( esp_flash_write = 0x4000045c );
-PROVIDE( esp_flash_write_encrypted = 0x40000460 );
+PROVIDE( rom_esp_flash_write = 0x4000045c );
+PROVIDE( rom_esp_flash_write_encrypted = 0x40000460 );
 PROVIDE( esp_flash_read_encrypted = 0x40000464 );
 PROVIDE( esp_flash_get_io_mode = 0x40000468 );
 PROVIDE( esp_flash_set_io_mode = 0x4000046c );

components/esp_rom/esp32c3/ld/esp32c3.rom.ld

@@ -267,8 +267,8 @@ PROVIDE( esp_flash_get_protectable_regions = 0x40000318 );
 PROVIDE( esp_flash_get_protected_region = 0x4000031c );
 PROVIDE( esp_flash_set_protected_region = 0x40000320 );
 PROVIDE( esp_flash_read = 0x40000324 );
-PROVIDE( esp_flash_write = 0x40000328 );
-PROVIDE( esp_flash_write_encrypted = 0x4000032c );
+PROVIDE( rom_esp_flash_write = 0x40000328 );
+PROVIDE( rom_esp_flash_write_encrypted = 0x4000032c );
 PROVIDE( esp_flash_read_encrypted = 0x40000330 );
 PROVIDE( esp_flash_get_io_mode = 0x40000334 );
 PROVIDE( esp_flash_set_io_mode = 0x40000338 );

components/esp_rom/esp32c5/ld/esp32c5.rom.spiflash.ld

@@ -51,15 +51,15 @@ esp_flash_chip_driver_initialized = 0x40000240;
 esp_flash_read_id = 0x40000244;
 esp_flash_get_size = 0x40000248;
 esp_flash_erase_chip = 0x4000024c;
-esp_flash_erase_region = 0x40000250;
+rom_esp_flash_erase_region = 0x40000250;
 esp_flash_get_chip_write_protect = 0x40000254;
 esp_flash_set_chip_write_protect = 0x40000258;
 esp_flash_get_protectable_regions = 0x4000025c;
 esp_flash_get_protected_region = 0x40000260;
 esp_flash_set_protected_region = 0x40000264;
 esp_flash_read = 0x40000268;
-esp_flash_write = 0x4000026c;
-esp_flash_write_encrypted = 0x40000270;
+rom_esp_flash_write = 0x4000026c;
+rom_esp_flash_write_encrypted = 0x40000270;
 esp_flash_read_encrypted = 0x40000274;
 esp_flash_get_io_mode = 0x40000278;
 esp_flash_set_io_mode = 0x4000027c;

components/esp_rom/esp32c6/ld/esp32c6.rom.spiflash.ld

@@ -50,15 +50,15 @@ esp_flash_chip_driver_initialized = 0x4000022c;
 esp_flash_read_id = 0x40000230;
 esp_flash_get_size = 0x40000234;
 esp_flash_erase_chip = 0x40000238;
-esp_flash_erase_region = 0x4000023c;
+rom_esp_flash_erase_region = 0x4000023c;
 esp_flash_get_chip_write_protect = 0x40000240;
 esp_flash_set_chip_write_protect = 0x40000244;
 esp_flash_get_protectable_regions = 0x40000248;
 esp_flash_get_protected_region = 0x4000024c;
 esp_flash_set_protected_region = 0x40000250;
 esp_flash_read = 0x40000254;
-esp_flash_write = 0x40000258;
-esp_flash_write_encrypted = 0x4000025c;
+rom_esp_flash_write = 0x40000258;
+rom_esp_flash_write_encrypted = 0x4000025c;
 esp_flash_read_encrypted = 0x40000260;
 esp_flash_get_io_mode = 0x40000264;
 esp_flash_set_io_mode = 0x40000268;

components/esp_rom/esp32c61/ld/esp32c61.rom.spiflash.ld

@@ -51,15 +51,15 @@ esp_flash_chip_driver_initialized = 0x40000240;
 esp_flash_read_id = 0x40000244;
 esp_flash_get_size = 0x40000248;
 esp_flash_erase_chip = 0x4000024c;
-esp_flash_erase_region = 0x40000250;
+rom_esp_flash_erase_region = 0x40000250;
 esp_flash_get_chip_write_protect = 0x40000254;
 esp_flash_set_chip_write_protect = 0x40000258;
 esp_flash_get_protectable_regions = 0x4000025c;
 esp_flash_get_protected_region = 0x40000260;
 esp_flash_set_protected_region = 0x40000264;
 esp_flash_read = 0x40000268;
-esp_flash_write = 0x4000026c;
-esp_flash_write_encrypted = 0x40000270;
+rom_esp_flash_write = 0x4000026c;
+rom_esp_flash_write_encrypted = 0x40000270;
 esp_flash_read_encrypted = 0x40000274;
 esp_flash_get_io_mode = 0x40000278;
 esp_flash_set_io_mode = 0x4000027c;

