
core: load_elf_from_store(): check stack size

Inside load_elf_from_store(), the ta_head structure is retrieved from an
unauthenticated area, and contains the stack size. The stack size could
either already be 0, or could be large enough so it becomes 0 when rounded
up to STACK_ALIGNMENT. This could result in vm_map() returning a virtual
address for a 0-size memory block or other issues.

Check the rounded-up stack_size value before using it.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.7]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
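The wrap-around the commit message describes, as an added example that is not OP-TEE code: a 32-bit stack_size taken from the untrusted TA header is rounded up with a ROUNDUP macro assumed to match OP-TEE's definition, and the value of STACK_ALIGNMENT is assumed to be 16.

```c
/* Added example, not OP-TEE code. Demonstrates how rounding an untrusted
 * stack_size up to STACK_ALIGNMENT can yield 0 (either because the field
 * is already 0 or because the addition wraps in 32-bit arithmetic), and
 * the zero check the commit adds before the size is used. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STACK_ALIGNMENT 16 /* assumed value */
/* Assumed to match OP-TEE's ROUNDUP: add (align - 1), then mask. */
#define ROUNDUP(v, size) (((v) + ((size) - 1)) & ~((size) - 1))

#define TEE_SUCCESS             0x00000000
#define TEE_ERROR_OUT_OF_MEMORY 0xFFFF000C

/* Mirrors the aligned-size computation on a 32-bit ta_head->stack_size.
 * The addition is done in uint32_t, so values above 0xFFFFFFF0 wrap to a
 * small number and the mask then clears it to 0. */
size_t aligned_stack_size(uint32_t stack_size)
{
	return ROUNDUP(stack_size, STACK_ALIGNMENT);
}

/* The check added by the commit: refuse a 0 aligned size instead of
 * handing it to the allocator and vm_map(). Returns a TEE result code
 * and stores the accepted size through *out on success. */
uint32_t check_stack_size(uint32_t stack_size, size_t *out)
{
	size_t stack_sz = aligned_stack_size(stack_size);

	if (!stack_sz)
		return TEE_ERROR_OUT_OF_MEMORY;
	*out = stack_sz;
	return TEE_SUCCESS;
}

int main(void)
{
	/* Constructed header values: sane, zero, and wrapping. */
	uint32_t samples[] = { 4096, 0x1001, 0, 0xFFFFFFF5u };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		size_t sz = 0;
		uint32_t res = check_stack_size(samples[i], &sz);

		printf("stack_size=0x%08x -> rounded=%zu res=0x%08x\n",
		       samples[i], aligned_stack_size(samples[i]), res);
		(void)sz;
	}
	return 0;
}
```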
jforissier committed Feb 5, 2019
1 parent 062765e commit b17e2e44441a6b8233d5e2bdccdac4ec23a0e819
Showing with 5 additions and 0 deletions.
  1. +5 −0 core/arch/arm/kernel/user_ta.c
@@ -746,6 +746,11 @@ static TEE_Result load_elf_from_store(const TEE_UUID *uuid,
/* Ensure proper alignment of stack */
size_t stack_sz = ROUNDUP(ta_head->stack_size,
STACK_ALIGNMENT);

if (!stack_sz) {
res = TEE_ERROR_OUT_OF_MEMORY;
goto out;
}
utc->mobj_stack = alloc_ta_mem(stack_sz);
if (!utc->mobj_stack) {
res = TEE_ERROR_OUT_OF_MEMORY;
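Review bot: The new `if (!stack_sz)` check at the top of the hunk carries no comment explaining why a rounded-up size can be 0 (a literal 0 in the header, or `ROUNDUP()` wrapping on a large `ta_head->stack_size`); a one-line comment there would save the next reader a trip to the commit log. It also reuses `TEE_ERROR_OUT_OF_MEMORY`, the same code returned two lines below when `alloc_ta_mem()` genuinely fails, so a caller cannot tell a malformed header from memory pressure; consider a format-type error for this branch.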
