Hi,
Is it possible to call psa_call() with NULL outvecs with TF-M v2.0? I am using the IPC model. This worked for me with TF-M v1.8, but now I get a NULL pointer dereference with TF-M v2.0 when psa_reply() is called. Specifically, it happens inside update_caller_outvec_len().
It seems msg.out_size[i] is non-zero (due to a previous psa_call which had 3 outvecs). handle->caller_outvec[i].len causes a NULL pointer dereference.
    void update_caller_outvec_len(struct connection_t *handle)
    {
        uint32_t i;

        for (i = 0; i < PSA_MAX_IOVEC; i++) {
            if (handle->msg.out_size[i] == 0) {
                continue;
            }
            SPM_ASSERT(handle->caller_outvec[i].base == handle->outvec_base[i]);
            handle->caller_outvec[i].len = handle->outvec_written[i];
        }
    }
spm_associate_call_params() does not clear msg.out_size[] so the previous contents remain.
One potential fix is to add the highlighted code below to clear out_size[].
        if (ns_access == TFM_HAL_ACCESS_NS &&
            !PARAM_IS_NS_VEC(ctrl_param) &&
            !PARAM_IS_NS_OUTVEC(ctrl_param)) {
            ns_access = 0;
        }

        /* Proposed addition: clear out_size[] left over from a previous call. */
        spm_memset(p_connection->msg.out_size, 0, sizeof(p_connection->msg.out_size));

        /*
         * For client output vector, it is a PROGRAMMER ERROR if the provided
         * payload memory reference was invalid or not read-write.
         */
        for (i = 0; i < ovec_num; i++) {
            FIH_CALL(tfm_hal_memory_check, fih_rc, curr_partition->boundary,
                     (uintptr_t)ovecs_local[i].base, ovecs_local[i].len,
                     TFM_HAL_ACCESS_READWRITE | ns_access);
            if (fih_not_eq(fih_rc, fih_int_encode(PSA_SUCCESS))) {
                return PSA_ERROR_PROGRAMMER_ERROR;
            }

            p_connection->msg.out_size[i] = ovecs_local[i].len;
            p_connection->outvec_base[i] = ovecs_local[i].base;
            p_connection->outvec_written[i] = 0;
        }

        p_connection->caller_outvec = outptr;

        return PSA_SUCCESS;
    }
Regards,
Brian Quach
SimpleLink MCU
Texas Instruments Inc.
12500 TI Blvd, MS F-4000
Dallas, TX 75243
214-479-4076
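The stale-state sequence described in the mail, as an added stand-alone model that is neither TF-M code nor the poster's patch: names mirror the mail, but the struct layout, the function signatures and the clear_stale switch (which toggles the proposed spm_memset fix) are assumptions. The model returns -1 at the point where the real update_caller_outvec_len() would dereference a NULL caller_outvec instead of crashing.

```c
#include <stddef.h>
#include <string.h>
#define PSA_MAX_IOVEC 4

typedef struct { void *base; size_t len; } psa_outvec;

/* Cut-down model of connection_t (assumed layout, not TF-M's). */
struct connection_t {
    struct { size_t out_size[PSA_MAX_IOVEC]; } msg;
    void *outvec_base[PSA_MAX_IOVEC];
    size_t outvec_written[PSA_MAX_IOVEC];
    psa_outvec *caller_outvec;   /* NULL when the client passed no outvecs */
};

/* Model of spm_associate_call_params(); clear_stale == 1 applies the fix. */
void associate_call_params(struct connection_t *c, psa_outvec *ovecs,
                           size_t ovec_num, int clear_stale)
{
    if (clear_stale)
        memset(c->msg.out_size, 0, sizeof(c->msg.out_size));
    for (size_t i = 0; i < ovec_num; i++) {
        c->msg.out_size[i] = ovecs[i].len;
        c->outvec_base[i] = ovecs[i].base;
        c->outvec_written[i] = 0;
    }
    c->caller_outvec = ovecs;
}

/* Model of update_caller_outvec_len(): returns how many caller outvec lengths
 * it wrote, or -1 at the point where the real code would dereference NULL. */
int update_caller_outvec_len(struct connection_t *c)
{
    int written = 0;
    for (size_t i = 0; i < PSA_MAX_IOVEC; i++) {
        if (c->msg.out_size[i] == 0) continue;
        if (c->caller_outvec == NULL) return -1;  /* the crash from the mail */
        c->caller_outvec[i].len = c->outvec_written[i];
        written++;
    }
    return written;
}

/* Replays the mail's sequence on one connection: a call with three outvecs,
 * then a call with NULL outvecs. Returns the second call's reply result. */
int replay(int clear_stale)
{
    static char buf[3][16];
    psa_outvec three[3] = { {buf[0], 16}, {buf[1], 16}, {buf[2], 16} };
    struct connection_t c = {0};
    associate_call_params(&c, three, 3, clear_stale);
    associate_call_params(&c, NULL, 0, clear_stale);
    return update_caller_outvec_len(&c);
}
```

replay(0) reproduces the reported dereference (returns -1); replay(1) shows the cleared out_size[] makes the NULL-outvec reply a no-op (returns 0).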