From 7ad837e995e7cb91785f9e00b0d353521d60bbb8 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Tue, 10 Dec 2024 14:36:55 +0800
Subject: [PATCH] Fix CVE-2024-6285

---
 CVE-2024-6285.patch       | 44 +++++++++++++++++++++++++++++++++++++++
 arm-trusted-firmware.spec |  7 ++++++-
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2024-6285.patch

diff --git a/CVE-2024-6285.patch b/CVE-2024-6285.patch
new file mode 100644
index 0000000..b7d572d
--- /dev/null
+++ b/CVE-2024-6285.patch
@@ -0,0 +1,44 @@
+From 9778b270e29bac3e16f57f9557098c45858c05de Mon Sep 17 00:00:00 2001
+From: Tobias Rist <tobias.rist@joynext.com>
+Date: Tue, 7 Mar 2023 09:40:37 +0100
+Subject: [PATCH] fix(rcar3-drivers): check for length underflow
+
+Make sure the length of the payload is not longer than the
+DRAM size in check_load_area(), and make sure the payload
+end does not cross protected area start.
+
+Signed-off-by: Tobias Rist <tobias.rist@joynext.com>
+Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
+Change-Id: I4d687be577a138352be9f92e5b0b6f596ffffba9
+
+Origin:
+https://github.com/ARM-software/arm-trusted-firmware/commit/9778b270e29bac3e16f57f9557098c45858c05de
+---
+ drivers/renesas/common/io/io_rcar.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c
+index bbd0b892ed..82bf3289a2 100644
+--- a/drivers/renesas/common/io/io_rcar.c
++++ b/drivers/renesas/common/io/io_rcar.c
+@@ -291,7 +291,7 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
+ 
+ 	prot_end = prot_start + DRAM_PROTECTED_SIZE;
+ 
+-	if (dst < dram_start || dst > dram_end - len) {
++	if (dst < dram_start || len > dram_end || dst > dram_end - len) {
+ 		ERROR("BL2: dst address is on the protected area.\n");
+ 		result = IO_FAIL;
+ 		goto done;
+@@ -303,8 +303,9 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
+ 		result = IO_FAIL;
+ 	}
+ 
+-	if (dst < prot_start && dst > prot_start - len) {
+-		ERROR("BL2: loaded data is on the protected area.\n");
++	if (len > prot_start || (dst < prot_start && dst > prot_start - len)) {
++		ERROR("BL2: %s[%d] loaded data is on the protected area.\n",
++			__func__, __LINE__);
+ 		result = IO_FAIL;
+ 	}
+ done:
diff --git a/arm-trusted-firmware.spec b/arm-trusted-firmware.spec
index 965b67b..84b2d79 100644
--- a/arm-trusted-firmware.spec
+++ b/arm-trusted-firmware.spec
@@ -2,7 +2,7 @@
 
 Name:          arm-trusted-firmware
 Version:       2.9
-Release:       4
+Release:       5
 Summary:       ARM Trusted Firmware
 License:       BSD
 URL:           https://github.com/ARM-software/arm-trusted-firmware/wiki
@@ -16,6 +16,8 @@ Patch2:        CVE-2024-6564.patch
 Patch3:        CVE-2024-6287-1.patch
 # https://github.com/renesas-rcar/arm-trusted-firmware/commit/954d488a9798f8fda675c6b57c571b469b298f04
 Patch4:        CVE-2024-6287-2.patch
+# https://github.com/ARM-software/arm-trusted-firmware/commit/9778b270e29bac3e16f57f9557098c45858c05de
+Patch5:        CVE-2024-6285.patch
 ExclusiveArch: aarch64
 BuildRequires: dtc
 
@@ -70,6 +72,9 @@ strip %{buildroot}/%{_datadir}/%{name}/rk3368/bl31.elf
 %{_datadir}/%{name}
 
 %changelog
+* Tue Dec 10 2024 yaoxin <yao_xin001@hoperun.com> - 2.9-5
+- Fix CVE-2024-6285
+
 * Tue Oct 15 2024 yaoxin <yao_xin001@hoperun.com> - 2.9-4
 - Fix CVE-2024-6287
 
-- 
Gitee