components/esp_rom/esp32h2/ld/esp32h2.rom.spiflash.ld

@@ -50,15 +50,15 @@ esp_flash_chip_driver_initialized = 0x40000224;
 esp_flash_read_id = 0x40000228;
 esp_flash_get_size = 0x4000022c;
 esp_flash_erase_chip = 0x40000230;
-esp_flash_erase_region = 0x40000234;
+rom_esp_flash_erase_region = 0x40000234;
 esp_flash_get_chip_write_protect = 0x40000238;
 esp_flash_set_chip_write_protect = 0x4000023c;
 esp_flash_get_protectable_regions = 0x40000240;
 esp_flash_get_protected_region = 0x40000244;
 esp_flash_set_protected_region = 0x40000248;
 esp_flash_read = 0x4000024c;
-esp_flash_write = 0x40000250;
-esp_flash_write_encrypted = 0x40000254;
+rom_esp_flash_write = 0x40000250;
+rom_esp_flash_write_encrypted = 0x40000254;
 esp_flash_read_encrypted = 0x40000258;
 esp_flash_get_io_mode = 0x4000025c;
 esp_flash_set_io_mode = 0x40000260;

components/esp_rom/esp32h21/ld/esp32h21.rom.spiflash.ld

@@ -51,15 +51,15 @@ esp_flash_chip_driver_initialized = 0x40000224;
 esp_flash_read_id = 0x40000228;
 esp_flash_get_size = 0x4000022c;
 esp_flash_erase_chip = 0x40000230;
-esp_flash_erase_region = 0x40000234;
+rom_esp_flash_erase_region = 0x40000234;
 esp_flash_get_chip_write_protect = 0x40000238;
 esp_flash_set_chip_write_protect = 0x4000023c;
 esp_flash_get_protectable_regions = 0x40000240;
 esp_flash_get_protected_region = 0x40000244;
 esp_flash_set_protected_region = 0x40000248;
 esp_flash_read = 0x4000024c;
-esp_flash_write = 0x40000250;
-esp_flash_write_encrypted = 0x40000254;
+rom_esp_flash_write = 0x40000250;
+rom_esp_flash_write_encrypted = 0x40000254;
 esp_flash_read_encrypted = 0x40000258;
 esp_flash_get_io_mode = 0x4000025c;
 esp_flash_set_io_mode = 0x40000260;

components/esp_rom/esp32h4/ld/esp32h4.rom.spiflash.ld

@@ -34,15 +34,15 @@ esp_flash_chip_driver_initialized = 0x4000020c;
 esp_flash_read_id = 0x40000210;
 esp_flash_get_size = 0x40000214;
 esp_flash_erase_chip = 0x40000218;
-esp_flash_erase_region = 0x4000021c;
+rom_esp_flash_erase_region = 0x4000021c;
 esp_flash_get_chip_write_protect = 0x40000220;
 esp_flash_set_chip_write_protect = 0x40000224;
 esp_flash_get_protectable_regions = 0x40000228;
 esp_flash_get_protected_region = 0x4000022c;
 esp_flash_set_protected_region = 0x40000230;
 esp_flash_read = 0x40000234;
-esp_flash_write = 0x40000238;
-esp_flash_write_encrypted = 0x4000023c;
+rom_esp_flash_write = 0x40000238;
+rom_esp_flash_write_encrypted = 0x4000023c;
 esp_flash_read_encrypted = 0x40000240;
 esp_flash_get_io_mode = 0x40000244;
 esp_flash_set_io_mode = 0x40000248;

components/esp_rom/esp32s3/ld/esp32s3.rom.ld

@@ -318,8 +318,8 @@ PROVIDE( esp_flash_get_protectable_regions = 0x40001110 );
 PROVIDE( esp_flash_get_protected_region = 0x4000111c );
 PROVIDE( esp_flash_set_protected_region = 0x40001128 );
 PROVIDE( esp_flash_read = 0x40001134 );
-PROVIDE( esp_flash_write = 0x40001140 );
-PROVIDE( esp_flash_write_encrypted = 0x4000114c );
+PROVIDE( rom_esp_flash_write = 0x40001140 );
+PROVIDE( rom_esp_flash_write_encrypted = 0x4000114c );
 PROVIDE( esp_flash_read_encrypted = 0x40001158 );
 PROVIDE( esp_flash_get_io_mode = 0x40001164 );
 PROVIDE( esp_flash_set_io_mode = 0x40001170 );

components/spi_flash/esp_flash_api.c

@@ -557,9 +557,6 @@ esp_err_t esp_flash_get_physical_size(esp_flash_t *chip, uint32_t *flash_size)
 
