CVE-2024-36899 in Linux
Summary
by MITRE • 05/30/2024
In the Linux kernel, the following vulnerability has been resolved:
gpiolib: cdev: Fix use after free in lineinfo_changed_notify
The use-after-free issue occurs as follows: when the GPIO chip device file is being closed by invoking gpio_chrdev_release(), watched_lines is freed by bitmap_free(), but the unregistration of lineinfo_changed_nb notifier chain failed due to waiting write rwsem. Additionally, one of the GPIO chip's lines is also in the release process and holds the notifier chain's read rwsem. Consequently, a race condition leads to the use-after-free of watched_lines.
Here is the typical stack when issue happened:
[free]
gpio_chrdev_release() --> bitmap_free(cdev->watched_lines) <-- freed --> blocking_notifier_chain_unregister() --> down_write(&nh->rwsem) <-- waiting rwsem --> __down_write_common() --> rwsem_down_write_slowpath() --> schedule_preempt_disabled() --> schedule()
[use]
st54spi_gpio_dev_release() --> gpio_free() --> gpiod_free() --> gpiod_free_commit() --> gpiod_line_state_notify() --> blocking_notifier_call_chain() --> down_read(&nh->rwsem); <-- held rwsem --> notifier_call_chain() --> lineinfo_changed_notify() --> test_bit(xxxx, cdev->watched_lines) <-- use after free
The side effect of the use-after-free issue is that a GPIO line event is being generated for userspace where it shouldn't. However, since the chrdev is being closed, userspace won't have the chance to read that event anyway.
To fix the issue, call the bitmap_free() function after the unregistration of lineinfo_changed_nb notifier chain.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 08/29/2025
The vulnerability described in CVE-2024-36899 represents a critical use-after-free condition within the Linux kernel's GPIO subsystem, specifically affecting the gpiolib component responsible for character device management. This flaw manifests in the gpio_chrdev_release() function where the kernel attempts to clean up resources associated with GPIO chip device files during the closing process. The issue stems from a race condition that occurs when multiple threads attempt to access and modify shared data structures simultaneously, creating a scenario where memory that has been freed is still being referenced, leading to potential system instability or security exploits.
The technical implementation of this vulnerability involves a complex interaction between memory management and synchronization primitives within the kernel. When a GPIO character device is closed, the system calls bitmap_free() to release the watched_lines bitmap structure, but this occurs before the unregistration of the lineinfo_changed_nb notifier chain. The notifier chain uses a read-write semaphore (rwsem) for synchronization, creating a deadlock scenario where one thread holds the read semaphore while another waits for the write semaphore. This race condition allows the freed memory to be accessed through the lineinfo_changed_notify() callback, which attempts to test bits in the already-freed watched_lines structure, resulting in undefined behavior and potential memory corruption.
The operational impact of this vulnerability extends beyond simple memory corruption, as it can lead to unpredictable system behavior and potential privilege escalation opportunities. The use-after-free condition specifically affects GPIO line event generation, where malformed events might be generated for userspace applications, though the practical exploitation is limited since the character device is being closed and userspace cannot properly process these events. However, the underlying memory corruption could be leveraged by malicious actors to execute arbitrary code or cause system crashes, particularly in embedded systems or devices where GPIO functionality is heavily utilized. This vulnerability aligns with CWE-416, which describes the use of freed memory condition, and demonstrates how improper resource management in kernel space can create exploitable conditions.
The fix implemented for this vulnerability addresses the root cause by reordering the cleanup operations within the gpio_chrdev_release() function. By ensuring that the notifier chain unregistration occurs before the bitmap_free() operation, the race condition is eliminated and prevents the use-after-free scenario. This remediation follows established best practices for kernel synchronization and resource management, ensuring proper ordering of operations to prevent concurrent access to freed memory. The solution aligns with ATT&CK technique T1068, which involves exploiting local privilege escalation through kernel vulnerabilities, as this fix prevents potential exploitation pathways that could arise from improper memory handling. Additionally, this vulnerability highlights the importance of careful semaphore management in kernel code and demonstrates how seemingly minor ordering issues in resource cleanup can create significant security implications, making it a prime example of how adherence to proper kernel development practices is crucial for maintaining system security and stability.