Linux Kernel Serial Port Driver Unbind Vulnerability Causes Internal Error on TI SoCs

A vulnerability in the Linux kernel's handling of serial ports can lead to an internal error on some Texas Instruments (TI) System-on-Chips (SoCs). When a hardware-specific 8250 driver is unbound, the generic serial8250 driver takes over. This transition can trigger an 'oops' error about 10 seconds later, resulting in an unhandled fault: imprecise external abort (0x1406) Internal error: : 1406 [#1] SMP ARM. The issue arises because the generic serial8250 driver may still reference the unbound hardware-specific driver's power management functions. As a result, the serial8250_pm() function attempts to call these references after the specific driver has been removed, leading to the error.

Impact

The vulnerability can cause a system crash or instability by triggering an internal error on affected TI SoCs, disrupting normal operations and potentially leading to a denial of service.

Reproduction

To reproduce this vulnerability, unbind a serial port hardware-specific 8250 driver on a system using a Texas Instruments SoC. The generic serial8250 driver will take over the port. After about 10 seconds, an 'oops' error will occur, indicating an unhandled fault: imprecise external abort (0x1406) Internal error: : 1406 [#1] SMP ARM, which is a sign of the vulnerability being triggered.

Remediation

The vulnerability has been addressed in the Linux kernel by modifying the serial8250_unregister_port() function to reset the port to its default state before unbinding, ensuring that the generic driver does not reference a non-existent power management function. Users should upgrade to the latest version of the Linux kernel where this fix has been applied.