
CVE-2024-57979: Vulnerability in the Linux kernel

Severity: High
Published: Thu Feb 27 2025 (02/27/2025, 02:07:06 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

pps: Fix a use-after-free

On a board running ntpd and gpsd, I'm seeing a consistent use-after-free in sys_exit() from gpsd when rebooting:

pps pps1: removed
------------[ cut here ]------------
kobject: '(null)' (00000000db4bec24): is not initialized, yet kobject_put() is being called.
WARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150
CPU: 2 UID: 299 PID: 440 Comm: gpsd Not tainted 6.11.0-rc6-00308-gb31c44928842 #1
Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : kobject_put+0x120/0x150
lr : kobject_put+0x120/0x150
Call trace:
 kobject_put+0x120/0x150
 cdev_put+0x20/0x3c
 __fput+0x2c4/0x2d8
 ____fput+0x1c/0x38
 task_work_run+0x70/0xfc
 do_exit+0x2a0/0x924
 do_group_exit+0x34/0x90
 get_signal+0x7fc/0x8c0
 do_signal+0x128/0x13b4
 do_notify_resume+0xdc/0x160
 el0_svc+0xd4/0xf8
 el0t_64_sync_handler+0x140/0x14c
 el0t_64_sync+0x190/0x194
---[ end trace 0000000000000000 ]---

...followed by more symptoms of corruption, with similar stacks:

refcount_t: underflow; use-after-free.
kernel BUG at lib/list_debug.c:62!
Kernel panic - not syncing: Oops - BUG: Fatal exception

This happens because pps_device_destruct() frees the pps_device with the embedded cdev immediately after calling cdev_del(), but, as the comment above cdev_del() notes, fops for previously opened cdevs are still callable even after cdev_del() returns.

I think this bug has always been there: I can't explain why it suddenly started happening every time I reboot this particular board.

In commit d953e0e837e6 ("pps: Fix a use-after free bug when unregistering a source."), George Spelvin suggested removing the embedded cdev. That seems like the simplest way to fix this, so I've implemented his suggestion, using __register_chrdev() with pps_idr becoming the source of truth for which minor corresponds to which device.

But now that pps_idr defines userspace visibility instead of cdev_add(), we need to be sure the pps->dev refcount can't reach zero while userspace can still find it again. So, the idr_remove() call moves to pps_unregister_cdev(), and pps_idr now holds a reference to pps->dev.

pps_core: source serial1 got cdev (251:1)
<...>
pps pps1: removed
pps_core: unregistering pps1
pps_core: deallocating pps1

AI-Powered Analysis

Last updated: 07/03/2025, 14:25:34 UTC

Technical Analysis

CVE-2024-57979 is a high-severity use-after-free vulnerability in the Linux kernel's Pulse Per Second (PPS) subsystem, specifically related to the handling of character devices (cdev) embedded within pps_device structures. The flaw arises because the pps_device_destruct() function frees the pps_device containing the embedded cdev immediately after calling cdev_del(). However, as documented in the kernel source, file operations (fops) for previously opened cdevs remain callable even after cdev_del() returns. This leads to a use-after-free condition when these stale fops are invoked, causing kernel memory corruption, refcount underflows, and potentially kernel panics or system crashes. The vulnerability was observed on a Raspberry Pi 4 running ntpd and gpsd, where rebooting triggered consistent kernel warnings and panics due to this bug. The root cause is that the embedded cdev is freed prematurely, and the fix involved removing the embedded cdev and switching to __register_chrdev() with pps_idr as the authoritative source for device minor numbers. This change ensures that the pps->dev reference count remains valid while userspace can still access the device, preventing premature freeing. The vulnerability affects multiple Linux kernel versions prior to the patch commit d953e0e837e6 and is classified under CWE-416 (Use After Free). The CVSS v3.1 score is 7.8 (High), reflecting the local attack vector, low complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild. This vulnerability impacts systems using the PPS subsystem, commonly employed in precise time synchronization setups involving GPS devices and ntpd/gpsd services.

Potential Impact

For European organizations, this vulnerability poses a significant risk, particularly to infrastructure that relies on precise time synchronization, such as telecommunications, financial trading platforms, scientific research facilities, and industrial control systems. The use-after-free can lead to kernel crashes, denial of service, and potentially privilege escalation if exploited in conjunction with other vulnerabilities. Systems running affected Linux kernel versions and using PPS devices for GPS-based timing are at risk. Disruptions in time synchronization can cascade into operational failures, data integrity issues, and compliance violations, particularly in sectors with strict timing requirements such as finance and critical infrastructure. Because the vulnerability requires local privileges but no user interaction, insider threats or compromised accounts could exploit it to destabilize systems. The lack of known exploits reduces the immediate threat, but the high impact and kernel-level nature warrant urgent patching to prevent future exploitation.

Mitigation Recommendations

1. Apply the official Linux kernel patches that remove the embedded cdev and implement the pps_idr-based device registration as described in commit d953e0e837e6 or later stable kernel releases.
2. For organizations unable to immediately patch, consider disabling the PPS subsystem if not required or isolating systems that use GPSd/ntpd with PPS to minimize exposure.
3. Monitor kernel logs for signs of use-after-free warnings, refcount underflows, or kernel panics related to pps devices to detect potential exploitation attempts or instability.
4. Implement strict access controls and auditing on systems running PPS to limit local user privileges and detect suspicious activity.
5. Coordinate with hardware vendors and Linux distribution maintainers to ensure timely deployment of patched kernels across all affected devices, including embedded systems like Raspberry Pi-based deployments.
6. For critical environments, conduct thorough testing of patched kernels to ensure stability and compatibility with existing time synchronization infrastructure before wide deployment.
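The log monitoring in recommendation 3 can be made concrete by correlating a "pps ppsN: removed" line with the warnings that follow it in the oops quoted in the description. The script below is an added example, not code from the CVE record or the kernel project; its sample log is constructed from the quoted messages, and the signature names and the two-second correlation window are assumptions.

```python
import re
from dataclasses import dataclass, field
# Constructed sample modelled on the oops quoted in the CVE description (not a real
# capture): pps0 is removed cleanly, pps1's removal is followed by the UAF symptoms.
SAMPLE_LOG = """\
[ 500.000] pps pps0: removed
[ 900.001] pps pps1: removed
[ 900.002] kobject: '(null)' (00000000db4bec24): is not initialized, yet kobject_put() is being called.
[ 900.003] WARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150
[ 900.004] CPU: 2 UID: 299 PID: 440 Comm: gpsd Not tainted 6.11.0-rc6-00308-gb31c44928842 #1
[ 900.007]  cdev_put+0x20/0x3c
[ 900.009] refcount_t: underflow; use-after-free.
[ 900.010] kernel BUG at lib/list_debug.c:62!
"""
TS_RE = re.compile(r"^\[\s*([\d.]+)\]\s?(.*)$")
REMOVED_RE = re.compile(r"^pps (pps\d+): removed$")
COMM_RE = re.compile(r"\bComm: (\S+)")
# Messages from the quoted trace that mean a cdev was touched after it was freed.
SIGNATURES = (
    ("kobject_put_uninitialized", re.compile(r"is not initialized, yet kobject_put\(\) is being called")),
    ("refcount_underflow", re.compile(r"refcount_t: underflow; use-after-free")),
    ("list_debug_bug", re.compile(r"kernel BUG at lib/list_debug\.c")),
    ("cdev_put_in_trace", re.compile(r"^\s*cdev_put\+0x")),
)
@dataclass
class Finding:
    device: str                # pps device whose removal preceded the symptoms
    removed_at: float          # kernel timestamp of the "removed" line
    signatures: list = field(default_factory=list)
    comm: str = ""             # process named in the oops, if any
def scan(log_text, window=2.0):
    # One Finding per pps removal followed within `window` seconds by UAF symptoms.
    candidates, current = [], None
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(2)
        r = REMOVED_RE.match(msg)
        if r:                      # each removal opens a new correlation window
            current = Finding(device=r.group(1), removed_at=ts)
            candidates.append(current)
            continue
        if current is None or ts - current.removed_at > window:
            continue
        current.signatures.extend(name for name, pat in SIGNATURES if pat.search(msg))
        c = COMM_RE.search(msg)
        if c:
            current.comm = c.group(1)
    return [f for f in candidates if f.signatures]   # pps0 drops out, pps1 is reported
```

Feed it the output of dmesg or journalctl -k with the same "[ seconds ]" timestamp prefix; a clean removal produces no finding, while a removal followed by these messages names the device and the process that hit the freed cdev.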


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-27T02:04:28.912Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9820c4522896dcbdd23e

Added to database: 5/21/2025, 9:08:48 AM

Last enriched: 7/3/2025, 2:25:34 PM

Last updated: 8/18/2025, 9:01:07 AM