 #ifndef CONFIG_SPI_FLASH_ROM_IMPL
 
-/* Return true if regions 'a' and 'b' overlap at all, based on their start offsets and lengths. */
-inline static IRAM_ATTR bool regions_overlap(uint32_t a_start, uint32_t a_len,uint32_t b_start, uint32_t b_len);
-
 esp_err_t esp_flash_get_size(esp_flash_t *chip, uint32_t *out_size)
 {
     esp_err_t err = rom_spiflash_api_funcs->chip_check(&chip);
@@ -590,7 +587,21 @@ esp_err_t esp_flash_erase_chip(esp_flash_t *chip)
     err = esp_flash_erase_region(chip, 0, size);
     return err;
 }
+#endif // !CONFIG_SPI_FLASH_ROM_IMPL
+
+#ifndef CONFIG_SPI_FLASH_ROM_IMPL
+inline static IRAM_ATTR bool regions_overlap(uint32_t a_start, uint32_t a_len,uint32_t b_start, uint32_t b_len)
+{
+    uint32_t a_end = a_start + a_len;
+    uint32_t b_end = b_start + b_len;
+    return (a_end > b_start && b_end > a_start);
+}
 
+/* ROM and patch information
+ * Latest: Fixed region check escape
+ * V2: Fixed size == 0 bug.
+ * V1 (ESP_ROM_HAS_ERASE_0_REGION_BUG): Added to ROM
+ */
 esp_err_t esp_flash_erase_region(esp_flash_t *chip, uint32_t start, uint32_t len)
 {
     esp_err_t err = rom_spiflash_api_funcs->chip_check(&chip);
@@ -606,7 +617,7 @@ esp_err_t esp_flash_erase_region(esp_flash_t *chip, uint32_t start, uint32_t len
     if (sector_size == 0 || (block_erase_size % sector_size) != 0) {
         return ESP_ERR_FLASH_NOT_INITIALISED;
     }
-    if (start > chip->size || start + len > chip->size) {
+    if (start > chip->size || len > chip->size - start) {
         return ESP_ERR_INVALID_ARG;
     }
     if ((start % chip->chip_drv->sector_size) != 0 || (len % chip->chip_drv->sector_size) != 0) {
@@ -701,26 +712,45 @@ esp_err_t esp_flash_erase_region(esp_flash_t *chip, uint32_t start, uint32_t len
 
     return rom_spiflash_api_funcs->flash_end_flush_cache(chip, err, bus_acquired, start, len);
 }
-
-#endif // !CONFIG_SPI_FLASH_ROM_IMPL
-
-#if defined(CONFIG_SPI_FLASH_ROM_IMPL) && ESP_ROM_HAS_ERASE_0_REGION_BUG
-
-/* ROM esp_flash_erase_region implementation doesn't handle 0 erase size correctly.
+#else //!CONFIG_SPI_FLASH_ROM_IMPL
+extern esp_err_t rom_esp_flash_erase_region(esp_flash_t *chip, uint32_t start, uint32_t len);
+#   if ESP_ROM_HAS_ERASE_0_REGION_BUG
+// Usel ROM impl v1 but workaround ESP_ROM_HAS_ERASE_0_REGION_BUG and region check escape.
+/* ROM V1 esp_flash_erase_region implementation doesn't handle 0 erase size correctly.
  * Check the size and call ROM function instead of overriding it completely.
- * The behavior is slightly different from esp_flash_erase_region above, thought:
+ * The behavior is slightly different from latest esp_flash_erase_region above, thought:
  * here the check for 0 size is done first, but in esp_flash_erase_region the check is
  * done after the other arguments are checked.
  */
-extern esp_err_t rom_esp_flash_erase_region(esp_flash_t *chip, uint32_t start, uint32_t len);
 esp_err_t esp_flash_erase_region(esp_flash_t *chip, uint32_t start, uint32_t len)
 {
+    esp_err_t err = rom_spiflash_api_funcs->chip_check(&chip);
+    if (err != ESP_OK) {
+        return err;
+    }
     if (len == 0) {
         return ESP_OK;
     }
+    if (len > chip->size - start) {
+        return ESP_ERR_INVALID_ARG;
+    }
+    return rom_esp_flash_erase_region(chip, start, len);
+}
+#   else
+// Usel ROM impl v2 but workaround region check escape.
+esp_err_t IRAM_ATTR esp_flash_erase_region(esp_flash_t *chip, uint32_t start, uint32_t len)
+{
+    esp_err_t err = rom_spiflash_api_funcs->chip_check(&chip);
+    if (err != ESP_OK) {
+        return err;
+    }
+    if (len > chip->size - start) {
+        return ESP_ERR_INVALID_ARG;
+    }
     return rom_esp_flash_erase_region(chip, start, len);
 }
-#endif // defined(CONFIG_SPI_FLASH_ROM_IMPL) && ESP_ROM_HAS_ERASE_0_REGION_BUG
+#   endif // ESP_ROM_HAS_ERASE_0_REGION_BUG
+#endif // !CONFIG_SPI_FLASH_ROM_IMPL
 
