cve/2024/CVE-2024-26998.md

### [CVE-2024-26998](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26998)
![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=434beb66368d%3C%207ae7104d5434%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

In the Linux kernel, the following vulnerability has been resolved:serial: core: Clearing the circular buffer before NULLifying itThe circular buffer is NULLified in uart_tty_port_shutdown()under the spin lock. However, the PM or other timer based callbacksmay still trigger after this event without knowning that buffer pointeris not valid. Since the serial code is a bit inconsistent in checkingthe buffer state (some rely on the head-tail positions, some on thebuffer pointer), it's better to have both aligned, i.e. buffer pointerto be NULL and head-tail possitions to be the same, meaning it's empty.This will prevent asynchronous calls to dereference NULL pointer asreported recently in 8250 case:  BUG: kernel NULL pointer dereference, address: 00000cf5  Workqueue: pm pm_runtime_work  EIP: serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809)  ...  ? serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809)  __start_tx (drivers/tty/serial/8250/8250_port.c:1551)  serial8250_start_tx (drivers/tty/serial/8250/8250_port.c:1654)  serial_port_runtime_suspend (include/linux/serial_core.h:667 drivers/tty/serial/serial_port.c:63)  __rpm_callback (drivers/base/power/runtime.c:393)  ? serial_port_remove (drivers/tty/serial/serial_port.c:50)  rpm_suspend (drivers/base/power/runtime.c:447)The proposed change will prevent ->start_tx() to be called duringsuspend on shut down port.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/fkie-cad/nvd-json-data-feeds
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`### [CVE-2024-26998](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26998)`
			`![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=434beb66368d%3C%207ae7104d5434%20&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)`

			`### Description`

			In the Linux kernel, the following vulnerability has been resolved:serial: core: Clearing the circular buffer before NULLifying itThe circular buffer is NULLified in uart_tty_port_shutdown()under the spin lock. However, the PM or other timer based callbacksmay still trigger after this event without knowning that buffer pointeris not valid. Since the serial code is a bit inconsistent in checkingthe buffer state (some rely on the head-tail positions, some on thebuffer pointer), it's better to have both aligned, i.e. buffer pointerto be NULL and head-tail possitions to be the same, meaning it's empty.This will prevent asynchronous calls to dereference NULL pointer asreported recently in 8250 case: BUG: kernel NULL pointer dereference, address: 00000cf5 Workqueue: pm pm_runtime_work EIP: serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809) ... ? serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809) __start_tx (drivers/tty/serial/8250/8250_port.c:1551) serial8250_start_tx (drivers/tty/serial/8250/8250_port.c:1654) serial_port_runtime_suspend (include/linux/serial_core.h:667 drivers/tty/serial/serial_port.c:63) __rpm_callback (drivers/base/power/runtime.c:393) ? serial_port_remove (drivers/tty/serial/serial_port.c:50) rpm_suspend (drivers/base/power/runtime.c:447)The proposed change will prevent ->start_tx() to be called duringsuspend on shut down port.

			`### POC`

			`#### Reference`
			`No PoCs from references.`

			`#### Github`
			`- https://github.com/fkie-cad/nvd-json-data-feeds`