CVE-2024-53071

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-53071
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-53071.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-53071
Downstream
Related
Published
2024-11-19T17:22:38Z
Modified
2025-10-09T22:39:21.462078Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
drm/panthor: Be stricter about IO mapping flags
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/panthor: Be stricter about IO mapping flags

The current panthordevicemmap_io() implementation has two issues:

  1. For mapping DRMPANTHORUSERFLUSHIDMMIOOFFSET, panthordevicemmapio() bails if VMWRITE is set, but does not clear VMMAYWRITE. That means userspace can use mprotect() to make the mapping writable later on. This is a classic Linux driver gotcha. I don't think this actually has any impact in practice: When the GPU is powered, writes to the FLUSHID seem to be ignored; and when the GPU is not powered, the dummylatestflush page provided by the driver is deliberately designed to not do any flushes, so the only thing writing to the dummylatestflush could achieve would be to make more flushes happen.

  2. panthordevicemmapio() does not block MAPPRIVATE mappings (which are mappings without the VMSHARED flag). MAPPRIVATE in combination with VMMAYWRITE indicates that the VMA has copy-on-write semantics, which for VMPFNMAP are semi-supported but fairly cursed. In particular, in such a mapping, the driver can only install PTEs during mmap() by calling remappfnrange() (because remappfnrange() wants to store the physical address of the mapped physical memory into the vmpgoff of the VMA); installing PTEs later on with a fault handler (as panthor does) is not supported in private mappings, and so if you try to fault in such a mapping, vmfinsertpfnprot() splats when it hits a BUG() check.

Fix it by clearing the VMMAYWRITE flag (userspace writing to the FLUSHID doesn't make sense) and requiring VMSHARED (copy-on-write semantics for the FLUSHID don't make sense).

Reproducers for both scenarios are in the notes of my patch on the mailing list; I tested that these bugs exist on a Rock 5B machine.

Note that I only compile-tested the patch, I haven't tested it; I don't have a working kernel build setup for the test machine yet. Please test it before applying it.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5fe909cae118a757a77afb37174b99436a36d2e2
Fixed
2604afd65043e8f9d4be036cb1242adf6b5723cf
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5fe909cae118a757a77afb37174b99436a36d2e2
Fixed
f432a1621f049bb207e78363d9d0e3c6fa2da5db

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.11.1
v6.11.2
v6.11.3
v6.11.4
v6.11.5
v6.11.6
v6.11.7
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.8
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.10.0
Fixed
6.11.8