Description

In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Be stricter about IO mapping flags The current panthor_device_mmap_io() implementation has two issues: 1. For mapping DRM_PANTHOR_USER_FLUSH_ID_MMIO_OFFSET, panthor_device_mmap_io() bails if VM_WRITE is set, but does not clear VM_MAYWRITE. That means userspace can use mprotect() to make the mapping writable later on. This is a classic Linux driver gotcha. I don't think this actually has any impact in practice: When the GPU is powered, writes to the FLUSH_ID seem to be ignored; and when the GPU is not powered, the dummy_latest_flush page provided by the driver is deliberately designed to not do any flushes, so the only thing writing to the dummy_latest_flush could achieve would be to make *more* flushes happen. 2. panthor_device_mmap_io() does not block MAP_PRIVATE mappings (which are mappings without the VM_SHARED flag). MAP_PRIVATE in combination with VM_MAYWRITE indicates that the VMA has copy-on-write semantics, which for VM_PFNMAP are semi-supported but fairly cursed. In particular, in such a mapping, the driver can only install PTEs during mmap() by calling remap_pfn_range() (because remap_pfn_range() wants to **store the physical address of the mapped physical memory into the vm_pgoff of the VMA**); installing PTEs later on with a fault handler (as panthor does) is not supported in private mappings, and so if you try to fault in such a mapping, vmf_insert_pfn_prot() splats when it hits a BUG() check. Fix it by clearing the VM_MAYWRITE flag (userspace writing to the FLUSH_ID doesn't make sense) and requiring VM_SHARED (copy-on-write semantics for the FLUSH_ID don't make sense). Reproducers for both scenarios are in the notes of my patch on the mailing list; I tested that these bugs exist on a Rock 5B machine. Note that I only compile-tested the patch, I haven't tested it; I don't have a working kernel build setup for the test machine yet. Please test it before applying it.

Metrics

 

CVSS Version 4.0 CVSS Version 3.x CVSS Version 2.0

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score:  5.5 MEDIUM

Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0 Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://git.kernel.org/stable/c/2604afd65043e8f9d4be036cb1242adf6b5723cf	Patch
https://git.kernel.org/stable/c/f432a1621f049bb207e78363d9d0e3c6fa2da5db	Patch

Weakness Enumeration

CWE-ID	CWE Name	Source
NVD-CWE-noinfo	Insufficient Information	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

2 change records found show changes

Initial Analysis by NIST 11/26/2024 5:18:28 PM

Action	Type	Old Value	New Value
Added	CVSS V3.1		NIST AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Added	CWE		NIST NVD-CWE-noinfo
Added	CPE Configuration		OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.10 up to (excluding) 6.11.8 *cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.12:rc6:*:*:*:*:*:*
Changed	Reference Type	https://git.kernel.org/stable/c/2604afd65043e8f9d4be036cb1242adf6b5723cf No Types Assigned	https://git.kernel.org/stable/c/2604afd65043e8f9d4be036cb1242adf6b5723cf Patch
Changed	Reference Type	https://git.kernel.org/stable/c/f432a1621f049bb207e78363d9d0e3c6fa2da5db No Types Assigned	https://git.kernel.org/stable/c/f432a1621f049bb207e78363d9d0e3c6fa2da5db Patch

New CVE Received from kernel.org 11/19/2024 1:15:26 PM

Action	Type	Old Value	New Value
Added	Description		Record truncated, showing 500 of 2058 characters. View Entire Change Record In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Be stricter about IO mapping flags The current panthor_device_mmap_io() implementation has two issues: 1. For mapping DRM_PANTHOR_USER_FLUSH_ID_MMIO_OFFSET, panthor_device_mmap_io() bails if VM_WRITE is set, but does not clear VM_MAYWRITE. That means userspace can use mprotect() to make the mapping writable later on. This is a classic Linux driver gotcha. I don't think this actually has any impact in
Added	Reference		kernel.org https://git.kernel.org/stable/c/2604afd65043e8f9d4be036cb1242adf6b5723cf [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/f432a1621f049bb207e78363d9d0e3c6fa2da5db [No types assigned]