bootutil: Fix boot_scramble_region escaping flash area

de-nordic · nvlsianpu · commit a0065f8fa35f · 2025-06-17T17:52:26.000+02:00
Incorrect range check fix.

Signed-off-by: Dominik Ermel &lt;dominik.ermel@nordicsemi.no&gt;
diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c
@@ -1274,7 +1274,7 @@ boot_scramble_region(const struct flash_area *fa, uint32_t off, uint32_t size, b
             end_offset = ALIGN_DOWN((off + size), write_block);
         }
 
-        while (true) {
+        while (off != end_offset) {
             /* Write over the area to scramble data that is there */
             rc = flash_area_write(fa, off, buf, write_block);
             if (rc != 0) {
@@ -1291,12 +1291,12 @@ boot_scramble_region(const struct flash_area *fa, uint32_t off, uint32_t size, b
 
                 off -= write_block;
             } else {
-                if (end_offset < off) {
+                off += write_block;
+
+                if (end_offset <= off) {
                     /* Reached the end offset in range and already scrambled it */
                     break;
                 }
-
-                off += write_block;
             }
         }
     }
diff --git a/docs/release-notes.d/fix-boot-scramble-region.md b/docs/release-notes.d/fix-boot-scramble-region.md
@@ -0,0 +1,3 @@
+ - Fixed issue in boot_scramble_regions, where incorrect boundary
+   check would cause function to attempt to write pass a designated
+   flash area.

Original file line number	Diff line number	Diff line change
`@@ -1274,7 +1274,7 @@ boot_scramble_region(const struct flash_area *fa, uint32_t off, uint32_t size, b`
`1274`	`1274`	`end_offset = ALIGN_DOWN((off + size), write_block);`
`1275`	`1275`	`}`
`1276`	`1276`
`1277`		`- while (true) {`
	`1277`	`+ while (off != end_offset) {`
`1278`	`1278`	`/* Write over the area to scramble data that is there */`
`1279`	`1279`	`rc = flash_area_write(fa, off, buf, write_block);`
`1280`	`1280`	`if (rc != 0) {`
`@@ -1291,12 +1291,12 @@ boot_scramble_region(const struct flash_area *fa, uint32_t off, uint32_t size, b`
`1291`	`1291`
`1292`	`1292`	`off -= write_block;`
`1293`	`1293`	`} else {`
`1294`		`- if (end_offset < off) {`
	`1294`	`+ off += write_block;`
	`1295`	`+`
	`1296`	`+ if (end_offset <= off) {`
`1295`	`1297`	`/* Reached the end offset in range and already scrambled it */`
`1296`	`1298`	`break;`
`1297`	`1299`	`}`
`1298`		`-`
`1299`		`- off += write_block;`
`1300`	`1300`	`}`
`1301`	`1301`	`}`
`1302`	`1302`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+ - Fixed issue in boot_scramble_regions, where incorrect boundary`
	`2`	`+ check would cause function to attempt to write pass a designated`
	`3`	`+ flash area.`