tests: fs: nvs: Add undetected bad ATE length + offset test

Tamper an ATE to simulate an ATE CRC-8 undetected error. Write 4 items of various data size, with the item zephyrproject-rtos#1 simulating a CRC-8 undetected error on the item offset and size. The offset is decreased to overflow on the preceding item #0. The data size is increased to overflow on item 2 and part of item 3. Thanks to the data CRC-32, reading item zephyrproject-rtos#1 returns an error. After running the garbage collector, the faulty item 1 has been copied with parts of items #0, zephyrproject-rtos#2 and zephyrproject-rtos#3 data. The other items are healthy and the NVS is still working. Signed-off-by: Adrien Ricciardi <[email protected]>
RICCIARDI-Adrien · Jun 24, 2024 · bd026a3 · bd026a3
1 parent 3dbe3cf
commit bd026a3
Showing 1 changed file with 30 additions and 0 deletions.
diff --git a/tests/subsys/fs/nvs/src/main.c b/tests/subsys/fs/nvs/src/main.c
@@ -988,6 +988,20 @@ static void test_nvs_undetected_bad_ate_offset_callback(struct nvs_ate *ate,
  ate->len = items[1].size + sizeof(uint32_t);
 }
 
+/*
+ * The length of the data is wrong and overflows on the next items data,
+ * and the offset is also wrong and overflows on the previous item data
+ */
+static void test_nvs_undetected_bad_ate_length_and_offset_callback(struct nvs_ate *ate,
+ struct bad_ate_item_t *items)
+{
+ /* Take data CRCs into account */
+ ate->offset = (items[0].size + sizeof(uint32_t)) / 2;
+ ate->len = items[1].size + sizeof(uint32_t) + /* This item data */
+ items[2].size + sizeof(uint32_t) + /* The following item data */
+ (items[3].size / 2); /* Half of the next item data */
+}
+
 static void test_nvs_undetected_bad_ate_main(struct nvs_fixture *fixture,
  bad_ate_item_callback_t callback_corrupt_ate) {
  /* Make the first 2 items data size multiple of 4 bytes, so there is no need
@@ -1138,3 +1152,19 @@ ZTEST_F(nvs, test_nvs_undetected_bad_ate_offset)
  test_nvs_undetected_bad_ate_main(fixture, test_nvs_undetected_bad_ate_offset_callback);
 #endif
 }
+
+/*
+ * Tamper an ATE length and offset fields value to simulate an ATE CRC-8 undetected error.
+ * Write 4 items of various data size, with the item #1 simulating a CRC-8 undetected error
+ * on the item data size. The data offset is decreased to overflow on item 0.
+ * Thanks to the data CRC-32, reading such item returns an error.
+ * After running the garbage collector, the faulty item 1 has been copied with parts of the
+ * preceding item data. The other items are healthy and the NVS is still working.
+ */
+ZTEST_F(nvs, test_nvs_undetected_bad_ate_length_and_offset)
+{
+#if defined(CONFIG_NVS_DATA_CRC) && !defined(CONFIG_NVS_LOOKUP_CACHE)
+ test_nvs_undetected_bad_ate_main(fixture,
+ test_nvs_undetected_bad_ate_length_and_offset_callback);
+#endif
+}