Update to 2.12.1 for fix CVE-2024-7881 and CVE-2024-5660

(cherry picked from commit 0c548ea012bd592b1fc655b361de4fa0eeda2795)
2025-03-21 09:31:07 +08:00 · 2025-03-21 09:31:07 +08:00 · 5c85002ffe
commit 5c85002ffe
parent 2c7a048d0d
9 changed files with 50 additions and 318 deletions
--- a/CVE-2023-49100.patch
+++ b/CVE-2023-49100.patch
@ -1,37 +0,0 @@
 From a7eff3477dcf3624c74f5217419b1a27b7ebd2aa Mon Sep 17 00:00:00 2001
 From: Manish Pandey <manish.pandey2@arm.com>
 Date: Thu, 26 Oct 2023 11:14:21 +0100
 Subject: fix(sdei): ensure that interrupt ID is valid
 As per SDEI spec (section 5.1.14.1), SDEI_INTERRUPT_BIND interface
 expects a valid PPI or SPI. SGI's are not allowed to be bounded.
 Current check in the code only checks for an SGI and returns invalid
 ID. This check is insufficient as it will not catch architecturally
 invalid interrupt IDs.
 Modify the check to ensure that interrupt is either PPI or SPI.
 Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
 Change-Id: I52eb0a6d7f88a12f6816cff9b68fb3a7ca12cbb7
 ---
 services/std_svc/sdei/sdei_main.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/services/std_svc/sdei/sdei_main.c b/services/std_svc/sdei/sdei_main.c
 index 44178eddd3..0fd3c1d32c 100644
 --- a/services/std_svc/sdei/sdei_main.c
 +++ b/services/std_svc/sdei/sdei_main.c
@@ -710,8 +710,8 @@ static int sdei_interrupt_bind(unsigned int intr_num)
 	sdei_ev_map_t *map;
 	bool retry = true, shared_mapping;
 -	/* SGIs are not allowed to be bound */
 -	if (plat_ic_is_sgi(intr_num) != 0)
 +	/* Interrupt must be either PPI or SPI */
 +	if (!(plat_ic_is_ppi(intr_num) || plat_ic_is_spi(intr_num)))
 		return SDEI_EINVAL;
 	shared_mapping = (plat_ic_is_spi(intr_num) != 0);
 -- 
 cgit v1.2.3
--- a/CVE-2024-6285.patch
+++ b/CVE-2024-6285.patch
@ -1,47 +0,0 @@
 From 9778b270e29bac3e16f57f9557098c45858c05de Mon Sep 17 00:00:00 2001
 From: Tobias Rist <tobias.rist@joynext.com>
 Date: Tue, 7 Mar 2023 09:40:37 +0100
 Subject: [PATCH] fix(rcar3-drivers): check for length underflow
 Origin: https://github.com/ARM-software/arm-trusted-firmware/commit/9778b270e29bac3e16f57f9557098c45858c05de
 https://github.com/renesas-rcar/arm-trusted-firmware/commit/b596f580637bae919b0ac3a5471422a1f756db3b
 Make sure the length of the payload is not longer than the
 DRAM size in check_load_area(), and make sure the payload
 end does not cross protected area start.
 Signed-off-by: Tobias Rist <tobias.rist@joynext.com>
 Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
 Change-Id: I4d687be577a138352be9f92e5b0b6f596ffffba9
 ---
 drivers/renesas/common/io/io_rcar.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
 diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c
 index c169923..603fefd 100644
 --- a/drivers/renesas/common/io/io_rcar.c
 +++ b/drivers/renesas/common/io/io_rcar.c
@@ -288,7 +288,7 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
 	prot_end = prot_start + DRAM_PROTECTED_SIZE;
 -	if (dst < dram_start || dst > dram_end - len) {
 +	if (dst < dram_start || len > dram_end || dst > dram_end - len) {
 		ERROR("BL2: dst address is on the protected area.\n");
 		result = IO_FAIL;
 		goto done;
@@ -301,8 +301,9 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
 		goto done;
 	}
 -	if (dst < prot_start && dst > prot_start - len) {
 -		ERROR("BL2: loaded data is on the protected area.\n");
 +	if (len > prot_start || (dst < prot_start && dst > prot_start - len)) {
 +		ERROR("BL2: %s[%d] loaded data is on the protected area.\n",
 +			__func__, __LINE__);
 		result = IO_FAIL;
 		goto done;
 	}
 -- 
 2.33.0
--- a/CVE-2024-6287-1.patch
+++ b/CVE-2024-6287-1.patch
@ -1,100 +0,0 @@
 From 6a96c18c474e6339fab93f54d52aa7dcc4b70e52 Mon Sep 17 00:00:00 2001
 From: Tobias Rist <tobias.rist@joynext.com>
 Date: Thu, 16 Mar 2023 21:31:15 +0900
 Subject: [PATCH] rcar-gen3: plat: BL2: check loaded NS image area
 Check if next NS image invades a previous loaded image.
 Correct non secure image area to avoid loading a NS image to secure
 Signed-off-by: Tobias Rist <tobias.rist@joynext.com>
 Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
 ---
 drivers/renesas/common/io/io_rcar.c    | 46 ++++++++++++++++++++++++--
 plat/renesas/common/include/rcar_def.h |  2 +-
 2 files changed, 45 insertions(+), 3 deletions(-)
 diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c
 index 1459ba28b2..1a32430847 100644
 --- a/drivers/renesas/common/io/io_rcar.c
 +++ b/drivers/renesas/common/io/io_rcar.c
@@ -84,6 +84,18 @@ typedef struct {
 #define RCAR_COUNT_LOAD_BL33		(2U)
 #define RCAR_COUNT_LOAD_BL33X		(3U)
 +#define CHECK_IMAGE_AREA_CNT (5U)
 +#define BOOT_BL2_ADDR (0xE6304000U)
 +#define BOOT_BL2_LENGTH (0x19000U)
 +
 +typedef struct {
 +	uintptr_t dest;
 +	uintptr_t length;
 +} addr_loaded_t;
 +
 +static addr_loaded_t addr_loaded[CHECK_IMAGE_AREA_CNT] = { [0] = {BOOT_BL2_ADDR, BOOT_BL2_LENGTH} };
 +static uint32_t addr_loaded_cnt = 1;
 +
 static const plat_rcar_name_offset_t name_offset[] = {
 	{BL31_IMAGE_ID, 0U, RCAR_ATTR_SET_ALL(0, 0, 0)},
@@ -268,9 +280,9 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
 	uintptr_t prot_start, prot_end;
 	int32_t result = IO_SUCCESS;
 -	dram_start = legacy ? DRAM1_BASE : DRAM_40BIT_BASE;
 +	dram_start = legacy ? DRAM1_NS_BASE : DRAM_40BIT_BASE;
 -	dram_end = legacy ? DRAM1_BASE + DRAM1_SIZE :
 +	dram_end = legacy ? DRAM1_NS_BASE + DRAM1_NS_SIZE :
 	    DRAM_40BIT_BASE + DRAM_40BIT_SIZE;
 	prot_start = legacy ? DRAM_PROTECTED_BASE : DRAM_40BIT_PROTECTED_BASE;
@@ -298,6 +310,36 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
 		ERROR("BL2: Out of range : dst=0x%lx len=0x%lx\n", dst, len);
 	}
 +	if (addr_loaded_cnt >= CHECK_IMAGE_AREA_CNT) {
 +		ERROR("BL2: max loadable non secure images reached\n");
 +		result = IO_FAIL;
 +	}
 +	addr_loaded[addr_loaded_cnt].dest = dst;
