CVE-2024-26998: serial: core: Clearing the circular buffer before NULLifying it - Greg Kroah-Hartman

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: CVE-2024-26998: serial: core: Clearing the circular buffer before NULLifying it
Date: Wed,  1 May 2024 07:30:59 +0200	[thread overview]
Message-ID: <2024050145-CVE-2024-26998-2262@gregkh> (raw)

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

serial: core: Clearing the circular buffer before NULLifying it

The circular buffer is NULLified in uart_tty_port_shutdown()
under the spin lock. However, the PM or other timer based callbacks
may still trigger after this event without knowning that buffer pointer
is not valid. Since the serial code is a bit inconsistent in checking
the buffer state (some rely on the head-tail positions, some on the
buffer pointer), it's better to have both aligned, i.e. buffer pointer
to be NULL and head-tail possitions to be the same, meaning it's empty.
This will prevent asynchronous calls to dereference NULL pointer as
reported recently in 8250 case:

  BUG: kernel NULL pointer dereference, address: 00000cf5
  Workqueue: pm pm_runtime_work
  EIP: serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809)
  ...
  ? serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809)
  __start_tx (drivers/tty/serial/8250/8250_port.c:1551)
  serial8250_start_tx (drivers/tty/serial/8250/8250_port.c:1654)
  serial_port_runtime_suspend (include/linux/serial_core.h:667 drivers/tty/serial/serial_port.c:63)
  __rpm_callback (drivers/base/power/runtime.c:393)
  ? serial_port_remove (drivers/tty/serial/serial_port.c:50)
  rpm_suspend (drivers/base/power/runtime.c:447)

The proposed change will prevent ->start_tx() to be called during
suspend on shut down port.

The Linux kernel CVE team has assigned CVE-2024-26998 to this issue.

Affected and fixed versions
===========================

	Issue introduced in 6.6.24 with commit 434beb66368d and fixed in 6.6.29 with commit 7ae7104d5434
	Issue introduced in 6.8 with commit 43066e32227e and fixed in 6.8.8 with commit bb1118905e87
	Issue introduced in 6.8 with commit 43066e32227e and fixed in 6.9-rc5 with commit 9cf7ea2eeb74
	Issue introduced in 6.7.12 with commit a629a9b2f769

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26998
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	drivers/tty/serial/serial_core.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/7ae7104d54342433a3a73975f6569beefdd86350
	https://git.kernel.org/stable/c/bb1118905e875c111d7ccef9aee86ac5e4e7f985
	https://git.kernel.org/stable/c/9cf7ea2eeb745213dc2a04103e426b960e807940