CVE-2024-44951 (GCVE-0-2024-44951)

Vulnerability from cvelistv5 – Published: 2024-09-04 18:35 – Updated: 2025-05-04 12:58
VLAI?
Title
serial: sc16is7xx: fix TX fifo corruption
Summary
In the Linux kernel, the following vulnerability has been resolved: serial: sc16is7xx: fix TX fifo corruption Sometimes, when a packet is received on channel A at almost the same time as a packet is about to be transmitted on channel B, we observe with a logic analyzer that the received packet on channel A is transmitted on channel B. In other words, the Tx buffer data on channel B is corrupted with data from channel A. The problem appeared since commit 4409df5866b7 ("serial: sc16is7xx: change EFR lock to operate on each channels"), which changed the EFR locking to operate on each channel instead of chip-wise. This commit has introduced a regression, because the EFR lock is used not only to protect the EFR registers access, but also, in a very obscure and undocumented way, to protect access to the data buffer, which is shared by the Tx and Rx handlers, but also by each channel of the IC. Fix this regression first by switching to kfifo_out_linear_ptr() in sc16is7xx_handle_tx() to eliminate the need for a shared Rx/Tx buffer. Secondly, replace the chip-wise Rx buffer with a separate Rx buffer for each channel.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 4409df5866b7ff7686ba27e449ca97a92ee063c9 , < 09cfe05e9907f3276887a20e267cc40e202f4fdd (git)
Affected: 4409df5866b7ff7686ba27e449ca97a92ee063c9 , < 133f4c00b8b2bfcacead9b81e7e8edfceb4b06c4 (git)
Affected: 4b068e55bf5ea7bab4d8a282c6a24b03e80c0b68 (git)
Affected: 9879e1bec3c0f077427dd0d258c80c63ce9babdf (git)
Affected: dbe196ca489f3833e0f9eeb86ac346194f131c91 (git)
Create a notification for this product.
    Linux Linux Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.10.5 , ≤ 6.10.* (semver)
Unaffected: 6.11 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-44951",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T17:40:19.986023Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-12T17:33:36.992Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/sc16is7xx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "09cfe05e9907f3276887a20e267cc40e202f4fdd",
              "status": "affected",
              "version": "4409df5866b7ff7686ba27e449ca97a92ee063c9",
              "versionType": "git"
            },
            {
              "lessThan": "133f4c00b8b2bfcacead9b81e7e8edfceb4b06c4",
              "status": "affected",
              "version": "4409df5866b7ff7686ba27e449ca97a92ee063c9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "4b068e55bf5ea7bab4d8a282c6a24b03e80c0b68",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9879e1bec3c0f077427dd0d258c80c63ce9babdf",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "dbe196ca489f3833e0f9eeb86ac346194f131c91",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/sc16is7xx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.5",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.1.76",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.7.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: sc16is7xx: fix TX fifo corruption\n\nSometimes, when a packet is received on channel A at almost the same time\nas a packet is about to be transmitted on channel B, we observe with a\nlogic analyzer that the received packet on channel A is transmitted on\nchannel B. In other words, the Tx buffer data on channel B is corrupted\nwith data from channel A.\n\nThe problem appeared since commit 4409df5866b7 (\"serial: sc16is7xx: change\nEFR lock to operate on each channels\"), which changed the EFR locking to\noperate on each channel instead of chip-wise.\n\nThis commit has introduced a regression, because the EFR lock is used not\nonly to protect the EFR registers access, but also, in a very obscure and\nundocumented way, to protect access to the data buffer, which is shared by\nthe Tx and Rx handlers, but also by each channel of the IC.\n\nFix this regression first by switching to kfifo_out_linear_ptr() in\nsc16is7xx_handle_tx() to eliminate the need for a shared Rx/Tx buffer.\n\nSecondly, replace the chip-wise Rx buffer with a separate Rx buffer for\neach channel."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:58:25.989Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/09cfe05e9907f3276887a20e267cc40e202f4fdd"
        },
        {
          "url": "https://git.kernel.org/stable/c/133f4c00b8b2bfcacead9b81e7e8edfceb4b06c4"
        }
      ],
      "title": "serial: sc16is7xx: fix TX fifo corruption",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-44951",
    "datePublished": "2024-09-04T18:35:51.366Z",
    "dateReserved": "2024-08-21T05:34:56.665Z",
    "dateUpdated": "2025-05-04T12:58:25.989Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-44951\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-10T17:40:19.986023Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-11T12:42:27.672Z\"}}], \"cna\": {\"title\": \"serial: sc16is7xx: fix TX fifo corruption\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"4409df5866b7ff7686ba27e449ca97a92ee063c9\", \"lessThan\": \"09cfe05e9907f3276887a20e267cc40e202f4fdd\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"4409df5866b7ff7686ba27e449ca97a92ee063c9\", \"lessThan\": \"133f4c00b8b2bfcacead9b81e7e8edfceb4b06c4\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"4b068e55bf5ea7bab4d8a282c6a24b03e80c0b68\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9879e1bec3c0f077427dd0d258c80c63ce9babdf\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"dbe196ca489f3833e0f9eeb86ac346194f131c91\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/tty/serial/sc16is7xx.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.8\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"6.8\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.10.5\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.10.*\"}, {\"status\": \"unaffected\", \"version\": \"6.11\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/tty/serial/sc16is7xx.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/09cfe05e9907f3276887a20e267cc40e202f4fdd\"}, {\"url\": \"https://git.kernel.org/stable/c/133f4c00b8b2bfcacead9b81e7e8edfceb4b06c4\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nserial: sc16is7xx: fix TX fifo corruption\\n\\nSometimes, when a packet is received on channel A at almost the same time\\nas a packet is about to be transmitted on channel B, we observe with a\\nlogic analyzer that the received packet on channel A is transmitted on\\nchannel B. In other words, the Tx buffer data on channel B is corrupted\\nwith data from channel A.\\n\\nThe problem appeared since commit 4409df5866b7 (\\\"serial: sc16is7xx: change\\nEFR lock to operate on each channels\\\"), which changed the EFR locking to\\noperate on each channel instead of chip-wise.\\n\\nThis commit has introduced a regression, because the EFR lock is used not\\nonly to protect the EFR registers access, but also, in a very obscure and\\nundocumented way, to protect access to the data buffer, which is shared by\\nthe Tx and Rx handlers, but also by each channel of the IC.\\n\\nFix this regression first by switching to kfifo_out_linear_ptr() in\\nsc16is7xx_handle_tx() to eliminate the need for a shared Rx/Tx buffer.\\n\\nSecondly, replace the chip-wise Rx buffer with a separate Rx buffer for\\neach channel.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.10.5\", \"versionStartIncluding\": \"6.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.11\", \"versionStartIncluding\": \"6.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"6.1.76\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"6.6.15\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"6.7.3\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T12:58:25.989Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-44951\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-04T12:58:25.989Z\", \"dateReserved\": \"2024-08-21T05:34:56.665Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-09-04T18:35:51.366Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.