packages/arm-trusted-firmware
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!68 [sync] PR-67: Update to 2.12.1 for fix CVE-2024-7881 and CVE-2024-5660

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @lyn1001 
Signed-off-by: @lyn1001
This commit is contained in:
openeuler-ci-bot 2025-03-24 06:24:43 +00:00 committed by Gitee
commit 5cc11286b3
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
13 changed files with 58 additions and 621 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
CVE-2022-47630-1.patch
View File

@ -1,50 +0,0 @@
From fd37982a19a4a2911912ce321b9468993a0919ad Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour <demiobenour@gmail.com>
Date: Thu, 8 Dec 2022 15:23:56 -0500
Subject: fix(auth): forbid junk after extensions
The extensions must use all remaining bytes in the TBSCertificate.
Change-Id: Idf48f7168e146d050ba62dbc732638946fcd6c92
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
drivers/auth/mbedtls/mbedtls_x509_parser.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/auth/mbedtls/mbedtls_x509_parser.c b/drivers/auth/mbedtls/mbedtls_x509_parser.c
index 49bc008ed1..8c78003bb2 100644
--- a/drivers/auth/mbedtls/mbedtls_x509_parser.c
+++ b/drivers/auth/mbedtls/mbedtls_x509_parser.c
@@ -304,24 +304,26 @@ static int cert_parse(void *img, unsigned int img_len)
/*
* extensions [3] EXPLICIT Extensions OPTIONAL
+ * -- must use all remaining bytes in TBSCertificate
*/
ret = mbedtls_asn1_get_tag(&p, end, &len,
MBEDTLS_ASN1_CONTEXT_SPECIFIC |
MBEDTLS_ASN1_CONSTRUCTED | 3);
- if (ret != 0) {
+ if ((ret != 0) || (len != (size_t)(end - p))) {
return IMG_PARSER_ERR_FORMAT;
}
/*
* Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
+ * -- must use all remaining bytes in TBSCertificate
*/
v3_ext.p = p;
ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE);
- if (ret != 0) {
+ if ((ret != 0) || (len != (size_t)(end - p))) {
return IMG_PARSER_ERR_FORMAT;
}
- v3_ext.len = (p + len) - v3_ext.p;
+ v3_ext.len = end - v3_ext.p;
/*
* Check extensions integrity
--
cgit v1.2.3

73
CVE-2022-47630-2.patch
View File

@ -1,73 +0,0 @@
From 72460f50e2437a85ce5229c430931aab8f4a0d5b Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour <demiobenour@gmail.com>
Date: Thu, 8 Dec 2022 15:23:58 -0500
Subject: fix(auth): require at least one extension to be present
X.509 and RFC5280 allow omitting the extensions entirely, but require
that if the extensions field is present at all, it must contain at least
one certificate. TF-A already requires the extensions to be present,
but allows them to be empty. However, a certificate with an empty
extensions field will always fail later on, as the extensions contain
the information needed to validate the next stage in the boot chain.
Therefore, it is simpler to require the extension field to be present
and contain at least one extension. Also add a comment explaining why
the extensions field is required, even though it is OPTIONAL in the
ASN.1 syntax.
Change-Id: Ie26eed8a7924bf50937a6b27ccdf7cc9a390588d
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
drivers/auth/mbedtls/mbedtls_x509_parser.c | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/drivers/auth/mbedtls/mbedtls_x509_parser.c b/drivers/auth/mbedtls/mbedtls_x509_parser.c
index 8c78003bb2..9cccd964d4 100644
--- a/drivers/auth/mbedtls/mbedtls_x509_parser.c
+++ b/drivers/auth/mbedtls/mbedtls_x509_parser.c
@@ -304,7 +304,18 @@ static int cert_parse(void *img, unsigned int img_len)
/*
* extensions [3] EXPLICIT Extensions OPTIONAL
- * -- must use all remaining bytes in TBSCertificate
+ * }
+ *
+ * X.509 and RFC5280 allow omitting the extensions entirely.
+ * However, in TF-A, a certificate with no extensions would
+ * always fail later on, as the extensions contain the
+ * information needed to authenticate the next stage in the
+ * boot chain. Furthermore, get_ext() assumes that the
+ * extensions have been parsed into v3_ext, and allowing
+ * there to be no extensions would pointlessly complicate
+ * the code. Therefore, just reject certificates without
+ * extensions. This is also why version 1 and 2 certificates
+ * are rejected above.
*/
ret = mbedtls_asn1_get_tag(&p, end, &len,
MBEDTLS_ASN1_CONTEXT_SPECIFIC |
@@ -326,9 +337,12 @@ static int cert_parse(void *img, unsigned int img_len)
v3_ext.len = end - v3_ext.p;
/*
- * Check extensions integrity
+ * Check extensions integrity. At least one extension is
+ * required: the ASN.1 specifies a minimum size of 1, and at
+ * least one extension is needed to authenticate the next stage
+ * in the boot chain.
*/
- while (p < end) {
+ do {
ret = mbedtls_asn1_get_tag(&p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE);
@@ -356,7 +370,7 @@ static int cert_parse(void *img, unsigned int img_len)
return IMG_PARSER_ERR_FORMAT;
}
p += len;
- }
+ } while (p < end);
if (p != end) {
return IMG_PARSER_ERR_FORMAT;
--
cgit v1.2.3

