Bug 2329370 (CVE-2023-52922) - CVE-2023-52922 kernel: can: bcm: Fix UAF in bcm_proc_show()
Summary: CVE-2023-52922 kernel: can: bcm: Fix UAF in bcm_proc_show()
Keywords:
Status: NEW
Alias: CVE-2023-52922
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-11-28 16:01 UTC by OSIDB Bzimport
Modified: 2025-05-01 19:59 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2025:2783 0 None None None 2025-03-13 14:16:49 UTC
Red Hat Product Errata RHBA-2025:3020 0 None None None 2025-03-18 21:39:08 UTC
Red Hat Product Errata RHBA-2025:3035 0 None None None 2025-03-19 04:29:34 UTC
Red Hat Product Errata RHBA-2025:3070 0 None None None 2025-03-20 08:47:19 UTC
Red Hat Product Errata RHBA-2025:3116 0 None None None 2025-03-24 13:58:15 UTC
Red Hat Product Errata RHBA-2025:3117 0 None None None 2025-03-24 14:55:50 UTC
Red Hat Product Errata RHBA-2025:3159 0 None None None 2025-03-25 13:39:42 UTC
Red Hat Product Errata RHBA-2025:3161 0 None None None 2025-03-25 13:07:41 UTC
Red Hat Product Errata RHBA-2025:3163 0 None None None 2025-03-25 14:05:56 UTC
Red Hat Product Errata RHBA-2025:3263 0 None None None 2025-03-26 14:14:01 UTC
Red Hat Product Errata RHSA-2025:2488 0 None None None 2025-03-10 08:34:44 UTC
Red Hat Product Errata RHSA-2025:2489 0 None None None 2025-03-10 08:51:11 UTC
Red Hat Product Errata RHSA-2025:2490 0 None None None 2025-03-10 10:43:53 UTC
Red Hat Product Errata RHSA-2025:2501 0 None None None 2025-03-10 12:38:34 UTC
Red Hat Product Errata RHSA-2025:2510 0 None None None 2025-03-10 13:17:14 UTC
Red Hat Product Errata RHSA-2025:2512 0 None None None 2025-03-10 13:58:24 UTC
Red Hat Product Errata RHSA-2025:2514 0 None None None 2025-03-10 14:13:28 UTC
Red Hat Product Errata RHSA-2025:2517 0 None None None 2025-03-10 14:32:00 UTC
Red Hat Product Errata RHSA-2025:2524 0 None None None 2025-03-10 15:20:38 UTC
Red Hat Product Errata RHSA-2025:2525 0 None None None 2025-03-10 15:40:05 UTC
Red Hat Product Errata RHSA-2025:2528 0 None None None 2025-03-10 16:00:55 UTC
Red Hat Product Errata RHSA-2025:2627 0 None None None 2025-03-11 06:34:49 UTC
Red Hat Product Errata RHSA-2025:2646 0 None None None 2025-03-11 08:55:51 UTC
Red Hat Product Errata RHSA-2025:3024 0 None None None 2025-03-19 00:26:35 UTC
Red Hat Product Errata RHSA-2025:3025 0 None None None 2025-03-19 00:42:16 UTC
Red Hat Product Errata RHSA-2025:3026 0 None None None 2025-03-19 00:50:27 UTC
Red Hat Product Errata RHSA-2025:3027 0 None None None 2025-03-19 00:34:32 UTC
Red Hat Product Errata RHSA-2025:3048 0 None None None 2025-03-20 01:08:39 UTC
Red Hat Product Errata RHSA-2025:3049 0 None None None 2025-03-20 01:10:54 UTC
Red Hat Product Errata RHSA-2025:3093 0 None None None 2025-03-20 19:14:26 UTC
Red Hat Product Errata RHSA-2025:3094 0 None None None 2025-03-20 19:17:57 UTC
Red Hat Product Errata RHSA-2025:3095 0 None None None 2025-03-20 19:16:16 UTC
Red Hat Product Errata RHSA-2025:3096 0 None None None 2025-03-20 19:16:22 UTC
Red Hat Product Errata RHSA-2025:3097 0 None None None 2025-03-20 19:18:01 UTC
Red Hat Product Errata RHSA-2025:3112 0 None None None 2025-03-24 13:38:47 UTC

Description OSIDB Bzimport 2024-11-28 16:01:19 UTC 
In the Linux kernel, the following vulnerability has been resolved:

can: bcm: Fix UAF in bcm_proc_show()

BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80
Read of size 8 at addr ffff888155846230 by task cat/7862

CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xd5/0x150
 print_report+0xc1/0x5e0
 kasan_report+0xba/0xf0
 bcm_proc_show+0x969/0xa80
 seq_read_iter+0x4f6/0x1260
 seq_read+0x165/0x210
 proc_reg_read+0x227/0x300
 vfs_read+0x1d5/0x8d0
 ksys_read+0x11e/0x240
 do_syscall_64+0x35/0xb0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Allocated by task 7846:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 __kasan_kmalloc+0x9e/0xa0
 bcm_sendmsg+0x264b/0x44e0
 sock_sendmsg+0xda/0x180
 ____sys_sendmsg+0x735/0x920
 ___sys_sendmsg+0x11d/0x1b0
 __sys_sendmsg+0xfa/0x1d0
 do_syscall_64+0x35/0xb0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 7846:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_save_free_info+0x27/0x40
 ____kasan_slab_free+0x161/0x1c0
 slab_free_freelist_hook+0x119/0x220
 __kmem_cache_free+0xb4/0x2e0
 rcu_core+0x809/0x1bd0

bcm_op is freed before procfs entry be removed in bcm_release(),
this lead to bcm_proc_show() may read the freed bcm_op.
Comment 1 Avinash Hanwate 2024-11-29 05:47:41 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024112856-CVE-2023-52922-39e1@gregkh/T
Comment 5 Ian Wienand 2025-02-27 01:59:56 UTC 
It's fairly easy to replicate on a debug kernel with a "vcan" device and something that creates and destroys "broadcast manager" (BCM) sockets.

I've pulled a few different things together into https://gitlab.com/iwienand/cve-2023-52922 for a simple test & replicator
Comment 6 errata-xmlrpc 2025-03-10 08:34:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:2488 https://access.redhat.com/errata/RHSA-2025:2488
Comment 7 errata-xmlrpc 2025-03-10 08:51:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:2489 https://access.redhat.com/errata/RHSA-2025:2489
Comment 8 errata-xmlrpc 2025-03-10 10:43:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:2490 https://access.redhat.com/errata/RHSA-2025:2490
Comment 9 errata-xmlrpc 2025-03-10 12:38:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:2501 https://access.redhat.com/errata/RHSA-2025:2501
Comment 10 errata-xmlrpc 2025-03-10 13:17:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:2510 https://access.redhat.com/errata/RHSA-2025:2510
Comment 11 errata-xmlrpc 2025-03-10 13:58:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:2512 https://access.redhat.com/errata/RHSA-2025:2512
Comment 12 errata-xmlrpc 2025-03-10 14:13:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support

Via RHSA-2025:2514 https://access.redhat.com/errata/RHSA-2025:2514
Comment 13 errata-xmlrpc 2025-03-10 14:31:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support  - EXTENSION

Via RHSA-2025:2517 https://access.redhat.com/errata/RHSA-2025:2517
Comment 14 errata-xmlrpc 2025-03-10 15:20:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2025:2524 https://access.redhat.com/errata/RHSA-2025:2524
Comment 15 errata-xmlrpc 2025-03-10 15:40:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2025:2525 https://access.redhat.com/errata/RHSA-2025:2525
Comment 16 errata-xmlrpc 2025-03-10 16:00:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2025:2528 https://access.redhat.com/errata/RHSA-2025:2528
Comment 17 errata-xmlrpc 2025-03-11 06:34:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:2627 https://access.redhat.com/errata/RHSA-2025:2627
Comment 18 errata-xmlrpc 2025-03-11 08:55:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:2646 https://access.redhat.com/errata/RHSA-2025:2646
Comment 19 errata-xmlrpc 2025-03-19 00:26:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:3024 https://access.redhat.com/errata/RHSA-2025:3024
Comment 20 errata-xmlrpc 2025-03-19 00:34:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:3027 https://access.redhat.com/errata/RHSA-2025:3027
Comment 21 errata-xmlrpc 2025-03-19 00:42:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:3025 https://access.redhat.com/errata/RHSA-2025:3025
Comment 22 errata-xmlrpc 2025-03-19 00:50:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:3026 https://access.redhat.com/errata/RHSA-2025:3026
Comment 23 errata-xmlrpc 2025-03-20 01:08:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:3048 https://access.redhat.com/errata/RHSA-2025:3048
Comment 24 errata-xmlrpc 2025-03-20 01:10:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:3049 https://access.redhat.com/errata/RHSA-2025:3049
Comment 25 errata-xmlrpc 2025-03-20 19:14:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2025:3093 https://access.redhat.com/errata/RHSA-2025:3093
Comment 26 errata-xmlrpc 2025-03-20 19:16:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions

Via RHSA-2025:3095 https://access.redhat.com/errata/RHSA-2025:3095
Comment 27 errata-xmlrpc 2025-03-20 19:16:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:3096 https://access.redhat.com/errata/RHSA-2025:3096
Comment 28 errata-xmlrpc 2025-03-20 19:17:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2025:3094 https://access.redhat.com/errata/RHSA-2025:3094
Comment 29 errata-xmlrpc 2025-03-20 19:17:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:3097 https://access.redhat.com/errata/RHSA-2025:3097
Comment 30 errata-xmlrpc 2025-03-24 13:38:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:3112 https://access.redhat.com/errata/RHSA-2025:3112
Note You need to log in before you can comment on or make changes to this bug.