FKIE_CVE-2023-54287

Vulnerability from fkie_nvd - Published: 2025-12-30 13:16 - Updated: 2026-04-15 00:35
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: tty: serial: imx: disable Ageing Timer interrupt request irq There maybe pending USR interrupt before requesting irq, however uart_add_one_port has not executed, so there will be kernel panic: [ 0.795668] Unable to handle kernel NULL pointer dereference at virtual addre ss 0000000000000080 [ 0.802701] Mem abort info: [ 0.805367] ESR = 0x0000000096000004 [ 0.808950] EC = 0x25: DABT (current EL), IL = 32 bits [ 0.814033] SET = 0, FnV = 0 [ 0.816950] EA = 0, S1PTW = 0 [ 0.819950] FSC = 0x04: level 0 translation fault [ 0.824617] Data abort info: [ 0.827367] ISV = 0, ISS = 0x00000004 [ 0.831033] CM = 0, WnR = 0 [ 0.833866] [0000000000000080] user address but active_mm is swapper [ 0.839951] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 0.845953] Modules linked in: [ 0.848869] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.1+g56321e101aca #1 [ 0.855617] Hardware name: Freescale i.MX8MP EVK (DT) [ 0.860452] pstate: 000000c5 (nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 0.867117] pc : __imx_uart_rxint.constprop.0+0x11c/0x2c0 [ 0.872283] lr : imx_uart_int+0xf8/0x1ec The issue only happends in the inmate linux when Jailhouse hypervisor enabled. The test procedure is: while true; do jailhouse enable imx8mp.cell jailhouse cell linux xxxx sleep 10 jailhouse cell destroy 1 jailhouse disable sleep 5 done And during the upper test, press keys to the 2nd linux console. When `jailhouse cell destroy 1`, the 2nd linux has no chance to put the uart to a quiese state, so USR1/2 may has pending interrupts. Then when `jailhosue cell linux xx` to start 2nd linux again, the issue trigger. In order to disable irqs before requesting them, both UCR1 and UCR2 irqs should be disabled, so here fix that, disable the Ageing Timer interrupt in UCR2 as UCR1 does.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3d41d9b256ae626c0dc434427c8e32450358d3b4
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/963875b0655197281775b0ea614aab8b6b3eb001
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9795ece3a85ba9238191e97665586e2d79703ff3
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ef25e16ea9674b713a68c3bda821556ce9901254
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: imx: disable Ageing Timer interrupt request irq\n\nThere maybe pending USR interrupt before requesting irq, however\nuart_add_one_port has not executed, so there will be kernel panic:\n[    0.795668] Unable to handle kernel NULL pointer dereference at virtual addre\nss 0000000000000080\n[    0.802701] Mem abort info:\n[    0.805367]   ESR = 0x0000000096000004\n[    0.808950]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    0.814033]   SET = 0, FnV = 0\n[    0.816950]   EA = 0, S1PTW = 0\n[    0.819950]   FSC = 0x04: level 0 translation fault\n[    0.824617] Data abort info:\n[    0.827367]   ISV = 0, ISS = 0x00000004\n[    0.831033]   CM = 0, WnR = 0\n[    0.833866] [0000000000000080] user address but active_mm is swapper\n[    0.839951] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[    0.845953] Modules linked in:\n[    0.848869] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.1+g56321e101aca #1\n[    0.855617] Hardware name: Freescale i.MX8MP EVK (DT)\n[    0.860452] pstate: 000000c5 (nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    0.867117] pc : __imx_uart_rxint.constprop.0+0x11c/0x2c0\n[    0.872283] lr : imx_uart_int+0xf8/0x1ec\n\nThe issue only happends in the inmate linux when Jailhouse hypervisor\nenabled. The test procedure is:\nwhile true; do\n\tjailhouse enable imx8mp.cell\n\tjailhouse cell linux xxxx\n\tsleep 10\n\tjailhouse cell destroy 1\n\tjailhouse disable\n\tsleep 5\ndone\n\nAnd during the upper test, press keys to the 2nd linux console.