From 7c0c890c64ce73010b1bd1fc3880ddb14d3e2105 Mon Sep 17 00:00:00 2001
From: Patrick Zhang
Date: Thu, 16 Apr 2026 14:18:23 -0700
Subject: [PATCH] Add stack size validation in SecureContext_AllocateContext (#1402)

Validate that ulSecureStackSize + securecontextSTACK_SEAL_SIZE does not overflow before calling pvPortMalloc in the ARMv8-M secure context ports.
Reported by Jordan Mecom (Block, Inc.)
---
 portable/ARMv8M/secure/context/secure_context.c | 11 +++++++++--
 portable/GCC/ARM_CM23/secure/secure_context.c | 11 +++++++++--
 portable/GCC/ARM_CM33/secure/secure_context.c | 11 +++++++++--
 portable/GCC/ARM_CM35P/secure/secure_context.c | 11 +++++++++--
 portable/GCC/ARM_CM52/secure/secure_context.c | 11 +++++++++--
 portable/GCC/ARM_CM55/secure/secure_context.c | 11 +++++++++--
 portable/GCC/ARM_CM85/secure/secure_context.c | 11 +++++++++--
 portable/GCC/ARM_STAR_MC3/secure/secure_context.c | 11 +++++++++--
 portable/IAR/ARM_CM23/secure/secure_context.c | 11 +++++++++--
 portable/IAR/ARM_CM33/secure/secure_context.c | 11 +++++++++--
 portable/IAR/ARM_CM35P/secure/secure_context.c | 11 +++++++++--
 portable/IAR/ARM_CM52/secure/secure_context.c | 11 +++++++++--
 portable/IAR/ARM_CM55/secure/secure_context.c | 11 +++++++++--
 portable/IAR/ARM_CM85/secure/secure_context.c | 11 +++++++++--
 portable/IAR/ARM_STAR_MC3/secure/secure_context.c | 11 +++++++++--
 15 files changed, 135 insertions(+), 30 deletions(-)

diff --git a/portable/ARMv8M/secure/context/secure_context.c b/portable/ARMv8M/secure/context/secure_context.c
index 3aa335e63..a91e5e891 100644
--- a/portable/ARMv8M/secure/context/secure_context.c
+++ b/portable/ARMv8M/secure/context/secure_context.c
@@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
 /* Were we able to get a free context? */
 if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
 {
- /* Allocate the stack space. */
- pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ /* Allocate the stack space if possible. */
+ if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+ {
+ pucStackMemory = NULL;
+ }
+ else
+ {
+ pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ }
 
 if( pucStackMemory != NULL )
 {
diff --git a/portable/GCC/ARM_CM23/secure/secure_context.c b/portable/GCC/ARM_CM23/secure/secure_context.c
index 3aa335e63..a91e5e891 100644
--- a/portable/GCC/ARM_CM23/secure/secure_context.c
+++ b/portable/GCC/ARM_CM23/secure/secure_context.c
@@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
 /* Were we able to get a free context? */
 if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
 {
- /* Allocate the stack space. */
- pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ /* Allocate the stack space if possible. */
+ if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+ {
+ pucStackMemory = NULL;
+ }
+ else
+ {
+ pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ }
 
 if( pucStackMemory != NULL )
 {
diff --git a/portable/GCC/ARM_CM33/secure/secure_context.c b/portable/GCC/ARM_CM33/secure/secure_context.c
index 3aa335e63..a91e5e891 100644
--- a/portable/GCC/ARM_CM33/secure/secure_context.c
+++ b/portable/GCC/ARM_CM33/secure/secure_context.c
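Review bot: The new guard only rejects sizes whose addition with securecontextSTACK_SEAL_SIZE wraps; ulSecureStackSize is, as far as this hunk shows, still a caller-supplied value (in these ports presumably handed across the non-secure-callable boundary), and if the rest of SecureContext_AllocateContext — which starts before and ends after this hunk — does not already require it to be a multiple of the stack alignment, the seal words and the stack top that are presumably derived from `pucStackMemory + ulSecureStackSize` can end up unaligned, so a check such as `if( ( ulSecureStackSize & 0x7U ) != 0U ) { pucStackMemory = NULL; }` alongside the new one is worth confirming against the lines outside the hunk. `UINT32_MAX` needs `<stdint.h>` to be reachable from this translation unit, which the hunk does not show; it is the correct bound here because `pvPortMalloc` takes a `size_t` that is 32 bits wide on every target these ports cover, but writing `SIZE_MAX` would tie the check to the parameter type that actually matters. The remaining fourteen hunks are byte-identical copies of this one (the per-compiler ports are copies of the ARMv8M source), so whatever is decided here has to be applied to all of them.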
@@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
 /* Were we able to get a free context? */
 if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
 {
- /* Allocate the stack space. */
- pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ /* Allocate the stack space if possible. */
+ if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+ {
+ pucStackMemory = NULL;
+ }
+ else
+ {
+ pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ }
 
 if( pucStackMemory != NULL )
 {
diff --git a/portable/GCC/ARM_CM35P/secure/secure_context.c b/portable/GCC/ARM_CM35P/secure/secure_context.c
index 3aa335e63..a91e5e891 100644
--- a/portable/GCC/ARM_CM35P/secure/secure_context.c
+++ b/portable/GCC/ARM_CM35P/secure/secure_context.c
@@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
 /* Were we able to get a free context? */
 if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
 {
- /* Allocate the stack space. */
- pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ /* Allocate the stack space if possible. */
+ if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+ {
+ pucStackMemory = NULL;
+ }
+ else
+ {
+ pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ }
 
 if( pucStackMemory != NULL )
 {
diff --git a/portable/GCC/ARM_CM52/secure/secure_context.c b/portable/GCC/ARM_CM52/secure/secure_context.c
index 3aa335e63..a91e5e891 100644
--- a/portable/GCC/ARM_CM52/secure/secure_context.c
+++ b/portable/GCC/ARM_CM52/secure/secure_context.c
@@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
 /* Were we able to get a free context? */
 if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
 {
- /* Allocate the stack space. */
- pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ /* Allocate the stack space if possible. */
+ if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+ {
+ pucStackMemory = NULL;
+ }
+ else
+ {
+ pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ }
 
 if( pucStackMemory != NULL )
 {
diff --git a/portable/GCC/ARM_CM55/secure/secure_context.c b/portable/GCC/ARM_CM55/secure/secure_context.c
index 3aa335e63..a91e5e891 100644
--- a/portable/GCC/ARM_CM55/secure/secure_context.c
+++ b/portable/GCC/ARM_CM55/secure/secure_context.c
@@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
 /* Were we able to get a free context? */
 if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
 {
- /* Allocate the stack space. */
- pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ /* Allocate the stack space if possible. */
+ if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+ {
+ pucStackMemory = NULL;
+ }
+ else
+ {
+ pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ }
 
 if( pucStackMemory != NULL )
 {
diff --git a/portable/GCC/ARM_CM85/secure/secure_context.c b/portable/GCC/ARM_CM85/secure/secure_context.c
index 3aa335e63..a91e5e891 100644
--- a/portable/GCC/ARM_CM85/secure/secure_context.c
+++ b/portable/GCC/ARM_CM85/secure/secure_context.c
@@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
 /* Were we able to get a free context? */
 if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
 {
- /* Allocate the stack space. */
- pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ /* Allocate the stack space if possible. */
+ if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+ {
+ pucStackMemory = NULL;
+ }
+ else
+ {
+ pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ }
 
 if( pucStackMemory != NULL )
 {
diff --git a/portable/GCC/ARM_STAR_MC3/secure/secure_context.c b/portable/GCC/ARM_STAR_MC3/secure/secure_context.c
index 3aa335e63..a91e5e891 100644
--- a/portable/GCC/ARM_STAR_MC3/secure/secure_context.c
+++ b/portable/GCC/ARM_STAR_MC3/secure/secure_context.c
@@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
 /* Were we able to get a free context? */
 if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
 {
- /* Allocate the stack space. */
- pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ /* Allocate the stack space if possible. */
+ if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+ {
+ pucStackMemory = NULL;
+ }
+ else
+ {
+ pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ }
 
 if( pucStackMemory != NULL )
 {
diff --git a/portable/IAR/ARM_CM23/secure/secure_context.c b/portable/IAR/ARM_CM23/secure/secure_context.c
index 3aa335e63..a91e5e891 100644
--- a/portable/IAR/ARM_CM23/secure/secure_context.c
+++ b/portable/IAR/ARM_CM23/secure/secure_context.c
@@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
 /* Were we able to get a free context? */
 if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
 {
- /* Allocate the stack space. */
- pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ /* Allocate the stack space if possible. */
+ if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+ {
+ pucStackMemory = NULL;
+ }
+ else
+ {
+ pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ }
 
 if( pucStackMemory != NULL )
 {
diff --git a/portable/IAR/ARM_CM33/secure/secure_context.c b/portable/IAR/ARM_CM33/secure/secure_context.c
index 3aa335e63..a91e5e891 100644
--- a/portable/IAR/ARM_CM33/secure/secure_context.c
+++ b/portable/IAR/ARM_CM33/secure/secure_context.c
@@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
 /* Were we able to get a free context? */
 if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
 {
- /* Allocate the stack space. */
- pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ /* Allocate the stack space if possible. */
+ if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+ {
+ pucStackMemory = NULL;
+ }
+ else
+ {
+ pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ }
 
 if( pucStackMemory != NULL )
 {
diff --git a/portable/IAR/ARM_CM35P/secure/secure_context.c b/portable/IAR/ARM_CM35P/secure/secure_context.c
index 3aa335e63..a91e5e891 100644
--- a/portable/IAR/ARM_CM35P/secure/secure_context.c
+++ b/portable/IAR/ARM_CM35P/secure/secure_context.c
@@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
 /* Were we able to get a free context? */
 if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
 {
- /* Allocate the stack space. */
- pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ /* Allocate the stack space if possible. */
+ if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+ {
+ pucStackMemory = NULL;
+ }
+ else
+ {
+ pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ }
 
 if( pucStackMemory != NULL )
 {
diff --git a/portable/IAR/ARM_CM52/secure/secure_context.c b/portable/IAR/ARM_CM52/secure/secure_context.c
index 3aa335e63..a91e5e891 100644
--- a/portable/IAR/ARM_CM52/secure/secure_context.c
+++ b/portable/IAR/ARM_CM52/secure/secure_context.c
@@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
 /* Were we able to get a free context? */
 if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
 {
- /* Allocate the stack space. */
- pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ /* Allocate the stack space if possible. */
+ if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+ {
+ pucStackMemory = NULL;
+ }
+ else
+ {
+ pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ }
 
 if( pucStackMemory != NULL )
 {
diff --git a/portable/IAR/ARM_CM55/secure/secure_context.c b/portable/IAR/ARM_CM55/secure/secure_context.c
index 3aa335e63..a91e5e891 100644
--- a/portable/IAR/ARM_CM55/secure/secure_context.c
+++ b/portable/IAR/ARM_CM55/secure/secure_context.c
@@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
 /* Were we able to get a free context? */
 if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
 {
- /* Allocate the stack space. */
- pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ /* Allocate the stack space if possible. */
+ if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+ {
+ pucStackMemory = NULL;
+ }
+ else
+ {
+ pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ }
 
 if( pucStackMemory != NULL )
 {
diff --git a/portable/IAR/ARM_CM85/secure/secure_context.c b/portable/IAR/ARM_CM85/secure/secure_context.c
index 3aa335e63..a91e5e891 100644
--- a/portable/IAR/ARM_CM85/secure/secure_context.c
+++ b/portable/IAR/ARM_CM85/secure/secure_context.c
@@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
 /* Were we able to get a free context? */
 if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
 {
- /* Allocate the stack space. */
- pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ /* Allocate the stack space if possible. */
+ if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+ {
+ pucStackMemory = NULL;
+ }
+ else
+ {
+ pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ }
 
 if( pucStackMemory != NULL )
 {
diff --git a/portable/IAR/ARM_STAR_MC3/secure/secure_context.c b/portable/IAR/ARM_STAR_MC3/secure/secure_context.c
index 3aa335e63..a91e5e891 100644
--- a/portable/IAR/ARM_STAR_MC3/secure/secure_context.c
+++ b/portable/IAR/ARM_STAR_MC3/secure/secure_context.c
@@ -213,8 +213,15 @@ secureportNON_SECURE_CALLABLE void SecureContext_Init( void )
 /* Were we able to get a free context? */
 if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
 {
- /* Allocate the stack space. */
- pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ /* Allocate the stack space if possible. */
+ if( ulSecureStackSize > ( UINT32_MAX - securecontextSTACK_SEAL_SIZE ) )
+ {
+ pucStackMemory = NULL;
+ }
+ else
+ {
+ pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
+ }
 
 if( pucStackMemory != NULL )
 {