arm-trusted-firmware/CVE-2024-6563.patch

From 235f85b654a031f7647e81b86fc8e4ffeb430164 Mon Sep 17 00:00:00 2001
From: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
Date: Sun, 23 Apr 2023 21:37:42 +0900
Subject: [PATCH] rcar-gen3: plat: BL2: Enhanced buffer protection

If the parameter check is an error, the function is terminated immediately.

Reviewed-by: Ilay Levi <Ilay.levi@cymotive.com>
Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
---
 drivers/renesas/common/io/io_rcar.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c
index 45ef386..3ed5eaf 100644
--- a/drivers/renesas/common/io/io_rcar.c
+++ b/drivers/renesas/common/io/io_rcar.c
@@ -286,11 +286,13 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
 	if (dst >= prot_start && dst < prot_end) {
 		ERROR("BL2: dst address is on the protected area.\n");
 		result = IO_FAIL;
+		goto done;
 	}
 
 	if (dst < prot_start && dst > prot_start - len) {
 		ERROR("BL2: loaded data is on the protected area.\n");
 		result = IO_FAIL;
+		goto done;
 	}
 done:
 	if (result == IO_FAIL) {
-- 
2.33.0
Fix CVE-2024-6563 CVE-2024-6564 (cherry picked from commit 332ad893354e0f03bc07ebd0fec68b51ba6af993) 2024-07-02 23:18:30 +08:00			`From 235f85b654a031f7647e81b86fc8e4ffeb430164 Mon Sep 17 00:00:00 2001`
			`From: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>`
			`Date: Sun, 23 Apr 2023 21:37:42 +0900`
			`Subject: [PATCH] rcar-gen3: plat: BL2: Enhanced buffer protection`

			`If the parameter check is an error, the function is terminated immediately.`

			`Reviewed-by: Ilay Levi <Ilay.levi@cymotive.com>`
			`Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>`
			`---`
			`drivers/renesas/common/io/io_rcar.c \| 2 ++`
			`1 file changed, 2 insertions(+)`

			`diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c`
			`index 45ef386..3ed5eaf 100644`
			`--- a/drivers/renesas/common/io/io_rcar.c`
			`+++ b/drivers/renesas/common/io/io_rcar.c`
			`@@ -286,11 +286,13 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)`
			`if (dst >= prot_start && dst < prot_end) {`
			`ERROR("BL2: dst address is on the protected area.\n");`
			`result = IO_FAIL;`
			`+ goto done;`
			`}`

			`if (dst < prot_start && dst > prot_start - len) {`
			`ERROR("BL2: loaded data is on the protected area.\n");`
			`result = IO_FAIL;`
			`+ goto done;`
			`}`
			`done:`
			`if (result == IO_FAIL) {`
			`--`
			`2.33.0`