diff --git a/CVE-2023-49100.patch b/CVE-2023-49100.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0afed3b030641fe7c4aa954d41766ea67d111063
--- /dev/null
+++ b/CVE-2023-49100.patch
@@ -0,0 +1,37 @@
+From a7eff3477dcf3624c74f5217419b1a27b7ebd2aa Mon Sep 17 00:00:00 2001
+From: Manish Pandey
+Date: Thu, 26 Oct 2023 11:14:21 +0100
+Subject: fix(sdei): ensure that interrupt ID is valid
+
+As per SDEI spec (section 5.1.14.1), SDEI_INTERRUPT_BIND interface
+expects a valid PPI or SPI. SGI's are not allowed to be bounded.
+Current check in the code only checks for an SGI and returns invalid
+ID. This check is insufficient as it will not catch architecturally
+invalid interrupt IDs.
+
+Modify the check to ensure that interrupt is either PPI or SPI.
+
+Signed-off-by: Manish Pandey
+Change-Id: I52eb0a6d7f88a12f6816cff9b68fb3a7ca12cbb7
+---
+ services/std_svc/sdei/sdei_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/services/std_svc/sdei/sdei_main.c b/services/std_svc/sdei/sdei_main.c
+index 44178eddd3..0fd3c1d32c 100644
+--- a/services/std_svc/sdei/sdei_main.c
++++ b/services/std_svc/sdei/sdei_main.c
+@@ -710,8 +710,8 @@ static int sdei_interrupt_bind(unsigned int intr_num)
+ sdei_ev_map_t *map;
+ bool retry = true, shared_mapping;
+
+- /* SGIs are not allowed to be bound */
+- if (plat_ic_is_sgi(intr_num) != 0)
++ /* Interrupt must be either PPI or SPI */
++ if (!(plat_ic_is_ppi(intr_num) || plat_ic_is_spi(intr_num)))
+ return SDEI_EINVAL;
+
+ shared_mapping = (plat_ic_is_spi(intr_num) != 0);
+--
+cgit v1.2.3
+
diff --git a/CVE-2024-6563.patch b/CVE-2024-6563.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b4f522d524b76db3aadf52126d111a15df715a83
--- /dev/null
+++ b/CVE-2024-6563.patch
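Review bot: The allow-list added to `sdei_interrupt_bind()` in CVE-2023-49100.patch is only as strong as `plat_ic_is_ppi()` and `plat_ic_is_spi()`, and neither helper is touched by this backport, so it is worth confirming that the interrupt-controller drivers in the 2.8 tree check both ends of the ID range rather than only a lower limit. The commit message states the goal is to reject architecturally invalid IDs, which the old SGI-only test let through. As a smaller style point, the new condition uses the helpers' results directly as booleans while the neighbouring `shared_mapping = (plat_ic_is_spi(intr_num) != 0);` compares explicitly; `if ((plat_ic_is_ppi(intr_num) == 0) && (plat_ic_is_spi(intr_num) == 0))` would match that convention. The function body continues outside the embedded hunk.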
@@ -0,0 +1,33 @@
+From: Yoshifumi Hosoya
+Date: Sun, 23 Apr 2023 21:37:42 +0900
+Subject: [PATCH] rcar-gen3: plat: BL2: Enhanced buffer protection
+
+If the parameter check is an error, the function is terminated immediately.
+
+Reviewed-by: Ilay Levi
+Signed-off-by: Yoshifumi Hosoya
+---
+ drivers/renesas/rcar/io/io_rcar.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/renesas/rcar/io/io_rcar.c b/drivers/renesas/rcar/io/io_rcar.c
+index b82c510..884d9b1 100644
+--- a/drivers/renesas/rcar/io/io_rcar.c
++++ b/drivers/renesas/rcar/io/io_rcar.c
+@@ -275,11 +275,13 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
+ if (dst >= prot_start && dst < prot_end) {
+ ERROR("BL2: dst address is on the protected area.\n");
+ result = IO_FAIL;
++ goto done;
+ }
+
+ if (dst < prot_start && dst > prot_start - len) {
+ ERROR("BL2: loaded data is on the protected area.\n");
+ result = IO_FAIL;
++ goto done;
+ }
+ done:
+ if (result == IO_FAIL)
+--
+2.33.0
+
diff --git a/arm-trusted-firmware.spec b/arm-trusted-firmware.spec
index 50436f28fa01b40d016601c6f96f2f014e9efb07..3949b3fd77dcae36fd9746bf38dffc364f866a3c 100644
--- a/arm-trusted-firmware.spec
+++ b/arm-trusted-firmware.spec
@@ -1,4 +1,4 @@
-%define anolis_release 2
+%define anolis_release 3
 %global debug_package %{nil}
@@ -11,7 +11,9 @@ URL: https://github.com/ARM-software/arm-trusted-firmware
 Source0: https://github.com/ARM-software/arm-trusted-firmware/archive/refs/tags/v%{version}.tar.gz
 Source1: aarch64-bl31
 Patch0001: 0001-atf-2.8-fix-linking.patch
-
+Patch0002: CVE-2023-49100.patch
+Patch0003: CVE-2024-6563.patch
+
 ExclusiveArch: aarch64
 BuildRequires: gcc dtc
@@ -47,6 +49,9 @@ The arm-trusted-firmware-armv8-doc package contains documentation files for arm-
 %autosetup -n %{name}-%{version} -p1
 cp %SOURCE1 .
 sed -i 's/arm-none-eabi-/arm-linux-gnu-/' plat/rockchip/rk3399/drivers/m0/Makefile
+%patch0001 -p1
+%patch0002 -p1
+%patch0003 -p1
 %build
 %undefine _auto_set_build_flags
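Review bot: In the embedded `check_load_area()` hunk of CVE-2024-6563.patch, the second test `dst > prot_start - len` subtracts on `uintptr_t`, so a `len` larger than `prot_start` wraps and the comparison comes out false for a load that does reach the protected area. The added `goto done;` lines do not change that; writing the test as `if (dst < prot_start && len > prot_start - dst) {` keeps the same meaning without a wrap, because `dst < prot_start` is evaluated first. The function starts above the hunk, so an earlier bound on `len` may already rule this out, which is worth confirming in the 2.8 tree. Separately, unlike CVE-2023-49100.patch this file carries no upstream commit hash, so a header line recording where it came from would make the backport auditable.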
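Review bot: The three added `%patch000N -p1` lines in the spec's `@@ -47,6 +49,9 @@` hunk follow `%autosetup -n %{name}-%{version} -p1`, which already applies every declared `PatchN` unless `-N` is passed, so each patch appears to be applied twice and the second pass should fail or be rejected as already applied. Either drop the three `%patch` lines and let `%autosetup` handle Patch0001 through Patch0003, or use `%autosetup -N -n %{name}-%{version}` and keep the explicit applications. Newer rpm releases also deprecate the `%patchN` spelling in favour of `%patch -P N`. Whichever form is kept, the %prep part of the build log should show both CVE patches applied exactly once, since a patch that silently did not land leaves the package advertising a fix it does not contain.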
@@ -101,6 +106,9 @@ done
 %doc readme.rst
 %changelog
+* Fri Nov 08 2024 Zhongkun He - 2.8-3
+- fix CVE-2023-49100 CVE-2024-6563
+
 * Mon Apr 17 2023 yuanhui - 2.8-2
 - Fix the bug for sun50i_a64 not found error