packages/arm-trusted-firmware
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2024-6285 CVE-2024-6287

Browse Source 
(cherry picked from commit dd9fc61912b8de22d8ee559504a5c0af3cfb8c32)
This commit is contained in:
wk333 2024-12-17 09:34:09 +08:00 committed by openeuler-sync-bot
parent ff8b077cd5
commit 21ec20dcfd
4 changed files with 200 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
CVE-2024-6285.patch Normal file
View File

@ -0,0 +1,47 @@
From 9778b270e29bac3e16f57f9557098c45858c05de Mon Sep 17 00:00:00 2001
From: Tobias Rist <tobias.rist@joynext.com>
Date: Tue, 7 Mar 2023 09:40:37 +0100
Subject: [PATCH] fix(rcar3-drivers): check for length underflow
Origin: https://github.com/ARM-software/arm-trusted-firmware/commit/9778b270e29bac3e16f57f9557098c45858c05de
https://github.com/renesas-rcar/arm-trusted-firmware/commit/b596f580637bae919b0ac3a5471422a1f756db3b
Make sure the length of the payload is not longer than the
DRAM size in check_load_area(), and make sure the payload
end does not cross protected area start.
Signed-off-by: Tobias Rist <tobias.rist@joynext.com>
Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
Change-Id: I4d687be577a138352be9f92e5b0b6f596ffffba9
---
drivers/renesas/rcar/io/io_rcar.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/renesas/rcar/io/io_rcar.c b/drivers/renesas/rcar/io/io_rcar.c
index c169923..603fefd 100644
--- a/drivers/renesas/rcar/io/io_rcar.c
+++ b/drivers/renesas/rcar/io/io_rcar.c
@@ -288,7 +288,7 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
prot_end = prot_start + DRAM_PROTECTED_SIZE;
- if (dst < dram_start || dst > dram_end - len) {
+ if (dst < dram_start || len > dram_end || dst > dram_end - len) {
ERROR("BL2: dst address is on the protected area.\n");
result = IO_FAIL;
goto done;
@@ -301,8 +301,9 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
goto done;
}
- if (dst < prot_start && dst > prot_start - len) {
- ERROR("BL2: loaded data is on the protected area.\n");
+ if (len > prot_start || (dst < prot_start && dst > prot_start - len)) {
+ ERROR("BL2: %s[%d] loaded data is on the protected area.\n",
+ __func__, __LINE__);
result = IO_FAIL;
goto done;
}
--
2.33.0

