mbedTLS fails with uVisor enabled due to memory allocation errors

Question

mbedTLS fails with uVisor enabled due to memory allocation errors

sherrellbc opened this issue 7 years ago · comments

I've created a minimal example that seems to work only when uVisor is not enabled. The failure occurs in the mbedtls_pk_parse_key function when parsing the private key.

When using the "small" key (512 bits) I observe the following run-time error:
mbedtls_pk_parse_key() failed: -0x3d10 (-15632): PK - Invalid key tag or value : BIGNUM - Memory allocation failed

When using the "large" key (2048 bits) I observe a similar error:
mbedtls_pk_parse_key() failed: -0x4210 (-16912): RSA - Key failed to pass the library's validity check : BIGNUM - Memory allocation failed

For reference, the example code is compiled and executed on FRDM board. I have tried adjusting the heap and stack sizes, but it does not seem to help. We are currently working with mbed-os 5.3.4 and uVisor version 0.27.0.

Is there a known issue with running mbedTLS and uVisor concurrently?

ARM mbed CI · Answer 1 · Tue Apr 18 2017 07:52:18 GMT+0800 (China Standard Time)

ARM Internal Ref: IOTSEC-334

Alessandro Angelino · Answer 2 · Thu Apr 20 2017 18:13:27 GMT+0800 (China Standard Time)

Possibly related to ARMmbed/mbed-os#3610. @sherrellbc we are currently investigating the issue.

Deleted user · Answer 3 · Fri Apr 21 2017 05:32:29 GMT+0800 (China Standard Time)

I've been working with @sherrellbc on this, I can verify that it is probably related, but the workaround is not sufficient.

Defining MBED_HEAP_STATS_ENABLED does allow us to get further on our internal code, but still fails with strange errors in mbedtls_pk_parse_key(), around a call to mbedtls_mpi_grow( X, i + j ) at bignum.c:1174 ... which I'm guessing is still a potential memory allocation error based solely on the function name ending in _grow().

We've been testing with our full code, not our example code posted above. We'll re-test with the example code and post results when we can, but it may take until tomorrow.

sherrellbc · Answer 4 · Mon Jun 26 2017 03:12:35 GMT+0800 (China Standard Time)

@AlessandroA Have there been any updates that resolve this problem?

Jaeden Amero · Answer 5 · Mon Jun 26 2017 17:03:46 GMT+0800 (China Standard Time)

@sherrellbc We've fixed a bug in the mbed OS 5.5 release of uVisor where the box main thread stack and box heap were placed incorrectly, leading to heap corruption under certain conditions. It's possible that in your example, you really do run out of memory, but it could also be heap corruption, so it'd be worth retesting with mbed OS 5.5.

Thanks

sherrellbc · Answer 6 · Tue Jun 27 2017 00:12:25 GMT+0800 (China Standard Time)

@Patater The latest 5.5 release candidate seemed to solve the problem. The default heap size for the NXP FRDM board was too small (0x6000). Increasing this (actually doubling it) prevented run-time allocation errors from occurring. Otherwise mbedtls_calloc will fail with mbedtls_ssl_setup() failed: -0x7f00 (-32512): SSL - Memory allocation failed.