CVE-2023-52922
Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 28/11/2024
Last modified: 13/06/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

can: bcm: Fix UAF in bcm_proc_show()

```
BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80
Read of size 8 at addr ffff888155846230 by task cat/7862

CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
dump_stack_lvl+0xd5/0x150
print_report+0xc1/0x5e0
kasan_report+0xba/0xf0
bcm_proc_show+0x969/0xa80
seq_read_iter+0x4f6/0x1260
seq_read+0x165/0x210
proc_reg_read+0x227/0x300
vfs_read+0x1d5/0x8d0
ksys_read+0x11e/0x240
do_syscall_64+0x35/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Allocated by task 7846:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
__kasan_kmalloc+0x9e/0xa0
bcm_sendmsg+0x264b/0x44e0
sock_sendmsg+0xda/0x180
____sys_sendmsg+0x735/0x920
___sys_sendmsg+0x11d/0x1b0
__sys_sendmsg+0xfa/0x1d0
do_syscall_64+0x35/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 7846:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_save_free_info+0x27/0x40
____kasan_slab_free+0x161/0x1c0
slab_free_freelist_hook+0x119/0x220
__kmem_cache_free+0xb4/0x2e0
rcu_core+0x809/0x1bd0
```

bcm_op is freed before the procfs entry is removed in bcm_release(); this may lead to bcm_proc_show() reading the freed bcm_op.
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.25 (including) | 4.14.322 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.291 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.251 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.188 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.123 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.42 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.4.7 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.5:rc2:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/11b8e27ed448baa385d90154a141466bd5e92f18
- https://git.kernel.org/stable/c/3c3941bb1eb53abe7d640ffee5c4d6b559829ab3
- https://git.kernel.org/stable/c/55c3b96074f3f9b0aee19bf93cd71af7516582bb
- https://git.kernel.org/stable/c/9533dbfac0ff7edd77a5fa2c24974b1d66c8b0a6
- https://git.kernel.org/stable/c/995f47d76647708ec26c6e388663ad4f3f264787
- https://git.kernel.org/stable/c/9b58d36d0c1ea29a9571e0222a9c29df0ccfb7ff
- https://git.kernel.org/stable/c/cf254b4f68e480e73dab055014e002b77aed30ed
- https://git.kernel.org/stable/c/dfd0aa26e9a07f2ce546ccf8304ead6a2914e8a7
- https://allelesecurity.com/use-after-free-vulnerability-in-can-bcm-subsystem-leading-to-information-disclosure-cve-2023-52922/



