cve/published/2024/CVE-2024-27000.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-27000: serial: mxs-auart: add spinlock around changing cts state

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 serial: mxs-auart: add spinlock around changing cts state

 The uart_handle_cts_change() function in serial_core expects the caller
 to hold uport->lock. For example, I have seen the below kernel splat,
 when the Bluetooth driver is loaded on an i.MX28 board.

     [   85.119255] ------------[ cut here ]------------
     [   85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec
     [   85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs
     [   85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1
     [   85.151396] Hardware name: Freescale MXS (Device Tree)
     [   85.156679] Workqueue: hci0 hci_power_on [bluetooth]
     (...)
     [   85.191765]  uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4
     [   85.198787]  mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210
     (...)

 The Linux kernel CVE team has assigned CVE-2024-27000 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.18 with commit 4d90bb147ef6b91f529a21b498ff2b5fdc6785b4 and fixed in 4.19.313 with commit 56434e295bd446142025913bfdf1587f5e1970ad
 	Issue introduced in 3.18 with commit 4d90bb147ef6b91f529a21b498ff2b5fdc6785b4 and fixed in 5.4.275 with commit 21535ef0ac1945080198fe3e4347ea498205c99a
 	Issue introduced in 3.18 with commit 4d90bb147ef6b91f529a21b498ff2b5fdc6785b4 and fixed in 5.10.216 with commit 0dc0637e6b16158af85945425821bfd0151adb37
 	Issue introduced in 3.18 with commit 4d90bb147ef6b91f529a21b498ff2b5fdc6785b4 and fixed in 5.15.158 with commit 479244d68f5d94f3903eced52b093c1e01ddb495
 	Issue introduced in 3.18 with commit 4d90bb147ef6b91f529a21b498ff2b5fdc6785b4 and fixed in 6.1.88 with commit 2c9b943e9924cf1269e44289bc5e60e51b0f5270
 	Issue introduced in 3.18 with commit 4d90bb147ef6b91f529a21b498ff2b5fdc6785b4 and fixed in 6.6.29 with commit 5f40fd6ca2cf0bfbc5a5c9e403dfce8ca899ba37
 	Issue introduced in 3.18 with commit 4d90bb147ef6b91f529a21b498ff2b5fdc6785b4 and fixed in 6.8.8 with commit 94b0e65c75f4af888ab2dd6c90f060f762924e86
 	Issue introduced in 3.18 with commit 4d90bb147ef6b91f529a21b498ff2b5fdc6785b4 and fixed in 6.9 with commit 54c4ec5f8c471b7c1137a1f769648549c423c026

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-27000
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/tty/serial/mxs-auart.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/56434e295bd446142025913bfdf1587f5e1970ad
 	https://git.kernel.org/stable/c/21535ef0ac1945080198fe3e4347ea498205c99a
 	https://git.kernel.org/stable/c/0dc0637e6b16158af85945425821bfd0151adb37
 	https://git.kernel.org/stable/c/479244d68f5d94f3903eced52b093c1e01ddb495
 	https://git.kernel.org/stable/c/2c9b943e9924cf1269e44289bc5e60e51b0f5270
 	https://git.kernel.org/stable/c/5f40fd6ca2cf0bfbc5a5c9e403dfce8ca899ba37
 	https://git.kernel.org/stable/c/94b0e65c75f4af888ab2dd6c90f060f762924e86
 	https://git.kernel.org/stable/c/54c4ec5f8c471b7c1137a1f769648549c423c026
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-27000: serial: mxs-auart: add spinlock around changing cts state

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	serial: mxs-auart: add spinlock around changing cts state

	The uart_handle_cts_change() function in serial_core expects the caller
	to hold uport->lock. For example, I have seen the below kernel splat,
	when the Bluetooth driver is loaded on an i.MX28 board.

	[ 85.119255] ------------[ cut here ]------------
	[ 85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec
	[ 85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs
	[ 85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1
	[ 85.151396] Hardware name: Freescale MXS (Device Tree)
	[ 85.156679] Workqueue: hci0 hci_power_on [bluetooth]
	(...)
	[ 85.191765] uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4
	[ 85.198787] mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210
	(...)

	The Linux kernel CVE team has assigned CVE-2024-27000 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.18 with commit 4d90bb147ef6b91f529a21b498ff2b5fdc6785b4 and fixed in 4.19.313 with commit 56434e295bd446142025913bfdf1587f5e1970ad
	Issue introduced in 3.18 with commit 4d90bb147ef6b91f529a21b498ff2b5fdc6785b4 and fixed in 5.4.275 with commit 21535ef0ac1945080198fe3e4347ea498205c99a
	Issue introduced in 3.18 with commit 4d90bb147ef6b91f529a21b498ff2b5fdc6785b4 and fixed in 5.10.216 with commit 0dc0637e6b16158af85945425821bfd0151adb37
	Issue introduced in 3.18 with commit 4d90bb147ef6b91f529a21b498ff2b5fdc6785b4 and fixed in 5.15.158 with commit 479244d68f5d94f3903eced52b093c1e01ddb495
	Issue introduced in 3.18 with commit 4d90bb147ef6b91f529a21b498ff2b5fdc6785b4 and fixed in 6.1.88 with commit 2c9b943e9924cf1269e44289bc5e60e51b0f5270
	Issue introduced in 3.18 with commit 4d90bb147ef6b91f529a21b498ff2b5fdc6785b4 and fixed in 6.6.29 with commit 5f40fd6ca2cf0bfbc5a5c9e403dfce8ca899ba37
	Issue introduced in 3.18 with commit 4d90bb147ef6b91f529a21b498ff2b5fdc6785b4 and fixed in 6.8.8 with commit 94b0e65c75f4af888ab2dd6c90f060f762924e86
	Issue introduced in 3.18 with commit 4d90bb147ef6b91f529a21b498ff2b5fdc6785b4 and fixed in 6.9 with commit 54c4ec5f8c471b7c1137a1f769648549c423c026

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-27000
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/tty/serial/mxs-auart.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/56434e295bd446142025913bfdf1587f5e1970ad
	https://git.kernel.org/stable/c/21535ef0ac1945080198fe3e4347ea498205c99a
	https://git.kernel.org/stable/c/0dc0637e6b16158af85945425821bfd0151adb37
	https://git.kernel.org/stable/c/479244d68f5d94f3903eced52b093c1e01ddb495
	https://git.kernel.org/stable/c/2c9b943e9924cf1269e44289bc5e60e51b0f5270
	https://git.kernel.org/stable/c/5f40fd6ca2cf0bfbc5a5c9e403dfce8ca899ba37
	https://git.kernel.org/stable/c/94b0e65c75f4af888ab2dd6c90f060f762924e86
	https://git.kernel.org/stable/c/54c4ec5f8c471b7c1137a1f769648549c423c026