A vulnerability has been identified and resolved in the Linux kernel's serial: mxs-auart driver. The uart_handle_cts_change() function, which is part of serial_core in the Linux kernel, expects its caller to hold uport->lock, and the mxs-auart interrupt handler was calling it without doing so. This post provides the necessary details, including the code snippet and links to the original references, as well as the exploit details related to this vulnerability.

The Vulnerability

The issue appears when the Bluetooth driver is loaded on an i.MX28 board: the kernel emits the following splat (warning) from the lock-held check in uart_handle_cts_change():

[ 85.119255] ------------[ cut here ]------------
[ 85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec
[ 85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs
[ 85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1
(...)
[ 85.191765] uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4
[ 85.198787] mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210
(...)

To fix this vulnerability, a spinlock is now taken around the CTS state change, so that uart_handle_cts_change() is called with uport->lock held, as it expects.

A code snippet showcasing the implementation of this fix is provided below:

/* Add spinlock to protect the CTS state; flags receives the saved IRQ state */
unsigned long flags;

spin_lock_irqsave(&sport->port.lock, flags);
uart_handle_cts_change(&sport->port, cts);
spin_unlock_irqrestore(&sport->port.lock, flags);

With this spinlock in place, the caller of uart_handle_cts_change() holds uport->lock for the duration of the call, which resolves the vulnerability.
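The lock-held contract described above, as an added userspace model that is not kernel or driver code: the spinlock is modelled as a counter, the kernel's lockdep warning as a counter named warn_count, and run_cts_irq() drives one CTS interrupt through either the original (unlocked) path or the fixed path from the snippet.

```c
/* Added userspace model (not kernel or driver code) of the uport->lock
 * contract behind this fix: the spinlock is a counter, and a call made
 * without it bumps warn_count where the kernel's lockdep check would splat. */
#include <stdbool.h>

struct uart_port {
    int lock;           /* models uport->lock: greater than 0 while held */
    unsigned int cts;   /* models icount.cts, the CTS change counter */
    bool hw_stopped;    /* flow control has paused the transmitter */
};

static int warn_count;  /* stands in for the WARNING lines of the splat */

/* Constructed stand-ins using the kernel macros' calling convention. */
#define spin_lock_irqsave(lock, flags) \
    do { (flags) = 0x80UL; (*(lock))++; } while (0)
#define spin_unlock_irqrestore(lock, flags) \
    do { (void)(flags); (*(lock))--; } while (0)

/* serial_core side: expects the caller to hold port->lock. */
static void uart_handle_cts_change(struct uart_port *port, bool active)
{
    if (port->lock <= 0)
        warn_count++;           /* the kernel's lockdep assertion WARNs here */
    port->cts++;
    port->hw_stopped = !active; /* deasserted CTS pauses transmission */
}

/* Driver side after the fix: lock held around the CTS state change. */
static void mxs_auart_irq_handle_fixed(struct uart_port *port, bool cts)
{
    unsigned long flags;
    spin_lock_irqsave(&port->lock, flags);
    uart_handle_cts_change(port, cts);
    spin_unlock_irqrestore(&port->lock, flags);
}

/* Drives one CTS interrupt through the fixed path, or the original path
 * that called the helper unlocked; returns the warnings that call raised. */
int run_cts_irq(bool fixed, bool cts, struct uart_port *port)
{
    int before = warn_count;
    if (fixed)
        mxs_auart_irq_handle_fixed(port, cts);
    else
        uart_handle_cts_change(port, cts); /* unfixed: no lock taken */
    return warn_count - before;
}
```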

Original References

1. Linux kernel repository: https://github.com/torvalds/linux
2. Bug report: https://bugzilla.kernel.org/show_bug.cgi?id=27000

Exploit Details

Since the vulnerability stems from uart_handle_cts_change() expecting its caller to hold uport->lock, developers must take care at development time to ensure the lock is held wherever the function is called, following the fix shown earlier in this post.

Conclusion

The identified vulnerability in the Linux kernel's serial: mxs-auart driver, involving the uart_handle_cts_change() function, has been resolved by adding a spinlock around the CTS state change. The provided code snippet, reference links, and exploit details serve as a guide to understanding and safeguarding against any issues that may arise from this vulnerability.

Timeline

Published on: 05/01/2024 06:15:18 UTC
Last modified on: 06/25/2024 23:15:29 UTC