CVE-2023-52922: can: bcm: Fix UAF in bcm_proc_show()
First published: Thu Nov 28 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: can: bcm: Fix UAF in bcm_proc_show() BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80 Read of size 8 at addr ffff888155846230 by task cat/7862 CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xd5/0x150 print_report+0xc1/0x5e0 kasan_report+0xba/0xf0 bcm_proc_show+0x969/0xa80 seq_read_iter+0x4f6/0x1260 seq_read+0x165/0x210 proc_reg_read+0x227/0x300 vfs_read+0x1d5/0x8d0 ksys_read+0x11e/0x240 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Allocated by task 7846: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x9e/0xa0 bcm_sendmsg+0x264b/0x44e0 sock_sendmsg+0xda/0x180 ____sys_sendmsg+0x735/0x920 ___sys_sendmsg+0x11d/0x1b0 __sys_sendmsg+0xfa/0x1d0 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 7846: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x27/0x40 ____kasan_slab_free+0x161/0x1c0 slab_free_freelist_hook+0x119/0x220 __kmem_cache_free+0xb4/0x2e0 rcu_core+0x809/0x1bd0 bcm_op is freed before procfs entry be removed in bcm_release(), this lead to bcm_proc_show() may read the freed bcm_op.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | ||
| Linux Kernel | >=2.6.25<4.14.322 | |
| Linux Kernel | >=4.15<4.19.291 | |
| Linux Kernel | >=4.20<5.4.251 | |
| Linux Kernel | >=5.5<5.10.188 | |
| Linux Kernel | >=5.11<5.15.123 | |
| Linux Kernel | >=5.16<6.1.42 | |
| Linux Kernel | >=6.2<6.4.7 | |
| Linux Kernel | =6.5-rc1 | |
| Linux Kernel | =6.5-rc2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/11b8e27ed448baa385d90154a141466bd5e92f18
- https://git.kernel.org/stable/c/9b58d36d0c1ea29a9571e0222a9c29df0ccfb7ff
- https://git.kernel.org/stable/c/9533dbfac0ff7edd77a5fa2c24974b1d66c8b0a6
- https://git.kernel.org/stable/c/cf254b4f68e480e73dab055014e002b77aed30ed
- https://git.kernel.org/stable/c/3c3941bb1eb53abe7d640ffee5c4d6b559829ab3
- https://git.kernel.org/stable/c/995f47d76647708ec26c6e388663ad4f3f264787
- https://git.kernel.org/stable/c/dfd0aa26e9a07f2ce546ccf8304ead6a2914e8a7
- https://git.kernel.org/stable/c/55c3b96074f3f9b0aee19bf93cd71af7516582bb
- https://lore.kernel.org/linux-cve-announce/2024112856-CVE-2023-52922-39e1@gregkh/T
- https://gitlab.com/iwienand/cve-2023-52922
- https://access.redhat.com/errata/RHSA-2025:2488
- https://access.redhat.com/errata/RHSA-2025:2489
- https://access.redhat.com/errata/RHSA-2025:2490
- https://access.redhat.com/errata/RHSA-2025:2501
- https://access.redhat.com/errata/RHSA-2025:2510
- https://access.redhat.com/errata/RHSA-2025:2512
- https://access.redhat.com/errata/RHSA-2025:2514
- https://access.redhat.com/errata/RHSA-2025:2517
- https://access.redhat.com/errata/RHSA-2025:2524
- https://access.redhat.com/errata/RHSA-2025:2525
- https://access.redhat.com/errata/RHSA-2025:2528
- https://access.redhat.com/errata/RHSA-2025:2627
- https://access.redhat.com/errata/RHSA-2025:2646
- https://access.redhat.com/errata/RHSA-2025:3024
- https://access.redhat.com/errata/RHSA-2025:3027
- https://access.redhat.com/errata/RHSA-2025:3025
- https://access.redhat.com/errata/RHSA-2025:3026
- https://access.redhat.com/errata/RHSA-2025:3048
- https://access.redhat.com/errata/RHSA-2025:3049
- https://access.redhat.com/errata/RHSA-2025:3093
- https://access.redhat.com/errata/RHSA-2025:3095
- https://access.redhat.com/errata/RHSA-2025:3096
- https://access.redhat.com/errata/RHSA-2025:3094
- https://access.redhat.com/errata/RHSA-2025:3097
- https://access.redhat.com/errata/RHSA-2025:3112
- https://bugzilla.redhat.com/show_bug.cgi?id=2329370
Frequently Asked Questions
What is the severity of CVE-2023-52922?
CVE-2023-52922 is considered a medium-severity vulnerability due to its potential to cause use-after-free errors in the Linux kernel.
How do I fix CVE-2023-52922?
To fix CVE-2023-52922, update your Linux kernel to the latest version that addresses this vulnerability.
What is the vulnerability type of CVE-2023-52922?
CVE-2023-52922 is classified as a use-after-free vulnerability within the Linux kernel.
Which versions of Linux are affected by CVE-2023-52922?
CVE-2023-52922 impacts certain versions of the Linux kernel, so check for updates from your distribution vendor.
What symptoms indicate a potential exploit of CVE-2023-52922?
Symptoms may include unexpected crashes or abnormal behavior in tasks that interact with the bcm_proc_show function.
- agent/title
- agent/type
- agent/first-publish-date
- agent/author
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/description
- agent/guess-ai
- agent/software-canonical-lookup
- agent/remedy
- collector/nvd-api
- source/NVD
- agent/softwarecombine
- agent/event
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-52922
- agent/last-modified-date
- collector/epss-latest
- source/FIRST
- agent/source
- agent/tags
- agent/epss
- vendor/linux
- canonical/linux kernel
- version/linux kernel/2.6.25
- version/linux kernel/4.15
- version/linux kernel/4.20
- version/linux kernel/5.5
- version/linux kernel/5.11
- version/linux kernel/5.16
- version/linux kernel/6.2
- version/linux kernel/6.5-rc1
- version/linux kernel/6.5-rc2