84
CVE-2022-47630-3.patch
View File

@ -1,84 +0,0 @@
From f5c51855d36e399e6e22cc1eb94f6b58e51b3b6d Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour <demiobenour@gmail.com>
Date: Fri, 9 Dec 2022 17:19:08 -0500
Subject: fix(auth): properly validate X.509 extensions
get_ext() does not check the return value of the various mbedtls_*
functions, as cert_parse() is assumed to have guaranteed that they will
always succeed. However, it passes the end of an extension as the end
pointer to these functions, whereas cert_parse() passes the end of the
TBSCertificate. Furthermore, cert_parse() does *not* check that the
contents of the extension have the same length as the extension itself.
Before fd37982a19a4a291 ("fix(auth): forbid junk after extensions"),
cert_parse() also does not check that the extension block extends to the
end of the TBSCertificate.
This is a problem, as mbedtls_asn1_get_tag() leaves *p and *len
undefined on failure. In practice, this results in get_ext() continuing
to parse at different offsets than were used (and validated) by
cert_parse(), which means that the in-bounds guarantee provided by
cert_parse() no longer holds.
This patch fixes the remaining flaw by enforcing that the contents of an
extension are the same length as the extension itself.
Change-Id: Id4570f911402e34d5d6c799ae01a01f184c68d7c
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
---
drivers/auth/mbedtls/mbedtls_x509_parser.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/drivers/auth/mbedtls/mbedtls_x509_parser.c b/drivers/auth/mbedtls/mbedtls_x509_parser.c
index 44b25ba72b..bef2f3d0a6 100644
--- a/drivers/auth/mbedtls/mbedtls_x509_parser.c
+++ b/drivers/auth/mbedtls/mbedtls_x509_parser.c
@@ -355,33 +355,39 @@ static int cert_parse(void *img, unsigned int img_len)
* in the boot chain.
*/
do {
+ unsigned char *end_ext_data;
+
ret = mbedtls_asn1_get_tag(&p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE);
if (ret != 0) {
return IMG_PARSER_ERR_FORMAT;
}
+ end_ext_data = p + len;
/* Get extension ID */
- ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID);
+ ret = mbedtls_asn1_get_tag(&p, end_ext_data, &len, MBEDTLS_ASN1_OID);
if (ret != 0) {
return IMG_PARSER_ERR_FORMAT;
}
p += len;
/* Get optional critical */
- ret = mbedtls_asn1_get_bool(&p, end, &is_critical);
+ ret = mbedtls_asn1_get_bool(&p, end_ext_data, &is_critical);
if ((ret != 0) && (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) {
return IMG_PARSER_ERR_FORMAT;
}
- /* Data should be octet string type */
- ret = mbedtls_asn1_get_tag(&p, end, &len,
+ /*
+ * Data should be octet string type and must use all bytes in
+ * the Extension.
+ */
+ ret = mbedtls_asn1_get_tag(&p, end_ext_data, &len,
MBEDTLS_ASN1_OCTET_STRING);
- if (ret != 0) {
+ if ((ret != 0) || ((p + len) != end_ext_data)) {
return IMG_PARSER_ERR_FORMAT;
}
- p += len;
+ p = end_ext_data;
} while (p < end);
if (p != end) {
--
cgit v1.2.3

