
fix: validate cache page index in spiffs_cache_page_free#304

Open
Eun0us wants to merge 1 commit intopellepl:masterfrom
Eun0us:fix/cache-shift-ub

Conversation


@Eun0us Eun0us commented Feb 10, 2026

Summary

When a SPIFFS filesystem image is malformed, cp->ix can contain an invalid value (e.g. negative). This leads to undefined behavior in the expression 1 << ix when ix is negative or >= 32 (C standard §6.5.7).

This adds a bounds check at the start of spiffs_cache_page_free() to return SPIFFS_ERR_INTERNAL for out-of-range indices, preventing the UB shift.

How it was found

Found via fuzzing with esp-fuzzer and -fsanitize=undefined:

src/spiffs_cache.c:54:36: runtime error: shift exponent -2 is negative
    #0 spiffs_cache_page_free src/spiffs_cache.c:54:36
    #1 spiffs_cache_drop_page src/spiffs_cache.c:116:5

Test plan

  • Verified fix prevents the UBSan error with malformed filesystem image
  • Normal cache operations unaffected (valid indices pass the check)

…free

When a SPIFFS filesystem image is malformed, cp->ix can contain an
invalid value (e.g. negative). This leads to undefined behavior in
the expression `1 << ix` when ix is negative or >= 32.

Add a bounds check at the start of spiffs_cache_page_free() to
return SPIFFS_ERR_INTERNAL for out-of-range indices.

Found via https://github.com/Eun0us/esp-fuzzer
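Added illustration of the defect class and the fix described above; this is not SPIFFS code and not part of the pull request. The cache model below (a 32-bit "in use" bitmap plus a page struct carrying the index read from the image) and the names cache_t, cache_page_t, CACHE_PAGES, ERR_OK and ERR_INTERNAL are hypothetical stand-ins for the real spiffs types and constants. It shows why the bounds check has to run before the shift: a page index of -2 (the value in the UBSan report) is rejected with an error code instead of becoming the exponent of `1 << ix`.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical constants; spiffs defines its own error values and cache size. */
#define CACHE_PAGES   8        /* pages in this toy cache (must be <= 32) */
#define ERR_OK        0
#define ERR_INTERNAL  (-10000) /* placeholder for the filesystem's internal error code */

/* One cache page. ix is whatever was stored for this page; a malformed image
 * can leave it negative or far beyond the number of pages. */
typedef struct {
    int32_t  ix;
    uint32_t pix;
} cache_page_t;

/* The cache: bit i of cpage_use_map set means page i is in use. */
typedef struct {
    uint32_t     cpage_use_map;
    cache_page_t cpages[CACHE_PAGES];
} cache_t;

/* Validate the index before it is ever used as a shift exponent.
 * Both bounds matter: a negative exponent and an exponent >= the width of the
 * promoted operand (32 bits for 1u) are undefined behaviour in C (6.5.7). */
static int cache_page_index_valid(int32_t ix) {
    return ix >= 0 && ix < CACHE_PAGES && ix < 32;
}

/* Hardened free: reject out-of-range indices with an error code, as the fix
 * does, so the shift below only ever sees 0 <= ix < 32. */
static int cache_page_free(cache_t *c, cache_page_t *cp) {
    if (!cache_page_index_valid(cp->ix)) {
        return ERR_INTERNAL;
    }
    c->cpage_use_map &= ~(1u << cp->ix);
    return ERR_OK;
}

/* Helper: free a page whose index came from a (constructed) image and report
 * the error code. All pages start out marked in use. */
static int free_page_with_index(int32_t ix) {
    cache_t c = {0};
    c.cpage_use_map = (1u << CACHE_PAGES) - 1u;   /* 0xFF: all 8 pages in use */
    cache_page_t cp = { .ix = ix, .pix = 0 };
    return cache_page_free(&c, &cp);
}

/* Helper: the use map after attempting the free, to show that a rejected
 * index leaves the cache state untouched. */
static uint32_t use_map_after_free(int32_t ix) {
    cache_t c = {0};
    c.cpage_use_map = (1u << CACHE_PAGES) - 1u;
    cache_page_t cp = { .ix = ix, .pix = 0 };
    (void)cache_page_free(&c, &cp);
    return c.cpage_use_map;
}

int main(void) {
    /* Constructed indices: a valid page, the negative value from the UBSan
     * report, and an index beyond the bitmap width. */
    int32_t samples[] = { 3, -2, 40 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = free_page_with_index(samples[i]);
        printf("ix=%d -> rc=%d use_map=0x%02x\n",
               (int)samples[i], rc, (unsigned)use_map_after_free(samples[i]));
    }
    return 0;
}
```

The check is deliberately placed ahead of any arithmetic on cp->ix; moving it after the shift would not help, because the compiler may assume the shift was well defined and drop the later test.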