Using the latest toolchain (clang 3.8), it appears that the stack section is described with offset 0 and size 0. load_kernel() procedure in sys/arm/arm/elf_trampoline.c parses all sections to determine last address, but doesn't checks if header address if above KERNVIRTADDR which cause an integer overflow.
Program Header:
0x70000001 off 0x0074f4f8 vaddr 0xc0b4f4f8 paddr 0xc0b4f4f8 align 2**2
filesz 0x00023100 memsz 0x00023100 flags r--
PHDR off 0x00000034 vaddr 0xc0400034 paddr 0xc0400034 align 2**2
filesz 0x000000c0 memsz 0x000000c0 flags r-x
INTERP off 0x006f3808 vaddr 0xc0af3808 paddr 0xc0af3808 align 2**0
filesz 0x0000000d memsz 0x0000000d flags r--
LOAD off 0x00000000 vaddr 0xc0400000 paddr 0xc0400000 align 2**15
filesz 0x007b70a4 memsz 0x008ec000 flags rwxDYNAMIC off 0x007b703c vaddr 0xc0bb703c paddr 0xc0bb703c align 2**2
filesz 0x00000068 memsz 0x00000068 flags rw-
STACK off 0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**2
filesz 0x00000000 memsz 0x00000000 flags rwx