Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's IMX serial driver can lead to a NULL pointer dereference, causing a kernel panic. This issue occurs in the inmate Linux environment when the Jailhouse hypervisor is enabled. The problem arises because pending USR interrupts may not be properly handled before the Ageing Timer interrupt is requested, leading to a crash. The vulnerability has been addressed by modifying the driver to disable the Ageing Timer interrupt before requesting it, ensuring that interrupts are properly managed and preventing the kernel panic.
Exploitation of this vulnerability causes a kernel panic due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.
The vulnerability can be reproduced by enabling the Jailhouse hypervisor on an IMX8MP cell and then starting a second Linux console. Interrupts from the first console may remain pending, and when the second console is activated, the vulnerability triggers a kernel panic. This can be automated with a script that cycles through enabling and disabling the Jailhouse cell, while pressing keys in the second Linux console to create the conditions for the vulnerability.
The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.