103
CVE-2024-6287-1.patch Normal file
View File

@ -0,0 +1,103 @@
From 6a96c18c474e6339fab93f54d52aa7dcc4b70e52 Mon Sep 17 00:00:00 2001
From: Tobias Rist <tobias.rist@joynext.com>
Date: Thu, 16 Mar 2023 21:31:15 +0900
Subject: [PATCH] rcar-gen3: plat: BL2: check loaded NS image area
Check if next NS image invades a previous loaded image.
Correct non secure image area to avoid loading a NS image to secure
Signed-off-by: Tobias Rist <tobias.rist@joynext.com>
Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
---
drivers/renesas/rcar/io/io_rcar.c | 46 ++++++++++++++++++++++++++--
plat/renesas/rcar/include/rcar_def.h | 2 +-
2 files changed, 45 insertions(+), 3 deletions(-)
diff --git a/drivers/renesas/rcar/io/io_rcar.c b/drivers/renesas/rcar/io/io_rcar.c
index fe968b6..dc1b786 100644
--- a/drivers/renesas/rcar/io/io_rcar.c
+++ b/drivers/renesas/rcar/io/io_rcar.c
@@ -84,6 +84,18 @@ typedef struct {
#define RCAR_COUNT_LOAD_BL33 (2U)
#define RCAR_COUNT_LOAD_BL33X (3U)
+#define CHECK_IMAGE_AREA_CNT (5U)
+#define BOOT_BL2_ADDR (0xE6304000U)
+#define BOOT_BL2_LENGTH (0x19000U)
+
+typedef struct {
+ uintptr_t dest;
+ uintptr_t length;
+} addr_loaded_t;
+
+static addr_loaded_t addr_loaded[CHECK_IMAGE_AREA_CNT] = { [0] = {BOOT_BL2_ADDR, BOOT_BL2_LENGTH} };
+static uint32_t addr_loaded_cnt = 1;
+
static const plat_rcar_name_offset_t name_offset[] = {
{BL31_IMAGE_ID, 0U, RCAR_ATTR_SET_ALL(0, 0, 0)},
@@ -256,9 +268,9 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
uintptr_t prot_start, prot_end;
int32_t result = IO_SUCCESS;
- dram_start = legacy ? DRAM1_BASE : DRAM_40BIT_BASE;
+ dram_start = legacy ? DRAM1_NS_BASE : DRAM_40BIT_BASE;
- dram_end = legacy ? DRAM1_BASE + DRAM1_SIZE :
+ dram_end = legacy ? DRAM1_NS_BASE + DRAM1_NS_SIZE :
DRAM_40BIT_BASE + DRAM_40BIT_SIZE;
prot_start = legacy ? DRAM_PROTECTED_BASE : DRAM_40BIT_PROTECTED_BASE;
@@ -287,6 +299,36 @@ done:
if (result == IO_FAIL)
ERROR("BL2: Out of range : dst=0x%lx len=0x%lx\n", dst, len);
+ if (addr_loaded_cnt >= CHECK_IMAGE_AREA_CNT) {
+ ERROR("BL2: max loadable non secure images reached\n");
+ result = IO_FAIL;
+ }
+ addr_loaded[addr_loaded_cnt].dest = dst;
+ addr_loaded[addr_loaded_cnt].length = len;
+ for(int n=0; n<addr_loaded_cnt; n++) {
+ /* Check if next image invades a previous loaded image
+ *
+ * IMAGE n: area from previous image: dest| IMAGE n |length
+ * IMAGE n+1: area from next image: dst | IMAGE n |len
+ *
+ * 1. check:
+ * | IMAGE n |
+ * | IMAGE n+1 |
+ * 2. check:
+ * | IMAGE n |
+ * | IMAGE n+1 |
+ *
+ * */
+ if (((dst > addr_loaded[n].dest) &&
+ (dst < addr_loaded[n].dest + addr_loaded[n].length)) ||
+ (((dst < addr_loaded[n].dest) &&
+ (dst + len)) > addr_loaded[n].dest)) {
+ ERROR("BL2: image is inside a previous image area.\n");
+ result = IO_FAIL;
+ }
+ }
+ addr_loaded_cnt++;
+
return result;
}
diff --git a/plat/renesas/rcar/include/rcar_def.h b/plat/renesas/rcar/include/rcar_def.h
index 0ffbfe9..a41a994 100644
--- a/plat/renesas/rcar/include/rcar_def.h
+++ b/plat/renesas/rcar/include/rcar_def.h
@@ -31,7 +31,7 @@
#define DRAM_LIMIT ULL(0x0000010000000000)
#define DRAM1_BASE U(0x40000000)
#define DRAM1_SIZE U(0x80000000)
-#define DRAM1_NS_BASE (DRAM1_BASE + U(0x10000000))
+#define DRAM1_NS_BASE (DRAM1_BASE + U(0x08000000))
#define DRAM1_NS_SIZE (DRAM1_SIZE - DRAM1_NS_BASE)
#define DRAM_40BIT_BASE ULL(0x0400000000)
#define DRAM_40BIT_SIZE ULL(0x0400000000)
--
2.33.0

