Mcumgr img_mgmt_impl_upload_inspect() can cause unaligned memory access hard fault. #49066
Labels: area: mcumgr, bug, priority: low
Describe the bug
A firmware update using mcumgr with the serial backend can result in a hard fault because of an unaligned memory access since the new zcbor library is used.

During a firmware update, packets are handled in `zephyr_smp_handle_reqs()`. The data is pulled from a netbuffer structure. This is passed through some layers to `img_mgmt_upload()`, which parses the payload with `zcbor_map_decode_bulk()`. In `zcbor_map_decode_key_val` the output buffers are set as pointers to members of the `img_mgmt_upload_req` structure. The problem is the `img_data` member in the request structure. This is now a `zcbor_string`: `struct zcbor_string { const uint8_t *value; size_t len; };`. The value can be set to an arbitrary address inside the netbuffer (`zcbor_decode.c:value_extract()` in the cbor library; see logs for gdb output). This becomes a problem during processing in `img_mgmt_impl_upload_inspect()`. This value is cast to an `image_header` here. Since this address can be unaligned, this will result in a hard fault on the next line if the processor does not support unaligned memory access!

Tested on:
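To illustrate the failure mode described above, here is an added example (not code from Zephyr, mcuboot or the reporter) showing the direct pointer cast next to a hardened variant that copies the header into an aligned local before reading it. The `struct image_header` layout is a simplified stand-in, not the real bootloader header; the sample buffer is constructed so the header starts at an odd offset, as a CBOR byte string inside a netbuf can.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for the bootloader image header (assumed layout). */
struct image_header {
    uint32_t ih_magic;
    uint32_t ih_hdr_size;
    uint32_t ih_img_size;
};

#define IMAGE_MAGIC 0x96f3b83dU

/* Mirrors zcbor_string: a pointer into the request buffer plus a length. */
struct zcbor_string { const uint8_t *value; size_t len; };

/* Pattern from the report: cast the byte-string pointer to the header type.
 * If value is not 4-byte aligned, the field read faults on cores that do
 * not support unaligned access (and is undefined behaviour everywhere). */
static bool inspect_unsafe(const struct zcbor_string *img_data, uint32_t *img_size)
{
    if (img_data->len < sizeof(struct image_header)) return false;
    const struct image_header *hdr = (const struct image_header *)img_data->value;
    if (hdr->ih_magic != IMAGE_MAGIC) return false;
    *img_size = hdr->ih_img_size;
    return true;
}

/* Hardened variant: memcpy into an aligned local makes no alignment
 * assumption about the source, so any value pointer is safe to read from. */
static bool inspect_safe(const struct zcbor_string *img_data, uint32_t *img_size)
{
    struct image_header hdr;
    if (img_data->len < sizeof(hdr)) return false;
    memcpy(&hdr, img_data->value, sizeof(hdr));
    if (hdr.ih_magic != IMAGE_MAGIC) return false;
    *img_size = hdr.ih_img_size;
    return true;
}

static bool is_aligned(const void *p, size_t align) { return ((uintptr_t)p % align) == 0; }

/* Constructed sample: a valid header placed at offset 1 of an aligned buffer. */
static _Alignas(4) uint8_t sample_buf[1 + sizeof(struct image_header)];

static struct zcbor_string make_unaligned_sample(uint32_t img_size)
{
    struct image_header h = { IMAGE_MAGIC, sizeof(struct image_header), img_size };
    memcpy(&sample_buf[1], &h, sizeof(h));
    return (struct zcbor_string){ .value = &sample_buf[1], .len = sizeof(h) };
}
```

`inspect_unsafe` is kept only for comparison; on a Cortex-M0/M0+ it is the dereference of `hdr->ih_magic` that raises the hard fault.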
To Reproduce
Build the mcumgr smp_svr sample for an MCU that does not support unaligned memory access and update with `mcumgr image upload`.
Expected behavior
Mcumgr should perform an upload of the new firmware image.
Impact
Product cannot be updated.
Logs and console output
The following gdb output shows how `zcbor_map_decode_bulk()` changes the `req` structure. Note that `img_data.value` is unaligned! During execution of `img_mgmt_impl_upload_inspect()` this leads to a hard fault:

Environment (please complete the following information):
Additional context
rpi_pico.overlay