CVE-2025-68311

Vulnerability

A change in Linux kernel commit 84a9582fd203 ("serial: core: Start managing serial controllers to enable runtime PM") requires all serial drivers to provide a valid device pointer in struct uart_port.dev. The ip22zilog driver, used on SGI IP22 systems, did not fulfill this requirement, leading to a kernel NULL-pointer dereference (oops) when the serial core tried to access the device for runtime power management operations. [1]

Exploitation

The vulnerability is triggered during normal system operation on any SGI IP22 (Indy/Indigo2) machine using the ip22zilog serial ports. No special authentication or network access is needed—the oops occurs the moment the serial core interacts with the port, such as during boot or when a serial console or getty process opens the device. The bug is a driver-level oversight, not a remotely triggerable condition. [2]

Impact

An attacker with local access or the ability to influence serial port usage (e.g., via physical console) could deliberately trigger the oops, causing a denial of service (system crash). However, the more common impact is that any user or automated process using the serial ports will encounter an unexpected kernel panic, rendering the system unusable until a patched kernel is deployed. There is no evidence of privilege escalation or data corruption.

Mitigation

The fix introduces a platform driver for ip22zilog and sets up the serial device in the SGI IP22 platform code, ensuring that uart_port.dev is properly initialized. The patch is committed in the Linux kernel stable tree (commit 3fc36ae6abd2) and should be applied to any affected kernel version. Users are advised to update to a kernel containing this fix. No workaround is available beyond avoiding serial port use on unpatched systems.