CVE-2023-54287

Published: Dic 30, 2025 Last Modified: Dic 31, 2025

ExploitDB:

Other exploit source:

Google Dorks:

Description

AI Translation Available

In the Linux kernel, the following vulnerability has been resolved:

tty: serial: imx: disable Ageing Timer interrupt request irq

There maybe pending USR interrupt before requesting irq, however
uart_add_one_port has not executed, so there will be kernel panic:
[ 0.795668] Unable to handle kernel NULL pointer dereference at virtual addre
ss 0000000000000080
[ 0.802701] Mem abort info:
[ 0.805367] ESR = 0x0000000096000004
[ 0.808950] EC = 0x25: DABT (current EL), IL = 32 bits
[ 0.814033] SET = 0, FnV = 0
[ 0.816950] EA = 0, S1PTW = 0
[ 0.819950] FSC = 0x04: level 0 translation fault
[ 0.824617] Data abort info:
[ 0.827367] ISV = 0, ISS = 0x00000004
[ 0.831033] CM = 0, WnR = 0
[ 0.833866] [0000000000000080] user address but active_mm is swapper
[ 0.839951] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[ 0.845953] Modules linked in:
[ 0.848869] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.1+g56321e101aca #1
[ 0.855617] Hardware name: Freescale i.MX8MP EVK (DT)
[ 0.860452] pstate: 000000c5 (nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 0.867117] pc : __imx_uart_rxint.constprop.0+0x11c/0x2c0
[ 0.872283] lr : imx_uart_int+0xf8/0x1ec

The issue only happends in the inmate linux when Jailhouse hypervisor
enabled. The test procedure is:
while true; do
jailhouse enable imx8mp.cell
jailhouse cell linux xxxx
sleep 10
jailhouse cell destroy 1
jailhouse disable
sleep 5
done

And during the upper test, press keys to the 2nd linux console.
When `jailhouse cell destroy 1`, the 2nd linux has no chance to put
the uart to a quiese state, so USR1/2 may has pending interrupts. Then
when `jailhosue cell linux xx` to start 2nd linux again, the issue
trigger.

In order to disable irqs before requesting them, both UCR1 and UCR2 irqs
should be disabled, so here fix that, disable the Ageing Timer interrupt
in UCR2 as UCR1 does.

AI Generated Translation

Nel kernel Linux, è stata risolta la seguente vulnerabilità:

tty: serial: imx: disabilitare l'interrupt request dell'Ageing Timer

Potrebbero esserci interrupt USR pendenti prima di richiedere l'irq, tuttavia
la funzione uart_add_one_port non è stata eseguita, quindi si verifica un kernel panic:
[ 0.795668] Impossibile gestire dereferenziazione di puntatore NULL nel kernel all'indirizzo virtuale
0000000000000080
[ 0.802701] Mem abort info:
[ 0.805367] ESR = 0x0000000096000004
[ 0.808950] EC = 0x25: DABT (current EL), IL = 32 bit
[ 0.814033] SET = 0, FnV = 0
[ 0.816950] EA = 0, S1PTW = 0
[ 0.819950] FSC = 0x04: livello 0 fault di traduzione
[ 0.824617] Data abort info:
[ 0.827367] ISV = 0, ISS = 0x00000004
[ 0.831033] CM = 0, WnR = 0
[ 0.833866] [0000000000000080] indirizzo utente ma active_mm è swapper
[ 0.839951] Errore interno: Oops: 0000000096000004 [#1] PREEMPT SMP
[ 0.845953] Moduli collegati:
[ 0.848869] CPU: 0 PID: 1 Comm: swapper/0 Kernel non manomesso 6.1.1+g56321e101aca #1
[ 0.855617] Nome hardware: Freescale i.MX8MP EVK (DT)
[ 0.860452] pstate: 000000c5 (nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 0.867117] pc : __imx_uart_rxint.constprop.0+0x11c/0x2c0
[ 0.872283] lr : imx_uart_int+0xf8/0x1ec

Il problema si verifica solo in Linux in modalità inmate quando l'hypervisor Jailhouse è abilitato. La procedura di test è:
while true; do
jailhouse enable imx8mp.cell
jailhouse cell linux xxxx
sleep 10
jailhouse cell destroy 1
jailhouse disable
sleep 5
done

Durante il test sopra, premere i tasti sulla seconda console Linux.
Quando si esegue `jailhouse cell destroy 1`, il secondo Linux non ha modo di mettere
l'uart in uno stato di quiescenza, quindi gli interrupt USR1/2 potrebbero essere pendenti. Successivamente,
quando si avvia di nuovo `jailhouse cell linux xx`, si verifica il trigger del problema.

Per disabilitare gli irq prima di richiederli, sia gli irq UCR1 che UCR2 devono essere disabilitati,
quindi questa correzione disabilita l'interrupt dell'Ageing Timer in UCR2 come avviene già in UCR1.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0002

Percentile

0,1th

Updated

EPSS Score Trend (Last 76 Days)

https://git.kernel.org/stable/c/3d41d9b256ae626c0dc434427c8…

https://git.kernel.org/stable/c/3d41d9b256ae626c0dc434427c8e32450358d3b4

https://git.kernel.org/stable/c/963875b0655197281775b0ea614…

https://git.kernel.org/stable/c/963875b0655197281775b0ea614aab8b6b3eb001

https://git.kernel.org/stable/c/9795ece3a85ba9238191e976655…

https://git.kernel.org/stable/c/9795ece3a85ba9238191e97665586e2d79703ff3

https://git.kernel.org/stable/c/ef25e16ea9674b713a68c3bda82…

https://git.kernel.org/stable/c/ef25e16ea9674b713a68c3bda821556ce9901254