From 8c2d6fefc81461b1388ee17dd7eaf07b965686a5 Mon Sep 17 00:00:00 2001 From: hezhongkun Date: Fri, 13 Dec 2024 10:21:28 +0800 Subject: [PATCH] Bugfix for CVE-2024-6563 CVE-2024-6287 fix CVE-2024-6563 CVE-2024-6287 Project: TC2024080204 Signed-off-by: Zhongkun He --- CVE-2024-6287-1.patch | 100 ++++++++++++++++++++++++++++++++++++++ CVE-2024-6287-2.patch | 41 ++++++++++++++++ CVE-2024-6563.patch | 34 +++++++++++++ arm-trusted-firmware.spec | 11 ++++- 4 files changed, 185 insertions(+), 1 deletion(-) create mode 100644 CVE-2024-6287-1.patch create mode 100644 CVE-2024-6287-2.patch create mode 100644 CVE-2024-6563.patch diff --git a/CVE-2024-6287-1.patch b/CVE-2024-6287-1.patch new file mode 100644 index 0000000..8d00e74 --- /dev/null +++ b/CVE-2024-6287-1.patch @@ -0,0 +1,100 @@ +From 6a96c18c474e6339fab93f54d52aa7dcc4b70e52 Mon Sep 17 00:00:00 2001 +From: Tobias Rist +Date: Thu, 16 Mar 2023 21:31:15 +0900 +Subject: [PATCH] rcar-gen3: plat: BL2: check loaded NS image area + +Check if next NS image invades a previous loaded image. +Correct non secure image area to avoid loading a NS image to secure + +Signed-off-by: Tobias Rist +Signed-off-by: Yoshifumi Hosoya +--- + drivers/renesas/common/io/io_rcar.c | 46 ++++++++++++++++++++++++-- + plat/renesas/common/include/rcar_def.h | 2 +- + 2 files changed, 45 insertions(+), 3 deletions(-) + +diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c +index 1459ba28b2..1a32430847 100644 +--- a/drivers/renesas/common/io/io_rcar.c ++++ b/drivers/renesas/common/io/io_rcar.c +@@ -84,6 +84,18 @@ typedef struct { + #define RCAR_COUNT_LOAD_BL33 (2U) + #define RCAR_COUNT_LOAD_BL33X (3U) + ++#define CHECK_IMAGE_AREA_CNT (5U) ++#define BOOT_BL2_ADDR (0xE6304000U) ++#define BOOT_BL2_LENGTH (0x19000U) ++ ++typedef struct { ++ uintptr_t dest; ++ uintptr_t length; ++} addr_loaded_t; ++ ++static addr_loaded_t addr_loaded[CHECK_IMAGE_AREA_CNT] = { [0] = {BOOT_BL2_ADDR, BOOT_BL2_LENGTH} }; ++static uint32_t addr_loaded_cnt = 1; ++ + static const plat_rcar_name_offset_t name_offset[] = { + {BL31_IMAGE_ID, 0U, RCAR_ATTR_SET_ALL(0, 0, 0)}, + +@@ -268,9 +280,9 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len) + uintptr_t prot_start, prot_end; + int32_t result = IO_SUCCESS; + +- dram_start = legacy ? DRAM1_BASE : DRAM_40BIT_BASE; ++ dram_start = legacy ? DRAM1_NS_BASE : DRAM_40BIT_BASE; + +- dram_end = legacy ? DRAM1_BASE + DRAM1_SIZE : ++ dram_end = legacy ? DRAM1_NS_BASE + DRAM1_NS_SIZE : + DRAM_40BIT_BASE + DRAM_40BIT_SIZE; + + prot_start = legacy ? DRAM_PROTECTED_BASE : DRAM_40BIT_PROTECTED_BASE; +@@ -298,6 +310,36 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len) + ERROR("BL2: Out of range : dst=0x%lx len=0x%lx\n", dst, len); + } + ++ if (addr_loaded_cnt >= CHECK_IMAGE_AREA_CNT) { ++ ERROR("BL2: max loadable non secure images reached\n"); ++ result = IO_FAIL; ++ } ++ addr_loaded[addr_loaded_cnt].dest = dst; ++ addr_loaded[addr_loaded_cnt].length = len; ++ for(int n=0; n addr_loaded[n].dest) && ++ (dst < addr_loaded[n].dest + addr_loaded[n].length)) || ++ (((dst < addr_loaded[n].dest) && ++ (dst + len)) > addr_loaded[n].dest)) { ++ ERROR("BL2: image is inside a previous image area.\n"); ++ result = IO_FAIL; ++ } ++ } ++ addr_loaded_cnt++; ++ + return result; + } + +diff --git a/plat/renesas/common/include/rcar_def.h b/plat/renesas/common/include/rcar_def.h +index 1b4527a9fc..38706a8373 100644 +--- a/plat/renesas/common/include/rcar_def.h ++++ b/plat/renesas/common/include/rcar_def.h +@@ -31,7 +31,7 @@ + #define DRAM_LIMIT ULL(0x0000010000000000) + #define DRAM1_BASE U(0x40000000) + #define DRAM1_SIZE U(0x80000000) +-#define DRAM1_NS_BASE (DRAM1_BASE + U(0x10000000)) ++#define DRAM1_NS_BASE (DRAM1_BASE + U(0x08000000)) + #define DRAM1_NS_SIZE (DRAM1_SIZE - DRAM1_NS_BASE) + #define DRAM_40BIT_BASE