boot: bootutil: Fix invalid last sector computation for swap-scratch

taltenbach · nordicjm · commit fbd2267e75bb · 2025-03-05T07:33:43.000Z
At the beginning of a swap-scratch upgrade, the index of the last sector
in the primary slot that need to be swapped is computed using the
'find_last_sector_idx' routine. However, if the primary slot is composed
of larger sectors than the secondary slots, this routine could return a
wrong sector index for the primary slot. The index might even be outside
the primary slot, which would lead to (at best) a simple failure of the
upgrade and at worst a corruption of the flash memory bricking the
device.

This commit fixes the issue by ensuring 'find_last_sector_idx' always
returns a valid sector index for the primary slot.

Signed-off-by: Thomas Altenbach &lt;thomas.altenbach@legrand.com&gt;
diff --git a/boot/bootutil/src/swap_scratch.c b/boot/bootutil/src/swap_scratch.c
@@ -464,13 +464,15 @@ boot_copy_sz(const struct boot_loader_state *state, int last_sector_idx,
 static int
 find_last_sector_idx(const struct boot_loader_state *state, uint32_t copy_size)
 {
-    int last_sector_idx;
+    int last_sector_idx_primary;
+    int last_sector_idx_secondary;
     uint32_t primary_slot_size;
     uint32_t secondary_slot_size;
 
     primary_slot_size = 0;
     secondary_slot_size = 0;
-    last_sector_idx = 0;
+    last_sector_idx_primary = 0;
+    last_sector_idx_secondary = 0;
 
     /*
      * Knowing the size of the largest image between both slots, here we
@@ -483,23 +485,24 @@ find_last_sector_idx(const struct boot_loader_state *state, uint32_t copy_size)
             (primary_slot_size < secondary_slot_size)) {
            primary_slot_size += boot_img_sector_size(state,
                                                      BOOT_PRIMARY_SLOT,
-                                                     last_sector_idx);
+                                                     last_sector_idx_primary);
+            ++last_sector_idx_primary;
         }
         if ((secondary_slot_size < copy_size) ||
             (secondary_slot_size < primary_slot_size)) {
            secondary_slot_size += boot_img_sector_size(state,
                                                        BOOT_SECONDARY_SLOT,
-                                                       last_sector_idx);
+                                                       last_sector_idx_secondary);
+            ++last_sector_idx_secondary;
         }
         if (primary_slot_size >= copy_size &&
                 secondary_slot_size >= copy_size &&
                 primary_slot_size == secondary_slot_size) {
             break;
         }
-        last_sector_idx++;
     }
 
-    return last_sector_idx;
+    return last_sector_idx_primary - 1;
 }
 
 /**
