A critical vulnerability (CVE-2023-52456) has been identified and resolved in the Linux kernel's serial port driver. It can deadlock the transmit (TX) state machine when the serial port is used as an RS485 port. As a result, the TX_EN (Transmit Enable) signal remains low, rendering the interface useless.

Original References

- Linux Kernel Mailing List
- Linux Kernel Git Repository
- NVD - National Vulnerability Database

Vulnerability Details

In the Linux kernel's serial port driver, specifically the imx_uart driver, the TX state machine controls the RTS (Request to Send) pin, which drives the RS485 transceiver's TX_EN (Transmit Enable) signal. When the TTY (Teletype) port is closed in the middle of a transmission (for example because the userland application crashed), the imx_uart_shutdown function disables the interface, including the Transmission Complete (TC) interrupt. The imx_uart_stop_tx function, called afterwards, bails out on the incomplete transmission, expecting to be re-triggered by the TC interrupt. Because that interrupt is now disabled, the TX state machine never transitions out of the SEND state: it deadlocks, the TX_EN signal remains low, and the interface becomes useless.

Exploit

An attacker could potentially force the serial port driver into this deadlock by interrupting a transmission with a userland application crash. This would render the RS485 interface unusable and amounts to a denial of service (DoS).

Code Snippet - Fix

To fix this vulnerability, the imx_uart_stop_tx function has been updated so that it only bails out on an incomplete transmission, to be re-triggered later, when the TC interrupt is actually enabled. This ensures that the state machine handling is reached and the state is properly set to WAIT_AFTER_SEND.

static void imx_uart_stop_tx(struct uart_port *port)
{
	...
	/* Nothing left to hand to the hardware: release the lock and return. */
	if (imx_port->txfifo.current <  ||
	    !(readl(imx_port->port.membase + USR1) & USR1_TRDY)) {
		spin_unlock_irqrestore(&port->lock, flags);
		return;
	}

	/*
	 * Fixed check: only defer to a later TC interrupt if that interrupt
	 * is still enabled. After imx_uart_shutdown() it is not, so we must
	 * fall through to the state machine handling below instead of
	 * bailing out and waiting for an interrupt that will never come.
	 */
	if (!imx_port->dma_is_enabled && !(ucr1 & UCR1_TCEN)) {
		spin_unlock_irqrestore(&port->lock, flags);
		return;
	}
	...

	/* updated state machine handling */
	if (imx_port->txfifo.current == imx_port->txfifo.len) {
		/* Transmission finished: release the RS485 transmitter. */
		imx_rs485_stop(port);
		imx_port->txfifo.state = MXC_UART_WAIT_AFTER_SEND;
	} else {
		/* Transmission cut short: mark it cancelled and update UCR4. */
		imx_port->txfifo.state = MXC_UART_SENDING_CANCEL;
		writel(ucr4, imx_port->port.membase + UCR4);
	}
}
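The following is an added, constructed user-space model of the deadlock described under Vulnerability Details and of the check introduced by the fix; it is not the kernel's imx driver code. Register bits are modelled as plain flags, and the state and field names (TX_SEND, tc_irq_enabled, shifter_busy, close_mid_transmission) are assumptions made for the model.

```c
/* Constructed model of the RS485 TX state-machine deadlock; NOT the imx
 * driver. Register bits are plain flags and all names are assumptions. */
#include <stdbool.h>

enum tx_state { TX_OFF, TX_SEND, TX_WAIT_AFTER_SEND };

struct model_port {
    enum tx_state state;
    bool tc_irq_enabled;  /* Transmission Complete interrupt enable bit */
    bool shifter_busy;    /* bytes still leaving the transmit shifter */
};

/* Models imx_uart_shutdown(): closing the tty disables the interface,
 * including the TC interrupt. */
static void model_shutdown(struct model_port *p)
{
    p->tc_irq_enabled = false;
}

/* Models imx_uart_stop_tx(); `fixed` selects the pre- or post-fix check. */
static void model_stop_tx(struct model_port *p, bool fixed)
{
    if (p->state == TX_OFF)
        return;
    /* Pre-fix: bail on any incomplete transmission, expecting the TC
     * interrupt to re-trigger us. Post-fix: bail only while that
     * interrupt is still enabled; otherwise nobody will call us again. */
    if (p->shifter_busy && (!fixed || p->tc_irq_enabled))
        return;
    p->tc_irq_enabled = false;
    if (p->state == TX_SEND)
        p->state = TX_WAIT_AFTER_SEND;  /* RS485 transmitter released */
}

/* Models the TC interrupt, which only fires while it is enabled. */
static void model_tc_complete(struct model_port *p, bool fixed)
{
    if (!p->tc_irq_enabled)
        return;
    p->shifter_busy = false;
    model_stop_tx(p, fixed);
}

/* Close the port mid-transmission and report where the machine ends up:
 * TX_SEND means the deadlock, TX_WAIT_AFTER_SEND means a clean stop. */
enum tx_state close_mid_transmission(bool fixed)
{
    struct model_port p = { TX_SEND, true, true };
    model_shutdown(&p);           /* userland crashed: tty is closed */
    model_stop_tx(&p, fixed);     /* tty layer stops the transmitter */
    model_tc_complete(&p, fixed); /* shifter drains, but the irq is off */
    return p.state;
}
```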

Conclusion

The Linux kernel vulnerability CVE-2023-52456 has been addressed by updating the imx_uart_stop_tx function so that the TX state machine is handled correctly and can no longer deadlock. Users are advised to apply the relevant patches and updates to their systems to mitigate the risk of this vulnerability being exploited.

Timeline

Published on: 02/23/2024 15:15:08 UTC
Last modified on: 04/30/2024 19:34:11 UTC