{
  "threat_severity" : "Moderate",
  "public_date" : "2025-02-27T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: pps: Fix a use-after-free",
    "id" : "2348562",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2348562"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\npps: Fix a use-after-free\nOn a board running ntpd and gpsd, I'm seeing a consistent use-after-free\nin sys_exit() from gpsd when rebooting:\npps pps1: removed\n------------[ cut here ]------------\nkobject: '(null)' (00000000db4bec24): is not initialized, yet kobject_put() is being called.\nWARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150\nCPU: 2 UID: 299 PID: 440 Comm: gpsd Not tainted 6.11.0-rc6-00308-gb31c44928842 #1\nHardware name: Raspberry Pi 4 Model B Rev 1.1 (DT)\npstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : kobject_put+0x120/0x150\nlr : kobject_put+0x120/0x150\nsp : ffffffc0803d3ae0\nx29: ffffffc0803d3ae0 x28: ffffff8042dc9738 x27: 0000000000000001\nx26: 0000000000000000 x25: ffffff8042dc9040 x24: ffffff8042dc9440\nx23: ffffff80402a4620 x22: ffffff8042ef4bd0 x21: ffffff80405cb600\nx20: 000000000008001b x19: ffffff8040b3b6e0 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: 696e6920746f6e20\nx14: 7369203a29343263 x13: 205d303434542020 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\nCall trace:\nkobject_put+0x120/0x150\ncdev_put+0x20/0x3c\n__fput+0x2c4/0x2d8\n____fput+0x1c/0x38\ntask_work_run+0x70/0xfc\ndo_exit+0x2a0/0x924\ndo_group_exit+0x34/0x90\nget_signal+0x7fc/0x8c0\ndo_signal+0x128/0x13b4\ndo_notify_resume+0xdc/0x160\nel0_svc+0xd4/0xf8\nel0t_64_sync_handler+0x140/0x14c\nel0t_64_sync+0x190/0x194\n---[ end trace 0000000000000000 ]---\n...followed by more symptoms of corruption, with similar stacks:\nrefcount_t: underflow; use-after-free.\nkernel BUG at lib/list_debug.c:62!\nKernel panic - not syncing: Oops - BUG: Fatal exception\nThis happens because pps_device_destruct() frees the pps_device with the\nembedded cdev immediately after calling cdev_del(), but, as the comment\nabove cdev_del() notes, fops for previously opened cdevs are still\ncallable even after cdev_del() returns. I think this bug has always\nbeen there: I can't explain why it suddenly started happening every time\nI reboot this particular board.\nIn commit d953e0e837e6 (\"pps: Fix a use-after free bug when\nunregistering a source.\"), George Spelvin suggested removing the\nembedded cdev. That seems like the simplest way to fix this, so I've\nimplemented his suggestion, using __register_chrdev() with pps_idr\nbecoming the source of truth for which minor corresponds to which\ndevice.\nBut now that pps_idr defines userspace visibility instead of cdev_add(),\nwe need to be sure the pps->dev refcount can't reach zero while\nuserspace can still find it again. So, the idr_remove() call moves to\npps_unregister_cdev(), and pps_idr now holds a reference to pps->dev.\npps_core: source serial1 got cdev (251:1)\n<...>\npps pps1: removed\npps_core: unregistering pps1\npps_core: deallocating pps1" ],
  "statement" : "The bug could happen during reboot (or another similar condition in which the pps_core driver module is removed), and only if PPS (Pulse Per Second), a special pulse provided by some GPS antennae, is being used. The security impact is limited.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-03-10T00:00:00Z",
    "advisory" : "RHSA-2025:2474",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.44.1.rt7.385.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-03-10T00:00:00Z",
    "advisory" : "RHSA-2025:2473",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.44.1.el8_10"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Will not fix",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-57979\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-57979\nhttps://lore.kernel.org/linux-cve-announce/2025022634-CVE-2024-57979-aad0@gregkh/T" ],
  "name" : "CVE-2024-57979",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent module pps_core from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.",
    "lang" : "en:us"
  },
  "csaw" : false
}