Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's PPS (Pulse Per Second) subsystem. This issue occurs when a PPS device is unregistered, leading to a use-after-free condition in the associated character device. The vulnerability was observed on a Raspberry Pi 4 Model B board running NTP daemon (ntpd) and GPS daemon (gpsd). The problem arises because the function that unregisters the PPS device frees the device structure before ensuring that all references to it have been properly handled, allowing for potential memory corruption and exploitation.
Exploitation of this vulnerability causes a kernel panic, leading to a fatal exception and termination of the kernel process.
The vulnerability can be reproduced by rebooting a Raspberry Pi 4 Model B board running the Linux kernel version 6.11.0-rc6-00308-gb31c44928842, with both the NTP daemon and GPS daemon active. During the reboot process, the PPS device is removed, triggering the use-after-free condition in the GPS daemon's exit routine. This sequence of events causes a reference count underflow and memory corruption, ultimately resulting in a kernel panic.
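The lifetime rule behind this class of bug, shown as an added userspace C model (not the kernel's PPS code or the upstream fix; every name in it is hypothetical): the registration and each open handle hold a reference, unregister drops only its own, and the last holder frees the object.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model; every name here is hypothetical, not the kernel PPS API. */
struct model_dev {
    int  refs;        /* one for the registration, one per open handle */
    bool registered;  /* cleared by unregister */
};
static int frees;     /* number of objects actually freed */
static void dev_put(struct model_dev *d)
{
    if (--d->refs == 0) {   /* only the last holder frees */
        frees++;
        free(d);
    }
}
static struct model_dev *dev_register(void)
{
    struct model_dev *d = calloc(1, sizeof(*d));
    if (d)
        *d = (struct model_dev){ .refs = 1, .registered = true };
    return d;
}
static int dev_open(struct model_dev *d)       /* open(): handle pins object */
{
    if (!d->registered)
        return -ENODEV;
    d->refs++;
    return 0;
}
static void dev_release(struct model_dev *d) { dev_put(d); }   /* close() */
/* Flawed pattern from the description: free(d) here while a handle is open,
 * so the later dev_release() touches freed memory and underflows the count.
 * Hardened form: unregister only drops the registration's own reference. */
static void dev_unregister(struct model_dev *d)
{
    d->registered = false;
    dev_put(d);
}

int main(void)
{
    struct model_dev *d = dev_register();
    if (!d || dev_open(d)) return 1;
    dev_unregister(d);                  /* handle still open: nothing freed */
    dev_release(d);                     /* last reference dropped: freed once */
    printf("objects freed: %d\n", frees);
    return 0;
}
```

In the model, the object outlives unregistration for as long as a handle is open, and new opens fail with `-ENODEV` instead of reaching a dead device.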
Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed.