!46 [sync] PR-45: Fix CVE-2024-6563 CVE-2024-6564

From: @openeuler-sync-bot 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen

CVE-2024-6563.patch

@@ -0,0 +1,33 @@
+From: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
+Date: Sun, 23 Apr 2023 21:37:42 +0900
+Subject: [PATCH] rcar-gen3: plat: BL2: Enhanced buffer protection
+
+If the parameter check is an error, the function is terminated immediately.
+
+Reviewed-by: Ilay Levi <Ilay.levi@cymotive.com>
+Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
+---
+ drivers/renesas/rcar/io/io_rcar.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/renesas/rcar/io/io_rcar.c b/drivers/renesas/rcar/io/io_rcar.c
+index b82c510..884d9b1 100644
+--- a/drivers/renesas/rcar/io/io_rcar.c
++++ b/drivers/renesas/rcar/io/io_rcar.c
+@@ -275,11 +275,13 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
+ 	if (dst >= prot_start && dst < prot_end) {
+ 		ERROR("BL2: dst address is on the protected area.\n");
+ 		result = IO_FAIL;
++		goto done;
+ 	}
+ 
+ 	if (dst < prot_start && dst > prot_start - len) {
+ 		ERROR("BL2: loaded data is on the protected area.\n");
+ 		result = IO_FAIL;
++		goto done;
+ 	}
+ done:
+ 	if (result == IO_FAIL)
+-- 
+2.33.0
+

CVE-2024-6564.patch

@@ -0,0 +1,41 @@
+From c9fb3558410032d2660c7f3b7d4b87dec09fe2f2 Mon Sep 17 00:00:00 2001
+From: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
+Date: Mon, 3 Jul 2023 16:58:11 +0900
+Subject: [PATCH] rcar-gen3: plat: BL2: Fix to check "rcar_image_number"
+ variable before use
+
+Reviewed-by: Tomer Fichman <Tomer.Fichman@cymotive.com>
+Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
+---
+ drivers/renesas/rcar/io/io_rcar.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/renesas/rcar/io/io_rcar.c b/drivers/renesas/rcar/io/io_rcar.c
+index 884d9b1..fe968b6 100644
+--- a/drivers/renesas/rcar/io/io_rcar.c
++++ b/drivers/renesas/rcar/io/io_rcar.c
+@@ -420,16 +420,16 @@ static int32_t rcar_dev_init(io_dev_info_t *dev_info, const uintptr_t name)
+ 	}
+ 
+ 	rcar_image_number = header[0];
+-	for (i = 0; i < rcar_image_number + 2; i++) {
+-		rcar_image_header[i] = header[i * 2 + 1];
+-		rcar_image_header_prttn[i] = header[i * 2 + 2];
+-	}
+-
+ 	if (rcar_image_number == 0 || rcar_image_number > RCAR_MAX_BL3X_IMAGE) {
+ 		WARN("Firmware Image Package header check failed.\n");
+ 		goto error;
+ 	}
+ 
++	for (i = 0; i < rcar_image_number + 2; i++) {
++		rcar_image_header[i] = header[i * 2 + 1];
++		rcar_image_header_prttn[i] = header[i * 2 + 2];
++	}
++
+ 	rc = io_seek(handle, IO_SEEK_SET, offset + RCAR_SECTOR6_CERT_OFFSET);
+ 	if (rc != IO_SUCCESS) {
+ 		WARN("Firmware Image Package header failed to seek cert\n");
+-- 
+2.33.0
+

arm-trusted-firmware.spec

@@ -2,7 +2,7 @@
 
 Name:          arm-trusted-firmware
 Version:       2.3
-Release:       4
+Release:       5
 Summary:       ARM Trusted Firmware
 License:       BSD
 URL:           https://github.com/ARM-software/arm-trusted-firmware/wiki
@@ -17,6 +17,9 @@ Patch0002:     CVE-2022-47630-3.patch
 Patch0003:     CVE-2022-47630-4.patch
 # https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=a7eff3477dcf3624
 Patch0004:     CVE-2023-49100.patch
+# https://github.com/renesas-rcar/arm-trusted-firmware/commit/235f85b654a031f7647e81b86fc8e4ffeb430164
+Patch0005:     CVE-2024-6563.patch
+Patch0006:     CVE-2024-6564.patch
 ExclusiveArch: aarch64
 BuildRequires: dtc
 
@@ -71,6 +74,9 @@ strip %{buildroot}/%{_datadir}/%{name}/rk3368/bl31.elf
 %{_datadir}/%{name}
 
 %changelog
+* Tue Jul 09 2024 zhangxianting <zhangxianting@uniontech.com> - 2.3-5
+- Fix CVE-2024-6563 CVE-2024-6564
+
 * Tue Jan 23 2024 yaoxin <yao_xin001@hoperun.com> - 2.3-4
 - Fix CVE-2023-49100