!60 [sync] PR-59: Fix CVE-2024-6285 CVE-2024-6287

From: @openeuler-sync-bot Reviewed-by: @cherry530 Signed-off-by: @cherry530
2024-12-17 02:22:55 +00:00 · 2024-12-17 02:22:55 +00:00 · 7cd08467ae
commit 7cd08467ae
parent ff8b077cd5 21ec20dcfd
4 changed files with 200 additions and 1 deletions
--- a/CVE-2024-6285.patch
+++ b/CVE-2024-6285.patch
@ -0,0 +1,47 @@
+From 9778b270e29bac3e16f57f9557098c45858c05de Mon Sep 17 00:00:00 2001
+From: Tobias Rist <tobias.rist@joynext.com>
+Date: Tue, 7 Mar 2023 09:40:37 +0100
+Subject: [PATCH] fix(rcar3-drivers): check for length underflow
+
+Origin: https://github.com/ARM-software/arm-trusted-firmware/commit/9778b270e29bac3e16f57f9557098c45858c05de
+https://github.com/renesas-rcar/arm-trusted-firmware/commit/b596f580637bae919b0ac3a5471422a1f756db3b
+
+Make sure the length of the payload is not longer than the
+DRAM size in check_load_area(), and make sure the payload
+end does not cross protected area start.
+
+Signed-off-by: Tobias Rist <tobias.rist@joynext.com>
+Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
+Change-Id: I4d687be577a138352be9f92e5b0b6f596ffffba9
+---
+ drivers/renesas/rcar/io/io_rcar.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/renesas/rcar/io/io_rcar.c b/drivers/renesas/rcar/io/io_rcar.c
+index c169923..603fefd 100644
+--- a/drivers/renesas/rcar/io/io_rcar.c
+++ b/drivers/renesas/rcar/io/io_rcar.c
+@@ -288,7 +288,7 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
+ 
+ 	prot_end = prot_start + DRAM_PROTECTED_SIZE;
+ 
+-	if (dst < dram_start || dst > dram_end - len) {
+	if (dst < dram_start || len > dram_end || dst > dram_end - len) {
+ 		ERROR("BL2: dst address is on the protected area.\n");
+ 		result = IO_FAIL;
+ 		goto done;
+@@ -301,8 +301,9 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
+ 		goto done;
+ 	}
+ 
+-	if (dst < prot_start && dst > prot_start - len) {
+-		ERROR("BL2: loaded data is on the protected area.\n");
+	if (len > prot_start || (dst < prot_start && dst > prot_start - len)) {
+		ERROR("BL2: %s[%d] loaded data is on the protected area.\n",
+			__func__, __LINE__);
+ 		result = IO_FAIL;
+ 		goto done;
+ 	}
+-- 
+2.33.0
+
--- a/CVE-2024-6287-1.patch
+++ b/CVE-2024-6287-1.patch
@ -0,0 +1,103 @@
+From 6a96c18c474e6339fab93f54d52aa7dcc4b70e52 Mon Sep 17 00:00:00 2001
+From: Tobias Rist <tobias.rist@joynext.com>
+Date: Thu, 16 Mar 2023 21:31:15 +0900
+Subject: [PATCH] rcar-gen3: plat: BL2: check loaded NS image area
+
+Check if next NS image invades a previous loaded image.
+Correct non secure image area to avoid loading a NS image to secure
+
+Signed-off-by: Tobias Rist <tobias.rist@joynext.com>
+Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
+---
+ drivers/renesas/rcar/io/io_rcar.c    | 46 ++++++++++++++++++++++++++--
+ plat/renesas/rcar/include/rcar_def.h |  2 +-
+ 2 files changed, 45 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/renesas/rcar/io/io_rcar.c b/drivers/renesas/rcar/io/io_rcar.c
+index fe968b6..dc1b786 100644
+--- a/drivers/renesas/rcar/io/io_rcar.c
+++ b/drivers/renesas/rcar/io/io_rcar.c
+@@ -84,6 +84,18 @@ typedef struct {
+ #define RCAR_COUNT_LOAD_BL33		(2U)
+ #define RCAR_COUNT_LOAD_BL33X		(3U)
+ 
+#define CHECK_IMAGE_AREA_CNT (5U)
+#define BOOT_BL2_ADDR (0xE6304000U)
+#define BOOT_BL2_LENGTH (0x19000U)
+
+typedef struct {
+	uintptr_t dest;
+	uintptr_t length;
+} addr_loaded_t;
+
+static addr_loaded_t addr_loaded[CHECK_IMAGE_AREA_CNT] = { [0] = {BOOT_BL2_ADDR, BOOT_BL2_LENGTH} };
+static uint32_t addr_loaded_cnt = 1;
+
+ static const plat_rcar_name_offset_t name_offset[] = {
+ 	{BL31_IMAGE_ID, 0U, RCAR_ATTR_SET_ALL(0, 0, 0)},
+ 
+@@ -256,9 +268,9 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
+ 	uintptr_t prot_start, prot_end;
+ 	int32_t result = IO_SUCCESS;
+ 
+-	dram_start = legacy ? DRAM1_BASE : DRAM_40BIT_BASE;
+	dram_start = legacy ? DRAM1_NS_BASE : DRAM_40BIT_BASE;
+ 
+-	dram_end = legacy ? DRAM1_BASE + DRAM1_SIZE :
+	dram_end = legacy ? DRAM1_NS_BASE + DRAM1_NS_SIZE :
+ 	    DRAM_40BIT_BASE + DRAM_40BIT_SIZE;
+ 
+ 	prot_start = legacy ? DRAM_PROTECTED_BASE : DRAM_40BIT_PROTECTED_BASE;
+@@ -287,6 +299,36 @@ done:
+ 	if (result == IO_FAIL)
+ 		ERROR("BL2: Out of range : dst=0x%lx len=0x%lx\n", dst, len);
+ 
+	if (addr_loaded_cnt >= CHECK_IMAGE_AREA_CNT) {
+		ERROR("BL2: max loadable non secure images reached\n");
+		result = IO_FAIL;
+	}
+	addr_loaded[addr_loaded_cnt].dest = dst;
+	addr_loaded[addr_loaded_cnt].length = len;
+	for(int n=0; n<addr_loaded_cnt; n++) {
+		/* Check if next image invades a previous loaded image
+		 *
+		 * IMAGE n: area from previous image:	dest| IMAGE n |length
+		 * IMAGE n+1: area from next image:	dst | IMAGE n |len
+		 *
+		 * 1. check:
+		 *      | IMAGE n |
+		 *           | IMAGE n+1 |
+		 * 2. check:
+		 *      | IMAGE n |
+		 *  | IMAGE n+1 |
+		 *
+		 * */
+		if (((dst > addr_loaded[n].dest) &&
+		     (dst <  addr_loaded[n].dest + addr_loaded[n].length)) ||
+		    (((dst < addr_loaded[n].dest) &&
+		      (dst + len)) > addr_loaded[n].dest)) {
+			ERROR("BL2: image is inside a previous image area.\n");
+			result = IO_FAIL;
+		}
+	}
+	addr_loaded_cnt++;
+
+ 	return result;
+ }
+ 
+diff --git a/plat/renesas/rcar/include/rcar_def.h b/plat/renesas/rcar/include/rcar_def.h
+index 0ffbfe9..a41a994 100644
+--- a/plat/renesas/rcar/include/rcar_def.h
+++ b/plat/renesas/rcar/include/rcar_def.h
+@@ -31,7 +31,7 @@
+ #define DRAM_LIMIT			ULL(0x0000010000000000)
+ #define DRAM1_BASE			U(0x40000000)
+ #define DRAM1_SIZE			U(0x80000000)
+-#define DRAM1_NS_BASE			(DRAM1_BASE + U(0x10000000))
