CVE-2025-40222

Source
https://cve.org/CVERecord?id=CVE-2025-40222
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40222.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-40222
Aliases
Downstream
Published
2025-12-04T15:31:14.142Z
Modified
2026-02-09T18:27:46.270649Z
Summary
tty: serial: sh-sci: fix RSCI FIFO overrun handling
Details

In the Linux kernel, the following vulnerability has been resolved:

tty: serial: sh-sci: fix RSCI FIFO overrun handling

The receive error handling code is shared between RSCI and all other SCIF port types, but the RSCI overrun_reg is specified as a memory offset, while for other SCIF types it is an enum value used to index into the sci_port_params->regs array, as mentioned above the sci_serial_in() function.

For RSCI, the overrun_reg is CSR (0x48), causing the sci_getreg() call inside the sci_handle_fifo_overrun() function to index outside the bounds of the regs array, which currently has a size of 20, as specified by SCI_NR_REGS.

Because of this, we end up accessing memory outside of RSCI's rsci_port_params structure, which, when interpreted as a plat_sci_reg, happens to have a non-zero size, causing the following WARN when sci_serial_in() is called, as the accidental size does not match the supported register sizes.

The existence of the overrun_reg needs to be checked because SCIx_SH3_SCIF_REGTYPE has overrun_reg set to SCLSR, but SCLSR is not present in the regs array.

Avoid calling sci_getreg() for port types which don't use standard register handling.

Use the ops->read_reg() and ops->write_reg() functions to properly read and write registers for RSCI, and change the type of the status variable to accommodate the 32-bit CSR register.

sci_getreg() and sci_serial_in() are also called with overrun_reg in the sci_mpxed_interrupt() interrupt handler, but that code path is not used for RSCI, as it does not have a muxed interrupt.

------------[ cut here ]------------
Invalid register access
WARNING: CPU: 0 PID: 0 at drivers/tty/serial/sh-sci.c:522 sci_serial_in+0x38/0xac
Modules linked in: renesas_usbhs at24 rzt2h_adc industrialio_adc sha256 cfg80211 bluetooth ecdh_generic ecc rfkill fuse drm backlight ipv6
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.17.0-rc1+ #30 PREEMPT
Hardware name: Renesas RZ/T2H EVK Board based on r9a09g077m44 (DT)
pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : sci_serial_in+0x38/0xac
lr : sci_serial_in+0x38/0xac
sp : ffff800080003e80
x29: ffff800080003e80 x28: ffff800082195b80 x27: 000000000000000d
x26: ffff8000821956d0 x25: 0000000000000000 x24: ffff800082195b80
x23: ffff000180e0d800 x22: 0000000000000010 x21: 0000000000000000
x20: 0000000000000010 x19: ffff000180e72000 x18: 000000000000000a
x17: ffff8002bcee7000 x16: ffff800080000000 x15: 0720072007200720
x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720
x11: 0000000000000058 x10: 0000000000000018 x9 : ffff8000821a6a48
x8 : 0000000000057fa8 x7 : 0000000000000406 x6 : ffff8000821fea48
x5 : ffff00033ef88408 x4 : ffff8002bcee7000 x3 : ffff800082195b80
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff800082195b80
Call trace:
 sci_serial_in+0x38/0xac (P)
 sci_handle_fifo_overrun.isra.0+0x70/0x134
 sci_er_interrupt+0x50/0x39c
 __handle_irq_event_percpu+0x48/0x140
 handle_irq_event+0x44/0xb0
 handle_fasteoi_irq+0xf4/0x1a0
 handle_irq_desc+0x34/0x58
 generic_handle_domain_irq+0x1c/0x28
 gic_handle_irq+0x4c/0x140
 call_on_irq_stack+0x30/0x48
 do_interrupt_handler+0x80/0x84
 el1_interrupt+0x34/0x68
 el1h_64_irq_handler+0x18/0x24
 el1h_64_irq+0x6c/0x70
 default_idle_call+0x28/0x58 (P)
 do_idle+0x1f8/0x250
 cpu_startup_entry+0x34/0x3c
 rest_init+0xd8/0xe0
 console_on_rootfs+0x0/0x6c
 __primary_switched+0x88/0x90
---[ end trace 0000000000000000 ]---

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40222.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0666e3fe95ab55c295984f2f51277ec27d3f190c
Fixed
2ec9bbd09a6cdf5b8c726be34f29630faf585d07
Fixed
ef8fef45c74b5a0059488fda2df65fa133f7d7d0

Affected versions

v6.*
v6.16
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.17
v6.17-rc1
v6.17-rc2
v6.17-rc3
v6.17-rc4
v6.17-rc5
v6.17-rc6
v6.17-rc7
v6.17.1
v6.17.2
v6.17.3
v6.17.4
v6.17.5
v6.18-rc1
v6.18-rc2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40222.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.17.0
Fixed
6.17.6

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40222.json"