vulnerability

Ubuntu: (Multiple Advisories) (CVE-2024-53071): Linux kernel vulnerabilities

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:L/AC:L/Au:S/C:N/I:N/A:C)	Nov 19, 2024	Feb 20, 2025	Mar 3, 2025

Severity

CVSS

(AV:L/AC:L/Au:S/C:N/I:N/A:C)

Published

Nov 19, 2024

Added

Feb 20, 2025

Modified

Mar 3, 2025

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/panthor: Be stricter about IO mapping flags

The current panthor_device_mmap_io() implementation has two issues:

1. For mapping DRM_PANTHOR_USER_FLUSH_ID_MMIO_OFFSET,
panthor_device_mmap_io() bails if VM_WRITE is set, but does not clear
VM_MAYWRITE. That means userspace can use mprotect() to make the mapping
writable later on. This is a classic Linux driver gotcha.
I don't think this actually has any impact in practice:
When the GPU is powered, writes to the FLUSH_ID seem to be ignored; and
when the GPU is not powered, the dummy_latest_flush page provided by the
driver is deliberately designed to not do any flushes, so the only thing
writing to the dummy_latest_flush could achieve would be to make *more*
flushes happen.

2. panthor_device_mmap_io() does not block MAP_PRIVATE mappings (which are
mappings without the VM_SHARED flag).
MAP_PRIVATE in combination with VM_MAYWRITE indicates that the VMA has
copy-on-write semantics, which for VM_PFNMAP are semi-supported but
fairly cursed.
In particular, in such a mapping, the driver can only install PTEs
during mmap() by calling remap_pfn_range() (because remap_pfn_range()
wants to **store the physical address of the mapped physical memory into
the vm_pgoff of the VMA**); installing PTEs later on with a fault
handler (as panthor does) is not supported in private mappings, and so
if you try to fault in such a mapping, vmf_insert_pfn_prot() splats when
it hits a BUG() check.

Fix it by clearing the VM_MAYWRITE flag (userspace writing to the FLUSH_ID
doesn't make sense) and requiring VM_SHARED (copy-on-write semantics for
the FLUSH_ID don't make sense).

Reproducers for both scenarios are in the notes of my patch on the mailing
list; I tested that these bugs exist on a Rock 5B machine.

Note that I only compile-tested the patch, I haven't tested it; I don't
have a working kernel build setup for the test machine yet. Please test it
before applying it.

Solutions

ubuntu-upgrade-linux-image-6-11-0-1005-realtimeubuntu-upgrade-linux-image-6-11-0-1008-raspiubuntu-upgrade-linux-image-6-11-0-1009-awsubuntu-upgrade-linux-image-6-11-0-1009-azureubuntu-upgrade-linux-image-6-11-0-1009-azure-fdeubuntu-upgrade-linux-image-6-11-0-1009-gcpubuntu-upgrade-linux-image-6-11-0-1010-lowlatencyubuntu-upgrade-linux-image-6-11-0-1010-lowlatency-64kubuntu-upgrade-linux-image-6-11-0-1011-oracleubuntu-upgrade-linux-image-6-11-0-1011-oracle-64kubuntu-upgrade-linux-image-6-11-0-1015-oemubuntu-upgrade-linux-image-6-11-0-18-genericubuntu-upgrade-linux-image-6-11-0-18-generic-64kubuntu-upgrade-linux-image-awsubuntu-upgrade-linux-image-azureubuntu-upgrade-linux-image-azure-fdeubuntu-upgrade-linux-image-gcpubuntu-upgrade-linux-image-genericubuntu-upgrade-linux-image-generic-64kubuntu-upgrade-linux-image-generic-64k-hwe-24-04ubuntu-upgrade-linux-image-generic-hwe-24-04ubuntu-upgrade-linux-image-lowlatencyubuntu-upgrade-linux-image-lowlatency-64kubuntu-upgrade-linux-image-oem-24-04ubuntu-upgrade-linux-image-oem-24-04aubuntu-upgrade-linux-image-oem-24-04bubuntu-upgrade-linux-image-oracleubuntu-upgrade-linux-image-oracle-64kubuntu-upgrade-linux-image-raspiubuntu-upgrade-linux-image-realtimeubuntu-upgrade-linux-image-realtime-hwe-24-04ubuntu-upgrade-linux-image-virtualubuntu-upgrade-linux-image-virtual-hwe-24-04

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today