CVE-2024-56772
Vulnerability from cvelistv5
Published
2025-01-08 17:49
Modified
2025-01-08 17:49
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: kunit: string-stream: Fix a UAF bug in kunit_init_suite() In kunit_debugfs_create_suite(), if alloc_string_stream() fails in the kunit_suite_for_each_test_case() loop, the "suite->log = stream" has assigned before, and the error path only free the suite->log's stream memory but not set it to NULL, so the later string_stream_clear() of suite->log in kunit_init_suite() will cause below UAF bug. Set stream pointer to NULL after free to fix it. Unable to handle kernel paging request at virtual address 006440150000030d Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [006440150000030d] address between user and kernel address ranges Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: iio_test_gts industrialio_gts_helper cfg80211 rfkill ipv6 [last unloaded: iio_test_gts] CPU: 5 UID: 0 PID: 6253 Comm: modprobe Tainted: G B W N 6.12.0-rc4+ #458 Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST Hardware name: linux,dummy-virt (DT) pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : string_stream_clear+0x54/0x1ac lr : string_stream_clear+0x1a8/0x1ac sp : ffffffc080b47410 x29: ffffffc080b47410 x28: 006440550000030d x27: ffffff80c96b5e98 x26: ffffff80c96b5e80 x25: ffffffe461b3f6c0 x24: 0000000000000003 x23: ffffff80c96b5e88 x22: 1ffffff019cdf4fc x21: dfffffc000000000 x20: ffffff80ce6fa7e0 x19: 032202a80000186d x18: 0000000000001840 x17: 0000000000000000 x16: 0000000000000000 x15: ffffffe45c355cb4 x14: ffffffe45c35589c x13: ffffffe45c03da78 x12: ffffffb810168e75 x11: 1ffffff810168e74 x10: ffffffb810168e74 x9 : dfffffc000000000 x8 : 0000000000000004 x7 : 0000000000000003 x6 : 0000000000000001 x5 : ffffffc080b473a0 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000001 x1 : ffffffe462fbf620 x0 : dfffffc000000000 Call trace: string_stream_clear+0x54/0x1ac __kunit_test_suites_init+0x108/0x1d8 kunit_exec_run_tests+0xb8/0x100 kunit_module_notify+0x400/0x55c notifier_call_chain+0xfc/0x3b4 blocking_notifier_call_chain+0x68/0x9c do_init_module+0x24c/0x5c8 load_module+0x4acc/0x4e90 init_module_from_file+0xd4/0x128 idempotent_init_module+0x2d4/0x57c __arm64_sys_finit_module+0xac/0x100 invoke_syscall+0x6c/0x258 el0_svc_common.constprop.0+0x160/0x22c do_el0_svc+0x44/0x5c el0_svc+0x48/0xb8 el0t_64_sync_handler+0x13c/0x158 el0t_64_sync+0x190/0x194 Code: f9400753 d2dff800 f2fbffe0 d343fe7c (38e06b80) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Oops: Fatal exception
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3213b92754b94dec6836e8b4d6ec7d224a805b61
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/39e21403c978862846fa68b7f6d06f9cca235194
Impacted products
Vendor Product Version
Linux Linux Version: 6.7
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "lib/kunit/debugfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3213b92754b94dec6836e8b4d6ec7d224a805b61",
              "status": "affected",
              "version": "a3fdf784780ccb0008d630e8722d1389c49c7499",
              "versionType": "git"
            },
            {
              "lessThan": "39e21403c978862846fa68b7f6d06f9cca235194",
              "status": "affected",
              "version": "a3fdf784780ccb0008d630e8722d1389c49c7499",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "lib/kunit/debugfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkunit: string-stream: Fix a UAF bug in kunit_init_suite()\n\nIn kunit_debugfs_create_suite(), if alloc_string_stream() fails in the\nkunit_suite_for_each_test_case() loop, the \"suite-\u003elog = stream\"\nhas assigned before, and the error path only free the suite-\u003elog\u0027s stream\nmemory but not set it to NULL, so the later string_stream_clear() of\nsuite-\u003elog in kunit_init_suite() will cause below UAF bug.\n\nSet stream pointer to NULL after free to fix it.\n\n\tUnable to handle kernel paging request at virtual address 006440150000030d\n\tMem abort info:\n\t  ESR = 0x0000000096000004\n\t  EC = 0x25: DABT (current EL), IL = 32 bits\n\t  SET = 0, FnV = 0\n\t  EA = 0, S1PTW = 0\n\t  FSC = 0x04: level 0 translation fault\n\tData abort info:\n\t  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n\t  CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n\t  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n\t[006440150000030d] address between user and kernel address ranges\n\tInternal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n\tDumping ftrace buffer:\n\t   (ftrace buffer empty)\n\tModules linked in: iio_test_gts industrialio_gts_helper cfg80211 rfkill ipv6 [last unloaded: iio_test_gts]\n\tCPU: 5 UID: 0 PID: 6253 Comm: modprobe Tainted: G    B   W        N 6.12.0-rc4+ #458\n\tTainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST\n\tHardware name: linux,dummy-virt (DT)\n\tpstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n\tpc : string_stream_clear+0x54/0x1ac\n\tlr : string_stream_clear+0x1a8/0x1ac\n\tsp : ffffffc080b47410\n\tx29: ffffffc080b47410 x28: 006440550000030d x27: ffffff80c96b5e98\n\tx26: ffffff80c96b5e80 x25: ffffffe461b3f6c0 x24: 0000000000000003\n\tx23: ffffff80c96b5e88 x22: 1ffffff019cdf4fc x21: dfffffc000000000\n\tx20: ffffff80ce6fa7e0 x19: 032202a80000186d x18: 0000000000001840\n\tx17: 0000000000000000 x16: 0000000000000000 x15: ffffffe45c355cb4\n\tx14: ffffffe45c35589c x13: ffffffe45c03da78 x12: ffffffb810168e75\n\tx11: 1ffffff810168e74 x10: ffffffb810168e74 x9 : dfffffc000000000\n\tx8 : 0000000000000004 x7 : 0000000000000003 x6 : 0000000000000001\n\tx5 : ffffffc080b473a0 x4 : 0000000000000000 x3 : 0000000000000000\n\tx2 : 0000000000000001 x1 : ffffffe462fbf620 x0 : dfffffc000000000\n\tCall trace:\n\t string_stream_clear+0x54/0x1ac\n\t __kunit_test_suites_init+0x108/0x1d8\n\t kunit_exec_run_tests+0xb8/0x100\n\t kunit_module_notify+0x400/0x55c\n\t notifier_call_chain+0xfc/0x3b4\n\t blocking_notifier_call_chain+0x68/0x9c\n\t do_init_module+0x24c/0x5c8\n\t load_module+0x4acc/0x4e90\n\t init_module_from_file+0xd4/0x128\n\t idempotent_init_module+0x2d4/0x57c\n\t __arm64_sys_finit_module+0xac/0x100\n\t invoke_syscall+0x6c/0x258\n\t el0_svc_common.constprop.0+0x160/0x22c\n\t do_el0_svc+0x44/0x5c\n\t el0_svc+0x48/0xb8\n\t el0t_64_sync_handler+0x13c/0x158\n\t el0t_64_sync+0x190/0x194\n\tCode: f9400753 d2dff800 f2fbffe0 d343fe7c (38e06b80)\n\t---[ end trace 0000000000000000 ]---\n\tKernel panic - not syncing: Oops: Fatal exception"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-08T17:49:11.544Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3213b92754b94dec6836e8b4d6ec7d224a805b61"
        },
        {
          "url": "https://git.kernel.org/stable/c/39e21403c978862846fa68b7f6d06f9cca235194"
        }
      ],
      "title": "kunit: string-stream: Fix a UAF bug in kunit_init_suite()",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56772",
    "datePublished": "2025-01-08T17:49:11.544Z",
    "dateReserved": "2024-12-29T11:26:39.763Z",
    "dateUpdated": "2025-01-08T17:49:11.544Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-56772\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-01-08T18:15:17.897\",\"lastModified\":\"2025-01-08T18:15:17.897\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nkunit: string-stream: Fix a UAF bug in kunit_init_suite()\\n\\nIn kunit_debugfs_create_suite(), if alloc_string_stream() fails in the\\nkunit_suite_for_each_test_case() loop, the \\\"suite-\u003elog = stream\\\"\\nhas assigned before, and the error path only free the suite-\u003elog\u0027s stream\\nmemory but not set it to NULL, so the later string_stream_clear() of\\nsuite-\u003elog in kunit_init_suite() will cause below UAF bug.\\n\\nSet stream pointer to NULL after free to fix it.\\n\\n\\tUnable to handle kernel paging request at virtual address 006440150000030d\\n\\tMem abort info:\\n\\t  ESR = 0x0000000096000004\\n\\t  EC = 0x25: DABT (current EL), IL = 32 bits\\n\\t  SET = 0, FnV = 0\\n\\t  EA = 0, S1PTW = 0\\n\\t  FSC = 0x04: level 0 translation fault\\n\\tData abort info:\\n\\t  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\\n\\t  CM = 0, WnR = 0, TnD = 0, TagAccess = 0\\n\\t  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\\n\\t[006440150000030d] address between user and kernel address ranges\\n\\tInternal error: Oops: 0000000096000004 [#1] PREEMPT SMP\\n\\tDumping ftrace buffer:\\n\\t   (ftrace buffer empty)\\n\\tModules linked in: iio_test_gts industrialio_gts_helper cfg80211 rfkill ipv6 [last unloaded: iio_test_gts]\\n\\tCPU: 5 UID: 0 PID: 6253 Comm: modprobe Tainted: G    B   W        N 6.12.0-rc4+ #458\\n\\tTainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST\\n\\tHardware name: linux,dummy-virt (DT)\\n\\tpstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n\\tpc : string_stream_clear+0x54/0x1ac\\n\\tlr : string_stream_clear+0x1a8/0x1ac\\n\\tsp : ffffffc080b47410\\n\\tx29: ffffffc080b47410 x28: 006440550000030d x27: ffffff80c96b5e98\\n\\tx26: ffffff80c96b5e80 x25: ffffffe461b3f6c0 x24: 0000000000000003\\n\\tx23: ffffff80c96b5e88 x22: 1ffffff019cdf4fc x21: dfffffc000000000\\n\\tx20: ffffff80ce6fa7e0 x19: 032202a80000186d x18: 0000000000001840\\n\\tx17: 0000000000000000 x16: 0000000000000000 x15: ffffffe45c355cb4\\n\\tx14: ffffffe45c35589c x13: ffffffe45c03da78 x12: ffffffb810168e75\\n\\tx11: 1ffffff810168e74 x10: ffffffb810168e74 x9 : dfffffc000000000\\n\\tx8 : 0000000000000004 x7 : 0000000000000003 x6 : 0000000000000001\\n\\tx5 : ffffffc080b473a0 x4 : 0000000000000000 x3 : 0000000000000000\\n\\tx2 : 0000000000000001 x1 : ffffffe462fbf620 x0 : dfffffc000000000\\n\\tCall trace:\\n\\t string_stream_clear+0x54/0x1ac\\n\\t __kunit_test_suites_init+0x108/0x1d8\\n\\t kunit_exec_run_tests+0xb8/0x100\\n\\t kunit_module_notify+0x400/0x55c\\n\\t notifier_call_chain+0xfc/0x3b4\\n\\t blocking_notifier_call_chain+0x68/0x9c\\n\\t do_init_module+0x24c/0x5c8\\n\\t load_module+0x4acc/0x4e90\\n\\t init_module_from_file+0xd4/0x128\\n\\t idempotent_init_module+0x2d4/0x57c\\n\\t __arm64_sys_finit_module+0xac/0x100\\n\\t invoke_syscall+0x6c/0x258\\n\\t el0_svc_common.constprop.0+0x160/0x22c\\n\\t do_el0_svc+0x44/0x5c\\n\\t el0_svc+0x48/0xb8\\n\\t el0t_64_sync_handler+0x13c/0x158\\n\\t el0t_64_sync+0x190/0x194\\n\\tCode: f9400753 d2dff800 f2fbffe0 d343fe7c (38e06b80)\\n\\t---[ end trace 0000000000000000 ]---\\n\\tKernel panic - not syncing: Oops: Fatal exception\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3213b92754b94dec6836e8b4d6ec7d224a805b61\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/39e21403c978862846fa68b7f6d06f9cca235194\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.