CVE-2024-35977

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-35977
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-35977.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-35977
Published
2024-05-20T09:42:03Z
Modified
2025-10-09T09:24:15.411046Z
Summary
platform/chrome: cros_ec_uart: properly fix race condition
Details

In the Linux kernel, the following vulnerability has been resolved:

platform/chrome: cros_ec_uart: properly fix race condition

The cros_ec_uart_probe() function calls devm_serdev_device_open() before it calls serdev_device_set_client_ops(). This can trigger a NULL pointer dereference:

BUG: kernel NULL pointer dereference, address: 0000000000000000
...
Call Trace:
 <TASK>
 ...
 ? ttyport_receive_buf

A simplified version of crashing code is as follows:

static inline size_t serdev_controller_receive_buf(struct serdev_controller *ctrl,
                                                  const u8 *data,
                                                  size_t count)
{
        struct serdev_device *serdev = ctrl->serdev;

        if (!serdev || !serdev->ops->receive_buf) // CRASH!
            return 0;

        return serdev->ops->receive_buf(serdev, data, count);
}

It assumes that if SERPORT_ACTIVE is set and serdev exists, serdev->ops will also exist. This conflicts with the existing cros_ec_uart_probe() logic, as it first calls devm_serdev_device_open() (which sets SERPORT_ACTIVE), and only later sets serdev->ops via serdev_device_set_client_ops().

Commit 01f95d42b8f4 ("platform/chrome: cros_ec_uart: fix race condition") attempted to fix a similar race condition, but while doing so, made the window of error for this race condition to happen much wider.

Attempt to fix the race condition again, making sure we fully set up before calling devm_serdev_device_open().
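The ordering problem described above, modelled as an added plain-C example (not kernel code and not the patch): the serdev structures, controller_receive_buf() and probe_with_rx_in_window() are hypothetical stand-ins that show an RX event landing between the two probe steps reaching a NULL ops pointer when open runs first, and being dropped harmlessly when client ops are set first.

```c
#include <stdbool.h>
#include <stddef.h>
/* Hypothetical, simplified model of the serdev objects in the commit message
 * (not the kernel's real structures); SERPORT_ACTIVE is set by open(). */
#define SERPORT_ACTIVE 0x1UL

struct serdev_device;
struct serdev_device_ops {
	size_t (*receive_buf)(struct serdev_device *, const unsigned char *, size_t);
};
struct serdev_device { const struct serdev_device_ops *ops; size_t received; };
struct serdev_controller { unsigned long flags; struct serdev_device *serdev; };

static size_t cros_ec_rx(struct serdev_device *s, const unsigned char *d, size_t n)
{
	(void)d; s->received += n; return n;
}
static const struct serdev_device_ops cros_ec_ops = { .receive_buf = cros_ec_rx };

/* Models the tty -> serdev receive path. Returns -1 where the real code would
 * dereference the NULL ops pointer, otherwise the number of bytes consumed. */
static long controller_receive_buf(struct serdev_controller *ctrl,
				   const unsigned char *data, size_t count)
{
	struct serdev_device *serdev = ctrl->serdev;

	if (!(ctrl->flags & SERPORT_ACTIVE) || !serdev)
		return 0;		/* port not open yet: data dropped, no crash */
	if (!serdev->ops)
		return -1;		/* serdev->ops->receive_buf would fault here */
	return (long)serdev->ops->receive_buf(serdev, data, count);
}

/* Runs probe in the given order with one RX event landing between the two
 * steps (the race window); returns controller_receive_buf's result. */
static long probe_with_rx_in_window(bool open_first)
{
	struct serdev_device dev = { 0 };
	struct serdev_controller ctrl = { 0, &dev };
	static const unsigned char rx[4] = "ECx";	/* constructed sample bytes */

	if (open_first)
		ctrl.flags |= SERPORT_ACTIVE;		/* devm_serdev_device_open() */
	else
		dev.ops = &cros_ec_ops;			/* serdev_device_set_client_ops() */
	long r = controller_receive_buf(&ctrl, rx, 3);	/* interrupt in the window */
	if (open_first)
		dev.ops = &cros_ec_ops;
	else
		ctrl.flags |= SERPORT_ACTIVE;
	return r;
}
```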

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
01f95d42b8f4e88f20d68791b0a85dbb9e3d1ac9
Fixed
cfd758041d8b79aa8c3f811b6bd6105379f2f702
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
01f95d42b8f4e88f20d68791b0a85dbb9e3d1ac9
Fixed
9e9bb74a93b7daa32313ccaefd0edc529d40daf8
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
01f95d42b8f4e88f20d68791b0a85dbb9e3d1ac9
Fixed
5e700b384ec13f5bcac9855cb28fcc674f1d3593

Affected versions

v6.*

v6.2
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.8.1
v6.8.2
v6.8.3
v6.8.4
v6.8.5
v6.8.6

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.3.0
Fixed
6.6.28
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.8.7