Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2024-53071

Disclosure Date: November 19, 2024
CVE-2024-53071
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/panthor: Be stricter about IO mapping flags

The current panthor_device_mmap_io() implementation has two issues:

  1. For mapping DRM_PANTHOR_USER_FLUSH_ID_MMIO_OFFSET,
    panthor_device_mmap_io() bails if VM_WRITE is set, but does not clear
    VM_MAYWRITE. That means userspace can use mprotect() to make the mapping
    writable later on. This is a classic Linux driver gotcha.
    I don’t think this actually has any impact in practice:
    When the GPU is powered, writes to the FLUSH_ID seem to be ignored; and
    when the GPU is not powered, the dummy_latest_flush page provided by the
    driver is deliberately designed to not do any flushes, so the only thing
    writing to the dummy_latest_flush could achieve would be to make more
    flushes happen.

  2. panthor_device_mmap_io() does not block MAP_PRIVATE mappings (which are
    mappings without the VM_SHARED flag).
    MAP_PRIVATE in combination with VM_MAYWRITE indicates that the VMA has
    copy-on-write semantics, which for VM_PFNMAP are semi-supported but
    fairly cursed.
    In particular, in such a mapping, the driver can only install PTEs
    during mmap() by calling remap_pfn_range() (because remap_pfn_range()
    wants to store the physical address of the mapped physical memory into
    the vm_pgoff of the VMA    ); installing PTEs later on with a fault
    handler (as panthor does) is not supported in private mappings, and so
    if you try to fault in such a mapping, vmf_insert_pfn_prot() splats when
    it hits a BUG() check.

Fix it by clearing the VM_MAYWRITE flag (userspace writing to the FLUSH_ID
doesn’t make sense) and requiring VM_SHARED (copy-on-write semantics for
the FLUSH_ID don’t make sense).

Reproducers for both scenarios are in the notes of my patch on the mailing
list; I tested that these bugs exist on a Rock 5B machine.

Note that I only compile-tested the patch, I haven’t tested it; I don’t
have a working kernel build setup for the test machine yet. Please test it
before applying it.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Unknown
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis