Hi,

 

Is it possible to call psa_call() with NULL outvecs with TF-M v2.0?  I am using IPC model.  This worked for me with TF-M v1.8 but now I get a NULL pointer dereference with TF-M v2.0 when psa_reply() is called.  Specifically, it happens inside update_caller_outvec_len().

 

It seems msg.out_size[i] is non-zero (due to a previous psa_call which had 3 outvecs).  handle->caller_outvec[i].len causes a NULL pointer dereference.

 

void update_caller_outvec_len(struct connection_t *handle)
{
    uint32_t i;

    for (i = 0; i < PSA_MAX_IOVEC; i++) {
        if (handle->msg.out_size[i] == 0) {
            continue;
        }

        SPM_ASSERT(handle->caller_outvec[i].base == handle->outvec_base[i]);

        handle->caller_outvec[i].len = handle->outvec_written[i];
    }
}

 

 

spm_associate_call_params() does not clear msg.out_size[] so the previous contents remain.

 

One potential fix is to add the highlighted code below to clear out_size[].  

 

 

 

 

 

Regards,

 

Brian Quach

SimpleLink MCU

Texas Instruments Inc.

12500 TI Blvd, MS F-4000

Dallas, TX 75243

214-479-4076
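
The stale-state condition described in this message, as an added example that is not part of the original post and is not TF-M code: a simplified C model showing that resetting the per-call output sizes before each call removes the NULL write at reply time. `struct conn_model`, `associate_call_params()`, `update_outvec_len()` and the `clear_stale` flag are hypothetical stand-ins for the SPM structures and functions named above.

```c
#include <stddef.h>
#include <string.h>
#define PSA_MAX_IOVEC 4   /* as defined by the PSA Firmware Framework */

/* Simplified stand-ins for the SPM types; only the fields the post mentions. */
struct outvec { void *base; size_t len; };
struct conn_model {
    size_t out_size[PSA_MAX_IOVEC];        /* models handle->msg.out_size[] */
    size_t outvec_written[PSA_MAX_IOVEC];
    struct outvec *caller_outvec;          /* NULL when the caller passes no outvecs */
};

/* Per-call setup. With clear_stale == 0 only the slots the new call uses are written. */
static void associate_call_params(struct conn_model *h, struct outvec *ov,
                                  size_t out_len, int clear_stale)
{
    if (clear_stale) {
        memset(h->out_size, 0, sizeof(h->out_size));
    }
    h->caller_outvec = ov;
    for (size_t i = 0; i < out_len && i < PSA_MAX_IOVEC; i++) {
        h->out_size[i] = ov[i].len;
    }
}

/* Reply-time update: returns slots updated, or -1 where the unguarded loop would hit NULL. */
static int update_outvec_len(struct conn_model *h)
{
    int updated = 0;
    for (size_t i = 0; i < PSA_MAX_IOVEC; i++) {
        if (h->out_size[i] == 0) continue;
        if (h->caller_outvec == NULL) return -1;   /* stale size, no vector behind it */
        h->caller_outvec[i].len = h->outvec_written[i];
        updated++;
    }
    return updated;
}

/* Constructed scenario: a 3-outvec call, then a call with NULL outvecs, on one handle. */
int second_call_result(int clear_stale)
{
    unsigned char buf[3][8];
    struct outvec ov[3] = { {buf[0], 8}, {buf[1], 8}, {buf[2], 8} };
    struct conn_model h = {0};
    associate_call_params(&h, ov, 3, clear_stale);
    if (update_outvec_len(&h) != 3) return -2;
    associate_call_params(&h, NULL, 0, clear_stale);
    return update_outvec_len(&h);
}
```

`second_call_result(0)` reports the stale-size case and `second_call_result(1)` shows the same call sequence completing with no slots to update.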