Bug 2348562 (CVE-2024-57979) - CVE-2024-57979 kernel: pps: Fix a use-after-free
Summary: CVE-2024-57979 kernel: pps: Fix a use-after-free
Keywords:
Status: NEW
Alias: CVE-2024-57979
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2025-02-27 03:03 UTC by OSIDB Bzimport
Modified: 2025-03-13 18:55 UTC (History)
CC List: 4 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2025:2478 0 None None None 2025-03-10 04:27:30 UTC
Red Hat Product Errata RHBA-2025:2523 0 None None None 2025-03-10 15:21:14 UTC
Red Hat Product Errata RHBA-2025:2589 0 None None None 2025-03-11 00:01:55 UTC
Red Hat Product Errata RHBA-2025:2689 0 None None None 2025-03-12 15:56:24 UTC
Red Hat Product Errata RHBA-2025:2750 0 None None None 2025-03-13 13:35:26 UTC
Red Hat Product Errata RHBA-2025:2751 0 None None None 2025-03-13 13:15:28 UTC
Red Hat Product Errata RHBA-2025:2752 0 None None None 2025-03-13 13:41:35 UTC
Red Hat Product Errata RHBA-2025:2779 0 None None None 2025-03-13 14:18:54 UTC
Red Hat Product Errata RHBA-2025:2781 0 None None None 2025-03-13 14:11:56 UTC
Red Hat Product Errata RHBA-2025:2782 0 None None None 2025-03-13 14:17:42 UTC
Red Hat Product Errata RHBA-2025:2815 0 None None None 2025-03-13 18:55:25 UTC
Red Hat Product Errata RHSA-2025:2473 0 None None None 2025-03-10 01:31:09 UTC
Red Hat Product Errata RHSA-2025:2474 0 None None None 2025-03-10 01:24:55 UTC

Description OSIDB Bzimport 2025-02-27 03:03:18 UTC
In the Linux kernel, the following vulnerability has been resolved:

pps: Fix a use-after-free

On a board running ntpd and gpsd, I'm seeing a consistent use-after-free
in sys_exit() from gpsd when rebooting:

    pps pps1: removed
    ------------[ cut here ]------------
    kobject: '(null)' (00000000db4bec24): is not initialized, yet kobject_put() is being called.
    WARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150
    CPU: 2 UID: 299 PID: 440 Comm: gpsd Not tainted 6.11.0-rc6-00308-gb31c44928842 #1
    Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT)
    pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    pc : kobject_put+0x120/0x150
    lr : kobject_put+0x120/0x150
    sp : ffffffc0803d3ae0
    x29: ffffffc0803d3ae0 x28: ffffff8042dc9738 x27: 0000000000000001
    x26: 0000000000000000 x25: ffffff8042dc9040 x24: ffffff8042dc9440
    x23: ffffff80402a4620 x22: ffffff8042ef4bd0 x21: ffffff80405cb600
    x20: 000000000008001b x19: ffffff8040b3b6e0 x18: 0000000000000000
    x17: 0000000000000000 x16: 0000000000000000 x15: 696e6920746f6e20
    x14: 7369203a29343263 x13: 205d303434542020 x12: 0000000000000000
    x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
    x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
    x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
    x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
    Call trace:
     kobject_put+0x120/0x150
     cdev_put+0x20/0x3c
     __fput+0x2c4/0x2d8
     ____fput+0x1c/0x38
     task_work_run+0x70/0xfc
     do_exit+0x2a0/0x924
     do_group_exit+0x34/0x90
     get_signal+0x7fc/0x8c0
     do_signal+0x128/0x13b4
     do_notify_resume+0xdc/0x160
     el0_svc+0xd4/0xf8
     el0t_64_sync_handler+0x140/0x14c
     el0t_64_sync+0x190/0x194
    ---[ end trace 0000000000000000 ]---

...followed by more symptoms of corruption, with similar stacks:

    refcount_t: underflow; use-after-free.
    kernel BUG at lib/list_debug.c:62!
    Kernel panic - not syncing: Oops - BUG: Fatal exception

This happens because pps_device_destruct() frees the pps_device with the
embedded cdev immediately after calling cdev_del(), but, as the comment
above cdev_del() notes, fops for previously opened cdevs are still
callable even after cdev_del() returns. I think this bug has always
been there: I can't explain why it suddenly started happening every time
I reboot this particular board.

In commit d953e0e837e6 ("pps: Fix a use-after free bug when
unregistering a source."), George Spelvin suggested removing the
embedded cdev. That seems like the simplest way to fix this, so I've
implemented his suggestion, using __register_chrdev() with pps_idr
becoming the source of truth for which minor corresponds to which
device.

But now that pps_idr defines userspace visibility instead of cdev_add(),
we need to be sure the pps->dev refcount can't reach zero while
userspace can still find it again. So, the idr_remove() call moves to
pps_unregister_cdev(), and pps_idr now holds a reference to pps->dev.

    pps_core: source serial1 got cdev (251:1)
    <...>
    pps pps1: removed
    pps_core: unregistering pps1
    pps_core: deallocating pps1
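
The lifetime rule the commit message arrives at (the minor table pins the device with its own reference, an open file pins it with another, and unregistering only unpublishes and drops the table's reference) can be shown in a small user-space model. The following C is an added example constructed for this page; it is not the kernel's pps code, the patch, or a reproducer. Names such as pps_table, pps_unregister_buggy, pps_unregister_fixed and run_scenario are hypothetical stand-ins for pps_idr, the old pps_device_destruct() ordering and the fixed one, and a "freed" flag replaces kfree() so that a touch after free is observable rather than undefined behaviour.

```c
/* Model of the pps cdev lifetime bug behind CVE-2024-57979 (user-space C,
 * constructed for this page; not the kernel's own code). A refcounted device
 * object is published in a minor-number table standing in for pps_idr. An
 * open file pins the object; unregistering must only drop the table's
 * reference, never destroy the object while a file still points at it. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PPS_MAX_SOURCES 8

struct pps_device {
    int minor;
    int refcnt;          /* models the kref behind pps->dev */
    bool freed;          /* poison flag instead of free(), so a UAF is observable */
    char name[16];
};

/* One slot per minor. A non-NULL slot is what makes a device visible to
 * userspace, the role pps_idr takes after the fix. */
static struct pps_device *pps_table[PPS_MAX_SOURCES];
static int uaf_events;   /* counts every touch of a device after it was freed */

static struct pps_device *pps_get(struct pps_device *d)
{
    if (d->freed)
        uaf_events++;    /* refcount inc on freed memory */
    d->refcnt++;
    return d;
}

static void pps_put(struct pps_device *d)
{
    if (d->freed) {      /* would be "refcount_t: underflow; use-after-free" */
        uaf_events++;
        return;
    }
    if (--d->refcnt == 0)
        d->freed = true; /* real code: kfree(d) */
}

/* Register: allocate, take one reference on behalf of the table, publish. */
struct pps_device *pps_register(int minor, const char *name)
{
    struct pps_device *d;
    if (minor < 0 || minor >= PPS_MAX_SOURCES || pps_table[minor])
        return NULL;
    d = calloc(1, sizeof *d);
    if (!d)
        return NULL;
    d->minor = minor;
    snprintf(d->name, sizeof d->name, "%s", name);
    d->refcnt = 1;       /* the table's reference */
    pps_table[minor] = d;
    return d;
}

/* Models an open struct file: it holds its own reference on the device. */
struct pps_file { struct pps_device *dev; };

struct pps_file *pps_open(int minor)
{
    struct pps_device *d = pps_table[minor];
    if (!d)
        return NULL;     /* unregistered: userspace can no longer find it */
    struct pps_file *f = calloc(1, sizeof *f);
    if (!f)
        return NULL;
    f->dev = pps_get(d); /* taken while the table still pins d, so d is alive */
    return f;
}

void pps_release(struct pps_file *f)
{
    pps_put(f->dev);     /* runs at close()/exit(), possibly long after unregister */
    free(f);
}

/* Pre-fix ordering: unpublish and destroy immediately, ignoring open files
 * (cdev_del() followed at once by freeing the device with its embedded cdev). */
void pps_unregister_buggy(int minor)
{
    struct pps_device *d = pps_table[minor];
    pps_table[minor] = NULL;
    d->freed = true;     /* freed while an open file may still reference it */
}

/* Post-fix ordering: unpublish, then drop only the table's reference. */
void pps_unregister_fixed(int minor)
{
    struct pps_device *d = pps_table[minor];
    pps_table[minor] = NULL; /* idr_remove() now happens here, in unregister */
    pps_put(d);              /* object lives on until the last open file closes */
}

/* A freshly registered device with no open files: only the table pins it. */
int visible_device_refcnt(void)
{
    memset(pps_table, 0, sizeof pps_table);
    struct pps_device *d = pps_register(2, "pps2");
    int n = d->refcnt;
    pps_unregister_fixed(2);
    free(d);
    return n;
}

/* Scenario from the report: the source is unregistered while gpsd still holds
 * it open; the file is released only when gpsd exits. Returns the number of
 * freed-object accesses observed, or a negative code if an invariant breaks. */
int run_scenario(bool fixed)
{
    uaf_events = 0;
    memset(pps_table, 0, sizeof pps_table);
    struct pps_device *d = pps_register(1, "pps1");
    struct pps_file *gpsd = pps_open(1);

    if (fixed)
        pps_unregister_fixed(1);
    else
        pps_unregister_buggy(1);

    /* After unregister the device must be invisible whether or not it exists. */
    if (pps_open(1) != NULL)
        return -1;

    pps_release(gpsd);   /* gpsd exits: task_work_run -> __fput -> release */
    if (!d->freed)
        return -2;       /* the last put must actually free the object */
    free(d);
    return uaf_events;
}

int main(void)
{
    printf("table reference only: refcnt=%d\n", visible_device_refcnt());
    printf("buggy ordering: %d use-after-free access(es)\n", run_scenario(false));
    printf("fixed ordering: %d use-after-free access(es)\n", run_scenario(true));
    return 0;
}
```

The point the model makes is the one in the last paragraph of the commit message: once the table (pps_idr) is what defines userspace visibility, it must hold a reference of its own, and removal from the table has to happen in the unregister path before that reference is dropped. With that ordering the refcount cannot reach zero while a lookup can still succeed, and the object outlives an open file however late its release runs.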

Comment 3 errata-xmlrpc 2025-03-10 01:24:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:2474 https://access.redhat.com/errata/RHSA-2025:2474

Comment 4 errata-xmlrpc 2025-03-10 01:31:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:2473 https://access.redhat.com/errata/RHSA-2025:2473

