CVE-2023-54287 (GCVE-0-2023-54287)
Vulnerability from cvelistv5
Published
2025-12-30 12:23
Modified
2025-12-30 12:23
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: tty: serial: imx: disable Ageing Timer interrupt request irq There maybe pending USR interrupt before requesting irq, however uart_add_one_port has not executed, so there will be kernel panic: [ 0.795668] Unable to handle kernel NULL pointer dereference at virtual addre ss 0000000000000080 [ 0.802701] Mem abort info: [ 0.805367] ESR = 0x0000000096000004 [ 0.808950] EC = 0x25: DABT (current EL), IL = 32 bits [ 0.814033] SET = 0, FnV = 0 [ 0.816950] EA = 0, S1PTW = 0 [ 0.819950] FSC = 0x04: level 0 translation fault [ 0.824617] Data abort info: [ 0.827367] ISV = 0, ISS = 0x00000004 [ 0.831033] CM = 0, WnR = 0 [ 0.833866] [0000000000000080] user address but active_mm is swapper [ 0.839951] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 0.845953] Modules linked in: [ 0.848869] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.1+g56321e101aca #1 [ 0.855617] Hardware name: Freescale i.MX8MP EVK (DT) [ 0.860452] pstate: 000000c5 (nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 0.867117] pc : __imx_uart_rxint.constprop.0+0x11c/0x2c0 [ 0.872283] lr : imx_uart_int+0xf8/0x1ec The issue only happends in the inmate linux when Jailhouse hypervisor enabled. The test procedure is: while true; do jailhouse enable imx8mp.cell jailhouse cell linux xxxx sleep 10 jailhouse cell destroy 1 jailhouse disable sleep 5 done And during the upper test, press keys to the 2nd linux console. When `jailhouse cell destroy 1`, the 2nd linux has no chance to put the uart to a quiese state, so USR1/2 may has pending interrupts. Then when `jailhosue cell linux xx` to start 2nd linux again, the issue trigger. In order to disable irqs before requesting them, both UCR1 and UCR2 irqs should be disabled, so here fix that, disable the Ageing Timer interrupt in UCR2 as UCR1 does.
References
Impacted products
Vendor Product Version
Linux Linux Version: 8a61f0c70ae65c6b70d13228c3120c73d7425a60
Version: 8a61f0c70ae65c6b70d13228c3120c73d7425a60
Version: 8a61f0c70ae65c6b70d13228c3120c73d7425a60
Version: 8a61f0c70ae65c6b70d13228c3120c73d7425a60
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/imx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3d41d9b256ae626c0dc434427c8e32450358d3b4",
              "status": "affected",
              "version": "8a61f0c70ae65c6b70d13228c3120c73d7425a60",
              "versionType": "git"
            },
            {
              "lessThan": "9795ece3a85ba9238191e97665586e2d79703ff3",
              "status": "affected",
              "version": "8a61f0c70ae65c6b70d13228c3120c73d7425a60",
              "versionType": "git"
            },
            {
              "lessThan": "963875b0655197281775b0ea614aab8b6b3eb001",
              "status": "affected",
              "version": "8a61f0c70ae65c6b70d13228c3120c73d7425a60",
              "versionType": "git"
            },
            {
              "lessThan": "ef25e16ea9674b713a68c3bda821556ce9901254",
              "status": "affected",
              "version": "8a61f0c70ae65c6b70d13228c3120c73d7425a60",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/imx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.3"
            },
            {
              "lessThan": "4.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.99",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.16",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2.3",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: imx: disable Ageing Timer interrupt request irq\n\nThere maybe pending USR interrupt before requesting irq, however\nuart_add_one_port has not executed, so there will be kernel panic:\n[    0.795668] Unable to handle kernel NULL pointer dereference at virtual addre\nss 0000000000000080\n[    0.802701] Mem abort info:\n[    0.805367]   ESR = 0x0000000096000004\n[    0.808950]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    0.814033]   SET = 0, FnV = 0\n[    0.816950]   EA = 0, S1PTW = 0\n[    0.819950]   FSC = 0x04: level 0 translation fault\n[    0.824617] Data abort info:\n[    0.827367]   ISV = 0, ISS = 0x00000004\n[    0.831033]   CM = 0, WnR = 0\n[    0.833866] [0000000000000080] user address but active_mm is swapper\n[    0.839951] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[    0.845953] Modules linked