!56 Fix CVE-2024-6285

From: @wk333 
Reviewed-by: @cherry530 
Signed-off-by: @cherry530

CVE-2023-49100.patch

@@ -0,0 +1,37 @@
+From a7eff3477dcf3624c74f5217419b1a27b7ebd2aa Mon Sep 17 00:00:00 2001
+From: Manish Pandey <manish.pandey2@arm.com>
+Date: Thu, 26 Oct 2023 11:14:21 +0100
+Subject: fix(sdei): ensure that interrupt ID is valid
+
+As per SDEI spec (section 5.1.14.1), SDEI_INTERRUPT_BIND interface
+expects a valid PPI or SPI. SGI's are not allowed to be bounded.
+Current check in the code only checks for an SGI and returns invalid
+ID. This check is insufficient as it will not catch architecturally
+invalid interrupt IDs.
+
+Modify the check to ensure that interrupt is either PPI or SPI.
+
+Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
+Change-Id: I52eb0a6d7f88a12f6816cff9b68fb3a7ca12cbb7
+---
+ services/std_svc/sdei/sdei_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/services/std_svc/sdei/sdei_main.c b/services/std_svc/sdei/sdei_main.c
+index 44178eddd3..0fd3c1d32c 100644
+--- a/services/std_svc/sdei/sdei_main.c
++++ b/services/std_svc/sdei/sdei_main.c
+@@ -710,8 +710,8 @@ static int sdei_interrupt_bind(unsigned int intr_num)
+ 	sdei_ev_map_t *map;
+ 	bool retry = true, shared_mapping;
+ 
+-	/* SGIs are not allowed to be bound */
+-	if (plat_ic_is_sgi(intr_num) != 0)
++	/* Interrupt must be either PPI or SPI */
++	if (!(plat_ic_is_ppi(intr_num) || plat_ic_is_spi(intr_num)))
+ 		return SDEI_EINVAL;
+ 
+ 	shared_mapping = (plat_ic_is_spi(intr_num) != 0);
+-- 
+cgit v1.2.3
+

CVE-2024-6285.patch

@@ -0,0 +1,47 @@
+From 9778b270e29bac3e16f57f9557098c45858c05de Mon Sep 17 00:00:00 2001
+From: Tobias Rist <tobias.rist@joynext.com>
+Date: Tue, 7 Mar 2023 09:40:37 +0100
+Subject: [PATCH] fix(rcar3-drivers): check for length underflow
+
+Origin: https://github.com/ARM-software/arm-trusted-firmware/commit/9778b270e29bac3e16f57f9557098c45858c05de
+https://github.com/renesas-rcar/arm-trusted-firmware/commit/b596f580637bae919b0ac3a5471422a1f756db3b
+
+Make sure the length of the payload is not longer than the
+DRAM size in check_load_area(), and make sure the payload
+end does not cross protected area start.
+
+Signed-off-by: Tobias Rist <tobias.rist@joynext.com>
+Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
+Change-Id: I4d687be577a138352be9f92e5b0b6f596ffffba9
+---
+ drivers/renesas/common/io/io_rcar.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c
+index c169923..603fefd 100644
+--- a/drivers/renesas/common/io/io_rcar.c
++++ b/drivers/renesas/common/io/io_rcar.c
+@@ -288,7 +288,7 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
+ 
+ 	prot_end = prot_start + DRAM_PROTECTED_SIZE;
+ 
+-	if (dst < dram_start || dst > dram_end - len) {
++	if (dst < dram_start || len > dram_end || dst > dram_end - len) {
+ 		ERROR("BL2: dst address is on the protected area.\n");
+ 		result = IO_FAIL;
+ 		goto done;
+@@ -301,8 +301,9 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
+ 		goto done;
+ 	}
+ 
+-	if (dst < prot_start && dst > prot_start - len) {
+-		ERROR("BL2: loaded data is on the protected area.\n");
++	if (len > prot_start || (dst < prot_start && dst > prot_start - len)) {
++		ERROR("BL2: %s[%d] loaded data is on the protected area.\n",
++			__func__, __LINE__);
+ 		result = IO_FAIL;
+ 		goto done;
+ 	}
+-- 
+2.33.0
+

