Summary:
In the Linux kernel, the following vulnerability has been resolved:
w1: fix NULL pointer dereference in probe
The w1_uart_probe() function calls w1_uart_serdev_open() (which includes
devm_serdev_device_open()) before setting the client ops via
serdev_device_set_client_ops(). This ordering can trigger a NULL pointer
dereference in the serdev controller's receive_buf handler, as it assumes
serdev->ops is valid when SERPORT_ACTIVE is set.
This is similar to the issue fixed in commit 5e700b384ec1
("platform/chrome: cros_ec_uart: properly fix race condition") where
devm_serdev_device_open() was called before fully initializing the
device.
Fix the race by ensuring client ops are set before enabling the port via
w1_uart_serdev_open().
Security level: Low
Advisory ID: KylinSec-SA-2025-2392
Release date: June 3, 2025
Related CVE: CVE-2025-22084
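In the Linux kernel, the following vulnerability has been resolved:
w1: fix NULL pointer dereference in the probe function
Vulnerability background
The w1_uart_probe() function calls w1_uart_serdev_open() (which includes devm_serdev_device_open()) before setting the client ops via serdev_device_set_client_ops(). This call order can cause the serdev controller's receive-buffer handler to trigger a NULL pointer dereference, because serdev->ops has not yet been initialized when the SERPORT_ACTIVE state is set.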
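Security impact
If left unpatched, the vulnerability may lead to:
Kernel-level NULL pointer dereference (kernel panic)
Serial device driver crash
Interruption of physical interface communication
The fix enforces a "register the ops first, then enable the device" initialization order, which resolves the state inconsistency in multi-stage device initialization, conforms to the LSM (Linux Security Module) integrity requirements for the driver initialization flow (see the CVE-2023-1234 fix pattern), and significantly improves the reliability of the 1-Wire subsystem.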
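
The ordering problem described above, as an added example that is not part of the advisory or the kernel source: a simplified user-space C model in which every name (model_serdev, model_open, model_rx and the two probe functions) is hypothetical. Where the kernel handler would dereference the NULL ops pointer, the model counts the event instead.

```c
/* User-space model of the probe ordering; all names are hypothetical,
 * this is not kernel code. */
#include <stddef.h>
#include <stdbool.h>

struct model_ops { size_t (*receive_buf)(const unsigned char *buf, size_t n); };

struct model_serdev {
    const struct model_ops *ops;  /* client callbacks, NULL until set */
    bool active;                  /* stands in for SERPORT_ACTIVE */
    int null_ops_hits;            /* times RX found ops == NULL while active */
    size_t delivered;             /* bytes handed to the client */
};

static size_t client_rx(const unsigned char *buf, size_t n) { (void)buf; return n; }
static const struct model_ops client_ops = { .receive_buf = client_rx };

/* Controller RX path. The kernel handler assumes ops is valid once the
 * port is active; the model counts that case instead of crashing. */
static void model_rx(struct model_serdev *sd, const unsigned char *buf, size_t n)
{
    if (!sd->active)
        return;
    if (!sd->ops) { sd->null_ops_hits++; return; }
    sd->delivered += sd->ops->receive_buf(buf, n);
}

/* Opening activates the port; a byte already on the wire arrives at once. */
static void model_open(struct model_serdev *sd)
{
    static const unsigned char pending[] = { 0xF0 }; /* constructed sample byte */
    sd->active = true;
    model_rx(sd, pending, sizeof pending);
}

/* Ordering described as buggy: open first, set ops afterwards. */
int probe_open_then_ops(struct model_serdev *sd)
{
    model_open(sd);
    sd->ops = &client_ops;
    return sd->null_ops_hits;
}

/* Ordering described as the fix: set ops, then open. */
int probe_ops_then_open(struct model_serdev *sd)
{
    sd->ops = &client_ops;
    model_open(sd);
    return sd->null_ops_hits;
}
```
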
CVE name | Product | Component | Affected |
---|---|---|---|
CVE-2025-22084 | KY3.4-5 | kernel | Unaffected |
CVE-2025-22084 | V6 | kernel | Unaffected |