boot: bootutil: Fix underflow in swap-scratch when trailer is large

When using swap-scratch, the last sector of a slot able to contain
firmware data might also contain part of the trailer (or the whole
trailer, if the latter is small enough). When the trailer is large, a
single sector it might not fit in a single sector and that last firmware
sector might therefore not be the last sector of the slot.

When that happens, and unless the trailer starts exactly at the
beginning of a sector, an underflow could occur when computing the
number of bytes that must be copied from the last firmware sector.
Indeed, when the trailer is large, its size can be larger than that
sector and, depending on the size of the sratch area, 'copy_sz' can at
worst equal to the size of this sector.

If this underflow occurs, 'copy_sz' would end up containing a very large
value, that would probably cause the upgrade to fail and could lead to a
corruption of a large part of the flash memory if no bound check is
performed in the flash driver.

Signed-off-by: Thomas Altenbach <[email protected]>

Author: taltenbach

boot/bootutil/src/swap_scratch.c

@@ -563,6 +563,17 @@ boot_swap_sectors(int idx, uint32_t sz, struct boot_loader_state *state,
     uint8_t image_index;
     int rc;
 
+    image_index = BOOT_CURR_IMG(state);
+
+    rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY(image_index), &fap_primary_slot);
+    assert (rc == 0);
+
+    rc = flash_area_open(FLASH_AREA_IMAGE_SECONDARY(image_index), &fap_secondary_slot);
+    assert (rc == 0);
+
+    rc = flash_area_open(FLASH_AREA_IMAGE_SCRATCH, &fap_scratch);
+    assert (rc == 0);
+
     /* Calculate offset from start of image area. */
     img_off = boot_img_sector_off(state, BOOT_PRIMARY_SLOT, idx);
 
@@ -594,26 +605,14 @@ boot_swap_sectors(int idx, uint32_t sz, struct boot_loader_state *state,
         }
     }
 
+    /* Check if the currently swapped sector(s) contain the trailer or part of it */
     if ((img_off + sz) >
         boot_img_sector_off(state, BOOT_PRIMARY_SLOT, last_sector)) {
-        copy_sz -= trailer_sz;
+        copy_sz = flash_area_get_size(fap_primary_slot) - img_off - trailer_sz;
     }
 
     bs->use_scratch = (bs->idx == BOOT_STATUS_IDX_0 && copy_sz != sz);
 
-    image_index = BOOT_CURR_IMG(state);
-
-    rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY(image_index),
-            &fap_primary_slot);
-    assert (rc == 0);
-
-    rc = flash_area_open(FLASH_AREA_IMAGE_SECONDARY(image_index),
-            &fap_secondary_slot);
-    assert (rc == 0);
-
-    rc = flash_area_open(FLASH_AREA_IMAGE_SCRATCH, &fap_scratch);
-    assert (rc == 0);
-
     if (bs->state == BOOT_STATUS_STATE_0) {
         BOOT_LOG_DBG("erasing scratch area");
         rc = boot_erase_region(fap_scratch, 0, flash_area_get_size(fap_scratch));