82
CVE-2022-47630-4.patch
View File

@ -1,82 +0,0 @@
From abb8f936fd0ad085b1966bdc2cddf040ba3865e3 Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour <demiobenour@gmail.com>
Date: Fri, 9 Dec 2022 18:21:47 -0500
Subject: fix(auth): avoid out-of-bounds read in auth_nvctr()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
auth_nvctr() does not check that the buffer provided is long enough to
hold an ASN.1 INTEGER, or even that the buffer is non-empty. Since
auth_nvctr() will only ever read 6 bytes, it is possible to read up to
6 bytes past the end of the buffer.
This out-of-bounds read turns out to be harmless. The only caller of
auth_nvctr() always passes a pointer into an X.509 TBSCertificate, and
all in-tree chains of trust require that the certificates signature has
already been validated. This means that the signature algorithm
identifier is at least 4 bytes and the signature itself more than that.
Therefore, the data read will be from the certificate itself. Even if
the certificate signature has not been validated, an out-of-bounds read
is still not possible. Since there are at least two bytes (tag and
length) in both the signature algorithm ID and the signature itself, an
out-of-bounds read would require that the tag byte of the signature
algorithm ID would need to be either the tag or length byte of the
DER-encoded nonvolatile counter. However, this byte must be
(MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) (0x30), which is
greater than 4 and not equal to MBEDTLS_ASN1_INTEGER (2). Therefore,
auth_nvctr() will error out before reading the integer itself,
preventing an out-of-bounds read.
Change-Id: Ibdf1af702fbeb98a94c0c96456ebddd3d392ad44
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
drivers/auth/auth_mod.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/drivers/auth/auth_mod.c b/drivers/auth/auth_mod.c
index eb537b6..070f60f 100644
--- a/drivers/auth/auth_mod.c
+++ b/drivers/auth/auth_mod.c
@@ -228,7 +228,7 @@ static int auth_nvctr(const auth_method_param_nv_ctr_t *param,
const auth_img_desc_t *img_desc,
void *img, unsigned int img_len)
{
- char *p;
+ unsigned char *p;
void *data_ptr = NULL;
unsigned int data_len, len, i;
unsigned int cert_nv_ctr, plat_nv_ctr;
@@ -242,16 +242,24 @@ static int auth_nvctr(const auth_method_param_nv_ctr_t *param,
/* Parse the DER encoded integer */
assert(data_ptr);
- p = (char *)data_ptr;
- if (*p != ASN1_INTEGER) {
+ p = (unsigned char *)data_ptr;
+
+ /*
+ * Integers must be at least 3 bytes: 1 for tag, 1 for length, and 1
+ * for value. The first byte (tag) must be ASN1_INTEGER.
+ */
+ if ((data_len < 3) || (*p != ASN1_INTEGER)) {
/* Invalid ASN.1 integer */
return 1;
}
p++;
- /* NV-counters are unsigned integers up to 32-bit */
- len = (unsigned int)(*p & 0x7f);
- if ((*p & 0x80) || (len > 4)) {
+ /*
+ * NV-counters are unsigned integers up to 31 bits. Trailing
+ * padding is not allowed.
+ */
+ len = (unsigned int)*p;
+ if ((len > 4) || (data_len - 2 != len)) {
return 1;
}
p++;
--
2.30.0

