CVE-2024-56772

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> kunit: string-stream: Fix a UAF bug in kunit_init_suite()<br /> <br /> In kunit_debugfs_create_suite(), if alloc_string_stream() fails in the<br /> kunit_suite_for_each_test_case() loop, the "suite-&gt;log = stream"<br /> has assigned before, and the error path only free the suite-&gt;log&amp;#39;s stream<br /> memory but not set it to NULL, so the later string_stream_clear() of<br /> suite-&gt;log in kunit_init_suite() will cause below UAF bug.<br /> <br /> Set stream pointer to NULL after free to fix it.<br /> <br /> Unable to handle kernel paging request at virtual address 006440150000030d<br /> Mem abort info:<br /> ESR = 0x0000000096000004<br /> EC = 0x25: DABT (current EL), IL = 32 bits<br /> SET = 0, FnV = 0<br /> EA = 0, S1PTW = 0<br /> FSC = 0x04: level 0 translation fault<br /> Data abort info:<br /> ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000<br /> CM = 0, WnR = 0, TnD = 0, TagAccess = 0<br /> GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0<br /> [006440150000030d] address between user and kernel address ranges<br /> Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP<br /> Dumping ftrace buffer:<br /> (ftrace buffer empty)<br /> Modules linked in: iio_test_gts industrialio_gts_helper cfg80211 rfkill ipv6 [last unloaded: iio_test_gts]<br /> CPU: 5 UID: 0 PID: 6253 Comm: modprobe Tainted: G B W N 6.12.0-rc4+ #458<br /> Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST<br /> Hardware name: linux,dummy-virt (DT)<br /> pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : string_stream_clear+0x54/0x1ac<br /> lr : string_stream_clear+0x1a8/0x1ac<br /> sp : ffffffc080b47410<br /> x29: ffffffc080b47410 x28: 006440550000030d x27: ffffff80c96b5e98<br /> x26: ffffff80c96b5e80 x25: ffffffe461b3f6c0 x24: 0000000000000003<br /> x23: ffffff80c96b5e88 x22: 1ffffff019cdf4fc x21: dfffffc000000000<br /> x20: ffffff80ce6fa7e0 x19: 032202a80000186d x18: 0000000000001840<br /> x17: 0000000000000000 x16: 0000000000000000 x15: ffffffe45c355cb4<br /> x14: ffffffe45c35589c x13: ffffffe45c03da78 x12: ffffffb810168e75<br /> x11: 1ffffff810168e74 x10: ffffffb810168e74 x9 : dfffffc000000000<br /> x8 : 0000000000000004 x7 : 0000000000000003 x6 : 0000000000000001<br /> x5 : ffffffc080b473a0 x4 : 0000000000000000 x3 : 0000000000000000<br /> x2 : 0000000000000001 x1 : ffffffe462fbf620 x0 : dfffffc000000000<br /> Call trace:<br /> string_stream_clear+0x54/0x1ac<br /> __kunit_test_suites_init+0x108/0x1d8<br /> kunit_exec_run_tests+0xb8/0x100<br /> kunit_module_notify+0x400/0x55c<br /> notifier_call_chain+0xfc/0x3b4<br /> blocking_notifier_call_chain+0x68/0x9c<br /> do_init_module+0x24c/0x5c8<br /> load_module+0x4acc/0x4e90<br /> init_module_from_file+0xd4/0x128<br /> idempotent_init_module+0x2d4/0x57c<br /> __arm64_sys_finit_module+0xac/0x100<br /> invoke_syscall+0x6c/0x258<br /> el0_svc_common.constprop.0+0x160/0x22c<br /> do_el0_svc+0x44/0x5c<br /> el0_svc+0x48/0xb8<br /> el0t_64_sync_handler+0x13c/0x158<br /> el0t_64_sync+0x190/0x194<br /> Code: f9400753 d2dff800 f2fbffe0 d343fe7c (38e06b80)<br /> ---[ end trace 0000000000000000 ]---<br /> Kernel panic - not syncing: Oops: Fatal exception