 +	addr_loaded[addr_loaded_cnt].length = len;
 +	for(int n=0; n<addr_loaded_cnt; n++) {
 +		/* Check if next image invades a previous loaded image
 +		 *
 +		 * IMAGE n: area from previous image:	dest| IMAGE n |length
 +		 * IMAGE n+1: area from next image:	dst | IMAGE n |len
 +		 *
 +		 * 1. check:
 +		 *      | IMAGE n |
 +		 *           | IMAGE n+1 |
 +		 * 2. check:
 +		 *      | IMAGE n |
 +		 *  | IMAGE n+1 |
 +		 *
 +		 * */
 +		if (((dst > addr_loaded[n].dest) &&
 +		     (dst <  addr_loaded[n].dest + addr_loaded[n].length)) ||
 +		    (((dst < addr_loaded[n].dest) &&
 +		      (dst + len)) > addr_loaded[n].dest)) {
 +			ERROR("BL2: image is inside a previous image area.\n");
 +			result = IO_FAIL;
 +		}
 +	}
 +	addr_loaded_cnt++;
 +
 	return result;
 }
 diff --git a/plat/renesas/common/include/rcar_def.h b/plat/renesas/common/include/rcar_def.h
 index 1b4527a9fc..38706a8373 100644
 --- a/plat/renesas/common/include/rcar_def.h
 +++ b/plat/renesas/common/include/rcar_def.h
@@ -31,7 +31,7 @@
 #define DRAM_LIMIT			ULL(0x0000010000000000)
 #define DRAM1_BASE			U(0x40000000)
 #define DRAM1_SIZE			U(0x80000000)
 -#define DRAM1_NS_BASE			(DRAM1_BASE + U(0x10000000))
 +#define DRAM1_NS_BASE			(DRAM1_BASE + U(0x08000000))
 #define DRAM1_NS_SIZE			(DRAM1_SIZE - DRAM1_NS_BASE)
 #define DRAM_40BIT_BASE			ULL(0x0400000000)
 #define DRAM_40BIT_SIZE			ULL(0x0400000000)
--- a/CVE-2024-6287-2.patch
+++ b/CVE-2024-6287-2.patch
@ -1,41 +0,0 @@
 From 954d488a9798f8fda675c6b57c571b469b298f04 Mon Sep 17 00:00:00 2001
 From: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
 Date: Sun, 23 Apr 2023 21:11:15 +0900
 Subject: [PATCH] rcar-gen3: plat: BL2: fix Incorrect Address Range Calculation
 Check against all address overlap cases
 Reviewed-by: Tomer Fichman <Tomer.Fichman@cymotive.com>
 Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
 ---
 drivers/renesas/common/io/io_rcar.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
 diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c
 index 9b29a5be81..21ed411137 100644
 --- a/drivers/renesas/common/io/io_rcar.c
 +++ b/drivers/renesas/common/io/io_rcar.c
@@ -335,13 +335,18 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
 		 * 2. check:
 		 *      | IMAGE n |
 		 *  | IMAGE n+1 |
 +		 * 3. check:
 +		 *      | IMAGE n |
 +		 *  |    IMAGE n+1    |
 		 *
 		 * */
 -		if (((dst > addr_loaded[n].dest) &&
 -		     (dst <  addr_loaded[n].dest + addr_loaded[n].length)) ||
 -		    (((dst < addr_loaded[n].dest) &&
 -		      (dst + len)) > addr_loaded[n].dest)) {
 -			ERROR("BL2: image is inside a previous image area.\n");
 +		if (((dst >= addr_loaded[n].dest) &&
 +		     (dst <=  addr_loaded[n].dest + addr_loaded[n].length)) ||
 +		    ((dst + len >= addr_loaded[n].dest) &&
 +		     (dst + len <= addr_loaded[n].dest + addr_loaded[n].length)) ||
 +		    ((dst <= addr_loaded[n].dest) &&
 +		     (dst + len >= addr_loaded[n].dest + addr_loaded[n].length))) {
 +			ERROR("BL2: next image overlap a previous image area.\n");
 			result = IO_FAIL;
 		}
 	}
--- a/CVE-2024-6563.patch
+++ b/CVE-2024-6563.patch
@ -1,34 +0,0 @@
 From 235f85b654a031f7647e81b86fc8e4ffeb430164 Mon Sep 17 00:00:00 2001
 From: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
 Date: Sun, 23 Apr 2023 21:37:42 +0900
 Subject: [PATCH] rcar-gen3: plat: BL2: Enhanced buffer protection
 If the parameter check is an error, the function is terminated immediately.