37
CVE-2023-49100.patch
View File

@ -1,37 +0,0 @@
From a7eff3477dcf3624c74f5217419b1a27b7ebd2aa Mon Sep 17 00:00:00 2001
From: Manish Pandey <manish.pandey2@arm.com>
Date: Thu, 26 Oct 2023 11:14:21 +0100
Subject: fix(sdei): ensure that interrupt ID is valid
As per SDEI spec (section 5.1.14.1), SDEI_INTERRUPT_BIND interface
expects a valid PPI or SPI. SGI's are not allowed to be bounded.
Current check in the code only checks for an SGI and returns invalid
ID. This check is insufficient as it will not catch architecturally
invalid interrupt IDs.
Modify the check to ensure that interrupt is either PPI or SPI.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I52eb0a6d7f88a12f6816cff9b68fb3a7ca12cbb7
---
services/std_svc/sdei/sdei_main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/std_svc/sdei/sdei_main.c b/services/std_svc/sdei/sdei_main.c
index 44178eddd3..0fd3c1d32c 100644
--- a/services/std_svc/sdei/sdei_main.c
+++ b/services/std_svc/sdei/sdei_main.c
@@ -710,8 +710,8 @@ static int sdei_interrupt_bind(unsigned int intr_num)
sdei_ev_map_t *map;
bool retry = true, shared_mapping;
- /* SGIs are not allowed to be bound */
- if (plat_ic_is_sgi(intr_num) != 0)
+ /* Interrupt must be either PPI or SPI */
+ if (!(plat_ic_is_ppi(intr_num) || plat_ic_is_spi(intr_num)))
return SDEI_EINVAL;
shared_mapping = (plat_ic_is_spi(intr_num) != 0);
--
cgit v1.2.3

47
CVE-2024-6285.patch
View File

@ -1,47 +0,0 @@
From 9778b270e29bac3e16f57f9557098c45858c05de Mon Sep 17 00:00:00 2001
From: Tobias Rist <tobias.rist@joynext.com>
Date: Tue, 7 Mar 2023 09:40:37 +0100
Subject: [PATCH] fix(rcar3-drivers): check for length underflow
Origin: https://github.com/ARM-software/arm-trusted-firmware/commit/9778b270e29bac3e16f57f9557098c45858c05de
https://github.com/renesas-rcar/arm-trusted-firmware/commit/b596f580637bae919b0ac3a5471422a1f756db3b
Make sure the length of the payload is not longer than the
DRAM size in check_load_area(), and make sure the payload
end does not cross protected area start.
Signed-off-by: Tobias Rist <tobias.rist@joynext.com>
Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
Change-Id: I4d687be577a138352be9f92e5b0b6f596ffffba9
---
drivers/renesas/rcar/io/io_rcar.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/renesas/rcar/io/io_rcar.c b/drivers/renesas/rcar/io/io_rcar.c
index c169923..603fefd 100644
--- a/drivers/renesas/rcar/io/io_rcar.c
+++ b/drivers/renesas/rcar/io/io_rcar.c
@@ -288,7 +288,7 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
prot_end = prot_start + DRAM_PROTECTED_SIZE;
- if (dst < dram_start || dst > dram_end - len) {
+ if (dst < dram_start || len > dram_end || dst > dram_end - len) {
ERROR("BL2: dst address is on the protected area.\n");
result = IO_FAIL;
goto done;
@@ -301,8 +301,9 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
goto done;
}
- if (dst < prot_start && dst > prot_start - len) {
- ERROR("BL2: loaded data is on the protected area.\n");
+ if (len > prot_start || (dst < prot_start && dst > prot_start - len)) {
+ ERROR("BL2: %s[%d] loaded data is on the protected area.\n",
+ __func__, __LINE__);
result = IO_FAIL;
goto done;
}
--
2.33.0

