1.8 KiB
CVE-2024-26998
Description
In the Linux kernel, the following vulnerability has been resolved:serial: core: Clearing the circular buffer before NULLifying itThe circular buffer is NULLified in uart_tty_port_shutdown()under the spin lock. However, the PM or other timer based callbacksmay still trigger after this event without knowning that buffer pointeris not valid. Since the serial code is a bit inconsistent in checkingthe buffer state (some rely on the head-tail positions, some on thebuffer pointer), it's better to have both aligned, i.e. buffer pointerto be NULL and head-tail possitions to be the same, meaning it's empty.This will prevent asynchronous calls to dereference NULL pointer asreported recently in 8250 case: BUG: kernel NULL pointer dereference, address: 00000cf5 Workqueue: pm pm_runtime_work EIP: serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809) ... ? serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809) __start_tx (drivers/tty/serial/8250/8250_port.c:1551) serial8250_start_tx (drivers/tty/serial/8250/8250_port.c:1654) serial_port_runtime_suspend (include/linux/serial_core.h:667 drivers/tty/serial/serial_port.c:63) __rpm_callback (drivers/base/power/runtime.c:393) ? serial_port_remove (drivers/tty/serial/serial_port.c:50) rpm_suspend (drivers/base/power/runtime.c:447)The proposed change will prevent ->start_tx() to be called duringsuspend on shut down port.
POC
Reference
No PoCs from references.