cve/published/2024/CVE-2024-53071.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-53071: drm/panthor: Be stricter about IO mapping flags

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 drm/panthor: Be stricter about IO mapping flags

 The current panthor_device_mmap_io() implementation has two issues:

 1. For mapping DRM_PANTHOR_USER_FLUSH_ID_MMIO_OFFSET,
    panthor_device_mmap_io() bails if VM_WRITE is set, but does not clear
    VM_MAYWRITE. That means userspace can use mprotect() to make the mapping
    writable later on. This is a classic Linux driver gotcha.
    I don't think this actually has any impact in practice:
    When the GPU is powered, writes to the FLUSH_ID seem to be ignored; and
    when the GPU is not powered, the dummy_latest_flush page provided by the
    driver is deliberately designed to not do any flushes, so the only thing
    writing to the dummy_latest_flush could achieve would be to make *more*
    flushes happen.

 2. panthor_device_mmap_io() does not block MAP_PRIVATE mappings (which are
    mappings without the VM_SHARED flag).
    MAP_PRIVATE in combination with VM_MAYWRITE indicates that the VMA has
    copy-on-write semantics, which for VM_PFNMAP are semi-supported but
    fairly cursed.
    In particular, in such a mapping, the driver can only install PTEs
    during mmap() by calling remap_pfn_range() (because remap_pfn_range()
    wants to **store the physical address of the mapped physical memory into
    the vm_pgoff of the VMA**); installing PTEs later on with a fault
    handler (as panthor does) is not supported in private mappings, and so
    if you try to fault in such a mapping, vmf_insert_pfn_prot() splats when
    it hits a BUG() check.

 Fix it by clearing the VM_MAYWRITE flag (userspace writing to the FLUSH_ID
 doesn't make sense) and requiring VM_SHARED (copy-on-write semantics for
 the FLUSH_ID don't make sense).

 Reproducers for both scenarios are in the notes of my patch on the mailing
 list; I tested that these bugs exist on a Rock 5B machine.

 Note that I only compile-tested the patch, I haven't tested it; I don't
 have a working kernel build setup for the test machine yet. Please test it
 before applying it.

 The Linux kernel CVE team has assigned CVE-2024-53071 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.10 with commit 5fe909cae118a757a77afb37174b99436a36d2e2 and fixed in 6.11.8 with commit 2604afd65043e8f9d4be036cb1242adf6b5723cf
 	Issue introduced in 6.10 with commit 5fe909cae118a757a77afb37174b99436a36d2e2 and fixed in 6.12 with commit f432a1621f049bb207e78363d9d0e3c6fa2da5db

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-53071
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/gpu/drm/panthor/panthor_device.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/2604afd65043e8f9d4be036cb1242adf6b5723cf
 	https://git.kernel.org/stable/c/f432a1621f049bb207e78363d9d0e3c6fa2da5db
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-53071: drm/panthor: Be stricter about IO mapping flags

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	drm/panthor: Be stricter about IO mapping flags

	The current panthor_device_mmap_io() implementation has two issues:

	1. For mapping DRM_PANTHOR_USER_FLUSH_ID_MMIO_OFFSET,
	panthor_device_mmap_io() bails if VM_WRITE is set, but does not clear
	VM_MAYWRITE. That means userspace can use mprotect() to make the mapping
	writable later on. This is a classic Linux driver gotcha.
	I don't think this actually has any impact in practice:
	When the GPU is powered, writes to the FLUSH_ID seem to be ignored; and
	when the GPU is not powered, the dummy_latest_flush page provided by the
	driver is deliberately designed to not do any flushes, so the only thing
	writing to the dummy_latest_flush could achieve would be to make more
	flushes happen.

	2. panthor_device_mmap_io() does not block MAP_PRIVATE mappings (which are
	mappings without the VM_SHARED flag).
	MAP_PRIVATE in combination with VM_MAYWRITE indicates that the VMA has
	copy-on-write semantics, which for VM_PFNMAP are semi-supported but
	fairly cursed.
	In particular, in such a mapping, the driver can only install PTEs
	during mmap() by calling remap_pfn_range() (because remap_pfn_range()
	wants to **store the physical address of the mapped physical memory into
	the vm_pgoff of the VMA**); installing PTEs later on with a fault
	handler (as panthor does) is not supported in private mappings, and so
	if you try to fault in such a mapping, vmf_insert_pfn_prot() splats when
	it hits a BUG() check.

	Fix it by clearing the VM_MAYWRITE flag (userspace writing to the FLUSH_ID
	doesn't make sense) and requiring VM_SHARED (copy-on-write semantics for
	the FLUSH_ID don't make sense).

	Reproducers for both scenarios are in the notes of my patch on the mailing
	list; I tested that these bugs exist on a Rock 5B machine.

	Note that I only compile-tested the patch, I haven't tested it; I don't
	have a working kernel build setup for the test machine yet. Please test it
	before applying it.

	The Linux kernel CVE team has assigned CVE-2024-53071 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.10 with commit 5fe909cae118a757a77afb37174b99436a36d2e2 and fixed in 6.11.8 with commit 2604afd65043e8f9d4be036cb1242adf6b5723cf
	Issue introduced in 6.10 with commit 5fe909cae118a757a77afb37174b99436a36d2e2 and fixed in 6.12 with commit f432a1621f049bb207e78363d9d0e3c6fa2da5db

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-53071
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/gpu/drm/panthor/panthor_device.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/2604afd65043e8f9d4be036cb1242adf6b5723cf
	https://git.kernel.org/stable/c/f432a1621f049bb207e78363d9d0e3c6fa2da5db