CVE-2025-38004

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: bcm: add locking for bcm_op runtime updates<br /> <br /> The CAN broadcast manager (CAN BCM) can send a sequence of CAN frames via<br /> hrtimer. The content and also the length of the sequence can be changed<br /> resp reduced at runtime where the &amp;#39;currframe&amp;#39; counter is then set to zero.<br /> <br /> Although this appeared to be a safe operation the updates of &amp;#39;currframe&amp;#39;<br /> can be triggered from user space and hrtimer context in bcm_can_tx().<br /> Anderson Nascimento created a proof of concept that triggered a KASAN<br /> slab-out-of-bounds read access which can be prevented with a spin_lock_bh.<br /> <br /> At the rework of bcm_can_tx() the &amp;#39;count&amp;#39; variable has been moved into<br /> the protected section as this variable can be modified from both contexts<br /> too.