CVE-2024-6287-1.patch

@@ -0,0 +1,100 @@
+From 6a96c18c474e6339fab93f54d52aa7dcc4b70e52 Mon Sep 17 00:00:00 2001
+From: Tobias Rist <tobias.rist@joynext.com>
+Date: Thu, 16 Mar 2023 21:31:15 +0900
+Subject: [PATCH] rcar-gen3: plat: BL2: check loaded NS image area
+
+Check if next NS image invades a previous loaded image.
+Correct non secure image area to avoid loading a NS image to secure
+
+Signed-off-by: Tobias Rist <tobias.rist@joynext.com>
+Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
+---
+ drivers/renesas/common/io/io_rcar.c    | 46 ++++++++++++++++++++++++--
+ plat/renesas/common/include/rcar_def.h |  2 +-
+ 2 files changed, 45 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c
+index 1459ba28b2..1a32430847 100644
+--- a/drivers/renesas/common/io/io_rcar.c
++++ b/drivers/renesas/common/io/io_rcar.c
+@@ -84,6 +84,18 @@ typedef struct {
+ #define RCAR_COUNT_LOAD_BL33		(2U)
+ #define RCAR_COUNT_LOAD_BL33X		(3U)
+ 
++#define CHECK_IMAGE_AREA_CNT (5U)
++#define BOOT_BL2_ADDR (0xE6304000U)
++#define BOOT_BL2_LENGTH (0x19000U)
++
++typedef struct {
++	uintptr_t dest;
++	uintptr_t length;
++} addr_loaded_t;
++
++static addr_loaded_t addr_loaded[CHECK_IMAGE_AREA_CNT] = { [0] = {BOOT_BL2_ADDR, BOOT_BL2_LENGTH} };
++static uint32_t addr_loaded_cnt = 1;
++
+ static const plat_rcar_name_offset_t name_offset[] = {
+ 	{BL31_IMAGE_ID, 0U, RCAR_ATTR_SET_ALL(0, 0, 0)},
+ 
+@@ -268,9 +280,9 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
+ 	uintptr_t prot_start, prot_end;
+ 	int32_t result = IO_SUCCESS;
+ 
+-	dram_start = legacy ? DRAM1_BASE : DRAM_40BIT_BASE;
++	dram_start = legacy ? DRAM1_NS_BASE : DRAM_40BIT_BASE;
+ 
+-	dram_end = legacy ? DRAM1_BASE + DRAM1_SIZE :
++	dram_end = legacy ? DRAM1_NS_BASE + DRAM1_NS_SIZE :
+ 	    DRAM_40BIT_BASE + DRAM_40BIT_SIZE;
+ 
+ 	prot_start = legacy ? DRAM_PROTECTED_BASE : DRAM_40BIT_PROTECTED_BASE;
+@@ -298,6 +310,36 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
+ 		ERROR("BL2: Out of range : dst=0x%lx len=0x%lx\n", dst, len);
+ 	}
+ 
++	if (addr_loaded_cnt >= CHECK_IMAGE_AREA_CNT) {
++		ERROR("BL2: max loadable non secure images reached\n");
++		result = IO_FAIL;
++	}
++	addr_loaded[addr_loaded_cnt].dest = dst;
++	addr_loaded[addr_loaded_cnt].length = len;
++	for(int n=0; n<addr_loaded_cnt; n++) {
++		/* Check if next image invades a previous loaded image
++		 *
++		 * IMAGE n: area from previous image:	dest| IMAGE n |length
++		 * IMAGE n+1: area from next image:	dst | IMAGE n |len
++		 *
++		 * 1. check:
++		 *      | IMAGE n |
++		 *           | IMAGE n+1 |
++		 * 2. check:
++		 *      | IMAGE n |
++		 *  | IMAGE n+1 |
++		 *
++		 * */
++		if (((dst > addr_loaded[n].dest) &&
++		     (dst <  addr_loaded[n].dest + addr_loaded[n].length)) ||
++		    (((dst < addr_loaded[n].dest) &&
++		      (dst + len)) > addr_loaded[n].dest)) {
++			ERROR("BL2: image is inside a previous image area.\n");
++			result = IO_FAIL;
++		}
++	}
++	addr_loaded_cnt++;
++
+ 	return result;
+ }
+ 
+diff --git a/plat/renesas/common/include/rcar_def.h b/plat/renesas/common/include/rcar_def.h
+index 1b4527a9fc..38706a8373 100644
+--- a/plat/renesas/common/include/rcar_def.h
++++ b/plat/renesas/common/include/rcar_def.h
+@@ -31,7 +31,7 @@
+ #define DRAM_LIMIT			ULL(0x0000010000000000)
+ #define DRAM1_BASE			U(0x40000000)
+ #define DRAM1_SIZE			U(0x80000000)
+-#define DRAM1_NS_BASE			(DRAM1_BASE + U(0x10000000))
++#define DRAM1_NS_BASE			(DRAM1_BASE + U(0x08000000))
+ #define DRAM1_NS_SIZE			(DRAM1_SIZE - DRAM1_NS_BASE)
+ #define DRAM_40BIT_BASE			ULL(0x0400000000)
+ #define DRAM_40BIT_SIZE			ULL(0x0400000000)

