Linux Kernel KUnit Uninitialized Memory Vulnerability Leading to Use-After-Free

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's KUnit testing framework. The issue arises in the 'kunit_debugfs_create_suite()' function, where the 'alloc_string_stream()' allocation can fail. When it does, the already-assigned 'suite->log' stream pointer is freed but not set to NULL. The subsequent 'string_stream_clear()' call in 'kunit_init_suite()' then dereferences the dangling pointer, producing a use-after-free. This vulnerability can cause a kernel panic and is exploitable under certain conditions, as detailed in the CVE description.

Impact

Exploitation of this vulnerability causes a kernel panic, leading to a fatal exception and a crash of the kernel.

Reproduction

The vulnerability can be reproduced by creating a KUnit test suite for which an 'alloc_string_stream()' call fails while the 'kunit_debugfs_create_suite()' loop is processing test cases. On that failure the 'suite->log' pointer remains assigned to freed memory, which 'string_stream_clear()' in 'kunit_init_suite()' later accesses, triggering the use-after-free.

Remediation

The vulnerability has been fixed in the official Linux Git repository. Users should upgrade to the latest version of the Linux kernel where this fix is applied.
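The error path described under Vulnerability and the fix referred to under Remediation, as an added user-space model that is not the kernel's own code: create_suite mirrors the shape of kunit_debugfs_create_suite(), init_after_create stands in for kunit_init_suite(), and fail_at, last_freed, the injected failure of the second allocation and the return value of string_stream_clear are constructed for this demonstration.

```c
#include <stdlib.h>
#include <string.h>
struct string_stream { char buf[32]; };
struct kunit_case   { struct string_stream *log; };
struct kunit_suite  { struct string_stream *log; struct kunit_case cases[2]; };
static int fail_at, alloc_count;   /* fault injection (constructed): which allocation fails, 0 = none */
static void *last_freed;           /* constructed: lets the harness see where a freed suite->log pointed */
static struct string_stream *alloc_string_stream(void) {
	if (fail_at && ++alloc_count == fail_at) return NULL; /* models IS_ERR(alloc_string_stream()) */
	return calloc(1, sizeof(struct string_stream));
}
static void string_stream_destroy(struct string_stream *s) {
	if (s) last_freed = s;
	free(s);
}
/* Error path shaped like kunit_debugfs_create_suite(); null_after_free == 0 is the buggy form. */
static int create_suite(struct kunit_suite *suite, int null_after_free) {
	suite->log = alloc_string_stream();
	if (!suite->log) return -1;
	for (int i = 0; i < 2; i++) {
		suite->cases[i].log = alloc_string_stream();
		if (!suite->cases[i].log) goto err;
	}
	return 0;
err:
	string_stream_destroy(suite->log);
	if (null_after_free) suite->log = NULL;          /* the remediation: no dangling pointer */
	for (int i = 0; i < 2; i++) {
		string_stream_destroy(suite->cases[i].log);
		if (null_after_free) suite->cases[i].log = NULL;
	}
	return -1;
}

/* Consumer, as string_stream_clear() from kunit_init_suite(): 0 means "no log", 1 means cleared. */
static int string_stream_clear(struct string_stream *s) {
	if (!s) return 0;
	memset(s->buf, 0, sizeof(s->buf));
	return 1;
}

/* Fail allocation number fail_on (2 = first test case's log), then run the consumer. */
static int init_after_create(int fail_on, int null_after_free) {
	struct kunit_suite suite = {0};
	fail_at = fail_on; alloc_count = 0; last_freed = NULL;
	create_suite(&suite, null_after_free);
	if (suite.log && suite.log == last_freed) return -1; /* dangling: clearing it would be the UAF */
	return string_stream_clear(suite.log);
}
```

With the buggy form the harness refuses to clear because suite.log still equals the freed block; with the fixed form the consumer sees NULL and returns without touching memory.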

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.