41
CVE-2024-6287-2.patch Normal file
View File

@ -0,0 +1,41 @@
From 954d488a9798f8fda675c6b57c571b469b298f04 Mon Sep 17 00:00:00 2001
From: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
Date: Sun, 23 Apr 2023 21:11:15 +0900
Subject: [PATCH] rcar-gen3: plat: BL2: fix Incorrect Address Range Calculation
Check against all address overlap cases
Reviewed-by: Tomer Fichman <Tomer.Fichman@cymotive.com>
Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
---
drivers/renesas/rcar/io/io_rcar.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/drivers/renesas/rcar/io/io_rcar.c b/drivers/renesas/rcar/io/io_rcar.c
index 9b29a5be81..21ed411137 100644
--- a/drivers/renesas/rcar/io/io_rcar.c
+++ b/drivers/renesas/rcar/io/io_rcar.c
@@ -335,13 +335,18 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
* 2. check:
* | IMAGE n |
* | IMAGE n+1 |
+ * 3. check:
+ * | IMAGE n |
+ * | IMAGE n+1 |
*
* */
- if (((dst > addr_loaded[n].dest) &&
- (dst < addr_loaded[n].dest + addr_loaded[n].length)) ||
- (((dst < addr_loaded[n].dest) &&
- (dst + len)) > addr_loaded[n].dest)) {
- ERROR("BL2: image is inside a previous image area.\n");
+ if (((dst >= addr_loaded[n].dest) &&
+ (dst <= addr_loaded[n].dest + addr_loaded[n].length)) ||
+ ((dst + len >= addr_loaded[n].dest) &&
+ (dst + len <= addr_loaded[n].dest + addr_loaded[n].length)) ||
+ ((dst <= addr_loaded[n].dest) &&
+ (dst + len >= addr_loaded[n].dest + addr_loaded[n].length))) {
+ ERROR("BL2: next image overlap a previous image area.\n");
result = IO_FAIL;
}
}

10
arm-trusted-firmware.spec
View File

@ -2,7 +2,7 @@
Name: arm-trusted-firmware Name: arm-trusted-firmware
Version: 2.3 Version: 2.3
Release: 5 Release: 6
Summary: ARM Trusted Firmware Summary: ARM Trusted Firmware
License: BSD License: BSD
URL: https://github.com/ARM-software/arm-trusted-firmware/wiki URL: https://github.com/ARM-software/arm-trusted-firmware/wiki
@ -20,6 +20,11 @@ Patch0004: CVE-2023-49100.patch
# https://github.com/renesas-rcar/arm-trusted-firmware/commit/235f85b654a031f7647e81b86fc8e4ffeb430164 # https://github.com/renesas-rcar/arm-trusted-firmware/commit/235f85b654a031f7647e81b86fc8e4ffeb430164
Patch0005: CVE-2024-6563.patch Patch0005: CVE-2024-6563.patch
Patch0006: CVE-2024-6564.patch Patch0006: CVE-2024-6564.patch
# https://github.com/renesas-rcar/arm-trusted-firmware/commit/6a96c18c474e6339fab93f54d52aa7dcc4b70e52
Patch0007: CVE-2024-6287-1.patch
# https://github.com/renesas-rcar/arm-trusted-firmware/commit/954d488a9798f8fda675c6b57c571b469b298f04
Patch0008: CVE-2024-6287-2.patch
Patch0009: CVE-2024-6285.patch
ExclusiveArch: aarch64 ExclusiveArch: aarch64
BuildRequires: dtc BuildRequires: dtc
@ -74,6 +79,9 @@ strip %{buildroot}/%{_datadir}/%{name}/rk3368/bl31.elf
%{_datadir}/%{name} %{_datadir}/%{name}
%changelog %changelog
* Mon Dec 16 2024 wangkai <13474090681@163.com> - 2.3-6
- Fix CVE-2024-6285 CVE-2024-6287
* Tue Jul 09 2024 zhangxianting <zhangxianting@uniontech.com> - 2.3-5 * Tue Jul 09 2024 zhangxianting <zhangxianting@uniontech.com> - 2.3-5
- Fix CVE-2024-6563 CVE-2024-6564 - Fix CVE-2024-6563 CVE-2024-6564