CVE-2024-26998: Linux Kernel Vulnerability - Clearing Circular Buffer Before NULLifying it in Serial Core

In the Linux kernel, a vulnerability has been identified and resolved in the serial core: the transmit circular buffer was NULLified at port shutdown without first being marked empty. A power-management callback running after shutdown could then dereference the NULL buffer pointer, producing a kernel oops (a crash, i.e. a denial of service). This article describes the race, the code fix that was applied, and the impact on affected systems.

Vulnerability Details

The problem is in uart_tty_port_shutdown(), which NULLifies the circular buffer pointer under the port spin lock. However, the runtime power management (PM) path or other timer-based callbacks may still run after this point without knowing that the buffer pointer is no longer valid. Because the serial code is inconsistent about how it checks buffer state (some paths test the head/tail positions, others test the buffer pointer), a callback that sees head != tail assumes there is data to send and dereferences the NULL pointer, as was observed in the 8250 driver:

BUG: kernel NULL pointer dereference, address: 00000cf5
Workqueue: pm pm_runtime_work
EIP: serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809)
...
? serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809)
__start_tx (drivers/tty/serial/8250/8250_port.c:1551)
serial8250_start_tx (drivers/tty/serial/8250/8250_port.c:1654)
serial_port_runtime_suspend (include/linux/serial_core.h:667 drivers/tty/serial/serial_port.c:63)
__rpm_callback (drivers/base/power/runtime.c:393)
? serial_port_remove (drivers/tty/serial/serial_port.c:50)
rpm_suspend (drivers/base/power/runtime.c:447)

To fix this, the two representations of "buffer is gone" need to agree: the buffer pointer should be NULL and the head and tail positions should be equal, which is what the serial code treats as an empty buffer. With both aligned, a late callback that checks emptiness via head/tail bails out before it ever touches the pointer.

Code Fix

The fix clears the head and tail positions before NULLifying the buffer pointer, which prevents ->start_tx() from being called during runtime suspend on a shut-down port. A simplified excerpt of the shutdown path with the fix applied (the kernel's uart_circ_clear() macro performs exactly this head = tail = 0 reset) is shown below:

void uart_tty_port_shutdown(struct tty_port *port)
{
  struct uart_state *state = container_of(port, struct uart_state, port);
  unsigned long flags;
  ...
  spin_lock_irqsave(&state->port.lock, flags);
  // Clear the circular buffer (head == tail, i.e. empty) before NULLifying it
  state->xmit.head = state->xmit.tail = 0;   // equivalent to uart_circ_clear(&state->xmit)
  ...
  // Now NULLify the circular buffer
  state->xmit.buf = NULL;
  ...
  spin_unlock_irqrestore(&state->port.lock, flags);
}

With this ordering, any callback that runs after uart_tty_port_shutdown() sees an empty buffer (head == tail) and returns before dereferencing the NULL pointer, which is what avoids the observed oops. Note that the reset must happen under the same lock as the NULLification; otherwise a callback could still observe the intermediate state.
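The following user-space model, added here as an illustration and not taken from the kernel, reproduces the race in miniature. It keeps a struct circ_buf with the same head/tail/buf layout and the same emptiness test the serial core uses, queues a few constructed bytes, then runs the two shutdown orders and finally the "late PM callback". The tx-path stand-in reports -1 where the real driver would have dereferenced NULL. Names such as model_tx_chars, shutdown_before_fix, shutdown_after_fix and simulate are this example's own; XMIT_SIZE is an assumed power-of-two buffer size, as the kernel's is.

```c
/* Added illustration (not kernel code): models the serial-core circular
 * buffer and the two shutdown orders discussed above in a user-space program. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define XMIT_SIZE 16  /* assumed power-of-two size, like the kernel's transmit buffer */

/* Same fields as struct circ_buf in include/linux/circ_buf.h */
struct circ_buf {
    char *buf;
    int head;
    int tail;
};

/* Reproductions of the kernel's helpers: emptiness is judged by head/tail only */
#define uart_circ_empty(circ) ((circ)->head == (circ)->tail)
#define uart_circ_clear(circ) ((circ)->head = (circ)->tail = 0)

/* Stand-in for the ->start_tx()/tx_chars() path. The emptiness check looks
 * only at head/tail, so with bytes still queued and buf == NULL the real
 * driver reads through NULL. Returns bytes "sent", or -1 where the kernel
 * would have oopsed. */
static int model_tx_chars(struct circ_buf *xmit, char *out, size_t outlen)
{
    size_t sent = 0;

    if (uart_circ_empty(xmit))
        return 0;                     /* nothing queued: bail out early */
    if (xmit->buf == NULL)
        return -1;                    /* kernel would dereference NULL here */

    while (!uart_circ_empty(xmit) && sent < outlen) {
        out[sent++] = xmit->buf[xmit->tail];
        xmit->tail = (xmit->tail + 1) & (XMIT_SIZE - 1);
    }
    return (int)sent;
}

/* Vulnerable order: NULLify the pointer, leave head/tail untouched. */
static void shutdown_before_fix(struct circ_buf *xmit)
{
    free(xmit->buf);
    xmit->buf = NULL;
}

/* Fixed order: make the buffer look empty first, then NULLify it. */
static void shutdown_after_fix(struct circ_buf *xmit)
{
    uart_circ_clear(xmit);
    free(xmit->buf);
    xmit->buf = NULL;
}

/* Queue some bytes, shut the port down in the chosen order, then run the
 * late callback. Returns that callback's result: -1 means NULL dereference. */
int simulate(int fixed)
{
    struct circ_buf xmit = { .buf = calloc(XMIT_SIZE, 1), .head = 0, .tail = 0 };
    const char *pending = "AT\r\n";   /* constructed sample: bytes still queued at shutdown */
    char out[XMIT_SIZE];
    size_t i;

    for (i = 0; i < strlen(pending); i++) {
        xmit.buf[xmit.head] = pending[i];
        xmit.head = (xmit.head + 1) & (XMIT_SIZE - 1);
    }

    if (fixed)
        shutdown_after_fix(&xmit);
    else
        shutdown_before_fix(&xmit);

    /* The equivalent of serial_port_runtime_suspend() -> ->start_tx() firing late */
    return model_tx_chars(&xmit, out, sizeof out);
}

int main(void)
{
    printf("before fix: %d (-1 = would dereference NULL)\n", simulate(0));
    printf("after fix:  %d\n", simulate(1));
    return 0;
}
```

The model leaves out the lock and the real free_page() of the buffer; the point it isolates is that emptiness and pointer validity are tracked separately, so only resetting both under the lock makes the late callback safe.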

Conclusion

CVE-2024-26998 identifies a vulnerability in the Linux kernel serial core that can crash the kernel through a NULL pointer dereference when a runtime PM callback races with port shutdown. The fix resolves the issue by clearing the circular buffer's head and tail positions before NULLifying the buffer pointer, so that every path that checks buffer state agrees the buffer is empty. Affected systems, in particular those using 8250-type UARTs with runtime power management, should apply the patched kernel as soon as possible.

Original References

- Linux Kernel Mailing List
- Kernel Git

Timeline

Published on: 05/01/2024 06:15:17 UTC
Last modified on: 05/29/2024 05:26:41 UTC