103
CVE-2024-6287-1.patch
View File

@ -1,103 +0,0 @@
From 6a96c18c474e6339fab93f54d52aa7dcc4b70e52 Mon Sep 17 00:00:00 2001
From: Tobias Rist <tobias.rist@joynext.com>
Date: Thu, 16 Mar 2023 21:31:15 +0900
Subject: [PATCH] rcar-gen3: plat: BL2: check loaded NS image area
Check if next NS image invades a previous loaded image.
Correct non secure image area to avoid loading a NS image to secure
Signed-off-by: Tobias Rist <tobias.rist@joynext.com>
Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
---
drivers/renesas/rcar/io/io_rcar.c | 46 ++++++++++++++++++++++++++--
plat/renesas/rcar/include/rcar_def.h | 2 +-
2 files changed, 45 insertions(+), 3 deletions(-)
diff --git a/drivers/renesas/rcar/io/io_rcar.c b/drivers/renesas/rcar/io/io_rcar.c
index fe968b6..dc1b786 100644
--- a/drivers/renesas/rcar/io/io_rcar.c
+++ b/drivers/renesas/rcar/io/io_rcar.c
@@ -84,6 +84,18 @@ typedef struct {
#define RCAR_COUNT_LOAD_BL33 (2U)
#define RCAR_COUNT_LOAD_BL33X (3U)
+#define CHECK_IMAGE_AREA_CNT (5U)
+#define BOOT_BL2_ADDR (0xE6304000U)
+#define BOOT_BL2_LENGTH (0x19000U)
+
+typedef struct {
+ uintptr_t dest;
+ uintptr_t length;
+} addr_loaded_t;
+
+static addr_loaded_t addr_loaded[CHECK_IMAGE_AREA_CNT] = { [0] = {BOOT_BL2_ADDR, BOOT_BL2_LENGTH} };
+static uint32_t addr_loaded_cnt = 1;
+
static const plat_rcar_name_offset_t name_offset[] = {
{BL31_IMAGE_ID, 0U, RCAR_ATTR_SET_ALL(0, 0, 0)},
@@ -256,9 +268,9 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
uintptr_t prot_start, prot_end;
int32_t result = IO_SUCCESS;
- dram_start = legacy ? DRAM1_BASE : DRAM_40BIT_BASE;
+ dram_start = legacy ? DRAM1_NS_BASE : DRAM_40BIT_BASE;
- dram_end = legacy ? DRAM1_BASE + DRAM1_SIZE :
+ dram_end = legacy ? DRAM1_NS_BASE + DRAM1_NS_SIZE :
DRAM_40BIT_BASE + DRAM_40BIT_SIZE;
prot_start = legacy ? DRAM_PROTECTED_BASE : DRAM_40BIT_PROTECTED_BASE;
@@ -287,6 +299,36 @@ done:
if (result == IO_FAIL)
ERROR("BL2: Out of range : dst=0x%lx len=0x%lx\n", dst, len);
+ if (addr_loaded_cnt >= CHECK_IMAGE_AREA_CNT) {
+ ERROR("BL2: max loadable non secure images reached\n");
+ result = IO_FAIL;
+ }
+ addr_loaded[addr_loaded_cnt].dest = dst;
+ addr_loaded[addr_loaded_cnt].length = len;
+ for(int n=0; n<addr_loaded_cnt; n++) {
+ /* Check if next image invades a previous loaded image
+ *
+ * IMAGE n: area from previous image: dest| IMAGE n |length
+ * IMAGE n+1: area from next image: dst | IMAGE n |len
+ *
+ * 1. check:
+ * | IMAGE n |
+ * | IMAGE n+1 |
+ * 2. check:
+ * | IMAGE n |
+ * | IMAGE n+1 |
+ *
+ * */
+ if (((dst > addr_loaded[n].dest) &&
+ (dst < addr_loaded[n].dest + addr_loaded[n].length)) ||
+ (((dst < addr_loaded[n].dest) &&
+ (dst + len)) > addr_loaded[n].dest)) {
+ ERROR("BL2: image is inside a previous image area.\n");
+ result = IO_FAIL;
+ }
+ }
+ addr_loaded_cnt++;
+
return result;
}
diff --git a/plat/renesas/rcar/include/rcar_def.h b/plat/renesas/rcar/include/rcar_def.h
index 0ffbfe9..a41a994 100644
--- a/plat/renesas/rcar/include/rcar_def.h
+++ b/plat/renesas/rcar/include/rcar_def.h
@@ -31,7 +31,7 @@
#define DRAM_LIMIT ULL(0x0000010000000000)
#define DRAM1_BASE U(0x40000000)
#define DRAM1_SIZE U(0x80000000)
-#define DRAM1_NS_BASE (DRAM1_BASE + U(0x10000000))
+#define DRAM1_NS_BASE (DRAM1_BASE + U(0x08000000))
#define DRAM1_NS_SIZE (DRAM1_SIZE - DRAM1_NS_BASE)
#define DRAM_40BIT_BASE ULL(0x0400000000)
#define DRAM_40BIT_SIZE ULL(0x0400000000)
--
2.33.0

