Add stack size validation in SecureContext_AllocateContext (#1402)

Validate that ulSecureStackSize + securecontextSTACK_SEAL_SIZE does not overflow before calling pvPortMalloc in the ARMv8-M secure context ports. Reported by Jordan Mecom (Block, Inc.)
2026-04-22 14:40:06 +02:00 · 2026-04-16 14:18:23 -07:00 · 2026-04-16 14:18:23 -07:00 · 7c0c890c64
commit 7c0c890c64
parent bdcde9583d
15 changed files with 135 additions and 30 deletions
--- a/portable/ARMv8M/secure/context/secure_context.c
+++ b/portable/ARMv8M/secure/context/secure_context.c
@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
        /* Were we able to get a free context? */
        if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
        {
-            /* Allocate the stack space. */
-            pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            /* Allocate the stack space if possible. */
+            if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+            {
+                pucStackMemory = NULL;
+            }
+            else
+            {
+                pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            }

            if( pucStackMemory != NULL )
            {
--- a/portable/GCC/ARM_CM23/secure/secure_context.c
+++ b/portable/GCC/ARM_CM23/secure/secure_context.c
@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
        /* Were we able to get a free context? */
        if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
        {
-            /* Allocate the stack space. */
-            pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            /* Allocate the stack space if possible. */
+            if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+            {
+                pucStackMemory = NULL;
+            }
+            else
+            {
+                pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            }

            if( pucStackMemory != NULL )
            {
--- a/portable/GCC/ARM_CM33/secure/secure_context.c
+++ b/portable/GCC/ARM_CM33/secure/secure_context.c
@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
        /* Were we able to get a free context? */
        if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
        {
-            /* Allocate the stack space. */
-            pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            /* Allocate the stack space if possible. */
+            if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+            {
+                pucStackMemory = NULL;
+            }
+            else
+            {
+                pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            }

            if( pucStackMemory != NULL )
            {
--- a/portable/GCC/ARM_CM35P/secure/secure_context.c
+++ b/portable/GCC/ARM_CM35P/secure/secure_context.c
@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
        /* Were we able to get a free context? */
        if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
        {
-            /* Allocate the stack space. */
-            pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            /* Allocate the stack space if possible. */
+            if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+            {
+                pucStackMemory = NULL;
+            }
+            else
+            {
+                pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            }

            if( pucStackMemory != NULL )
            {
--- a/portable/GCC/ARM_CM52/secure/secure_context.c
+++ b/portable/GCC/ARM_CM52/secure/secure_context.c
@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
        /* Were we able to get a free context? */
        if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
        {
-            /* Allocate the stack space. */
-            pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            /* Allocate the stack space if possible. */
+            if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+            {
+                pucStackMemory = NULL;
+            }
+            else
+            {
+                pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            }

            if( pucStackMemory != NULL )
            {
--- a/portable/GCC/ARM_CM55/secure/secure_context.c
+++ b/portable/GCC/ARM_CM55/secure/secure_context.c
@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
        /* Were we able to get a free context? */
        if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
        {
-            /* Allocate the stack space. */
-            pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            /* Allocate the stack space if possible. */
+            if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+            {
+                pucStackMemory = NULL;
+            }
+            else
+            {
+                pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            }

            if( pucStackMemory != NULL )
            {
--- a/portable/GCC/ARM_CM85/secure/secure_context.c
+++ b/portable/GCC/ARM_CM85/secure/secure_context.c
@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
        /* Were we able to get a free context? */
        if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
        {
-            /* Allocate the stack space. */
-            pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            /* Allocate the stack space if possible. */
+            if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+            {
+                pucStackMemory = NULL;
+            }
+            else
+            {
+                pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            }

            if( pucStackMemory != NULL )
            {
--- a/portable/GCC/ARM_STAR_MC3/secure/secure_context.c
+++ b/portable/GCC/ARM_STAR_MC3/secure/secure_context.c
@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
        /* Were we able to get a free context? */
        if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
        {
-            /* Allocate the stack space. */
-            pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            /* Allocate the stack space if possible. */
+            if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+            {
+                pucStackMemory = NULL;
+            }
+            else
+            {
+                pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            }

            if( pucStackMemory != NULL )
            {
--- a/portable/IAR/ARM_CM23/secure/secure_context.c
+++ b/portable/IAR/ARM_CM23/secure/secure_context.c
@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
        /* Were we able to get a free context? */
        if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
        {
-            /* Allocate the stack space. */
-            pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            /* Allocate the stack space if possible. */
+            if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+            {
+                pucStackMemory = NULL;
+            }
+            else
+            {
+                pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            }

            if( pucStackMemory != NULL )
            {
--- a/portable/IAR/ARM_CM33/secure/secure_context.c
+++ b/portable/IAR/ARM_CM33/secure/secure_context.c
@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
        /* Were we able to get a free context? */
        if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
        {
-            /* Allocate the stack space. */
-            pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            /* Allocate the stack space if possible. */
+            if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+            {
+                pucStackMemory = NULL;
+            }
+            else
+            {
+                pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            }

            if( pucStackMemory != NULL )
            {
--- a/portable/IAR/ARM_CM35P/secure/secure_context.c
+++ b/portable/IAR/ARM_CM35P/secure/secure_context.c
@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
        /* Were we able to get a free context? */
        if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
        {
-            /* Allocate the stack space. */
-            pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            /* Allocate the stack space if possible. */
+            if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+            {
+                pucStackMemory = NULL;
+            }
+            else
+            {
+                pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            }

            if( pucStackMemory != NULL )
            {
--- a/portable/IAR/ARM_CM52/secure/secure_context.c
+++ b/portable/IAR/ARM_CM52/secure/secure_context.c
@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
        /* Were we able to get a free context? */
        if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
        {
-            /* Allocate the stack space. */
-            pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            /* Allocate the stack space if possible. */
+            if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+            {
+                pucStackMemory = NULL;
+            }
+            else
+            {
+                pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            }

            if( pucStackMemory != NULL )
            {
--- a/portable/IAR/ARM_CM55/secure/secure_context.c
+++ b/portable/IAR/ARM_CM55/secure/secure_context.c
@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
        /* Were we able to get a free context? */
        if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
        {
-            /* Allocate the stack space. */
-            pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            /* Allocate the stack space if possible. */
+            if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+            {
+                pucStackMemory = NULL;
+            }
+            else
+            {
+                pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            }

            if( pucStackMemory != NULL )
            {
--- a/portable/IAR/ARM_CM85/secure/secure_context.c
+++ b/portable/IAR/ARM_CM85/secure/secure_context.c
@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
        /* Were we able to get a free context? */
        if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
        {
-            /* Allocate the stack space. */
-            pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            /* Allocate the stack space if possible. */
+            if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+            {
+                pucStackMemory = NULL;
+            }
+            else
+            {
+                pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            }

            if( pucStackMemory != NULL )
            {
--- a/portable/IAR/ARM_STAR_MC3/secure/secure_context.c
+++ b/portable/IAR/ARM_STAR_MC3/secure/secure_context.c
@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
        /* Were we able to get a free context? */
        if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
        {
-            /* Allocate the stack space. */
-            pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            /* Allocate the stack space if possible. */
+            if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+            {
+                pucStackMemory = NULL;
+            }
+            else
+            {
+                pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+            }

            if( pucStackMemory != NULL )
            {