CVE-2023-53344
Gravedad:
Pendiente de análisis
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
17/09/2025
Última modificación:
17/09/2025
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write<br />
<br />
Syzkaller reported the following issue:<br />
<br />
=====================================================<br />
BUG: KMSAN: uninit-value in aio_rw_done fs/aio.c:1520 [inline]<br />
BUG: KMSAN: uninit-value in aio_write+0x899/0x950 fs/aio.c:1600<br />
aio_rw_done fs/aio.c:1520 [inline]<br />
aio_write+0x899/0x950 fs/aio.c:1600<br />
io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019<br />
__do_sys_io_submit fs/aio.c:2078 [inline]<br />
__se_sys_io_submit+0x293/0x770 fs/aio.c:2048<br />
__x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048<br />
do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br />
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80<br />
entry_SYSCALL_64_after_hwframe+0x63/0xcd<br />
<br />
Uninit was created at:<br />
slab_post_alloc_hook mm/slab.h:766 [inline]<br />
slab_alloc_node mm/slub.c:3452 [inline]<br />
__kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491<br />
__do_kmalloc_node mm/slab_common.c:967 [inline]<br />
__kmalloc+0x11d/0x3b0 mm/slab_common.c:981<br />
kmalloc_array include/linux/slab.h:636 [inline]<br />
bcm_tx_setup+0x80e/0x29d0 net/can/bcm.c:930<br />
bcm_sendmsg+0x3a2/0xce0 net/can/bcm.c:1351<br />
sock_sendmsg_nosec net/socket.c:714 [inline]<br />
sock_sendmsg net/socket.c:734 [inline]<br />
sock_write_iter+0x495/0x5e0 net/socket.c:1108<br />
call_write_iter include/linux/fs.h:2189 [inline]<br />
aio_write+0x63a/0x950 fs/aio.c:1600<br />
io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019<br />
__do_sys_io_submit fs/aio.c:2078 [inline]<br />
__se_sys_io_submit+0x293/0x770 fs/aio.c:2048<br />
__x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048<br />
do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br />
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80<br />
entry_SYSCALL_64_after_hwframe+0x63/0xcd<br />
<br />
CPU: 1 PID: 5034 Comm: syz-executor350 Not tainted 6.2.0-rc6-syzkaller-80422-geda666ff2276 #0<br />
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023<br />
=====================================================<br />
<br />
We can follow the call chain and find that &#39;bcm_tx_setup&#39; function<br />
calls &#39;memcpy_from_msg&#39; to copy some content to the newly allocated<br />
frame of &#39;op->frames&#39;. After that the &#39;len&#39; field of copied structure<br />
being compared with some constant value (64 or 8). However, if<br />
&#39;memcpy_from_msg&#39; returns an error, we will compare some uninitialized<br />
memory. This triggers &#39;uninit-value&#39; issue.<br />
<br />
This patch will add &#39;memcpy_from_msg&#39; possible errors processing to<br />
avoid uninit-value issue.<br />
<br />
Tested via syzkaller
Impacto
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/2b4c99f7d9a57ecd644eda9b1fb0a1072414959f
- https://git.kernel.org/stable/c/2e6ad51c709fa794e0ce26003c9c9cd944e3383a
- https://git.kernel.org/stable/c/3fa0f1e0e31b1b73cdf59d4c36c7242e6ef821be
- https://git.kernel.org/stable/c/618b15d09fed6126356101543451d49860db4388
- https://git.kernel.org/stable/c/78bc7f0ab99458221224d3ab97199c0f8e6861f1
- https://git.kernel.org/stable/c/ab2a55907823f0bca56b6d03ea05e4071ba8535f
- https://git.kernel.org/stable/c/bf70e0eab64c625da84d9fdf4e84466b79418920
- https://git.kernel.org/stable/c/c11dbc7705b3739974ac31a13f4ab81e61a5fb07