tee crashed by assert err while using gen_mdbg_check api

[coversky2018]

when i dump all teeos use malloc api , i got a crash issue , i do not know why it happend .
it seams that this is a assert err , but why ?

5,3630,154367403,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 16 bytes core/arch/arm/mm/tee_mm.c:19
5,3631,154367406,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 16 bytes core/mm/fobj.c:526
5,3632,154367409,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 28 bytes core/arch/arm/mm/tee_mmu.c:257
5,3633,154367412,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 60 bytes core/arch/arm/kernel/pseudo_ta.c:294
5,3634,154367416,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 88 bytes core/kernel/tee_ta_manager.c:622
5,3635,154367419,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 24 bytes core/arch/arm/mm/mobj.c:533
5,3636,154367422,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 16 bytes core/arch/arm/mm/tee_mm.c:19
5,3637,154367425,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 16 bytes core/mm/fobj.c:526
5,3638,154367428,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 28 bytes core/arch/arm/mm/tee_mmu.c:257
5,3639,154367431,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 24 bytes core/arch/arm/mm/mobj.c:533
5,3640,154367434,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 16 bytes core/arch/arm/mm/tee_mm.c:19
5,3641,154367437,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 16 bytes core/mm/fobj.c:526
5,3642,154367440,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 28 bytes core/arch/arm/mm/tee_mmu.c:257
5,3643,154367443,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 24 bytes core/arch/arm/mm/mobj.c:533
5,3644,154367446,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 16 bytes core/arch/arm/mm/tee_mm.c:19
5,3645,154367449,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 16 bytes core/mm/fobj.c:526
5,3646,154367452,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 28 bytes core/arch/arm/mm/tee_mmu.c:257
5,3647,154367455,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 24 bytes core/arch/arm/mm/mobj.c:533
5,3648,154367458,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 16 bytes core/arch/arm/mm/tee_mm.c:19
5,3649,154367461,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 16 bytes core/mm/fobj.c:526
5,3650,154367465,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 408 bytes core/arch/arm/kernel/user_ta.c:6
5,3651,155391279,-;[TEE] 93
5,3652,155391291,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 60 bytes core/arch/arm/kernel/pseudo_ta.c:294
5,3653,155391295,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 28 bytes core/arch/arm/mm/tee_mmu.c:257
5,3654,155391298,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 88 bytes core/kernel/tee_ta_manager.c:622
5,3655,155391302,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 32 bytes core/arch/arm/mm/mobj.c:396
5,3656,155391305,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 32 bytes core/arch/arm/mm/mobj.c:168
5,3657,155391308,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 32 bytes core/arch/arm/mm/mobj.c:168
5,3658,155391311,-;[TEE] I/TC:3 00 gen_mdbg_check:639 buffer: 32 bytes core/arch/arm/mm/mobj.c:168
5,3659,155391314,-;[TEE] E/TC:3 00 assertion '*mdbg_get_footer(hdr) == MDBG_FOOTER_MAGIC' failed at lib/libutils/isoc/bget_malloc.c:537 <assert_header>
5,3660,155391317,-;[TEE] E/TC:3 00 Panic at core/kernel/assert.c:28 <_assert_break>
5,3661,155391320,-;[TEE] E/TC:3 00 TEE load address @ 0x24b00000
5,3662,155391323,-;[TEE] E/TC:3 00 Call stack:
5,3663,155391326,-;[TEE] E/TC:3 00 0x24b0a149
5,3664,155391329,-;[TEE] E/TC:3 00 0x24b20a5b
5,3665,155391331,-;[TEE] E/TC:3 00 0x24b205c7
5,3666,155391334,-;[TEE] E/TC:3 00 0x24b3e3e7
5,3667,155391337,-;[TEE] E/TC:3 00 0x24b3eba9
5,3668,155391340,-;[TEE] E/TC:3 00 0x24b21e41
5,3669,155391343,-;[TEE] E/TC:3 00 0x24b061a9
5,3670,155391345,-;[TEE] E/TC:3 00 0x24b2158f
5,3671,155391348,-;[TEE] E/TC:3 00 0x24b0f51d
5,3672,155391351,-;[TEE] E/TC:3 00 0x24b07f15
5,3673,155391353,-;[TEE] E/TC:3 00 0x24b08140

[coversky2018]

assertion '*mdbg_get_footer(hdr) == MDBG_FOOTER_MAGIC' failed at lib/libutils/isoc/bget_malloc.c:537 <assert_header>
5,3660,155391317,-;[TEE] E/TC:3 00 Panic at core/kernel/assert.c:28 <_assert_break>

[jenswi-linaro]

There has been a write beyond the size of an allocated buffer.

[coversky2018]

how to avoid this crash ? does any patch in it ? i am using version 3.8 @jenswi-linaro

[jenswi-linaro]

I'm not aware of this error upstream.
Have you made any changes to the source code?

[coversky2018]

@jenswi-linaro nothing change in this version , same code run in different type soc , one is ok , one is wrong

[jenswi-linaro]

Do you mean that git describe gives 3.8.0?

[coversky2018]

@jenswi-linaro this branch is our internal branch name , but the source code copy form the optee upstream about 2 years ago .
may be the latest tee has fixed this issue . but it is not the best way to fix this bug .

do you have any guide about this issue ?Where should I do a memory check to prevent memory stampede ？

[coversky2018]

@jenswi-linaro how to avoid write beyond the size of an allocated buffer?

[jenswi-linaro]

I'm sorry, but I can debug your code. The problematic buffer was allocated in mobj_phys_alloc(). I can't tell whether this is an upstream bug or if it has been fixed upstream.