A vulnerability was identified and resolved in the Linux kernel concerning the implementation of the Lenovo Yoga Tab2 Pro-138 Fast Charger. The vulnerability could have led to a NULL pointer dereference, potentially causing system instability or crashes. In this post, we will discuss the details of the vulnerability and the solution implemented to fix it. The vulnerability has been assigned the CVE identifier CVE-2025-21685.

Vulnerability Details

The vulnerability was found in the yt2_138_fc_serdev_probe() function, which contained a race condition: devm_serdev_device_open() was called before the client ops were set via serdev_device_set_client_ops(). This ordering can lead to a NULL pointer dereference in the serdev controller's receive_buf handler, because the handler assumes that serdev->ops is valid whenever the SERPORT_ACTIVE flag is set.

This issue is similar to the one fixed in commit 5e700b384ec1 ("platform/chrome: cros_ec_uart: properly fix race condition"), where devm_serdev_device_open() was also called before the device was fully initialized.

Solution

To resolve this vulnerability, the order of operations was changed to ensure that client ops are set before enabling the port via devm_serdev_device_open(). Additionally, the serdev_device_set_baudrate() and serdev_device_set_flow_control() calls were moved to after the devm_serdev_device_open() call.

Here's a code snippet showing the fix:

static void yt2_138_fc_remove(struct serdev_device *serdev)
{
   // [snip]
}

static int yt2_138_fc_serdev_probe(struct serdev_device *serdev)
{
   struct device *dev = &serdev->dev;
   int ret;
   // [snip]

   // Set client ops before devm_serdev_device_open(), so that the
   // controller's receive_buf handler never sees a NULL serdev->ops:
   serdev_device_set_client_ops(serdev, &yt2_138_fc_serdev_ops);

   // Open the serdev device (this is what marks the port SERPORT_ACTIVE):
   ret = devm_serdev_device_open(dev, serdev);
   if (ret)
      return ret;

   // Set baudrate and flow control after open:
   serdev_device_set_baudrate(serdev, YT2_FC_BAUDRATE);
   serdev_device_set_flow_control(serdev, SERDEV_FLOW_CTRL_RTS_CTS);

   // [snip]
}
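The following user-space model, added here as an illustration and not taken from the kernel or the commit, reproduces the ordering problem described above: a controller-side receive path that trusts ops once the port is ACTIVE, an open() that delivers a pending byte immediately, and the probe sequence before and after the fix. All model_* and client_* names are constructed for this example; where the kernel would dereference NULL and oops, the model reports -1 instead.

```c
/* Added model, not kernel code: model_* and client_* names are constructed for illustration. */
#include <stddef.h>
#define SERPORT_ACTIVE 1u
struct model_serdev {
	unsigned int flags;          /* controller sets SERPORT_ACTIVE in open() */
	const struct model_ops *ops; /* client ops; NULL until set_client_ops() */
	size_t bytes_seen;           /* bytes the client's handler consumed */
};
struct model_ops {
	size_t (*receive_buf)(struct model_serdev *sd, const unsigned char *buf, size_t n);
};
/* Mirrors the controller's receive_buf, which trusts ops once ACTIVE is set;
 * where the kernel would dereference NULL and oops, the model returns -1. */
static int model_controller_receive(struct model_serdev *sd, const unsigned char *buf, size_t n)
{
	if (!(sd->flags & SERPORT_ACTIVE))
		return 0;  /* port inactive: data dropped */
	if (!sd->ops)
		return -1; /* the bug: ACTIVE with ops still NULL */
	sd->ops->receive_buf(sd, buf, n);
	return 1;
}
/* Model of devm_serdev_device_open(): the port becomes ACTIVE and, to make the
 * race deterministic, a byte already waiting on the line is delivered at once. */
static int model_open(struct model_serdev *sd)
{
	static const unsigned char pending[] = { 0x42 }; /* constructed input */
	sd->flags |= SERPORT_ACTIVE;
	return model_controller_receive(sd, pending, sizeof pending);
}
static size_t client_receive_buf(struct model_serdev *sd, const unsigned char *buf, size_t n)
{
	(void)buf;
	sd->bytes_seen += n;
	return n;
}
static const struct model_ops client_ops = { .receive_buf = client_receive_buf };
/* Probe order before the fix: open first, set ops afterwards. */
static int probe_before_fix(struct model_serdev *sd)
{
	int rc = model_open(sd);  /* receive path ran with ops == NULL */
	sd->ops = &client_ops;
	return rc;
}
/* Probe order after the fix: set ops, then open. */
static int probe_after_fix(struct model_serdev *sd)
{
	sd->ops = &client_ops;
	return model_open(sd);    /* the byte is handed to the client */
}
```

In the real driver the window is the time between open() and set_client_ops(); the model collapses it to a single delivery so the two orderings give a deterministic result.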

Original References

1. Lenovo Yoga Tab2 Pro-138 Fast Charger Serdev Race Resolution Commit
2. Linux Kernel Mailing List Announcement

Exploit Details

At this time, there are no known exploits for this vulnerability. However, considering that the vulnerability can cause system instability or crashes, it is strongly advised to apply the fix and update the Linux kernel to prevent any potential issues.

Conclusion

The Linux kernel vulnerability (CVE-2025-21685) related to the Lenovo Yoga Tab2 Pro-138 Fast Charger has been successfully resolved. The issue was due to a race condition caused by calling devm_serdev_device_open() before setting the client ops, leading to a potential NULL pointer dereference. By ensuring that the client ops are set before enabling the port and moving the baudrate and flow control calls after the devm_serdev_device_open() call, the vulnerability has been effectively mitigated. Always be sure to keep your systems up to date to prevent security issues and maintain stability.

Timeline

Published on: 02/09/2025 12:15:29 UTC
Last modified on: 02/11/2025 16:11:19 UTC