5.5.24 · D1Embedded Systems & Real-Time Software

Foundations — Memory protection units (MPU) — preventing stack overflow, access faults

1,889 words9 min readBack to topic

Before you can read the parent note, you need to own a handful of ideas: what memory even is, how an address points into it, what a stack is and which way it grows, what "read / write / execute" mean, and what a fault is. This page builds each one from nothing, in the order they depend on each other.


1. Memory as a long numbered street

Picture a street where every house has a house number. In memory the "house number" is called an address.

Figure — Memory protection units (MPU) — preventing stack overflow, access faults

Why the topic needs it: the MPU's whole job is to look at the address of every access and decide if it is allowed. No address → no MPU.

Recall Why not just count in normal (decimal) numbers?

Question: Why do addresses use hexadecimal like 0x2000_0000? ::: Because memory boundaries fall on powers of two, and each hex digit is exactly 4 bits — so alignment to is easy to see by looking at the low hex digits.


2. Hexadecimal and the meaning of "low bits"

Every address is really a string of bits (0s and 1s). Hex is just shorthand: one hex digit = 4 bits.

Figure — Memory protection units (MPU) — preventing stack overflow, access faults

Why the topic needs it: the MPU decodes which region an address belongs to by masking off low bits. If your region base is not aligned, the hardware silently ignores the low bits and your protection lands somewhere you did not intend (Mistake 1 in the parent).


3. Read / Write / Execute — the three things you can do to a byte

The MPU can allow or forbid each of these independently. The parent's AP bits (access permission) and XN bit (eXecute-Never) are exactly this: XN = "never treat these bytes as instructions."

Recall Why separate "execute" from "read"?

Question: Why does the MPU treat execute as a different permission from read? ::: So data regions (stack, heap) can be marked Execute-Never — if an attacker writes shellcode into a buffer, the CPU faults the moment it tries to run that data. This kills code-injection attacks.


4. The stack: a pile that grows downward

The surprising part for beginners: on ARM (and most CPUs) the stack grows toward lower addresses. The stack pointer () is a register holding the address of the current top of the pile; pushing subtracts from .

Figure — Memory protection units (MPU) — preventing stack overflow, access faults

Why the topic needs it: the MPU's headline trick is placing a tiny no-access guard band at the bottom (lowest address) of each stack. Since the stack grows downward, the overflow hits the guard first, and the guard is where the MPU fires. See Stack memory layout for the full picture of what lives on a stack frame.

Recall Which direction does the stack grow on ARM Cortex-M?

Question: Push data on the stack — does the stack pointer go up or down in address? ::: Down (it subtracts). So guards go at the bottom / lowest address of the stack.


5. Privileged vs unprivileged — the CPU has two "modes"

This is why the parent talks about "RW in privileged+user" vs "RW privileged only." A user task calling *UART_TXREG = data; on a privileged-only peripheral region gets a fault. Deeper detail lives in ARM Cortex-M privilege levels.

Why the topic needs it: each MPU region carries two answers — what privileged code may do, and what unprivileged code may do. Isolation of peripherals (Memory-mapped IO) depends entirely on this split.


6. Fault (exception): the alarm bell

Think of a smoke alarm wired to shut off the stove. The MPU is the sensor; the fault is the alarm; the handler is your decision ("kill the task / log / reboot"). Because it fires before the bad write completes, no corruption happens. This whole machinery is Memory faults and exception handling.

Why the topic needs it: a guard band is useless unless something happens when you hit it. The fault → handler → MMFAR chain is that "something."


7. Region: one fenced yard, plus overlap priority

The half-open bracket means: include the left endpoint (BASE), exclude the right one (BASE + SIZE). So the very last byte is at address .


How these feed the topic

Memory = numbered byte boxes

Address A

Hex and low bits

Alignment to 2 to the n

Read Write Execute

Stack grows downward

Stack overflow

Privileged vs user mode

Region permissions

MPU region matching

Fault raised MemManage

Handler reads MMFAR decides

Guard band protects stack bottom

Every arrow says "you must understand the tail before the head." Alignment () and permissions () both flow into region setup (); overflow () plus regions () produce the fault () that the guard band () relies on.


Equipment checklist

Test yourself — reveal only after answering out loud.

  • One byte holds a number from … to … ::: 0 to 255 (8 bits).
  • An address is … ::: the number that names one byte-box in memory.
  • "Low 10 bits zero" means the address is a multiple of … ::: (aligned to 1 KB).
  • The bitmask test for alignment to is … ::: .
  • The three access types the MPU controls are … ::: Read, Write, Execute.
  • XN stands for … and means … ::: eXecute-Never; the bytes may never be run as instructions.
  • On ARM Cortex-M the stack grows toward … addresses ::: lower (the stack pointer subtracts).
  • A guard band therefore sits at the … of the stack ::: bottom / lowest address.
  • The two CPU privilege levels are … ::: privileged (kernel) and unprivileged (user tasks).
  • When two regions overlap, the winner is the … numbered one ::: highest.
  • An MPU violation raises a … fault, handled in … ::: MemManage fault; MemManage_Handler().
  • The register holding the illegal address is called … ::: MMFAR.

When you can answer all twelve without peeking, you are ready for the parent note and the region-configuration walkthrough it contains — plus Buffer overflow attacks and Real-time system determinism for the "why it matters" context.