diff --git a/CVE-2022-47630-1.patch b/CVE-2022-47630-1.patch deleted file mode 100644 index 1efce78d14a57da6d55e47b3c40aee8c9027c71d..0000000000000000000000000000000000000000 --- a/CVE-2022-47630-1.patch +++ /dev/null @@ -1,50 +0,0 @@ -From fd37982a19a4a2911912ce321b9468993a0919ad Mon Sep 17 00:00:00 2001 -From: Demi Marie Obenour -Date: Thu, 8 Dec 2022 15:23:56 -0500 -Subject: fix(auth): forbid junk after extensions - -The extensions must use all remaining bytes in the TBSCertificate. - -Change-Id: Idf48f7168e146d050ba62dbc732638946fcd6c92 -Signed-off-by: Demi Marie Obenour ---- - drivers/auth/mbedtls/mbedtls_x509_parser.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/drivers/auth/mbedtls/mbedtls_x509_parser.c b/drivers/auth/mbedtls/mbedtls_x509_parser.c -index 49bc008ed1..8c78003bb2 100644 ---- a/drivers/auth/mbedtls/mbedtls_x509_parser.c -+++ b/drivers/auth/mbedtls/mbedtls_x509_parser.c -@@ -304,24 +304,26 @@ static int cert_parse(void *img, unsigned int img_len) - - /* - * extensions [3] EXPLICIT Extensions OPTIONAL -+ * -- must use all remaining bytes in TBSCertificate - */ - ret = mbedtls_asn1_get_tag(&p, end, &len, - MBEDTLS_ASN1_CONTEXT_SPECIFIC | - MBEDTLS_ASN1_CONSTRUCTED | 3); -- if (ret != 0) { -+ if ((ret != 0) || (len != (size_t)(end - p))) { - return IMG_PARSER_ERR_FORMAT; - } - - /* - * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension -+ * -- must use all remaining bytes in TBSCertificate - */ - v3_ext.p = p; - ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE); -- if (ret != 0) { -+ if ((ret != 0) || (len != (size_t)(end - p))) { - return IMG_PARSER_ERR_FORMAT; - } -- v3_ext.len = (p + len) - v3_ext.p; -+ v3_ext.len = end - v3_ext.p; - - /* - * Check extensions integrity --- -cgit v1.2.3 - diff --git a/CVE-2022-47630-2.patch b/CVE-2022-47630-2.patch deleted file mode 100644 index 4a2a118bcff0e2aa8786b3693975a7d607e41292..0000000000000000000000000000000000000000 
--- a/CVE-2022-47630-2.patch
+++ /dev/null
@@ -1,73 +0,0 @@ -From 72460f50e2437a85ce5229c430931aab8f4a0d5b Mon Sep 17 00:00:00 2001 -From: Demi Marie Obenour -Date: Thu, 8 Dec 2022 15:23:58 -0500 -Subject: fix(auth): require at least one extension to be present - -X.509 and RFC5280 allow omitting the extensions entirely, but require -that if the extensions field is present at all, it must contain at least -one certificate. TF-A already requires the extensions to be present, -but allows them to be empty. However, a certificate with an empty -extensions field will always fail later on, as the extensions contain -the information needed to validate the next stage in the boot chain. -Therefore, it is simpler to require the extension field to be present -and contain at least one extension. Also add a comment explaining why -the extensions field is required, even though it is OPTIONAL in the -ASN.1 syntax. - -Change-Id: Ie26eed8a7924bf50937a6b27ccdf7cc9a390588d -Signed-off-by: Demi Marie Obenour ---- - drivers/auth/mbedtls/mbedtls_x509_parser.c | 22 ++++++++++++++++++---- - 1 file changed, 18 insertions(+), 4 deletions(-) - -diff --git a/drivers/auth/mbedtls/mbedtls_x509_parser.c b/drivers/auth/mbedtls/mbedtls_x509_parser.c -index 8c78003bb2..9cccd964d4 100644 ---- a/drivers/auth/mbedtls/mbedtls_x509_parser.c -+++ b/drivers/auth/mbedtls/mbedtls_x509_parser.c -@@ -304,7 +304,18 @@ static int cert_parse(void *img, unsigned int img_len) - - /* - * extensions [3] EXPLICIT Extensions OPTIONAL -- * -- must use all remaining bytes in TBSCertificate -+ * } -+ * -+ * X.509 and RFC5280 allow omitting the extensions entirely. -+ * However, in TF-A, a certificate with no extensions would -+ * always fail later on, as the extensions contain the -+ * information needed to authenticate the next stage in the -+ * boot chain. Furthermore, get_ext() assumes that the -+ * extensions have been parsed into v3_ext, and allowing -+ * there to be no extensions would pointlessly complicate -+ * the code. 
Therefore, just reject certificates without -+ * extensions. This is also why version 1 and 2 certificates -+ * are rejected above. - */ - ret = mbedtls_asn1_get_tag(&p, end, &len, - MBEDTLS_ASN1_CONTEXT_SPECIFIC | -@@ -326,9 +337,12 @@ static int cert_parse(void *img, unsigned int img_len) - v3_ext.len = end - v3_ext.p; - - /* -- * Check extensions integrity -+ * Check extensions integrity. At least one extension is -+ * required: the ASN.1 specifies a minimum size of 1, and at -+ * least one extension is needed to authenticate the next stage -+ * in the boot chain. - */ -- while (p < end) { -+ do { - ret = mbedtls_asn1_get_tag(&p, end, &len, - MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE); -@@ -356,7 +370,7 @@ static int cert_parse(void *img, unsigned int img_len) - return IMG_PARSER_ERR_FORMAT; - } - p += len; -- } -+ } while (p < end); - - if (p != end) { - return IMG_PARSER_ERR_FORMAT; --- -cgit v1.2.3 - diff --git a/CVE-2022-47630-3.patch b/CVE-2022-47630-3.patch deleted file mode 100644 index f79c23d507179a814df61e625955b4e1caf7a5eb..0000000000000000000000000000000000000000 --- a/CVE-2022-47630-3.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From f5c51855d36e399e6e22cc1eb94f6b58e51b3b6d Mon Sep 17 00:00:00 2001 -From: Demi Marie Obenour -Date: Fri, 9 Dec 2022 17:19:08 -0500 -Subject: fix(auth): properly validate X.509 extensions - -get_ext() does not check the return value of the various mbedtls_* -functions, as cert_parse() is assumed to have guaranteed that they will -always succeed. However, it passes the end of an extension as the end -pointer to these functions, whereas cert_parse() passes the end of the -TBSCertificate. Furthermore, cert_parse() does *not* check that the -contents of the extension have the same length as the extension itself. -Before fd37982a19a4a291 ("fix(auth): forbid junk after extensions"), -cert_parse() also does not check that the extension block extends to the -end of the TBSCertificate. - -This is a problem, as mbedtls_asn1_get_tag() leaves *p and *len -undefined on failure. In practice, this results in get_ext() continuing -to parse at different offsets than were used (and validated) by -cert_parse(), which means that the in-bounds guarantee provided by -cert_parse() no longer holds. - -This patch fixes the remaining flaw by enforcing that the contents of an -extension are the same length as the extension itself. - -Change-Id: Id4570f911402e34d5d6c799ae01a01f184c68d7c -Signed-off-by: Demi Marie Obenour -Signed-off-by: Sandrine Bailleux ---- - drivers/auth/mbedtls/mbedtls_x509_parser.c | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/drivers/auth/mbedtls/mbedtls_x509_parser.c b/drivers/auth/mbedtls/mbedtls_x509_parser.c -index 44b25ba72b..bef2f3d0a6 100644 ---- a/drivers/auth/mbedtls/mbedtls_x509_parser.c -+++ b/drivers/auth/mbedtls/mbedtls_x509_parser.c -@@ -355,33 +355,39 @@ static int cert_parse(void *img, unsigned int img_len) - * in the boot chain. 
- */ - do { -+ unsigned char *end_ext_data; -+ - ret = mbedtls_asn1_get_tag(&p, end, &len, - MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE); - if (ret != 0) { - return IMG_PARSER_ERR_FORMAT; - } -+ end_ext_data = p + len; - - /* Get extension ID */ -- ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID); -+ ret = mbedtls_asn1_get_tag(&p, end_ext_data, &len, MBEDTLS_ASN1_OID); - if (ret != 0) { - return IMG_PARSER_ERR_FORMAT; - } - p += len; - - /* Get optional critical */ -- ret = mbedtls_asn1_get_bool(&p, end, &is_critical); -+ ret = mbedtls_asn1_get_bool(&p, end_ext_data, &is_critical); - if ((ret != 0) && (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) { - return IMG_PARSER_ERR_FORMAT; - } - -- /* Data should be octet string type */ -- ret = mbedtls_asn1_get_tag(&p, end, &len, -+ /* -+ * Data should be octet string type and must use all bytes in -+ * the Extension. -+ */ -+ ret = mbedtls_asn1_get_tag(&p, end_ext_data, &len, - MBEDTLS_ASN1_OCTET_STRING); -- if (ret != 0) { -+ if ((ret != 0) || ((p + len) != end_ext_data)) { - return IMG_PARSER_ERR_FORMAT; - } -- p += len; -+ p = end_ext_data; - } while (p < end); - - if (p != end) { --- -cgit v1.2.3 - diff --git a/CVE-2022-47630-4.patch b/CVE-2022-47630-4.patch deleted file mode 100644 index cf427a1c262877030669acbbcc29818262d33298..0000000000000000000000000000000000000000 --- a/CVE-2022-47630-4.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From abb8f936fd0ad085b1966bdc2cddf040ba3865e3 Mon Sep 17 00:00:00 2001 -From: Demi Marie Obenour -Date: Fri, 9 Dec 2022 18:21:47 -0500 -Subject: fix(auth): avoid out-of-bounds read in auth_nvctr() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -auth_nvctr() does not check that the buffer provided is long enough to -hold an ASN.1 INTEGER, or even that the buffer is non-empty. Since -auth_nvctr() will only ever read 6 bytes, it is possible to read up to -6 bytes past the end of the buffer. - -This out-of-bounds read turns out to be harmless. The only caller of -auth_nvctr() always passes a pointer into an X.509 TBSCertificate, and -all in-tree chains of trust require that the certificate’s signature has -already been validated. This means that the signature algorithm -identifier is at least 4 bytes and the signature itself more than that. -Therefore, the data read will be from the certificate itself. Even if -the certificate signature has not been validated, an out-of-bounds read -is still not possible. Since there are at least two bytes (tag and -length) in both the signature algorithm ID and the signature itself, an -out-of-bounds read would require that the tag byte of the signature -algorithm ID would need to be either the tag or length byte of the -DER-encoded nonvolatile counter. However, this byte must be -(MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) (0x30), which is -greater than 4 and not equal to MBEDTLS_ASN1_INTEGER (2). Therefore, -auth_nvctr() will error out before reading the integer itself, -preventing an out-of-bounds read. 
- -Change-Id: Ibdf1af702fbeb98a94c0c96456ebddd3d392ad44 -Signed-off-by: Demi Marie Obenour ---- - drivers/auth/auth_mod.c | 20 ++++++++++++++------ - 1 file changed, 14 insertions(+), 6 deletions(-) - -diff --git a/drivers/auth/auth_mod.c b/drivers/auth/auth_mod.c -index eb537b6..070f60f 100644 ---- a/drivers/auth/auth_mod.c -+++ b/drivers/auth/auth_mod.c -@@ -228,7 +228,7 @@ static int auth_nvctr(const auth_method_param_nv_ctr_t *param, - const auth_img_desc_t *img_desc, - void *img, unsigned int img_len) - { -- char *p; -+ unsigned char *p; - void *data_ptr = NULL; - unsigned int data_len, len, i; - unsigned int cert_nv_ctr, plat_nv_ctr; -@@ -242,16 +242,24 @@ static int auth_nvctr(const auth_method_param_nv_ctr_t *param, - - /* Parse the DER encoded integer */ - assert(data_ptr); -- p = (char *)data_ptr; -- if (*p != ASN1_INTEGER) { -+ p = (unsigned char *)data_ptr; -+ -+ /* -+ * Integers must be at least 3 bytes: 1 for tag, 1 for length, and 1 -+ * for value. The first byte (tag) must be ASN1_INTEGER. -+ */ -+ if ((data_len < 3) || (*p != ASN1_INTEGER)) { - /* Invalid ASN.1 integer */ - return 1; - } - p++; - -- /* NV-counters are unsigned integers up to 32-bit */ -- len = (unsigned int)(*p & 0x7f); -- if ((*p & 0x80) || (len > 4)) { -+ /* -+ * NV-counters are unsigned integers up to 31 bits. Trailing -+ * padding is not allowed. -+ */ -+ len = (unsigned int)*p; -+ if ((len > 4) || (data_len - 2 != len)) { - return 1; - } - p++; --- -2.30.0 - diff --git a/CVE-2023-49100.patch b/CVE-2023-49100.patch deleted file mode 100644 index 0afed3b030641fe7c4aa954d41766ea67d111063..0000000000000000000000000000000000000000 --- a/CVE-2023-49100.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From a7eff3477dcf3624c74f5217419b1a27b7ebd2aa Mon Sep 17 00:00:00 2001 -From: Manish Pandey -Date: Thu, 26 Oct 2023 11:14:21 +0100 -Subject: fix(sdei): ensure that interrupt ID is valid - -As per SDEI spec (section 5.1.14.1), SDEI_INTERRUPT_BIND interface -expects a valid PPI or SPI. SGI's are not allowed to be bounded. -Current check in the code only checks for an SGI and returns invalid -ID. This check is insufficient as it will not catch architecturally -invalid interrupt IDs. - -Modify the check to ensure that interrupt is either PPI or SPI. - -Signed-off-by: Manish Pandey -Change-Id: I52eb0a6d7f88a12f6816cff9b68fb3a7ca12cbb7 ---- - services/std_svc/sdei/sdei_main.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/services/std_svc/sdei/sdei_main.c b/services/std_svc/sdei/sdei_main.c -index 44178eddd3..0fd3c1d32c 100644 ---- a/services/std_svc/sdei/sdei_main.c -+++ b/services/std_svc/sdei/sdei_main.c -@@ -710,8 +710,8 @@ static int sdei_interrupt_bind(unsigned int intr_num) - sdei_ev_map_t *map; - bool retry = true, shared_mapping; - -- /* SGIs are not allowed to be bound */ -- if (plat_ic_is_sgi(intr_num) != 0) -+ /* Interrupt must be either PPI or SPI */ -+ if (!(plat_ic_is_ppi(intr_num) || plat_ic_is_spi(intr_num))) - return SDEI_EINVAL; - - shared_mapping = (plat_ic_is_spi(intr_num) != 0); --- -cgit v1.2.3 - diff --git a/CVE-2024-6285.patch b/CVE-2024-6285.patch deleted file mode 100644 index 9e9f3a795b1e84d5141e7581c723bf1fd0b61438..0000000000000000000000000000000000000000 --- a/CVE-2024-6285.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 9778b270e29bac3e16f57f9557098c45858c05de Mon Sep 17 00:00:00 2001 -From: Tobias Rist -Date: Tue, 7 Mar 2023 09:40:37 +0100 -Subject: [PATCH] fix(rcar3-drivers): check for length underflow - -Origin: https://github.com/ARM-software/arm-trusted-firmware/commit/9778b270e29bac3e16f57f9557098c45858c05de -https://github.com/renesas-rcar/arm-trusted-firmware/commit/b596f580637bae919b0ac3a5471422a1f756db3b - -Make sure the length of the payload is not longer than the -DRAM size in check_load_area(), and make sure the payload -end does not cross protected area start. - -Signed-off-by: Tobias Rist -Signed-off-by: Yoshifumi Hosoya -Change-Id: I4d687be577a138352be9f92e5b0b6f596ffffba9 ---- - drivers/renesas/rcar/io/io_rcar.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/drivers/renesas/rcar/io/io_rcar.c b/drivers/renesas/rcar/io/io_rcar.c -index c169923..603fefd 100644 ---- a/drivers/renesas/rcar/io/io_rcar.c -+++ b/drivers/renesas/rcar/io/io_rcar.c -@@ -288,7 +288,7 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len) - - prot_end = prot_start + DRAM_PROTECTED_SIZE; - -- if (dst < dram_start || dst > dram_end - len) { -+ if (dst < dram_start || len > dram_end || dst > dram_end - len) { - ERROR("BL2: dst address is on the protected area.\n"); - result = IO_FAIL; - goto done; -@@ -301,8 +301,9 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len) - goto done; - } - -- if (dst < prot_start && dst > prot_start - len) { -- ERROR("BL2: loaded data is on the protected area.\n"); -+ if (len > prot_start || (dst < prot_start && dst > prot_start - len)) { -+ ERROR("BL2: %s[%d] loaded data is on the protected area.\n", -+ __func__, __LINE__); - result = IO_FAIL; - goto done; - } --- -2.33.0 - diff --git a/CVE-2024-6287-1.patch b/CVE-2024-6287-1.patch deleted file mode 100644 index b864cfe4baf05da007b968f9237ec7bd2e0ad73b..0000000000000000000000000000000000000000 --- a/CVE-2024-6287-1.patch +++ /dev/null 
@@ -1,103 +0,0 @@ -From 6a96c18c474e6339fab93f54d52aa7dcc4b70e52 Mon Sep 17 00:00:00 2001 -From: Tobias Rist -Date: Thu, 16 Mar 2023 21:31:15 +0900 -Subject: [PATCH] rcar-gen3: plat: BL2: check loaded NS image area - -Check if next NS image invades a previous loaded image. -Correct non secure image area to avoid loading a NS image to secure - -Signed-off-by: Tobias Rist -Signed-off-by: Yoshifumi Hosoya ---- - drivers/renesas/rcar/io/io_rcar.c | 46 ++++++++++++++++++++++++++-- - plat/renesas/rcar/include/rcar_def.h | 2 +- - 2 files changed, 45 insertions(+), 3 deletions(-) - -diff --git a/drivers/renesas/rcar/io/io_rcar.c b/drivers/renesas/rcar/io/io_rcar.c -index fe968b6..dc1b786 100644 ---- a/drivers/renesas/rcar/io/io_rcar.c -+++ b/drivers/renesas/rcar/io/io_rcar.c -@@ -84,6 +84,18 @@ typedef struct { - #define RCAR_COUNT_LOAD_BL33 (2U) - #define RCAR_COUNT_LOAD_BL33X (3U) - -+#define CHECK_IMAGE_AREA_CNT (5U) -+#define BOOT_BL2_ADDR (0xE6304000U) -+#define BOOT_BL2_LENGTH (0x19000U) -+ -+typedef struct { -+ uintptr_t dest; -+ uintptr_t length; -+} addr_loaded_t; -+ -+static addr_loaded_t addr_loaded[CHECK_IMAGE_AREA_CNT] = { [0] = {BOOT_BL2_ADDR, BOOT_BL2_LENGTH} }; -+static uint32_t addr_loaded_cnt = 1; -+ - static const plat_rcar_name_offset_t name_offset[] = { - {BL31_IMAGE_ID, 0U, RCAR_ATTR_SET_ALL(0, 0, 0)}, - -@@ -256,9 +268,9 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len) - uintptr_t prot_start, prot_end; - int32_t result = IO_SUCCESS; - -- dram_start = legacy ? DRAM1_BASE : DRAM_40BIT_BASE; -+ dram_start = legacy ? DRAM1_NS_BASE : DRAM_40BIT_BASE; - -- dram_end = legacy ? DRAM1_BASE + DRAM1_SIZE : -+ dram_end = legacy ? DRAM1_NS_BASE + DRAM1_NS_SIZE : - DRAM_40BIT_BASE + DRAM_40BIT_SIZE; - - prot_start = legacy ? 
DRAM_PROTECTED_BASE : DRAM_40BIT_PROTECTED_BASE; -@@ -287,6 +299,36 @@ done: - if (result == IO_FAIL) - ERROR("BL2: Out of range : dst=0x%lx len=0x%lx\n", dst, len); - -+ if (addr_loaded_cnt >= CHECK_IMAGE_AREA_CNT) { -+ ERROR("BL2: max loadable non secure images reached\n"); -+ result = IO_FAIL; -+ } -+ addr_loaded[addr_loaded_cnt].dest = dst; -+ addr_loaded[addr_loaded_cnt].length = len; -+ for(int n=0; n addr_loaded[n].dest) && -+ (dst < addr_loaded[n].dest + addr_loaded[n].length)) || -+ (((dst < addr_loaded[n].dest) && -+ (dst + len)) > addr_loaded[n].dest)) { -+ ERROR("BL2: image is inside a previous image area.\n"); -+ result = IO_FAIL; -+ } -+ } -+ addr_loaded_cnt++; -+ - return result; - } - -diff --git a/plat/renesas/rcar/include/rcar_def.h b/plat/renesas/rcar/include/rcar_def.h -index 0ffbfe9..a41a994 100644 ---- a/plat/renesas/rcar/include/rcar_def.h -+++ b/plat/renesas/rcar/include/rcar_def.h -@@ -31,7 +31,7 @@ - #define DRAM_LIMIT ULL(0x0000010000000000) - #define DRAM1_BASE U(0x40000000) - #define DRAM1_SIZE U(0x80000000) --#define DRAM1_NS_BASE (DRAM1_BASE + U(0x10000000)) -+#define DRAM1_NS_BASE (DRAM1_BASE + U(0x08000000)) - #define DRAM1_NS_SIZE (DRAM1_SIZE - DRAM1_NS_BASE) - #define DRAM_40BIT_BASE ULL(0x0400000000) - #define DRAM_40BIT_SIZE ULL(0x0400000000) --- -2.33.0 - diff --git a/CVE-2024-6287-2.patch b/CVE-2024-6287-2.patch deleted file mode 100644 index 6116f5acd25046b4c205bdca3524590638fd4edd..0000000000000000000000000000000000000000 --- a/CVE-2024-6287-2.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 954d488a9798f8fda675c6b57c571b469b298f04 Mon Sep 17 00:00:00 2001 -From: Yoshifumi Hosoya -Date: Sun, 23 Apr 2023 21:11:15 +0900 -Subject: [PATCH] rcar-gen3: plat: BL2: fix Incorrect Address Range Calculation - -Check against all address overlap cases - -Reviewed-by: Tomer Fichman -Signed-off-by: Yoshifumi Hosoya ---- - drivers/renesas/rcar/io/io_rcar.c | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - -diff --git a/drivers/renesas/rcar/io/io_rcar.c b/drivers/renesas/rcar/io/io_rcar.c -index 9b29a5be81..21ed411137 100644 ---- a/drivers/renesas/rcar/io/io_rcar.c -+++ b/drivers/renesas/rcar/io/io_rcar.c -@@ -335,13 +335,18 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len) - * 2. check: - * | IMAGE n | - * | IMAGE n+1 | -+ * 3. check: -+ * | IMAGE n | -+ * | IMAGE n+1 | - * - * */ -- if (((dst > addr_loaded[n].dest) && -- (dst < addr_loaded[n].dest + addr_loaded[n].length)) || -- (((dst < addr_loaded[n].dest) && -- (dst + len)) > addr_loaded[n].dest)) { -- ERROR("BL2: image is inside a previous image area.\n"); -+ if (((dst >= addr_loaded[n].dest) && -+ (dst <= addr_loaded[n].dest + addr_loaded[n].length)) || -+ ((dst + len >= addr_loaded[n].dest) && -+ (dst + len <= addr_loaded[n].dest + addr_loaded[n].length)) || -+ ((dst <= addr_loaded[n].dest) && -+ (dst + len >= addr_loaded[n].dest + addr_loaded[n].length))) { -+ ERROR("BL2: next image overlap a previous image area.\n"); - result = IO_FAIL; - } - } diff --git a/CVE-2024-6563.patch b/CVE-2024-6563.patch deleted file mode 100644 index b4f522d524b76db3aadf52126d111a15df715a83..0000000000000000000000000000000000000000 --- a/CVE-2024-6563.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From: Yoshifumi Hosoya -Date: Sun, 23 Apr 2023 21:37:42 +0900 -Subject: [PATCH] rcar-gen3: plat: BL2: Enhanced buffer protection - -If the parameter check is an error, the function is terminated immediately. - -Reviewed-by: Ilay Levi -Signed-off-by: Yoshifumi Hosoya ---- - drivers/renesas/rcar/io/io_rcar.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/renesas/rcar/io/io_rcar.c b/drivers/renesas/rcar/io/io_rcar.c -index b82c510..884d9b1 100644 ---- a/drivers/renesas/rcar/io/io_rcar.c -+++ b/drivers/renesas/rcar/io/io_rcar.c -@@ -275,11 +275,13 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len) - if (dst >= prot_start && dst < prot_end) { - ERROR("BL2: dst address is on the protected area.\n"); - result = IO_FAIL; -+ goto done; - } - - if (dst < prot_start && dst > prot_start - len) { - ERROR("BL2: loaded data is on the protected area.\n"); - result = IO_FAIL; -+ goto done; - } - done: - if (result == IO_FAIL) --- -2.33.0 - diff --git a/CVE-2024-6564.patch b/CVE-2024-6564.patch deleted file mode 100644 index bb921e2d7151052cf60d220f256fcd0411ec722a..0000000000000000000000000000000000000000 --- a/CVE-2024-6564.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From c9fb3558410032d2660c7f3b7d4b87dec09fe2f2 Mon Sep 17 00:00:00 2001 -From: Yoshifumi Hosoya -Date: Mon, 3 Jul 2023 16:58:11 +0900 -Subject: [PATCH] rcar-gen3: plat: BL2: Fix to check "rcar_image_number" - variable before use - -Reviewed-by: Tomer Fichman -Signed-off-by: Yoshifumi Hosoya ---- - drivers/renesas/rcar/io/io_rcar.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/drivers/renesas/rcar/io/io_rcar.c b/drivers/renesas/rcar/io/io_rcar.c -index 884d9b1..fe968b6 100644 ---- a/drivers/renesas/rcar/io/io_rcar.c -+++ b/drivers/renesas/rcar/io/io_rcar.c -@@ -420,16 +420,16 @@ static int32_t rcar_dev_init(io_dev_info_t *dev_info, const uintptr_t name) - } - - rcar_image_number = header[0]; -- for (i = 0; i < rcar_image_number + 2; i++) { -- rcar_image_header[i] = header[i * 2 + 1]; -- rcar_image_header_prttn[i] = header[i * 2 + 2]; -- } -- - if (rcar_image_number == 0 || rcar_image_number > RCAR_MAX_BL3X_IMAGE) { - WARN("Firmware Image Package header check failed.\n"); - goto error; - } - -+ for (i = 0; i < rcar_image_number + 2; i++) { -+ rcar_image_header[i] = header[i * 2 + 1]; -+ rcar_image_header_prttn[i] = header[i * 2 + 2]; -+ } -+ - rc = io_seek(handle, IO_SEEK_SET, offset + RCAR_SECTOR6_CERT_OFFSET); - if (rc != IO_SUCCESS) { - WARN("Firmware Image Package header failed to seek cert\n"); --- -2.33.0 - diff --git a/arm-trusted-firmware-2.12.1.tar.gz b/arm-trusted-firmware-2.12.1.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..8673417199b8e5bef282f2974ccf65a1fa70ae54 Binary files /dev/null and b/arm-trusted-firmware-2.12.1.tar.gz differ diff --git a/arm-trusted-firmware.spec b/arm-trusted-firmware.spec index dd2bbcba2bbee77f57c4f4373dc26dd561c9c11b..70867fbdee8c164cc4f6a8ac55ebce58615f40b9 100644 --- a/arm-trusted-firmware.spec +++ b/arm-trusted-firmware.spec 
@@ -1,32 +1,15 @@
 %global debug_package %{nil}
 Name: arm-trusted-firmware
-Version: 2.3
-Release: 6
+Version: 2.12.1
+Release: 1
 Summary: ARM Trusted Firmware
-License: BSD
+License: BSD-3-clause
 URL: https://github.com/ARM-software/arm-trusted-firmware/wiki
-Source0: https://github.com/ARM-software/arm-trusted-firmware/archive/v%{version}.tar.gz
-# https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=fd37982a19a4a291
-Patch0000: CVE-2022-47630-1.patch
-# https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=72460f50e2437a85
-Patch0001: CVE-2022-47630-2.patch
-# https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=f5c51855d36e399e
-Patch0002: CVE-2022-47630-3.patch
-# https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=abb8f936fd0ad085
-Patch0003: CVE-2022-47630-4.patch
-# https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=a7eff3477dcf3624
-Patch0004: CVE-2023-49100.patch
-# https://github.com/renesas-rcar/arm-trusted-firmware/commit/235f85b654a031f7647e81b86fc8e4ffeb430164
-Patch0005: CVE-2024-6563.patch
-Patch0006: CVE-2024-6564.patch
-# https://github.com/renesas-rcar/arm-trusted-firmware/commit/6a96c18c474e6339fab93f54d52aa7dcc4b70e52
-Patch0007: CVE-2024-6287-1.patch
-# https://github.com/renesas-rcar/arm-trusted-firmware/commit/954d488a9798f8fda675c6b57c571b469b298f04
-Patch0008: CVE-2024-6287-2.patch
-Patch0009: CVE-2024-6285.patch
+Source0: https://github.com/ARM-software/arm-trusted-firmware/archive/lts-v%{version}/%{name}-%{version}.tar.gz
 ExclusiveArch: aarch64
 BuildRequires: dtc
+BuildRequires: gcc openssl-devel
 %description
 Trusted Firmware-A is a reference implementation of secure world software
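Review bot: Dropping Patch0000 through Patch0009 leaves the package relying on the lts-v2.12.1 tarball alone for the CVE-2022-47630, CVE-2023-49100 and CVE-2024-6285/6287/6563/6564 fixes, and the spec keeps no record of that. Patch0005, Patch0007 and Patch0008 were taken from the renesas-rcar fork rather than upstream, so it is worth confirming that the equivalent checks in `check_load_area()` exist in the new source before merging. I would keep a one-line record next to Source0, for example `# Local CVE patches dropped in 2.12.1; fixes confirmed present in the upstream tarball`. Separately, the SPDX identifier is spelled `BSD-3-Clause`, not `BSD-3-clause`.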
@@ -39,13 +22,14 @@ ARM Trusted Firmware for various ARMv8-A SoCs. %prep -%autosetup -p1 -n %{name}-%{version} +%autosetup -p1 -n %{name}-lts-v%{version} sed -i 's/arm-none-eabi-/arm-linux-gnu-/' plat/rockchip/rk3399/drivers/m0/Makefile %build +export CC=gcc for soc in hikey hikey960 imx8qm imx8qx juno rk3368 rk3328 rpi3 sun50i_a64 sun50i_h6 zynqmp do -make HOSTCC="gcc $RPM_OPT_FLAGS -fPIE -Wl,-z,relro,-z,now" CROSS_COMPILE="" PLAT=$(echo $soc) bl31 +make HOSTCC="%{CC} $RPM_OPT_FLAGS -fPIE -Wl,-z,relro,-z,now" CROSS_COMPILE="" PLAT=$(echo $soc) bl31 done 
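Review bot: `%{CC}` on the new `make HOSTCC=...` line is RPM macro syntax, while the line added above it only sets a shell variable with `export CC=gcc`. Unless a `CC` macro is defined elsewhere in the build environment, rpm leaves an undefined macro unexpanded, so HOSTCC would start with the literal text `%{CC}` and the host compiler invocation carrying `$RPM_OPT_FLAGS -fPIE -Wl,-z,relro,-z,now` would not run as intended. Referencing the shell variable keeps the hardening flags attached to a real compiler: `make HOSTCC="$CC $RPM_OPT_FLAGS -fPIE -Wl,-z,relro,-z,now" CROSS_COMPILE="" PLAT=$(echo $soc) bl31`.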
@@ -79,17 +63,61 @@ strip %{buildroot}/%{_datadir}/%{name}/rk3368/bl31.elf %{_datadir}/%{name} %changelog -* Mon Dec 16 2024 wangkai <13474090681@163.com> - 2.3-6 -- Fix CVE-2024-6285 CVE-2024-6287 - -* Tue Jul 09 2024 zhangxianting - 2.3-5 +* Thu Mar 20 2025 yaoxin <1024769339@qq.com> - 2.12.1-1 +- Update to 2.12.1 for fix CVE-2024-7881 and CVE-2024-5660 + +* Wed Nov 27 2024 yaoxin - 2.12.0-1 +- Update to 2.12.0 +- Bootloader Images: + * remove unused plat_try_next_boot_source +- Architecture: + *Branch Record Buffer Extension (FEAT_BRBE) + * allow RME builds with BRBE +- Arm: + * avoid stripping kernel trampoline + * add DRAM memory regions that linux kernel can share + * add optee specific mem-size attribute + * add secure uart interrupt in device region + * enable FEAT_MTE2 + * fix the FF-A optee manifest by adding the boot info node + * update the memory size allocated to optee at EL1 +- Intel: + * add cache invalidation during BL31 initialization + * add in JTAG ID for Linux FCS + * add in missing ECC register + * add in watchdog for QSPI driver + * bridge ack timing issue causing fpga config hung + * correct macro naming + * f2sdram bridge quick write thru failed + * fix bridge enable and disable function + * fix CCU for cache maintenance + * flush L1/L2/L3/Sys cache before HPS cold reset + * implement soc and lwsoc bridge control for burst speed + * refactor SDMMC driver for Altera products + * remove redundant BIT_32 macro + * software workaround for bridge timeout + * update Agilex5 BL2 init flow and other misc changes + * update Agilex5 warm reset subroutines + * update all the platforms hand-off data offset value + * update CCU configuration for Agilex5 platform + * update mailbox SDM printout message + * update memcpy to memcpy_s ([e264b55] + * update outdated code for Linux direct boot + * update preloaded_bl33_base for legacy product + * update sip smc config addr for agilex5 + * update the size with addition 0x8000 0000 base + +* Tue Oct 15 2024 
yaoxin - 2.9-4 +- Fix CVE-2024-6287 + +* Tue Jul 09 2024 zhangxianting - 2.9-3 - Fix CVE-2024-6563 CVE-2024-6564 -* Tue Jan 23 2024 yaoxin - 2.3-4 +* Tue Jan 23 2024 yaoxin - 2.9-2 - Fix CVE-2023-49100 -* Fri Dec 01 2023 yaoxin - 2.3-3 -- Fix CVE-2022-47630 +* Fri Jul 07 2023 xu_ping <707078654@qq.com> -2.9-1 +- Upgrade to 2.9 * Wed Dec 07 2022 yaoxin -2.3-2 - Add RELRO,PIE,BIND_NOW flags and fix not striped problem diff --git a/v2.3.tar.gz b/v2.3.tar.gz deleted file mode 100644 index 8abefbc49ad5b29113c6c201dd29dee9c896eec4..0000000000000000000000000000000000000000 Binary files a/v2.3.tar.gz and /dev/null differ