ULL(0x0400000000) + #define DRAM_40BIT_SIZE ULL(0x0400000000) diff --git a/CVE-2024-6287-2.patch b/CVE-2024-6287-2.patch new file mode 100644 index 0000000..d67279b --- /dev/null +++ b/CVE-2024-6287-2.patch @@ -0,0 +1,41 @@ +From 954d488a9798f8fda675c6b57c571b469b298f04 Mon Sep 17 00:00:00 2001 +From: Yoshifumi Hosoya +Date: Sun, 23 Apr 2023 21:11:15 +0900 +Subject: [PATCH] rcar-gen3: plat: BL2: fix Incorrect Address Range Calculation + +Check against all address overlap cases + +Reviewed-by: Tomer Fichman +Signed-off-by: Yoshifumi Hosoya +--- + drivers/renesas/common/io/io_rcar.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c +index 9b29a5be81..21ed411137 100644 +--- a/drivers/renesas/common/io/io_rcar.c ++++ b/drivers/renesas/common/io/io_rcar.c +@@ -335,13 +335,18 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len) + * 2. check: + * | IMAGE n | + * | IMAGE n+1 | ++ * 3. check: ++ * | IMAGE n | ++ * | IMAGE n+1 | + * + * */ +- if (((dst > addr_loaded[n].dest) && +- (dst < addr_loaded[n].dest + addr_loaded[n].length)) || +- (((dst < addr_loaded[n].dest) && +- (dst + len)) > addr_loaded[n].dest)) { +- ERROR("BL2: image is inside a previous image area.\n"); ++ if (((dst >= addr_loaded[n].dest) && ++ (dst <= addr_loaded[n].dest + addr_loaded[n].length)) || ++ ((dst + len >= addr_loaded[n].dest) && ++ (dst + len <= addr_loaded[n].dest + addr_loaded[n].length)) || ++ ((dst <= addr_loaded[n].dest) && ++ (dst + len >= addr_loaded[n].dest + addr_loaded[n].length))) { ++ ERROR("BL2: next image overlap a previous image area.\n"); + result = IO_FAIL; + } + } diff --git a/CVE-2024-6563.patch b/CVE-2024-6563.patch new file mode 100644 index 0000000..835f08b --- /dev/null +++ b/CVE-2024-6563.patch @@ -0,0 +1,34 @@ +From 235f85b654a031f7647e81b86fc8e4ffeb430164 Mon Sep 17 00:00:00 2001 +From: Yoshifumi Hosoya +Date: Sun, 23 Apr 2023 21:37:42 +0900 +Subject: [PATCH] rcar-gen3: plat: BL2: Enhanced buffer protection + +If the parameter check is an error, the function is terminated immediately. + +Reviewed-by: Ilay Levi +Signed-off-by: Yoshifumi Hosoya +--- + drivers/renesas/common/io/io_rcar.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c +index 45ef386..3ed5eaf 100644 +--- a/drivers/renesas/common/io/io_rcar.c ++++ b/drivers/renesas/common/io/io_rcar.c +@@ -286,11 +286,13 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len) + if (dst >= prot_start && dst < prot_end) { + ERROR("BL2: dst address is on the protected area.\n"); + result = IO_FAIL; ++ goto done; + } + + if (dst < prot_start && dst > prot_start - len) { + ERROR("BL2: loaded data is on the protected area.\n"); + result = IO_FAIL; ++ goto done; + } + done: + if (result == IO_FAIL) { +-- +2.33.0 + diff --git a/arm-trusted-firmware.spec b/arm-trusted-firmware.spec index 87b20c6..b359ea0 100644 --- a/arm-trusted-firmware.spec +++ b/arm-trusted-firmware.spec @@ -1,4 +1,4 @@ -%define anolis_release 3 +%define anolis_release 4 %global debug_package %{nil} @@ -17,6 +17,12 @@ Patch0002: CVE-2022-47630-1.patch Patch0003: CVE-2022-47630-2.patch # https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=f5c51855d36e399e Patch0004: CVE-2022-47630-3.patch +# https://github.com/renesas-rcar/arm-trusted-firmware/commit/235f85b654a031f7647e81b86fc8e4ffeb430164 +Patch0005: CVE-2024-6563.patch +# https://github.com/renesas-rcar/arm-trusted-firmware/commit/6a96c18c474e6339fab93f54d52aa7dcc4b70e52 +Patch0006: CVE-2024-6287-1.patch +# https://github.com/renesas-rcar/arm-trusted-firmware/commit/954d488a9798f8fda675c6b57c571b469b298f04 +Patch0007: CVE-2024-6287-2.patch ExclusiveArch: aarch64 BuildRequires: gcc dtc @@ -107,6 +113,9 @@ done %doc readme.rst %changelog +* Fri Dec 13 2024 Zhongkun He - 2.8-4 +- Fix CVE-2024-6563 CVE-2024-6287 + * Wed Dec 04 2024 Zhongkun He - 2.8-3 - Fix CVE-2022-47630 -- Gitee