41
CVE-2024-6287-2.patch
View File

@ -1,41 +0,0 @@
From 954d488a9798f8fda675c6b57c571b469b298f04 Mon Sep 17 00:00:00 2001
From: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
Date: Sun, 23 Apr 2023 21:11:15 +0900
Subject: [PATCH] rcar-gen3: plat: BL2: fix Incorrect Address Range Calculation
Check against all address overlap cases
Reviewed-by: Tomer Fichman <Tomer.Fichman@cymotive.com>
Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
---
drivers/renesas/rcar/io/io_rcar.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/drivers/renesas/rcar/io/io_rcar.c b/drivers/renesas/rcar/io/io_rcar.c
index 9b29a5be81..21ed411137 100644
--- a/drivers/renesas/rcar/io/io_rcar.c
+++ b/drivers/renesas/rcar/io/io_rcar.c
@@ -335,13 +335,18 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
* 2. check:
* | IMAGE n |
* | IMAGE n+1 |
+ * 3. check:
+ * | IMAGE n |
+ * | IMAGE n+1 |
*
* */
- if (((dst > addr_loaded[n].dest) &&
- (dst < addr_loaded[n].dest + addr_loaded[n].length)) ||
- (((dst < addr_loaded[n].dest) &&
- (dst + len)) > addr_loaded[n].dest)) {
- ERROR("BL2: image is inside a previous image area.\n");
+ if (((dst >= addr_loaded[n].dest) &&
+ (dst <= addr_loaded[n].dest + addr_loaded[n].length)) ||
+ ((dst + len >= addr_loaded[n].dest) &&
+ (dst + len <= addr_loaded[n].dest + addr_loaded[n].length)) ||
+ ((dst <= addr_loaded[n].dest) &&
+ (dst + len >= addr_loaded[n].dest + addr_loaded[n].length))) {
+ ERROR("BL2: next image overlap a previous image area.\n");
result = IO_FAIL;
}
}

33
CVE-2024-6563.patch
View File

@ -1,33 +0,0 @@
From: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
Date: Sun, 23 Apr 2023 21:37:42 +0900
Subject: [PATCH] rcar-gen3: plat: BL2: Enhanced buffer protection
If the parameter check is an error, the function is terminated immediately.
Reviewed-by: Ilay Levi <Ilay.levi@cymotive.com>
Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
---
drivers/renesas/rcar/io/io_rcar.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/renesas/rcar/io/io_rcar.c b/drivers/renesas/rcar/io/io_rcar.c
index b82c510..884d9b1 100644
--- a/drivers/renesas/rcar/io/io_rcar.c
+++ b/drivers/renesas/rcar/io/io_rcar.c
@@ -275,11 +275,13 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
if (dst >= prot_start && dst < prot_end) {
ERROR("BL2: dst address is on the protected area.\n");
result = IO_FAIL;
+ goto done;
}
if (dst < prot_start && dst > prot_start - len) {
ERROR("BL2: loaded data is on the protected area.\n");
result = IO_FAIL;
+ goto done;
}
done:
if (result == IO_FAIL)
--
2.33.0

