cve/published/2024/CVE-2024-26998.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26998: serial: core: Clearing the circular buffer before NULLifying it

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 serial: core: Clearing the circular buffer before NULLifying it

 The circular buffer is NULLified in uart_tty_port_shutdown()
 under the spin lock. However, the PM or other timer based callbacks
 may still trigger after this event without knowning that buffer pointer
 is not valid. Since the serial code is a bit inconsistent in checking
 the buffer state (some rely on the head-tail positions, some on the
 buffer pointer), it's better to have both aligned, i.e. buffer pointer
 to be NULL and head-tail possitions to be the same, meaning it's empty.
 This will prevent asynchronous calls to dereference NULL pointer as
 reported recently in 8250 case:

   BUG: kernel NULL pointer dereference, address: 00000cf5
   Workqueue: pm pm_runtime_work
   EIP: serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809)
   ...
   ? serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809)
   __start_tx (drivers/tty/serial/8250/8250_port.c:1551)
   serial8250_start_tx (drivers/tty/serial/8250/8250_port.c:1654)
   serial_port_runtime_suspend (include/linux/serial_core.h:667 drivers/tty/serial/serial_port.c:63)
   __rpm_callback (drivers/base/power/runtime.c:393)
   ? serial_port_remove (drivers/tty/serial/serial_port.c:50)
   rpm_suspend (drivers/base/power/runtime.c:447)

 The proposed change will prevent ->start_tx() to be called during
 suspend on shut down port.

 The Linux kernel CVE team has assigned CVE-2024-26998 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.6.24 with commit 434beb66368d4fb4d3119c2116b9398500adbf47 and fixed in 6.6.29 with commit 7ae7104d54342433a3a73975f6569beefdd86350
 	Issue introduced in 6.8 with commit 43066e32227ecde674e8ae1fcdd4a1ede67680c2 and fixed in 6.8.8 with commit bb1118905e875c111d7ccef9aee86ac5e4e7f985
 	Issue introduced in 6.8 with commit 43066e32227ecde674e8ae1fcdd4a1ede67680c2 and fixed in 6.9 with commit 9cf7ea2eeb745213dc2a04103e426b960e807940
 	Issue introduced in 6.7.12 with commit a629a9b2f7699314a4abe8fbc37b0ee667b60f33

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26998
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/tty/serial/serial_core.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/7ae7104d54342433a3a73975f6569beefdd86350
 	https://git.kernel.org/stable/c/bb1118905e875c111d7ccef9aee86ac5e4e7f985
 	https://git.kernel.org/stable/c/9cf7ea2eeb745213dc2a04103e426b960e807940
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26998: serial: core: Clearing the circular buffer before NULLifying it

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	serial: core: Clearing the circular buffer before NULLifying it

	The circular buffer is NULLified in uart_tty_port_shutdown()
	under the spin lock. However, the PM or other timer based callbacks
	may still trigger after this event without knowning that buffer pointer
	is not valid. Since the serial code is a bit inconsistent in checking
	the buffer state (some rely on the head-tail positions, some on the
	buffer pointer), it's better to have both aligned, i.e. buffer pointer
	to be NULL and head-tail possitions to be the same, meaning it's empty.
	This will prevent asynchronous calls to dereference NULL pointer as
	reported recently in 8250 case:

	BUG: kernel NULL pointer dereference, address: 00000cf5
	Workqueue: pm pm_runtime_work
	EIP: serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809)
	...
	? serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809)
	__start_tx (drivers/tty/serial/8250/8250_port.c:1551)
	serial8250_start_tx (drivers/tty/serial/8250/8250_port.c:1654)
	serial_port_runtime_suspend (include/linux/serial_core.h:667 drivers/tty/serial/serial_port.c:63)
	__rpm_callback (drivers/base/power/runtime.c:393)
	? serial_port_remove (drivers/tty/serial/serial_port.c:50)
	rpm_suspend (drivers/base/power/runtime.c:447)

	The proposed change will prevent ->start_tx() to be called during
	suspend on shut down port.

	The Linux kernel CVE team has assigned CVE-2024-26998 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.6.24 with commit 434beb66368d4fb4d3119c2116b9398500adbf47 and fixed in 6.6.29 with commit 7ae7104d54342433a3a73975f6569beefdd86350
	Issue introduced in 6.8 with commit 43066e32227ecde674e8ae1fcdd4a1ede67680c2 and fixed in 6.8.8 with commit bb1118905e875c111d7ccef9aee86ac5e4e7f985
	Issue introduced in 6.8 with commit 43066e32227ecde674e8ae1fcdd4a1ede67680c2 and fixed in 6.9 with commit 9cf7ea2eeb745213dc2a04103e426b960e807940
	Issue introduced in 6.7.12 with commit a629a9b2f7699314a4abe8fbc37b0ee667b60f33

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26998
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/tty/serial/serial_core.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/7ae7104d54342433a3a73975f6569beefdd86350
	https://git.kernel.org/stable/c/bb1118905e875c111d7ccef9aee86ac5e4e7f985
	https://git.kernel.org/stable/c/9cf7ea2eeb745213dc2a04103e426b960e807940