CVE-2024-26998
serial: core: Clearing the circular buffer before NULLifying it
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
serial: core: Clearing the circular buffer before NULLifying it
The circular buffer is NULLified in uart_tty_port_shutdown()
under the spin lock. However, the PM or other timer based callbacks
may still trigger after this event without knowning that buffer pointer
is not valid. Since the serial code is a bit inconsistent in checking
the buffer state (some rely on the head-tail positions, some on the
buffer pointer), it's better to have both aligned, i.e. buffer pointer
to be NULL and head-tail possitions to be the same, meaning it's empty.
This will prevent asynchronous calls to dereference NULL pointer as
reported recently in 8250 case:
BUG: kernel NULL pointer dereference, address: 00000cf5
Workqueue: pm pm_runtime_work
EIP: serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809)
...
? serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809)
__start_tx (drivers/tty/serial/8250/8250_port.c:1551)
serial8250_start_tx (drivers/tty/serial/8250/8250_port.c:1654)
serial_port_runtime_suspend (include/linux/serial_core.h:667 drivers/tty/serial/serial_port.c:63)
__rpm_callback (drivers/base/power/runtime.c:393)
? serial_port_remove (drivers/tty/serial/serial_port.c:50)
rpm_suspend (drivers/base/power/runtime.c:447)
The proposed change will prevent ->start_tx() to be called during
suspend on shut down port.
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: serial: core: borrando el búfer circular antes de anularlo. El búfer circular se anula en uart_tty_port_shutdown() bajo el bloqueo de giro. Sin embargo, el PM u otras devoluciones de llamada basadas en temporizadores aún pueden activarse después de este evento sin saber que el puntero del búfer no es válido. Dado que el código de serie es un poco inconsistente al verificar el estado del búfer (algunos se basan en las posiciones de cabecera y cola, otros en el puntero del búfer), es mejor tener ambos alineados, es decir, que el puntero del búfer sea NULL y las posiciones de cabecera y cola sean lo mismo, lo que significa que está vacío. Esto evitará llamadas asincrónicas para desreferenciar el puntero NULL como se informó recientemente en el caso 8250: ERROR: desreferencia del puntero NULL del kernel, dirección: 00000cf5 Cola de trabajo: pm pm_runtime_work EIP: serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809). . serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809) __start_tx (drivers/tty/serial/8250/8250_port.c:1551) serial8250_start_tx (drivers/tty/serial/8250/8250_port.c:1654) serial_port_runtime_suspend ( incluir/linux/serial_core.h:667 controladores/tty/serial/serial_port.c:63) __rpm_callback (drivers/base/power/runtime.c:393)? serial_port_remove (drivers/tty/serial/serial_port.c:50) rpm_suspend (drivers/base/power/runtime.c:447) El cambio propuesto evitará que se llame a ->start_tx() durante la suspensión al cerrar el puerto.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-19 CVE Reserved
- 2024-05-01 CVE Published
- 2024-12-19 CVE Updated
- 2024-12-24 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (6)
URL | Tag | Source |
---|---|---|
https://git.kernel.org/stable/c/434beb66368d4fb4d3119c2116b9398500adbf47 | Vuln. Introduced | |
https://git.kernel.org/stable/c/43066e32227ecde674e8ae1fcdd4a1ede67680c2 | Vuln. Introduced | |
https://git.kernel.org/stable/c/a629a9b2f7699314a4abe8fbc37b0ee667b60f33 | Vuln. Introduced |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.6.24 < 6.6.29 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.24 < 6.6.29" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.8 < 6.8.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.8 < 6.8.8" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.8 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.8 < 6.9" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 6.7.12 Search vendor "Linux" for product "Linux Kernel" and version "6.7.12" | en |
Affected
|