 Reviewed-by: Ilay Levi <Ilay.levi@cymotive.com>
 Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
 ---
 drivers/renesas/common/io/io_rcar.c | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c
 index 45ef386..3ed5eaf 100644
 --- a/drivers/renesas/common/io/io_rcar.c
 +++ b/drivers/renesas/common/io/io_rcar.c
@@ -286,11 +286,13 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
 	if (dst >= prot_start && dst < prot_end) {
 		ERROR("BL2: dst address is on the protected area.\n");
 		result = IO_FAIL;
 +		goto done;
 	}
 	if (dst < prot_start && dst > prot_start - len) {
 		ERROR("BL2: loaded data is on the protected area.\n");
 		result = IO_FAIL;
 +		goto done;
 	}
 done:
 	if (result == IO_FAIL) {
 -- 
 2.33.0
--- a/CVE-2024-6564.patch
+++ b/CVE-2024-6564.patch
@ -1,42 +0,0 @@
 From c9fb3558410032d2660c7f3b7d4b87dec09fe2f2 Mon Sep 17 00:00:00 2001
 From: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
 Date: Mon, 3 Jul 2023 16:58:11 +0900
 Subject: [PATCH] rcar-gen3: plat: BL2: Fix to check "rcar_image_number"
 variable before use
 Reviewed-by: Tomer Fichman <Tomer.Fichman@cymotive.com>
 Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
 ---
 drivers/renesas/common/io/io_rcar.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
 diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c
 index b1638a1e0..03a8f8212 100644
 --- a/drivers/renesas/common/io/io_rcar.c
 +++ b/drivers/renesas/common/io/io_rcar.c
@@ -496,17 +496,17 @@ static int32_t rcar_dev_init(io_dev_info_t *dev_info, const uintptr_t name)
 #endif
 	rcar_image_number = header[0];
 -	for (i = 0; i < rcar_image_number + 2; i++) {
 -		rcar_image_header[i] = header[i * 2 + 1];
 -		rcar_image_header_prttn[i] = header[i * 2 + 2];
 -	}
 -
 	if (rcar_image_number == 0 || rcar_image_number > RCAR_MAX_BL3X_IMAGE) {
 		WARN("Firmware Image Package header check failed.\n");
 		rc = IO_FAIL;
 		goto error;
 	}
 +	for (i = 0; i < rcar_image_number + 2; i++) {
 +		rcar_image_header[i] = header[i * 2 + 1];
 +		rcar_image_header_prttn[i] = header[i * 2 + 2];
 +	}
 +
 	rc = io_seek(handle, IO_SEEK_SET, offset + RCAR_SECTOR6_CERT_OFFSET);
 	if (rc != IO_SUCCESS) {
 		WARN("Firmware Image Package header failed to seek cert\n");
 -- 
 2.20.1
--- a/arm-trusted-firmware-2.12.1.tar.gz
+++ b/arm-trusted-firmware-2.12.1.tar.gz
--- a/arm-trusted-firmware-2.9.tar.gz
+++ b/arm-trusted-firmware-2.9.tar.gz
--- a/arm-trusted-firmware.spec
+++ b/arm-trusted-firmware.spec
@ -1,24 +1,15 @@
 %global debug_package %{nil}
 Name:          arm-trusted-firmware
-Version:       2.9
+Version:       2.12.1
-Release:       5
+Release:       1
 Summary:       ARM Trusted Firmware
-License:       BSD
+License:       BSD-3-clause
 URL:           https://github.com/ARM-software/arm-trusted-firmware/wiki
-Source0:       https://github.com/ARM-software/arm-trusted-firmware/archive/v%{version}/%{name}-%{version}.tar.gz
+Source0:       https://github.com/ARM-software/arm-trusted-firmware/archive/lts-v%{version}/%{name}-%{version}.tar.gz
 # https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=a7eff3477dcf3624
 Patch0:        CVE-2023-49100.patch
 # https://github.com/renesas-rcar/arm-trusted-firmware/commit/235f85b654a031f7647e81b86fc8e4ffeb430164
 Patch1:        CVE-2024-6563.patch
 Patch2:        CVE-2024-6564.patch
 # https://github.com/renesas-rcar/arm-trusted-firmware/commit/6a96c18c474e6339fab93f54d52aa7dcc4b70e52
 Patch3:        CVE-2024-6287-1.patch
 # https://github.com/renesas-rcar/arm-trusted-firmware/commit/954d488a9798f8fda675c6b57c571b469b298f04
 Patch4:        CVE-2024-6287-2.patch
 Patch5:        CVE-2024-6285.patch
 ExclusiveArch: aarch64
 BuildRequires: dtc
 BuildRequires: gcc openssl-devel
 %description
 Trusted Firmware-A is a reference implementation of secure world software
@ -31,10 +22,11 @@ ARM Trusted Firmware for various ARMv8-A SoCs.
