Previously, Arduino Core attempted to read from flash memory without proper consideration for the 4-byte alignment requirement when calculating the hash for the signature verification. This did not present an issue when uncompressed binaries were checked, as all compiled binaries are 4-aligned (unconfirmed, just an educated guess), and signature verification appears to work well in these cases.
When uploading a compressed binary (based on this), the gzip algorithm makes no attempt to produce a 4-aligned file. The rest of the signing results in a valid signed binary regardless; however, when calculating the hash for the verification process there is a ~75% chance that the hash will include some bytes from the signature, thus compromising the whole signature verification process.
editorial note: ESP.flashRead for u8 arrays (aka byte arrays) was already updated to properly handle both aligned and unaligned target buffer and/or length, while u32 expects that its arguments are already aligned. Since the array pointer in Updater is already aligned, this properly handles the unaligned size case.
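As an added illustration (example code written for this page, not the core's Updater or ESP.flashRead implementation), the following emulates a flash device that only serves 4-byte-aligned words. It shows why a word-granular read over a binary whose length is not a multiple of 4 feeds bytes of the following signature block into the digest, and how a byte-exact read that handles an unaligned address and length avoids it. The flash contents, the FNV-1a stand-in for the real hash, and every function name are constructed for the example; any length with a remainder of 1, 2 or 3 modulo 4 triggers the same spill.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed flash image: a 7-byte "binary" (not 4-aligned) followed by
// 9 bytes standing in for the signature block that follows it in flash.
static const size_t kBinLen = 7;
static const uint8_t kFlash[] = {
    0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x11,              // binary
    0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A,  // "signature"
};

// Word-granular read, like a strict SPI flash driver: rejects any address or
// length that is not a multiple of 4 and never reads past the image.
static bool flashReadWords(uint32_t addr, uint32_t* dst, size_t len) {
    if ((addr & 3u) || (len & 3u) || addr + len > sizeof(kFlash)) return false;
    memcpy(dst, kFlash + addr, len);
    return true;
}

// Old behaviour: round the length up so the word reader accepts it and hash
// everything that came back. The padding bytes belong to the next region.
static std::vector<uint8_t> readRoundedUp(uint32_t addr, size_t len) {
    if (len == 0) return {};
    size_t rounded = (len + 3u) & ~size_t(3u);
    std::vector<uint32_t> words(rounded / 4);
    if (!flashReadWords(addr, words.data(), rounded)) return {};
    const uint8_t* p = reinterpret_cast<const uint8_t*>(words.data());
    return std::vector<uint8_t>(p, p + rounded);
}

// Fixed behaviour: read the enclosing aligned window word by word, then copy
// only the bytes requested, so both an unaligned addr and an unaligned len work.
static std::vector<uint8_t> readExact(uint32_t addr, size_t len) {
    if (len == 0) return {};
    size_t start = addr & ~size_t(3u);
    size_t end = (addr + len + 3u) & ~size_t(3u);
    std::vector<uint32_t> words((end - start) / 4);
    if (!flashReadWords(static_cast<uint32_t>(start), words.data(), end - start)) return {};
    const uint8_t* p = reinterpret_cast<const uint8_t*>(words.data()) + (addr - start);
    return std::vector<uint8_t>(p, p + len);
}

// FNV-1a stands in for the real digest; only the fact that inputs differ matters.
static uint32_t fnv1a(const std::vector<uint8_t>& data) {
    uint32_t h = 2166136261u;
    for (uint8_t b : data) { h ^= b; h *= 16777619u; }
    return h;
}

// What the signer committed to: a digest over exactly the binary's bytes.
static uint32_t expectedDigest() {
    return fnv1a(std::vector<uint8_t>(kFlash, kFlash + kBinLen));
}

// Emulated verifier: hash whatever the reader hands back and compare.
static bool verifyWith(std::vector<uint8_t> (*reader)(uint32_t, size_t)) {
    return fnv1a(reader(0, kBinLen)) == expectedDigest();
}
```

With the rounded-up reader the verifier hashes 8 bytes, the last of which is the first signature byte, so the digest never matches; with the byte-exact reader it hashes the 7 binary bytes and matches.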
- check in cont_run() and cont_suspend() whether a1 is out of bounds
- in case a1 is broken, postmortem will still report the proper context within proper stack boundaries
additionally:
- as suggested in #9069, change stack smashing to a single line that does not mention any Exceptions
- reduce overall stack dump length when there are known garbage values, i.e. cont stackguard
- decoder.py addr search regexp would no longer skip stack lines with '<'
- fix decoder.py parsing so it notices both stack smashing and alloc errors
Adds the two missing error states when beginning an Update. There were debugging logs for this, but the error state was not set, which would lead to confusion.
* Generate TZ.h from zoneinfo
Using the tzdata pypi package that ships zoneinfo blobs
Can't use the raw data package from IANA, need it built first
Minor tweaks to the Espurna script that generated the .md
More data than the original, not limited to ZONE/...
Zoneinfo source can be overridden using path args, if needed
(but probably not needed, since it would always be preferable to pull the latest version)
Also, allow overriding certain names and tz strings independent
of tzdata values (resolves #9007)
* Resolve HWDT Reset with core_esp8266_vm
With the newer GCC compiler (after tag 3.0.2), example virtualmem was crashing with a HWDT reset.
Reordered some SPI register set lines in spi_init().
New ordering was based on ::begin in SPI.cpp
This change may resolve issues described in
https://github.com/esp8266/Arduino/discussions/9010
* Added memory barrier to changes
spi_ctrl appears to need setting before other SPI registers
* A new approach for erasing WiFi Settings
Add support for hardware reset function call - simulates EXT_RST via HWDT.
Add reset selection to `ESP.eraseConfig()` for calling hardware reset
after erasing the WiFi Settings.
Update ArduinoOTA to use `ESP.eraseConfig(true)`
Externalized `ArduinoOTA.eraseConfigAndReset()`
Add OTA examples to illustrate using erase config changes.
* style
fixed confused example
* improve wording
* Add new state to retry eraseConfigAndReset
* Removed unreachable error test from examples.
Removed continuous retry of "eraseConfig" and allow the script to
assign an error handling option for "eraseConfig" failure.
Update example to use error handling option.
* In eboot for function ets_wdt_enable() added missing arguments
* Update comments and example
* Wording
* Rebuilt eboot.elf with current tools from ./get.py
* Requested changes.
* cleanup comments
* Update hardware_reset
Avoid using "[[noreturn]]" - not accepted for a .c file function
Updated to use __attribute__((noreturn)) to handle both .cpp and .c
file functions.
* Fixes occasional UMM_POISON failure
Bug introduced with PR fix#8914.
When a reallocated pointer could not grow in place, a replacement
allocation was created. Then UMM_POISON was written to the wrong block.
* Fix umm_poison data corruption on realloc when memory move is used.
Bug introduced with PR fix#8914
* refactored to resolve unused error in some build contexts
Fixes to recent changes to Postmortem to cover large jump offsets, use relaxed jump (J.L) in __wrap_system_restart_local.
Also add check that epc1 is a valid code address before reading.
A popular method of handling an unrecoverable state is to reboot. The SDK does this in many places by printing a cryptic debug message followed by something equivalent to while(true){}, which compiles down to loop: j loop, creating a Soft WDT reset.
The umm_poison logic runs outside the UMM_CRITICAL_* umbrella. When interrupt routines do alloc calls, it is possible to interrupt an in-progress allocation just before the poison is set, with a new alloc request resulting in a false "poison check fail" against the in-progress allocation. The SDK does mallocs from ISRs.
SmartConfig can illustrate this issue, see
https://github.com/esp8266/Arduino/issues/3494#issue-247919259
Other Sketches built with Debug: "Serial," that use the SDK's Promiscuous callbacks are also likely to encounter problems.
The SDK support for "Promiscuous Receive" allocates memory from an ISR context, occasionally interrupting the poison wrapper code before it finishes setting the poison fences, resulting in a false poison-failed event.
No need to issue a MEMW instruction per load from each cache line.
Only once after the last load is sufficient.
MEMW ensures that all previous load, store, acquire, release, prefetch,
and cache instructions perform before performing any subsequent load,
store, acquire, release, prefetch, or cache instructions.
-- MEMW (Memory Wait), 6. Instruction Descriptions,
Xtensa ISA Reference Manual (p.409)
* For SDK v3.0+, early system calls that were called from user_rf_pre_init
(SDK v2.2) need to now be called from user_pre_init.
Moved user_rf_pre_init() call to the end of user_pre_init() so we
can still perform early calls like: system_phy_set_rfoption(rf_mode),
system_phy_set_powerup_option(2), etc.
* Update comment
* Improve "spoof_init_data" enable/disable logic.
Out of an overabundance of caution, limit logic change to the
experimental SDK v3.0.5.
* Update documentation
Describe how to improve Exception Decoder results.
Updated build option details.
* Added d-a-v's code. And updated description and debug macro.
* Update doc
Updated platform.txt - positioned -Os such that it can be overridden by `build.opt`.
Add suggestion of using `-Og` which may improve the Decoder's line number correlation
with the problem in the source code.
Untested adjustments to platformio-build.py
* Fixed code formatting
* Fixed example
Previously `-O3` in the example had no effect. It was overridden by later flags.
Reordering the `-Os` allowed changing optimization to work. Somehow this triggered
a new warning "Stream.h:50:7: warning: 'f.Stream::_startMillis' may be used
uninitialized in this function". Replaced `-O3` with `-Og`.
* Proposed "Debug port" menu change
Preserves a pathway for `build.opt` override.
* Update boards.txt.py and docs - WIP
* Improve organization of optimization content.
Use "Debug Optimization" for menu name.
The menu item defines the initial optimization.
platform.txt - optimization parameter can be overridden by build.opt.
* Add fallback value for build.debug_optim to platform.txt
* update text and undo changes to platformio-build.py
* tweak text
* Added ':orphan:' mark to a06-global-build-options.rst
* Update doc. Added link in page index to 'Improving Exception Decoder Results'
* Update text to reference PR#8868 improvements for leaf function.
The assignment done in FLASH_MAP_SETUP_CONFIG_ATTR did not apply the attribute to __flashdesc,
and made it impossible to override it with FLASH_MAP_SETUP_CONFIG.
* divide by 0 reporting to point back at the divide function caller
* stack offset adjustments to be independent of __wrap_system_restart_local()'s stack frame size.
* simplify ctors and operator=, use a common code paths instead of special handling here and there
* fix u8->u32 casts, copy before using u8 data
* do not use raw_address() internally
Recurrent scheduled functions will always be running in the background.
esp_delay()'s interval (intvl_ms) is internally kept at the highest value that still honors the requirements of recurrent scheduled functions.
It transparently allows keeping to the trivial Arduino and nonos-sdk programming style while still using background services or drivers that run regularly.
Missing stdbool.h for 'bool' in features .h; at least one user is arduinoWebSockets
Adds a minimal headers sanity-check script to verify that C builds work as expected
Also noticed and removed the default argument from crc32() in an internal .h that may be used in .c
(not sure how extern C & default arguments worked simultaneously, but at least in our .cpp GCC somehow figured out it is a no-overload solution)
* PHY status API for W5500 & ENC28J60 drivers
* move linkStatus() from ArduinoEthernet:: to LwipIntfDev::
* LwipIntfDev: include PHY status into ::connected()
Remove nonos-sdk-v2.2.0-28-g89920dc aka 3v0, since we have a real v3
Remove 3.0.0...3.0.4 to reduce overhead in maintaining a bunch of binary patches
Update our docs and menu opts to mention 'experimental' status
Old versions still remain in git history, so anyone wanting to play around with 3.0.x could still make use of that work
* fix panic not printing
* improve panic to accept 0 lineno
* always present detailed error message
* Added back lost edit
* For SDK v3.0+, adjust conditional build to remove duplicate call
to flashinit from user_init.
* Resolve flash address issues with SDK v3.0.0
Fix EEPROM vs RF_CAL flash address conflict. The EEPROM address and
RF_CAL address were the same.
Add support for Flash size: "Mapping defined by Hardware and Sketch"
Change at_partition_table static from dynamic to static.
* Cleanup and improve comments
* Improve flash size and partition error reporting/indication
Changed set_pll() to mmu_set_pll() and made available for debug builds
and other settings where required.
Provide more checks and feedback in the debug builds and
trim code for production.
* Now supports FLASH_MAP_SUPPORT with SDKs v3.0
RF_CAL and system_parameter always occupy the last 5
sectors of flash memory.
* cleanup and refactoring
comment cleanup
* Add more build isolation when including flash_hal.h
* Improve details for autoconfig fail.
* requested changes
## WPA2 Enterprise connections
References - merged PRs:
* https://github.com/esp8266/Arduino/pull/8529
* https://github.com/esp8266/Arduino/pull/8566 - these occurred with connect/disconnect with WPA-Enterprise
* https://github.com/esp8266/Arduino/pull/8736#issue-1470774550
The NON-OS SDK 3.0.x has breaking changes to the [`pvPortMalloc`](bf890b22e5/include/mem.h (L42)) function. They added a new `bool` argument for selecting a heap.
```cpp
void *pvPortMalloc (size_t sz, const char *, unsigned, bool);
```
To avoid breaking the build, I added a new thin wrapper function `sdk3_pvPortMalloc` to `heap.cpp`.
Edited new SDK LIBs to call `pvPortMalloc`'s replacement `sdk3_pvPortMalloc`.
They also added `pvPortZallocIram` and `pvPortCallocIram`, which are not a problem to support. Support added to `heap.cpp`.
Issues with WPA2 Enterprise in new SDKs:
* v3.0.0 and v3.0.1 - have the same memory leak and duplicate free bugs from before
* v3.0.2 through v3.0.5 - have the same memory leak; however, _no_ duplicate free crash.
* memory leak can be seen by cycling through setup, connect, disconnect, and clear setup - repeatedly.
Updated `wpa2_eap_patch.cpp` and binary patch scripts to handle v3.0.0 through v3.0.5.
Patched SDKs v3.0.0 through v3.0.5
## Duplicate Non-32-bit exception handler
Issue: At v3.0.0 and above `libmain.a` supplies a built-in exception handler (`load_non_32_wide_handler`) for non-32-bit access. Our non-32-bit access handler (`non32xfer_exception_handler`) overrides it.
Solution: Add "weak" attribute to symbol `load_non_32_wide_handler`. Adjust the build to default to the SDK's built-in non-32-bit handler. If there is a need to use our non-32-bit handler, make the selection from the Arduino IDE Tools menu `Non-32-Bit Access: "Byte/Word access to IRAM/PROGMEM (very slow)"`.
With SDKs v3.0.0 and above a "non-32-bit exception handler" is always present.
Previously, File::readString used a C-style string as an intermediate
buffer via the String += operator. This treats a NUL byte as a
terminator, making this function work incorrectly if the File contains
binary data.
This commit switches the function to use String::concat, which doesn't
treat NUL bytes any differently (and is a bit faster, because it doesn't
need to use strlen).
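To make the failure mode concrete, here is an added example (written for this page, not the core's File::readString) that contrasts appending a chunk as a C string, which stops at the first NUL, with appending it by explicit length. It uses std::string in place of the Arduino String class and a constructed in-memory "file" in place of a real File; the helper names are made up for the example.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Constructed file contents: a short header, a NUL, two binary bytes, a trailer.
static const char kFileData[] = {'h', 'd', 'r', '\0', 0x01, 0x02, 'e', 'n', 'd'};
static const size_t kFileLen = sizeof(kFileData);

// Stand-in for File::read(buf, len): copies up to len bytes starting at pos
// and returns how many were actually copied (0 at end of file).
static size_t fileRead(size_t pos, char* buf, size_t len) {
    if (pos >= kFileLen) return 0;
    size_t n = (kFileLen - pos < len) ? kFileLen - pos : len;
    memcpy(buf, kFileData + pos, n);
    return n;
}

// Old approach: NUL-terminate the chunk and append it as a C string.
// operator+=(const char*) measures it with strlen, so the chunk that starts
// with the embedded NUL contributes nothing and the bytes after it are lost.
static std::string readStringCStyle() {
    std::string out;
    char buf[4];
    size_t pos = 0, n;
    while ((n = fileRead(pos, buf, sizeof(buf) - 1)) > 0) {
        buf[n] = '\0';
        out += buf;
        pos += n;
    }
    return out;
}

// Fixed approach: append exactly the bytes that were read. The NUL is just
// another byte, and no strlen pass over the chunk is needed.
static std::string readStringBinarySafe() {
    std::string out;
    char buf[4];
    size_t pos = 0, n;
    while ((n = fileRead(pos, buf, sizeof(buf))) > 0) {
        out.append(buf, n);
        pos += n;
    }
    return out;
}
```

On the 9-byte sample the C-string version returns "hdrend" (6 bytes, the NUL and the two binary bytes dropped), while the length-based version returns all 9 bytes including the NUL.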