{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-53071","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-11-19T17:17:24.976Z","datePublished":"2024-11-19T17:22:38.327Z","dateUpdated":"2025-10-01T20:17:16.169Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:52:13.347Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Be stricter about IO mapping flags\n\nThe current panthor_device_mmap_io() implementation has two issues:\n\n1. For mapping DRM_PANTHOR_USER_FLUSH_ID_MMIO_OFFSET,\n   panthor_device_mmap_io() bails if VM_WRITE is set, but does not clear\n   VM_MAYWRITE. That means userspace can use mprotect() to make the mapping\n   writable later on. This is a classic Linux driver gotcha.\n   I don't think this actually has any impact in practice:\n   When the GPU is powered, writes to the FLUSH_ID seem to be ignored; and\n   when the GPU is not powered, the dummy_latest_flush page provided by the\n   driver is deliberately designed to not do any flushes, so the only thing\n   writing to the dummy_latest_flush could achieve would be to make *more*\n   flushes happen.\n\n2. panthor_device_mmap_io() does not block MAP_PRIVATE mappings (which are\n   mappings without the VM_SHARED flag).\n   MAP_PRIVATE in combination with VM_MAYWRITE indicates that the VMA has\n   copy-on-write semantics, which for VM_PFNMAP are semi-supported but\n   fairly cursed.\n   In particular, in such a mapping, the driver can only install PTEs\n   during mmap() by calling remap_pfn_range() (because remap_pfn_range()\n   wants to **store the physical address of the mapped physical memory into\n   the vm_pgoff of the VMA**); installing PTEs later on with a fault\n   handler (as panthor does) is not supported in private mappings, and so\n   if you try to fault in such a mapping, vmf_insert_pfn_prot() splats when\n   it hits a BUG() check.\n\nFix it by clearing the VM_MAYWRITE flag (userspace writing to the FLUSH_ID\ndoesn't make sense) and requiring VM_SHARED (copy-on-write semantics for\nthe FLUSH_ID don't make sense).\n\nReproducers for both scenarios are in the notes of my patch on the mailing\nlist; I tested that these bugs exist on a Rock 5B machine.\n\nNote that I only compile-tested the patch, I haven't tested it; I don't\nhave a working kernel build setup for the test machine yet. Please test it\nbefore applying it."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/gpu/drm/panthor/panthor_device.c"],"versions":[{"version":"5fe909cae118a757a77afb37174b99436a36d2e2","lessThan":"2604afd65043e8f9d4be036cb1242adf6b5723cf","status":"affected","versionType":"git"},{"version":"5fe909cae118a757a77afb37174b99436a36d2e2","lessThan":"f432a1621f049bb207e78363d9d0e3c6fa2da5db","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/gpu/drm/panthor/panthor_device.c"],"versions":[{"version":"6.10","status":"affected"},{"version":"0","lessThan":"6.10","status":"unaffected","versionType":"semver"},{"version":"6.11.8","lessThanOrEqual":"6.11.*","status":"unaffected","versionType":"semver"},{"version":"6.12","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.10","versionEndExcluding":"6.11.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.10","versionEndExcluding":"6.12"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2604afd65043e8f9d4be036cb1242adf6b5723cf"},{"url":"https://git.kernel.org/stable/c/f432a1621f049bb207e78363d9d0e3c6fa2da5db"}],"title":"drm/panthor: Be stricter about IO mapping flags","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"id":"CVE-2024-53071","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2025-10-01T20:12:23.550632Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","description":"CWE-noinfo Not enough information"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-01T20:17:16.169Z"}}]}}