 #ifndef CONFIG_SPI_FLASH_ROM_IMPL
 
@@ -925,7 +955,10 @@ esp_err_t esp_flash_read(esp_flash_t *chip, void *buffer, uint32_t address, uint
     COUNTER_STOP(read);
     return err;
 }
+#endif  //!CONFIG_SPI_FLASH_ROM_IMPL
 
+#ifndef CONFIG_SPI_FLASH_ROM_IMPL
+//This checking is available only when !CONFIG_SPI_FLASH_ROM_IMPL
 #if CONFIG_SPI_FLASH_WARN_SETTING_ZERO_TO_ONE
 static esp_err_t s_check_setting_zero_to_one(esp_flash_t *chip, uint32_t verify_address, uint32_t remain_verify_len, const uint32_t *to_write_buf, bool is_encrypted)
 {
@@ -965,6 +998,7 @@ static esp_err_t s_check_setting_zero_to_one(esp_flash_t *chip, uint32_t verify_
 }
 #endif  //#if CONFIG_SPI_FLASH_WARN_SETTING_ZERO_TO_ONE
 
+//This checking is available only when !CONFIG_SPI_FLASH_ROM_IMPL
 #if CONFIG_SPI_FLASH_VERIFY_WRITE
 static esp_err_t s_verify_write(esp_flash_t *chip, uint32_t verify_address, uint32_t remain_verify_len, const uint32_t *expected_buf, bool is_encrypted)
 {
@@ -1003,6 +1037,13 @@ static esp_err_t s_verify_write(esp_flash_t *chip, uint32_t verify_address, uint
 }
 #endif //#if CONFIG_SPI_FLASH_VERIFY_WRITE
 
+/* ROM and patch information
+ * Latest:
+    - Provide debugging utils (CONFIG_SPI_FLASH_WARN_SETTING_ZERO_TO_ONE, CONFIG_SPI_FLASH_VERIFY_WRITE)
+    - Fixed region check escape
+ * V1: added to ROM
+ */
+//When use the ROM impl, can't use these debugging utils.
 esp_err_t esp_flash_write(esp_flash_t *chip, const void *buffer, uint32_t address, uint32_t length)
 {
     esp_err_t ret = ESP_FAIL;
@@ -1014,7 +1055,7 @@ esp_err_t esp_flash_write(esp_flash_t *chip, const void *buffer, uint32_t addres
     esp_err_t err = rom_spiflash_api_funcs->chip_check(&chip);
     VERIFY_CHIP_OP(write);
     CHECK_WRITE_ADDRESS(chip, address, length);
-    if (buffer == NULL || address > chip->size || address+length > chip->size) {
+    if (buffer == NULL || address > chip->size || length > chip->size - address) {
         return ESP_ERR_INVALID_ARG;
     }
     if (length == 0) {
@@ -1124,14 +1165,23 @@ esp_err_t esp_flash_write(esp_flash_t *chip, const void *buffer, uint32_t addres
 
     return err;
 }
-
-inline static bool regions_overlap(uint32_t a_start, uint32_t a_len,uint32_t b_start, uint32_t b_len)
+#else
+extern esp_err_t rom_esp_flash_write(esp_flash_t *chip, const void *buffer, uint32_t address, uint32_t length);
+// Usel ROM impl v1 but workaround region check escape.
+esp_err_t IRAM_ATTR esp_flash_write(esp_flash_t *chip, const void *buffer, uint32_t address, uint32_t length)
 {
-    uint32_t a_end = a_start + a_len;
-    uint32_t b_end = b_start + b_len;
-    return (a_end > b_start && b_end > a_start);
+    esp_err_t err = rom_spiflash_api_funcs->chip_check(&chip);
+    if (err != ESP_OK) {
+        return err;
+    }
+    if (length > chip->size - address) {
+        return ESP_ERR_INVALID_ARG;
+    }
+    return rom_esp_flash_write(chip, buffer, address, length);
 }
+#endif //!CONFIG_SPI_FLASH_ROM_IMPL
 