41
CVE-2024-6564.patch
View File

@ -1,41 +0,0 @@
From c9fb3558410032d2660c7f3b7d4b87dec09fe2f2 Mon Sep 17 00:00:00 2001
From: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
Date: Mon, 3 Jul 2023 16:58:11 +0900
Subject: [PATCH] rcar-gen3: plat: BL2: Fix to check "rcar_image_number"
variable before use
Reviewed-by: Tomer Fichman <Tomer.Fichman@cymotive.com>
Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
---
drivers/renesas/rcar/io/io_rcar.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/renesas/rcar/io/io_rcar.c b/drivers/renesas/rcar/io/io_rcar.c
index 884d9b1..fe968b6 100644
--- a/drivers/renesas/rcar/io/io_rcar.c
+++ b/drivers/renesas/rcar/io/io_rcar.c
@@ -420,16 +420,16 @@ static int32_t rcar_dev_init(io_dev_info_t *dev_info, const uintptr_t name)
}
rcar_image_number = header[0];
- for (i = 0; i < rcar_image_number + 2; i++) {
- rcar_image_header[i] = header[i * 2 + 1];
- rcar_image_header_prttn[i] = header[i * 2 + 2];
- }
-
if (rcar_image_number == 0 || rcar_image_number > RCAR_MAX_BL3X_IMAGE) {
WARN("Firmware Image Package header check failed.\n");
goto error;
}
+ for (i = 0; i < rcar_image_number + 2; i++) {
+ rcar_image_header[i] = header[i * 2 + 1];
+ rcar_image_header_prttn[i] = header[i * 2 + 2];
+ }
+
rc = io_seek(handle, IO_SEEK_SET, offset + RCAR_SECTOR6_CERT_OFFSET);
if (rc != IO_SUCCESS) {
WARN("Firmware Image Package header failed to seek cert\n");
--
2.33.0

BIN
arm-trusted-firmware-2.12.1.tar.gz Normal file
View File

Binary file not shown.

