CVE-2024-43893: serial: core: check uartclk for zero to avoid divide by zero
First published: Mon Aug 26 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: serial: core: check uartclk for zero to avoid divide by zero Calling ioctl TIOCSSERIAL with an invalid baud_base can result in uartclk being zero, which will result in a divide by zero error in uart_get_divisor(). The check for uartclk being zero in uart_set_info() needs to be done before other settings are made as subsequent calls to ioctl TIOCSSERIAL for the same port would be impacted if the uartclk check was done where uartclk gets set. Oops: divide error: 0000 PREEMPT SMP KASAN PTI RIP: 0010:uart_get_divisor (drivers/tty/serial/serial_core.c:580) Call Trace: <TASK> serial8250_get_divisor (drivers/tty/serial/8250/8250_port.c:2576 drivers/tty/serial/8250/8250_port.c:2589) serial8250_do_set_termios (drivers/tty/serial/8250/8250_port.c:502 drivers/tty/serial/8250/8250_port.c:2741) serial8250_set_termios (drivers/tty/serial/8250/8250_port.c:2862) uart_change_line_settings (./include/linux/spinlock.h:376 ./include/linux/serial_core.h:608 drivers/tty/serial/serial_core.c:222) uart_port_startup (drivers/tty/serial/serial_core.c:342) uart_startup (drivers/tty/serial/serial_core.c:368) uart_set_info (drivers/tty/serial/serial_core.c:1034) uart_set_info_user (drivers/tty/serial/serial_core.c:1059) tty_set_serial (drivers/tty/tty_io.c:2637) tty_ioctl (drivers/tty/tty_io.c:2647 drivers/tty/tty_io.c:2791) __x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907 fs/ioctl.c:893 fs/ioctl.c:893) do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Rule: add
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | <4.19.320 | |
| Linux Kernel | >=4.20<5.4.282 | |
| Linux Kernel | >=5.5<5.10.224 | |
| Linux Kernel | >=5.11<5.15.165 | |
| Linux Kernel | >=5.16<6.1.105 | |
| Linux Kernel | >=6.2<6.6.46 | |
| Linux Kernel | >=6.7<6.10.5 | |
| Linux Kernel | =6.11-rc1 | |
| Linux Kernel | =6.11-rc2 | |
| debian/linux | <=5.10.223-1 | 5.10.226-1 6.1.123-1 6.1.119-1 6.12.11-1 6.12.12-1 |
| debian/linux-6.1 | 6.1.119-1~deb11u1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/3bbd90fca824e6fd61fb20f6dd2b0fa5f8b14bba
- https://git.kernel.org/stable/c/52b138f1021113e593ee6ad258ce08fe90693a9e
- https://git.kernel.org/stable/c/55b2a5d331a6ceb1c4372945fdb77181265ba24f
- https://git.kernel.org/stable/c/68dc02f319b9ee54dc23caba742a5c754d1cccc8
- https://git.kernel.org/stable/c/6eabce6608d6f3440f4c03aa3d3ef50a47a3d193
- https://git.kernel.org/stable/c/9196e42a3b8eeff1707e6ef769112b4b6096be49
- https://git.kernel.org/stable/c/e13ba3fe5ee070f8a9dab60029d52b1f61da5051
- https://git.kernel.org/stable/c/e3ad503876283ac3fcca922a1bf243ef9eb0b0e2
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43893
- https://nvd.nist.gov/vuln/detail/CVE-2024-43893
- https://launchpad.net/bugs/cve/CVE-2024-43893
- https://security-tracker.debian.org/tracker/CVE-2024-43893
- https://ubuntu.com/security/CVE-2024-43893
- https://git.kernel.org/linus/6eabce6608d6f3440f4c03aa3d3ef50a47a3d193
Frequently Asked Questions
What is the severity of CVE-2024-43893?
CVE-2024-43893 has been classified with a medium severity due to the potential for a divide-by-zero error.
How do I fix CVE-2024-43893?
To fix CVE-2024-43893, you should upgrade your Linux kernel to one of the following versions: 5.10.226-1, 6.1.123-1, 6.1.119-1, 6.12.10-1, or 6.12.11-1.
What systems are affected by CVE-2024-43893?
CVE-2024-43893 affects various versions of the Linux kernel, particularly those prior to 5.10.224, 6.1.119-1~deb11u1, and other specific versions outlined in the vulnerability description.
What is the potential impact of CVE-2024-43893?
The potential impact of CVE-2024-43893 includes system instability due to divide-by-zero errors when an invalid baud base is set.
Is there a workaround for CVE-2024-43893 if I cannot update immediately?
Currently, the best practice is to avoid using TIOCSSERIAL with invalid baud_base values until you can apply the recommended kernel updates.
- agent/title
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/severity
- agent/weakness
- agent/author
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- agent/source
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-api
- agent/softwarecombine
- agent/tags
- package-manager/debian
- vendor/linux
- canonical/linux kernel
- version/linux kernel/4.20
- version/linux kernel/5.5
- version/linux kernel/5.11
- version/linux kernel/5.16
- version/linux kernel/6.2
- version/linux kernel/6.7
- version/linux kernel/6.11-rc1
- version/linux kernel/6.11-rc2