CVE-2024-57979 in Linuxinfo

Summary

by MITRE • 02/27/2025

In the Linux kernel, the following vulnerability has been resolved:

pps: Fix a use-after-free

On a board running ntpd and gpsd, I'm seeing a consistent use-after-free in sys_exit() from gpsd when rebooting:

pps pps1: removed ------------[ cut here ]------------
kobject: '(null)' (00000000db4bec24): is not initialized, yet kobject_put() is being called. WARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150 CPU: 2 UID: 299 PID: 440 Comm: gpsd Not tainted 6.11.0-rc6-00308-gb31c44928842 #1 Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : kobject_put+0x120/0x150 lr : kobject_put+0x120/0x150 sp : ffffffc0803d3ae0 x29: ffffffc0803d3ae0 x28: ffffff8042dc9738 x27: 0000000000000001 x26: 0000000000000000 x25: ffffff8042dc9040 x24: ffffff8042dc9440 x23: ffffff80402a4620 x22: ffffff8042ef4bd0 x21: ffffff80405cb600 x20: 000000000008001b x19: ffffff8040b3b6e0 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 696e6920746f6e20 x14: 7369203a29343263 x13: 205d303434542020 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: kobject_put+0x120/0x150 cdev_put+0x20/0x3c __fput+0x2c4/0x2d8 ____fput+0x1c/0x38 task_work_run+0x70/0xfc do_exit+0x2a0/0x924 do_group_exit+0x34/0x90 get_signal+0x7fc/0x8c0 do_signal+0x128/0x13b4 do_notify_resume+0xdc/0x160 el0_svc+0xd4/0xf8 el0t_64_sync_handler+0x140/0x14c el0t_64_sync+0x190/0x194 ---[ end trace 0000000000000000 ]---

...followed by more symptoms of corruption, with similar stacks:

refcount_t: underflow; use-after-free. kernel BUG at lib/list_debug.c:62! Kernel panic - not syncing: Oops - BUG: Fatal exception

This happens because pps_device_destruct() frees the pps_device with the embedded cdev immediately after calling cdev_del(), but, as the comment above cdev_del() notes, fops for previously opened cdevs are still callable even after cdev_del() returns. I think this bug has always been there: I can't explain why it suddenly started happening every time I reboot this particular board.

In commit d953e0e837e6 ("pps: Fix a use-after free bug when unregistering a source."), George Spelvin suggested removing the embedded cdev. That seems like the simplest way to fix this, so I've implemented his suggestion, using __register_chrdev() with pps_idr becoming the source of truth for which minor corresponds to which device.

But now that pps_idr defines userspace visibility instead of cdev_add(), we need to be sure the pps->dev refcount can't reach zero while userspace can still find it again. So, the idr_remove() call moves to pps_unregister_cdev(), and pps_idr now holds a reference to pps->dev.

pps_core: source serial1 got cdev (251:1) pps pps1: removed pps_core: unregistering pps1 pps_core: deallocating pps1

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 05/24/2026

The vulnerability described in CVE-2024-57979 represents a critical use-after-free condition within the Linux kernel's PPS (Pulse Per Second) subsystem, specifically affecting the pps_device_destruct function during device cleanup. This flaw manifests when a system running ntpd and gpsd experiences a consistent kernel panic during reboot operations, indicating a fundamental memory management issue. The root cause lies in the improper sequencing of resource deallocation where the embedded character device structure is freed immediately after cdev_del() is called, despite the kernel's guarantee that file operations for previously opened character devices remain callable even after cdev_del() returns. This timing issue creates a window where userspace processes can still access freed memory, leading to immediate use-after-free conditions and subsequent kernel oopses. The vulnerability directly maps to CWE-416, which specifically addresses use-after-free errors in memory management, and aligns with ATT&CK technique T1068 by exploiting kernel memory corruption to potentially enable privilege escalation or system instability.

The technical implementation of this vulnerability stems from the PPS subsystem's handling of device registration and cleanup processes. When a PPS device is unregistered, the original code path called pps_device_destruct() which first executed cdev_del() followed immediately by freeing the embedded cdev structure. This sequence violates fundamental kernel memory safety principles, as the cdev_del() function does not immediately invalidate all references to the character device, leaving a window where pending I/O operations or process cleanup routines can still reference freed memory. The system stack trace clearly demonstrates this issue through the kobject_put() call that fails due to an uninitialized kobject, indicating that memory corruption has already occurred. The kernel's internal refcount_t underflow further validates that the memory management subsystem has detected the use-after-free condition, triggering a fatal kernel panic. This type of vulnerability is particularly dangerous in embedded systems and real-time applications where GPS synchronization is critical for system timing and reliability.

The operational impact of this vulnerability extends beyond simple system crashes to potentially compromise the integrity of time-critical applications that depend on PPS functionality. Systems running ntpd and gpsd, particularly those deployed in industrial environments or network infrastructure, face significant risk of service disruption when this vulnerability is triggered during normal operations such as system reboots or device hot-plugging. The intermittent nature of the bug, as noted in the report where it "suddenly started happening every time" on a specific board, suggests that environmental factors such as system load, timing conditions, or hardware-specific behaviors may amplify the race condition. This vulnerability affects all Linux kernel versions that implement the PPS subsystem, making it particularly concerning for long-running embedded systems that may not receive frequent updates. The fix implemented addresses this by removing the embedded cdev structure and using the pps_idr (integer descriptor reference) mechanism as the primary source of truth for device identification, thereby ensuring proper reference counting and preventing the race condition between device cleanup and ongoing file operations.

The mitigation strategy for CVE-2024-57979 involves a fundamental restructuring of how PPS devices are managed within the kernel, specifically by decoupling device identification from the embedded character device structure. This approach ensures that device cleanup only occurs after all references have been properly released, preventing the window where userspace processes could still access freed memory. The solution implements a more robust reference counting mechanism where pps_idr maintains a reference to pps->dev until all cleanup operations are complete, ensuring that device visibility in userspace is properly synchronized with kernel resource management. This fix aligns with established kernel security practices and represents a more maintainable approach to device management. System administrators should prioritize updating their kernel versions to include this fix, particularly those running embedded systems or industrial equipment that rely on PPS for precise time synchronization. The vulnerability also underscores the importance of thorough testing for race conditions in kernel subsystems, particularly those involving device registration and cleanup processes that interact with userspace applications. Organizations deploying systems with GPS synchronization capabilities should conduct risk assessments to identify potential exposure and implement appropriate monitoring for similar memory corruption vulnerabilities in other kernel subsystems.

Responsible

Linux

Reservation

02/27/2025

Disclosure

02/27/2025

Moderation

accepted

CPE

ready

EPSS

0.00243

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!