NULL Pointer Dereference Affecting kernel-uek-core package, versions <0:5.15.0-305.176.4.el8uek


Severity

Recommended
high

Based on Oracle Linux security rating.

Threat Intelligence

EPSS
0.05% (14th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about NULL Pointer Dereference vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-ORACLE8-KERNELUEKCORE-8712784
  • published12 Feb 2025
  • disclosed27 Dec 2024

Introduced: 27 Dec 2024

CVE-2024-56670  (opens in a new tab)
CWE-476  (opens in a new tab)

How to fix?

Upgrade Oracle:8 kernel-uek-core to version 0:5.15.0-305.176.4.el8uek or higher.
This issue was patched in ELSA-2025-20095.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-uek-core package and not the kernel-uek-core package as distributed by Oracle. See How to fix? for Oracle:8 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer

Considering that in some extreme cases, when u_serial driver is accessed by multiple threads, Thread A is executing the open operation and calling the gs_open, Thread B is executing the disconnect operation and calling the gserial_disconnect function,The port->port_usb pointer will be set to NULL.

E.g. Thread A Thread B gs_open() gadget_unbind_driver() gs_start_io() composite_disconnect() gs_start_rx() gserial_disconnect() ... ... spin_unlock(&port->port_lock) status = usb_ep_queue() spin_lock(&port->port_lock) spin_lock(&port->port_lock) port->port_usb = NULL gs_free_requests(port->port_usb->in) spin_unlock(&port->port_lock) Crash

This causes thread A to access a null pointer (port->port_usb is null) when calling the gs_free_requests function, causing a crash.

If port_usb is NULL, the release request will be skipped as it will be done by gserial_disconnect.

So add a null pointer check to gs_start_io before attempting to access the value of the pointer port->port_usb.

Call trace: gs_start_io+0x164/0x25c gs_open+0x108/0x13c tty_open+0x314/0x638 chrdev_open+0x1b8/0x258 do_dentry_open+0x2c4/0x700 vfs_open+0x2c/0x3c path_openat+0xa64/0xc60 do_filp_open+0xb8/0x164 do_sys_openat2+0x84/0xf0 __arm64_sys_openat+0x70/0x9c invoke_syscall+0x58/0x114 el0_svc_common+0x80/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x38/0x68

CVSS Base Scores

version 3.1