| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2026010549-CVE-2025-68754-7189@gregkh> Date: Mon, 5 Jan 2026 10:32:50 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-68754: rtc: amlogic-a4: fix double free caused by devm From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: rtc: amlogic-a4: fix double free caused by devm The clock obtained via devm_clk_get_enabled() is automatically managed by devres and will be disabled and freed on driver detach. Manually calling clk_disable_unprepare() in error path and remove function causes double free. Remove the redundant clk_disable_unprepare() calls from the probe error path and aml_rtc_remove(), allowing the devm framework to automatically manage the clock lifecycle. The Linux kernel CVE team has assigned CVE-2025-68754 to this issue. Affected and fixed versions =========================== Issue introduced in 6.13 with commit c89ac9182ee297597f1c6971045382bae19c3f9d and fixed in 6.17.13 with commit 9fed02c16488050cd4e33e045506336b216d7301 Issue introduced in 6.13 with commit c89ac9182ee297597f1c6971045382bae19c3f9d and fixed in 6.18.2 with commit 2e1c79299036614ac32b251d145fad5391f4bcab Issue introduced in 6.13 with commit c89ac9182ee297597f1c6971045382bae19c3f9d and fixed in 6.19-rc1 with commit 384150d7a5b60c1086790a8ee07b0629f906cca2 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-68754 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/rtc/rtc-amlogic-a4.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/9fed02c16488050cd4e33e045506336b216d7301 https://git.kernel.org/stable/c/2e1c79299036614ac32b251d145fad5391f4bcab https://git.kernel.org/stable/c/384150d7a5b60c1086790a8ee07b0629f906cca2
Powered by blists - more mailing lists