Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A race condition has been identified in the Linux kernel's handling of UART device driver registration. When two UART device instances are probed simultaneously, one thread may initiate driver registration by calling the 'uart_register_driver' function, which allocates memory for the 'uart_state' member of the 'uart_driver' structure. Meanwhile, the other instance can bypass this registration and invoke 'ulite_assign', which calls 'uart_add_one_port'. That function expects the UART driver to be fully initialized, so the race can lead to a null pointer dereference and a kernel panic. The issue arises because driver registration is not completed before the probe function is called, creating a timing window that can be exploited.
Exploitation of this vulnerability leads to a kernel panic caused by a null pointer dereference, disrupting system operations and potentially causing a crash.
To reproduce this vulnerability, load two instances of UART devices simultaneously. As one instance begins the driver registration process, the other can bypass this step and attempt to add a UART port. This will trigger the vulnerability by causing a null pointer dereference when the system tries to access an uninitialized driver state, resulting in a kernel panic.
The vulnerability can be addressed by modifying the driver registration process to ensure it is completed before the probe function is called. This can be done by moving the registration into the initialization function of the driver.
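A userland model of the two patterns described above, added here as an illustration and not code from the kernel: the lazy check-then-register in probe, and the fix that registers once in module init. The names `preempt_hook`, `race_vulnerable` and `race_fixed` are assumptions; the hook deterministically runs the second probe at the point where `uart_register_driver` has allocated state but not finished registering, so the outcome can be checked without real threads.

```c
/* Userland model of the uartlite probe race; not kernel code. */
#include <stdlib.h>
#define NR_PORTS 4
struct uart_driver {
    int *state;        /* per-port state; allocated first by uart_register_driver() */
    void *tty_driver;  /* set last; non-NULL only once registration has finished */
};

/* Stand-in for a preemption point: the "other CPU" runs here (assumed helper). */
static void (*preempt_hook)(struct uart_driver *);
static int uart_register_driver(struct uart_driver *drv) {
    if (!(drv->state = calloc(NR_PORTS, sizeof(int)))) return -1;
    if (preempt_hook) preempt_hook(drv); /* window: state set, registration incomplete */
    drv->tty_driver = drv;               /* any non-NULL value: registration complete */
    return 0;
}

/* Returns -1 where the real kernel would dereference a NULL pointer. */
static int uart_add_one_port(struct uart_driver *drv, int line) {
    if (!drv->state || !drv->tty_driver) return -1;
    drv->state[line] = 1; /* port now in use */
    return 0;
}

/* Vulnerable pattern: unsynchronised check-then-register inside probe. */
static int ulite_probe_vulnerable(struct uart_driver *drv, int line) {
    if (!drv->state && uart_register_driver(drv) < 0) return -1;
    return uart_add_one_port(drv, line);
}
static int second_probe_result;
static void second_probe(struct uart_driver *drv) {
    second_probe_result = ulite_probe_vulnerable(drv, 1); /* second device, line 1 */
}

/* Interleaving from the advisory; returns the second probe's result (-1 = crash). */
int race_vulnerable(void) {
    struct uart_driver drv = {0};
    preempt_hook = second_probe;
    ulite_probe_vulnerable(&drv, 0);
    preempt_hook = 0;
    free(drv.state);
    return second_probe_result;
}

/* Fix: register once in module init, before any device can be probed. */
int race_fixed(void) {
    struct uart_driver drv = {0};
    int rc = uart_register_driver(&drv); /* ulite_init(): no probe can run yet */
    if (rc == 0) rc = uart_add_one_port(&drv, 0) | uart_add_one_port(&drv, 1);
    free(drv.state);
    return rc;
}
```

The second probe in the vulnerable path sees a non-NULL `state` and skips registration, then `uart_add_one_port` finds `tty_driver` still NULL; in the fixed path both ports are added only after registration has completed.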