 %prep
-%autosetup -p1 -n %{name}-%{version}
+%autosetup -p1 -n %{name}-lts-v%{version}
 sed -i 's/arm-none-eabi-/arm-linux-gnu-/' plat/rockchip/rk3399/drivers/m0/Makefile
 %build
 export CC=gcc
 for soc in hikey hikey960 imx8qm imx8qx juno rk3368 rk3328 rpi3 sun50i_a64 sun50i_h6 zynqmp
 do
 make HOSTCC="%{CC} $RPM_OPT_FLAGS -fPIE -Wl,-z,relro,-z,now" CROSS_COMPILE="" PLAT=$(echo $soc) bl31
@ -71,8 +63,49 @@ strip %{buildroot}/%{_datadir}/%{name}/rk3368/bl31.elf
 %{_datadir}/%{name}
 %changelog
-* Mon Dec 16 2024 wangkai <13474090681@163.com> - 2.9-5
+* Thu Mar 20 2025 yaoxin <1024769339@qq.com> - 2.12.1-1
- Fix CVE-2024-6285
+- Update to 2.12.1 for fix CVE-2024-7881 and CVE-2024-5660
 * Wed Nov 27 2024 yaoxin <yao_xin001@hoperun.com> - 2.12.0-1
 - Update to 2.12.0
 - Bootloader Images:
    * remove unused plat_try_next_boot_source
 - Architecture:
    *Branch Record Buffer Extension (FEAT_BRBE)
    * allow RME builds with BRBE
 - Arm:
    * avoid stripping kernel trampoline
    * add DRAM memory regions that linux kernel can share
    * add optee specific mem-size attribute
    * add secure uart interrupt in device region
    * enable FEAT_MTE2
    * fix the FF-A optee manifest by adding the boot info node
    * update the memory size allocated to optee at EL1
 - Intel:
    * add cache invalidation during BL31 initialization
    * add in JTAG ID for Linux FCS
    * add in missing ECC register
    * add in watchdog for QSPI driver
    * bridge ack timing issue causing fpga config hung
    * correct macro naming
    * f2sdram bridge quick write thru failed
    * fix bridge enable and disable function
    * fix CCU for cache maintenance
    * flush L1/L2/L3/Sys cache before HPS cold reset
    * implement soc and lwsoc bridge control for burst speed
    * refactor SDMMC driver for Altera products
    * remove redundant BIT_32 macro
    * software workaround for bridge timeout
    * update Agilex5 BL2 init flow and other misc changes
    * update Agilex5 warm reset subroutines
    * update all the platforms hand-off data offset value
    * update CCU configuration for Agilex5 platform
    * update mailbox SDM printout message
    * update memcpy to memcpy_s ([e264b55]
    * update outdated code for Linux direct boot
    * update preloaded_bl33_base for legacy product
    * update sip smc config addr for agilex5
    * update the size with addition 0x8000 0000 base
 * Tue Oct 15 2024 yaoxin <yao_xin001@hoperun.com> - 2.9-4
 - Fix CVE-2024-6287