In this long-read post, we will discuss the recently resolved vulnerability CVE-2024-56773, found in the Linux kernel's KUnit subsystem. In particular, we will focus on the kunit_device_driver_test() function and how an unchecked result from kunit_kzalloc() can lead to a NULL pointer dereference. We will also include the relevant code snippets, links to the original references, and more details about the issue itself.

Background

KUnit is a lightweight unit testing and mocking framework for the Linux kernel. It is heavily inspired by JUnit, Python's unittest.mock, and other existing test frameworks. The core of KUnit consists of the kunit kernel module and the kunit_tool, which runs the tests. The primary goal of KUnit is to make it easier for developers to write and run tests within the kernel environment, thus improving the overall robustness and quality of the Linux kernel source code.

Link to the Linux Kernel documentation on KUnit:
- (https://www.kernel.org/doc/html/latest/dev-tools/kunit/index.html)

Exploit Details

The vulnerability lies in the kunit_device_driver_test() function, which uses the result of kunit_kzalloc() without checking it for NULL. Dereferencing that pointer when the allocation has failed is undefined behavior.

kunit_kzalloc() returns NULL when there is insufficient memory to satisfy the request. Without a NULL check after the call, dereferencing the returned pointer leads to a kernel oops (the kernel-space counterpart of a segmentation fault) or other unexpected behavior.

Here's the relevant code snippet with the potential vulnerability:

// drivers/base/kunit/kunit-device-driver.c
...
/* Allocates the per-test state for the caller. In the original code the
 * result of kzalloc() is stored without being checked for NULL. */
static int kunit_kzalloc(struct kunit *k, struct kunit **test_state)
{
	struct kunit_test *t;
	int ret = 0;

	*test_state = kzalloc(sizeof(**test_state), GFP_KERNEL);
...
}
...
static void kunit_device_driver_test(struct kunit *k)
{
	struct kunit *test_state;
	int ret;

	ret = kunit_kzalloc(k, &test_state);
	if (ret < 0)
		return;
	/* test_state is used from here on without a NULL check */
...
}

kunit_kzalloc() is called from kunit_device_driver_test(), which stores the result in the test_state pointer. However, in the original code there was no NULL check on test_state after the call to kunit_kzalloc(), so an allocation failure was not caught before the pointer was used.

Resolution

To patch this vulnerability and prevent any possible NULL dereference, a NULL check for test_state has been added right after the call to kunit_kzalloc(). The updated and patched code looks like this:

static void kunit_device_driver_test(struct kunit *k)
{
	struct kunit *test_state;
	int ret;

	ret = kunit_kzalloc(k, &test_state);
	/* Bail out on an error return or a NULL allocation result */
	if (ret < 0 || !test_state)
		return;
...
}

With this patch applied, the potential NULL dereference is avoided: kunit_device_driver_test() returns early instead of dereferencing a NULL test_state when the allocation fails.
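The following is an added, user-space illustration of the pattern behind this CVE, not code from the kernel or from the post: a stand-in allocator with fault injection models kzalloc() failing, and the unchecked form is shown beside the checked form that the fix introduces. The struct, allocator, and function names are constructed for this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed stand-in for the per-test state; not the kernel's struct kunit. */
struct test_state { int ready; };

/* Fault-injection switch: when true the stand-in allocator returns NULL, as kzalloc() does under memory pressure. */
static bool inject_alloc_failure = false;

/* Stand-in for kzalloc(size, GFP_KERNEL): zeroed allocation that may fail. */
static void *fake_kzalloc(size_t size)
{
	return inject_alloc_failure ? NULL : calloc(1, size);
}

/* Vulnerable pattern from the post: the result is dereferenced with no
 * NULL check, so an allocation failure turns into a NULL dereference. */
static int state_init_unchecked(struct test_state **out)
{
	*out = fake_kzalloc(sizeof(**out));
	(*out)->ready = 1;	/* crashes if fake_kzalloc() returned NULL */
	return 0;
}

/* Hardened pattern: check the allocation and report -ENOMEM instead. */
static int state_init_checked(struct test_state **out)
{
	*out = fake_kzalloc(sizeof(**out));
	if (!*out)
		return -ENOMEM;
	(*out)->ready = 1;
	return 0;
}

/* Runs one init routine with fault injection on or off and returns its result
 * code (-EINVAL if it "succeeded" without initialising the state).
 * run_init(true, state_init_unchecked) reproduces the crash, so it is not called here. */
static int run_init(bool fail_alloc, int (*init)(struct test_state **))
{
	struct test_state *st = NULL;
	int ret;

	inject_alloc_failure = fail_alloc;
	ret = init(&st);
	inject_alloc_failure = false;
	if (ret == 0 && (!st || st->ready != 1))
		ret = -EINVAL;
	free(st);
	return ret;
}
```

The same fault-injection approach is what a unit test for the fixed kernel code would need: the NULL path is only exercised when the allocator is made to fail.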

Conclusion

The Linux kernel team resolved this vulnerability under the identifier CVE-2024-56773. Adding a NULL check on test_state after the call to kunit_kzalloc() removes the risk of a NULL dereference in kunit_device_driver_test(). Developers using KUnit can continue to write and run tests within the kernel without this failure mode.

Timeline

Published on: 01/08/2025 18:15:18 UTC
Last modified on: 01/20/2025 06:27:53 UTC