+#ifndef CONFIG_SPI_FLASH_ROM_IMPL
 esp_err_t esp_flash_read_encrypted(esp_flash_t *chip, uint32_t address, void *out_buffer, uint32_t length)
 {
     esp_err_t err = rom_spiflash_api_funcs->chip_check(&chip);
@@ -1198,9 +1248,8 @@ esp_err_t esp_flash_set_io_mode(esp_flash_t* chip, bool qe)
 }
 #endif //CONFIG_SPI_FLASH_ROM_IMPL
 
-#if !CONFIG_SPI_FLASH_ROM_IMPL || ESP_ROM_HAS_ENCRYPTED_WRITES_USING_LEGACY_DRV
-// use `esp_flash_write_encrypted` ROM version not in C3 and S3
-
+#if !(CONFIG_SPI_FLASH_ROM_IMPL && !ESP_ROM_HAS_ENCRYPTED_WRITES_USING_LEGACY_DRV)
+// use `esp_flash_write_encrypted` ROM version on chips later than C3 and S3
 FORCE_INLINE_ATTR esp_err_t s_encryption_write_lock(esp_flash_t *chip) {
 #if CONFIG_IDF_TARGET_ESP32S2
     esp_crypto_dma_lock_acquire();
@@ -1216,6 +1265,14 @@ FORCE_INLINE_ATTR esp_err_t s_encryption_write_unlock(esp_flash_t *chip) {
     return err;
 }
 
+/* ROM and patch information
+ * Latest:
+    - Provide debugging utils (CONFIG_SPI_FLASH_WARN_SETTING_ZERO_TO_ONE, CONFIG_SPI_FLASH_VERIFY_WRITE)
+    - Fixed region check escape
+ * V2: Bug fixed
+ * V1 (ESP_ROM_HAS_ENCRYPTED_WRITES_USING_LEGACY_DRV): added to ROM but has bug
+ */
+//When use the ROM impl, can't use these debugging utils.
 esp_err_t esp_flash_write_encrypted(esp_flash_t *chip, uint32_t address, const void *buffer, uint32_t length)
 {
     esp_err_t ret = ESP_FAIL;
@@ -1232,7 +1289,7 @@ esp_err_t esp_flash_write_encrypted(esp_flash_t *chip, uint32_t address, const v
     }
     CHECK_WRITE_ADDRESS(chip, address, length);
 
-    if (buffer == NULL || address + length > chip->size) {
+    if (buffer == NULL || address > chip->size || length > chip->size - address) {
         return ESP_ERR_INVALID_ARG;
     }
 
@@ -1435,8 +1492,21 @@ esp_err_t esp_flash_write_encrypted(esp_flash_t *chip, uint32_t address, const v
 
     return err;
 }
-
-#endif // !CONFIG_SPI_FLASH_ROM_IMPL || ESP_ROM_HAS_ENCRYPTED_WRITES_USING_LEGACY_DRV
+#else
+extern esp_err_t rom_esp_flash_write_encrypted(esp_flash_t *chip, uint32_t address, const void *buffer, uint32_t length);
+// Usel ROM impl v2 but workaround region check escape.
+esp_err_t IRAM_ATTR esp_flash_write_encrypted(esp_flash_t *chip, uint32_t address, const void *buffer, uint32_t length)
+{
+    esp_err_t err = rom_spiflash_api_funcs->chip_check(&chip);
+    if (err != ESP_OK) {
+        return err;
+    }
+    if (length > chip->size - address) {
+        return ESP_ERR_INVALID_ARG;
+    }
+    return rom_esp_flash_write_encrypted(chip, address, buffer, length);
+}
+#endif // !(CONFIG_SPI_FLASH_ROM_IMPL && !ESP_ROM_HAS_ENCRYPTED_WRITES_USING_LEGACY_DRV)
 
 //init suspend mode cmd, uses internal.
 esp_err_t esp_flash_suspend_cmd_init(esp_flash_t* chip)