Message-ID: <2025070936-CVE-2025-38262-419f@gregkh>
Date: Wed, 9 Jul 2025 12:42:54 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38262: tty: serial: uartlite: register uart driver in init
From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

tty: serial: uartlite: register uart driver in init

When two instances of uart devices are probing, a concurrency race can
occur. If one thread calls uart_register_driver function, which first
allocates and assigns memory to 'uart_state' member of uart_driver
structure, the other instance can bypass uart driver registration and
call ulite_assign. This calls uart_add_one_port, which expects the uart
driver to be fully initialized. This leads to a kernel panic due to a
null pointer dereference:

[ 8.143581] BUG: kernel NULL pointer dereference, address: 00000000000002b8
[ 8.156982] #PF: supervisor write access in kernel mode
[ 8.156984] #PF: error_code(0x0002) - not-present page
[ 8.156986] PGD 0 P4D 0
...
[ 8.180668] RIP: 0010:mutex_lock+0x19/0x30
[ 8.188624] Call Trace:
[ 8.188629] ? __die_body.cold+0x1a/0x1f
[ 8.195260] ? page_fault_oops+0x15c/0x290
[ 8.209183] ? __irq_resolve_mapping+0x47/0x80
[ 8.209187] ? exc_page_fault+0x64/0x140
[ 8.209190] ? asm_exc_page_fault+0x22/0x30
[ 8.209196] ? mutex_lock+0x19/0x30
[ 8.223116] uart_add_one_port+0x60/0x440
[ 8.223122] ? proc_tty_register_driver+0x43/0x50
[ 8.223126] ? tty_register_driver+0x1ca/0x1e0
[ 8.246250] ulite_probe+0x357/0x4b0 [uartlite]

To prevent it, move uart driver registration into the init function. This
will ensure that uart_driver is always registered when the probe function
is called.

The Linux kernel CVE team has assigned CVE-2025-38262 to this issue.

Affected and fixed versions
===========================

Fixed in 6.1.143 with commit 6db06aaea07bb7c8e33a425cf7b98bf29ee6056e
Fixed in 6.6.96 with commit 8e958d10dd0ce5ae674cce460db5c9ca3f25243b
Fixed in 6.12.36 with commit 685d29f2c5057b32c7b1b46f2a7d303b926c8f72
Fixed in 6.15.5 with commit f5e4229d94792b40e750f30c92bcf7a3107c72ef
Fixed in 6.16-rc1 with commit 6bd697b5fc39fd24e2aa418c7b7d14469f550a93

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-38262
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	drivers/tty/serial/uartlite.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/6db06aaea07bb7c8e33a425cf7b98bf29ee6056e
https://git.kernel.org/stable/c/8e958d10dd0ce5ae674cce460db5c9ca3f25243b
https://git.kernel.org/stable/c/685d29f2c5057b32c7b1b46f2a7d303b926c8f72
https://git.kernel.org/stable/c/f5e4229d94792b40e750f30c92bcf7a3107c72ef
https://git.kernel.org/stable/c/6bd697b5fc39fd24e2aa418c7b7d14469f550a93
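
The race described in the announcement above, as an added userspace C model (not kernel code and not part of the original message). All struct and function names are hypothetical; the two-step registration stands in for uart_register_driver assigning 'uart_state' before it has finished, and the interleaving is replayed deterministically rather than with real threads.

```c
/* Userspace model of the probe-time registration race (not kernel code).
 * All names are hypothetical stand-ins for the uartlite/serial core paths. */
#include <stdio.h>

struct model_driver {
    void *state;      /* set first, like uart_driver's 'uart_state' member */
    int   registered; /* set last, once registration has fully finished */
};
static char state_storage[4];

/* Registration split in two so the window between the steps is visible. */
static void register_begin(struct model_driver *d)  { d->state = state_storage; }
static void register_finish(struct model_driver *d) { d->registered = 1; }

/* Stand-in for adding a port: reports the bad state instead of crashing. */
static int add_one_port(const struct model_driver *d) { return d->registered ? 0 : -1; }

/* Pre-fix pattern: probe registers lazily, keyed on 'state' being unset.
 * 'other_probe_mid_register' replays the interleaving from the advisory. */
static int probe_lazy(struct model_driver *d, int other_probe_mid_register)
{
    if (other_probe_mid_register)
        register_begin(d);      /* other instance: state assigned, not done */
    if (!d->state) {            /* true only if nobody has started yet */
        register_begin(d);
        register_finish(d);
    }
    return add_one_port(d);     /* may run on a half-registered driver */
}

/* Fixed pattern: init registers fully before any probe can run. */
static int model_init(struct model_driver *d)
{
    register_begin(d);
    register_finish(d);
    return 0;
}
static int probe_fixed(struct model_driver *d) { return add_one_port(d); }

int main(void)
{
    struct model_driver a = {0}, b = {0}, c = {0};
    printf("lazy probe, no race:    %d\n", probe_lazy(&a, 0));
    printf("lazy probe, raced:      %d\n", probe_lazy(&b, 1));
    model_init(&c);
    printf("registered in init:     %d\n", probe_fixed(&c));
    return 0;
}
```

In the model the raced probe gets an error return; in the kernel the same ordering reaches uart_add_one_port on a driver that is not fully initialized, which is the panic in the trace above.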