Fix CVE-2024-6563 CVE-2024-6564

(cherry picked from commit 332ad893354e0f03bc07ebd0fec68b51ba6af993)

CVE-2024-6563.patch

@@ -0,0 +1,34 @@
+From 235f85b654a031f7647e81b86fc8e4ffeb430164 Mon Sep 17 00:00:00 2001
+From: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
+Date: Sun, 23 Apr 2023 21:37:42 +0900
+Subject: [PATCH] rcar-gen3: plat: BL2: Enhanced buffer protection
+
+If the parameter check is an error, the function is terminated immediately.
+
+Reviewed-by: Ilay Levi <Ilay.levi@cymotive.com>
+Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
+---
+ drivers/renesas/common/io/io_rcar.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c
+index 45ef386..3ed5eaf 100644
+--- a/drivers/renesas/common/io/io_rcar.c
++++ b/drivers/renesas/common/io/io_rcar.c
+@@ -286,11 +286,13 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
+ 	if (dst >= prot_start && dst < prot_end) {
+ 		ERROR("BL2: dst address is on the protected area.\n");
+ 		result = IO_FAIL;
++		goto done;
+ 	}
+ 
+ 	if (dst < prot_start && dst > prot_start - len) {
+ 		ERROR("BL2: loaded data is on the protected area.\n");
+ 		result = IO_FAIL;
++		goto done;
+ 	}
+ done:
+ 	if (result == IO_FAIL) {
+-- 
+2.33.0
+

CVE-2024-6564.patch

@@ -0,0 +1,42 @@
+From c9fb3558410032d2660c7f3b7d4b87dec09fe2f2 Mon Sep 17 00:00:00 2001
+From: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
+Date: Mon, 3 Jul 2023 16:58:11 +0900
+Subject: [PATCH] rcar-gen3: plat: BL2: Fix to check "rcar_image_number"
+ variable before use
+
+Reviewed-by: Tomer Fichman <Tomer.Fichman@cymotive.com>
+Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
+---
+ drivers/renesas/common/io/io_rcar.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c
+index b1638a1e0..03a8f8212 100644
+--- a/drivers/renesas/common/io/io_rcar.c
++++ b/drivers/renesas/common/io/io_rcar.c
+@@ -496,17 +496,17 @@ static int32_t rcar_dev_init(io_dev_info_t *dev_info, const uintptr_t name)
+ #endif
+ 
+ 	rcar_image_number = header[0];
+-	for (i = 0; i < rcar_image_number + 2; i++) {
+-		rcar_image_header[i] = header[i * 2 + 1];
+-		rcar_image_header_prttn[i] = header[i * 2 + 2];
+-	}
+-
+ 	if (rcar_image_number == 0 || rcar_image_number > RCAR_MAX_BL3X_IMAGE) {
+ 		WARN("Firmware Image Package header check failed.\n");
+ 		rc = IO_FAIL;
+ 		goto error;
+ 	}
+ 
++	for (i = 0; i < rcar_image_number + 2; i++) {
++		rcar_image_header[i] = header[i * 2 + 1];
++		rcar_image_header_prttn[i] = header[i * 2 + 2];
++	}
++
+ 	rc = io_seek(handle, IO_SEEK_SET, offset + RCAR_SECTOR6_CERT_OFFSET);
+ 	if (rc != IO_SUCCESS) {
+ 		WARN("Firmware Image Package header failed to seek cert\n");
+-- 
+2.20.1
+

arm-trusted-firmware.spec

@@ -2,13 +2,16 @@
 
 Name:          arm-trusted-firmware
 Version:       2.9
-Release:       2
+Release:       3
 Summary:       ARM Trusted Firmware
 License:       BSD
 URL:           https://github.com/ARM-software/arm-trusted-firmware/wiki
 Source0:       https://github.com/ARM-software/arm-trusted-firmware/archive/v%{version}/%{name}-%{version}.tar.gz
 # https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=a7eff3477dcf3624
 Patch0:        CVE-2023-49100.patch
+# https://github.com/renesas-rcar/arm-trusted-firmware/commit/235f85b654a031f7647e81b86fc8e4ffeb430164
+Patch1:        CVE-2024-6563.patch
+Patch2:        CVE-2024-6564.patch
 ExclusiveArch: aarch64
 BuildRequires: dtc
 
@@ -63,6 +66,9 @@ strip %{buildroot}/%{_datadir}/%{name}/rk3368/bl31.elf
 %{_datadir}/%{name}
 
 %changelog
+* Tue Jul 09 2024 zhangxianting <zhangxianting@uniontech.com> - 2.9-3
+- Fix CVE-2024-6563 CVE-2024-6564
+
 * Tue Jan 23 2024 yaoxin <yao_xin001@hoperun.com> - 2.9-2
 - Fix CVE-2023-49100