Merge changes Ieeabafa8,I4d687be5,I0c50152a,I80e93582 into integration * changes: fix(rcar3-drivers): check "rcar_image_number" variable before use fix(rcar3-drivers): check for length underflow fix(rcar3-drivers): add integer overflow check fix(rcar3-drivers): add integer overflow check

commit: 05916637e44597537e58601dc63da69489b00950 [log] [tgz]
author: Sandrine Bailleux <sandrine.bailleux@arm.com> Mon Dec 04 17:22:44 2023 +0100
committer: TrustedFirmware Code Review <review@review.trustedfirmware.org> Mon Dec 04 17:22:44 2023 +0100
tree: f25084ae002c548ff556e6835e5d83ead12f29cd
parent: e2ed3e7ecea338ee7c7a2192e2983b452bcd8ada [diff]
parent: 473cfc83806af342310ca269b034750894e6ff44 [diff]
diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c
index 45ef386..0c49ec9 100644
--- a/drivers/renesas/common/io/io_rcar.c
+++ b/drivers/renesas/common/io/io_rcar.c

@@ -244,8 +244,16 @@
 			dstl = cert + RCAR_CERT_INFO_DST_OFFSET;
 			break;
 		}
+		val = mmio_read_32(size);
+		if (val > (UINT32_MAX / 4)) {
+			ERROR("BL2: %s[%d] uint32 overflow!\n",
+				__func__, __LINE__);
+			*dst = 0;
+			*len = 0;
+			return;
+		}
 
-		*len = mmio_read_32(size) * 4U;
+		*len = val * 4U;
 		dsth = dstl + 4U;
 		*dst = ((uintptr_t) mmio_read_32(dsth) << 32) +
 		    ((uintptr_t) mmio_read_32(dstl));
@@ -253,7 +261,14 @@
 	}
 
 	size = cert + RCAR_CERT_INFO_SIZE_OFFSET;
-	*len = mmio_read_32(size) * 4U;
+	val = mmio_read_32(size);
+	if (val > (UINT32_MAX / 4)) {
+		ERROR("BL2: %s[%d] uint32 overflow!\n", __func__, __LINE__);
+		*dst = 0;
+		*len = 0;
+		return;
+	}
+	*len = val * 4U;
 	dstl = cert + RCAR_CERT_INFO_DST_OFFSET;
 	dsth = dstl + 4U;
 	*dst = ((uintptr_t) mmio_read_32(dsth) << 32) +
@@ -276,7 +291,7 @@
 
 	prot_end = prot_start + DRAM_PROTECTED_SIZE;
 
-	if (dst < dram_start || dst > dram_end - len) {
+	if (dst < dram_start || len > dram_end || dst > dram_end - len) {
 		ERROR("BL2: dst address is on the protected area.\n");
 		result = IO_FAIL;
 		goto done;
@@ -288,8 +303,9 @@
 		result = IO_FAIL;
 	}
 
-	if (dst < prot_start && dst > prot_start - len) {
-		ERROR("BL2: loaded data is on the protected area.\n");
+	if (len > prot_start || (dst < prot_start && dst > prot_start - len)) {
+		ERROR("BL2: %s[%d] loaded data is on the protected area.\n",
+			__func__, __LINE__);
 		result = IO_FAIL;
 	}
 done:
@@ -435,17 +451,17 @@
 #endif
 
 	rcar_image_number = header[0];
-	for (i = 0; i < rcar_image_number + 2; i++) {
-		rcar_image_header[i] = header[i * 2 + 1];
-		rcar_image_header_prttn[i] = header[i * 2 + 2];
-	}
-
 	if (rcar_image_number == 0 || rcar_image_number > RCAR_MAX_BL3X_IMAGE) {
 		WARN("Firmware Image Package header check failed.\n");
 		rc = IO_FAIL;
 		goto error;
 	}
 
+	for (i = 0; i < rcar_image_number + 2; i++) {
+		rcar_image_header[i] = header[i * 2 + 1];
+		rcar_image_header_prttn[i] = header[i * 2 + 2];
+	}
+
 	rc = io_seek(handle, IO_SEEK_SET, offset + RCAR_SECTOR6_CERT_OFFSET);
 	if (rc != IO_SUCCESS) {
 		WARN("Firmware Image Package header failed to seek cert\n");
commit	05916637e44597537e58601dc63da69489b00950	[log] [tgz]
author	Sandrine Bailleux <sandrine.bailleux@arm.com>	Mon Dec 04 17:22:44 2023 +0100
committer	TrustedFirmware Code Review <review@review.trustedfirmware.org>	Mon Dec 04 17:22:44 2023 +0100
tree	f25084ae002c548ff556e6835e5d83ead12f29cd
parent	e2ed3e7ecea338ee7c7a2192e2983b452bcd8ada [diff]
parent	473cfc83806af342310ca269b034750894e6ff44 [diff]