diff --git a/CVE-2024-6563.patch b/CVE-2024-6563.patch new file mode 100644 index 0000000000000000000000000000000000000000..b4f522d524b76db3aadf52126d111a15df715a83 --- /dev/null +++ b/CVE-2024-6563.patch @@ -0,0 +1,33 @@ +From: Yoshifumi Hosoya +Date: Sun, 23 Apr 2023 21:37:42 +0900 +Subject: [PATCH] rcar-gen3: plat: BL2: Enhanced buffer protection + +If the parameter check is an error, the function is terminated immediately. + +Reviewed-by: Ilay Levi +Signed-off-by: Yoshifumi Hosoya +--- + drivers/renesas/rcar/io/io_rcar.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/renesas/rcar/io/io_rcar.c b/drivers/renesas/rcar/io/io_rcar.c +index b82c510..884d9b1 100644 +--- a/drivers/renesas/rcar/io/io_rcar.c ++++ b/drivers/renesas/rcar/io/io_rcar.c +@@ -275,11 +275,13 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len) + if (dst >= prot_start && dst < prot_end) { + ERROR("BL2: dst address is on the protected area.\n"); + result = IO_FAIL; ++ goto done; + } + + if (dst < prot_start && dst > prot_start - len) { + ERROR("BL2: loaded data is on the protected area.\n"); + result = IO_FAIL; ++ goto done; + } + done: + if (result == IO_FAIL) +-- +2.33.0 + diff --git a/CVE-2024-6564.patch b/CVE-2024-6564.patch new file mode 100644 index 0000000000000000000000000000000000000000..bb921e2d7151052cf60d220f256fcd0411ec722a --- /dev/null +++ b/CVE-2024-6564.patch @@ -0,0 +1,41 @@ +From c9fb3558410032d2660c7f3b7d4b87dec09fe2f2 Mon Sep 17 00:00:00 2001 +From: Yoshifumi Hosoya +Date: Mon, 3 Jul 2023 16:58:11 +0900 +Subject: [PATCH] rcar-gen3: plat: BL2: Fix to check "rcar_image_number" + variable before use + +Reviewed-by: Tomer Fichman +Signed-off-by: Yoshifumi Hosoya +--- + drivers/renesas/rcar/io/io_rcar.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/renesas/rcar/io/io_rcar.c b/drivers/renesas/rcar/io/io_rcar.c +index 884d9b1..fe968b6 100644 +--- a/drivers/renesas/rcar/io/io_rcar.c ++++ b/drivers/renesas/rcar/io/io_rcar.c +@@ -420,16 +420,16 @@ static int32_t rcar_dev_init(io_dev_info_t *dev_info, const uintptr_t name) + } + + rcar_image_number = header[0]; +- for (i = 0; i < rcar_image_number + 2; i++) { +- rcar_image_header[i] = header[i * 2 + 1]; +- rcar_image_header_prttn[i] = header[i * 2 + 2]; +- } +- + if (rcar_image_number == 0 || rcar_image_number > RCAR_MAX_BL3X_IMAGE) { + WARN("Firmware Image Package header check failed.\n"); + goto error; + } + ++ for (i = 0; i < rcar_image_number + 2; i++) { ++ rcar_image_header[i] = header[i * 2 + 1]; ++ rcar_image_header_prttn[i] = header[i * 2 + 2]; ++ } ++ + rc = io_seek(handle, IO_SEEK_SET, offset + RCAR_SECTOR6_CERT_OFFSET); + if (rc != IO_SUCCESS) { + WARN("Firmware Image Package header failed to seek cert\n"); +-- +2.33.0 + diff --git a/arm-trusted-firmware.spec b/arm-trusted-firmware.spec index 77bc94b328db99b993c672241750c54244f1066a..1de5c90c3f393d7e35148a03758d15fae8ee638d 100644 --- a/arm-trusted-firmware.spec +++ b/arm-trusted-firmware.spec @@ -2,7 +2,7 @@ Name: arm-trusted-firmware Version: 2.3 -Release: 4 +Release: 5 Summary: ARM Trusted Firmware License: BSD URL: https://github.com/ARM-software/arm-trusted-firmware/wiki @@ -17,6 +17,9 @@ Patch0002: CVE-2022-47630-3.patch Patch0003: CVE-2022-47630-4.patch # https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=a7eff3477dcf3624 Patch0004: CVE-2023-49100.patch +# https://github.com/renesas-rcar/arm-trusted-firmware/commit/235f85b654a031f7647e81b86fc8e4ffeb430164 +Patch0005: CVE-2024-6563.patch +Patch0006: CVE-2024-6564.patch ExclusiveArch: aarch64 BuildRequires: dtc @@ -71,6 +74,9 @@ strip %{buildroot}/%{_datadir}/%{name}/rk3368/bl31.elf %{_datadir}/%{name} %changelog +* Tue Jul 09 2024 zhangxianting - 2.3-5 +- Fix CVE-2024-6563 CVE-2024-6564 + * Tue Jan 23 2024 yaoxin - 2.3-4 - Fix CVE-2023-49100