{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-56772","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-29T11:26:39.763Z","datePublished":"2025-01-08T17:49:11.544Z","dateUpdated":"2025-05-04T10:04:22.165Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T10:04:22.165Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nkunit: string-stream: Fix a UAF bug in kunit_init_suite()\n\nIn kunit_debugfs_create_suite(), if alloc_string_stream() fails in the\nkunit_suite_for_each_test_case() loop, the \"suite->log = stream\"\nhas assigned before, and the error path only free the suite->log's stream\nmemory but not set it to NULL, so the later string_stream_clear() of\nsuite->log in kunit_init_suite() will cause below UAF bug.\n\nSet stream pointer to NULL after free to fix it.\n\n\tUnable to handle kernel paging request at virtual address 006440150000030d\n\tMem abort info:\n\t  ESR = 0x0000000096000004\n\t  EC = 0x25: DABT (current EL), IL = 32 bits\n\t  SET = 0, FnV = 0\n\t  EA = 0, S1PTW = 0\n\t  FSC = 0x04: level 0 translation fault\n\tData abort info:\n\t  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n\t  CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n\t  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n\t[006440150000030d] address between user and kernel address ranges\n\tInternal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n\tDumping ftrace buffer:\n\t   (ftrace buffer empty)\n\tModules linked in: iio_test_gts industrialio_gts_helper cfg80211 rfkill ipv6 [last unloaded: iio_test_gts]\n\tCPU: 5 UID: 0 PID: 6253 Comm: modprobe Tainted: G    B   W        N 6.12.0-rc4+ #458\n\tTainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST\n\tHardware name: linux,dummy-virt (DT)\n\tpstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n\tpc : string_stream_clear+0x54/0x1ac\n\tlr : string_stream_clear+0x1a8/0x1ac\n\tsp : ffffffc080b47410\n\tx29: ffffffc080b47410 x28: 006440550000030d x27: ffffff80c96b5e98\n\tx26: ffffff80c96b5e80 x25: ffffffe461b3f6c0 x24: 0000000000000003\n\tx23: ffffff80c96b5e88 x22: 1ffffff019cdf4fc x21: dfffffc000000000\n\tx20: ffffff80ce6fa7e0 x19: 032202a80000186d x18: 0000000000001840\n\tx17: 0000000000000000 x16: 0000000000000000 x15: ffffffe45c355cb4\n\tx14: ffffffe45c35589c x13: ffffffe45c03da78 x12: ffffffb810168e75\n\tx11: 1ffffff810168e74 x10: ffffffb810168e74 x9 : dfffffc000000000\n\tx8 : 0000000000000004 x7 : 0000000000000003 x6 : 0000000000000001\n\tx5 : ffffffc080b473a0 x4 : 0000000000000000 x3 : 0000000000000000\n\tx2 : 0000000000000001 x1 : ffffffe462fbf620 x0 : dfffffc000000000\n\tCall trace:\n\t string_stream_clear+0x54/0x1ac\n\t __kunit_test_suites_init+0x108/0x1d8\n\t kunit_exec_run_tests+0xb8/0x100\n\t kunit_module_notify+0x400/0x55c\n\t notifier_call_chain+0xfc/0x3b4\n\t blocking_notifier_call_chain+0x68/0x9c\n\t do_init_module+0x24c/0x5c8\n\t load_module+0x4acc/0x4e90\n\t init_module_from_file+0xd4/0x128\n\t idempotent_init_module+0x2d4/0x57c\n\t __arm64_sys_finit_module+0xac/0x100\n\t invoke_syscall+0x6c/0x258\n\t el0_svc_common.constprop.0+0x160/0x22c\n\t do_el0_svc+0x44/0x5c\n\t el0_svc+0x48/0xb8\n\t el0t_64_sync_handler+0x13c/0x158\n\t el0t_64_sync+0x190/0x194\n\tCode: f9400753 d2dff800 f2fbffe0 d343fe7c (38e06b80)\n\t---[ end trace 0000000000000000 ]---\n\tKernel panic - not syncing: Oops: Fatal exception"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["lib/kunit/debugfs.c"],"versions":[{"version":"a3fdf784780ccb0008d630e8722d1389c49c7499","lessThan":"3213b92754b94dec6836e8b4d6ec7d224a805b61","status":"affected","versionType":"git"},{"version":"a3fdf784780ccb0008d630e8722d1389c49c7499","lessThan":"39e21403c978862846fa68b7f6d06f9cca235194","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["lib/kunit/debugfs.c"],"versions":[{"version":"6.7","status":"affected"},{"version":"0","lessThan":"6.7","status":"unaffected","versionType":"semver"},{"version":"6.12.4","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.13"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/3213b92754b94dec6836e8b4d6ec7d224a805b61"},{"url":"https://git.kernel.org/stable/c/39e21403c978862846fa68b7f6d06f9cca235194"}],"title":"kunit: string-stream: Fix a UAF bug in kunit_init_suite()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2024-56772","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-02-10T17:12:12.420293Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-416","description":"CWE-416 Use After Free"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-02-10T17:21:06.581Z"}}]}}