CVE-2025-68754

Vulnerability

In the Linux kernel's Amlogic A4 real-time clock (RTC) driver, a double-free vulnerability exists due to improper resource management. The driver uses devm_clk_get_enabled() to obtain and enable a clock, which automatically registers the clock for devres-based cleanup. However, the error path in the probe function and the aml_rtc_remove() function also call clk_disable_unprepare() manually, causing the clock. This results in addition to the automatic devres cleanup. This results in the clock being freed twice, leading to a double-free condition [1].

Exploitation

An attacker would need to trigger the driver's probe failure or removal path. The vulnerability is reachable when the RTC device is probed on a system with the Amlogic A4 SoC and the driver is loaded. No special privileges are required beyond the ability to cause the driver to be probed or removed, which could be achieved through hotplug events or module unloading. The double-free occurs in kernel memory management, which can lead to memory corruption [1].

Impact

Successful exploitation could cause a kernel crash (denial denial of service. In some cases, the memory corruption might be leveraged for privilege escalation, though the reference does not confirm this. The primary impact is system instability and potential data loss due to corruption [1].

Mitigation

The fix removes the redundant clk_disable_unprepare() calls from the probe error path and the aml_rtc_remove() function, allowing the devm framework to handle the clock lifecycle automatically. The patch has been applied to the Linux kernel stable tree [1]. Users should update to a kernel version containing this commit to mitigate the vulnerability.