Bug 2329370 (CVE-2023-52922)

Summary: CVE-2023-52922 kernel: can: bcm: Fix UAF in bcm_proc_show()
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: dfreiber, drow, iwienand, jburrell, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2024-11-28 16:01:19 UTC 
In the Linux kernel, the following vulnerability has been resolved:

can: bcm: Fix UAF in bcm_proc_show()

BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80
Read of size 8 at addr ffff888155846230 by task cat/7862

CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xd5/0x150
 print_report+0xc1/0x5e0
 kasan_report+0xba/0xf0
 bcm_proc_show+0x969/0xa80
 seq_read_iter+0x4f6/0x1260
 seq_read+0x165/0x210
 proc_reg_read+0x227/0x300
 vfs_read+0x1d5/0x8d0
 ksys_read+0x11e/0x240
 do_syscall_64+0x35/0xb0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Allocated by task 7846:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 __kasan_kmalloc+0x9e/0xa0
 bcm_sendmsg+0x264b/0x44e0
 sock_sendmsg+0xda/0x180
 ____sys_sendmsg+0x735/0x920
 ___sys_sendmsg+0x11d/0x1b0
 __sys_sendmsg+0xfa/0x1d0
 do_syscall_64+0x35/0xb0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 7846:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_save_free_info+0x27/0x40
 ____kasan_slab_free+0x161/0x1c0
 slab_free_freelist_hook+0x119/0x220
 __kmem_cache_free+0xb4/0x2e0
 rcu_core+0x809/0x1bd0

bcm_op is freed before procfs entry be removed in bcm_release(),
this lead to bcm_proc_show() may read the freed bcm_op.
Comment 1 Avinash Hanwate 2024-11-29 05:47:41 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024112856-CVE-2023-52922-39e1@gregkh/T
Comment 5 Ian Wienand 2025-02-27 01:59:56 UTC 
It's fairly easy to replicate on a debug kernel with a "vcan" device and something that creates and destroys "broadcast manager" (BCM) sockets.

I've pulled a few different things together into https://gitlab.com/iwienand/cve-2023-52922 for a simple test & replicator
Comment 6 errata-xmlrpc 2025-03-10 08:34:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:2488 https://access.redhat.com/errata/RHSA-2025:2488
Comment 7 errata-xmlrpc 2025-03-10 08:51:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:2489 https://access.redhat.com/errata/RHSA-2025:2489
Comment 8 errata-xmlrpc 2025-03-10 10:43:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:2490 https://access.redhat.com/errata/RHSA-2025:2490
Comment 9 errata-xmlrpc 2025-03-10 12:38:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:2501 https://access.redhat.com/errata/RHSA-2025:2501
Comment 10 errata-xmlrpc 2025-03-10 13:17:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:2510 https://access.redhat.com/errata/RHSA-2025:2510
Comment 11 errata-xmlrpc 2025-03-10 13:58:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:2512 https://access.redhat.com/errata/RHSA-2025:2512
Comment 12 errata-xmlrpc 2025-03-10 14:13:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support

Via RHSA-2025:2514 https://access.redhat.com/errata/RHSA-2025:2514
Comment 13 errata-xmlrpc 2025-03-10 14:31:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support  - EXTENSION

Via RHSA-2025:2517 https://access.redhat.com/errata/RHSA-2025:2517
Comment 14 errata-xmlrpc 2025-03-10 15:20:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2025:2524 https://access.redhat.com/errata/RHSA-2025:2524
Comment 15 errata-xmlrpc 2025-03-10 15:40:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2025:2525 https://access.redhat.com/errata/RHSA-2025:2525
Comment 16 errata-xmlrpc 2025-03-10 16:00:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2025:2528 https://access.redhat.com/errata/RHSA-2025:2528
Comment 17 errata-xmlrpc 2025-03-11 06:34:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:2627 https://access.redhat.com/errata/RHSA-2025:2627
Comment 18 errata-xmlrpc 2025-03-11 08:55:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:2646 https://access.redhat.com/errata/RHSA-2025:2646
Comment 19 errata-xmlrpc 2025-03-19 00:26:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:3024 https://access.redhat.com/errata/RHSA-2025:3024
Comment 20 errata-xmlrpc 2025-03-19 00:34:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:3027 https://access.redhat.com/errata/RHSA-2025:3027
Comment 21 errata-xmlrpc 2025-03-19 00:42:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:3025 https://access.redhat.com/errata/RHSA-2025:3025
Comment 22 errata-xmlrpc 2025-03-19 00:50:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:3026 https://access.redhat.com/errata/RHSA-2025:3026
Comment 23 errata-xmlrpc 2025-03-20 01:08:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:3048 https://access.redhat.com/errata/RHSA-2025:3048
Comment 24 errata-xmlrpc 2025-03-20 01:10:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:3049 https://access.redhat.com/errata/RHSA-2025:3049
Comment 25 errata-xmlrpc 2025-03-20 19:14:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2025:3093 https://access.redhat.com/errata/RHSA-2025:3093
Comment 26 errata-xmlrpc 2025-03-20 19:16:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions

Via RHSA-2025:3095 https://access.redhat.com/errata/RHSA-2025:3095
Comment 27 errata-xmlrpc 2025-03-20 19:16:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:3096 https://access.redhat.com/errata/RHSA-2025:3096
Comment 28 errata-xmlrpc 2025-03-20 19:17:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2025:3094 https://access.redhat.com/errata/RHSA-2025:3094
Comment 29 errata-xmlrpc 2025-03-20 19:17:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:3097 https://access.redhat.com/errata/RHSA-2025:3097
Comment 30 errata-xmlrpc 2025-03-24 13:38:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:3112 https://access.redhat.com/errata/RHSA-2025:3112