CVE-2024-57979

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to the fixed version

Description A use-after-free issue has been identified in the Linux kernel, specifically in the pps (pulse per second) subsystem. This issue occurs when the pps device destruct() function frees the pps device with the embedded cdev immediately after calling cdev del(), but the file operations for previously opened cdevs are still callable even after cdev del() returns. The estimated number of potentially affected devices is not provided. There is no information about real-world incidents where this issue was exploited.

Recommendations For Linux kernel versions prior to the fixed version, consider applying the patch that removes the embedded cdev and uses register chrdev() with pps idr as the source of truth for which minor corresponds to which device. Additionally, ensure that the pps->dev refcount cannot reach zero while userspace can still find it again by moving the idr remove() call to pps unregister cdev() and having pps idr hold a reference to pps->dev.