CVE-2024-6287-2.patch

@@ -0,0 +1,41 @@
+From 954d488a9798f8fda675c6b57c571b469b298f04 Mon Sep 17 00:00:00 2001
+From: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
+Date: Sun, 23 Apr 2023 21:11:15 +0900
+Subject: [PATCH] rcar-gen3: plat: BL2: fix Incorrect Address Range Calculation
+
+Check against all address overlap cases
+
+Reviewed-by: Tomer Fichman <Tomer.Fichman@cymotive.com>
+Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
+---
+ drivers/renesas/common/io/io_rcar.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c
+index 9b29a5be81..21ed411137 100644
+--- a/drivers/renesas/common/io/io_rcar.c
++++ b/drivers/renesas/common/io/io_rcar.c
+@@ -335,13 +335,18 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
+ 		 * 2. check:
+ 		 *      | IMAGE n |
+ 		 *  | IMAGE n+1 |
++		 * 3. check:
++		 *      | IMAGE n |
++		 *  |    IMAGE n+1    |
+ 		 *
+ 		 * */
+-		if (((dst > addr_loaded[n].dest) &&
+-		     (dst <  addr_loaded[n].dest + addr_loaded[n].length)) ||
+-		    (((dst < addr_loaded[n].dest) &&
+-		      (dst + len)) > addr_loaded[n].dest)) {
+-			ERROR("BL2: image is inside a previous image area.\n");
++		if (((dst >= addr_loaded[n].dest) &&
++		     (dst <=  addr_loaded[n].dest + addr_loaded[n].length)) ||
++		    ((dst + len >= addr_loaded[n].dest) &&
++		     (dst + len <= addr_loaded[n].dest + addr_loaded[n].length)) ||
++		    ((dst <= addr_loaded[n].dest) &&
++		     (dst + len >= addr_loaded[n].dest + addr_loaded[n].length))) {
++			ERROR("BL2: next image overlap a previous image area.\n");
+ 			result = IO_FAIL;
+ 		}
+ 	}

CVE-2024-6563.patch

@@ -0,0 +1,34 @@
+From 235f85b654a031f7647e81b86fc8e4ffeb430164 Mon Sep 17 00:00:00 2001
+From: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
+Date: Sun, 23 Apr 2023 21:37:42 +0900
+Subject: [PATCH] rcar-gen3: plat: BL2: Enhanced buffer protection
+
+If the parameter check is an error, the function is terminated immediately.
+
+Reviewed-by: Ilay Levi <Ilay.levi@cymotive.com>
+Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
+---
+ drivers/renesas/common/io/io_rcar.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c
+index 45ef386..3ed5eaf 100644
+--- a/drivers/renesas/common/io/io_rcar.c
++++ b/drivers/renesas/common/io/io_rcar.c
+@@ -286,11 +286,13 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
+ 	if (dst >= prot_start && dst < prot_end) {
+ 		ERROR("BL2: dst address is on the protected area.\n");
+ 		result = IO_FAIL;
++		goto done;
+ 	}
+ 
+ 	if (dst < prot_start && dst > prot_start - len) {
+ 		ERROR("BL2: loaded data is on the protected area.\n");
+ 		result = IO_FAIL;
++		goto done;
+ 	}
+ done:
+ 	if (result == IO_FAIL) {
+-- 
+2.33.0
+