in:\n[    0.848869] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.1+g56321e101aca #1\n[    0.855617] Hardware name: Freescale i.MX8MP EVK (DT)\n[    0.860452] pstate: 000000c5 (nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    0.867117] pc : __imx_uart_rxint.constprop.0+0x11c/0x2c0\n[    0.872283] lr : imx_uart_int+0xf8/0x1ec\n\nThe issue only happends in the inmate linux when Jailhouse hypervisor\nenabled. The test procedure is:\nwhile true; do\n\tjailhouse enable imx8mp.cell\n\tjailhouse cell linux xxxx\n\tsleep 10\n\tjailhouse cell destroy 1\n\tjailhouse disable\n\tsleep 5\ndone\n\nAnd during the upper test, press keys to the 2nd linux console.\nWhen `jailhouse cell destroy 1`, the 2nd linux has no chance to put\nthe uart to a quiese state, so USR1/2 may has pending interrupts. Then\nwhen `jailhosue cell linux xx` to start 2nd linux again, the issue\ntrigger.\n\nIn order to disable irqs before requesting them, both UCR1 and UCR2 irqs\nshould be disabled, so here fix that, disable the Ageing Timer interrupt\nin UCR2 as UCR1 does."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:23:27.076Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3d41d9b256ae626c0dc434427c8e32450358d3b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/9795ece3a85ba9238191e97665586e2d79703ff3"
        },
        {
          "url": "https://git.kernel.org/stable/c/963875b0655197281775b0ea614aab8b6b3eb001"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef25e16ea9674b713a68c3bda821556ce9901254"
        }
      ],
      "title": "tty: serial: imx: disable Ageing Timer interrupt request irq",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54287",
    "datePublished": "2025-12-30T12:23:27.076Z",
    "dateReserved": "2025-12-30T12:06:44.526Z",
    "dateUpdated": "2025-12-30T12:23:27.076Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-54287\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-30T13:16:17.730\",\"lastModified\":\"2025-12-31T20:42:43.210\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntty: serial: imx: disable Ageing Timer interrupt request irq\\n\\nThere maybe pending USR interrupt before requesting irq, however\\nuart_add_one_port has not executed, so there will be kernel panic:\\n[    0.795668] Unable to handle kernel NULL pointer dereference at virtual addre\\nss 0000000000000080\\n[    0.802701] Mem abort info:\\n[    0.805367]   ESR = 0x0000000096000004\\n[    0.808950]   EC = 0x25: DABT (current EL), IL = 32 bits\\n[    0.814033]   SET = 0, FnV = 0\\n[    0.816950]   EA = 0, S1PTW = 0\\n[    0.819950]   FSC = 0x04: level 0 translation fault\\n[    0.824617] Data abort info:\\n[    0.827367]   ISV = 0, ISS = 0x00000004\\n[    0.831033]   CM = 0, WnR = 0\\n[    0.833866] [0000000000000080] user address but active_mm is swapper\\n[    0.839951] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\\n[    0.845953] Modules linked in:\\n[    0.848869] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.1+g56321e101aca #1\\n[    0.855617] Hardware name: Freescale i.MX8MP EVK (DT)\\n[    0.860452] pstate: 000000c5 (nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n[    0.867117] pc : __imx_uart_rxint.constprop.0+0x11c/0x2c0\\n[    0.872283] lr : imx_uart_int+0xf8/0x1ec\\n\\nThe issue only happends in the inmate linux when Jailhouse hypervisor\\nenabled. The test procedure is:\\nwhile true; do\\n\\tjailhouse enable imx8mp.cell\\n\\tjailhouse cell linux xxxx\\n\\tsleep 10\\n\\tjailhouse cell destroy 1\\n\\tjailhouse disable\\n\\tsleep 5\\ndone\\n\\nAnd during the upper test, press keys to the 2nd linux console.\\nWhen `jailhouse cell destroy 1`, the 2nd linux has no chance to put\\nthe uart to a quiese state, so USR1/2 may has pending interrupts. Then\\nwhen `jailhosue cell linux xx` to start 2nd linux again, the issue\\ntrigger.\\n\\nIn order to disable irqs before requesting them, both UCR1 and UCR2 irqs\\nshould be disabled, so here fix that, disable the Ageing Timer interrupt\\nin UCR2 as UCR1 does.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3d41d9b256ae626c0dc434427c8e32450358d3b4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/963875b0655197281775b0ea614aab8b6b3eb001\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9795ece3a85ba9238191e97665586e2d79703ff3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ef25e16ea9674b713a68c3bda821556ce9901254\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.