core: load_elf_from_store(): check stack size

Inside load_elf_from_store(), the ta_head structure is retrieved from
un-authenticated area, and contains the stack size. The stack size could
either already be 0, or could be large enough so it becomes 0 when rounded
up to STACK_ALIGNMENT. This could result in vm_map() returning a virtual
address for a 0-size memory block or other issues.

Check the rounded-up stack_size value before using it.

Signed-off-by: Jerome Forissier <>
Reported-by: Bastien Simondi <> [2.7]
Reviewed-by: Jens Wiklander <>
Reviewed-by: Joakim Bech <>
jforissier committed Feb 5, 2019
1 parent 062765e commit b17e2e44441a6b8233d5e2bdccdac4ec23a0e819
Showing with 5 additions and 0 deletions.
  1. +5 −0 core/arch/arm/kernel/user_ta.c
@@ -746,6 +746,11 @@ static TEE_Result load_elf_from_store(const TEE_UUID *uuid,
/* Ensure proper alignment of stack */
size_t stack_sz = ROUNDUP(ta_head->stack_size,

if (!stack_sz) {
goto out;
utc->mobj_stack = alloc_ta_mem(stack_sz);
if (!utc->mobj_stack) {
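Review bot: the `if (!stack_sz)` check carries no comment explaining how a zero can appear at this point. A one-line comment saying that `ta_head->stack_size` is read from unauthenticated data and that `ROUNDUP()` can wrap a large value to 0 would keep a later cleanup from dropping the check as redundant. In the lines shown, the branch reaches `goto out;` with no result assignment visible, so confirm that `out` is reached with an error `TEE_Result` set and a rejected header cannot return success.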
