A recent security vulnerability, CVE-2024-57979, has been identified and patched in the Linux kernel concerning the pps (Pulse Per Second) framework. This post offers an exclusive breakdown of the bug, what caused it, how the fix works, and how it might be exploited. We'll use simple American English, include key references, and look at example code and logs.
What Is PPS in Linux?
PPS — “Pulse Per Second” — is a system in Linux used to get very precise time signals, often from GPS hardware. It’s crucial for things like time synchronization (for example, running ntpd or gpsd on embedded devices like Raspberry Pi).
What Happened?
On boards running both ntpd (Network Time Protocol daemon) and gpsd (a GPS monitor), a use-after-free bug was reliably triggered during system reboot. The kernel reported stack traces and crashed—often with a kernel panic—citing issues deep in device cleanup code:

```text
pps pps1: removed
------------[ cut here ]------------
kobject: '(null)' (00000000db4bec24): is not initialized, yet kobject_put() is being called.
WARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150
...
refcount_t: underflow; use-after-free.
kernel BUG at lib/list_debug.c:62!
Kernel panic - not syncing: Oops - BUG: Fatal exception
```
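The post recommends watching dmesg for this signature. As an added example (not code from the post or from the kernel), here is a small C scanner that takes dmesg lines and reports which indicators of the PPS teardown use-after-free appeared, distinguishing a clean `pps ppsN: removed` on shutdown from one that is accompanied by the kobject/refcount warnings. The sample log lines are constructed from the trace above; the type and function names (`scan_result`, `scan_dmesg`, `looks_like_pps_uaf`) are hypothetical.

```c
/* Added example: classify dmesg lines against the PPS use-after-free
 * signature. Not from the kernel or the post; all names are hypothetical. */
#include <stdio.h>
#include <string.h>

enum {
    IND_PPS_REMOVED    = 1 << 0,  /* "pps ppsN: removed" */
    IND_KOBJECT_PUT    = 1 << 1,  /* kobject_put() on an uninitialised kobject */
    IND_REFCOUNT_UAF   = 1 << 2,  /* "refcount_t: underflow; use-after-free" */
    IND_LIST_DEBUG_BUG = 1 << 3,  /* "kernel BUG at lib/list_debug.c" */
    IND_PANIC          = 1 << 4,  /* "Kernel panic - not syncing" */
};

struct scan_result {
    unsigned indicators;     /* OR of the IND_* bits seen */
    char removed_dev[16];    /* device name from the removal line, e.g. "pps1" */
};

/* Map one log line to an indicator bit; record the device name on removal. */
static unsigned classify_line(const char *line, struct scan_result *r)
{
    const char *p = strstr(line, "pps pps");
    if (p && strstr(p, ": removed")) {
        p += 4;                                  /* skip the "pps " prefix */
        size_t n = strcspn(p, ":");              /* name runs up to the colon */
        if (n >= sizeof(r->removed_dev))
            n = sizeof(r->removed_dev) - 1;
        memcpy(r->removed_dev, p, n);
        r->removed_dev[n] = '\0';
        return IND_PPS_REMOVED;
    }
    if (strstr(line, "yet kobject_put() is being called"))
        return IND_KOBJECT_PUT;
    if (strstr(line, "refcount_t: underflow; use-after-free"))
        return IND_REFCOUNT_UAF;
    if (strstr(line, "kernel BUG at lib/list_debug.c"))
        return IND_LIST_DEBUG_BUG;
    if (strstr(line, "Kernel panic - not syncing"))
        return IND_PANIC;
    return 0;
}

/* Scan a batch of lines (e.g. read from `dmesg`) and collect indicators. */
struct scan_result scan_dmesg(const char *const *lines, size_t nlines)
{
    struct scan_result r = { 0, "" };
    for (size_t i = 0; i < nlines; i++)
        r.indicators |= classify_line(lines[i], &r);
    return r;
}

/* A removal line alone is normal on shutdown; flag only when it appears
 * together with a kobject or refcount indicator from the same log. */
int looks_like_pps_uaf(const struct scan_result *r)
{
    return (r->indicators & IND_PPS_REMOVED) &&
           (r->indicators & (IND_KOBJECT_PUT | IND_REFCOUNT_UAF));
}

/* Constructed sample: the trace from the post with made-up timestamps. */
const char *const sample_log[] = {
    "[   12.345678] pps pps1: removed",
    "[   12.345700] ------------[ cut here ]------------",
    "[   12.345712] kobject: '(null)' (00000000db4bec24): is not initialized, yet kobject_put() is being called.",
    "[   12.345900] refcount_t: underflow; use-after-free.",
    "[   12.346100] kernel BUG at lib/list_debug.c:62!",
    "[   12.346200] Kernel panic - not syncing: Oops - BUG: Fatal exception",
};
#define SAMPLE_LOG_LEN (sizeof(sample_log) / sizeof(sample_log[0]))

int main(void)
{
    struct scan_result r = scan_dmesg(sample_log, SAMPLE_LOG_LEN);
    printf("indicators=0x%x removed=%s verdict=%s\n", r.indicators, r.removed_dev,
           looks_like_pps_uaf(&r) ? "PPS use-after-free signature" : "clean");
    return 0;
}
```

In practice the lines would come from `dmesg` (or a persisted journal) on each board after a reboot; the verdict function is deliberately conservative so that a plain removal message during an orderly shutdown does not raise an alert.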
What does this mean?
The kernel freed a PPS device structure while other code could still *use* it, which corrupts memory and crashes the machine.

The old teardown path did two things in order:

1. cdev_del(&pps->cdev);
2. kfree(pps);

The first call unregisters the character device, and the second immediately frees the device structure. But even after cdev_del(), file descriptors that user space (such as gpsd or ntpd) already holds open can keep calling into the driver's file operations (fops). By then the device memory is already freed, so any such call touches freed memory: a classic use-after-free.

This bug had existed for a long time, but recent changes or updates made it easily reproducible.

The problem: the kernel did not ensure all users were finished before freeing the device memory.
The Fix: Remove Embedded cdev and Use Reference Counting
Inspired by George Spelvin’s 2016 patch, the fix does the following:

- Stop embedding cdev in the device structure.
- Use the Linux idr (ID Allocator) as the *sole source of truth* for which device minor numbers are in use.

Old approach (“bad”):

```c
// Remove cdev, then free pps.
cdev_del(&pps->cdev);
kfree(pps);
```

Fixed approach:

```c
// Remove device from idr, then clean up after all users are gone.
idr_remove(&pps_idr, pps->minor);
put_device(&pps->dev); // uses reference counting
// The actual freeing happens only when no references remain.
```

User space can't re-discover a PPS device once idr_remove() has been called.
How could this be attacked?
- Malicious code or a user-space program (gpsd or a custom process) could hold an open file to a PPS device.
- When the device is removed, the kernel frees the device struct while user space still has its handle.
- The next time the user-space program accesses the device, it could crash the kernel, possibly leading to denial of service or, in theory, privilege escalation if the use-after-free can be manipulated.

Note: This would typically require local access (not remote), but it makes stable time servers (and IoT boards) vulnerable to local attackers or to repeated panics and reboots.
Observe the kernel crash, matching the logs above:

```text
pps pps1: removed
...
kernel BUG at lib/list_debug.c:62!
Kernel panic - not syncing: Oops - BUG: Fatal exception
```
Before

```c
struct pps_device {
    ...
    struct cdev cdev;
    ...
};

// Destruct sequence
cdev_del(&pps->cdev);
kfree(pps);
```

After

```c
// No embedded struct cdev!
// pps_idr holds a reference to the device; the device is removed from the idr before freeing.
idr_remove(&pps_idr, pps->minor);
put_device(&pps->dev); // safe, as refcounts are handled
```
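To make the "after" scheme concrete, here is an added user-space model of it in C. It is not the kernel's code and not from the post: a fixed minor table stands in for the kernel's idr, an explicit counter stands in for the kobject refcount behind get_device()/put_device(), and every name (`minor_table`, `pps_get`, `pps_put`, `pps_unregister`, `demo_*`) is a hypothetical stand-in. It walks the scenario from the post: a process keeps the device open across removal, and the struct must survive until that last reference is dropped.

```c
/* Added example, not kernel code: a user-space model of the fixed PPS
 * lifetime scheme (idr as source of truth + device refcount). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PPS_MAX_MINORS 8

struct pps_device {
    int minor;
    int refcount;        /* models the struct device / kobject refcount */
    char name[16];
};

/* Stand-in for pps_idr: the single source of truth for live minors. */
static struct pps_device *minor_table[PPS_MAX_MINORS];

/* Bumped by the release callback so callers can see *when* the free ran. */
static int devices_freed;

/* Models the struct device release callback: runs only on the final put. */
static void pps_device_release(struct pps_device *pps)
{
    printf("pps %s: freed\n", pps->name);
    free(pps);
    devices_freed++;
}

static struct pps_device *pps_get(struct pps_device *pps)   /* get_device() */
{
    pps->refcount++;
    return pps;
}

static void pps_put(struct pps_device *pps)                 /* put_device() */
{
    if (--pps->refcount == 0)
        pps_device_release(pps);
}

/* Registration: take the lowest free minor; the table owns one reference. */
static struct pps_device *pps_register(void)
{
    for (int m = 0; m < PPS_MAX_MINORS; m++) {
        if (minor_table[m])
            continue;
        struct pps_device *pps = calloc(1, sizeof(*pps));
        if (!pps)
            return NULL;
        pps->minor = m;
        pps->refcount = 1;                       /* the table's reference */
        snprintf(pps->name, sizeof(pps->name), "pps%d", m);
        minor_table[m] = pps;
        return pps;
    }
    return NULL;                                 /* all minors in use */
}

/* Removal: drop the minor from the table so no new open() can find it, then
 * drop the table's reference. Memory goes away only when nobody else holds
 * a reference, which cdev_del()+kfree() never guaranteed. */
static void pps_unregister(struct pps_device *pps)
{
    printf("pps %s: removed\n", pps->name);
    minor_table[pps->minor] = NULL;              /* models idr_remove() */
    pps_put(pps);                                /* models put_device() */
}

/* open(): look the minor up in the table and take a reference for the file. */
static struct pps_device *pps_open(int minor)
{
    if (minor < 0 || minor >= PPS_MAX_MINORS || !minor_table[minor])
        return NULL;                             /* -ENODEV in the kernel */
    return pps_get(minor_table[minor]);
}

/* release(): drop the file's reference; this may be the put that frees. */
static void pps_release(struct pps_device *file_dev)
{
    pps_put(file_dev);
}

/* Scenario from the post: gpsd keeps the device open across removal.
 * Returns 1 if the struct stayed valid until release and was freed exactly
 * once, on that release. */
int demo_open_across_removal(void)
{
    devices_freed = 0;
    struct pps_device *pps = pps_register();
    if (!pps)
        return 0;
    int minor = pps->minor;
    struct pps_device *file_dev = pps_open(minor); /* gpsd: open(/dev/pps0) */

    pps_unregister(pps);                         /* reboot: driver tears down */
    int freed_early = devices_freed;             /* old code: kfree() ran here */
    int reopen_blocked = (pps_open(minor) == NULL);
    int still_valid = (strcmp(file_dev->name, "pps0") == 0); /* fops still safe */

    pps_release(file_dev);                       /* gpsd exits: last reference */
    return freed_early == 0 && reopen_blocked && still_valid && devices_freed == 1;
}

/* Control case: removal with no open files frees immediately. */
int demo_remove_without_users(void)
{
    devices_freed = 0;
    pps_unregister(pps_register());
    return devices_freed == 1;
}

int main(void)
{
    printf("open across removal: %s\n", demo_open_across_removal() ? "ok" : "FAIL");
    printf("remove without users: %s\n", demo_remove_without_users() ? "ok" : "FAIL");
    return 0;
}
```

The design point is the ownership split: the table holds one reference, each open file holds one more, and removal only ever drops the table's. Nothing is freed from the removal path itself, and because the minor is gone from the table first, no new reference can be taken after removal starts.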
References
- Patch/Pull Request:
  - cf7213cdfe7 (pps: Fix use-after-free)
  - d953ee837e6 (old bugfix reference)
- Original mailing list discussion:
- CVE Details:
  - CVE-2024-57979 on MITRE (pending)
- Documentation:
Summary
- CVE-2024-57979 is a use-after-free in the Linux PPS driver, causing kernel crashes (and possibly escalation).
- If you use Linux with PPS hardware (e.g., embedded boards, GPS receivers), update your kernel ASAP!
- Stay secure: update early, monitor dmesg, and check with your Linux distributor for backported patches.
_Exclusive analysis written for you. Please cite original kernel.org and LKML resources if sharing further._
Timeline
Published on: 02/27/2025 02:15:11 UTC
Last modified on: 05/04/2025 13:01:47 UTC