\nWhen `jailhouse cell destroy 1`, the 2nd linux has no chance to put\nthe uart to a quiese state, so USR1/2 may has pending interrupts. Then\nwhen `jailhosue cell linux xx` to start 2nd linux again, the issue\ntrigger.\n\nIn order to disable irqs before requesting them, both UCR1 and UCR2 irqs\nshould be disabled, so here fix that, disable the Ageing Timer interrupt\nin UCR2 as UCR1 does."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ntty: serial: imx: deshabilitar la solicitud de interrupci\u00f3n irq del temporizador de envejecimiento\n\nPuede haber una interrupci\u00f3n USR pendiente antes de solicitar irq, sin embargo, uart_add_one_port no se ha ejecutado, por lo que habr\u00e1 un p\u00e1nico del kernel:\n[    0.795668] Incapaz de manejar la desreferencia de puntero NULL del kernel en la direcci\u00f3n virtual 0000000000000080\n[    0.802701] Informaci\u00f3n de aborto de memoria:\n[    0.805367]   ESR = 0x0000000096000004\n[    0.808950]   EC = 0x25: DABT (EL actual), IL = 32 bits\n[    0.814033]   SET = 0, FnV = 0\n[    0.816950]   EA = 0, S1PTW = 0\n[    0.819950]   FSC = 0x04: fallo de traducci\u00f3n de nivel 0\n[    0.824617] Informaci\u00f3n de aborto de datos:\n[    0.827367]   ISV = 0, ISS = 0x00000004\n[    0.831033]   CM = 0, WnR = 0\n[    0.833866] [0000000000000080] direcci\u00f3n de usuario pero active_mm es swapper\n[    0.839951] Error interno: Oops: 0000000096000004 [#1] PREEMPT SMP\n[    0.845953] M\u00f3dulos enlazados:\n[    0.848869] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.1+g56321e101aca #1\n[    0.855617] Nombre del hardware: Freescale i.MX8MP EVK (DT)\n[    0.860452] pstate: 000000c5 (nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    0.867117] pc : __imx_uart_rxint.constprop.0+0x11c/0x2c0\n[    0.872283] lr : imx_uart_int+0xf8/0x1ec\n\nEl problema solo ocurre en el linux \u0027inmate\u0027 cuando el hipervisor Jailhouse est\u00e1 habilitado. El procedimiento de prueba es:\nwhile true; do\n\tjailhouse enable imx8mp.cell\n\tjailhouse cell linux xxxx\n\tsleep 10\n\tjailhouse cell destroy 1\n\tjailhouse disable\n\tsleep 5\ndone\n\nY durante la prueba anterior, presione teclas en la segunda consola de linux.\nCuando \u0027jailhouse cell destroy 1\u0027, el segundo linux no tiene oportunidad de poner el uart en un estado de reposo, por lo que USR1/2 puede tener interrupciones pendientes. Luego, cuando \u0027jailhosue cell linux xx\u0027 para iniciar el segundo linux nuevamente, el problema se activa.\n\nPara deshabilitar las irqs antes de solicitarlas, tanto las irqs de UCR1 como las de UCR2 deben deshabilitarse, as\u00ed que aqu\u00ed se corrige eso, deshabilitando la interrupci\u00f3n del temporizador de envejecimiento en UCR2 como lo hace UCR1."
    }
  ],
  "id": "CVE-2023-54287",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {},
  "published": "2025-12-30T13:16:17.730",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/3d41d9b256ae626c0dc434427c8e32450358d3b4"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/963875b0655197281775b0ea614aab8b6b3eb001"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/9795ece3a85ba9238191e97665586e2d79703ff3"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ef25e16ea9674b713a68c3bda821556ce9901254"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Deferred"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.