CVE-2024-49963: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-49963 affects the Linux kernel's BCM2835 mailbox driver, specifically during the suspend mode operation. The vulnerability was discovered in October 2024 and affects Linux kernel versions from 4.2 up to versions before 5.10.227, 5.11 to before 5.15.168, 5.16 to before 6.1.113, 6.2 to before 6.6.55, and other versions (NVD).

The vulnerability occurs during the noirq suspend phase where the Raspberry Pi power driver experiences firmware property timeouts. The root cause is that the IRQ of the underlying BCM2835 mailbox is disabled, causing rpi_firmware_property_list() to consistently timeout. This happens because the VideoCore side isn't considered as a wakeup source. The issue has been assigned a CVSS v3.1 base score of 5.5 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability results in firmware property timeouts during the suspend phase, which can lead to system suspend failures and potential denial of service conditions. This affects the system's power management capabilities and can cause significant delays in the suspend process, with reported suspend completion times of over 3000 milliseconds (Kernel Patch).

The vulnerability has been fixed by adding the IRQF_NO_SUSPEND flag to the mailbox IRQ to keep it enabled during the suspend-resume cycle. The fix has been implemented in various kernel versions through patches. Users should update their Linux kernel to the latest patched version that includes this fix (Kernel Patch).