Fix lookahead buffer size reported to littlefs2-sys #24
Conversation
lgtm, this is something we should verify on actual hardware, just to be sure, as finding this as a source of issues at a later point might be painful.
Note that this is effectively the same patch that we are already using in nitrokey-3-firmware.
just the usual inner panic on my side once something touches littlefs2, but you're right, this should be fine.
I'd be +1 on making this a breaking change, and adding whatever other improvements you can think of (e.g. your "should also change").
Updated:
Not tested on hardware yet, also no unit test for the issue yet. But at least the 1.67.0 segfault fix shows us that we are doing something right. :-) I’d like to merge and release this next week as this is a rather severe issue. @trussed-dev/nitrokey Please review, test and comment.
src/fs.rs (Outdated)

```rust
// lookahead words size (measured in 4 bytes) must be a multiple of 2 so that the actual
// lookahead size is a multiple of 8 bytes
debug_assert!(lookahead_size % 2 == 0);
```
Forgot about this one, has to be removed as we now use multiples of 8 bytes.
I'm wondering if we should have all the sizes (at least external facing) in bytes, and use compile time checks to enforce multiples, and compile time additions for the "plus one" stuff -- if possible -- as it would make for a cleaner API.
I don’t think this is possible at the moment because of the limitations with the const generics in stable. We cannot use generic parameters in const operations, so we still need I thought about adding an optional verification method that could be used to validate a
This can be done by having an associated constant for the const assertion: https://play.rust-lang.org/?version=stable&mode=debug&edition=2021&gist=40f243447104f266f22aa71b3f18c359
In this case, it is about accessing an associated constant of a generic parameter. Moving all associated constants into parameters is unrealistic.
Lines 25 to 103 in 7b66857
I think the tracking issue for this would be: rust-lang/rust#76560 |
ok tested on nrf extensively and not on lpc55, but all adaptations needed are available as PRs:
Soooo, lgtm 👯 |
Nice! Thanks @daringer! I’ve tested it briefly on lpc55 with the NK3CN (provisioning FIDO2, setting a PIN, registration and authentication with a resident key) and everything worked. For me this PR is ready to merge – any objections? |
nope, let's go |
Before we do so, please remove |
Regarding the question on whether this is a breaking change or not, it doesn't really matter as 5d31dc5 is clearly a breaking change, so the next release will need to be a major semver anyway. |
Previously, we reported the lookahead buffer size in bytes but littlefs2-sys expects the lookahead buffer size as a multiple of 8 bytes. This could lead to a buffer overflow causing filesystem corruption. This patch fixes the reported lookahead buffer size.

Note that Storage::LOOKAHEAD_WORDS_SIZE allows users to set invalid values (as it is measured in 4 bytes, not in 8 bytes). Invalid values that were previously accepted because of the wrong buffer size calculation can now be rejected by littlefs2-sys.

This is a combination of two previous patches:
trussed-dev#19
#1

Fixes: trussed-dev#16

This patch replaces the LOOKAHEADWORDS_SIZE in driver::Storage (measured in 4 bytes) with LOOKAHEAD_SIZE (measured in 8 bytes). This makes it impossible to set illegal values.

As we fixed the lookahead buffer overflow, we no longer have to pin the Rust version.

Fixes trussed-dev#26
Fixes trussed-dev#28
Suggestion: test all applications next time, not only fido-auth.
Previously, we reported the lookahead buffer size in bytes but littlefs2-sys expects the lookahead buffer size as a multiple of 8 bytes. This could lead to a buffer overflow causing filesystem corruption. This patch fixes the reported lookahead buffer size.
Note that Storage::LOOKAHEAD_WORDS_SIZE allows users to set invalid values (as it is measured in 4 bytes, not in 8 bytes). Invalid values that were previously accepted because of the wrong buffer size calculation can now be rejected by littlefs2-sys.
This is a combination of two previous patches:
#19
Nitrokey#1
Fixes: #16
I’m wondering whether we should treat this as a breaking change or not. On the one hand, this is a bug fix. On the other hand, it may cause code that previously worked (because the size calculation was wrong) to fail. If we consider this to be a breaking change, we should also change Storage::LOOKAHEAD_BUFFER_SIZE so that it uses multiples of 8 and it is no longer possible to set invalid values. Also, it would be good to have a test case that demonstrates the bug.
cc @arturkow2000
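Added illustration, not code from the littlefs2 crate or from this PR: the Rust below models the bug class described in the PR description and commit messages (a buffer size handed to C in the wrong unit, so the C side's own multiple-of-8 check passes while its writes run past the Rust allocation) next to the post-fix shape, where the byte count is derived from a `[u64; N]` buffer and is therefore a multiple of 8 by construction. It also shows the associated-constant compile-time check mentioned in the discussion of const generics above, which works on stable without generic const expressions. All names (`LookaheadConfig`, `LookaheadWords`, `Lookahead`, `emulate_mark`) are invented here; the `8 * W` arithmetic in the pre-fix shape is a hypothetical mismatch chosen to make the overflow observable, not the crate's original computation, and `LookaheadConfig` stands in for the littlefs2-sys `lfs_config` field rather than being the real binding.

```rust
use core::mem::size_of;

/// C-side view: `lookahead_size` is a byte count littlefs requires to be a
/// multiple of 8. Constructed stand-in for the littlefs2-sys binding.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct LookaheadConfig {
    pub lookahead_size: u32,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ConfigError {
    Zero,
    NotMultipleOf8(u32),
}

/// The only check the C side can do: non-zero and a multiple of 8.
/// It has no way of knowing how large the Rust buffer really is.
pub fn validate(cfg: &LookaheadConfig) -> Result<(), ConfigError> {
    match cfg.lookahead_size {
        0 => Err(ConfigError::Zero),
        n if n % 8 != 0 => Err(ConfigError::NotMultipleOf8(n)),
        _ => Ok(()),
    }
}

/// Pre-fix shape: the constant counts 4-byte words, so the buffer is 4 * W
/// bytes. The 8 * W reported below is a hypothetical unit mismatch (word count
/// treated as 8-byte units), not the crate's original arithmetic.
pub struct LookaheadWords<const W: usize> {
    words: [u32; W],
}

impl<const W: usize> LookaheadWords<W> {
    pub const fn new() -> Self {
        Self { words: [0; W] }
    }
    pub const fn real_len_bytes() -> usize {
        size_of::<[u32; W]>()
    }
    pub const fn buggy_config() -> LookaheadConfig {
        LookaheadConfig { lookahead_size: (8 * W) as u32 }
    }
    pub fn words(&self) -> &[u32] {
        &self.words
    }
}

/// Post-fix shape: the constant counts 8-byte units and the buffer is
/// `[u64; N]`, so the byte count handed to C comes from the buffer type itself.
pub struct Lookahead<const N: usize> {
    words: [u64; N],
}

impl<const N: usize> Lookahead<N> {
    /// Post-monomorphization assertion (associated-constant trick): an invalid
    /// N fails the build of any code that instantiates `config()`.
    const CHECK: () = {
        assert!(N > 0, "lookahead buffer must not be empty");
        assert!(size_of::<[u64; N]>() <= u32::MAX as usize);
    };

    pub const fn new() -> Self {
        Self { words: [0; N] }
    }
    pub const fn real_len_bytes() -> usize {
        size_of::<[u64; N]>()
    }
    pub fn config(&self) -> LookaheadConfig {
        let () = Self::CHECK;
        LookaheadConfig { lookahead_size: Self::real_len_bytes() as u32 }
    }
    /// Safe Rust-side bitmap write; returns false instead of overflowing.
    pub fn mark_block(&mut self, block: usize) -> bool {
        let word = block / 64;
        if word >= N {
            return false;
        }
        self.words[word] |= 1u64 << (block % 64);
        true
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum AllocOutcome {
    Marked { byte_offset: usize },
    OutOfRange,
    Overflow { byte_offset: usize, real_len: usize },
}

/// Emulates the C allocator pass setting the bit for `block`. Like C it only
/// bounds-checks against the declared `lookahead_size`; the comparison with
/// `real_len` is added here so an out-of-bounds write becomes a value.
pub fn emulate_mark(cfg: LookaheadConfig, real_len: usize, block: usize) -> AllocOutcome {
    let byte_offset = block / 8;
    if byte_offset >= cfg.lookahead_size as usize {
        return AllocOutcome::OutOfRange;
    }
    if byte_offset >= real_len {
        return AllocOutcome::Overflow { byte_offset, real_len };
    }
    AllocOutcome::Marked { byte_offset }
}

fn main() {
    let buggy = LookaheadWords::<4>::buggy_config();
    let real = LookaheadWords::<4>::real_len_bytes();
    println!("pre-fix: declared {} B, real {} B -> {:?}", buggy.lookahead_size, real, emulate_mark(buggy, real, 200));
    let fixed = Lookahead::<4>::new().config();
    let real = Lookahead::<4>::real_len_bytes();
    println!("post-fix: declared {} B, real {} B -> {:?}", fixed.lookahead_size, real, emulate_mark(fixed, real, 200));
}
```

The point the emulation makes is that `validate` accepts the mismatched 24-byte declaration for a 12-byte buffer, so the check littlefs itself performs is no protection against this bug; only deriving the reported size from the buffer type (or a compile-time assertion like `CHECK`) closes it.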