diff --git a/CVE-2022-47630-1.patch b/CVE-2022-47630-1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1efce78d14a57da6d55e47b3c40aee8c9027c71d
--- /dev/null
+++ b/CVE-2022-47630-1.patch
@@ -0,0 +1,50 @@
+From fd37982a19a4a2911912ce321b9468993a0919ad Mon Sep 17 00:00:00 2001
+From: Demi Marie Obenour
+Date: Thu, 8 Dec 2022 15:23:56 -0500
+Subject: fix(auth): forbid junk after extensions
+
+The extensions must use all remaining bytes in the TBSCertificate.
+
+Change-Id: Idf48f7168e146d050ba62dbc732638946fcd6c92
+Signed-off-by: Demi Marie Obenour
+---
+ drivers/auth/mbedtls/mbedtls_x509_parser.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/auth/mbedtls/mbedtls_x509_parser.c b/drivers/auth/mbedtls/mbedtls_x509_parser.c
+index 49bc008ed1..8c78003bb2 100644
+--- a/drivers/auth/mbedtls/mbedtls_x509_parser.c
++++ b/drivers/auth/mbedtls/mbedtls_x509_parser.c
+@@ -304,24 +304,26 @@ static int cert_parse(void *img, unsigned int img_len)
+ 
+ /*
+ * extensions [3] EXPLICIT Extensions OPTIONAL
++ * -- must use all remaining bytes in TBSCertificate
+ */
+ ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+ MBEDTLS_ASN1_CONSTRUCTED | 3);
+- if (ret != 0) {
++ if ((ret != 0) || (len != (size_t)(end - p))) {
+ return IMG_PARSER_ERR_FORMAT;
+ }
+ 
+ /*
+ * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
++ * -- must use all remaining bytes in TBSCertificate
+ */
+ v3_ext.p = p;
+ ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE);
+- if (ret != 0) {
++ if ((ret != 0) || (len != (size_t)(end - p))) {
+ return IMG_PARSER_ERR_FORMAT;
+ }
+- v3_ext.len = (p + len) - v3_ext.p;
++ v3_ext.len = end - v3_ext.p;
+ 
+ /*
+ * Check extensions integrity
+--
+cgit v1.2.3
+
diff --git a/CVE-2022-47630-2.patch b/CVE-2022-47630-2.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4a2a118bcff0e2aa8786b3693975a7d607e41292
--- /dev/null
+++ b/CVE-2022-47630-2.patch 
@@ -0,0 +1,73 @@
+From 72460f50e2437a85ce5229c430931aab8f4a0d5b Mon Sep 17 00:00:00 2001
+From: Demi Marie Obenour
+Date: Thu, 8 Dec 2022 15:23:58 -0500
+Subject: fix(auth): require at least one extension to be present
+
+X.509 and RFC5280 allow omitting the extensions entirely, but require
+that if the extensions field is present at all, it must contain at least
+one certificate. TF-A already requires the extensions to be present,
+but allows them to be empty. However, a certificate with an empty
+extensions field will always fail later on, as the extensions contain
+the information needed to validate the next stage in the boot chain.
+Therefore, it is simpler to require the extension field to be present
+and contain at least one extension. Also add a comment explaining why
+the extensions field is required, even though it is OPTIONAL in the
+ASN.1 syntax.
+
+Change-Id: Ie26eed8a7924bf50937a6b27ccdf7cc9a390588d
+Signed-off-by: Demi Marie Obenour
+---
+ drivers/auth/mbedtls/mbedtls_x509_parser.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/auth/mbedtls/mbedtls_x509_parser.c b/drivers/auth/mbedtls/mbedtls_x509_parser.c
+index 8c78003bb2..9cccd964d4 100644
+--- a/drivers/auth/mbedtls/mbedtls_x509_parser.c
++++ b/drivers/auth/mbedtls/mbedtls_x509_parser.c
+@@ -304,7 +304,18 @@ static int cert_parse(void *img, unsigned int img_len)
+ 
+ /*
+ * extensions [3] EXPLICIT Extensions OPTIONAL
+- * -- must use all remaining bytes in TBSCertificate
++ * }
++ *
++ * X.509 and RFC5280 allow omitting the extensions entirely.
++ * However, in TF-A, a certificate with no extensions would
++ * always fail later on, as the extensions contain the
++ * information needed to authenticate the next stage in the
++ * boot chain. Furthermore, get_ext() assumes that the
++ * extensions have been parsed into v3_ext, and allowing
++ * there to be no extensions would pointlessly complicate
++ * the code. Therefore, just reject certificates without
++ * extensions. This is also why version 1 and 2 certificates
++ * are rejected above.
+ */
+ ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+@@ -326,9 +337,12 @@ static int cert_parse(void *img, unsigned int img_len)
+ v3_ext.len = end - v3_ext.p;
+ 
+ /*
+- * Check extensions integrity
++ * Check extensions integrity. At least one extension is
++ * required: the ASN.1 specifies a minimum size of 1, and at
++ * least one extension is needed to authenticate the next stage
++ * in the boot chain.
+ */
+- while (p < end) {
++ do {
+ ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE);
+@@ -356,7 +370,7 @@ static int cert_parse(void *img, unsigned int img_len)
+ return IMG_PARSER_ERR_FORMAT;
+ }
+ p += len;
+- }
++ } while (p < end);
+ 
+ if (p != end) {
+ return IMG_PARSER_ERR_FORMAT;
+--
+cgit v1.2.3
+
diff --git a/CVE-2022-47630-3.patch b/CVE-2022-47630-3.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f79c23d507179a814df61e625955b4e1caf7a5eb
--- /dev/null
+++ b/CVE-2022-47630-3.patch
@@ -0,0 +1,84 @@
+From f5c51855d36e399e6e22cc1eb94f6b58e51b3b6d Mon Sep 17 00:00:00 2001
+From: Demi Marie Obenour
+Date: Fri, 9 Dec 2022 17:19:08 -0500
+Subject: fix(auth): properly validate X.509 extensions
+
+get_ext() does not check the return value of the various mbedtls_*
+functions, as cert_parse() is assumed to have guaranteed that they will
+always succeed. However, it passes the end of an extension as the end
+pointer to these functions, whereas cert_parse() passes the end of the
+TBSCertificate. Furthermore, cert_parse() does *not* check that the
+contents of the extension have the same length as the extension itself.
+Before fd37982a19a4a291 ("fix(auth): forbid junk after extensions"),
+cert_parse() also does not check that the extension block extends to the
+end of the TBSCertificate.
+
+This is a problem, as mbedtls_asn1_get_tag() leaves *p and *len
+undefined on failure. In practice, this results in get_ext() continuing
+to parse at different offsets than were used (and validated) by
+cert_parse(), which means that the in-bounds guarantee provided by
+cert_parse() no longer holds.
+
+This patch fixes the remaining flaw by enforcing that the contents of an
+extension are the same length as the extension itself.
+
+Change-Id: Id4570f911402e34d5d6c799ae01a01f184c68d7c
+Signed-off-by: Demi Marie Obenour
+Signed-off-by: Sandrine Bailleux
+---
+ drivers/auth/mbedtls/mbedtls_x509_parser.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/auth/mbedtls/mbedtls_x509_parser.c b/drivers/auth/mbedtls/mbedtls_x509_parser.c
+index 44b25ba72b..bef2f3d0a6 100644
+--- a/drivers/auth/mbedtls/mbedtls_x509_parser.c
++++ b/drivers/auth/mbedtls/mbedtls_x509_parser.c
+@@ -355,33 +355,39 @@ static int cert_parse(void *img, unsigned int img_len)
+ * in the boot chain.
+ */
+ do {
++ unsigned char *end_ext_data;
++
+ ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE);
+ if (ret != 0) {
+ return IMG_PARSER_ERR_FORMAT;
+ }
++ end_ext_data = p + len;
+ 
+ /* Get extension ID */
+- ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID);
++ ret = mbedtls_asn1_get_tag(&p, end_ext_data, &len, MBEDTLS_ASN1_OID);
+ if (ret != 0) {
+ return IMG_PARSER_ERR_FORMAT;
+ }
+ p += len;
+ 
+ /* Get optional critical */
+- ret = mbedtls_asn1_get_bool(&p, end, &is_critical);
++ ret = mbedtls_asn1_get_bool(&p, end_ext_data, &is_critical);
+ if ((ret != 0) && (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) {
+ return IMG_PARSER_ERR_FORMAT;
+ }
+ 
+- /* Data should be octet string type */
+- ret = mbedtls_asn1_get_tag(&p, end, &len,
++ /*
++ * Data should be octet string type and must use all bytes in
++ * the Extension.
++ */
++ ret = mbedtls_asn1_get_tag(&p, end_ext_data, &len,
+ MBEDTLS_ASN1_OCTET_STRING);
+- if (ret != 0) {
++ if ((ret != 0) || ((p + len) != end_ext_data)) {
+ return IMG_PARSER_ERR_FORMAT;
+ }
+- p += len;
++ p = end_ext_data;
+ } while (p < end);
+ 
+ if (p != end) {
+--
+cgit v1.2.3
+
diff --git a/aarch64-bl31 b/aarch64-bl31
index 568b9ecba179f7f0f2b59087846576a367a9db0a..76233643bb1899b4761a22d67a8537e0926f83c6 100644
--- a/aarch64-bl31
+++ b/aarch64-bl31
@@ -3,6 +3,8 @@ hikey960
 imx8qm
 imx8qx
 juno
+rk3368
+rk3328
 rpi3
 sun50i_a64
 sun50i_h6
diff --git a/arm-trusted-firmware.spec b/arm-trusted-firmware.spec
index 50436f28fa01b40d016601c6f96f2f014e9efb07..14329a263156c296968bb1eb951f2186a1d5ceae 100644
--- a/arm-trusted-firmware.spec
+++ b/arm-trusted-firmware.spec
@@ -1,4 +1,4 @@
-%define anolis_release 2
+%define anolis_release 3
 %global debug_package %{nil}
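Review bot: CVE-2022-47630-3.patch does not chain onto CVE-2022-47630-2.patch: its embedded header reads `index 44b25ba72b..bef2f3d0a6`, while the second patch leaves mbedtls_x509_parser.c at `9cccd964d4`, and its hunk `@@ -355,33 +355,39 @@` places the `do {` loop about a dozen lines lower than where the second patch's `@@ -326,9 +337,12 @@` hunk puts it. That strongly suggests one or more upstream commits between the two are not carried here; the third patch may still apply with an offset, but it should be confirmed to apply without fuzz on v2.8 with the first two patches in place, and whether the skipped upstream commits belong to the same CVE-2022-47630 series should be checked against the advisory rather than assumed. The third patch's own message calls itself the fix for "the remaining flaw", so the series as packaged looks incomplete if any of those intermediate commits is security-relevant. The function cert_parse() in the embedded hunks starts and ends outside the quoted context.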
@@ -11,6 +11,12 @@ URL: https://github.com/ARM-software/arm-trusted-firmware
 Source0: https://github.com/ARM-software/arm-trusted-firmware/archive/refs/tags/v%{version}.tar.gz
 Source1: aarch64-bl31
 Patch0001: 0001-atf-2.8-fix-linking.patch
+# https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=fd37982a19a4a291
+Patch0002: CVE-2022-47630-1.patch
+# https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=72460f50e2437a85
+Patch0003: CVE-2022-47630-2.patch
+# https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=f5c51855d36e399e
+Patch0004: CVE-2022-47630-3.patch
 ExclusiveArch: aarch64
 BuildRequires: gcc dtc
@@ -101,6 +107,9 @@ done
 %doc readme.rst
 %changelog
+* Mon Dec 09 2024 Zhongkun He - 2.8-3
+- Fix CVE-2022-47630
+
 * Mon Apr 17 2023 yuanhui - 2.8-2
 - Fix the bug for sun50i_a64 not found error
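Review bot: The hunk declares `Patch0002`–`Patch0004` but the `%prep` section is outside both hunks, so it is not visible here whether the new patches are actually applied (an `%autosetup -p1` or explicit `%patch` lines for 0002–0004); if `%prep` still applies only Patch0001 by hand, the CVE fix is declared but never built in, and a build log check that the three files are applied would settle it. Separately, the `%changelog` entry `- Fix CVE-2022-47630` is the only line for 2.8-3, yet the same commit also adds `rk3368` and `rk3328` to aarch64-bl31, which appears to drive the set of platforms built; a second line such as `- Add rk3368 and rk3328 to aarch64-bl31` would keep the changelog matching the change. The entry also omits the packager's e-mail in the `* Mon Dec 09 2024 Zhongkun He - 2.8-3` line, unless it was stripped during extraction.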