CVE-2024-6564.patch

@@ -0,0 +1,42 @@
+From c9fb3558410032d2660c7f3b7d4b87dec09fe2f2 Mon Sep 17 00:00:00 2001
+From: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
+Date: Mon, 3 Jul 2023 16:58:11 +0900
+Subject: [PATCH] rcar-gen3: plat: BL2: Fix to check "rcar_image_number"
+ variable before use
+
+Reviewed-by: Tomer Fichman <Tomer.Fichman@cymotive.com>
+Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
+---
+ drivers/renesas/common/io/io_rcar.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c
+index b1638a1e0..03a8f8212 100644
+--- a/drivers/renesas/common/io/io_rcar.c
++++ b/drivers/renesas/common/io/io_rcar.c
+@@ -496,17 +496,17 @@ static int32_t rcar_dev_init(io_dev_info_t *dev_info, const uintptr_t name)
+ #endif
+ 
+ 	rcar_image_number = header[0];
+-	for (i = 0; i < rcar_image_number + 2; i++) {
+-		rcar_image_header[i] = header[i * 2 + 1];
+-		rcar_image_header_prttn[i] = header[i * 2 + 2];
+-	}
+-
+ 	if (rcar_image_number == 0 || rcar_image_number > RCAR_MAX_BL3X_IMAGE) {
+ 		WARN("Firmware Image Package header check failed.\n");
+ 		rc = IO_FAIL;
+ 		goto error;
+ 	}
+ 
++	for (i = 0; i < rcar_image_number + 2; i++) {
++		rcar_image_header[i] = header[i * 2 + 1];
++		rcar_image_header_prttn[i] = header[i * 2 + 2];
++	}
++
+ 	rc = io_seek(handle, IO_SEEK_SET, offset + RCAR_SECTOR6_CERT_OFFSET);
+ 	if (rc != IO_SUCCESS) {
+ 		WARN("Firmware Image Package header failed to seek cert\n");
+-- 
+2.20.1
+

arm-trusted-firmware.spec

@@ -2,11 +2,21 @@
 
 Name:          arm-trusted-firmware
 Version:       2.9
-Release:       1
+Release:       5
 Summary:       ARM Trusted Firmware
 License:       BSD
 URL:           https://github.com/ARM-software/arm-trusted-firmware/wiki
 Source0:       https://github.com/ARM-software/arm-trusted-firmware/archive/v%{version}/%{name}-%{version}.tar.gz
+# https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=a7eff3477dcf3624
+Patch0:        CVE-2023-49100.patch
+# https://github.com/renesas-rcar/arm-trusted-firmware/commit/235f85b654a031f7647e81b86fc8e4ffeb430164
+Patch1:        CVE-2024-6563.patch
+Patch2:        CVE-2024-6564.patch
+# https://github.com/renesas-rcar/arm-trusted-firmware/commit/6a96c18c474e6339fab93f54d52aa7dcc4b70e52
+Patch3:        CVE-2024-6287-1.patch
+# https://github.com/renesas-rcar/arm-trusted-firmware/commit/954d488a9798f8fda675c6b57c571b469b298f04
+Patch4:        CVE-2024-6287-2.patch
+Patch5:        CVE-2024-6285.patch
 ExclusiveArch: aarch64
 BuildRequires: dtc
 
@@ -27,7 +37,7 @@ sed -i 's/arm-none-eabi-/arm-linux-gnu-/' plat/rockchip/rk3399/drivers/m0/Makefi
 %build
 for soc in hikey hikey960 imx8qm imx8qx juno rk3368 rk3328 rpi3 sun50i_a64 sun50i_h6 zynqmp
 do
-make HOSTCC="gcc $RPM_OPT_FLAGS -fPIE -Wl,-z,relro,-z,now" CROSS_COMPILE="" PLAT=$(echo $soc) bl31
+make HOSTCC="%{CC} $RPM_OPT_FLAGS -fPIE -Wl,-z,relro,-z,now" CROSS_COMPILE="" PLAT=$(echo $soc) bl31
 done
 
 
@@ -61,6 +71,18 @@ strip %{buildroot}/%{_datadir}/%{name}/rk3368/bl31.elf
 %{_datadir}/%{name}
 
 %changelog
+* Mon Dec 16 2024 wangkai <13474090681@163.com> - 2.9-5
+- Fix CVE-2024-6285
+
+* Tue Oct 15 2024 yaoxin <yao_xin001@hoperun.com> - 2.9-4
+- Fix CVE-2024-6287
+
+* Tue Jul 09 2024 zhangxianting <zhangxianting@uniontech.com> - 2.9-3
+- Fix CVE-2024-6563 CVE-2024-6564
+
+* Tue Jan 23 2024 yaoxin <yao_xin001@hoperun.com> - 2.9-2
+- Fix CVE-2023-49100
+
 * Fri Jul 07 2023 xu_ping <707078654@qq.com> -2.9-1
 - Upgrade to 2.9