+#define DRAM1_NS_BASE			(DRAM1_BASE + U(0x08000000))
+ #define DRAM1_NS_SIZE			(DRAM1_SIZE - DRAM1_NS_BASE)
+ #define	DRAM_40BIT_BASE			ULL(0x0400000000)
+ #define	DRAM_40BIT_SIZE			ULL(0x0400000000)
+-- 
+2.33.0
+
--- a/CVE-2024-6287-2.patch
+++ b/CVE-2024-6287-2.patch
@ -0,0 +1,41 @@
+From 954d488a9798f8fda675c6b57c571b469b298f04 Mon Sep 17 00:00:00 2001
+From: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
+Date: Sun, 23 Apr 2023 21:11:15 +0900
+Subject: [PATCH] rcar-gen3: plat: BL2: fix Incorrect Address Range Calculation
+
+Check against all address overlap cases
+
+Reviewed-by: Tomer Fichman <Tomer.Fichman@cymotive.com>
+Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
+---
+ drivers/renesas/rcar/io/io_rcar.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/renesas/rcar/io/io_rcar.c b/drivers/renesas/rcar/io/io_rcar.c
+index 9b29a5be81..21ed411137 100644
+--- a/drivers/renesas/rcar/io/io_rcar.c
+++ b/drivers/renesas/rcar/io/io_rcar.c
+@@ -335,13 +335,18 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
+ 		 * 2. check:
+ 		 *      | IMAGE n |
+ 		 *  | IMAGE n+1 |
+		 * 3. check:
+		 *      | IMAGE n |
+		 *  |    IMAGE n+1    |
+ 		 *
+ 		 * */
+-		if (((dst > addr_loaded[n].dest) &&
+-		     (dst <  addr_loaded[n].dest + addr_loaded[n].length)) ||
+-		    (((dst < addr_loaded[n].dest) &&
+-		      (dst + len)) > addr_loaded[n].dest)) {
+-			ERROR("BL2: image is inside a previous image area.\n");
+		if (((dst >= addr_loaded[n].dest) &&
+		     (dst <=  addr_loaded[n].dest + addr_loaded[n].length)) ||
+		    ((dst + len >= addr_loaded[n].dest) &&
+		     (dst + len <= addr_loaded[n].dest + addr_loaded[n].length)) ||
+		    ((dst <= addr_loaded[n].dest) &&
+		     (dst + len >= addr_loaded[n].dest + addr_loaded[n].length))) {
+			ERROR("BL2: next image overlap a previous image area.\n");
+ 			result = IO_FAIL;
+ 		}
+ 	}
--- a/arm-trusted-firmware.spec
+++ b/arm-trusted-firmware.spec
@ -2,7 +2,7 @@

 Name:          arm-trusted-firmware
 Version:       2.3
-Release:       5
+Release:       6
 Summary:       ARM Trusted Firmware
 License:       BSD
 URL:           https://github.com/ARM-software/arm-trusted-firmware/wiki
@ -20,6 +20,11 @@ Patch0004:     CVE-2023-49100.patch
 # https://github.com/renesas-rcar/arm-trusted-firmware/commit/235f85b654a031f7647e81b86fc8e4ffeb430164
 Patch0005:     CVE-2024-6563.patch
 Patch0006:     CVE-2024-6564.patch
+# https://github.com/renesas-rcar/arm-trusted-firmware/commit/6a96c18c474e6339fab93f54d52aa7dcc4b70e52
+Patch0007:     CVE-2024-6287-1.patch
+# https://github.com/renesas-rcar/arm-trusted-firmware/commit/954d488a9798f8fda675c6b57c571b469b298f04
+Patch0008:     CVE-2024-6287-2.patch
+Patch0009:     CVE-2024-6285.patch
 ExclusiveArch: aarch64
 BuildRequires: dtc

@ -74,6 +79,9 @@ strip %{buildroot}/%{_datadir}/%{name}/rk3368/bl31.elf
 %{_datadir}/%{name}

 %changelog
+* Mon Dec 16 2024 wangkai <13474090681@163.com> - 2.3-6
+- Fix CVE-2024-6285 CVE-2024-6287
+
 * Tue Jul 09 2024 zhangxianting <zhangxianting@uniontech.com> - 2.3-5
 - Fix CVE-2024-6563 CVE-2024-6564