88
arm-trusted-firmware.spec
View File

@ -1,32 +1,15 @@
%global debug_package %{nil} %global debug_package %{nil}
Name: arm-trusted-firmware Name: arm-trusted-firmware
Version: 2.3 Version: 2.12.1
Release: 6 Release: 1
Summary: ARM Trusted Firmware Summary: ARM Trusted Firmware
License: BSD License: BSD-3-clause
URL: https://github.com/ARM-software/arm-trusted-firmware/wiki URL: https://github.com/ARM-software/arm-trusted-firmware/wiki
Source0: https://github.com/ARM-software/arm-trusted-firmware/archive/v%{version}.tar.gz Source0: https://github.com/ARM-software/arm-trusted-firmware/archive/lts-v%{version}/%{name}-%{version}.tar.gz
# https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=fd37982a19a4a291
Patch0000: CVE-2022-47630-1.patch
# https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=72460f50e2437a85
Patch0001: CVE-2022-47630-2.patch
# https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=f5c51855d36e399e
Patch0002: CVE-2022-47630-3.patch
# https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=abb8f936fd0ad085
Patch0003: CVE-2022-47630-4.patch
# https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=a7eff3477dcf3624
Patch0004: CVE-2023-49100.patch
# https://github.com/renesas-rcar/arm-trusted-firmware/commit/235f85b654a031f7647e81b86fc8e4ffeb430164
Patch0005: CVE-2024-6563.patch
Patch0006: CVE-2024-6564.patch
# https://github.com/renesas-rcar/arm-trusted-firmware/commit/6a96c18c474e6339fab93f54d52aa7dcc4b70e52
Patch0007: CVE-2024-6287-1.patch
# https://github.com/renesas-rcar/arm-trusted-firmware/commit/954d488a9798f8fda675c6b57c571b469b298f04
Patch0008: CVE-2024-6287-2.patch
Patch0009: CVE-2024-6285.patch
ExclusiveArch: aarch64 ExclusiveArch: aarch64
BuildRequires: dtc BuildRequires: dtc
BuildRequires: gcc openssl-devel
%description %description
Trusted Firmware-A is a reference implementation of secure world software Trusted Firmware-A is a reference implementation of secure world software
@ -39,13 +22,14 @@ ARM Trusted Firmware for various ARMv8-A SoCs.
%prep %prep
%autosetup -p1 -n %{name}-%{version} %autosetup -p1 -n %{name}-lts-v%{version}
sed -i 's/arm-none-eabi-/arm-linux-gnu-/' plat/rockchip/rk3399/drivers/m0/Makefile sed -i 's/arm-none-eabi-/arm-linux-gnu-/' plat/rockchip/rk3399/drivers/m0/Makefile
%build %build
export CC=gcc
for soc in hikey hikey960 imx8qm imx8qx juno rk3368 rk3328 rpi3 sun50i_a64 sun50i_h6 zynqmp for soc in hikey hikey960 imx8qm imx8qx juno rk3368 rk3328 rpi3 sun50i_a64 sun50i_h6 zynqmp
do do
make HOSTCC="gcc $RPM_OPT_FLAGS -fPIE -Wl,-z,relro,-z,now" CROSS_COMPILE="" PLAT=$(echo $soc) bl31 make HOSTCC="%{CC} $RPM_OPT_FLAGS -fPIE -Wl,-z,relro,-z,now" CROSS_COMPILE="" PLAT=$(echo $soc) bl31
done done
@ -79,17 +63,61 @@ strip %{buildroot}/%{_datadir}/%{name}/rk3368/bl31.elf
%{_datadir}/%{name} %{_datadir}/%{name}
%changelog %changelog
* Mon Dec 16 2024 wangkai <13474090681@163.com> - 2.3-6 * Thu Mar 20 2025 yaoxin <1024769339@qq.com> - 2.12.1-1
- Fix CVE-2024-6285 CVE-2024-6287 - Update to 2.12.1 for fix CVE-2024-7881 and CVE-2024-5660
* Tue Jul 09 2024 zhangxianting <zhangxianting@uniontech.com> - 2.3-5 * Wed Nov 27 2024 yaoxin <yao_xin001@hoperun.com> - 2.12.0-1
- Update to 2.12.0
- Bootloader Images:
* remove unused plat_try_next_boot_source
- Architecture:
*Branch Record Buffer Extension (FEAT_BRBE)
* allow RME builds with BRBE
- Arm:
* avoid stripping kernel trampoline
* add DRAM memory regions that linux kernel can share
* add optee specific mem-size attribute
* add secure uart interrupt in device region
* enable FEAT_MTE2
* fix the FF-A optee manifest by adding the boot info node
* update the memory size allocated to optee at EL1
- Intel:
* add cache invalidation during BL31 initialization
* add in JTAG ID for Linux FCS
* add in missing ECC register
* add in watchdog for QSPI driver
* bridge ack timing issue causing fpga config hung
* correct macro naming
* f2sdram bridge quick write thru failed
* fix bridge enable and disable function
* fix CCU for cache maintenance
* flush L1/L2/L3/Sys cache before HPS cold reset
* implement soc and lwsoc bridge control for burst speed
* refactor SDMMC driver for Altera products
* remove redundant BIT_32 macro
* software workaround for bridge timeout
* update Agilex5 BL2 init flow and other misc changes
* update Agilex5 warm reset subroutines
* update all the platforms hand-off data offset value
* update CCU configuration for Agilex5 platform
* update mailbox SDM printout message
* update memcpy to memcpy_s ([e264b55]
* update outdated code for Linux direct boot
* update preloaded_bl33_base for legacy product
* update sip smc config addr for agilex5
* update the size with addition 0x8000 0000 base
* Tue Oct 15 2024 yaoxin <yao_xin001@hoperun.com> - 2.9-4
- Fix CVE-2024-6287
* Tue Jul 09 2024 zhangxianting <zhangxianting@uniontech.com> - 2.9-3
- Fix CVE-2024-6563 CVE-2024-6564 - Fix CVE-2024-6563 CVE-2024-6564
* Tue Jan 23 2024 yaoxin <yao_xin001@hoperun.com> - 2.3-4 * Tue Jan 23 2024 yaoxin <yao_xin001@hoperun.com> - 2.9-2
- Fix CVE-2023-49100 - Fix CVE-2023-49100
* Fri Dec 01 2023 yaoxin <yao_xin001@hoperun.com> - 2.3-3 * Fri Jul 07 2023 xu_ping <707078654@qq.com> -2.9-1
- Fix CVE-2022-47630 - Upgrade to 2.9
* Wed Dec 07 2022 yaoxin <yaoxin30@h-partners.com> -2.3-2 * Wed Dec 07 2022 yaoxin <yaoxin30@h-partners.com> -2.3-2
- Add RELRO,PIE,BIND_NOW flags and fix not striped problem - Add RELRO,PIE,BIND_NOW flags and fix not striped problem

BIN
v2.3.tar.gz
View File

Binary file not shown.