CVE-2023-54287
Unknown Unknown - Not Provided
NULL Pointer Dereference in Linux imx UART Causes Kernel Panic

Publication date: 2025-12-30

Last updated on: 2025-12-30

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: tty: serial: imx: disable Ageing Timer interrupt request irq There maybe pending USR interrupt before requesting irq, however uart_add_one_port has not executed, so there will be kernel panic: [ 0.795668] Unable to handle kernel NULL pointer dereference at virtual addre ss 0000000000000080 [ 0.802701] Mem abort info: [ 0.805367] ESR = 0x0000000096000004 [ 0.808950] EC = 0x25: DABT (current EL), IL = 32 bits [ 0.814033] SET = 0, FnV = 0 [ 0.816950] EA = 0, S1PTW = 0 [ 0.819950] FSC = 0x04: level 0 translation fault [ 0.824617] Data abort info: [ 0.827367] ISV = 0, ISS = 0x00000004 [ 0.831033] CM = 0, WnR = 0 [ 0.833866] [0000000000000080] user address but active_mm is swapper [ 0.839951] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 0.845953] Modules linked in: [ 0.848869] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.1+g56321e101aca #1 [ 0.855617] Hardware name: Freescale i.MX8MP EVK (DT) [ 0.860452] pstate: 000000c5 (nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 0.867117] pc : __imx_uart_rxint.constprop.0+0x11c/0x2c0 [ 0.872283] lr : imx_uart_int+0xf8/0x1ec The issue only happends in the inmate linux when Jailhouse hypervisor enabled. The test procedure is: while true; do jailhouse enable imx8mp.cell jailhouse cell linux xxxx sleep 10 jailhouse cell destroy 1 jailhouse disable sleep 5 done And during the upper test, press keys to the 2nd linux console. When `jailhouse cell destroy 1`, the 2nd linux has no chance to put the uart to a quiese state, so USR1/2 may has pending interrupts. Then when `jailhosue cell linux xx` to start 2nd linux again, the issue trigger. In order to disable irqs before requesting them, both UCR1 and UCR2 irqs should be disabled, so here fix that, disable the Ageing Timer interrupt in UCR2 as UCR1 does.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-30
Last Modified
2025-12-30
Generated
2026-05-07
AI Q&A
2025-12-30
EPSS Evaluated
2026-05-05
NVD
CVE-2023-54287
EUVD
EUVD-2023-60517
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel 6.1.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the Linux kernel's serial driver for the i.MX platform when used with the Jailhouse hypervisor enabled. It happens because there may be pending user interrupts before the interrupt request (irq) is requested, but the uart_add_one_port function has not yet executed. This leads to a kernel panic due to a NULL pointer dereference. The issue arises specifically when a Jailhouse cell running Linux is destroyed and restarted without the UART being put into a quiescent state, causing pending interrupts that trigger the crash. The fix involves disabling the Ageing Timer interrupt request in UCR2, similar to UCR1, to prevent interrupts before they are properly requested.


How can this vulnerability impact me? :

This vulnerability can cause a kernel panic and system crash on affected Linux systems running on i.MX hardware with the Jailhouse hypervisor enabled. This can lead to system instability, denial of service, and potential loss of data or availability due to unexpected reboots or crashes when managing Jailhouse cells and interacting with the serial console.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, ensure that the Linux kernel is updated to a version where the fix is applied. The fix involves disabling the Ageing Timer interrupt request (IRQ) in UCR2 as is done in UCR1, preventing pending USR interrupts before requesting IRQs that cause kernel panic. Additionally, avoid running the Jailhouse hypervisor with the imx8mp cell in a way that triggers the issue until the patch is applied.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring the Linux kernel logs for specific kernel panic messages related to the imx UART serial driver, such as 'Unable to handle kernel NULL pointer dereference at virtual address 0000000000000080' and 'Internal error: Oops: 0000000096000004'. Additionally, reproducing the issue involves running the Jailhouse hypervisor with the imx8mp cell enabled and destroyed repeatedly while interacting with the second Linux console. There are no specific commands provided to detect this vulnerability automatically, but checking dmesg or journalctl logs for the mentioned error messages can help identify if the issue occurs.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart